Stephen
2019-Mar-22  15:03 UTC
[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
Hello, I wonder if anyone here could possibly help me? I am using Samba 
version 4.5.16-Debian (version information taken from sudo smbstatus) on 
Raspbian and attempting to prototype some future network infrastructure 
with a couple of Raspberry Pis.
So far I have successfully created a Samba 4 AD DC 
ad1.samdom.example.com. I have successfully joined my Windows 10 desktop 
client to the SAMDOM domain provided by ad1 and it authenticated OK, and 
appears to synchronise the network time correctly. So far so good! 
Ideally I would now like to add to this basic setup by creating an 
additional DC, ad2, with ip ad2.samdom.example.com, and join this to the 
existing SAMDOM domain provided by ad1 to provide some extra redundancy 
and failover.
This is where my problems begin unfortunately.
I have used two separate shell-scripts to commission my two servers 
ad1.sh and ad2.sh (please find both scripts attached for scrutiny)
  * These two scripts are based heavily upon the tutorial series found
    at TechMint here:
    https://www.tecmint.com/install-samba4-active-directory-ubuntu/
  * The script to build ad1 is the main DC and is based upon section 1
    and 2 of the tutorial, and as far as I can tell appears to work
    correctly. As discussed I can connect to the server that results
    from a Windows 10 client.
  * The script to build the second DC used for failover is based upon
    part 5 of the linked tutorial series, and this is where I am having
    problems.
  * Both ad1 and ad2 are assigned static IPs, ad1 = 192.168.1.229 and
    ad2 = 192.168.1.228.
I am encountering baffling issues with LDAP when I run my script ad2.sh. 
What I don't understand here is that I am apparently able to join domain 
SAMDOM without issue, i.e. in the ad2 script when I do
pi at ad2 $ sudo samba-tool domain join samdom DC -U"SAMDOM\administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes' --option="dns forwarder = $EXTERNAL_DNS2 $EXTERNAL_DNS3 $EXTERNAL_DNS4"
This appears to work just fine, and I obtain the following seemingly 
plausible output from this command:
Finding a writeable DC for domain 'samdom.example.com'
Found DC ad1.samdom.example.com
Password for [=SAMDOM\administrator]:
workgroup is SAMDOM
realm is samdom.example.com
Adding CN=AD2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Adding 
CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding CN=NTDS 
Settings,CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding SPNs to CN=AD2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Setting account password for AD2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at 
/var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=samdom,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] 
objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] 
objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] 
objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] 
objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] 
objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] 
objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] 
objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] 
objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] 
objects[1614/1614] linked_values[30/0]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=example,DC=com] objects[97/97] linked_values[23/0]
Partition[DC=samdom,DC=example,DC=com] objects[360/263] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[40/40] 
linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[18/18] 
linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMDOM (SID S-1-5-21-1810456019-651403982-3541939936) as a DC
Unfortunately it is after this that I then have major problems 
with LDAP when I try to perform the actual replication. When I attempt:
pi at ad2 ~ $ sudo systemctl unmask samba-ad-dc
pi at ad2 ~ $ sudo systemctl restart samba-ad-dc
pi at ad2 ~ $ sudo samba-tool drs showrepl
I get the following error messages:
17) Replicate Samba Account Details between Primary and Secondary DCs
Failed to connect to ldap URL 'ldap://ad2.samdom.example.com' - LDAP 
client internal error: NT_STATUS_CONNECTION_REFUSED
Failed to connect to 'ldap://ad2.samdom.example.com' with backend 
'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
ERROR(ldb): LDAP connection to ad2.samdom.example.com failed - LDAP 
client internal error: NT_STATUS_CONNECTION_REFUSED
Initially I thought this was something simple such as an error in name 
or host resolution due to network misconfiguration. But I have double 
checked my /etc/hosts file content and my resolv.conf on ad2 and I 
believe these to be correct, please find these below for ad2 along with 
my smb.conf file:
pi at ad2:~ $ cat /etc/hosts
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.1.229    ad1.samdom.example.com ad1
192.168.1.228    ad2.samdom.example.com ad2
pi at ad2:~ $ cat /etc/hostname
ad2
pi at ad2:~ $ cat /etc/resolv.conf
# Generated by resolvconf
search samdom.example.com
nameserver 192.168.1.229
nameserver 192.168.1.228
nameserver 88.215.63.255
nameserver 88.215.61.255
nameserver 8.8.8.8
pi at ad2:~ $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
         inet 192.168.1.228  netmask 255.255.255.0  broadcast 192.168.1.255
         inet6 fe80::1cb0:8751:ad6b:6df0  prefixlen 64  scopeid 0x20<link>
         ether b8:27:eb:9c:98:34  txqueuelen 1000  (Ethernet)
         RX packets 703  bytes 136445 (133.2 KiB)
         RX errors 0  dropped 0  overruns 0  frame 0
         TX packets 308  bytes 49680 (48.5 KiB)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
pi at ad2:~ $ cat /etc/samba/smb.conf
# Global parameters
[global]
         netbios name = AD2
         realm = SAMDOM.EXAMPLE.COM
         workgroup = SAMDOM
         dns forwarder = 88.215.63.255 88.215.61.255 8.8.8.8
         server role = active directory domain controller
         idmap_ldb:use rfc2307  = yes
[netlogon]
         path = /var/lib/samba/sysvol/samdom.example.com/scripts
         read only = No
[sysvol]
         path = /var/lib/samba/sysvol
         read only = No
pi at ad2:~ $ ping ad1.samdom.example.com
PING ad1.samdom.example.com (192.168.1.229) 56(84) bytes of data.
64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=1 ttl=64 
time=0.604 ms
64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=2 ttl=64 
time=0.460 ms
64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=3 ttl=64 
time=0.353 ms
64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=4 ttl=64 
time=0.361 ms
pi at ad2:~ $ host -tA ad1.samdom.example.com
ad1.samdom.example.com has address 192.168.1.229
Likewise for ad1:
pi at ad1:~ $ cat /etc/hosts
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.1.229    ad1.samdom.example.com ad1
192.168.1.228    ad2.samdom.example.com ad2
pi at ad1:~ $ cat /etc/hostname
ad1
pi at ad1:~ $ cat /etc/resolv.conf
# Generated by resolvconf
search samdom.example.com
nameserver 192.168.1.229
nameserver 192.168.1.228
nameserver 88.215.63.255
nameserver 88.215.61.255
nameserver 8.8.8.8
pi at ad1:~ $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
         inet 192.168.1.229  netmask 255.255.255.0  broadcast 192.168.1.255
         inet6 fe80::446b:2bdc:7765:11e2  prefixlen 64  scopeid 0x20<link>
         ether b8:27:eb:2f:93:7d  txqueuelen 1000  (Ethernet)
         RX packets 5724  bytes 572625 (559.2 KiB)
         RX errors 0  dropped 0  overruns 0  frame 0
         TX packets 7476  bytes 9492118 (9.0 MiB)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
pi at ad1:~ $ cat /etc/samba/smb.conf
# Global parameters
[global]
         netbios name = AD1
         realm = SAMDOM.EXAMPLE.COM
         workgroup = SAMDOM
         dns forwarder = 8.8.8.8
         server role = active directory domain controller
         idmap_ldb:use rfc2307 = yes
[netlogon]
         path = /var/lib/samba/sysvol/samdom.example.com/scripts
         read only = No
[sysvol]
         path = /var/lib/samba/sysvol
         read only = No
pi at ad1:~ $ ping ad2.samdom.example.com
PING ad2.samdom.example.com (192.168.1.228) 56(84) bytes of data.
64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=1 ttl=64 
time=0.497 ms
64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=2 ttl=64 
time=0.469 ms
64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=3 ttl=64 
time=0.353 ms
64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=4 ttl=64 
time=0.327 ms
Interestingly I note that when I do a host lookup on ad1 I get:
pi at ad1:~ $ host -tA ad2.samdom.example.com
Host ad2.samdom.example.com not found: 3(NXDOMAIN)
There are some official Samba articles that suggest that for Samba <4.6 
you need to set up DNS entries manually on AD1 prior to 
configuring AD2, i.e. 
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record, 
but this seems a bit of a hacky workaround. This advice appears to 
contradict the TechMint tutorials and other advice I have seen elsewhere 
on the net though, so I am unsure how much weight to lend to this.
Can anyone advise what I am doing wrong here? Any help rendered would be 
hugely appreciated :O)
Thanks
Stephen Ellwood
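The symptom in the post (ad1 resolves, ad2 returns NXDOMAIN, so replication to ad2 cannot start) is the kind of thing a DC health check should catch before anyone runs `samba-tool drs showrepl`. The following is an added example, not code from the post or from the Samba project: it generalises the DNS checks of step 17 in ad1.sh (A, `_ldap._tcp` SRV, `_kerberos._udp` SRV) to every DC in the domain, with the resolver injected so it can be exercised offline against constructed zone data; `check_dc_dns`, `sample_resolver` and `SAMPLE_ZONE` are hypothetical names.

```python
"""Verify the DNS records every Samba AD DC must have (added example)."""
from typing import Callable, Dict, List

# A resolver maps (name, rtype) -> answers. For SRV we return target
# hostnames only (priority/weight/port dropped); [] models NXDOMAIN or
# an empty answer. In production back this with dnspython or `host -t`.
Resolver = Callable[[str, str], List[str]]

# The service records ad1.sh step 17 already checks for the first DC.
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._udp")


def check_dc_dns(domain: str, dcs: Dict[str, str], resolve: Resolver) -> List[str]:
    """Return human-readable problems; an empty list means every check passed."""
    problems: List[str] = []
    fqdns = {f"{host}.{domain}": ip for host, ip in dcs.items()}

    # 1. Every DC must have a forward A record that matches its static IP.
    for fqdn, ip in fqdns.items():
        answers = resolve(fqdn, "A")
        if not answers:
            problems.append(f"{fqdn}: no A record (NXDOMAIN)")
        elif ip not in answers:
            problems.append(f"{fqdn}: A record {answers} does not contain {ip}")

    # 2. Each service SRV record must exist, every target must resolve, and
    #    every DC must be advertised; otherwise clients never fail over to it.
    for svc in REQUIRED_SRV:
        name = f"{svc}.{domain}"
        targets = resolve(name, "SRV")
        if not targets:
            problems.append(f"{name}: no SRV record")
            continue
        for target in targets:
            if not resolve(target, "A"):
                problems.append(f"{name}: target {target} has no A record")
        for fqdn in fqdns:
            if fqdn not in targets:
                problems.append(f"{name}: {fqdn} is not advertised as a target")
    return problems


# Constructed zone data mirroring the post: ad1 is registered, ad2 never
# registered its records because samba-ad-dc on ad2 is not running.
SAMPLE_ZONE = {
    ("ad1.samdom.example.com", "A"): ["192.168.1.229"],
    ("_ldap._tcp.samdom.example.com", "SRV"): ["ad1.samdom.example.com"],
    ("_kerberos._udp.samdom.example.com", "SRV"): ["ad1.samdom.example.com"],
}


def sample_resolver(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a real DNS query against the constructed zone."""
    return SAMPLE_ZONE.get((name, rtype), [])


def sample_report() -> List[str]:
    """Run the check for the post's two DCs against the constructed zone."""
    return check_dc_dns(
        "samdom.example.com",
        {"ad1": "192.168.1.229", "ad2": "192.168.1.228"},
        sample_resolver,
    )


if __name__ == "__main__":
    for line in sample_report() or ["all DC DNS records present"]:
        print(line)
```

Run against the constructed zone it reports the missing ad2 A record and that ad2 is absent from both SRV records; against a zone where ad2 has registered it returns an empty list.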
-------------- next part --------------
#---------------------------------------------------------------|
#---------------------------------------------------------------|
#        Setup a primary Active Directory controller server     |
#---------------------------------------------------------------|
#---------------------------------------------------------------|
PROGRESS_FILE="adprogressprimary";
# ---------------------------------------------------------------|
# Active directory server configuration settings
# ---------------------------------------------------------------|
IP_ADDRESS="192.168.1.229";
IP_ADDRESS_SECONDARY_AD="192.168.1.228";
HOSTNAME_SECONDARY_AD="ad2"
GATEWAY="192.168.1.1";
EXTERNAL_DNS1="88.215.63.255"
EXTERNAL_DNS2="88.215.61.255"
EXTERNAL_DNS3="8.8.8.8"
DNS_SERVERS="$IP_ADDRESS $IP_ADDRESS_SECONDARY_AD $EXTERNAL_DNS1 $EXTERNAL_DNS2 $EXTERNAL_DNS3";
DOMAIN="samdom.example.com";
WIN_DOMAIN="samdom"
HOSTNAME="ad1";
# ---------------------------------------------------------------|
# Shell colour definitions
# ---------------------------------------------------------------|
RCol='\e[0m'    # Text Reset
# Regular           Bold                Underline           High Intensity      BoldHigh Intens     Background          High Intensity Backgrounds
Bla='\e[0;30m';     BBla='\e[1;30m';    UBla='\e[4;30m';
IBla='\e[0;90m';    BIBla='\e[1;90m';   On_Bla='\e[40m';
On_IBla='\e[0;100m';
Red='\e[0;31m';     BRed='\e[1;31m';    URed='\e[4;31m';
IRed='\e[0;91m';    BIRed='\e[1;91m';   On_Red='\e[41m';
On_IRed='\e[0;101m';
Gre='\e[0;32m';     BGre='\e[1;32m';    UGre='\e[4;32m';
IGre='\e[0;92m';    BIGre='\e[1;92m';   On_Gre='\e[42m';
On_IGre='\e[0;102m';
Yel='\e[0;33m';     BYel='\e[1;33m';    UYel='\e[4;33m';
IYel='\e[0;93m';    BIYel='\e[1;93m';   On_Yel='\e[43m';
On_IYel='\e[0;103m';
Blu='\e[0;34m';     BBlu='\e[1;34m';    UBlu='\e[4;34m';
IBlu='\e[0;94m';    BIBlu='\e[1;94m';   On_Blu='\e[44m';
On_IBlu='\e[0;104m';
Pur='\e[0;35m';     BPur='\e[1;35m';    UPur='\e[4;35m';
IPur='\e[0;95m';    BIPur='\e[1;95m';   On_Pur='\e[45m';
On_IPur='\e[0;105m';
Cya='\e[0;36m';     BCya='\e[1;36m';    UCya='\e[4;36m';
ICya='\e[0;96m';    BICya='\e[1;96m';   On_Cya='\e[46m';
On_ICya='\e[0;106m';
Whi='\e[0;37m';     BWhi='\e[1;37m';    UWhi='\e[4;37m';
IWhi='\e[0;97m';    BIWhi='\e[1;97m';   On_Whi='\e[47m';
On_IWhi='\e[0;107m';
# ---------------------------------------------------------------|
# Cleanup code
# ---------------------------------------------------------------|
# Make sure we update our bash prompt to reflect our change of hostname
function finish 
{
    exec bash
}
trap finish EXIT
# ---------------------------------------------------------------|
# Script Code
# ---------------------------------------------------------------|
# Explain what script actually does
echo -e "${Yel}---------------------------------------------------------${RCol}"
echo -e "${Yel} Setup Samba 4 Active Directory Domain Controller${RCol}"
echo -e "${Yel}---------------------------------------------------------${RCol}"
echo -e "${Yel} This script configures the current Raspberry Pi to be${RCol}"
echo -e "${Yel} a Samba 4 Active Directory controller.${RCol}"
echo ""
echo -e "${Red} Note: This script should be used for local installation only${RCol}"
echo -e "${Red} and should not be used via SSH or similar remote access tools${RCol}"
echo ""
echo -e "${Yel}---------------------------------------------------------${RCol}"
echo ""
# Create progress file if it doesn't already exists
if [ ! -f ${PROGRESS_FILE} ]; then
    echo -e "${Cya} Create file to track installation progress${RCol}"
    touch ${PROGRESS_FILE}
fi
# Disable Pi WiFi and Bluetooth RF Interfaces
if ! grep -q 'disable-rf' ${PROGRESS_FILE}; then
    echo -e "${Cya}1) Disabling RF Interfaces${RCol}"
    
    sudo systemctl disable wpa_supplicant
    sudo systemctl disable bluetooth
    sudo systemctl disable hciuart
    echo "dtoverlay=pi3-disable-wifi" | sudo tee -a /boot/config.txt;
    echo "pi3-disable-bt" | sudo tee -a /boot/config.txt;
    echo "disable-rf" >> ${PROGRESS_FILE}
fi
# Enable ACL for main AD drive partition "/"
# (change "defaults,noatime" to "defaults,noatime,acl" there, and backup old /etc/fstab)
if ! grep -q 'enable-acl' ${PROGRESS_FILE}; then
    echo -e "${Cya}2) Enabling ACL${RCol}"
    
    # "==" compares the fstab type column; a single "=" would assign and match every line
    awk '/^.*\/.*ext4/{if ($3=="ext4") $4="defaults,noatime,acl"};{print}' /etc/fstab > ~/fstab.new
    sudo cp /etc/fstab /etc/fstab.backup
    sudo mv ~/fstab.new /etc/fstab
    echo "enable-acl" >> ${PROGRESS_FILE}
fi
# Change user Pi default logon password
# !!! We MUST do this BEFORE enabling SSH !!!
if ! grep -q 'change-default-password' ${PROGRESS_FILE}; then
    echo -e "${Cya}3) Changing Pi default password${RCol}"
    echo -e "${Red} Note that during this process you will be prompted to choose and enter a new password for user pi.${RCol}"
    echo -e "${Red} This is the main login account for this Raspberry pi server, and is also used for remote access via SSH!${RCol}"
    echo -e "${Red} Store these credentials somewhere safe! You will need these to login and administer the machine.${RCol}"
    
    if ! passwd; then
        echo "Failed to change default user password. THIS IS A SECURITY RISK so exiting..."
        exit 1
    else
        echo "change-default-password" >> ${PROGRESS_FILE}
    fi
fi
# Update Raspbian package lists
if ! grep -q 'update-raspbian' ${PROGRESS_FILE}; then
    echo -e "${Cya}4) Updating Raspbian Package Server List(s)${RCol}"
    
    sudo apt-get update
    echo "update-raspbian" >> ${PROGRESS_FILE}
fi
# Upgrade Raspbian packages
if ! grep -q 'upgrade-raspbian' ${PROGRESS_FILE}; then
    echo -e "${Cya}5) Upgrading Raspbian${RCol}"
    
    sudo apt-get -y upgrade
    echo "upgrade-raspbian" >> ${PROGRESS_FILE}
fi
# Update IP address settings for Pi in /etc/dhcpcd.conf
if ! grep -q 'change-eth0-settings' ${PROGRESS_FILE}; then
    echo -e "${Cya}6) Changing Pi Network settings${RCol}"
    
    sudo cp /etc/dhcpcd.conf /etc/dhcpcd.conf.backup
    sudo sed -i '/# static IP configuration for Ogden Active Directory service:/,$d' /etc/dhcpcd.conf;
    sudo sed -i '/# Example static IP configuration:/,$d' /etc/dhcpcd.conf;
    echo "# static IP configuration for Ogden Active Directory service:" | sudo tee -a /etc/dhcpcd.conf
    echo "interface eth0" | sudo tee -a /etc/dhcpcd.conf;
    echo "static routers=$GATEWAY" | sudo tee -a /etc/dhcpcd.conf;
    echo "static ip_address=$IP_ADDRESS" | sudo tee -a /etc/dhcpcd.conf;
    echo "static domain_name_servers=$DNS_SERVERS" | sudo tee -a /etc/dhcpcd.conf;
    echo "static domain_search=$DOMAIN" | sudo tee -a /etc/dhcpcd.conf;
    
    # Force immediate update to ip address
    sudo ifconfig eth0 down
    sudo ifconfig eth0 up
    sudo service networking restart;
    
    echo "change-eth0-settings" >> ${PROGRESS_FILE};
fi
# Change default pi hostname
if ! grep -q 'change-hostname' ${PROGRESS_FILE}; then
    echo -e "${Cya}7) Changing Pi hostname settings${RCol}"
    # Update /etc/hosts file prior to hostname change
    sudo sed -i "/$HOSTNAME/d" /etc/hosts;
    echo "$IP_ADDRESS    $HOSTNAME.$DOMAIN $HOSTNAME" | sudo tee -a /etc/hosts;
    echo "$IP_ADDRESS_SECONDARY_AD    $HOSTNAME_SECONDARY_AD.$DOMAIN $HOSTNAME_SECONDARY_AD" | sudo tee -a /etc/hosts;
  
    # Set new hostname by modifying /etc/hostname - only then delete our old hostname entry
    sudo hostnamectl set-hostname $HOSTNAME
    sudo sed -i '/raspberrypi/d' /etc/hosts;
    
    sudo systemctl restart systemd-logind.service;
    sudo service networking restart;
    echo "change-hostname" >> ${PROGRESS_FILE};
fi
# Install Samba4 software
if ! grep -q 'install-samba' ${PROGRESS_FILE}; then
    echo -e "${Cya}8) Installing Samba${RCol}"
    
    echo "When prompted during installation please enter the following options at the installer prompt:";
    echo -n "Default Kerberos realm: "; echo "$DOMAIN"|awk '{print toupper($0)}';
    echo "Kerberos servers: $DOMAIN";
    echo "Administrative server: $HOSTNAME.$DOMAIN";
    echo "Please press a key to continue...";
    read -n 1 -s;
    sudo apt-get install -y samba krb5-user krb5-config winbind libpam-winbind libnss-winbind;
    echo "install-samba" >> ${PROGRESS_FILE}
fi
# Stop Samba4 services prior to provisioning
if ! grep -q 'stop-samba-services' ${PROGRESS_FILE}; then
    echo -e "${Cya}9) Temporarily disable Samba prior to provisioning${RCol}"
    
    sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
    sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
    sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
    sudo rm /etc/krb5.conf
    echo "stop-samba-services" >> ${PROGRESS_FILE}
fi
# Provision the new Samba 4 AD controller
if ! grep -q 'provision-samba' ${PROGRESS_FILE}; then
    echo -e "${Cya}10) Provision new Samba instance${RCol}"
    echo ""
    echo "When prompted during installation please enter the following options at the installer prompt:";
    echo -n "realm: "; echo "$DOMAIN"|awk '{print toupper($0)}';
    echo -n "domain: "; echo "$WIN_DOMAIN"|awk '{print toupper($0)}';
    echo "server role: dc";
    echo "DNS backend: SAMBA_INTERNAL";
    echo "DNS Forwarder: 8.8.8.8";
    echo ""
    echo -e "${Red} Note that during this process you will be prompted to choose and enter an administrator password.${RCol}"
    echo -e "${Red} This is the superuser password for the specified Samba domain and is used to create all other accounts!${RCol}"
    echo -e "${Red} Store these credentials somewhere safe!${RCol}"
    echo ""
    sudo samba-tool domain provision --use-rfc2307 --interactive;
    echo "provision-samba" >> ${PROGRESS_FILE}
fi
# Link to update kerberos configuration
if ! grep -q 'update-kerberos-config' ${PROGRESS_FILE}; then
    echo -e "${Cya}11) Update Kerberos configuration file${RCol}"
    
    sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf;
    echo "update-kerberos-config" >> ${PROGRESS_FILE}
fi
# Enable samba-ad-dc daemon to run at boottime
if ! grep -q 'unmask-enable-samba-daemons' ${PROGRESS_FILE}; then
    echo -e "${Cya}12) Unmask Samba services${RCol}"
    
    sudo systemctl unmask samba-ad-dc.service
    sudo systemctl start samba-ad-dc.service
    sudo systemctl status samba-ad-dc.service
    sudo systemctl enable samba-ad-dc.service
    echo "unmask-enable-samba-daemons" >> ${PROGRESS_FILE}
fi
# Regenerate resolv.conf, using our updated dhcpcd.conf entries
if ! grep -q 'update-resolve-file' ${PROGRESS_FILE}; then
    echo -e "${Cya}13) Update /etc/resolv.conf filename${RCol}"
    echo -e "search $DOMAIN\nnameserver $IP_ADDRESS\nnameserver $IP_ADDRESS_SECONDARY_AD\nnameserver $EXTERNAL_DNS1\nnameserver $EXTERNAL_DNS2\nnameserver $EXTERNAL_DNS3" | sudo resolvconf -a eth0.inet
    echo "update-resolve-file" >> ${PROGRESS_FILE}
fi
# Manually verify required samba ports have been opened
if ! grep -q 'check-samba-ad-ports' ${PROGRESS_FILE}; then
    echo -e "${Cya}14) Check Samba AD ports ${RCol}"
    sudo netstat -tulpn | egrep 'smbd|samba';
    echo "check-samba-ad-ports" >> ${PROGRESS_FILE}
fi
# Manually verify required samba is correctly emulating windows server
if ! grep -q 'check-winserv-emu' ${PROGRESS_FILE}; then
    echo -e "${Cya}15) Check Windows Server Emulation ${RCol}"
    sudo samba-tool domain level show
    echo "check-winserv-emu" >> ${PROGRESS_FILE}
fi
# Ping to check local domain and dns is working correctly
if ! grep -q 'ping-check-local-domain' ${PROGRESS_FILE}; then
    echo -e "${Cya}16) Ping test AD DNS functionality${RCol}"
    ping -c3 "$HOSTNAME";
    PING1CHK=$?;
    ping -c3 "$HOSTNAME.$DOMAIN";
    PING2CHK=$?;
    ping -c3 "$DOMAIN";
    PING3CHK=$?;
    if [ $PING1CHK -ne 0 ] || [ $PING2CHK -ne 0 ] || [ $PING3CHK -ne 0 ]; then
        echo "ERROR: Could not ping host(s) and/or dns server. Exiting."
        exit 2
    fi
    echo "ping-check-local-domain" >> ${PROGRESS_FILE};
fi
if ! grep -q 'dns-check-local-domain' ${PROGRESS_FILE}; then
    echo -e "${Cya}17) DNS lookup check AD domain and AD server${RCol}"
    
    host -t A "$DOMAIN"
    DNS1CHK=$?;
    host -t A "$HOSTNAME.$DOMAIN";
    DNS2CHK=$?;
    host -t SRV "_kerberos._udp.$DOMAIN";
    DNS3CHK=$?;
    host -t SRV "_ldap._tcp.$DOMAIN";
    DNS4CHK=$?;
    if [ $DNS1CHK -ne 0 ] || [ $DNS2CHK -ne 0 ] || [ $DNS3CHK -ne 0 ] || [ $DNS4CHK -ne 0 ]; then
        echo "ERROR: Could not perform required DNS lookups! Exiting."
        exit 3
    fi
    echo "dns-check-local-domain" >> ${PROGRESS_FILE};
fi
# Request Kerberos ticket
if ! grep -q 'kerberos-ticket-request-check' ${PROGRESS_FILE}; then
    echo -e "${Cya}18) Request Kerberos new ticket to check Kerberos${RCol}"
    echo "We will test Kerberos by requesting a new ticket for user administrator.";
    echo "Please enter password for administrator@$WIN_DOMAIN when requested here";
    KRB_ADMIN="administrator@`echo "$DOMAIN"|awk '{print toupper($0)}'`"
    kinit $KRB_ADMIN 
    klist
    echo "kerberos-ticket-request-check" >> ${PROGRESS_FILE}
fi
# Install NTP functionality required for Active Directory
if ! grep -q 'install-ntp' ${PROGRESS_FILE}; then
    echo -e "${Cya}19) Install required NTP functionality on server${RCol}"
    sudo apt-get install -y ntp ntpdate
    echo "install-ntp" >> ${PROGRESS_FILE}
fi
# Configure NTP settings required for Active Directory
if ! grep -q 'configure-ntp' ${PROGRESS_FILE}; then
    echo -e "${Cya}20) Configure required NTP functionality on server${RCol}"
    
    sudo sed -i 's/pool 0.*/pool 0.uk.pool.ntp.org iburst/' /etc/ntp.conf
    sudo sed -i 's/pool 1.*/pool 1.uk.pool.ntp.org iburst/' /etc/ntp.conf
    sudo sed -i 's/pool 2.*/pool 2.uk.pool.ntp.org iburst/' /etc/ntp.conf
    sudo sed -i 's/pool 3.*/pool 3.uk.pool.ntp.org iburst/' /etc/ntp.conf
    
    sudo sed -i '/^driftfile/a ntpsigndsocket /var/lib/samba/ntp_signd/' /etc/ntp.conf
    sudo sed -i '/^restrict source/a restrict default kod nomodify notrap nopeer mssntp' /etc/ntp.conf
    echo "configure-ntp" >> ${PROGRESS_FILE}
fi
# Set permissions required for NTP server
if ! grep -q 'permissions-ntp' ${PROGRESS_FILE}; then
    echo -e "${Cya}21) Set required NTP permissions${RCol}"
    
    sudo chown root:ntp /var/lib/samba/ntp_signd/
    sudo chmod 750 /var/lib/samba/ntp_signd/
    echo "permissions-ntp" >> ${PROGRESS_FILE}
fi
# Restart NTP
if ! grep -q 'restart-ntp' ${PROGRESS_FILE}; then
    echo -e "${Cya}22) Restart NTP to update settings${RCol}"
    sudo systemctl restart ntp
    echo "restart-ntp" >> ${PROGRESS_FILE}
fi
# Check NTP port is listening
if ! grep -q 'check-ntp-port' ${PROGRESS_FILE}; then
    echo -e "${Cya}23) Confirm required NTP ports opened${RCol}"
    sudo netstat -tulpn | grep ntp
    
    # Wait here for NTP to synchronise
    sleep 10s
    
    echo "check-ntp-port" >> ${PROGRESS_FILE}
fi
# List all NTP servers
if ! grep -q 'list-ntp-servers' ${PROGRESS_FILE}; then
    echo -e "${Cya}24) Print list of NTP servers${RCol}"
    ntpq -p
    echo "list-ntp-servers" >> ${PROGRESS_FILE}
fi
# Check NTP time synchronisation
if ! grep -q 'check-ntp-sync' ${PROGRESS_FILE}; then
    
    echo -e "${Cya}25) Confirm NTP time synchronisation${RCol}"
    
    NTPSYNCCHK=$(ntpdate -qu $HOSTNAME)
    
    if echo "$NTPSYNCCHK" | grep -q 'no server suitable for synchronization found'; then
        echo "ERROR: Could not synchronise to NTP servers. Exiting..."
        exit 4
    fi    
    
    echo "check-ntp-sync" >> ${PROGRESS_FILE}
fi
# Enable SSH service for remote access to AD server for configuration etc.
if ! grep -q 'enable-ssh' ${PROGRESS_FILE}; then
    echo -e "${Cya}26) Enable SSH for remote AD server administration${RCol}"
    sudo systemctl enable ssh
    sudo systemctl start ssh
    
    echo "enable-ssh" >> ${PROGRESS_FILE}
fi
# Reboot to reflect hostname change
if ! grep -q 'update-shell-prompt' ${PROGRESS_FILE}; then
    echo "update-shell-prompt" >> ${PROGRESS_FILE}
    sudo reboot
fi
-------------- next part --------------
#---------------------------------------------------------------|
#---------------------------------------------------------------|
#        Setup a secondary Active Directory controller server   |
#---------------------------------------------------------------|
#---------------------------------------------------------------|
PROGRESS_FILE="adprogresssecondary";
# ---------------------------------------------------------------|
# Active directory server configuration settings
# ---------------------------------------------------------------|
IP_ADDRESS="192.168.1.228";
GATEWAY="192.168.1.1";
IP_ADDRESS_PRIMARY_AD="192.168.1.229";  # This first DNS server must be our existing primary AD DC!
PRIMARY_AD_HOSTNAME="ad1";      # Hostname for primary AD DC instance
EXTERNAL_DNS2="88.215.63.255";  # These are all external DNS servers
EXTERNAL_DNS3="88.215.61.255";
EXTERNAL_DNS4="8.8.8.8";
DNS_SERVERS="$IP_ADDRESS_PRIMARY_AD $IP_ADDRESS $EXTERNAL_DNS2 $EXTERNAL_DNS3 $EXTERNAL_DNS4";
SAMBA_DNS_FORWARDER="$EXTERNAL_DNS4";
DOMAIN="samdom.example.com";    # Samba Domain details
WIN_DOMAIN="samdom";            # Windows Domain name eg SAMDOM\\PC_NAME
# Single "=" here: a "==" would store the literal string "=SAMDOM" in the variable
WIN_DOMAIN_UPPER="`echo "$WIN_DOMAIN"|awk '{print toupper($0)}'`"
HOSTNAME="ad2";                 # Hostname for this AD DC instance
# ---------------------------------------------------------------|
# Shell colour definitions
# ---------------------------------------------------------------|
RCol='\e[0m'    # Text Reset
# Regular           Bold                Underline           High Intensity      BoldHigh Intens     Background          High Intensity Backgrounds
Bla='\e[0;30m';     BBla='\e[1;30m';    UBla='\e[4;30m';
IBla='\e[0;90m';    BIBla='\e[1;90m';   On_Bla='\e[40m';
On_IBla='\e[0;100m';
Red='\e[0;31m';     BRed='\e[1;31m';    URed='\e[4;31m';
IRed='\e[0;91m';    BIRed='\e[1;91m';   On_Red='\e[41m';
On_IRed='\e[0;101m';
Gre='\e[0;32m';     BGre='\e[1;32m';    UGre='\e[4;32m';
IGre='\e[0;92m';    BIGre='\e[1;92m';   On_Gre='\e[42m';
On_IGre='\e[0;102m';
Yel='\e[0;33m';     BYel='\e[1;33m';    UYel='\e[4;33m';
IYel='\e[0;93m';    BIYel='\e[1;93m';   On_Yel='\e[43m';
On_IYel='\e[0;103m';
Blu='\e[0;34m';     BBlu='\e[1;34m';    UBlu='\e[4;34m';
IBlu='\e[0;94m';    BIBlu='\e[1;94m';   On_Blu='\e[44m';
On_IBlu='\e[0;104m';
Pur='\e[0;35m';     BPur='\e[1;35m';    UPur='\e[4;35m';
IPur='\e[0;95m';    BIPur='\e[1;95m';   On_Pur='\e[45m';
On_IPur='\e[0;105m';
Cya='\e[0;36m';     BCya='\e[1;36m';    UCya='\e[4;36m';
ICya='\e[0;96m';    BICya='\e[1;96m';   On_Cya='\e[46m';
On_ICya='\e[0;106m';
Whi='\e[0;37m';     BWhi='\e[1;37m';    UWhi='\e[4;37m';
IWhi='\e[0;97m';    BIWhi='\e[1;97m';   On_Whi='\e[47m';
On_IWhi='\e[0;107m';
# ---------------------------------------------------------------|
# Cleanup code
# ---------------------------------------------------------------|
# Make sure we update our bash prompt to reflect our change of hostname
function finish 
{
    exec bash
}
trap finish EXIT
# ---------------------------------------------------------------|
# Script Code
# ---------------------------------------------------------------|
# Explain what script actually does
echo -e "${Yel}---------------------------------------------------------${RCol}"
echo -e "${Yel} Setup Additional Backup Samba 4 Domain Controller(s)${RCol}"
echo -e "${Yel}---------------------------------------------------------${RCol}"
echo -e "${Yel} This script configures the current Raspberry Pi to be${RCol}"
echo -e "${Yel} an additional Samba 4 Domain Controller, that will join${RCol}"
echo -e "${Yel} to a pre-existing AD forest as a backup or failover server.${RCol}"
echo -e "${Red} Note: This script should be used for local installation only${RCol}"
echo -e "${Red} and should not be used via SSH or similar remote access tools.${RCol}"
echo -e "${Red} To minimise the chance of misconfiguration this script should be${RCol}"
echo -e "${Red} applied to a fresh Raspbian installation ONLY.${RCol}"
echo ""
echo -e "${Yel}---------------------------------------------------------${RCol}"
echo ""
# Create progress file if it doesn't already exists
if [ ! -f ${PROGRESS_FILE} ]; then
    echo -e "${Cya} Create file to track installation progress${RCol}"
    touch ${PROGRESS_FILE}
fi
# Disable Pi WiFi and Bluetooth RF Interfaces
if ! grep -q 'disable-rf' ${PROGRESS_FILE}; then
    echo -e "${Cya}1) Disabling RF Interfaces${RCol}"
    
    sudo systemctl disable wpa_supplicant
    sudo systemctl disable bluetooth
    sudo systemctl disable hciuart
    echo "dtoverlay=pi3-disable-wifi" | sudo tee -a /boot/config.txt;
    echo "pi3-disable-bt" | sudo tee -a /boot/config.txt;
    echo "disable-rf" >> ${PROGRESS_FILE}
fi
# Enable ACL for main AD drive partition "/"
# (change "defaults,noatime" to "defaults,noatime,acl" there, and backup old /etc/fstab)
if ! grep -q 'enable-acl' ${PROGRESS_FILE}; then
    echo -e "${Cya}2) Enabling ACL${RCol}"
    
    # "==" compares the fstab type column; a single "=" would assign and match every line
    awk '/^.*\/.*ext4/{if ($3=="ext4") $4="defaults,noatime,acl"};{print}' /etc/fstab > ~/fstab.new
    sudo cp /etc/fstab /etc/fstab.backup
    sudo mv ~/fstab.new /etc/fstab
    echo "enable-acl" >> ${PROGRESS_FILE}
fi
# Change user Pi default logon password
# !!! We MUST do this BEFORE enabling SSH !!!
if ! grep -q 'change-default-password' ${PROGRESS_FILE}; then
    echo -e "${Cya}3) Changing Pi default password${RCol}"
    echo -e "${Red} Note that during this process you will be prompted to choose and enter a new password for user pi.${RCol}"
    echo -e "${Red} This is the main login account for this Raspberry Pi server, and is also used for remote access via SSH!${RCol}"
    echo -e "${Red} Store these credentials somewhere safe! You will need these to login and administer the machine.${RCol}"
    
    if ! passwd; then
        echo "Failed to change default user password. THIS IS A SECURITY RISK so exiting..."
        exit 1
    else
        echo "change-default-password" >> ${PROGRESS_FILE}
    fi
fi
# Update Raspbian package lists
if ! grep -q 'update-raspbian' ${PROGRESS_FILE}; then
    echo -e "${Cya}4) Updating Raspbian Package Server List(s)${RCol}"
    
    sudo apt-get update
    echo "update-raspbian" >> ${PROGRESS_FILE}
fi
# Upgrade Raspbian packages
if ! grep -q 'upgrade-raspbian' ${PROGRESS_FILE}; then
    echo -e "${Cya}5) Upgrading Raspbian${RCol}"
    
    sudo apt-get -y upgrade
    echo "upgrade-raspbian" >> ${PROGRESS_FILE}
fi
# Update IP address settings for Pi in /etc/dhcpcd.conf
if ! grep -q 'change-eth0-settings' ${PROGRESS_FILE}; then
    echo -e "${Cya}6) Changing Pi Network settings${RCol}"
    
    sudo cp /etc/dhcpcd.conf /etc/dhcpcd.conf.backup
    sudo sed -i '/# static IP configuration for Ogden Active Directory service:/,$d' /etc/dhcpcd.conf
    sudo sed -i '/# Example static IP configuration:/,$d' /etc/dhcpcd.conf
    echo "# static IP configuration for Ogden Active Directory service:" | sudo tee -a /etc/dhcpcd.conf
    echo "interface eth0" | sudo tee -a /etc/dhcpcd.conf
    echo "static routers=$GATEWAY" | sudo tee -a /etc/dhcpcd.conf
    echo "static ip_address=$IP_ADDRESS" | sudo tee -a /etc/dhcpcd.conf
    echo "static domain_name_servers=$DNS_SERVERS" | sudo tee -a /etc/dhcpcd.conf
    echo "static domain_search=$DOMAIN" | sudo tee -a /etc/dhcpcd.conf
    
    # Force immediate update to ip address
    sudo ifconfig eth0 down
    sudo ifconfig eth0 up
    sudo service networking restart;
    
    echo "change-eth0-settings" >> ${PROGRESS_FILE};
fi
# Change default pi hostname
if ! grep -q 'change-hostname' ${PROGRESS_FILE}; then
    echo -e "${Cya}7) Changing Pi hostname settings${RCol}"
    # Update /etc/hosts file prior to hostname change
    sudo sed -i "/$HOSTNAME/d" /etc/hosts
    echo "$IP_ADDRESS_PRIMARY_AD    $PRIMARY_AD_HOSTNAME.$DOMAIN $PRIMARY_AD_HOSTNAME" | sudo tee -a /etc/hosts
    echo "$IP_ADDRESS    $HOSTNAME.$DOMAIN $HOSTNAME" | sudo tee -a /etc/hosts
  
    # Set new hostname by modifying /etc/hostname - only then delete our old hostname entry
    sudo hostnamectl set-hostname $HOSTNAME
    sudo sed -i '/raspberrypi/d' /etc/hosts;
    
    sudo systemctl restart systemd-logind.service;
    sudo service networking restart;
    sleep 5s
    
    echo "change-hostname" >> ${PROGRESS_FILE};
fi
# Ping to check local domain and dns is configured correctly prior to Samba installation
if ! grep -q 'ping-check-local-domain' ${PROGRESS_FILE}; then
    echo -e "${Cya}8) Ping test AD DNS functionality${RCol}"
    ping -c3 "$HOSTNAME";
    PING1CHK=$?;
    ping -c3 "$PRIMARY_AD_HOSTNAME.$DOMAIN";
    PING2CHK=$?;
    ping -c3 "$DOMAIN";
    PING3CHK=$?;
    ping -c3 "$HOSTNAME.$DOMAIN";
    PING4CHK=$?;
    if [ $PING1CHK -ne 0 ] || [ $PING2CHK -ne 0 ] || [ $PING3CHK -ne 0 ] || [ $PING4CHK -ne 0 ]; then
        echo "ERROR: Could not ping host(s) and/or dns server. Exiting."
        exit 2
    fi
    echo "ping-check-local-domain" >> ${PROGRESS_FILE};
fi
# Install NTP client functionality required for additional Active Directory instance
if ! grep -q 'install-ntp' ${PROGRESS_FILE}; then
    echo -e "${Cya}9) Install NTP client functionality on server${RCol}"
    sudo apt-get install -y ntpdate
    echo "install-ntp" >> ${PROGRESS_FILE}
fi
# Force server time to synchronise with existing AD NTP server instance
if ! grep -q 'check-ntp-sync' ${PROGRESS_FILE}; then
    
    echo -e "${Cya}10) Force server NTP client to synchronise time with existing AD instance $PRIMARY_AD_HOSTNAME.$DOMAIN ${RCol}"
    
    NTPSYNCCHK=$(ntpdate -qu $PRIMARY_AD_HOSTNAME)
    
    # The grep pattern must be on one line, otherwise the embedded newline never matches
    if echo "$NTPSYNCCHK" | grep -q 'no server suitable for synchronization found'; then
        echo "ERROR: Could not synchronise to NTP servers. Exiting..."
        exit 4
    fi    
    
    echo "check-ntp-sync" >> ${PROGRESS_FILE}
fi
# Install Samba4 software
if ! grep -q 'install-samba' ${PROGRESS_FILE}; then
    echo -e "${Cya}11) Installing Samba${RCol}"
    
    echo "When prompted during installation please enter the following options at the installer prompt:"
    echo -n "Default Kerberos realm: "; echo "$DOMAIN" | awk '{print toupper($0)}'
    sudo apt-get install -y samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
    
    echo "install-samba" >> ${PROGRESS_FILE}
fi
# Verify the Kerberos client configuration by retrieving a ticket from the existing DC
if ! grep -q 'kerberos-ticket-request-check' ${PROGRESS_FILE}; then
    echo -e "${Cya}12) Request Kerberos new ticket to check Kerberos${RCol}"
    echo "We will test Kerberos by requesting a new ticket for user administrator."
    echo "Please enter password for administrator@$WIN_DOMAIN when requested here"
    KRB_ADMIN="administrator@$(echo "$DOMAIN" | awk '{print toupper($0)}')"
    kinit "$KRB_ADMIN"
    klist
    echo "kerberos-ticket-request-check" >> ${PROGRESS_FILE}
fi
# Stop Samba4 services prior to provisioning
if ! grep -q 'stop-samba-services' ${PROGRESS_FILE}; then
    echo -e "${Cya}13) Temporarily disable Samba prior to provisioning${RCol}"
    
    sudo systemctl stop samba-ad-dc smbd nmbd winbind;
    sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
    echo "stop-samba-services" >> ${PROGRESS_FILE}
fi
# Join new DC to pre-existing Samba 4 AD Domain:
if ! grep -q 'join-domain' ${PROGRESS_FILE}; then
    echo -e "${Cya}14) Join new AD DC to existing Samba Domain${RCol}"
    
    sudo samba-tool domain join $DOMAIN DC -U"$WIN_DOMAIN_UPPER\administrator" --dns-backend=SAMBA_INTERNAL \
        --option='idmap_ldb:use rfc2307 = yes' \
        --option="dns forwarder = $EXTERNAL_DNS2 $EXTERNAL_DNS3 $EXTERNAL_DNS4"
    echo "join-domain" >> ${PROGRESS_FILE}
fi
# Edit smb.conf and add some modified settings (currently disabled)
#if ! grep -q 'modify-smb-config' ${PROGRESS_FILE}; then
#    echo -e "${Cya}15) Modify Samba Configuration${RCol}"
#    # FIXME For now just fudge this by hardcoding IP addresses
#    sudo sed -i '/^.global.$/a dns forwarder = 8.8.8.8\nidmap_ldb:use rfc2307 = yes\n\ntemplate shell = /bin/bash\nwinbind use default domain = true\nwinbind nss info = rfc2307\nwinbind enum users = yes\nwinbind enum groups = yes' /etc/samba/smb.conf
#    echo "modify-smb-config" >> ${PROGRESS_FILE}
#fi
# Restart Samba following configuration changes
if ! grep -q 'restart-samba' ${PROGRESS_FILE}; then
    echo -e "${Cya}16) Restart Samba Instance${RCol}"
    sudo systemctl unmask samba-ad-dc
    sudo systemctl restart samba-ad-dc
    sleep 10s
    echo "restart-samba" >> ${PROGRESS_FILE}
fi
# Show replication status between our DCs
# (samba-tool drs showrepl only reports the state of replication, it does not trigger it)
if ! grep -q 'samba-replicate-accounts' ${PROGRESS_FILE}; then
    echo -e "${Cya}17) Replicate Samba Account Details between Primary and Secondary DCs${RCol}"
    sudo samba-tool drs showrepl
    echo "samba-replicate-accounts" >> ${PROGRESS_FILE}
fi
# Update Kerberos configuration
if ! grep -q 'update-krb-config' ${PROGRESS_FILE}; then
    echo -e "${Cya}18) Update Kerberos configuration${RCol}"
    sudo mv /etc/krb5.conf /etc/krb5.conf.initial
    sudo ln -s /var/lib/samba/private/krb5.conf /etc/
    sudo cat /etc/krb5.conf
    
    echo "update-krb-config" >> ${PROGRESS_FILE}
fi
# Verify the new DC's Kerberos configuration by retrieving a ticket again
# (this step needs its own progress marker: reusing step 12's marker meant it was always skipped)
if ! grep -q 'kerberos-ticket-request-recheck' ${PROGRESS_FILE}; then
    echo -e "${Cya}19) Request Kerberos new ticket to check Kerberos${RCol}"
    echo "We will test Kerberos by requesting a new ticket for user administrator."
    echo "Please enter password for administrator@$WIN_DOMAIN when requested here"
    KRB_ADMIN="administrator@$(echo "$DOMAIN" | awk '{print toupper($0)}')"
    kinit "$KRB_ADMIN"
    klist
    echo "kerberos-ticket-request-recheck" >> ${PROGRESS_FILE}
fi
# Do DNS test to verify everything
if ! grep -q 'dns-check-local-domain' ${PROGRESS_FILE}; then
    echo -e "${Cya}20) DNS lookup check AD domain and AD server.${RCol}"
    echo -e "${Red} Note that TWO separate IP addresses should be listed here.${RCol}"
    
    host -t A "$DOMAIN"
    DNS1CHK=$?;
    host -t SRV "_kerberos._udp.$DOMAIN";
    DNS2CHK=$?;
    host -t SRV "_ldap._tcp.$DOMAIN";
    DNS3CHK=$?;
    if [ $DNS1CHK -ne 0 ] || [ $DNS2CHK -ne 0 ] || [ $DNS3CHK -ne 0 ]; then
        echo "ERROR: Could not perform required DNS lookups! Exiting."
        exit 3
    fi
    echo "dns-check-local-domain" >> ${PROGRESS_FILE};
fi
# Finally startup dameons
if ! grep -q 'configure-samba-daemons' ${PROGRESS_FILE}; then
    echo -e "${Cya}21) Enable the samba-ad-dc service and disable the standalone smbd/nmbd/winbind units${RCol}"
    sudo systemctl disable smbd nmbd winbind
    sudo systemctl enable samba-ad-dc
    
    echo "configure-samba-daemons" >> ${PROGRESS_FILE};
fi
# Enable SSH service for remote access to AD server for configuration etc.
if ! grep -q 'enable-ssh' ${PROGRESS_FILE}; then
    echo -e "${Cya}22) Enable SSH for remote AD server administration${RCol}"
    sudo systemctl enable ssh
    sudo systemctl start ssh
 
    echo "enable-ssh" >> ${PROGRESS_FILE}
fi
# Update shell prompt to reflect change in local hostname
if ! grep -q 'update-shell-prompt' ${PROGRESS_FILE}; then
    
    echo -e "${Cya}23) Restart shell to reflect changed hostname${RCol}"
    
    echo "update-shell-prompt" >> ${PROGRESS_FILE}
    sudo reboot
fi
Rowland Penny
2019-Mar-22  16:07 UTC
[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
On Fri, 22 Mar 2019 15:03:51 +0000 Stephen via samba <samba at lists.samba.org> wrote:

> Hello I wonder if anyone here could possibly help me? I am using Samba
> version 4.5.16-Debian (version information taken from sudo smbstatus) on
> Raspbian and attempting to prototype some future network infrastructure
> with a couple of Raspberry Pis.
>
> So far I have successfully created a Samba 4 AD DC ad1.samdom.example.com.
> I have successfully joined my Windows 10 desktop client to the SAMDOM
> domain provided by ad1 and it authenticated OK, and appears to synchronise
> the network time correctly. So far so good! Ideally I would now like to add
> to this basic setup by creating an additional DC, ad2, with ip
> ad2.samdom.example.com, and join this to the existing SAMDOM domain
> provided by ad1 to provide some extra redundancy and failover.
>
> This is where my problems begin unfortunately.
>
> I have used two separate shell-scripts to commission my two servers ad1.sh
> and ad2.sh (please find both scripts attached for scrutiny)
>
>  * These two scripts are based heavily upon the tutorial series found at
>    TechMint here: https://www.tecmint.com/install-samba4-active-directory-ubuntu/
>  * The script to build ad1 is the main DC and is based upon section 1 and 2
>    of the tutorial, and as far as I can tell appears to work correctly. As
>    discussed I can connect to the server that results from a Windows 10
>    client.
>  * The script to build the second DC used for failover is based upon part 5
>    of the linked tutorial series, and this is where I am having problems.
>  * Both ad1 and ad2 are assigned static ips, ad1 = 192.168.1.229 and
>    ad2=192.168.1.228.
>
> I am encountering baffling issues with LDAP when I run my script ad2.sh.
> What I don't understand here is that I am apparently able to join domain
> SAMDOM without issue, ie in the ad2 script when I do
>
> pi@ad2 $ sudo samba-tool domain join samdom DC -U"SAMDOM\administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes' --option="dns forwarder = $EXTERNAL_DNS2 $EXTERNAL_DNS3 $EXTERNAL_DNS4"
>
> This appears to work just fine, and I obtain the following seemingly
> plausible output from this command:
>
> Finding a writeable DC for domain 'samdom.example.com'
> Found DC ad1.samdom.example.com
> Password for [SAMDOM\administrator]:
> workgroup is SAMDOM
> realm is samdom.example.com
> Adding CN=AD2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
> Adding CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> Adding CN=NTDS Settings,CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> Adding SPNs to CN=AD2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
> Setting account password for AD2$
> Enabling account
> Calling bare provision
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
> Provision OK for domain DN DC=samdom,DC=example,DC=com
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1614] linked_values[0/0]
> Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1614] linked_values[0/0]
> Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1614] linked_values[0/0]
> Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1614] linked_values[0/0]
> Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1614/1614] linked_values[30/0]
> Replicating critical objects from the base DN of the domain
> Partition[DC=samdom,DC=example,DC=com] objects[97/97] linked_values[23/0]
> Partition[DC=samdom,DC=example,DC=com] objects[360/263] linked_values[23/0]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[40/40] linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[18/18] linked_values[0/0]
> Committing SAM database
> Sending DsReplicaUpdateRefs for all the replicated partitions
> Setting isSynchronized and dsServiceName
> Setting up secrets database
> Joined domain SAMDOM (SID S-1-5-21-1810456019-651403982-3541939936) as a DC
>
> Unfortunately it is after this I then have major problems after that with
> LDAP when I try and perform the actual replication. When I attempt:
>
> pi@ad2 ~ $ sudo systemctl unmask samba-ad-dc
> pi@ad2 ~ $ sudo systemctl restart samba-ad-dc
> pi@ad2 ~ $ sudo samba-tool drs showrepl
>
> I get the following error messages:
>
> 17) Replicate Samba Account Details between Primary and Secondary DCs
> Failed to connect to ldap URL 'ldap://ad2.samdom.example.com' - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
> Failed to connect to 'ldap://ad2.samdom.example.com' with backend 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
> ERROR(ldb): LDAP connection to ad2.samdom.example.com failed - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
>
> Initially I thought this was something simple such as an error in name or
> host resolution due to network misconfiguration. But I have double checked
> my /etc/hosts file content and my resolv.conf on ad2 and I believe these to
> be correct, please find these below for ad2 along with my smb.conf file:
>
> pi@ad2:~ $ cat /etc/hosts
> 127.0.0.1 localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.1.229 ad1.samdom.example.com ad1
> 192.168.1.228 ad2.samdom.example.com ad2
>
> pi@ad2:~ $ cat /etc/hostname
> ad2
>
> pi@ad2:~ $ cat /etc/resolv.conf
> # Generated by resolvconf
> search samdom.example.com
> nameserver 192.168.1.229
> nameserver 192.168.1.228
> nameserver 88.215.63.255
> nameserver 88.215.61.255
> nameserver 8.8.8.8
>
> pi@ad2:~ $ ifconfig
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>         inet 192.168.1.228 netmask 255.255.255.0 broadcast 192.168.1.255
>         inet6 fe80::1cb0:8751:ad6b:6df0 prefixlen 64 scopeid 0x20<link>
>         ether b8:27:eb:9c:98:34 txqueuelen 1000 (Ethernet)
>         RX packets 703 bytes 136445 (133.2 KiB)
>         RX errors 0 dropped 0 overruns 0 frame 0
>         TX packets 308 bytes 49680 (48.5 KiB)
>         TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> pi@ad2:~ $ cat /etc/samba/smb.conf
> # Global parameters
> [global]
>         netbios name = AD2
>         realm = SAMDOM.EXAMPLE.COM
>         workgroup = SAMDOM
>         dns forwarder = 88.215.63.255 88.215.61.255 8.8.8.8
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/samdom.example.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> pi@ad2:~ $ ping ad1.samdom.example.com
> PING ad1.samdom.example.com (192.168.1.229) 56(84) bytes of data.
> 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=1 ttl=64 time=0.604 ms
> 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=2 ttl=64 time=0.460 ms
> 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=3 ttl=64 time=0.353 ms
> 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=4 ttl=64 time=0.361 ms
>
> pi@ad2:~ $ host -tA ad1.samdom.example.com
> ad1.samdom.example.com has address 192.168.1.229
>
> Likewise for ad1:
>
> pi@ad1:~ $ cat /etc/hosts
> 127.0.0.1 localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.1.229 ad1.samdom.example.com ad1
> 192.168.1.228 ad2.samdom.example.com ad2
>
> pi@ad1:~ $ cat /etc/hostname
> ad1
>
> pi@ad1:~ $ cat /etc/resolv.conf
> # Generated by resolvconf
> search samdom.example.com
> nameserver 192.168.1.229
> nameserver 192.168.1.228
> nameserver 88.215.63.255
> nameserver 88.215.61.255
> nameserver 8.8.8.8
>
> pi@ad1:~ $ ifconfig
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>         inet 192.168.1.229 netmask 255.255.255.0 broadcast 192.168.1.255
>         inet6 fe80::446b:2bdc:7765:11e2 prefixlen 64 scopeid 0x20<link>
>         ether b8:27:eb:2f:93:7d txqueuelen 1000 (Ethernet)
>         RX packets 5724 bytes 572625 (559.2 KiB)
>         RX errors 0 dropped 0 overruns 0 frame 0
>         TX packets 7476 bytes 9492118 (9.0 MiB)
>         TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> pi@ad1:~ $ cat /etc/samba/smb.conf
> # Global parameters
> [global]
>         netbios name = AD1
>         realm = SAMDOM.EXAMPLE.COM
>         workgroup = SAMDOM
>         dns forwarder = 8.8.8.8
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/samdom.example.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> pi@ad1:~ $ ping ad2.samdom.example.com
> PING ad2.samdom.example.com (192.168.1.228) 56(84) bytes of data.
> 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=1 ttl=64 time=0.497 ms
> 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=2 ttl=64 time=0.469 ms
> 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=3 ttl=64 time=0.353 ms
> 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=4 ttl=64 time=0.327 ms
>
> Interestingly I note that when I do a host lookup on ad1 I get:
>
> pi@ad1:~ $ host -tA ad2.samdom.example.com
> Host ad2.samdom.example.com not found: 3(NXDOMAIN)
>
> There are some official samba articles that suggest that for Samba <4.6 you
> need to manually setup DNS entries manually on AD1 prior to configuring AD2
> ie https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record,
> but this seems a bit of a hacky workaround. This advice appears to
> contradict the TechMint tutorials and other advice I have seen elsewhere on
> the net though so I am unsure how much weight to lend to this.
>
> Can anyone advise what I am doing wrong here?

Not much, apart from adding 'acl' to /etc/fstab, this isn't required, it is one of ext4's defaults. There are things I would do differently (the main one would be 'apt-get purge dhcpcd5'). I also don't really understand why you are running the provision interactively in a script.

Have you tried restarting Samba on the second DC ?

If this doesn't work, try adding this to its smb.conf:

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

restart Samba and see if this helps

Rowland
Stephen
2019-Mar-22  16:44 UTC
[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
Thanks for taking a look Rowland, and I appreciate your comments 
regarding my scripts. I am not a professional sysadmin so there likely 
is stuff there that the grizzled unix veterans on this list will find a 
little odd  :)
I just restarted samba on ad2 as per your suggestion and I got the 
following output:
pi@ad2:~ $ sudo systemctl restart samba-ad-dc.service
pi@ad2:~ $ sudo samba-tool drs showrepl
Default-First-Site-Name\AD2
DSA Options: 0x00000001
DSA object GUID: e676dfc3-670d-46bb-b1f7-756bae990a30
DSA invocationId: b7fb9a73-a5c5-4672-9d0f-83e0323f9f3b
==== INBOUND NEIGHBORS ===
CN=Configuration,DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ Fri Mar 22 16:16:01 2019 GMT was successful
                 0 consecutive failure(s).
                 Last success @ Fri Mar 22 16:16:01 2019 GMT
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ Fri Mar 22 16:16:00 2019 GMT was successful
                 0 consecutive failure(s).
                 Last success @ Fri Mar 22 16:16:00 2019 GMT
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ Fri Mar 22 16:16:01 2019 GMT was successful
                 0 consecutive failure(s).
                 Last success @ Fri Mar 22 16:16:01 2019 GMT
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ Fri Mar 22 16:16:00 2019 GMT was successful
                 0 consecutive failure(s).
                 Last success @ Fri Mar 22 16:16:00 2019 GMT
DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ Fri Mar 22 16:16:01 2019 GMT was successful
                 0 consecutive failure(s).
                 Last success @ Fri Mar 22 16:16:01 2019 GMT
==== OUTBOUND NEIGHBORS ===
==== KCC CONNECTION OBJECTS ===
Connection --
         Connection name: c2f83b11-0d06-41d3-b6c1-438ae935852c
         Enabled        : TRUE
         Server DNS name : ad1.samdom.example.com
         Server DN name  : CN=NTDS 
Settings,CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
                 TransportType: RPC
                 options: 0x00000001
Warning: No NC replicated for Connection!
The LDAP error doesn't appear to reoccur after restart, but should the 
outbound neighbours section be empty here in this output? That seems odd.
To further verify correctness and overall sanity I tried to create some 
user accounts, both on ad1 and ad2. I would expect these accounts to 
automatically replicate across all DCs if everything is working properly.
First on ad1:
pi@ad1:~ $ sudo samba-tool user add test_user
Note: samba-tool user add is deprecated.  Please use samba-tool user 
create for the same function.
New Password:
Retype Password:
User 'test_user' created successfully
Verifying this on ad2:
pi@ad2:~ $ sudo samba-tool user list
Administrator
test_user
krbtgt
Guest
[WORKS OK]
Likewise on ad2:
pi@ad2:~ $ sudo samba-tool user add test_user2
Note: samba-tool user add is deprecated.  Please use samba-tool user 
create for the same function.
New Password:
Retype Password:
User 'test_user2' created successfully
Verifying on ad1:
pi@ad1:~ $ sudo samba-tool user list
Administrator
test_user
krbtgt
Guest
[FAILURE, test_user2 doesn't replicate as expected]
So something is clearly wrong here!
  * I can create users on ad1 and these transfer to ad2 without issue
  * However the converse is not true, users created on ad2 do not seem
    to transfer to ad1.
I did try a sudo systemctl restart samba-ad-dc after each user creation, 
but that didn't seem to make a difference.
Thanks
Stephen
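Stephen's question above (should the OUTBOUND NEIGHBORS section be empty?) is one that can be answered mechanically. The following is an added example, not code from this thread or from Samba: a POSIX shell checker that parses `samba-tool drs showrepl` output, counts inbound and outbound partners and failing partners, and gives a one-line verdict. The first sample is abridged from the output Stephen posted above (two of the five inbound partitions kept); the second is constructed to show a partner with a non-zero failure count. The interpretation of an empty outbound section as "no partner pulls from this DC" is an assumption stated in the code.

```sh
#!/bin/sh
# Added example: classify 'samba-tool drs showrepl' output.
# Not from the thread or from Samba. Live use:
#   out=$(sudo samba-tool drs showrepl); replication_verdict "$out"
set -eu

# Number of "<site>\<DC> via RPC" neighbour entries under the INBOUND or
# OUTBOUND section ($2) of showrepl output ($1).
count_neighbors() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^==== /                 { sec = $2; next }   # "==== INBOUND NEIGHBORS ===" etc.
        sec == want && /via RPC/ { n++ }
        END                      { print n + 0 }'
}

# Number of neighbour entries whose "N consecutive failure(s)." count is non-zero.
count_failures() {
    printf '%s\n' "$1" | awk '/consecutive failure/ && $1 + 0 > 0 { n++ } END { print n + 0 }'
}

# Verdict: FAIL on failing partners or no inbound partners; WARN when the
# outbound list is empty (assumption: no partner replicates from this DC, so
# objects created here stay local, which matches the symptom in the thread).
replication_verdict() {
    inbound=$(count_neighbors "$1" INBOUND)
    outbound=$(count_neighbors "$1" OUTBOUND)
    failures=$(count_failures "$1")
    if [ "$failures" -gt 0 ]; then
        echo "FAIL: $failures neighbour(s) with consecutive failures"
    elif [ "$inbound" -eq 0 ]; then
        echo "FAIL: no inbound neighbours"
    elif [ "$outbound" -eq 0 ]; then
        echo "WARN: $inbound inbound, 0 outbound neighbours: check this DC's A and _msdcs CNAME records on the other DCs"
    else
        echo "OK: $inbound inbound, $outbound outbound neighbours"
    fi
}

# Constructed sample 1: abridged from the output posted above.
SAMPLE_ONE_WAY='Default-First-Site-Name\AD2
DSA Options: 0x00000001
DSA object GUID: e676dfc3-670d-46bb-b1f7-756bae990a30

==== INBOUND NEIGHBORS ===

CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ Fri Mar 22 16:16:01 2019 GMT was successful
                0 consecutive failure(s).
                Last success @ Fri Mar 22 16:16:01 2019 GMT

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ Fri Mar 22 16:16:01 2019 GMT was successful
                0 consecutive failure(s).
                Last success @ Fri Mar 22 16:16:01 2019 GMT

==== OUTBOUND NEIGHBORS ===

==== KCC CONNECTION OBJECTS ===

Connection --
        Connection name: c2f83b11-0d06-41d3-b6c1-438ae935852c
        Enabled        : TRUE
        Server DNS name : ad1.samdom.example.com
                TransportType: RPC
Warning: No NC replicated for Connection!'

# Constructed sample 2 (invented): both directions present, inbound partner failing.
SAMPLE_FAILING='==== INBOUND NEIGHBORS ===

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ Fri Mar 22 18:00:00 2019 GMT failed
                3 consecutive failure(s).
                Last success @ Fri Mar 22 17:11:57 2019 GMT

==== OUTBOUND NEIGHBORS ===

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)'

replication_verdict "$SAMPLE_ONE_WAY"
replication_verdict "$SAMPLE_FAILING"
```

Run against the first sample this prints the WARN line, which is exactly the state Stephen describes: users created on ad2 never reach ad1 because ad1 has nothing to pull from. A cron job wrapping `replication_verdict` around live `showrepl` output on each DC is a cheap way to notice this before a domain controller silently diverges.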
Rowland Penny
2019-Mar-22  17:06 UTC
[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
On Fri, 22 Mar 2019 16:37:23 +0000 Stephen <stephen at ogdenradar.com> wrote:

> Thanks for taking a look Rowland, and I appreciate your comments regarding
> my scripts. I am not a professional sysadmin so there likely is stuff there
> that the grizzled unix veterans on this list will find a little odd :)
>
> I just restarted samba on ad2 as per your suggestion and I got the
> following output:
>
> pi@ad2:~ $ sudo systemctl restart samba-ad-dc.service
> pi@ad2:~ $ sudo samba-tool drs showrepl
> Default-First-Site-Name\AD2
> DSA Options: 0x00000001
> DSA object GUID: e676dfc3-670d-46bb-b1f7-756bae990a30
> DSA invocationId: b7fb9a73-a5c5-4672-9d0f-83e0323f9f3b
>
> ==== INBOUND NEIGHBORS ===
>
> CN=Configuration,DC=samdom,DC=example,DC=com
>         Default-First-Site-Name\AD1 via RPC
>                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
>                 Last attempt @ Fri Mar 22 16:16:01 2019 GMT was successful
>                 0 consecutive failure(s).
>                 Last success @ Fri Mar 22 16:16:01 2019 GMT
>
> DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>         Default-First-Site-Name\AD1 via RPC
>                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
>                 Last attempt @ Fri Mar 22 16:16:00 2019 GMT was successful
>                 0 consecutive failure(s).
>                 Last success @ Fri Mar 22 16:16:00 2019 GMT
>
> CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>         Default-First-Site-Name\AD1 via RPC
>                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
>                 Last attempt @ Fri Mar 22 16:16:01 2019 GMT was successful
>                 0 consecutive failure(s).
>                 Last success @ Fri Mar 22 16:16:01 2019 GMT
>
> DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>         Default-First-Site-Name\AD1 via RPC
>                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
>                 Last attempt @ Fri Mar 22 16:16:00 2019 GMT was successful
>                 0 consecutive failure(s).
>                 Last success @ Fri Mar 22 16:16:00 2019 GMT
>
> DC=samdom,DC=example,DC=com
>         Default-First-Site-Name\AD1 via RPC
>                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
>                 Last attempt @ Fri Mar 22 16:16:01 2019 GMT was successful
>                 0 consecutive failure(s).
>                 Last success @ Fri Mar 22 16:16:01 2019 GMT
>
> ==== OUTBOUND NEIGHBORS ===
>
> ==== KCC CONNECTION OBJECTS ===
>
> Connection --
>         Connection name: c2f83b11-0d06-41d3-b6c1-438ae935852c
>         Enabled        : TRUE
>         Server DNS name : ad1.samdom.example.com
>         Server DN name  : CN=NTDS Settings,CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>                 TransportType: RPC
>                 options: 0x00000001
> Warning: No NC replicated for Connection!

Try reading this:

https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

The problem is that things have changed greatly in Samba AD since 4.5.x was released, the latest Samba version is 4.10.0

Rowland
Stephen
2019-Mar-22  17:39 UTC
[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
Rowland - good news - the instructions in that document you suggested appear to have made all the difference! Now I find that if I do:

pi@ad2:~ $ sudo systemctl restart samba-ad-dc
pi@ad2:~ $ sudo samba-tool drs showrepl
Default-First-Site-Name\AD2
DSA Options: 0x00000001
DSA object GUID: e676dfc3-670d-46bb-b1f7-756bae990a30
DSA invocationId: b7fb9a73-a5c5-4672-9d0f-83e0323f9f3b

==== INBOUND NEIGHBORS ===

CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ Fri Mar 22 17:11:56 2019 GMT was successful
                0 consecutive failure(s).
                Last success @ Fri Mar 22 17:11:56 2019 GMT

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ Fri Mar 22 17:11:55 2019 GMT was successful
                0 consecutive failure(s).
                Last success @ Fri Mar 22 17:11:55 2019 GMT

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ Fri Mar 22 17:11:57 2019 GMT was successful
                0 consecutive failure(s).
                Last success @ Fri Mar 22 17:11:57 2019 GMT

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ Fri Mar 22 17:11:56 2019 GMT was successful
                0 consecutive failure(s).
                Last success @ Fri Mar 22 17:11:56 2019 GMT

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ Fri Mar 22 17:11:57 2019 GMT was successful
                0 consecutive failure(s).
                Last success @ Fri Mar 22 17:11:57 2019 GMT

==== OUTBOUND NEIGHBORS ===

CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ Fri Mar 22 17:11:46 2019 GMT was successful
                0 consecutive failure(s).
                Last success @ Fri Mar 22 17:11:46 2019 GMT

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
        Connection name: c2f83b11-0d06-41d3-b6c1-438ae935852c
        Enabled        : TRUE
        Server DNS name : ad1.samdom.example.com
        Server DN name  : CN=NTDS Settings,CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

Notice now crucially that the *outbound section here in this output is now fully completed whereas it was empty previously*. My manual testing suggests that newly created accounts replicate from ad2 to ad1 following this change successfully.

It looks like later versions of Samba set up these additional CNAME DNS records behind the scenes whereas 4.5 on my Pi seems to require these additional incantations and goat sacrifice to make things work successfully. C'est la vie.

Happily, the change you have suggested there also appears to have cascaded to the AD SRV records on both DCs which was the other question I was going to ask.

pi@ad1:~ $ host -t SRV _kerberos._udp.samdom.example.com
_kerberos._udp.samdom.example.com has SRV record 0 100 88 ad1.samdom.example.com.
_kerberos._udp.samdom.example.com has SRV record 0 100 88 ad2.samdom.example.com.
pi@ad1:~ $ host -t SRV _ldap._tcp.samdom.example.com
_ldap._tcp.samdom.example.com has SRV record 0 100 389 ad1.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389 ad2.samdom.example.com.

Thanks once again for your help, it's very much appreciated!

Kind Regards
Stephen Ellwood
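The fix in this thread came down to DNS: ad1 returned NXDOMAIN for ad2, so ad1 could never locate ad2 to pull from it, and the outbound list stayed empty until the records from the wiki procedure existed. As an added example (not from the thread, from Rowland, or from the Samba wiki), here are the same checks as shell functions that work on captured `host` output so they run offline: which expected DCs are absent from an SRV answer, whether the `_msdcs` objectGUID CNAME resolves, and the `samba-tool dns add` / `samba_dnsupdate` commands that would create what is missing. The sample answers are constructed from values in this thread (ad2 = 192.168.1.228, AD2's DSA object GUID from the showrepl output). The script prints the repair commands rather than running them, and assumes the records are created on ad1 and that the forced update runs on the new DC.

```sh
#!/bin/sh
# Added example: offline checks for a DC's AD DNS records, modelled on the
# Samba wiki "Verifying and Creating a DC DNS Record" steps.
# Not part of the thread or of Samba itself.
set -eu

DOMAIN="samdom.example.com"

# Targets of 'host -t SRV' answers, lowercased, trailing dot removed, one per line.
srv_targets() {
    printf '%s\n' "$1" | awk '/has SRV record/ { t = $NF; sub(/\.$/, "", t); print tolower(t) }'
}

# Target of a 'host -t CNAME' answer ("X is an alias for Y."); empty on NXDOMAIN.
cname_target() {
    printf '%s\n' "$1" | awk '/is an alias for/ { t = $NF; sub(/\.$/, "", t); print tolower(t) }'
}

# DCs from list $2 (short names) that do not appear as SRV targets in answer $1.
missing_dcs() {
    found=$(srv_targets "$1")
    missing=""
    for dc in $2; do
        printf '%s\n' "$found" | grep -qx "$dc.$DOMAIN" || missing="$missing $dc"
    done
    printf '%s' "${missing# }"
}

# Commands (printed, not executed) that create the records for a missing DC on
# DNS server $4, then force a dynamic update so the SRV records follow.
#   $1 = DC short name, $2 = its IP, $3 = its DSA objectGUID (the "DSA object
#   GUID" shown by 'samba-tool drs showrepl' on that DC), $4 = DNS server.
repair_commands() {
    printf 'samba-tool dns add %s %s %s A %s -U administrator\n' "$4" "$DOMAIN" "$1" "$2"
    printf 'samba-tool dns add %s _msdcs.%s %s CNAME %s.%s -U administrator\n' \
        "$4" "$DOMAIN" "$3" "$1" "$DOMAIN"
    printf 'samba_dnsupdate --verbose --all-names\n'
}

# --- constructed sample answers (values taken from the thread) ---
SRV_BEFORE='_ldap._tcp.samdom.example.com has SRV record 0 100 389 ad1.samdom.example.com.'
SRV_AFTER='_ldap._tcp.samdom.example.com has SRV record 0 100 389 ad1.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389 ad2.samdom.example.com.'
AD2_GUID='e676dfc3-670d-46bb-b1f7-756bae990a30'
CNAME_BEFORE="Host $AD2_GUID._msdcs.$DOMAIN not found: 3(NXDOMAIN)"
CNAME_AFTER="$AD2_GUID._msdcs.$DOMAIN is an alias for ad2.$DOMAIN."

# Live use replaces the constants with real lookups, e.g.
#   SRV_BEFORE=$(host -t SRV "_ldap._tcp.$DOMAIN")
#   CNAME_BEFORE=$(host -t CNAME "$AD2_GUID._msdcs.$DOMAIN")
report() {
    for dc in $(missing_dcs "$SRV_BEFORE" "ad1 ad2"); do
        echo "$dc is missing from _ldap._tcp.$DOMAIN; suggested repair (samba_dnsupdate on the new DC):"
        repair_commands "$dc" 192.168.1.228 "$AD2_GUID" ad1
    done
    if [ -z "$(cname_target "$CNAME_BEFORE")" ]; then
        echo "no _msdcs CNAME for $AD2_GUID: partners cannot locate this DC by its GUID"
    fi
}
report
```

The `_msdcs` CNAME matters because replication partners look a DC up by its NTDS Settings objectGUID, not by its hostname; an A record alone is not enough, which is why `showrepl` on ad2 looked healthy inbound while ad1 still could not pull. Run the SRV and CNAME lookups against each DC's own DNS in turn, since a record present on the new DC's internal DNS but absent on the existing one is exactly the asymmetry seen here.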