CentOS 7
Samba AD DC : Join in Existing AD Domain (2018/06/27)

Add a Samba DC to an existing Windows AD domain.
This example is based on the following environment.
Samba has also been installed as in the example here.
Domain Server : Windows Server 2012 R2
NetBIOS Name : FD3S01
Domain Name : srv.world
Hostname : fd3s.srv.world
Forest/Domain Functional Level : 2008 R2
[1] Get the Domain Administrator's Kerberos ticket and so on.
[root@smb ~]# yum -y install krb5-workstation
[root@smb ~]# vi /etc/krb5.conf
# change as follows (replace the realm with your own)

        default_realm = SRV.WORLD
        dns_lookup_realm = false
        dns_lookup_kdc = true

# change the DNS setting to refer to the AD server (replace the interface name and the AD server's IP with your own)

[root@smb ~]# nmcli connection modify eth0 ipv4.dns
[root@smb ~]# nmcli connection down eth0; nmcli connection up eth0
[root@smb ~]# kinit administrator
Password for administrator@SRV.WORLD:
[root@smb ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SRV.WORLD

Valid starting       Expires              Service principal
06/27/2018 19:24:52  06/28/2018 05:24:52  krbtgt/SRV.WORLD@SRV.WORLD
        renew until 06/28/2018 19:24:48
[2] Add the Samba DC to the existing AD.
[root@smb ~]# samba-tool domain join srv.world DC -U "FD3S01\administrator" --dns-backend=SAMBA_INTERNAL

Finding a writeable DC for domain 'srv.world'
Found DC FD3S.srv.world
Password for [FD3S01\administrator]:
workgroup is FD3S01
realm is srv.world
Adding CN=SMB,OU=Domain Controllers,DC=srv,DC=world
Adding CN=SMB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=world
Adding CN=NTDS Settings,CN=SMB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=world
Adding SPNs to CN=SMB,OU=Domain Controllers,DC=srv,DC=world
Setting account password for SMB$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
A Kerberos configuration suitable for Samba AD has been generated at /etc/samba/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=srv,DC=world
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[402/1436] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[804/1436] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[1206/1436] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[1608/1436] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[1743/1436] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=srv,DC=world] objects[402/2141] linked_values[0/24]
Partition[CN=Configuration,DC=srv,DC=world] objects[804/2141] linked_values[0/24]
Partition[CN=Configuration,DC=srv,DC=world] objects[1206/2141] linked_values[0/24]
Partition[CN=Configuration,DC=srv,DC=world] objects[1608/2141] linked_values[0/24]
Partition[CN=Configuration,DC=srv,DC=world] objects[1766/2141] linked_values[24/24]
Replicating critical objects from the base DN of the domain
Partition[DC=srv,DC=world] objects[109/108] linked_values[25/28]
Partition[DC=srv,DC=world] objects[376/4748] linked_values[28/28]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=srv,DC=world
Partition[DC=DomainDnsZones,DC=srv,DC=world] objects[34/34] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=srv,DC=world
Partition[DC=ForestDnsZones,DC=srv,DC=world] objects[18/18] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=srv,DC=world] objects[3] linked_values[0]
Committing SAM database
Adding 1 remote DNS records for SMB.srv.world
Adding DNS A record SMB.srv.world for IPv4 IP:
Adding DNS CNAME record ab920914-1b88-4df9-9146-f2d13d04830e._msdcs.srv.world for SMB.srv.world
All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
Replicating new DNS records in DC=DomainDnsZones,DC=srv,DC=world
Partition[DC=DomainDnsZones,DC=srv,DC=world] objects[1/35] linked_values[0/0]
Replicating new DNS records in DC=ForestDnsZones,DC=srv,DC=world
Partition[DC=ForestDnsZones,DC=srv,DC=world] objects[1/19] linked_values[0/0]
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain FD3S01 (SID S-1-5-21-1764851099-3332435390-390327390) as a DC

[root@smb ~]# systemctl restart samba

# verify that an AD user can authenticate to localhost

[root@smb ~]# smbclient // -U Serverworld -c 'ls'

Enter FD3S01\Serverworld's password:
  .                                   D        0  Wed Jun 27 19:50:09 2018
  ..                                  D        0  Wed Jun 27 19:50:14 2018

                27245572 blocks of size 1024. 24788736 blocks available

# verify the replication status with AD

[root@smb ~]# samba-tool drs showrepl

DSA Options: 0x00000001
DSA object GUID: ab920914-1b88-4df9-9146-f2d13d04830e
DSA invocationId: af571adc-be90-427f-8690-28aa93059b83


        Default-First-Site-Name\FD3S via RPC
                DSA object GUID: 856fa301-de41-4030-bd94-99dee8a4dd99
                Last attempt @ Wed Jun 27 14:32:26 2018 JST was successful
                0 consecutive failure(s).
                Last success @ Wed Jun 27 14:32:26 2018 JST

Connection --
        Connection name: 5837abaa-9bcc-40be-9136-5fe27da3dab2
        Enabled        : TRUE
        Server DNS name : FD3S.srv.world
        Server DN name  : CN=NTDS Settings,CN=FD3S,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=world
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
# the warning [No NC replicated for Connection!] can be ignored according to the Samba official site
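A post-join health check that parses the "samba-tool drs showrepl" output shown above, added here as an example and not part of the original page or of Samba itself. It treats a non-successful last attempt or a non-zero failure counter as a problem while ignoring the expected "No NC replicated for Connection!" warning; both samples are constructed, and the "failed, result ..." wording of the failing sample is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): check "samba-tool drs showrepl"
# output for replication problems after joining a Samba DC to an existing AD.
# The "No NC replicated for Connection!" warning is expected right after a
# join (per the Samba project) and is deliberately not counted as an error.

check_showrepl() {
    # $1: text captured from "samba-tool drs showrepl"
    # Returns 0 when every partner's last attempt succeeded and its failure
    # counter is 0, 1 otherwise.
    printf '%s\n' "$1" | awk '
        /Last attempt @/ && !/was successful/ { bad++ }
        /consecutive failure/                 { if ($1 + 0 > 0) bad++ }
        END { exit (bad > 0) }'
}

# Constructed sample in the format shown above: a healthy partner plus the
# harmless connection warning.
SAMPLE_OK='        Default-First-Site-Name\FD3S via RPC
                DSA object GUID: 856fa301-de41-4030-bd94-99dee8a4dd99
                Last attempt @ Wed Jun 27 14:32:26 2018 JST was successful
                0 consecutive failure(s).
                Last success @ Wed Jun 27 14:32:26 2018 JST
Warning: No NC replicated for Connection!'

# Constructed sample of a failing partner; the "failed, result ..." wording
# is assumed, not taken from the page.
SAMPLE_BAD='        Default-First-Site-Name\FD3S via RPC
                DSA object GUID: 856fa301-de41-4030-bd94-99dee8a4dd99
                Last attempt @ Wed Jun 27 15:02:10 2018 JST failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
                3 consecutive failure(s).
                Last success @ Wed Jun 27 14:32:26 2018 JST'

# On a real DC: check_showrepl "$(samba-tool drs showrepl)"
if check_showrepl "$SAMPLE_OK"; then echo "SAMPLE_OK: replication healthy"; else echo "SAMPLE_OK: PROBLEM"; fi
if check_showrepl "$SAMPLE_BAD"; then echo "SAMPLE_BAD: replication healthy"; else echo "SAMPLE_BAD: PROBLEM"; fi
```

Run it from cron or a monitoring agent on the new DC; a non-zero exit means the DC should not be relied on until replication with the Windows DC is repaired.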