join_samba4_as_additional_dc
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
join_samba4_as_additional_dc [2015/09/10 20:51] cbustillo [Verify /etc/hosts] |
join_samba4_as_additional_dc [2020/04/10 17:38] (current) |
||
|---|---|---|---|
| Line 29: | Line 29: | ||
| ===== Getting ready for joining Samba as a DC to an existing domain ===== | ===== Getting ready for joining Samba as a DC to an existing domain ===== | ||
| + | |||
| + | You should remove any existing smb.conf in '/usr/local/samba/etc/' and the content in '/usr/local/samba/private/'. For Sernet Packages the locations are: '/etc/samba/smb.conf' and '/var/lib/samba/private' | ||
| ==== Verify /etc/hosts ==== | ==== Verify /etc/hosts ==== | ||
| Line 35: | Line 37: | ||
| <code> | <code> | ||
| - | 127.0.0.1 localhost.localdomain localhost | + | 127.0.0.1 localhost.localdomain localhost |
| - | 10.12.112.86 DC2.redtic.uclv.cu DC2 | + | 10.12.112.85 redtic-ad2.redtic.uclv.cu redtic-ad2 |
| </code> | </code> | ||
| - | If the local hostname is resolved to 127.0.0.1, Samba would use this IP for the various DC DNS entries. This would prevent clients from reaching this Domain Controller! | + | If the local hostname is resolved to 127.0.0.1, Samba would use this IP for the various DC DNS entries. This would prevent clients from reaching this Domain Controller! |
| + | |||
| + | ==== DNS resolving ==== | ||
| + | |||
| + | Configure the host, you want to join as an additional Domain Controller, to use a DNS server that is able to resolve zones from the Active Directory. On Linux and Unixes, this is typically done by adding a „nameserver“ and „search domain“ entry to to /etc/resolv.conf: | ||
| + | |||
| + | <code> | ||
| + | domain redtic.uclv.cu | ||
| + | search redtic.uclv.cu | ||
| + | nameserver 10.12.112.84 #redtic-ad1's IP | ||
| + | </code> | ||
| + | |||
| + | Consult your distributions documentation for configuring the usage of a DNS server. To verify a correct name resolution, try resolving the hostname of one of your existing Domain Controllers: | ||
| + | |||
| + | <code> | ||
| + | # host -t A redtic-ad1.redtic.uclv.cu | ||
| + | redtic-ad1.redtic.uclv.cu has address 10.12.112.84 | ||
| + | </code> | ||
| + | |||
| + | ==== Kerberos ==== | ||
| + | |||
| + | Be sure, that you have your setup your existing domain correctly as your default realm in /etc/krb5.conf with the following options: | ||
| - | * You should remove any existing smb.conf in '/usr/local/samba/etc/' and the content in '/usr/local/samba/private/'. For Sernet Packages the locations are: '/etc/samba/smb.conf' and '/var/lib/samba/private' | ||
| - | * Be sure, that you have your setup your existing domain correctly as your default realm in /etc/krb5.conf with the following options: | ||
| <code> | <code> | ||
| [libdefaults] | [libdefaults] | ||
| - | dns_lookup_realm = true | + | dns_lookup_realm = false |
| dns_lookup_kdc = true | dns_lookup_kdc = true | ||
| default_realm = REDTIC.UCLV.CU | default_realm = REDTIC.UCLV.CU | ||
| </code> | </code> | ||
| - | * Check your DNS config (/etc/resolv.conf) is pointing to the DC you want join. | + | You should then test to make sure that DNS and kerberos are setup correctly to point at your existing domain controller. Test that it is all working by trying a kinit as a domain administration: |
| <code> | <code> | ||
| - | domain redtic.uclv.cu | + | # kinit administrator |
| - | search redtic.uclv.cu | + | # klist |
| - | nameserver 10.12.112.84 #redtic-ad1's IP | + | |
| </code> | </code> | ||
| + | ===== Joining the existing domain as a DC ===== | ||
| + | |||
| + | Before you start the joining, make yourself familiar with the parameters and options of „samba-tool domain join“: | ||
| - | * You should then test to make sure that DNS and kerberos are setup correctly to point at your existing domain controller. Test that it is all working by trying a kinit as a domain administration: | ||
| <code> | <code> | ||
| - | # kinit administrator | + | # samba-tool domain join --help |
| - | # klist | + | |
| </code> | </code> | ||
| + | Expecially the following two options are required, if your future Domain Controllers have multiple NICs. Because „samba-tool“ would auto-choose one of the IPv4/IPv6 addresses, if multiple where found, it might be necessary to bind Samba to the desired interfaces using: | ||
| - | ===== Joining the existing domain as a DC ===== | + | <code>--option="interfaces=lo eth0" --option="bind interfaces only=yes"</code> |
| To join run the following command as root: | To join run the following command as root: | ||
| Line 92: | Line 114: | ||
| printcap name = /dev/null | printcap name = /dev/null | ||
| - | # DNS Forwarders, if you are using internal DNS | + | # DNS Forwarders, uncomment if you are using internal DNS |
| - | dns forwarder = YOUR-FORWARDER's-IP | + | # dns forwarder = YOUR-FORWARDER's-IP |
| </code> | </code> | ||
| ===== Check required DNS entries of the new host ===== | ===== Check required DNS entries of the new host ===== | ||
| Line 128: | Line 150: | ||
| # samba-tool dns add IP-of-your-DNS _msdcs.redtic.uclv.cu 737506d0-bfe6-40c8-815d-08c3dff7a67f CNAME redtic-ad2.redtic.uclv.cu -Uadministrator | # samba-tool dns add IP-of-your-DNS _msdcs.redtic.uclv.cu 737506d0-bfe6-40c8-815d-08c3dff7a67f CNAME redtic-ad2.redtic.uclv.cu -Uadministrator | ||
| </code> | </code> | ||
| + | |||
| + | ===== Configure DNS Server ===== | ||
| + | |||
| + | Follow the steps in [[samba4_as_ad_dc#configure_dns|configure DNS Server.]] | ||
| Now is time to put a "nameserver" entry of your new DC in your '/etc/resolv.conf'. Example: | Now is time to put a "nameserver" entry of your new DC in your '/etc/resolv.conf'. Example: | ||
| Line 179: | Line 205: | ||
| You can seize all five roles: rid, schema, naming, pdc and infrastructure (you can use "--role=all" to seize all at once). | You can seize all five roles: rid, schema, naming, pdc and infrastructure (you can use "--role=all" to seize all at once). | ||
| + | |||
| + | ====== Known issues and ways to fix/workaround ====== | ||
| + | ---- | ||
| + | |||
| + | If after join Samba4 as second domain controllers you receive the following error in the second DC in the logs file o after running manually "samba_dnsupdate --verbose": | ||
| + | |||
| + | <code> | ||
| + | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
| + | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
| + | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
| + | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
| + | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
| + | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
| + | </code> | ||
| + | |||
| + | To solve the above, in the second DC (recently joined) put like dns server the DC1's IP address, ie: | ||
| + | /etc/resolv.conf | ||
| + | |||
| + | <code> | ||
| + | search yourdomain.com | ||
| + | nameserver ip-of-dc2 | ||
| + | nameserver ip-of-dc1 | ||
| + | </code> | ||
| + | |||
| + | Finally restart Samba o run: | ||
| + | |||
| + | <code> | ||
| + | # samba_dnsupdate --verbose | ||
| + | </code> | ||
| + | |||
| + | No you can see that all record are added successfully!!! | ||
| ====== A note on DNS updates ====== | ====== A note on DNS updates ====== | ||
join_samba4_as_additional_dc.1441918317.txt.gz · Last modified: 2020/04/10 17:38 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
