2 DCs with replication
Setting up two DCs with replication
Situation
Existing DC:
- Name: rumba
- IP: 192.168.242.201
- Is DNS: yes
Domain information:
- DNS domain name: xinux.test
- Kerberos realm: XINUX.TEST
- Domain admin: administrator
- Admin password: password
DC to be added:
- Name: tango
- IP: 192.168.242.200
Install samba4
- apt-get install samba smbclient winbind ntp libnss-winbind krb5-user acl
Preparations
- Both machines should be on the same network and be able to ping each other
- Adjust /etc/hosts: the machine must resolve itself under its own IP; delete its name from the localhost line
127.0.0.1        localhost
192.168.242.200  tango tango.xinux.test
- Adjust DNS (/etc/resolv.conf): enter the search domain and specify the existing DC as name server
nameserver 192.168.242.201
search xinux.test
- Test DNS:
host -t A rumba.xinux.test
rumba.xinux.test has address 192.168.242.201
Kerberos
The krb5.conf must contain the following entries:
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = XINUX.TEST
Test whether you can obtain a Kerberos ticket:
root@tango:~# kinit administrator
Password for administrator@XINUX.TEST:
root@tango:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@XINUX.TEST

Valid starting       Expires              Service principal
10.09.2015 11:08:57  10.09.2015 21:08:57  krbtgt/XINUX.TEST@XINUX.TEST
    renew until 11.09.2015 11:08:44
Joining the domain
- CAUTION: The default SAMBA4 password policies apply to the administrator password!
- Further information: samba-tool domain join --help
root@tango:~# rm /etc/samba/smb.conf
root@tango:~# samba-tool domain join XINUX.TEST DC -Uadministrator --realm=XINUX.TEST --dns-backend=SAMBA_INTERNAL
Output:
Finding a writeable DC for domain 'XINUX.TEST'
Found DC rumba.xinux.test
Password for [WORKGROUP\administrator]:
workgroup is XINUX
realm is xinux.test
checking sAMAccountName
Adding CN=TANGO,OU=Domain Controllers,DC=xinux,DC=test
Adding CN=TANGO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
Adding CN=NTDS Settings,CN=TANGO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
Adding SPNs to CN=TANGO,OU=Domain Controllers,DC=xinux,DC=test
Setting account password for TANGO$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=xinux,DC=test
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=xinux,DC=test] objects[402/1616] linked_values[0/0]
Partition[CN=Configuration,DC=xinux,DC=test] objects[804/1616] linked_values[0/0]
Partition[CN=Configuration,DC=xinux,DC=test] objects[1206/1616] linked_values[0/0]
Partition[CN=Configuration,DC=xinux,DC=test] objects[1608/1616] linked_values[0/0]
Partition[CN=Configuration,DC=xinux,DC=test] objects[1616/1616] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=xinux,DC=test] objects[97/97] linked_values[23/0]
Partition[DC=xinux,DC=test] objects[365/268] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=xinux,DC=test
Partition[DC=DomainDnsZones,DC=xinux,DC=test] objects[46/46] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=xinux,DC=test
Partition[DC=ForestDnsZones,DC=xinux,DC=test] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=xinux,DC=test] objects[36/18] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain XINUX (SID S-1-5-21-3964088599-1372953937-1397556401) as a DC
Displaying the replication
DC1:
root@rumba:~# samba-tool drs showrepl
Default-First-Site-Name\RUMBA
DSA Options: 0x00000001
DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
DSA invocationId: fc6eaa8e-a1cf-4af8-b919-f0af6abddb27

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=xinux,DC=test
    Default-First-Site-Name\TANGO via RPC
        DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
        Last attempt @ Thu Sep 10 11:30:34 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 10 11:30:34 2015 CEST

DC=ForestDnsZones,DC=xinux,DC=test
    Default-First-Site-Name\TANGO via RPC
        DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
        Last attempt @ Thu Sep 10 11:30:34 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 10 11:30:34 2015 CEST

DC=xinux,DC=test
    Default-First-Site-Name\TANGO via RPC
        DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
        Last attempt @ Thu Sep 10 11:30:59 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 10 11:30:59 2015 CEST

CN=Schema,CN=Configuration,DC=xinux,DC=test
    Default-First-Site-Name\TANGO via RPC
        DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
        Last attempt @ Thu Sep 10 11:30:34 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 10 11:30:34 2015 CEST

CN=Configuration,DC=xinux,DC=test
    Default-First-Site-Name\TANGO via RPC
        DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
        Last attempt @ Thu Sep 10 11:30:35 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 10 11:30:35 2015 CEST

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=xinux,DC=test
    Default-First-Site-Name\TANGO via RPC
        DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=xinux,DC=test
    Default-First-Site-Name\TANGO via RPC
        DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=xinux,DC=test
    Default-First-Site-Name\TANGO via RPC
        DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=xinux,DC=test
    Default-First-Site-Name\TANGO via RPC
        DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=xinux,DC=test
    Default-First-Site-Name\TANGO via RPC
        DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: f31d9725-b1a6-4450-93d4-8b62fabf609f
    Enabled        : TRUE
    Server DNS name : TANGO.xinux.test
    Server DN name  : CN=NTDS Settings,CN=TANGO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
DC2:
root@tango:~# samba-tool drs showrepl
Default-First-Site-Name\TANGO
DSA Options: 0x00000001
DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
DSA invocationId: 1278e3ce-dadf-4e44-be9a-43c591e8318d

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=xinux,DC=test
    Default-First-Site-Name\RUMBA via RPC
        DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
        Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 10 11:28:15 2015 CEST

DC=xinux,DC=test
    Default-First-Site-Name\RUMBA via RPC
        DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
        Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 10 11:28:15 2015 CEST

DC=DomainDnsZones,DC=xinux,DC=test
    Default-First-Site-Name\RUMBA via RPC
        DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
        Last attempt @ Thu Sep 10 11:31:28 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 10 11:31:28 2015 CEST

DC=ForestDnsZones,DC=xinux,DC=test
    Default-First-Site-Name\RUMBA via RPC
        DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
        Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 10 11:28:15 2015 CEST

CN=Configuration,DC=xinux,DC=test
    Default-First-Site-Name\RUMBA via RPC
        DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
        Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 10 11:28:15 2015 CEST

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=xinux,DC=test
    Default-First-Site-Name\RUMBA via RPC
        DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=xinux,DC=test
    Default-First-Site-Name\RUMBA via RPC
        DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=xinux,DC=test
    Default-First-Site-Name\RUMBA via RPC
        DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=xinux,DC=test
    Default-First-Site-Name\RUMBA via RPC
        DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=xinux,DC=test
    Default-First-Site-Name\RUMBA via RPC
        DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 2770037b-6291-442b-9b94-89c8d6c780c0
    Enabled        : TRUE
    Server DNS name : rumba.xinux.test
    Server DN name  : CN=NTDS Settings,CN=RUMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
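The showrepl output above is what a monitoring check on each DC should watch, since a partner that stops replicating leaves the two DCs with diverging account and password data. As an added example that is not part of the original page, a POSIX shell function that parses that output and flags every inbound partition reporting consecutive failures; both samples embedded in it are constructed in the shape shown above (the failure line is constructed too, nothing failed on this page).

```shell
# Added example, not part of the original page: flag inbound replication
# partners with failures in 'samba-tool drs showrepl' output.
# Both samples are constructed in the shape of the output shown above.
HEALTHY_SHOWREPL='Default-First-Site-Name\TANGO
==== INBOUND NEIGHBORS ====

DC=xinux,DC=test
    Default-First-Site-Name\RUMBA via RPC
        Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 10 11:28:15 2015 CEST

==== OUTBOUND NEIGHBORS ===='

# Same shape, but the Configuration partition has stopped replicating.
# The failure line is constructed; nothing on the page failed.
BROKEN_SHOWREPL='==== INBOUND NEIGHBORS ====

DC=xinux,DC=test
    Default-First-Site-Name\RUMBA via RPC
        Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 10 11:28:15 2015 CEST

CN=Configuration,DC=xinux,DC=test
    Default-First-Site-Name\RUMBA via RPC
        Last attempt @ Thu Sep 10 11:40:02 2015 CEST failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).
        Last success @ Thu Sep 10 11:28:15 2015 CEST

==== OUTBOUND NEIGHBORS ===='

# failed_inbound SHOWREPL_TEXT
# Prints "<partition> <failures>" for every inbound neighbour whose
# consecutive-failure count is non-zero; returns 1 if any were found, else 0.
failed_inbound() {
    printf '%s\n' "$1" | awk '
        /^==== INBOUND NEIGHBORS ====/ { inbound = 1; next }
        /^==== /                        { inbound = 0 }
        !inbound                        { next }
        /^(DC|CN)=/                     { part = $0; next }
        /consecutive failure/           { if ($1 + 0 > 0) { print part, $1; bad = 1 } }
        END                             { exit bad ? 1 : 0 }
    '
}

# On a real DC: failed_inbound "$(samba-tool drs showrepl)"
failed_inbound "$HEALTHY_SHOWREPL" && echo "healthy: all inbound partitions replicate"
failed_inbound "$BROKEN_SHOWREPL" || echo "broken: see partitions listed above"
```

The exit status makes the function usable directly from cron or a monitoring agent; the outbound section is deliberately ignored because, as the output above shows, it reports NTTIME(0) rather than real attempt times.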
A few adjustments
- cat /etc/nsswitch.conf
passwd: compat winbind
group:  compat winbind
- cat /etc/samba/smb.conf
dns forwarder = 192.168.255.250
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
registry shares = yes
- reboot
Checks
- wbinfo -t
checking the trust secret for domain LINUGGS via RPC calls succeeded
- wbinfo -p
Ping to winbindd succeeded
- wbinfo -u
LINUGGS\administrator
LINUGGS\franz.walter
LINUGGS\hans.mueller
LINUGGS\rudi.schmidt
LINUGGS\erwin.zott
LINUGGS\klaus.cewe
LINUGGS\hans.will
LINUGGS\krbtgt
SeDiskOperatorPrivilege
net rpc rights grant 'XINUX\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
Existing rights can be listed like this:
net rpc rights list accounts -Uadministrator