Ubuntu 18.04
Samba : Samba AD DC : Add a Samba DC to an Existing AD
2018/06/27
 
Add a Samba DC to an already existing Windows Active Directory forest.
This example uses the following Active Directory environment.
Domain server : Windows Server 2012 R2
NetBIOS name : FD3S01
Domain name : srv.world
Realm : SRV.WORLD
Hostname : fd3s.srv.world
Forest/Domain functional level : 2008 R2
[1] Obtain a Kerberos ticket for the domain administrator user and complete the other preparations below.
root@smb:~# apt -y install krb5-user
root@smb:~# vi /etc/krb5.conf
# Change to the following (replace the realm with your own)

[libdefaults]
        default_realm = SRV.WORLD
        dns_lookup_realm = false
        dns_lookup_kdc = true

root@smb:~# systemctl stop systemd-resolved
root@smb:~# systemctl disable systemd-resolved
# Remove the resolv.conf symlink and create a regular file in its place
root@smb:~# ll /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Apr 27 10:30 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
root@smb:~# rm /etc/resolv.conf
root@smb:~# vi /etc/resolv.conf
# Point name resolution at the AD DNS server (replace the domain name with your own)

domain srv.world
nameserver 10.0.0.100

root@smb:~# kinit administrator
Password for administrator@SRV.WORLD:
root@smb:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SRV.WORLD

Valid starting       Expires              Service principal
06/27/2018 20:52:11  06/28/2018 06:52:11  krbtgt/SRV.WORLD@SRV.WORLD
        renew until 06/28/2018 20:52:07
[2] Add the Samba DC to the existing AD.
# Rename or delete the default configuration file
root@smb:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.org
root@smb:~# samba-tool domain join srv.world DC -U "FD3S01\administrator" --dns-backend=SAMBA_INTERNAL

Finding a writeable DC for domain 'srv.world'
Found DC FD3S.srv.world
Password for [FD3S01\administrator]:
workgroup is FD3S01
realm is srv.world
Adding CN=DLP,OU=Domain Controllers,DC=srv,DC=world
Adding CN=DLP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=world
Adding CN=NTDS Settings,CN=DLP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=world
Adding SPNs to CN=DLP,OU=Domain Controllers,DC=srv,DC=world
Setting account password for DLP$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=srv,DC=world
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[402/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[804/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[1206/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[1608/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[1743/1438] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=srv,DC=world] objects[402/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=world] objects[804/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=world] objects[1206/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=world] objects[1608/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=world] objects[1776/2159] linked_values[39/39]
Replicating critical objects from the base DN of the domain
Partition[DC=srv,DC=world] objects[110/110] linked_values[25/28]
Partition[DC=srv,DC=world] objects[381/4798] linked_values[28/28]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=srv,DC=world
Partition[DC=DomainDnsZones,DC=srv,DC=world] objects[36/36] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=srv,DC=world
Partition[DC=ForestDnsZones,DC=srv,DC=world] objects[19/19] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=srv,DC=world] objects[3] linked_values[0]
Committing SAM database
Adding 1 remote DNS records for DLP.srv.world
Adding DNS A record DLP.srv.world for IPv4 IP: 10.0.0.30
Adding DNS CNAME record e856365c-3f62-4774-b8a8-0c8b06d566c7._msdcs.srv.world for DLP.srv.world
All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
Replicating new DNS records in DC=DomainDnsZones,DC=srv,DC=world
Partition[DC=DomainDnsZones,DC=srv,DC=world] objects[1/36] linked_values[0/0]
Replicating new DNS records in DC=ForestDnsZones,DC=srv,DC=world
Partition[DC=ForestDnsZones,DC=srv,DC=world] objects[1/19] linked_values[0/0]
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain FD3S01 (SID S-1-5-21-1764851099-3332435390-390327390) as a DC

root@smb:~# systemctl stop smbd nmbd winbind
root@smb:~# systemctl disable smbd nmbd winbind
root@smb:~# systemctl unmask samba-ad-dc
Removed /etc/systemd/system/samba-ad-dc.service.
root@smb:~# systemctl start samba-ad-dc
root@smb:~# systemctl enable samba-ad-dc
# Confirm that an arbitrary AD user can authenticate against the local host
root@smb:~# smbclient //127.0.0.1/netlogon -U Serverworld -c 'ls'

Enter FD3S01\Serverworld's password:
  .                                   D        0  Wed Jun 27 20:54:35 2018
  ..                                  D        0  Wed Jun 27 20:54:35 2018

                29832064 blocks of size 1024. 26234432 blocks available

# Check the directory replication status
root@smb:~# samba-tool drs showrepl

Default-First-Site-Name\DLP
DSA Options: 0x00000001
DSA object GUID: e856365c-3f62-4774-b8a8-0c8b06d566c7
DSA invocationId: 6c2f7dda-a93e-4158-9b8b-3a494863c3d9

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=srv,DC=world
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: ab920914-1b88-4df9-9146-f2d13d04830e
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

.....
.....

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 465f7e2b-02ab-4d47-8265-9e5a7388ddd2
        Enabled        : TRUE
        Server DNS name : smb.srv.world
        Server DN name  : CN=NTDS Settings,CN=SMB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=world
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
# According to the official documentation, the "No NC replicated for Connection!" warning is harmless and need not be a concern
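As an added example (not code from the original page or from the Samba project), the following POSIX shell health check can be run on the new DC once the steps above are complete. It verifies that /etc/krb5.conf and /etc/resolv.conf still carry the realm and AD DNS address configured in step [1], and it parses `samba-tool drs showrepl` output for inbound neighbours that report consecutive replication failures, ignoring the harmless KCC warning mentioned above. The function names and the `--live` switch are my own; the realm SRV.WORLD and the nameserver 10.0.0.100 are the values used on this page.

```shell
#!/bin/sh
# Added example: post-join health check for a Samba AD DC (not part of the page).
# Every check is plain text parsing, so it also works on saved command output.

# Succeeds when the first default_realm in KRB5CONF equals REALM.
# Kerberos realms are case-sensitive, so the comparison is exact.
krb5_realm_ok() {
    krb5conf="$1"; realm="$2"
    found=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$krb5conf" | head -n 1)
    [ "$found" = "$realm" ]
}

# Succeeds when the first nameserver in RESOLVCONF is IP. A DC that resolves
# names through anything but AD DNS cannot locate its replication partners.
resolv_first_nameserver_is() {
    resolvconf="$1"; ip="$2"
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$resolvconf")
    [ "$first" = "$ip" ]
}

# Reads `samba-tool drs showrepl` output on stdin and prints one line per
# inbound neighbour whose consecutive failure count is non-zero, formatted as
# "<partition DN> <neighbour> <failures>". Returns 1 if anything was printed.
# Only the INBOUND NEIGHBORS section is inspected, so the KCC section's
# "No NC replicated for Connection!" warning is ignored by design.
showrepl_failures() {
    awk '
        /^==== /                                      { section = $0 }
        section ~ /INBOUND/ && /^[A-Z]+=/             { partition = $1 }
        section ~ /INBOUND/ && $2 == "via"            { neighbour = $1 }
        section ~ /INBOUND/ && /consecutive failure/  {
            n = $1 + 0
            if (n > 0) { print partition, neighbour, n; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Live run against this host, using the values from this page's environment.
if [ "${1:-}" = "--live" ]; then
    status=0
    krb5_realm_ok /etc/krb5.conf SRV.WORLD || { echo "krb5.conf: default_realm is not SRV.WORLD"; status=1; }
    resolv_first_nameserver_is /etc/resolv.conf 10.0.0.100 || { echo "resolv.conf: first nameserver is not 10.0.0.100"; status=1; }
    samba-tool drs showrepl | showrepl_failures || { echo "replication: inbound neighbours with failures are listed above"; status=1; }
    exit "$status"
fi
```

Run it as `sh dc-check.sh --live` on the DC; a non-zero exit means at least one check failed and the offending item was printed. Note that "Last success @ NTTIME(0)" in the showrepl output of a freshly joined DC only means no replication cycle has been recorded yet, so the parser keys on the consecutive failure counter rather than on that timestamp.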