I have set up a new Samba Active Directory DC on Fedora 25 with samba-4.5.8-1.fc25.x86_64, rebuilt from the src.rpm with the DC option enabled. This system (fedora-addc) is only an AD DC. In the next days I will deploy another CentOS 7 Samba member server with the standard samba-4.4.4 rpm (without DC enabled) and join it to the Fedora AD DC to manage user data.

After installing BIND DNS and the newly rebuilt Samba rpms, I followed this howto to set up the AD:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

I used this samba-tool command to deploy:

samba-tool domain provision --realm=solinos.loc --domain=solinos \
    --dns-backend=BIND9_DLZ --use-rfc2307 \
    --server-role=dc --function-level=2008_R2 \
    --use-xattr=yes

This is my current automatically generated smb.conf file:

# Global parameters
[global]
        netbios name = FEDORA-ADDC
        realm = SOLINOS.LOC
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SOLINOS
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        template homedir = /home/%U

[netlogon]
        path = /var/lib/samba/sysvol/solinos.loc/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

I have also set up NTP as in the howto.

At this point, in this test environment, everything works fine: I can manage users, groups and DNS entries, I have joined some Windows clients to it for testing, and the new Samba users are recognized by Linux:

[root@fedora-addc ~]# id ospite
uid=3000017(SOLINOS\ospite) gid=100(users) groups=100(users),3000017(SOLINOS\ospite),3000009(BUILTIN\users)

Now my questions are:

Are there other things I must do on the AD DC?

Which parameters is it better to add to smb.conf?

Why is administrator mapped to root?

[root@fedora-addc ~]# id administrator
uid=0(root) gid=0(root) groups=0(root)

And if I add administrator to "Domain Admins" nothing changes:

# samba-tool group addmembers 'Domain Admins' Administrator
# samba-tool group listmembers 'Domain Admins'
Administrator
# id administrator
uid=0(root) gid=0(root) groups=0(root)

Please let me know; this is my first Samba AD DC + Samba AD member server implementation, and tomorrow I must deploy it all into production servers.

Many thanks.

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
On Tue, 25 Apr 2017 14:07:05 +0200
Dario Lesca via samba <samba@lists.samba.org> wrote:

> I have set up a new Samba Active Directory DC on Fedora 25 with
> samba-4.5.8-1.fc25.x86_64, rebuilt from the src.rpm with the DC option
> enabled.
> 
> This system (fedora-addc) is only an AD DC. In the next days I will
> deploy another CentOS 7 Samba member server with the standard
> samba-4.4.4 rpm (without DC enabled) and join it to the Fedora AD DC to
> manage user data.
> 
> After installing BIND DNS and the newly rebuilt Samba rpms, I followed
> this howto to set up the AD:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> 
> I used this samba-tool command to deploy:
> 
> samba-tool domain provision --realm=solinos.loc --domain=solinos \
>     --dns-backend=BIND9_DLZ --use-rfc2307 \
>     --server-role=dc --function-level=2008_R2 \
>     --use-xattr=yes
> 
> At this point, in this test environment, everything works fine: I can
> manage users, groups and DNS entries, I have joined some Windows
> clients to it for testing, and the new Samba users are recognized by
> Linux:
> 
> [root@fedora-addc ~]# id ospite
> uid=3000017(SOLINOS\ospite) gid=100(users)
> groups=100(users),3000017(SOLINOS\ospite),3000009(BUILTIN\users)
> 

This is ONLY on the Samba AD DC; when you come to set up a Unix domain member you will need to set it up so that the OS can recognise the AD users. All the info is in the wiki.

> Now my questions are:
> 
> Are there other things I must do on the AD DC?

Only if you are going to use the DC as a fileserver as well.

> 
> Which parameters is it better to add to smb.conf?

Do not add anything until you have researched it properly, and only then if you are 100% sure you need it; you probably don't need to add anything.

> 
> Why is administrator mapped to root?
> 
> [root@fedora-addc ~]# id administrator
> uid=0(root) gid=0(root) groups=0(root)

So that Administrator can do the things that root can do.

> 
> And if I add administrator to "Domain Admins" nothing changes:

That was a waste of time, Administrator was already a member of Domain Admins.

> # samba-tool group addmembers 'Domain Admins' Administrator
> # samba-tool group listmembers 'Domain Admins'
> Administrator
> # id administrator
> uid=0(root) gid=0(root) groups=0(root)
> 
> Please let me know; this is my first Samba AD DC + Samba AD member
> server implementation, and tomorrow I must deploy it all into
> production servers.
> 

You seem to be doing okay at the moment, next stop the Unix domain member ;-)

Rowland
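The question "why is administrator mapped to root?" and the answer "so that Administrator can do the things that root can do" both come down to the DC's own SID-to-Unix-ID table, idmap.ldb. The following is an added example written for this page (it is not code from the thread, from Samba, or from the wiki): it parses SIDs and models the two behaviours visible in the `id` output above, a fixed mapping of the domain Administrator (RID 500) to uid 0 and first-come allocation from the 3000000 range for every SID that has neither a stored mapping nor an rfc2307 uidNumber/gidNumber. The domain SID, the seed mappings (Administrator to uid 0, Domain Users to gid 100, consistent with `gid=100(users)` in the thread), the 3000000 base and the allocation order are assumptions that match the output shown, not values read from the poster's DC.

```python
"""
Added example (not from the thread or from Samba's own code): a model of the
SID -> Unix ID mapping a Samba AD DC keeps in idmap.ldb, showing why
`id administrator` prints uid 0 while `id ospite` prints 3000017.
The domain SID used in __main__ is a constructed placeholder.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ID_TYPE_UID, ID_TYPE_GID, ID_TYPE_BOTH = "ID_TYPE_UID", "ID_TYPE_GID", "ID_TYPE_BOTH"
# S-<revision>-<48-bit authority>-<1..15 sub-authorities>; the last one is the RID.
SID_RE = re.compile(r"S-1-\d+(?:-\d+){1,15}")


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Split a textual SID into (revision, identifier authority, sub-authorities)."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    if authority >= 1 << 48:
        raise ValueError("identifier authority must fit in 48 bits")
    return revision, authority, subs


def rid(sid: str) -> int:
    """Relative identifier: 500 is the domain Administrator, 513 Domain Users."""
    return parse_sid(sid)[2][-1]


@dataclass
class IdmapLdb:
    """Minimal stand-in for idmap.ldb on a DC.

    rfc2307 holds what `idmap_ldb:use rfc2307 = yes` would read from AD
    (SID -> (type, uidNumber/gidNumber)); table holds stored mappings."""
    domain_sid: str
    rfc2307: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    next_xid: int = 3000000  # assumption: Samba's default xid base on a DC
    table: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Seed mappings assumed to be written at provision time; they match the
        # thread's output (Administrator -> root, Domain Users -> gid 100 "users").
        self.table[f"{self.domain_sid}-500"] = (ID_TYPE_UID, 0)
        self.table[f"{self.domain_sid}-513"] = (ID_TYPE_GID, 100)

    def lookup(self, sid: str) -> Tuple[str, int]:
        """Stored mapping first, then rfc2307 attributes, else allocate.

        Allocated IDs are ID_TYPE_BOTH, which is why a user's own SID also
        shows up as a group in `id` output (3000017 appears twice above)."""
        parse_sid(sid)  # reject garbage before touching the table
        if sid in self.table:
            return self.table[sid]
        if sid in self.rfc2307:
            self.table[sid] = self.rfc2307[sid]
            return self.table[sid]
        mapping = (ID_TYPE_BOTH, self.next_xid)
        self.next_xid += 1
        self.table[sid] = mapping
        return mapping

    def is_root(self, sid: str) -> bool:
        """True when the DC will treat this SID as uid 0 on its filesystem."""
        kind, xid = self.lookup(sid)
        return kind in (ID_TYPE_UID, ID_TYPE_BOTH) and xid == 0


if __name__ == "__main__":
    dom = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder
    idmap = IdmapLdb(dom)
    for name, sid in [("administrator", f"{dom}-500"), ("BUILTIN\\users", "S-1-5-32-545"),
                      ("ospite", f"{dom}-1105"), ("Domain Admins", f"{dom}-512")]:
        kind, xid = idmap.lookup(sid)
        print(f"{name:15} RID {rid(sid):>4} -> {kind:12} {xid}  root={idmap.is_root(sid)}")
```

Two things follow from the model. Membership is irrelevant to the mapping: it is keyed on the account's own SID, so adding Administrator to Domain Admins cannot change `id administrator`, and conversely a second member of Domain Admins does not become uid 0. And the 3000000-range numbers are allocated per idmap.ldb, so they are only stable on this DC; a domain member using the rid or autorid backend will compute different IDs for the same users, which matters the moment files or NFS exports are shared between hosts. Setting uidNumber/gidNumber in AD (the rfc2307 path in `lookup`) is what gives the same user the same ID everywhere.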
On Tue, 25/04/2017 at 13:26 +0100, Rowland Penny via samba wrote:
> On Tue, 25 Apr 2017 14:07:05 +0200
> Dario Lesca via samba <samba@lists.samba.org> wrote:
> 
> > I have set up a new Samba Active Directory DC on Fedora 25 with
> > samba-4.5.8-1.fc25.x86_64, rebuilt from the src.rpm with the DC
> > option enabled.
> > 
> > This system (fedora-addc) is only an AD DC. In the next days I will
> > deploy another CentOS 7 Samba member server with the standard
> > samba-4.4.4 rpm (without DC enabled) and join it to the Fedora AD DC
> > to manage user data.
> > 
> > After installing BIND DNS and the newly rebuilt Samba rpms, I
> > followed this howto to set up the AD:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> > 
> > I used this samba-tool command to deploy:
> > 
> > samba-tool domain provision --realm=solinos.loc --domain=solinos \
> >     --dns-backend=BIND9_DLZ --use-rfc2307 \
> >     --server-role=dc --function-level=2008_R2 \
> >     --use-xattr=yes
> > 
> > At this point, in this test environment, everything works fine: I
> > can manage users, groups and DNS entries, I have joined some Windows
> > clients to it for testing, and the new Samba users are recognized by
> > Linux:
> > 
> > [root@fedora-addc ~]# id ospite
> > uid=3000017(SOLINOS\ospite) gid=100(users)
> > groups=100(users),3000017(SOLINOS\ospite),3000009(BUILTIN\users)
> > 
> 
> This is ONLY on the Samba AD DC; when you come to set up a Unix domain
> member you will need to set it up so that the OS can recognise the AD
> users. All the info is in the wiki.
> 
> > Now my questions are:
> > 
> > Are there other things I must do on the AD DC?
> 
> Only if you are going to use the DC as a fileserver as well.
> 
> > 
> > Which parameters is it better to add to smb.conf?
> 
> Do not add anything until you have researched it properly, and only
> then if you are 100% sure you need it; you probably don't need to add
> anything.
> 
> > 
> > Why is administrator mapped to root?
> > 
> > [root@fedora-addc ~]# id administrator
> > uid=0(root) gid=0(root) groups=0(root)
> 
> So that Administrator can do the things that root can do.
> 
> > 
> > And if I add administrator to "Domain Admins" nothing changes:
> 
> That was a waste of time, Administrator was already a member of
> Domain Admins.
> 
> > # samba-tool group addmembers 'Domain Admins' Administrator
> > # samba-tool group listmembers 'Domain Admins'
> > Administrator
> > # id administrator
> > uid=0(root) gid=0(root) groups=0(root)
> > 
> > Please let me know; this is my first Samba AD DC + Samba AD member
> > server implementation, and tomorrow I must deploy it all into
> > production servers.
> > 
> 
> You seem to be doing okay at the moment, next stop the Unix domain
> member ;-)

Thanks Rowland, so the AD DC is OK.

This little virtual server (3 GB of disk) must do only DNS and AD DC for my network. However, I would also like to enable the DHCP service, and I think it is right to activate it on this server.

What is the best way to do so? Is it possible to enable ISC DHCP and have it automatically update the AD DC zone, in this case the solinos.loc zone?

Let me know some suggestions. Thanks.

Now I will try to set up a Samba domain member and join it to this AD DC.

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
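The DHCP question above (ISC DHCP on the DC, automatically updating the solinos.loc zone) is usually answered with a lease-event hook that drives `nsupdate -g` against the AD-integrated zone, which accepts GSS-TSIG (Kerberos-signed) updates. The script below is an added example written for this page, not the poster's setup, not Samba's code and not the wiki's hook script. It assumes a dedicated AD account `dhcpduser` whose keytab has been exported to /etc/dhcpduser.keytab and which has been granted update rights on the zone, the DC name `fedora-addc.solinos.loc` from the thread, the credential cache path /run/dhcpd-dns.ccache, and the dhcpd.conf `on commit` / `on release` stanzas shown in the docstring; all of those are assumptions. The point that is easy to miss is the input validation: the `host-name` option dhcpd hands to the hook is chosen by the DHCP client, so anything that is not a single DNS label, or that names the DC or the service labels clients use to find it, is refused before it can reach nsupdate.

```python
#!/usr/bin/env python3
"""
Added example (not from the thread, the Samba wiki or ISC): a dhcpd hook that
pushes A and PTR records for leases into the AD-integrated zone using
`nsupdate -g`, authenticating as a dedicated service account, not Administrator.

Assumed dhcpd.conf stanzas (placeholders, not from the poster's config):
    on commit {
        set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
        set ClientName = pick-first-value(option host-name, "none");
        execute("/usr/local/sbin/dhcp-dns-update.py", "add", ClientName, ClientIP);
    }
    on release {
        set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
        set ClientName = pick-first-value(option host-name, "none");
        execute("/usr/local/sbin/dhcp-dns-update.py", "delete", ClientName, ClientIP);
    }
"""
import ipaddress
import os
import re
import subprocess
import sys

ZONE = "solinos.loc"
DNS_SERVER = "fedora-addc.solinos.loc"
REALM = "SOLINOS.LOC"
PRINCIPAL = f"dhcpduser@{REALM}"      # assumption: dedicated AD account for DHCP
KEYTAB = "/etc/dhcpduser.keytab"       # assumption: its exported keytab
CCACHE = "/run/dhcpd-dns.ccache"       # assumption: private credential cache
TTL = 3600
# Names a DHCP client must never be allowed to claim: the DC itself and the
# labels clients resolve to locate domain services. host-name is client data.
RESERVED = {"fedora-addc", "gc", "dc", "_msdcs", "domaindnszones", "forestdnszones"}
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def validate_hostname(name: str) -> str:
    """Accept exactly one DNS label. Dots, whitespace and newlines are rejected
    so a client cannot target another name or zone or smuggle extra nsupdate
    commands; reserved names are refused outright."""
    label = name.strip().lower()
    if not LABEL_RE.fullmatch(label):
        raise ValueError(f"refusing hostname {name!r}")
    if label in RESERVED:
        raise ValueError(f"refusing reserved hostname {label!r}")
    return label


def validate_ipv4(ip: str) -> ipaddress.IPv4Address:
    """Only unicast IPv4 leases are registered."""
    addr = ipaddress.ip_address(ip.strip())
    if not isinstance(addr, ipaddress.IPv4Address) or addr.is_multicast or addr.is_loopback:
        raise ValueError(f"refusing address {ip!r}")
    return addr


def build_nsupdate_batch(action: str, hostname: str, ip: str,
                         zone: str = ZONE, server: str = DNS_SERVER, ttl: int = TTL) -> str:
    """Return the stdin text for `nsupdate -g`. The A and PTR changes are sent
    as two transactions so a missing reverse zone does not fail the A record."""
    if action not in ("add", "delete"):
        raise ValueError(f"unknown action {action!r}")
    label = validate_hostname(hostname)
    addr = validate_ipv4(ip)
    fqdn = f"{label}.{zone}."
    ptr = addr.reverse_pointer + "."   # e.g. 10.2.0.192.in-addr.arpa.
    lines = [f"server {server}", f"zone {zone}.", f"update delete {fqdn} A"]
    if action == "add":
        lines.append(f"update add {fqdn} {ttl} A {addr}")
    lines += ["send", f"server {server}", f"update delete {ptr} PTR"]
    if action == "add":
        lines.append(f"update add {ptr} {ttl} PTR {fqdn}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def kinit(principal: str = PRINCIPAL, keytab: str = KEYTAB, ccache: str = CCACHE) -> dict:
    """Obtain a TGT for the service account into a cache only this hook uses."""
    env = dict(os.environ, KRB5CCNAME=f"FILE:{ccache}")
    subprocess.run(["kinit", "-k", "-t", keytab, principal], env=env, check=True)
    return env


def run_update(batch: str, dry_run: bool = False) -> int:
    """Feed the batch to nsupdate with GSS-TSIG; dry_run just prints it."""
    if dry_run:
        sys.stdout.write(batch)
        return 0
    env = kinit()
    return subprocess.run(["nsupdate", "-g"], input=batch, text=True, env=env).returncode


if __name__ == "__main__":
    try:
        act, host, ip = sys.argv[1:4]
        batch = build_nsupdate_batch(act, host, ip)
    except ValueError as exc:
        print(f"dhcp-dns-update: {exc}", file=sys.stderr)
        sys.exit(2)
    sys.exit(run_update(batch, dry_run=os.environ.get("DRY_RUN") == "1"))
```

Run with `DRY_RUN=1 ./dhcp-dns-update.py add pc01 192.0.2.10` to see the batch without touching DNS. Two caveats for a real deployment: on `on release` and `on expiry` dhcpd does not always still have the client's `host-name` option, so a production hook has to recover the name from the lease rather than trusting the "none" fallback above; and the update account should be limited to the records it needs (at most the zone, never Domain Admins), since whoever can run this hook can rewrite anything that account may write.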