Configuring a Samba AD DC (secondary domain controller)

Environment
・Domain name: TESTAD
・Full domain name: TESTAD.LOCAL
・Primary DC IP: 192.168.122.25 (MASTER.TESTAD.LOCAL)
・New secondary DC IP: 192.168.122.170 (SLAVE.TESTAD.LOCAL)

1. Preparing for, compiling and installing Samba follows the same steps as in the Samba AD DC (domain controller) configuration.
2. Point the primary DNS server at the IP of the existing Samba AD DC (domain controller).
For example: vim /etc/resolv.conf
search TESTAD.LOCAL
nameserver 192.168.122.25
3. Configure Kerberos
/etc/krb5.conf:
Contents:
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = TESTAD.LOCAL
Obtain a ticket
# kinit administrator
Password for administrator@TESTAD.LOCAL:
Verify the ticket
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator@TESTAD.LOCAL

Valid starting Expires Service principal
2017-03-20T09:17:30 2017-03-20T19:17:30 krbtgt/TESTAD.LOCAL@TESTAD.LOCAL
renew until 2017-03-27T09:17:25
4. Configure Samba
Run the following commands
# cd /usr/local/samba/
# bin/samba-tool domain join TESTAD.LOCAL DC -U"TESTAD\administrator" --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'TESTAD.LOCAL'
Found DC master.testad.local
Password for [TESTAD\administrator]:
workgroup is TESTAD
realm is testad.local
checking sAMAccountName
Deleted CN=SLAVE,OU=Domain Controllers,DC=testad,DC=local
Deleted CN=NTDS Settings,CN=SLAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testad,DC=local
Deleted CN=SLAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testad,DC=local
Adding CN=SLAVE,OU=Domain Controllers,DC=testad,DC=local
Adding CN=SLAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testad,DC=local
Adding CN=NTDS Settings,CN=SLAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testad,DC=local
Adding SPNs to CN=SLAVE,OU=Domain Controllers,DC=testad,DC=local
Setting account password for SLAVE$
Enabling account
Calling bare provision
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.122.170
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Provision OK for domain DN DC=testad,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=testad,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=testad,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=testad,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=testad,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=testad,DC=local] objects[402/1630] linked_values[0/0]
Partition[CN=Configuration,DC=testad,DC=local] objects[804/1630] linked_values[0/0]
Partition[CN=Configuration,DC=testad,DC=local] objects[1206/1630] linked_values[0/0]
Partition[CN=Configuration,DC=testad,DC=local] objects[1608/1630] linked_values[0/0]
Partition[CN=Configuration,DC=testad,DC=local] objects[1630/1630] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=testad,DC=local] objects[97/97] linked_values[24/0]
Partition[DC=testad,DC=local] objects[375/278] linked_values[24/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=testad,DC=local
Partition[DC=DomainDnsZones,DC=testad,DC=local] objects[41/41] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=testad,DC=local
Partition[DC=ForestDnsZones,DC=testad,DC=local] objects[18/18] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain TESTAD (SID S-1-5-21-1646527687-725240421-3170490295) as a DC

If you hit the following error
ERROR(ldb): uncaught exception - Failed to setup krb5_context: Invalid argument
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 651, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1192, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1095, in do_join
    ctx.join_provision()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 740, in join_provision
    use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2190, in provision
    secrets_ldb.transaction_commit()
check the following:
Whether the includedir /etc/krb5.conf.d/ line in /etc/krb5.conf has been commented out:
# vi /etc/krb5.conf
<omitted>
#includedir /etc/krb5.conf.d/   <- commented out
<omitted>
Edit etc/smb.conf (under /usr/local/samba)
Add the following to the [global] section:
ldap server require strong auth = No
log level = 3
log file = /var/log/samba/samba.log
Start Samba
# sbin/samba
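The smb.conf additions above include ldap server require strong auth = No, which tells the DC to accept LDAP binds that are neither signed nor sealed (Samba's default is yes). The script below is an added example, not code from the original post: a small POSIX sh/awk audit that reads the [global] section of an smb.conf, normalising parameter names the way Samba does (case is ignored, internal whitespace is dropped, the last definition wins), and flags that setting so it is not left in place once the join has been debugged. The sample smb.conf contents are constructed, and the function names get_global_param, audit_smb_conf, sample_smb_conf and sample_hardened_conf are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit the [global] section of a
# Samba smb.conf for the LDAP strong-auth setting that this step weakens.

# get_global_param FILE NAME -> prints the value of NAME from [global], or nothing.
# Parameter names are compared case-insensitively with whitespace removed,
# which is how Samba's loadparm treats them; a later definition overrides an
# earlier one, as in Samba.
get_global_param() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' \t')" '
    /^[ \t]*[;#]/ { next }                       # comment line
    /^[ \t]*\[/ {                                # section header, e.g. [global]
        section = tolower($0); gsub(/\[|\]|[ \t]/, "", section); next
    }
    section == "global" && index($0, "=") > 0 {
        eq  = index($0, "=")
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == want) last = val
    }
    END { if (last != "") print last }' "$1"
}

# audit_smb_conf FILE -> one line per finding; exit 1 if a weak setting is found.
audit_smb_conf() {
    conf=$1; rc=0
    strong=$(get_global_param "$conf" "ldap server require strong auth" | tr 'A-Z' 'a-z')
    case "${strong:-yes}" in                     # Samba default is yes
        no|false|0)
            echo "WEAK: ldap server require strong auth = $strong (LDAP binds without signing/sealing are accepted; Samba default is yes)"
            rc=1 ;;
        allow_sasl_over_tls)
            echo "INFO: ldap server require strong auth = allow_sasl_over_tls (SASL binds accepted when wrapped in TLS)" ;;
    esac
    if [ -z "$(get_global_param "$conf" "log file")" ]; then
        echo "INFO: log file not set; the daemon writes to its compiled-in default location"
    fi
    return "$rc"
}

# Constructed smb.conf with the settings from this step (not the post's own file).
sample_smb_conf() {
    cat <<'EOF'
[global]
    workgroup = TESTAD
    realm = TESTAD.LOCAL
    netbios name = SLAVE
    server role = active directory domain controller
    ; temporary debugging settings added during the join
    LDAP Server Require Strong Auth = No
    log level = 3
    log file = /var/log/samba/samba.log
EOF
}

# Constructed hardened variant: strong auth back at the default.
sample_hardened_conf() {
    sample_smb_conf | sed 's/^ *LDAP Server Require Strong Auth = No/    ldap server require strong auth = yes/'
}

# Usage on a DC: sh audit_smb_conf.sh /usr/local/samba/etc/smb.conf
if [ -n "${1:-}" ]; then audit_smb_conf "$1"; fi
```

Run it against the live file after the join succeeds; a WEAK line is the cue to restore the default and restart Samba.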
5. Verify the DNS record
# host -t A SLAVE.TESTAD.LOCAL
SLAVE.TESTAD.LOCAL has address 192.168.122.170
6. Active Directory replication
A few minutes after the Samba AD service starts, it connects to the other DCs automatically and begins synchronising data.
The following command shows the synchronisation status.
# bin/samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:slave.testad.local[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name slave.testad.local
resolve_lmhosts: Attempting lmhosts lookup for name slave.testad.local
Server ldap/SLAVE.TESTAD.LOCAL@TESTAD.LOCAL is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/SLAVE.TESTAD.LOCAL@TESTAD.LOCAL) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
resolve_lmhosts: Attempting lmhosts lookup for name slave.testad.local
Server ldap/slave.testad.local@TESTAD.LOCAL is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/slave.testad.local@TESTAD.LOCAL) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Default-First-Site-Name\SLAVE
DSA Options: 0x00000001
DSA object GUID: c0a4d4b4-f15a-45c6-bb37-c02eac55e267
DSA invocationId: 907502c6-841e-4c60-ab3e-2698f6f87d92

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=testad,DC=local
Default-First-Site-Name\MASTER via RPC
DSA object GUID: 9deeadba-2c37-463d-876d-6668dc0cc6e7
Last attempt @ Mon Mar 20 23:51:50 2017 EDT was successful
0 consecutive failure(s).
Last success @ Mon Mar 20 23:51:50 2017 EDT

DC=ForestDnsZones,DC=testad,DC=local
Default-First-Site-Name\MASTER via RPC
DSA object GUID: 9deeadba-2c37-463d-876d-6668dc0cc6e7
Last attempt @ Mon Mar 20 23:51:49 2017 EDT was successful
0 consecutive failure(s).
Last success @ Mon Mar 20 23:51:49 2017 EDT

DC=testad,DC=local
Default-First-Site-Name\MASTER via RPC
DSA object GUID: 9deeadba-2c37-463d-876d-6668dc0cc6e7
Last attempt @ Mon Mar 20 23:51:50 2017 EDT was successful
0 consecutive failure(s).
Last success @ Mon Mar 20 23:51:50 2017 EDT

CN=Configuration,DC=testad,DC=local
Default-First-Site-Name\MASTER via RPC
DSA object GUID: 9deeadba-2c37-463d-876d-6668dc0cc6e7
Last attempt @ Mon Mar 20 23:51:50 2017 EDT was successful
0 consecutive failure(s).
Last success @ Mon Mar 20 23:51:50 2017 EDT

DC=DomainDnsZones,DC=testad,DC=local
Default-First-Site-Name\MASTER via RPC
DSA object GUID: 9deeadba-2c37-463d-876d-6668dc0cc6e7
Last attempt @ Mon Mar 20 23:51:49 2017 EDT was successful
0 consecutive failure(s).
Last success @ Mon Mar 20 23:51:49 2017 EDT

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 24ef168f-dcc1-4b5f-a0a2-8808667ee99c
Enabled : TRUE
Server DNS name : master.testad.local
Server DN name : CN=NTDS Settings,CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testad,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Establishing all connections can take a few minutes. If after 15 minutes not all Samba AD DCs have established connections with each other, run the data synchronisation manually:
samba-tool drs replicate

* "Warning: No NC replicated for Connection!" means some of Samba's flags were not correctly registered with the replication service; this message can be ignored.
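As an added example (not from the original post), the POSIX sh/awk check below parses the text output of samba-tool drs showrepl so the replication state of the new DC can be verified by a script rather than by reading the dump. It flags inbound neighbours whose last attempt failed or whose consecutive-failure count is non-zero, counts the "No NC replicated" KCC warnings the text says can be ignored, and counts the "is not registered with our KDC" lines seen in the output above, which show that samba-tool could not obtain a Kerberos ticket for the new DC's LDAP SPN yet and fell back to NTLMSSP for its own connection. The sample outputs are constructed (abridged from the post's output, plus one invented failing neighbour) and the function names check_showrepl, sample_healthy and sample_failing are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): health check over the text output
# of `samba-tool drs showrepl`. Prints one "FAIL" line per problem found, then a
# summary line, and exits 1 if any inbound neighbour is failing.

check_showrepl() {
    awk '
    function mark(name, line) {
        if (!(name in failed)) { failed[name] = 1; bad++ }   # count each NC once
        sub(/^[ \t]+/, "", line)
        printf "FAIL %s: %s\n", name, line
    }
    /==== INBOUND NEIGHBORS ====/      { section = "in";  next }
    /==== OUTBOUND NEIGHBORS ====/     { section = "out"; next }
    /==== KCC CONNECTION OBJECTS ====/ { section = "kcc"; next }
    /is not registered with our KDC/   { kdc++;  next }   # Kerberos not usable yet, NTLMSSP fallback follows
    /Warning: No NC replicated for Connection/ { warn++; next }
    section == "in" && /^[ \t]*(CN|DC)=/ { nc = $0; next }   # naming context header
    section == "in" && /Last attempt @/ && $0 !~ /was successful/ { mark(nc, $0); next }
    section == "in" && /consecutive failure/ && ($1 + 0) > 0   { mark(nc, $0); next }
    END {
        printf "inbound_failed=%d kcc_warnings=%d kdc_unknown_spn=%d\n", bad + 0, warn + 0, kdc + 0
        if (bad > 0) exit 1
        exit 0
    }'
}

# Constructed sample: abridged from the post's showrepl output (all neighbours healthy).
sample_healthy() {
    cat <<'EOF'
Server ldap/SLAVE.TESTAD.LOCAL@TESTAD.LOCAL is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/SLAVE.TESTAD.LOCAL@TESTAD.LOCAL) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Got NTLMSSP neg_flags=0x62898235
Server ldap/slave.testad.local@TESTAD.LOCAL is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/slave.testad.local@TESTAD.LOCAL) unknown
Default-First-Site-Name\SLAVE
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=testad,DC=local
    Default-First-Site-Name\MASTER via RPC
        DSA object GUID: 9deeadba-2c37-463d-876d-6668dc0cc6e7
        Last attempt @ Mon Mar 20 23:51:50 2017 EDT was successful
        0 consecutive failure(s).
        Last success @ Mon Mar 20 23:51:50 2017 EDT

DC=testad,DC=local
    Default-First-Site-Name\MASTER via RPC
        DSA object GUID: 9deeadba-2c37-463d-876d-6668dc0cc6e7
        Last attempt @ Mon Mar 20 23:51:50 2017 EDT was successful
        0 consecutive failure(s).
        Last success @ Mon Mar 20 23:51:50 2017 EDT

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 24ef168f-dcc1-4b5f-a0a2-8808667ee99c
    Enabled        : TRUE
    Server DNS name : master.testad.local
    TransportType: RPC
    options: 0x00000001
    Warning: No NC replicated for Connection!
EOF
}

# Constructed sample with one invented failing neighbour (not from the post).
sample_failing() {
    cat <<'EOF'
==== INBOUND NEIGHBORS ====

CN=Configuration,DC=testad,DC=local
    Default-First-Site-Name\MASTER via RPC
        DSA object GUID: 9deeadba-2c37-463d-876d-6668dc0cc6e7
        Last attempt @ Tue Mar 21 00:10:12 2017 EDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        3 consecutive failure(s).
        Last success @ Mon Mar 20 23:51:50 2017 EDT

DC=testad,DC=local
    Default-First-Site-Name\MASTER via RPC
        DSA object GUID: 9deeadba-2c37-463d-876d-6668dc0cc6e7
        Last attempt @ Tue Mar 21 00:10:12 2017 EDT was successful
        0 consecutive failure(s).
        Last success @ Tue Mar 21 00:10:12 2017 EDT

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====
EOF
}

# Usage on a live DC: bin/samba-tool drs showrepl | check_showrepl
# Offline demo with the constructed sample: sh check_showrepl.sh --demo
if [ "${1:-}" = "--demo" ]; then sample_healthy | check_showrepl; fi
```

A non-zero kdc_unknown_spn count right after the join is expected until the new DC's SPNs have replicated and DNS resolves it; if it persists once replication is healthy, the SPN registration or the Kerberos configuration from step 3 is what to look at.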
7. Verify the local DNS service
# host -t A testad.local localhost
Using domain server:
Name: localhost
Address: ::1#53
Aliases:

testad.local has address 192.168.122.25
testad.local has address 192.168.122.170

8. Verify Kerberos
Request a Kerberos ticket with the administrator account
# kinit administrator
Password for administrator@TESTAD.LOCAL:
Warning: Your password will expire in 76 days on 2017年06月05日 星期一 22时59分56秒
List the locally cached tickets with klist
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator@TESTAD.LOCAL

Valid starting Expires Service principal
2017-03-21T02:06:59 2017-03-21T12:06:59 krbtgt/TESTAD.LOCAL@TESTAD.LOCAL
renew until 2017-03-28T02:06:55
9. Edit the DNS configuration to add the secondary DC's IP (on both the primary and the secondary machine)
vim /etc/resolv.conf
search testad.local
nameserver 192.168.122.25
nameserver 192.168.122.170

Author: 李海涛 (lihaitao)
