2025-01-29 Update From: SLTechnology News&Howtos (Servers)
This article explains how to join a second Ubuntu server to an existing Samba4 AD DC domain as an additional domain controller, so that the domain is served by two DCs. The steps are described in detail and should be useful to anyone running Samba4 as an AD domain controller.
Step 1: initialize the Samba4 configuration
1. Before you join the second DC server to the Samba4 AD DC domain, a few things need to be prepared. First, make sure that the hostname of the new system is descriptive.
Suppose the first domain controller is called adc1; then name the second domain controller adc2 to keep the domain controller names consistent.
Execute the following command to modify the system hostname:
# hostnamectl set-hostname adc2
Alternatively, edit the /etc/hostname file manually and enter the desired hostname on its own line.
# nano /etc/hostname
Add the hostname here:
adc2
Next, open the local system resolution file and add an entry containing the IP address and FQDN name of the primary domain controller. As shown in the following figure:
In this tutorial, the host name of the primary domain control server is adc1.tecmint.lan, and its corresponding IP address is 192.168.1.254.
# nano /etc/hosts
Add the following line:
IP_of_main_DC FQDN_of_main_DC short_name_of_main_DC
Set the hostname for the Samba4 AD DC server
3. Next, open the /etc/network/interfaces configuration file and set a static IP address, as shown below:
Pay attention to the dns-nameservers and dns-search values. For DNS resolution to work correctly, these two values must be set to the IP address and the domain name of the primary Samba4 AD DC server.
Restart the networking service for the modified configuration to take effect, then check the /etc/resolv.conf file to confirm that the two DNS values configured on the network card have been written to it.
# nano /etc/network/interfaces
Edit and replace your custom IP settings:
auto ens33
iface ens33 inet static
address 192.168.1.253
netmask 255.255.255.0
# broadcast address of the 192.168.1.0/24 network (the original listed the gateway address here by mistake)
broadcast 192.168.1.255
gateway 192.168.1.1
dns-nameservers 192.168.1.254
dns-search tecmint.lan
Restart the network card service and confirm it to be effective.
# systemctl restart networking.service
# cat /etc/resolv.conf
Configure DNS for the Samba4 AD server
When you look up a host by its short name, the dns-search value is appended automatically to build the FQDN.
4. To test that DNS resolution works, run a series of ping commands against the short name, the FQDN and the bare domain name, as shown below:
In all test cases, the Samba4 AD DC DNS server should return the IP address of the primary domain control server.
Verify that the DNS parsing of the Samba4 AD environment is normal
5. Finally, make sure that the host's clock is synchronized with the domain controller. Install the NTP client tools with the following command so the time can be synchronized:
# apt-get install ntpdate
6. To manually force time synchronization between the local server and the Samba4 AD DC server, run the ntpdate command with the hostname of the primary domain controller:
# ntpdate adc1
Time synchronization with Samba4 AD server
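The checks in steps 3 and 4 (resolv.conf contents, and short name, FQDN and domain all resolving to the primary DC) can be scripted. This is an added example, not code from the article; it assumes the article's values (adc1.tecmint.lan at 192.168.1.254, domain tecmint.lan), and the resolver is injectable so the logic can be exercised without a live DC.

```python
"""Pre-join sanity checks for the second DC (added example; not from the article).
Assumes the article's values: primary DC adc1.tecmint.lan at 192.168.1.254, domain tecmint.lan."""
import socket

PRIMARY_DC_IP = "192.168.1.254"
PRIMARY_DC_FQDN = "adc1.tecmint.lan"
DOMAIN = "tecmint.lan"


def check_resolv_conf(text, dc_ip=PRIMARY_DC_IP, domain=DOMAIN):
    """Check the content of /etc/resolv.conf: the first nameserver must be the primary
    DC and the search list must contain the domain, otherwise short names will not resolve."""
    problems, nameservers, search = [], [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            nameservers.append(parts[1])
        elif parts[0] in ("search", "domain"):
            search.extend(parts[1:])
    if not nameservers or nameservers[0] != dc_ip:
        found = nameservers[0] if nameservers else "none"
        problems.append(f"first nameserver is {found}, expected {dc_ip}")
    if domain not in search:
        problems.append(f"search list {search} does not contain {domain}")
    return problems


def check_resolution(resolve=socket.gethostbyname, dc_ip=PRIMARY_DC_IP,
                     fqdn=PRIMARY_DC_FQDN, domain=DOMAIN):
    """Resolve the short name, the FQDN and the bare domain name (the three lookups the
    article tests with ping); every answer must be the primary DC's address.
    'resolve' is injectable so the logic can be tested without a live DC."""
    problems = []
    for name in (fqdn.split(".")[0], fqdn, domain):
        try:
            addr = resolve(name)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            problems.append(f"{name}: lookup failed ({exc})")
            continue
        if addr != dc_ip:
            problems.append(f"{name}: resolved to {addr}, expected {dc_ip}")
    return problems


if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        issues = check_resolv_conf(fh.read()) + check_resolution()
    for issue in issues:
        print("PROBLEM:", issue)
```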
Step 2: install the dependency packages necessary for Samba4
7. For the Ubuntu 16.04 system to join your domain, install the Samba4 suite, the Kerberos client and the other required packages from the official Ubuntu repositories with the following command:
# apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
Install Samba4 on an Ubuntu system
8. During the installation you will be asked for the Kerberos realm. Enter the domain name in uppercase and press Enter to complete the installation.
Configure Kerberos authentication for Samba4
9. After all dependent packages are installed, request a Kerberos ticket for the domain administrator to verify that the settings are correct by using the kinit command. Use the klist command to list authorized kerberos ticket information.
# kinit domain-admin-user@YOUR_DOMAIN.TLD
# klist
Verify Kerberos in a Samba4 domain environment
Step 3: join Samba4 AD DC as a domain controller
10. Before integrating your machine into the Samba4 DC environment, stop all running Samba4 services on the system and rename the default Samba configuration file to start from scratch. During the domain controller configuration process, Samba will create a new configuration file.
# systemctl stop samba-ad-dc smbd nmbd winbind
# mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
Before joining the domain, start the samba-ad-dc service, then run the samba-tool command with the domain administrator account to join the server to the domain as a DC.
# samba-tool domain join your_domain DC -U "your_domain_admin"
Screenshot of the process of joining a domain:
# samba-tool domain join tecmint.lan DC -U "tecmint_user"
Sample output:
Finding a writeable DC for domain 'tecmint.lan'
Found DC adc1.tecmint.lan
Password for [WORKGROUP\tecmint_user]:
workgroup is TECMINT
realm is tecmint.lan
checking sAMAccountName
Deleted CN=ADC2,CN=Computers,DC=tecmint,DC=lan
Adding CN=ADC2,OU=Domain Controllers,DC=tecmint,DC=lan
Adding CN=ADC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tecmint,DC=lan
Adding CN=NTDS Settings,CN=ADC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tecmint,DC=lan
Adding SPNs to CN=ADC2,OU=Domain Controllers,DC=tecmint,DC=lan
Setting account password for ADC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=tecmint,DC=lan
Starting replication
Schema-DN [CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects [402/1550] linked_values [0/0]
Schema-DN [CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects [804/1550] linked_values [0/0]
Schema-DN [CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects [1206/1550] linked_values [0/0]
Schema-DN [CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects [1550/1550] linked_values [0/0]
Analyze and apply schema objects
Partition [CN=Configuration,DC=tecmint,DC=lan] objects [402/1614] linked_values [0/0]
Partition [CN=Configuration,DC=tecmint,DC=lan] objects [804/1614] linked_values [0/0]
Partition [CN=Configuration,DC=tecmint,DC=lan] objects [1206/1614] linked_values [0/0]
Partition [CN=Configuration,DC=tecmint,DC=lan] objects [1608/1614] linked_values [0/0]
Partition [CN=Configuration,DC=tecmint,DC=lan] objects [1614/1614] linked_values [28/0]
Replicating critical objects from the base DN of the domain
Partition [DC=tecmint,DC=lan] objects [97/97] linked_values [24/0]
Partition [DC=tecmint,DC=lan] objects [380/283] linked_values [27 schema]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=tecmint,DC=lan
Partition [DC=DomainDnsZones,DC=tecmint,DC=lan] objects [45] linked_values [0]
Replicating DC=ForestDnsZones,DC=tecmint,DC=lan
Partition [DC=ForestDnsZones,DC=tecmint,DC=lan] objects [18] linked_values [0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain TECMINT (SID S-1-5-21-715537322-3397311598-55032968) as a DC
Join the domain to Samba4 AD DC
12. After the Ubuntu system with the Samba4 suite installed joins the domain, open the Samba main configuration file and add the following line:
# nano /etc/samba/smb.conf
Add the following to the smb.conf configuration file.
dns forwarder = 192.168.1.1
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
Replace the DNS address above with the address of your own DNS forwarder. Samba forwards every DNS query for names outside the zones it is authoritative for to this IP address.
13. Finally, restart the Samba service so the modified configuration takes effect, then run the following command to check that Active Directory replication is working:
# systemctl restart samba-ad-dc
# samba-tool drs showrepl
Configure Samba4 DNS
14. In addition, rename the original Kerberos configuration file in /etc and replace it with the krb5.conf file that Samba generated while joining the domain.
The file generated by Samba is in the /var/lib/samba/private directory. Use a symbolic link to make it available in /etc.
# mv /etc/krb5.conf /etc/krb5.conf.initial
# ln -s /var/lib/samba/private/krb5.conf /etc/
# cat /etc/krb5.conf
Configure Kerberos
15. Now verify that Kerberos authentication works with Samba's krb5.conf. Use the following commands to request a ticket for the administrator account and list the cached tickets:
# kinit administrator
# klist
Use Samba to verify that Kerberos authentication is normal
Step 4: verify other domain services
16. One of the first tests to run is to verify that the Samba4 DC DNS service is working. To verify domain DNS resolution, use the host command to query the domain name and some important AD DNS records, as shown in the following figure:
The DNS server should now return two IP addresses for each query, one per domain controller.
# host your_domain.tld
# host -t SRV _kerberos._udp.your_domain.tld    # UDP Kerberos SRV record
# host -t SRV _ldap._tcp.your_domain.tld        # TCP LDAP SRV record
Verify Samba4 DC DNS
17. These DNS records can also be queried from a domain-joined Windows machine with the RSAT tools installed. Open DNS Manager and expand your domain's _tcp records, as shown in the following figure:
Validate DNS records through the Windows RSAT tool
The next check is to confirm that LDAP replication between the domain controllers works. Use samba-tool to create an account on the second domain controller, then check that the account has been replicated automatically to the first Samba4 AD DC server.
On adc2:
# samba-tool user add test_user
On adc1:
# samba-tool user list | grep test_user
Create an account on the Samba4 AD server
Verify synchronization on the Samba4 AD server
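The replication check from step 13 (samba-tool drs showrepl) and the partner-per-partition idea behind the account test above can be turned into a repeatable health check. This is an added example, not code from the article or from Samba; SAMPLE is a constructed excerpt in the format showrepl prints, and EXPECTED lists the naming contexts from the join output above.

```python
"""Health check over 'samba-tool drs showrepl' output (added example, not the article's
own code). SAMPLE is constructed in the format Samba prints, not captured from a DC."""
# Naming contexts from the article's join output; each must have an inbound partner.
EXPECTED = ["DC=tecmint,DC=lan", "CN=Configuration,DC=tecmint,DC=lan",
            "CN=Schema,CN=Configuration,DC=tecmint,DC=lan",
            "DC=DomainDnsZones,DC=tecmint,DC=lan", "DC=ForestDnsZones,DC=tecmint,DC=lan"]

SAMPLE = """\
==== INBOUND NEIGHBORS ====
DC=tecmint,DC=lan
    Default-First-Site-Name\\ADC1 via RPC
        Last attempt @ Tue Mar  5 10:01:02 2024 UTC was successful
        0 consecutive failure(s).
CN=Configuration,DC=tecmint,DC=lan
    Default-First-Site-Name\\ADC1 via RPC
        Last attempt @ Tue Mar  5 10:01:02 2024 UTC failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        3 consecutive failure(s).
==== OUTBOUND NEIGHBORS ====
"""


def parse_showrepl(text):
    """Return {(partition, source DC): [last_attempt_ok, failures]} for INBOUND NEIGHBORS."""
    neighbors, partition, key, inbound = {}, None, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("===="):            # section header: only INBOUND is of interest
            inbound = "INBOUND NEIGHBORS" in line
        elif not inbound or not line:
            continue
        elif line.startswith(("CN=", "DC=")):  # un-indented partition DN
            partition = line
        elif " via " in line and partition:    # "<site>\<DC> via RPC"
            key = (partition, line.split(" via ")[0])
            neighbors[key] = [True, 0]
        elif key and line.startswith("Last attempt @"):
            neighbors[key][0] = line.endswith("was successful")
        elif key and "consecutive failure" in line:
            neighbors[key][1] = int(line.split()[0])
    return neighbors


def replication_problems(neighbors, expected=EXPECTED):
    """Failing partners, plus expected partitions that have no inbound partner at all."""
    problems = [f"{p} from {src}: {fails} consecutive failure(s)"
                for (p, src), (ok, fails) in neighbors.items() if not ok or fails]
    seen = {p for p, _ in neighbors}
    problems += [f"{p}: no inbound replication partner" for p in expected if p not in seen]
    return problems


if __name__ == "__main__":  # feed it real output: samba-tool drs showrepl > repl.txt
    for problem in replication_problems(parse_showrepl(SAMPLE)):
        print("PROBLEM:", problem)
```

Run it against real output by passing the captured text to parse_showrepl instead of SAMPLE; a non-empty result from replication_problems is what should page an administrator.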
You can also create an account from the Microsoft AD DC console and verify that the account appears on both domain control servers.
By default, this account should be created automatically on both samba domain controllers. Use the wbinfo command on the adc1 server to query the account name.
Create an account from Microsoft AD UC
Verify account synchronization function on Samba4 AD server
Finally, open the AD DC console on the Windows machine and expand the Domain Controllers container: you should see both DC servers registered.
Verify the Samba4 domain controller
Step 5: enable the Samba4 AD DC service
21. To enable Samba4 AD DC services throughout the system, you must first disable the original unwanted Samba services, and then execute the following command to enable only samba-ad-dc services:
# systemctl disable smbd nmbd winbind
# systemctl enable samba-ad-dc
Enable the Samba4 AD DC service
22. If you manage the Samba4 domain controllers remotely from Microsoft clients, or if other Linux or Windows clients are joined to the domain, be sure to add the IP address of the adc2 server to the DNS server settings of their network cards so that name resolution keeps working if one DC is down.
The following figure shows the network card configuration requirements for Windows and Debian/Ubuntu clients.
Configure the Windows client to manage Samba4 DC
Configure the Linux client to manage Samba4 DC
If the first DC server (192.168.1.254) is unavailable, adjust the order of the DNS server addresses in the client configuration so that the unavailable DNS server is not queried first.
Finally, if you want to use Samba4 Active Directory accounts for local authentication on the Linux system, or grant root privileges to an AD LDAP account, see steps 2 and 3 of the tutorial on managing Samba4 AD infrastructure from the Linux command line.
That is everything in this article on joining another Ubuntu DC server to Samba4 AD DC to build a dual domain controller setup. Thank you for reading, and we hope the content was helpful.