Samba: Join an additional Domain Controller to Samba Active Directory

Hi,


These steps describe how to join an additional Domain Controller to your previously built Active Directory. First make sure you have a time server running in your network; if not, I described how to install and configure ntp for Linux in this post. ntpd can run on the same machine as Samba.

Also configure a static IP address; in this example it is 192.168.254.7.

Base System is Linux Debian 9 stretch

Active Directory domain: franken.local

Install the packages. Kerberos REALM: FRANKEN.LOCAL (the domain name in uppercase), Kerberos server and administration server: frankendc1.franken.local. These Kerberos parameters will be overwritten later when krb5.conf is copied from the first DC.

root@debdev: ~ # apt-get update && apt-get upgrade && apt-get -y install samba attr dnsutils net-tools smbclient krb5-user krb5-config winbind libpam-winbind libnss-winbind libpam-krb5 

Disable the legacy Samba daemons

root@frankendc1: ~ # systemctl stop smbd nmbd winbind
root@frankendc1: ~ # systemctl disable smbd nmbd winbind

Set your hostname and reboot

root@debdev2: ~ # hostnamectl set-hostname frankendc2
root@debdev2: ~ # reboot

Move or delete the default smb.conf file; samba-tool domain join writes a new one

root@frankendc2: ~ # mv /etc/samba/smb.conf /etc/samba/smb.conf.org

Create a new /etc/resolv.conf with your Active Directory domain in the search list and the static IP of the first Domain Controller as DNS server.

search franken.local
nameserver 192.168.254.6

Check name resolution and connection

root@frankendc2: ~ # nslookup franken.local
Server:         192.168.254.6
Address:        192.168.254.6#53

Name:   franken.local
Address: 192.168.254.6
Name:   franken.local
Address: 192.168.254.6

root@frankendc2: ~ # nslookup frankendc1.franken.local
Server:         192.168.254.6
Address:        192.168.254.6#53

Name:   frankendc1.franken.local
Address: 192.168.254.6
Name:   frankendc1.franken.local
Address: 192.168.254.6

root@frankendc2: ~ # ping frankendc1.franken.local
PING franken.local (192.168.254.6) 56(84) bytes of data.
64 bytes from 192.168.254.6 (192.168.254.6): icmp_seq=1 ttl=64 time=0.202 ms

Configure Kerberos to use the existing Active Directory: copy krb5.conf from frankendc1.

root@frankendc2: ~# scp root@frankendc1.franken.local:/etc/krb5.conf /etc

Then get a Kerberos ticket for the Active Directory.

root@frankendc2: ~# kinit administrator@FRANKEN.LOCAL
Warning: Your password will expire in 41 days on Fri Nov 29 22:19:41 2018

Join the domain

Enable Samba

root@frankendc1: ~ # systemctl unmask samba-ad-dc
root@frankendc1: ~ # systemctl start samba-ad-dc
root@frankendc1: ~ # systemctl enable samba-ad-dc

Note: This command uses the machine's hostname as the DC hostname.

root@frankendc2: ~ # samba-tool domain join franken.local DC --dns-backend=SAMBA_INTERNAL
...
Partition[DC=ForestDnsZones,DC=franken,DC=local] objects[18/18] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain FRANKEN (SID S-1-5-21-2606902105-126693256-2254647617) as a DC

Check replication. The warning "No NC replicated for Connection!" can be ignored.

root@frankendc2:~# samba-tool drs showrepl
Default-First-Site-Name\FRANKENDC2
DSA Options: 0x00000001
DSA object GUID: 8114c3d2-42a9-4947-a632-2fed6e324fe1
DSA invocationId: 1b324895-a661-48ce-9095-30cbbeef8047

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=franken,DC=local
        Default-First-Site-Name\FRANKENDC1 via RPC
                DSA object GUID: 60393ae0-dd77-4f62-9e8c-46a9e467fbdf
                Last attempt @ Fri Oct 19 12:14:35 2018 CEST was successful
                0 consecutive failure(s).
                Last success @ Fri Oct 19 12:14:35 2018 CEST
.....
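The showrepl output above has to be read by eye; a script that flags every neighbor with a non-zero consecutive failure count is handier for a cron or monitoring check. This is an added example, not part of the original post: the script name is an assumption, and the embedded sample output is constructed in the format shown above (one healthy and one failing link).

```shell
#!/bin/sh
# check-showrepl.sh (added example, not from the original post): parse the
# output of "samba-tool drs showrepl" and report every neighbor with a non-zero
# consecutive failure count. Exit 0 = healthy, 1 = at least one failing link.
# Usage on the new DC:   samba-tool drs showrepl | ./check-showrepl.sh check

check_showrepl() {
    awk '
        BEGIN { bad = 0; section = "?" }
        /^==== /           { section = $2 }          # INBOUND / OUTBOUND / KCC
        /^(DC|CN)=/        { partition = $0 }        # naming context being replicated
        / via /            { sub(/^[ \t]+/, ""); neighbor = $0 }
        /consecutive failure/ {
            n = $1 + 0
            if (n > 0) {
                printf "%s %s <- %s: %d consecutive failure(s)\n", section, partition, neighbor, n
                bad = 1
            }
        }
        # "Warning: No NC replicated for Connection!" lines carry no counter and are ignored
        END { exit bad }
    ' "$@"
}

# Constructed sample in the showrepl format: one healthy and one failing link.
sample_showrepl() {
    cat <<'EOF'
Default-First-Site-Name\FRANKENDC2
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=franken,DC=local
        Default-First-Site-Name\FRANKENDC1 via RPC
                Last attempt @ Fri Oct 19 12:14:35 2018 CEST was successful
                0 consecutive failure(s).
                Last success @ Fri Oct 19 12:14:35 2018 CEST

DC=franken,DC=local
        Default-First-Site-Name\FRANKENDC1 via RPC
                Last attempt @ Fri Oct 19 12:19:35 2018 CEST failed
                3 consecutive failure(s).
                Last success @ Fri Oct 19 12:04:35 2018 CEST
EOF
}

# "check" reads showrepl output from stdin (or a file); "demo" runs the sample.
case "${1:-}" in
    check) shift; check_showrepl "$@" ;;
    demo)  sample_showrepl | check_showrepl ;;
esac
```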

Compare Objects between 2 Domain controllers

root@frankendc2:~# samba-tool ldapcmp ldap://frankendc1.franken.local ldap://frankendc2.franken.local 

* Comparing [DOMAIN] context...

* Objects to be compared: 263

* Result for [DOMAIN]: SUCCESS

* Comparing [CONFIGURATION] context...

* Objects to be compared: 1615

* Result for [CONFIGURATION]: SUCCESS
....

Configure sysvol replication (not implemented by Samba yet). Log in to frankendc1 and install rsyncd

root@frankendc1:~# apt-get install rsync

Create a file /etc/rsyncd.conf. Adjust the path to the sysvol folder (see /etc/samba/smb.conf)

[SysVol]
path = /var/lib/samba/sysvol/
comment = Samba Sysvol Share
uid = root
gid = root
read only = yes
auth users = sysvol-replication
secrets file = /etc/samba/rsyncd-sysvol.secret

Then create the /etc/samba/rsyncd-sysvol.secret file containing the user sysvol-replication and its password, separated by a colon

sysvol-replication:$y$VOls$ecretRepli

and set permissions

chmod 500 /etc/samba/rsyncd-sysvol.secret

Set RSYNC_ENABLE=true in /etc/default/rsync
Start rsyncd

root@frankendc1:~# systemctl enable rsync
root@frankendc1:~# systemctl start rsync

Install rsync and also create the /etc/samba/rsyncd-sysvol.secret file on the other DCs with only the password in it

$y$VOls$ecretRepli

Then try to access the sysvol folder

root@frankendc2: ~# rsync  rsync://sysvol-replication@frankendc1.franken.local:/SysVol
Password:
drwxrwx---          4,096 2018/10/18 23:17:21 .
drwxrwx---          4,096 2018/10/18 23:17:31 Policies
drwxrwx---          4,096 2018/10/18 22:19:24 franken.local

And try to fetch the whole sysvol (as a dry run first)

root@frankendc2: ~# rsync --dry-run -XAavz --delete-after --password-file=/etc/samba/rsyncd-sysvol.secret rsync://sysvol-replication@frankendc1.franken.local:/SysVol /var/lib/samba/sysvol/  
receiving file list ... done
./
Policies/
Policies/PolicyDefinition/
Policies/PolicyDefinition/de-DE/
Policies/PolicyDefinition/en-US/
franken.local/
....

If successful, add a cron job (without the --dry-run parameter) which pulls the sysvol folder every 5 minutes

root@frankendc2: ~# crontab -e


*/5 * * * * rsync -XAavz --delete-after --password-file=/etc/samba/rsyncd-sysvol.secret rsync://sysvol-replication@frankendc1.franken.local:/SysVol /var/lib/samba/sysvol/
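The bare cron line runs rsync unattended with no check that the password file is still locked down, no protection against overlapping runs and no record of failures. The wrapper below is an added example, not from the original post: module, hostnames and paths are the post's, while the script name, lock file and log tag are assumptions.

```shell
#!/bin/sh
# sysvol-sync.sh (added example, not from the original post): a cron wrapper for
# the rsync pull shown above. Module, hostnames and paths are the post's; the
# script name, lock file and log tag are assumptions.
SRC="rsync://sysvol-replication@frankendc1.franken.local:/SysVol"
DST="/var/lib/samba/sysvol/"
SECRET="/etc/samba/rsyncd-sysvol.secret"
LOCK="/run/sysvol-sync.lock"

# The password file must belong to the user running the pull (root under cron)
# and grant group/other nothing: rsync itself only rejects a password file
# that is readable by others, so a group-readable one would slip through.
check_secret_perms() {
    f="$1"
    [ -f "$f" ] || { echo "missing secrets file: $f" >&2; return 1; }
    owner=$(stat -c '%u' "$f")
    mode=$(stat -c '%a' "$f")
    [ "$owner" = "$(id -u)" ] || { echo "$f: not owned by uid $(id -u)" >&2; return 1; }
    case "$mode" in
        *00) return 0 ;;   # e.g. 400, 500 (as in the post), 600, 700
        *)   echo "$f: mode $mode grants group/other access" >&2; return 1 ;;
    esac
}

# Pull SYSVOL with the post's options minus -v (cron would mail every verbose run).
# Pass any non-empty $1 to add --dry-run for a manual test.
sync_sysvol() {
    check_secret_perms "$SECRET" || return 1
    rsync ${1:+--dry-run} -XAaz --delete-after \
        --password-file="$SECRET" "$SRC" "$DST"
}

main() {
    # flock keeps two cron runs from overlapping when a pull takes longer than 5 minutes
    exec 9>"$LOCK"
    flock -n 9 || { logger -t sysvol-sync "previous run still active, skipping"; return 0; }
    sync_sysvol "${DRYRUN:-}"; rc=$?
    if [ "$rc" -eq 0 ]; then
        logger -t sysvol-sync "SYSVOL pull from frankendc1 succeeded"
    else
        logger -t sysvol-sync -p user.err "SYSVOL pull from frankendc1 failed (rc=$rc)"
    fi
    return "$rc"
}

# Invoke as "sysvol-sync.sh run" (DRYRUN=1 for a test run); the functions can also be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

The crontab entry then becomes `*/5 * * * * /usr/local/sbin/sysvol-sync.sh run`, and failures show up in syslog under the sysvol-sync tag.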

Michael
