This shows you the differences between two versions of the page.
join_samba4_as_additional_dc [2015/09/10 20:51] cbustillo [Verify /etc/hosts] |
join_samba4_as_additional_dc [2020/04/10 17:38] (current) |
Line 29: | Line 29: | ||
===== Getting ready for joining Samba as a DC to an existing domain ===== | ===== Getting ready for joining Samba as a DC to an existing domain ===== | ||
+ | |||
+ | You should remove any existing smb.conf in '/usr/local/samba/etc/' and the content in '/usr/local/samba/private/'. For Sernet Packages the locations are: '/etc/samba/smb.conf' and '/var/lib/samba/private' | ||
==== Verify /etc/hosts ==== | ==== Verify /etc/hosts ==== | ||
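Review bot: the new paragraph tells the reader to delete smb.conf and everything under the private directory without noting that this is not reversible; suggest adding that the step applies only to a host that is not already provisioned as a DC for some other domain, and that a backup of both locations (both the '/usr/local/samba' and the Sernet paths) be taken before anything is removed.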
Line 35: | Line 37: | ||
<code> | <code> | ||
- | 127.0.0.1 localhost.localdomain localhost | + | 127.0.0.1 localhost.localdomain localhost |
- | 10.12.112.86 DC2.redtic.uclv.cu DC2 | + | 10.12.112.85 redtic-ad2.redtic.uclv.cu redtic-ad2 |
</code> | </code> | ||
- | If the local hostname is resolved to 127.0.0.1, Samba would use this IP for the various DC DNS entries. This would prevent clients from reaching this Domain Controller! | + | If the local hostname is resolved to 127.0.0.1, Samba would use this IP for the various DC DNS entries. This would prevent clients from reaching this Domain Controller! |
+ | |||
+ | ==== DNS resolving ==== | ||
+ | |||
+ | Configure the host, you want to join as an additional Domain Controller, to use a DNS server that is able to resolve zones from the Active Directory. On Linux and Unixes, this is typically done by adding a „nameserver“ and „search domain“ entry to to /etc/resolv.conf: | ||
+ | |||
+ | <code> | ||
+ | domain redtic.uclv.cu | ||
+ | search redtic.uclv.cu | ||
+ | nameserver 10.12.112.84 #redtic-ad1's IP | ||
+ | </code> | ||
+ | |||
+ | Consult your distributions documentation for configuring the usage of a DNS server. To verify a correct name resolution, try resolving the hostname of one of your existing Domain Controllers: | ||
+ | |||
+ | <code> | ||
+ | # host -t A redtic-ad1.redtic.uclv.cu | ||
+ | redtic-ad1.redtic.uclv.cu has address 10.12.112.84 | ||
+ | </code> | ||
+ | |||
+ | ==== Kerberos ==== | ||
+ | |||
+ | Be sure, that you have your setup your existing domain correctly as your default realm in /etc/krb5.conf with the following options: | ||
- | * You should remove any existing smb.conf in '/usr/local/samba/etc/' and the content in '/usr/local/samba/private/'. For Sernet Packages the locations are: '/etc/samba/smb.conf' and '/var/lib/samba/private' | ||
- | * Be sure, that you have your setup your existing domain correctly as your default realm in /etc/krb5.conf with the following options: | ||
<code> | <code> | ||
[libdefaults] | [libdefaults] | ||
- | dns_lookup_realm = true | + | dns_lookup_realm = false |
dns_lookup_kdc = true | dns_lookup_kdc = true | ||
default_realm = REDTIC.UCLV.CU | default_realm = REDTIC.UCLV.CU | ||
</code> | </code> | ||
- | * Check your DNS config (/etc/resolv.conf) is pointing to the DC you want join. | + | You should then test to make sure that DNS and kerberos are setup correctly to point at your existing domain controller. Test that it is all working by trying a kinit as a domain administration: |
<code> | <code> | ||
- | domain redtic.uclv.cu | + | # kinit administrator |
- | search redtic.uclv.cu | + | # klist |
- | nameserver 10.12.112.84 #redtic-ad1's IP | + | |
</code> | </code> | ||
+ | ===== Joining the existing domain as a DC ===== | ||
+ | |||
+ | Before you start the joining, make yourself familiar with the parameters and options of „samba-tool domain join“: | ||
- | * You should then test to make sure that DNS and kerberos are setup correctly to point at your existing domain controller. Test that it is all working by trying a kinit as a domain administration: | ||
<code> | <code> | ||
- | # kinit administrator | + | # samba-tool domain join --help |
- | # klist | + | |
</code> | </code> | ||
+ | Expecially the following two options are required, if your future Domain Controllers have multiple NICs. Because „samba-tool“ would auto-choose one of the IPv4/IPv6 addresses, if multiple where found, it might be necessary to bind Samba to the desired interfaces using: | ||
- | ===== Joining the existing domain as a DC ===== | + | <code>--option="interfaces=lo eth0" --option="bind interfaces only=yes"</code> |
To join run the following command as root: | To join run the following command as root: | ||
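Review bot: the switch from "dns_lookup_realm = true" to "dns_lookup_realm = false" in the [libdefaults] block is left unexplained by the new text; since "default_realm = REDTIC.UCLV.CU" is set explicitly, a one-line remark that the realm no longer has to be discovered through DNS (only the KDC lookup still depends on it) would help readers who copy the block. Wording in the same hunk: "Expecially the following two options are required" should read "Especially", "if multiple where found" should read "were found", and "trying a kinit as a domain administration" should read "as a domain administrator". The new /etc/hosts entry (10.12.112.85, redtic-ad2) is consistent with the redtic-ad1 address 10.12.112.84 used in the resolv.conf and host examples, which is good.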
Line 92: | Line 114: | ||
printcap name = /dev/null | printcap name = /dev/null | ||
- | # DNS Forwarders, if you are using internal DNS | + | # DNS Forwarders, uncomment if you are using internal DNS |
- | dns forwarder = YOUR-FORWARDER's-IP | + | # dns forwarder = YOUR-FORWARDER's-IP |
</code> | </code> | ||
===== Check required DNS entries of the new host ===== | ===== Check required DNS entries of the new host ===== | ||
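Review bot: with "dns forwarder" now commented out, the shipped example only resolves the zones Samba's internal DNS is authoritative for; the comment should say that lookups for external names from domain clients will fail until a forwarder is set, and that the forwarder should be a resolver the DC administrator trusts, since every non-local query is handed to it. The placeholder "YOUR-FORWARDER's-IP" is fine as is.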
Line 128: | Line 150: | ||
# samba-tool dns add IP-of-your-DNS _msdcs.redtic.uclv.cu 737506d0-bfe6-40c8-815d-08c3dff7a67f CNAME redtic-ad2.redtic.uclv.cu -Uadministrator | # samba-tool dns add IP-of-your-DNS _msdcs.redtic.uclv.cu 737506d0-bfe6-40c8-815d-08c3dff7a67f CNAME redtic-ad2.redtic.uclv.cu -Uadministrator | ||
</code> | </code> | ||
+ | |||
+ | ===== Configure DNS Server ===== | ||
+ | |||
+ | Follow the steps in [[samba4_as_ad_dc#configure_dns|configure DNS Server.]] | ||
Now is time to put a "nameserver" entry of your new DC in your '/etc/resolv.conf'. Example: | Now is time to put a "nameserver" entry of your new DC in your '/etc/resolv.conf'. Example: | ||
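Review bot: the trailing period sits inside the link text in "[[samba4_as_ad_dc#configure_dns|configure DNS Server.]]"; move it outside the link. A blank line between that sentence and the following "Now is time to put a "nameserver" entry" paragraph would also keep the two steps from rendering as one block.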
Line 179: | Line 205: | ||
You can seize all five roles: rid, schema, naming, pdc and infrastructure (you can use "--role=all" to seize all at once). | You can seize all five roles: rid, schema, naming, pdc and infrastructure (you can use "--role=all" to seize all at once). | ||
+ | |||
+ | ====== Known issues and ways to fix/workaround ====== | ||
+ | ---- | ||
+ | |||
+ | If after join Samba4 as second domain controllers you receive the following error in the second DC in the logs file o after running manually "samba_dnsupdate --verbose": | ||
+ | |||
+ | <code> | ||
+ | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
+ | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
+ | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
+ | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
+ | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
+ | /usr/sbin/samba_dnsupdate: update failed: NOTAUTH | ||
+ | </code> | ||
+ | |||
+ | To solve the above, in the second DC (recently joined) put like dns server the DC1's IP address, ie: | ||
+ | /etc/resolv.conf | ||
+ | |||
+ | <code> | ||
+ | search yourdomain.com | ||
+ | nameserver ip-of-dc2 | ||
+ | nameserver ip-of-dc1 | ||
+ | </code> | ||
+ | |||
+ | Finally restart Samba o run: | ||
+ | |||
+ | <code> | ||
+ | # samba_dnsupdate --verbose | ||
+ | </code> | ||
+ | |||
+ | No you can see that all record are added successfully!!! | ||
====== A note on DNS updates ====== | ====== A note on DNS updates ====== |
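Review bot: the prose says to use DC1's address as the DNS server on the newly joined DC, but the /etc/resolv.conf example lists "nameserver ip-of-dc2" before "nameserver ip-of-dc1"; resolvers try nameservers in the listed order, so DC2 would still be consulted first. Either list ip-of-dc1 first or explain why the shown order works. The six identical "update failed: NOTAUTH" lines can be cut to one or two with a remark that the message repeats once per record. The example uses "yourdomain.com" while the rest of the page uses redtic.uclv.cu; one example domain throughout avoids confusion. Wording: "after join Samba4 as second domain controllers" should read "after joining Samba4 as a second domain controller", "in the logs file o after" and "restart Samba o run" should read "or", and "No you can see that all record are added" should read "Now you can see that all records are added".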