join_samba4_as_additional_dc
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
join_samba4_as_additional_dc [2015/06/29 16:10] 127.0.0.1 external edit |
join_samba4_as_additional_dc [2020/04/10 17:38] (current) |
||
|---|---|---|---|
| Line 8: | Line 8: | ||
| Before you install Samba4, follow the steps in [[requeriments|Requeriments]] and then read the instrucctions in [[install_samba4|Install Samba4]] wiki page. If you choose BIND as DNS backend, instead of the internal DNS, then you, of course, have to finish this before you continue. Depending on your needs, you can have different backends on each of your DC. | Before you install Samba4, follow the steps in [[requeriments|Requeriments]] and then read the instrucctions in [[install_samba4|Install Samba4]] wiki page. If you choose BIND as DNS backend, instead of the internal DNS, then you, of course, have to finish this before you continue. Depending on your needs, you can have different backends on each of your DC. | ||
| + | |||
| + | ===== Prerequisites ===== | ||
| + | |||
| + | * The domain must be at least at forest functional level „2003 native“ (not interim!), to join a Samba DC. | ||
| + | * The forests schema must be maximum at version 47 (Server 2008 R2). If your forest is Samba driven, the schema version is 47. Only if you have Windows DCs, this has to be checked, by running on a Windows DC: | ||
| + | <code> | ||
| + | dsquery * “CN=Schema,CN=Configuration,DC=Root-Domäne” -Scope Base -attr objectVersion | ||
| + | </code> | ||
| //For the rest of this HowTo we assume that:// | //For the rest of this HowTo we assume that:// | ||
| Line 22: | Line 30: | ||
| ===== Getting ready for joining Samba as a DC to an existing domain ===== | ===== Getting ready for joining Samba as a DC to an existing domain ===== | ||
| - | * You should remove any existing smb.conf in '/usr/local/samba/etc/' and the content in '/usr/local/samba/private/'. For Sernet Packages the locations are: '/etc/samba/smb.conf' and '/var/lib/samba/private' | + | You should remove any existing smb.conf in '/usr/local/samba/etc/' and the content in '/usr/local/samba/private/'. For Sernet Packages the locations are: '/etc/samba/smb.conf' and '/var/lib/samba/private' |
| - | * Be sure, that you have your setup your existing domain correctly as your default realm in /etc/krb5.conf with the following options: | + | |
| + | ==== Verify /etc/hosts ==== | ||
| + | |||
| + | Verify that the local hostname isn't resolved to 127.0.0.1 in /etc/hosts: | ||
| + | |||
| + | <code> | ||
| + | 127.0.0.1 localhost.localdomain localhost | ||
| + | 10.12.112.85 redtic-ad2.redtic.uclv.cu redtic-ad2 | ||
| + | </code> | ||
| + | |||
| + | If the local hostname is resolved to 127.0.0.1, Samba would use this IP for the various DC DNS entries. This would prevent clients from reaching this Domain Controller! | ||
| + | |||
| + | ==== DNS resolving ==== | ||
| + | |||
| + | Configure the host, you want to join as an additional Domain Controller, to use a DNS server that is able to resolve zones from the Active Directory. On Linux and Unixes, this is typically done by adding a „nameserver“ and „search domain“ entry to to /etc/resolv.conf: | ||
| + | |||
| + | <code> | ||
| + | domain redtic.uclv.cu | ||
| + | search redtic.uclv.cu | ||
| + | nameserver 10.12.112.84 #redtic-ad1's IP | ||
| + | </code> | ||
| + | |||
| + | Consult your distributions documentation for configuring the usage of a DNS server. To verify a correct name resolution, try resolving the hostname of one of your existing Domain Controllers: | ||
| + | |||
| + | <code> | ||
| + | # host -t A redtic-ad1.redtic.uclv.cu | ||
| + | redtic-ad1.redtic.uclv.cu has address 10.12.112.84 | ||
| + | </code> | ||
| + | |||
| + | ==== Kerberos ==== | ||
| + | |||
| + | Be sure, that you have your setup your existing domain correctly as your default realm in /etc/krb5.conf with the following options: | ||
| <code> | <code> | ||
| [libdefaults] | [libdefaults] | ||
| - | dns_lookup_realm = true | + | dns_lookup_realm = false |
| dns_lookup_kdc = true | dns_lookup_kdc = true | ||
| default_realm = REDTIC.UCLV.CU | default_realm = REDTIC.UCLV.CU | ||
| </code> | </code> | ||
| - | * Check your DNS config (/etc/resolv.conf) is pointing to the DC you want join. | + | You should then test to make sure that DNS and kerberos are setup correctly to point at your existing domain controller. Test that it is all working by trying a kinit as a domain administration: |
| <code> | <code> | ||
| - | domain redtic.uclv.cu | + | # kinit administrator |
| - | search redtic.uclv.cu | + | # klist |
| - | nameserver 10.12.112.84 #redtic-ad1's IP | + | |
| </code> | </code> | ||
| + | ===== Joining the existing domain as a DC ===== | ||
| + | |||
| + | Before you start the joining, make yourself familiar with the parameters and options of „samba-tool domain join“: | ||
| - | * You should then test to make sure that DNS and kerberos are setup correctly to point at your existing domain controller. Test that it is all working by trying a kinit as a domain administration: | ||
| <code> | <code> | ||
| - | # kinit administrator | + | # samba-tool domain join --help |
| - | # klist | + | |
| </code> | </code> | ||
| + | Expecially the following two options are required, if your future Domain Controllers have multiple NICs. Because „samba-tool“ would auto-choose one of the IPv4/IPv6 addresses, if multiple where found, it might be necessary to bind Samba to the desired interfaces using: | ||
| - | ===== Joining the existing domain as a DC ===== | + | <code>--option="interfaces=lo eth0" --option="bind interfaces only=yes"</code> |
| To join run the following command as root: | To join run the following command as root: | ||
| Line 73: | Line 114: | ||
| printcap name = /dev/null | printcap name = /dev/null | ||
| - | # DNS Forwarders, if you are using internal DNS | + | # DNS Forwarders, uncomment if you are using internal DNS |
| - | dns forwarder = YOUR-FORWARDER's-IP | + | # dns forwarder = YOUR-FORWARDER's-IP |
| </code> | </code> | ||
| ===== Check required DNS entries of the new host ===== | ===== Check required DNS entries of the new host ===== | ||
| Line 109: | Line 150: | ||
| # samba-tool dns add IP-of-your-DNS _msdcs.redtic.uclv.cu 737506d0-bfe6-40c8-815d-08c3dff7a67f CNAME redtic-ad2.redtic.uclv.cu -Uadministrator | # samba-tool dns add IP-of-your-DNS _msdcs.redtic.uclv.cu 737506d0-bfe6-40c8-815d-08c3dff7a67f CNAME redtic-ad2.redtic.uclv.cu -Uadministrator | ||
| </code> | </code> | ||
| + | |||
| + | ===== Configure DNS Server ===== | ||
| + | |||
| + | Follow the steps in [[samba4_as_ad_dc#configure_dns|configure DNS Server.]] | ||
| Now is time to put a "nameserver" entry of your new DC in your '/etc/resolv.conf'. Example: | Now is time to put a "nameserver" entry of your new DC in your '/etc/resolv.conf'. Example: | ||
| Line 160: | Line 205: | ||
| You can seize all five roles: rid, schema, naming, pdc and infrastructure (you can use "--role=all" to seize all at once). | You can seize all five roles: rid, schema, naming, pdc and infrastructure (you can use "--role=all" to seize all at once). | ||
| + | |||
| + | ====== Known issues and ways to fix/workaround ====== | ||
| + | ---- | ||
| + | |||
| + | If after join Samba4 as second domain controllers you receive the following error in the second DC in the logs file o after running manually "samba_dnsupdate --verbose": | ||
| + | |||
| + | <code> | ||
| + | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
| + | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
| + | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
| + | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
| + | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
| + | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
| + | </code> | ||
| + | |||
| + | To solve the above, in the second DC (recently joined) put like dns server the DC1's IP address, ie: | ||
| + | /etc/resolv.conf | ||
| + | |||
| + | <code> | ||
| + | search yourdomain.com | ||
| + | nameserver ip-of-dc2 | ||
| + | nameserver ip-of-dc1 | ||
| + | </code> | ||
| + | |||
| + | Finally restart Samba o run: | ||
| + | |||
| + | <code> | ||
| + | # samba_dnsupdate --verbose | ||
| + | </code> | ||
| + | |||
| + | No you can see that all record are added successfully!!! | ||
| ====== A note on DNS updates ====== | ====== A note on DNS updates ====== | ||
join_samba4_as_additional_dc.1435594252.txt.gz · Last modified: 2020/04/10 17:38 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
