Stephen
2019-Mar-22 15:03 UTC
[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
Hello I wonder if anyone here could possibly help me? I am using Samba version 4.5.16-Debian (version information taken from sudo smbstatus) on Raspbian and attempting to prototype some future network infrastructure with a couple of Raspberry Pis. So far I have sucessfully created a Samba 4 AD DC ad1.samdom.example.com. I have successfully joined my Windows 10 dekstop client to the SAMDOM domain provided by ad1 and it authenticated OK, and appears to synchronise the network time correctly. So far so good! Ideally I would now like to add to this basic setup by creating an additional DC, ad2, with ip ad2.samdom.example.com, and join this to the existing SAMDOM domain provided by ad1 to provide some extra redundancy and failover. This is where my problems begin unfortunately. I have used two separate shell-scripts to commission my two servers ad1.sh and ad2.sh (please find both scripts attached for scrutiny) * These two scripts are based heavily upon the tutorial series found at TechMint here: https://www.tecmint.com/install-samba4-active-directory-ubuntu/ * The script to build ad1 is the main DC and is based upon section 1 and 2 of the tutorial, and as far as I can tell appears to work correctly. As discussed I can connect to the server that results from a Windows 10 client. * The script to build the second DC used for failover is based upon part 5 of the linked tutorial series, and this is where I am having problems. * Both ad1 and ad2 are assigned static ips, ad1 = 192.168.1.229 and ad2=192.168.1.228. I am encountering baffling issues with LDAP when I run my script ad2.sh. What I don't understand here is that I am apparently able to join domain SAMDOM without issue, ie in the ad2 script when I do pi at ad2 $ sudo samba-tool domain join samdom DC -U"SAMDOM\administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes' --option="dns forwarder = $EXTERNAL_DNS2 $EXTERNAL_DNS3 $EXTERNAL_DNS4" This appears to work just fine, and I obtain the following seemingly plausible output from this command: Finding a writeable DC for domain 'samdom.example.com' Found DC ad1.samdom.example.com Password for [=SAMDOM\administrator]: workgroup is SAMDOM realm is samdom.example.com Adding CN=AD2,OU=Domain Controllers,DC=samdom,DC=example,DC=com Adding CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com Adding CN=NTDS Settings,CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com Adding SPNs to CN=AD2,OU=Domain Controllers,DC=samdom,DC=example,DC=com Setting account password for AD2$ Enabling account Calling bare provision Looking up IPv4 addresses Looking up IPv6 addresses No IPv6 address will be assigned Setting up share.ldb Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf Provision OK for domain DN DC=samdom,DC=example,DC=com Starting replication Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0] Analyze and apply schema objects Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1614] linked_values[0/0] Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1614] linked_values[0/0] Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1614] linked_values[0/0] Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1614] linked_values[0/0] Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1614/1614] linked_values[30/0] Replicating critical objects from the base DN of the domain Partition[DC=samdom,DC=example,DC=com] objects[97/97] linked_values[23/0] Partition[DC=samdom,DC=example,DC=com] objects[360/263] linked_values[23/0] Done with always replicated NC (base, config, schema) Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[40/40] linked_values[0/0] Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[18/18] linked_values[0/0] Committing SAM database Sending DsReplicaUpdateRefs for all the replicated partitions Setting isSynchronized and dsServiceName Setting up secrets database Joined domain SAMDOM (SID S-1-5-21-1810456019-651403982-3541939936) as a DC Unfortunately it is after this I then have major problems after that with LDAP when I try and perform the actual replication. When I attempt: pi at ad2 ~ $ sudo systemctl unmask samba-ad-dc pi at ad2 ~ $ sudo systemctl restart samba-ad-dc pi at ad2 ~ $ sudo samba-tool drs showrepl I get the following error messages: 17) Replicate Samba Account Details between Primary and Secondary DCs Failed to connect to ldap URL 'ldap://ad2.samdom.example.com' - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED Failed to connect to 'ldap://ad2.samdom.example.com' with backend 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED ERROR(ldb): LDAP connection to ad2.samdom.example.com failed - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED Initially I thought this was something simple such as an error in name or host resolution due to network misconfiguration. But I have double checked my /etc/hosts file content and my resolv.conf on ad2 and I believe these to be correct, please find these below for ad2 along with my smb.conf file: pi at ad2:~ $ cat /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters 192.168.1.229 ad1.samdom.example.com ad1 192.168.1.228 ad2.samdom.example.com ad2 pi at ad2:~ $ cat /etc/hostname ad2 pi at ad2:~ $ cat /etc/resolv.conf # Generated by resolvconf search samdom.example.com nameserver 192.168.1.229 nameserver 192.168.1.228 nameserver 88.215.63.255 nameserver 88.215.61.255 nameserver 8.8.8.8 pi at ad2:~ $ ifconfig eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.228 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::1cb0:8751:ad6b:6df0 prefixlen 64 scopeid 0x20<link> ether b8:27:eb:9c:98:34 txqueuelen 1000 (Ethernet) RX packets 703 bytes 136445 (133.2 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 308 bytes 49680 (48.5 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 pi at ad2:~ $ cat /etc/samba/smb.conf # Global parameters [global] netbios name = AD2 realm = SAMDOM.EXAMPLE.COM workgroup = SAMDOM dns forwarder = 88.215.63.255 88.215.61.255 8.8.8.8 server role = active directory domain controller idmap_ldb:use rfc2307 = yes [netlogon] path = /var/lib/samba/sysvol/samdom.example.com/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No pi at ad2:~ $ ping ad1.samdom.example.com PING ad1.samdom.example.com (192.168.1.229) 56(84) bytes of data. 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=1 ttl=64 time=0.604 ms 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=2 ttl=64 time=0.460 ms 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=3 ttl=64 time=0.353 ms 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=4 ttl=64 time=0.361 ms pi at ad2:~ $ host -tA ad1.samdom.example.com ad1.samdom.example.com has address 192.168.1.229 Likewise for ad1: pi at ad1:~ $ cat /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters 192.168.1.229 ad1.samdom.example.com ad1 192.168.1.228 ad2.samdom.example.com ad2 pi at ad1:~ $ cat /etc/hostname ad1 pi at ad1:~ $ cat /etc/resolv.conf # Generated by resolvconf search samdom.example.com nameserver 192.168.1.229 nameserver 192.168.1.228 nameserver 88.215.63.255 nameserver 88.215.61.255 nameserver 8.8.8.8 pi at ad1:~ $ ifconfig eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.229 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::446b:2bdc:7765:11e2 prefixlen 64 scopeid 0x20<link> ether b8:27:eb:2f:93:7d txqueuelen 1000 (Ethernet) RX packets 5724 bytes 572625 (559.2 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7476 bytes 9492118 (9.0 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 pi at ad1:~ $ cat /etc/samba/smb.conf # Global parameters [global] netbios name = AD1 realm = SAMDOM.EXAMPLE.COM workgroup = SAMDOM dns forwarder = 8.8.8.8 server role = active directory domain controller idmap_ldb:use rfc2307 = yes [netlogon] path = /var/lib/samba/sysvol/samdom.example.com/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No pi at ad1:~ $ ping ad2.samdom.example.com PING ad2.samdom.example.com (192.168.1.228) 56(84) bytes of data. 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=1 ttl=64 time=0.497 ms 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=2 ttl=64 time=0.469 ms 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=3 ttl=64 time=0.353 ms 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=4 ttl=64 time=0.327 ms Interestingly I note that when I do a host lookup on ad1 I get: pi at ad1:~ $ host -tA ad2.samdom.example.com Host ad2.samdom.example.com not found: 3(NXDOMAIN) There are some official samba articles that suggest that for Samba <4.6 you need to manually setup DNS entries manually on AD1 prior to configuring AD2 ie https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record, but this seems a bit of a hacky workaround. This advice appears to contradict the TechMint tutorials and other advice I have seen elsewhere on the net though so I am unsure how much weight to lend to this. Can anyone advise what I am doing wrong here? Any help rendered would be hugely appreciated :O) Thanks Stephen Ellwood -------------- next part -------------- #---------------------------------------------------------------| #---------------------------------------------------------------| # Setup a primary Active Directory controller server | #---------------------------------------------------------------| #---------------------------------------------------------------| PROGRESS_FILE="adprogressprimary"; # ---------------------------------------------------------------| # Active directory server configuration settings # ---------------------------------------------------------------| IP_ADDRESS="192.168.1.229"; IP_ADDRESS_SECONDARY_AD="192.168.1.228"; HOSTNAME_SECONDARY_AD="ad2" GATEWAY="192.168.1.1"; EXTERNAL_DNS1="88.215.63.255" EXTERNAL_DNS2="88.215.61.255" EXTERNAL_DNS3="8.8.8.8" DNS_SERVERS="$IP_ADDRESS $IP_ADDRESS_SECONDARY_AD $EXTERNAL_DNS1 $EXTERNAL_DNS2 $EXTERNAL_DNS3"; DOMAIN="samdom.example.com"; WIN_DOMAIN="samdom" HOSTNAME="ad1"; # ---------------------------------------------------------------| # Shell colour definitions # ---------------------------------------------------------------| RCol='\e[0m' # Text Reset # Regular Bold Underline High Intensity BoldHigh Intens Background High Intensity Backgrounds Bla='\e[0;30m'; BBla='\e[1;30m'; UBla='\e[4;30m'; IBla='\e[0;90m'; BIBla='\e[1;90m'; On_Bla='\e[40m'; On_IBla='\e[0;100m'; Red='\e[0;31m'; BRed='\e[1;31m'; URed='\e[4;31m'; IRed='\e[0;91m'; BIRed='\e[1;91m'; On_Red='\e[41m'; On_IRed='\e[0;101m'; Gre='\e[0;32m'; BGre='\e[1;32m'; UGre='\e[4;32m'; IGre='\e[0;92m'; BIGre='\e[1;92m'; On_Gre='\e[42m'; On_IGre='\e[0;102m'; Yel='\e[0;33m'; BYel='\e[1;33m'; UYel='\e[4;33m'; IYel='\e[0;93m'; BIYel='\e[1;93m'; On_Yel='\e[43m'; On_IYel='\e[0;103m'; Blu='\e[0;34m'; BBlu='\e[1;34m'; UBlu='\e[4;34m'; IBlu='\e[0;94m'; BIBlu='\e[1;94m'; On_Blu='\e[44m'; On_IBlu='\e[0;104m'; Pur='\e[0;35m'; BPur='\e[1;35m'; UPur='\e[4;35m'; IPur='\e[0;95m'; BIPur='\e[1;95m'; On_Pur='\e[45m'; On_IPur='\e[0;105m'; Cya='\e[0;36m'; BCya='\e[1;36m'; UCya='\e[4;36m'; ICya='\e[0;96m'; BICya='\e[1;96m'; On_Cya='\e[46m'; On_ICya='\e[0;106m'; Whi='\e[0;37m'; BWhi='\e[1;37m'; UWhi='\e[4;37m'; IWhi='\e[0;97m'; BIWhi='\e[1;97m'; On_Whi='\e[47m'; On_IWhi='\e[0;107m'; # ---------------------------------------------------------------| # Cleanup code # ---------------------------------------------------------------| # Make sure we update our bash prompt to reflect our change of hostname function finish { exec bash } trap finish EXIT # ---------------------------------------------------------------| # Script Code # ---------------------------------------------------------------| # Explain what script actually does echo -e "${Yel}---------------------------------------------------------${RCol}" echo -e "${Yel} Setup Samba 4 Active Directory Domain Controller${RCol}" echo -e "${Yel}---------------------------------------------------------${RCol}" echo -e "${Yel} This script configures the current Raspberry Pi to be ${RCol}" echo -e "${Yel} a Samba 4 Active Directory controller.${RCol}" echo "" echo -e "${Red} Note: This script should be used for local installation only${RCol}" echo -e "${Red} and should not be used via SSH or similar remote access tools${RCol}" echo "" echo -e "${Yel}---------------------------------------------------------${RCol}" echo "" # Create progress file if it doesn't already exists if [ ! -f ${PROGRESS_FILE} ]; then echo -e "${Cya} Create file to track installation progress${RCol}" touch ${PROGRESS_FILE} fi # Disable Pi WiFi and Bluetooth RF Interfaces if ! grep -q 'disable-rf' ${PROGRESS_FILE}; then echo -e "${Cya}1) Disabling RF Interfaces${RCol}" sudo systemctl disable wpa_supplicant sudo systemctl disable bluetooth sudo systemctl disable hciuart echo "dtoverlay=pi3-disable-wifi" | sudo tee -a /boot/config.txt; echo "pi3-disable-bt" | sudo tee -a /boot/config.txt; echo "disable-rf" >> ${PROGRESS_FILE} fi # Enable ACL for main AD drive partition "/" # (change "defaults,noatime" to "default,noatime,acl" there, and backup old /etc/fstab) if ! grep -q 'enable-acl' ${PROGRESS_FILE}; then echo -e "${Cya}2) Enabling ACL${RCol}" awk '/^.*\/.*ext4/{if ($3="ext4") $4="defaults,noatime,acl"};{print}' /etc/fstab > ~/fstab.new sudo cp /etc/fstab /etc/fstab.backup sudo mv ~/fstab.new /etc/fstab echo "enable-acl" >> ${PROGRESS_FILE} fi # Change user Pi default logon password # !!! We MUST do this BEFORE enabling SSH !!! if ! grep -q 'change-default-password' ${PROGRESS_FILE}; then echo -e "${Cya}3) Changing Pi default password${RCol}" echo -e "${Red} Note that during this process you will be prompted to choose and enter a new password for user pi.${RCol}" echo -e "${Red} This is the main login account for this Raspberry pi server, and is also used for remote access via SSH!${RCol}" echo -e "${Red} Store these credentials somewhere safe! You will need these to login and administer the machine.${RCol}" if ! passwd; then echo "Failed to change default user password. THIS IS A SECURITY RISK so exiting..." exit 1 else echo "change-default-password" >> ${PROGRESS_FILE} fi fi # Update Raspbian package lists if ! grep -q 'update-raspbian' ${PROGRESS_FILE}; then echo -e "${Cya}4) Updating Raspbian Package Server List(s)${RCol}" sudo apt-get update echo "update-raspbian" >> ${PROGRESS_FILE} fi # Upgrade Raspbian packages if ! grep -q 'upgrade-raspbian' ${PROGRESS_FILE}; then echo -e "${Cya}5) Upgrading Raspbian${RCol}" sudo apt-get -y upgrade echo "upgrade-raspbian" >> ${PROGRESS_FILE} fi # Update IP address settings for Pi in /etc/dhcpcd.conf if ! grep -q 'change-eth0-settings' ${PROGRESS_FILE}; then echo -e "${Cya}6) Changing Pi Network settings${RCol}" sudo cp /etc/dhcpcd.conf /etc/dhcpcd.conf.backup sudo sed -i '/# static IP configuration for Ogden Active Directory service:/,$d' /etc/dhcpcd.conf; sudo sed -i '/# Example static IP configuration:/,$d' /etc/dhcpcd.conf; echo "# static IP configuration for Ogden Active Directory service:" | sudo tee -a /etc/dhcpcd.conf echo "interface eth0" | sudo tee -a /etc/dhcpcd.conf; echo "static routers=$GATEWAY" | sudo tee -a /etc/dhcpcd.conf; echo "static ip_address=$IP_ADDRESS" | sudo tee -a /etc/dhcpcd.conf; echo "static domain_name_servers=$DNS_SERVERS" | sudo tee -a /etc/dhcpcd.conf; echo "static domain_search=$DOMAIN" | sudo tee -a /etc/dhcpcd.conf; # Force immediate update to ip address sudo ifconfig eth0 down sudo ifconfig eth0 up sudo service networking restart; echo "change-eth0-settings" >> ${PROGRESS_FILE}; fi # Change default pi hostname if ! grep -q 'change-hostname' ${PROGRESS_FILE}; then echo -e "${Cya}7) Changing Pi hostname settings${RCol}" # Update /etc/hosts file prior to hostname change sudo sed -i "/$HOSTNAME/d" /etc/hosts; echo "$IP_ADDRESS $HOSTNAME.$DOMAIN $HOSTNAME" | sudo tee -a /etc/hosts; echo "$IP_ADDRESS_SECONDARY_AD $HOSTNAME_SECONDARY_AD.$DOMAIN $HOSTNAME_SECONDARY_AD" | sudo tee -a /etc/hosts; # Set new hostname by modifying /etc/hostname - only then delete our old hostname entry sudo hostnamectl set-hostname $HOSTNAME sudo sed -i '/raspberrypi/d' /etc/hosts; sudo systemctl restart systemd-logind.service; sudo service networking restart; echo "change-hostname" >> ${PROGRESS_FILE}; fi # Install Samba4 software if ! grep -q 'install-samba' ${PROGRESS_FILE}; then echo -e "${Cya}8) Installing Samba${RCol}" echo "When prompted during installation please enter the following options at the installer prompt:"; echo -n "Default Kerberos realm: "; echo "$DOMAIN"|awk '{print toupper($0)}'; echo "Kerberos servers: $DOMAIN"; echo "Administrative server: $HOSTNAME.$DOMAIN"; echo "Please press a key to continue..."; read -n 1 -s; sudo apt-get install -y samba krb5-user krb5-config winbind libpam-winbind libnss-winbind; echo "install-samba" >> ${PROGRESS_FILE} fi # Stop Samba4 services prior to provisioning if ! grep -q 'stop-samba-services' ${PROGRESS_FILE}; then echo -e "${Cya}9) Temporarily disable Samba prior to provisioning${RCol}" sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.backup sudo rm /etc/krb5.conf echo "stop-samba-services" >> ${PROGRESS_FILE} fi # Provision the new Samba 4 AD controller if ! grep -q 'provision-samba' ${PROGRESS_FILE}; then echo -e "${Cya}10) Provision new Samba instance${RCol}" echo "" echo "When prompted during installation please enter the following options at the installer prompt:"; echo -n "realm: "; echo "$DOMAIN"|awk '{print toupper($0)}'; echo -n "domain: "; echo "$WIN_DOMAIN"|awk '{print toupper($0)}'; echo "server role: dc"; echo "DNS backend: SAMBA_INTERNAL"; echo "DNS Forwarder: 8.8.8.8"; echo "" echo -e "${Red} Note that during this process you will be prompted to choose and enter an administrator password.${RCol}" echo -e "${Red} This is the superuser password for the specified Samba domain and is used to create all other accounts!${RCol}" echo -e "${Red} Store these credentials somewhere safe!${RCol}" echo "" sudo samba-tool domain provision --use-rfc2307 --interactive; echo "provision-samba" >> ${PROGRESS_FILE} fi # Link to update kerberos configuration if ! grep -q 'update-kerberos-config' ${PROGRESS_FILE}; then echo -e "${Cya}11) Update Kerberos configuration file${RCol}"281 sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf; echo "update-kerberos-config" >> ${PROGRESS_FILE} fi # Enable samba-ad-dc daemon to run at boottime if ! grep -q 'unmask-enable-samba-daemons' ${PROGRESS_FILE}; then echo -e "${Cya}12) Unmask Samba services${RCol}" sudo systemctl unmask samba-ad-dc.service sudo systemctl start samba-ad-dc.service sudo systemctl status samba-ad-dc.service sudo systemctl enable samba-ad-dc.service echo "unmask-enable-samba-daemons" >> ${PROGRESS_FILE} fi # Regenerate resolv.conf, using our updated dhcpcd.conf entries if ! grep -q 'update-resolve-file' ${PROGRESS_FILE}; then echo -e "${Cya}13) Update /etc/resolv.conf filename${RCol}" echo -e "search $DOMAIN\nnameserver $IP_ADDRESS\nnameserver $IP_ADDRESS_SECONDARY_AD\nnameserver $EXTERNAL_DNS1\nnameserver $EXTERNAL_DNS2\nnameserver $EXTERNAL_DNS3" | sudo resolvconf -a eth0.inet echo "update-resolve-file" >> ${PROGRESS_FILE} fi # Manually verify required samba ports have been opened if ! grep -q 'check-samba-ad-ports' ${PROGRESS_FILE}; then echo -e "${Cya}14) Check Samba AD ports ${RCol}" sudo netstat -tulpn | egrep 'smbd|samba'; echo "check-samba-ad-ports" >> ${PROGRESS_FILE} fi # Manually verify required samba is correctly emulating windows server if ! grep -q 'check-winserv-emu' ${PROGRESS_FILE}; then echo -e "${Cya}15) Check Windows Server Emulation ${RCol}" sudo samba-tool domain level show echo "check-winserv-emu" >> ${PROGRESS_FILE} fi # Ping to check local domain and dns is working correctly if ! grep -q 'ping-check-local-domain' ${PROGRESS_FILE}; then echo -e "${Cya}16) Ping test AD DNS functionality${RCol}" ping -c3 "$HOSTNAME"; PING1CHK=$?; ping -c3 "$HOSTNAME.$DOMAIN"; PING2CHK=$?; ping -c3 "$DOMAIN"; PING3CHK=$?; if [ $PING1CHK -ne 0 ] || [ $PING2CHK -ne 0 ] || [ $PING3CHK -ne 0 ]; then echo "ERROR: Could not ping host(s) and/or dns server. Exiting." exit 2 fi echo "ping-check-local-domain" >> ${PROGRESS_FILE}; fi if ! grep -q 'dns-check-local-domain' ${PROGRESS_FILE}; then echo -e "${Cya}17) DNS lookup check AD domain and AD server${RCol}" host -t A "$DOMAIN" DNS1CHK=$?; host -t A "$HOSTNAME.$DOMAIN"; DNS2CHK=$?; host -t SRV "_kerberos._udp.$DOMAIN"; DNS3CHK=$?; host -t SRV "_ldap._tcp.$DOMAIN"; DNS4CHK=$?; if [ $DNS1CHK -ne 0 ] || [ $DNS2CHK -ne 0 ] || [ $DNS3CHK -ne 0 ] || [ $DNS4CHK -ne 0 ]; then echo "ERROR: Could not perform required DNS lookups! Exiting." exit 3 fi echo "dns-check-local-domain" >> ${PROGRESS_FILE}; fi # Request Kerberos ticket if ! grep -q 'kerberos-ticket-request-check' ${PROGRESS_FILE}; then echo -e "${Cya}18) Request Kerberos new ticket to check Kerberos${RCol}" echo "We will test Kerberos by requesting a new ticket for user administator."; echo "Please enter password for administrator@$WIN_DOMAIN when requested here"; KRB_ADMIN="administrator@`echo "$DOMAIN"|awk '{print toupper($0)}'`" kinit $KRB_ADMIN klist echo "kerberos-ticket-request-check" >> ${PROGRESS_FILE} fi # Install NTP functionality required for Active Directory if ! grep -q 'install-ntp' ${PROGRESS_FILE}; then echo -e "${Cya}19) Install required NTP functionality on server${RCol}" sudo apt-get install -y ntp ntpdate echo "install-ntp" >> ${PROGRESS_FILE} fi # Configure NTP settings required for Active Directory if ! grep -q 'configure-ntp' ${PROGRESS_FILE}; then echo -e "${Cya}20) Configure required NTP functionality on server${RCol}" sudo sed -i 's/pool 0.*/pool 0.uk.pool.ntp.org iburst/' /etc/ntp.conf sudo sed -i 's/pool 1.*/pool 1.uk.pool.ntp.org iburst/' /etc/ntp.conf sudo sed -i 's/pool 2.*/pool 2.uk.pool.ntp.org iburst/' /etc/ntp.conf sudo sed -i 's/pool 3.*/pool 3.uk.pool.ntp.org iburst/' /etc/ntp.conf sudo sed -i '/^driftfile/a ntpsigndsocket /var/lib/samba/ntp_signd/' /etc/ntp.conf sudo sed -i '/^restrict source/a restrict default kod nomodify notrap nopeer mssntp' /etc/ntp.conf echo "configure-ntp" >> ${PROGRESS_FILE} fi # Set permissions required for NTP server if ! grep -q 'permissions-ntp' ${PROGRESS_FILE}; then echo -e "${Cya}21) Set required NTP permissions${RCol}" sudo chown root:ntp /var/lib/samba/ntp_signd/ sudo chmod 750 /var/lib/samba/ntp_signd/ echo "permissions-ntp" >> ${PROGRESS_FILE} fi # Restart NTP if ! grep -q 'restart-ntp' ${PROGRESS_FILE}; then echo -e "${Cya}22) Restart NTP to update settings${RCol}" sudo systemctl restart ntp echo "restart-ntp" >> ${PROGRESS_FILE} fi # Check NTP port is listening if ! grep -q 'check-ntp-port' ${PROGRESS_FILE}; then echo -e "${Cya}23) Confirm required NTP ports opened${RCol}" sudo netstat -tulpn | grep ntp # Wait here for NTP to synchronise sleep 10s echo "check-ntp-port" >> ${PROGRESS_FILE} fi # List all NTP servers if ! grep -q 'list-ntp-servers' ${PROGRESS_FILE}; then echo -e "${Cya}24) Print list of NTP servers${RCol}" ntpq -p echo "list-ntp-servers" >> ${PROGRESS_FILE} fi # Check NTP time synchronisation if ! grep -q 'check-ntp-sync' ${PROGRESS_FILE}; then echo -e "${Cya}25) Confirm NTP time sychronisation${RCol}" NTPSYNCCHK=$(ntpdate -qu $HOSTNAME) if echo "$NTPSYNCCHK" | grep -q 'no server suitable for synchronization found'; then echo "ERROR: Could not synchronise to NTP servers. Exiting..." exit 4 fi echo "check-ntp-sync" >> ${PROGRESS_FILE} fi # Enable SSH service for remote access to AD server for configuration etc. if ! grep -q 'enable-ssh' ${PROGRESS_FILE}; then echo -e "${Cya}26) Enable SSH for remote AD server administration${RCol}" sudo systemctl enable ssh sudo systemctl start ssh echo "enable-ssh" >> ${PROGRESS_FILE} fi # Reboot to reflect hostname change if ! grep -q 'update-shell-prompt' ${PROGRESS_FILE}; then echo "update-shell-prompt" >> ${PROGRESS_FILE} sudo reboot fi -------------- next part -------------- #---------------------------------------------------------------| #---------------------------------------------------------------| # Setup a primary Active Directory controller server | #---------------------------------------------------------------| #---------------------------------------------------------------| PROGRESS_FILE="adprogresssecondary"; # ---------------------------------------------------------------| # Active directory server configuration settings # ---------------------------------------------------------------| IP_ADDRESS="192.168.1.228"; GATEWAY="192.168.1.1"; IP_ADDRESS_PRIMARY_AD="192.168.1.229"; # This first DNS server must be # our existing primary AD DC! PRIMARY_AD_HOSTNAME="ad1"; # Hostname for primary AD DC instance EXTERNAL_DNS2="88.215.63.255"; # These are all external DNS server EXTERNAL_DNS3="88.215.61.255"; EXTERNAL_DNS4="8.8.8.8"; DNS_SERVERS="$IP_ADDRESS_PRIMARY_AD $IP_ADDRESS $EXTERNAL_DNS2 $EXTERNAL_DNS3 $EXTERNAL_DNS4"; SAMBA_DNS_FORWARDER="$EXTERNAL_DNS4"; DOMAIN="samdom.example.com"; # Samba Domain details WIN_DOMAIN="samdom"; # Windows Domain name eg SAMDOM\\PC_NAME WIN_DOMAIN_UPPER=="`echo "$WIN_DOMAIN"|awk '{print toupper($0)}'`" HOSTNAME="ad2"; # Hostname for this AD DC instance # ---------------------------------------------------------------| # Shell colour definitions # ---------------------------------------------------------------| RCol='\e[0m' # Text Reset # Regular Bold Underline High Intensity BoldHigh Intens Background High Intensity Backgrounds Bla='\e[0;30m'; BBla='\e[1;30m'; UBla='\e[4;30m'; IBla='\e[0;90m'; BIBla='\e[1;90m'; On_Bla='\e[40m'; On_IBla='\e[0;100m'; Red='\e[0;31m'; BRed='\e[1;31m'; URed='\e[4;31m'; IRed='\e[0;91m'; BIRed='\e[1;91m'; On_Red='\e[41m'; On_IRed='\e[0;101m'; Gre='\e[0;32m'; BGre='\e[1;32m'; UGre='\e[4;32m'; IGre='\e[0;92m'; BIGre='\e[1;92m'; On_Gre='\e[42m'; On_IGre='\e[0;102m'; Yel='\e[0;33m'; BYel='\e[1;33m'; UYel='\e[4;33m'; IYel='\e[0;93m'; BIYel='\e[1;93m'; On_Yel='\e[43m'; On_IYel='\e[0;103m'; Blu='\e[0;34m'; BBlu='\e[1;34m'; UBlu='\e[4;34m'; IBlu='\e[0;94m'; BIBlu='\e[1;94m'; On_Blu='\e[44m'; On_IBlu='\e[0;104m'; Pur='\e[0;35m'; BPur='\e[1;35m'; UPur='\e[4;35m'; IPur='\e[0;95m'; BIPur='\e[1;95m'; On_Pur='\e[45m'; On_IPur='\e[0;105m'; Cya='\e[0;36m'; BCya='\e[1;36m'; UCya='\e[;36m'; ICya='\e[0;96m'; BICya='\e[1;96m'; On_Cya='\e[46m'; On_ICya='\e[0;106m'; Whi='\e[0;37m'; BWhi='\e[1;37m'; UWhi='\e[4;37m'; IWhi='\e[0;97m'; BIWhi='\e[1;97m'; On_Whi='\e[47m'; On_IWhi='\e[0;107m'; # ---------------------------------------------------------------| # Cleanup code # ---------------------------------------------------------------| # Make sure we update our bash prompt to reflect our change of hostname function finish { exec bash } trap finish EXIT # ---------------------------------------------------------------| # Script Code # ---------------------------------------------------------------| # Explain what script actually does echo -e "${Yel}---------------------------------------------------------${RCol}" echo -e "${Yel} Setup Additional Backup Samba 4 Domain Controller(s)${RCol}" echo -e "${Yel}---------------------------------------------------------${RCol}" echo -e "${Yel} This script configures the current Raspberry Pi to be ${RCol}" echo -e "${Yel} an additional Samba 4 Domain Controller, that will join${RCol}" echo -e "${Yel} to a pre-existing AD forest as a backup or failover server.${RCol}" echo -e "${Red} Note: This script should be used for local installation only${RCol}" echo -e "${Red} and should not be used via SSH or similar remote access tools.${RCol}" echo -e "${Red} To minimise the chance of misconfiguration this script should be${RCol}" echo -e "${Red} applied to a fresh Raspbian installations ONLY.${RCol}" echo "" echo -e "${Yel}---------------------------------------------------------${RCol}" echo "" # Create progress file if it doesn't already exists if [ ! -f ${PROGRESS_FILE} ]; then echo -e "${Cya} Create file to track installation progress${RCol}" touch ${PROGRESS_FILE} fi # Disable Pi WiFi and Bluetooth RF Interfaces if ! grep -q 'disable-rf' ${PROGRESS_FILE}; then echo -e "${Cya}1) Disabling RF Interfaces${RCol}" sudo systemctl disable wpa_supplicant sudo systemctl disable bluetooth sudo systemctl disable hciuart echo "dtoverlay=pi3-disable-wifi" | sudo tee -a /boot/config.txt; echo "pi3-disable-bt" | sudo tee -a /boot/config.txt; echo "disable-rf" >> ${PROGRESS_FILE} fi # Enable ACL for main AD drive partition "/" # (change "defaults,noatime" to "default,noatime,acl" there, and backup old /etc/fstab) if ! grep -q 'enable-acl' ${PROGRESS_FILE}; then echo -e "${Cya}2) Enabling ACL${RCol}" awk '/^.*\/.*ext4/{if ($3="ext4") $4="defaults,noatime,acl"};{print}' /etc/fstab > ~/fstab.new sudo cp /etc/fstab /etc/fstab.backup sudo mv ~/fstab.new /etc/fstab echo "enable-acl" >> ${PROGRESS_FILE} fi # Change user Pi default logon password # !!! We MUST do this BEFORE enabling SSH !!! if ! grep -q 'change-default-password' ${PROGRESS_FILE}; then echo -e "${Cya}3) Changing Pi default password${RCol}" echo -e "${Red} Note that during this process you will be prompted to choose and enter a new password for user pi.${RCol}" echo -e "${Red} This is the main login account for this Raspberry pi server, and is also used for remote access via SSH!${RCol}" echo -e "${Red} Store these credentials somewhere safe! You will need these to login and administer the machine.${RCol}" if ! passwd; then echo "Failed to change default user password. THIS IS A SECURITY RISK so exiting..." exit 1 else echo "change-default-password" >> ${PROGRESS_FILE} fi fi # Update Raspbian package lists if ! grep -q 'update-raspbian' ${PROGRESS_FILE}; then echo -e "${Cya}4) Updating Raspbian Package Server List(s)${RCol}" sudo apt-get update echo "update-raspbian" >> ${PROGRESS_FILE} fi # Upgrade Raspbian packages if ! grep -q 'upgrade-raspbian' ${PROGRESS_FILE}; then echo -e "${Cya}5) Upgrading Raspbian${RCol}" sudo apt-get -y upgrade echo "upgrade-raspbian" >> ${PROGRESS_FILE} fi # Update IP address settings for Pi in /etc/dhcpcd.conf if ! grep -q 'change-eth0-settings' ${PROGRESS_FILE}; then echo -e "${Cya}6) Changing Pi Network settings${RCol}" sudo cp /etc/dhcpcd.conf /etc/dhcpcd.conf.backup sudo sed -i '/# static IP configuration for Ogden Active Directory service:/,$d' /etc/dhcpcd.conf; sudo sed -i '/# Example static IP configuration:/,$d' /etc/dhcpcd.conf; echo "# static IP configuration for Ogden Active Directory service:" | sudo tee -a /etc/dhcpcd.conf echo "interface eth0" | sudo tee -a /etc/dhcpcd.conf; echo "static routers=$GATEWAY" | sudo tee -a /etc/dhcpcd.conf; echo "static ip_address=$IP_ADDRESS" | sudo tee -a /etc/dhcpcd.conf; echo "static domain_name_servers=$DNS_SERVERS" | sudo tee -a /etc/dhcpcd.conf; echo "static domain_search=$DOMAIN" | sudo tee -a /etc/dhcpcd.conf; # Force immediate update to ip address sudo ifconfig eth0 down sudo ifconfig eth0 up sudo service networking restart; echo "change-eth0-settings" >> ${PROGRESS_FILE}; fi # Change default pi hostname if ! grep -q 'change-hostname' ${PROGRESS_FILE}; then echo -e "${Cya}7) Changing Pi hostname settings${RCol}" # Update /etc/hosts file prior to hostname change sudo sed -i "/$HOSTNAME/d" /etc/hosts; echo "$IP_ADDRESS_PRIMARY_AD $PRIMARY_AD_HOSTNAME.$DOMAIN $PRIMARY_AD_HOSTNAME" | sudo tee -a /etc/hosts; echo "$IP_ADDRESS $HOSTNAME.$DOMAIN $HOSTNAME" | sudo tee -a /etc/hosts; # Set new hostname by modifying /etc/hostname - only then delete our old hostname entry sudo hostnamectl set-hostname $HOSTNAME sudo sed -i '/raspberrypi/d' /etc/hosts; sudo systemctl restart systemd-logind.service; sudo service networking restart; sleep 5s echo "change-hostname" >> ${PROGRESS_FILE}; fi # Ping to check local domain and dns is configured correctly prior to Samba installation if ! grep -q 'ping-check-local-domain' ${PROGRESS_FILE}; then echo -e "${Cya}8) Ping test AD DNS functionality${RCol}" ping -c3 "$HOSTNAME"; PING1CHK=$?; ping -c3 "$PRIMARY_AD_HOSTNAME.$DOMAIN"; PING2CHK=$?; ping -c3 "$DOMAIN"; PING3CHK=$?; ping -c3 "$HOSTNAME.$DOMAIN"; PING4CHK=$?; if [ $PING1CHK -ne 0 ] || [ $PING2CHK -ne 0 ] || [ $PING3CHK -ne 0 ] || [ $PING4CHK -ne 0 ]; then echo "ERROR: Could not ping host(s) and/or dns server. Exiting." exit 2 fi echo "ping-check-local-domain" >> ${PROGRESS_FILE}; fi # Install NTP client functionality required for additional Active Directory instance if ! grep -q 'install-ntp' ${PROGRESS_FILE}; then echo -e "${Cya}9) Install NTP client functionality on server${RCol}" sudo apt-get install -y ntpdate echo "install-ntp" >> ${PROGRESS_FILE} fi # Force server time to synchronise with existing AD NTP server instance if ! grep -q 'check-ntp-sync' ${PROGRESS_FILE}; then echo -e "${Cya}10) Force server NTP client to sychronise time with existing AD instance $PRIMARY_AD_HOSTNAME.$DOMAIN ${RCol}" NTPSYNCCHK=$(ntpdate -qu $PRIMARY_AD_HOSTNAME) if echo "$NTPSYNCCHK" | grep -q 'no server suitable for synchronization found'; then echo "ERROR: Could not synchronise to NTP servers. Exiting..." exit 4 fi echo "check-ntp-sync" >> ${PROGRESS_FILE} fi # Install Samba4 software if ! grep -q 'install-samba' ${PROGRESS_FILE}; then echo -e "${Cya}11) Installing Samba${RCol}" echo "When prompted during installation please enter the following options at the installer prompt:"; echo -n "Default Kerberos realm: "; echo "$DOMAIN"|awk '{print toupper($0)}'; sudo apt-get install -y samba krb5-user krb5-config winbind libpam-winbind libnss-winbind echo "install-samba" >> ${PROGRESS_FILE} fi # Verify Samba installation by retrieving a Kerberos ticket if ! grep -q 'kerberos-ticket-request-check' ${PROGRESS_FILE}; then echo -e "${Cya}12) Request Kerberos new ticket to check Kerberos${RCol}" echo "We will test Kerberos by requesting a new ticket for user administator."; echo "Please enter password for administrator@$WIN_DOMAIN when requested here"; KRB_ADMIN="administrator@`echo "$DOMAIN"|awk '{print toupper($0)}'`" kinit $KRB_ADMIN klist echo "kerberos-ticket-request-check" >> ${PROGRESS_FILE} fi # Stop Samba4 services prior to provisioning if ! grep -q 'stop-samba-services' ${PROGRESS_FILE}; then echo -e "${Cya}13) Temporarily disable Samba prior to provisioning${RCol}" sudo systemctl stop samba-ad-dc smbd nmbd winbind; sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial echo "stop-samba-services" >> ${PROGRESS_FILE} fi # Join new DC to pre-existing Samba 4 AD Domain: if ! grep -q 'join-domain' ${PROGRESS_FILE}; then echo -e "${Cya}14) Join new AD DC to existing Samba Domain${RCol}" sudo samba-tool domain join $DOMAIN DC -U"$WIN_DOMAIN_UPPER\administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes' --option="dns forwarder = $EXTERNAL_DNS2 $EXTERNAL_DNS3 $EXTERNAL_DNS4" echo "join-domain" >> ${PROGRESS_FILE} fi # Edit smb.conf and add some modified settings #if ! grep -q 'modify-smb-config' ${PROGRESS_FILE}; then # # echo -e "${Cya}15) Modify Samba Configuration${RCol}" # # FIXME For now just fudge this by hardcoding IP addresses # sudo sed -i '/^.global.$/a dns forwarder = 8.8.8.8\nidmap_ldb:use rfc2307 = yes\n\ntemplate shell = /bin/bash\nwinbind use default domain = true\nwinbind nss info = rfc2307\nwinbind enum users = yes\nwinbind enum groups = yes' /etc/samba/smb.conf # echo "modify-smb-config" >> ${PROGRESS_FILE} #fi # Restart Samba following configuration changes if ! grep -q 'restart-samba' ${PROGRESS_FILE}; then echo -e "${Cya}16) Restart Samba Instance${RCol}" sudo systemctl unmask samba-ad-dc sudo systemctl restart samba-ad-dc sleep 10s echo "restart-samba" >> ${PROGRESS_FILE} fi # Replicate Samba account details between both of our DCs if ! grep -q 'samba-replicate-accounts' ${PROGRESS_FILE}; then echo -e "${Cya}17) Replicate Samba Account Details between Primary and Secondary DCs${RCol}" sudo samba-tool drs showrepl echo "samba-replicate-accounts" >> ${PROGRESS_FILE} fi # Update Kerberos configuration if ! grep -q 'update-krb-config' ${PROGRESS_FILE}; then echo -e "${Cya}18) Update Kerberos configuration${RCol}" sudo mv /etc/krb5.conf /etc/krb5.conf.initial sudo ln -s /var/lib/samba/private/krb5.conf /etc/ sudo cat /etc/krb5.conf echo "update-krb-config" >> ${PROGRESS_FILE} fi # Verify Samba installation by retrieving a Kerberos ticket if ! grep -q 'kerberos-ticket-request-check' ${PROGRESS_FILE}; then echo -e "${Cya}19) Request Kerberos new ticket to check Kerberos${RCol}" echo "We will test Kerberos by requesting a new ticket for user administator."; echo "Please enter password for administrator@$WIN_DOMAIN when requested here"; KRB_ADMIN="administrator@`echo "$DOMAIN"|awk '{print toupper($0)}'`" kinit $KRB_ADMIN klist echo "kerberos-ticket-request-check" >> ${PROGRESS_FILE} fi # Do DNS test to verify everything if ! grep -q 'dns-check-local-domain' ${PROGRESS_FILE}; then echo -e "${Cya}20) DNS lookup check AD domain and AD server.${RCol}" echo -e "${Red} Note that TWO separate IP addresses should be listed here.${RCol}" host -t A "$DOMAIN" DNS1CHK=$?; host -t SRV "_kerberos._udp.$DOMAIN"; DNS2CHK=$?; host -t SRV "_ldap._tcp.$DOMAIN"; DNS3CHK=$?; if [ $DNS1CHK -ne 0 ] || [ $DNS2CHK -ne 0 ] || [ $DNS3CHK -ne 0 ]; then echo "ERROR: Could not perform required DNS lookups! Exiting." exit 3 fi echo "dns-check-local-domain" >> ${PROGRESS_FILE}; fi # Finally startup dameons if ! grep -q 'configure-samba-daemons' ${PROGRESS_FILE}; then echo -e "${Cya}21) DNS lookup check AD domain and AD server.${RCol}" sudo systemctl disable smbd nmbd winbind sudo systemctl enable samba-ad-dc echo "configure-samba-daemons" >> ${PROGRESS_FILE}; fi # Enable SSH service for remote access to AD server for configuration etc. if ! grep -q 'enable-ssh' ${PROGRESS_FILE}; then echo -e "${Cya}22) Enable SSH for remote AD server administration${RCol}" sudo systemctl enable ssh sudo systemctl start ssh echo "enable-ssh" >> ${PROGRESS_FILE} fi # Update shell prompt to reflect change in local hostname if ! grep -q 'update-shell-prompt' ${PROGRESS_FILE}; then echo -e "${Cya}23) Restart shell to reflect changed hostname${RCol}" echo "update-shell-prompt" >> ${PROGRESS_FILE} sudo reboot fi
Rowland Penny
2019-Mar-22 16:07 UTC
[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
On Fri, 22 Mar 2019 15:03:51 +0000 Stephen via samba <samba at lists.samba.org> wrote:> Hello I wonder if anyone here could possibly help me? I am using > Samba version 4.5.16-Debian (version information taken from sudo > smbstatus) on Raspbian and attempting to prototype some future > network infrastructure with a couple of Raspberry Pis. > > So far I have sucessfully created a Samba 4 AD DC > ad1.samdom.example.com. I have successfully joined my Windows 10 > dekstop client to the SAMDOM domain provided by ad1 and it > authenticated OK, and appears to synchronise the network time > correctly. So far so good! Ideally I would now like to add to this > basic setup by creating an additional DC, ad2, with ip > ad2.samdom.example.com, and join this to the existing SAMDOM domain > provided by ad1 to provide some extra redundancy and failover. > > This is where my problems begin unfortunately. > > I have used two separate shell-scripts to commission my two servers > ad1.sh and ad2.sh (please find both scripts attached for scrutiny) > > * These two scripts are based heavily upon the tutorial series found > at TechMint here: > https://www.tecmint.com/install-samba4-active-directory-ubuntu/ > * The script to build ad1 is the main DC and is based upon section 1 > and 2 of the tutorial, and as far as I can tell appears to work > correctly. As discussed I can connect to the server that results > from a Windows 10 client. > * The script to build the second DC used for failover is based upon > part 5 of the linked tutorial series, and this is where I am > having problems. > * Both ad1 and ad2 are assigned static ips, ad1 = 192.168.1.229 and > ad2=192.168.1.228. > > I am encountering baffling issues with LDAP when I run my script > ad2.sh. What I don't understand here is that I am apparently able to > join domain SAMDOM without issue, ie in the ad2 script when I do > > pi at ad2 $ sudo samba-tool domain join samdom DC > -U"SAMDOM\administrator" --dns-backend=SAMBA_INTERNAL > --option='idmap_ldb:use rfc2307 = yes' --option="dns forwarder > $EXTERNAL_DNS2 $EXTERNAL_DNS3 $EXTERNAL_DNS4" > > This appears to work just fine, and I obtain the following seemingly > plausible output from this command: > > Finding a writeable DC for domain 'samdom.example.com' > Found DC ad1.samdom.example.com > Password for [=SAMDOM\administrator]: > workgroup is SAMDOM > realm is samdom.example.com > Adding CN=AD2,OU=Domain Controllers,DC=samdom,DC=example,DC=com > Adding > CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com > Adding CN=NTDS > Settings,CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com > Adding SPNs to CN=AD2,OU=Domain > Controllers,DC=samdom,DC=example,DC=com Setting account password for > AD2$ Enabling account > Calling bare provision > Looking up IPv4 addresses > Looking up IPv6 addresses > No IPv6 address will be assigned > Setting up share.ldb > Setting up secrets.ldb > Setting up the registry > Setting up the privileges database > Setting up idmap db > Setting up SAM db > Setting up sam.ldb partitions and settings > Setting up sam.ldb rootDSE > Pre-loading the Samba 4 and AD schema > A Kerberos configuration suitable for Samba 4 has been generated at > /var/lib/samba/private/krb5.conf > Provision OK for domain DN DC=samdom,DC=example,DC=com > Starting replication > Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] > objects[402/1550] linked_values[0/0] > Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] > objects[804/1550] linked_values[0/0] > Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] > objects[1206/1550] linked_values[0/0] > Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] > objects[1550/1550] linked_values[0/0] > Analyze and apply schema objects > Partition[CN=Configuration,DC=samdom,DC=example,DC=com] > objects[402/1614] linked_values[0/0] > Partition[CN=Configuration,DC=samdom,DC=example,DC=com] > objects[804/1614] linked_values[0/0] > Partition[CN=Configuration,DC=samdom,DC=example,DC=com] > objects[1206/1614] linked_values[0/0] > Partition[CN=Configuration,DC=samdom,DC=example,DC=com] > objects[1608/1614] linked_values[0/0] > Partition[CN=Configuration,DC=samdom,DC=example,DC=com] > objects[1614/1614] linked_values[30/0] > Replicating critical objects from the base DN of the domain > Partition[DC=samdom,DC=example,DC=com] objects[97/97] > linked_values[23/0] Partition[DC=samdom,DC=example,DC=com] > objects[360/263] linked_values[23/0] Done with always replicated NC > (base, config, schema) Replicating > DC=DomainDnsZones,DC=samdom,DC=example,DC=com > Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] > objects[40/40] linked_values[0/0] Replicating > DC=ForestDnsZones,DC=samdom,DC=example,DC=com > Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] > objects[18/18] linked_values[0/0] Committing SAM database > Sending DsReplicaUpdateRefs for all the replicated partitions > Setting isSynchronized and dsServiceName > Setting up secrets database > Joined domain SAMDOM (SID S-1-5-21-1810456019-651403982-3541939936) > as a DC > > Unfortunately it is after this I then have major problems after that > with LDAP when I try and perform the actual replication. When I > attempt: > > pi at ad2 ~ $ sudo systemctl unmask samba-ad-dc > > pi at ad2 ~ $ sudo systemctl restart samba-ad-dc > > pi at ad2 ~ $ sudo samba-tool drs showrepl > > I get the following error messages: > > 17) Replicate Samba Account Details between Primary and Secondary DCs > Failed to connect to ldap URL 'ldap://ad2.samdom.example.com' - LDAP > client internal error: NT_STATUS_CONNECTION_REFUSED > Failed to connect to 'ldap://ad2.samdom.example.com' with backend > 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED > ERROR(ldb): LDAP connection to ad2.samdom.example.com failed - LDAP > client internal error: NT_STATUS_CONNECTION_REFUSED > > Initially I thought this was something simple such as an error in > name or host resolution due to network misconfiguration. But I have > double checked my /etc/hosts file content and my resolv.conf on ad2 > and I believe these to be correct, please find these below for ad2 > along with my smb.conf file: > > pi at ad2:~ $ cat /etc/hosts > 127.0.0.1 localhost > ::1 localhost ip6-localhost ip6-loopback > ff02::1 ip6-allnodes > ff02::2 ip6-allrouters > > 192.168.1.229 ad1.samdom.example.com ad1 > 192.168.1.228 ad2.samdom.example.com ad2 > > pi at ad2:~ $ cat /etc/hostname > ad2 > > pi at ad2:~ $ cat /etc/resolv.conf > # Generated by resolvconf > search samdom.example.com > nameserver 192.168.1.229 > nameserver 192.168.1.228 > nameserver 88.215.63.255 > nameserver 88.215.61.255 > nameserver 8.8.8.8 > > pi at ad2:~ $ ifconfig > eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 > inet 192.168.1.228 netmask 255.255.255.0 broadcast > 192.168.1.255 inet6 fe80::1cb0:8751:ad6b:6df0 prefixlen 64 scopeid > 0x20<link> ether b8:27:eb:9c:98:34 txqueuelen 1000 (Ethernet) > RX packets 703 bytes 136445 (133.2 KiB) > RX errors 0 dropped 0 overruns 0 frame 0 > TX packets 308 bytes 49680 (48.5 KiB) > TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 > > pi at ad2:~ $ cat /etc/samba/smb.conf > # Global parameters > [global] > netbios name = AD2 > realm = SAMDOM.EXAMPLE.COM > workgroup = SAMDOM > dns forwarder = 88.215.63.255 88.215.61.255 8.8.8.8 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > > [netlogon] > path = /var/lib/samba/sysvol/samdom.example.com/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > > pi at ad2:~ $ ping ad1.samdom.example.com > > PING ad1.samdom.example.com (192.168.1.229) 56(84) bytes of data. > 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=1 > ttl=64 time=0.604 ms > 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=2 > ttl=64 time=0.460 ms > 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=3 > ttl=64 time=0.353 ms > 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=4 > ttl=64 time=0.361 ms > > pi at ad2:~ $ host -tA ad1.samdom.example.com > ad1.samdom.example.com has address 192.168.1.229 > > > Likewise for ad1: > > pi at ad1:~ $ cat /etc/hosts > 127.0.0.1 localhost > ::1 localhost ip6-localhost ip6-loopback > ff02::1 ip6-allnodes > ff02::2 ip6-allrouters > > 192.168.1.229 ad1.samdom.example.com ad1 > 192.168.1.228 ad2.samdom.example.com ad2 > > pi at ad1:~ $ cat /etc/hostname > ad1 > > pi at ad1:~ $ cat /etc/resolv.conf > # Generated by resolvconf > search samdom.example.com > nameserver 192.168.1.229 > nameserver 192.168.1.228 > nameserver 88.215.63.255 > nameserver 88.215.61.255 > nameserver 8.8.8.8 > > pi at ad1:~ $ ifconfig > > eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 > inet 192.168.1.229 netmask 255.255.255.0 broadcast > 192.168.1.255 inet6 fe80::446b:2bdc:7765:11e2 prefixlen 64 scopeid > 0x20<link> ether b8:27:eb:2f:93:7d txqueuelen 1000 (Ethernet) > RX packets 5724 bytes 572625 (559.2 KiB) > RX errors 0 dropped 0 overruns 0 frame 0 > TX packets 7476 bytes 9492118 (9.0 MiB) > TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 > > > pi at ad1:~ $ cat /etc/samba/smb.conf > # Global parameters > [global] > netbios name = AD1 > realm = SAMDOM.EXAMPLE.COM > workgroup = SAMDOM > dns forwarder = 8.8.8.8 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > > [netlogon] > path = /var/lib/samba/sysvol/samdom.example.com/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > pi at ad1:~ $ ping ad2.samdom.example.com > PING ad2.samdom.example.com (192.168.1.228) 56(84) bytes of data. > 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=1 > ttl=64 time=0.497 ms > 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=2 > ttl=64 time=0.469 ms > 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=3 > ttl=64 time=0.353 ms > 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=4 > ttl=64 time=0.327 ms > > Interestingly I note that when I do a host lookup on ad1 I get: > > pi at ad1:~ $ host -tA ad2.samdom.example.com > Host ad2.samdom.example.com not found: 3(NXDOMAIN) > > There are some official samba articles that suggest that for Samba > <4.6 you need to manually setup DNS entries manually on AD1 prior to > configuring AD2 ie > https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record, > but this seems a bit of a hacky workaround. This advice appears to > contradict the TechMint tutorials and other advice I have seen > elsewhere on the net though so I am unsure how much weight to lend to > this. > > Can anyone advise what I am doing wrong here?not much, apart from adding 'acl' to /etc/fstab, this isn't required, it is one of ext4's defaults. There are things I would do differently (the main one would be 'apt-get purge dhcpcd5). I also don't really understand why you are running the provision interactively in a script. Have you tried restarting Samba on the second DC ? If this doesn't work, try adding this to its smb.conf: dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool restart Samba and see if this helps Rowland
Stephen
2019-Mar-22 16:44 UTC
[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
Thanks for taking a look Roland, and I appreciate your comments regarding your scripts. I am not a professional sysadmin so there likely is stuff there that the grizzled unix veterans on this list will find a little odd :) I just restarted samba on ad2 as per your suggestion and I got the following output: pi at ad2:~ $ sudo systemctl restart samba-ad-dc.service pi at ad2:~ $ sudo samba-tool drs showrepl Default-First-Site-Name\AD2 DSA Options: 0x00000001 DSA object GUID: e676dfc3-670d-46bb-b1f7-756bae990a30 DSA invocationId: b7fb9a73-a5c5-4672-9d0f-83e0323f9f3b ==== INBOUND NEIGHBORS === CN=Configuration,DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ Fri Mar 22 16:16:01 2019 GMT was successful 0 consecutive failure(s). Last success @ Fri Mar 22 16:16:01 2019 GMT DC=DomainDnsZones,DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ Fri Mar 22 16:16:00 2019 GMT was successful 0 consecutive failure(s). Last success @ Fri Mar 22 16:16:00 2019 GMT CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ Fri Mar 22 16:16:01 2019 GMT was successful 0 consecutive failure(s). Last success @ Fri Mar 22 16:16:01 2019 GMT DC=ForestDnsZones,DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ Fri Mar 22 16:16:00 2019 GMT was successful 0 consecutive failure(s). Last success @ Fri Mar 22 16:16:00 2019 GMT DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ Fri Mar 22 16:16:01 2019 GMT was successful 0 consecutive failure(s). Last success @ Fri Mar 22 16:16:01 2019 GMT ==== OUTBOUND NEIGHBORS === ==== KCC CONNECTION OBJECTS === Connection -- Connection name: c2f83b11-0d06-41d3-b6c1-438ae935852c Enabled : TRUE Server DNS name : ad1.samdom.example.com Server DN name : CN=NTDS Settings,CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com TransportType: RPC options: 0x00000001 Warning: No NC replicated for Connection! The LDAP error doesn't appear to reoccur after restart, but should the outbound neighbours section be empty here in this output? That seems odd. To further verify correctness and overall sanity I tried to create some user accounts, both on ad1 and ad2. I would expect these accounts to automatically replicate across all DCs if everything is working properly. First on ad1: pi at ad1:~ $ sudo samba-tool user add test_user Note: samba-tool user add is deprecated. Please use samba-tool user create for the same function. New Password: Retype Password: User 'test_user' created successfully Verifying this on ad2: pi at ad2:~ $ sudo samba-tool user list Administrator test_user krbtgt Guest [WORKS OK] Likewise on ad2: pi at ad2:~ $ sudo samba-tool user add test_user2 Note: samba-tool user add is deprecated. Please use samba-tool user create for the same function. New Password: Retype Password: User 'test_user2' created successfully Verifying on ad1: pi at ad1:~ $ sudo samba-tool user list Administrator test_user krbtgt Guest [FAILURE, test_user2 doesnt replicate as expected] So something is clearly wrong here! * I can create users on ad1 and these transfer to ad2 without issue * However the converse is not true, users created on ad2 do not seem to transfer to ad1. I did try a sudo systemctl restart samba-ad-dc after each user creation, but that didn't seem to make a difference. Thanks Stephen
Rowland Penny
2019-Mar-22 17:06 UTC
[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
On Fri, 22 Mar 2019 16:37:23 +0000 Stephen <stephen at ogdenradar.com> wrote:> Thanks for taking a look Roland, and I appreciate your comments > regarding your scripts. I am not a professional sysadmin so there > likely is stuff there that the grizzled unix veterans on this list > will find a little odd :) > > I just restarted samba on ad2 as per your suggestion and I got the > following output: > > pi at ad2:~ $ sudo systemctl restart samba-ad-dc.service > pi at ad2:~ $ sudo samba-tool drs showrepl > Default-First-Site-Name\AD2 > DSA Options: 0x00000001 > DSA object GUID: e676dfc3-670d-46bb-b1f7-756bae990a30 > DSA invocationId: b7fb9a73-a5c5-4672-9d0f-83e0323f9f3b > > ==== INBOUND NEIGHBORS ===> > CN=Configuration,DC=samdom,DC=example,DC=com > Default-First-Site-Name\AD1 via RPC > DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a > Last attempt @ Fri Mar 22 16:16:01 2019 GMT was > successful 0 consecutive failure(s). > Last success @ Fri Mar 22 16:16:01 2019 GMT > > DC=DomainDnsZones,DC=samdom,DC=example,DC=com > Default-First-Site-Name\AD1 via RPC > DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a > Last attempt @ Fri Mar 22 16:16:00 2019 GMT was > successful 0 consecutive failure(s). > Last success @ Fri Mar 22 16:16:00 2019 GMT > > CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com > Default-First-Site-Name\AD1 via RPC > DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a > Last attempt @ Fri Mar 22 16:16:01 2019 GMT was > successful 0 consecutive failure(s). > Last success @ Fri Mar 22 16:16:01 2019 GMT > > DC=ForestDnsZones,DC=samdom,DC=example,DC=com > Default-First-Site-Name\AD1 via RPC > DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a > Last attempt @ Fri Mar 22 16:16:00 2019 GMT was > successful 0 consecutive failure(s). > Last success @ Fri Mar 22 16:16:00 2019 GMT > > DC=samdom,DC=example,DC=com > Default-First-Site-Name\AD1 via RPC > DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a > Last attempt @ Fri Mar 22 16:16:01 2019 GMT was > successful 0 consecutive failure(s). > Last success @ Fri Mar 22 16:16:01 2019 GMT > > ==== OUTBOUND NEIGHBORS ===> > ==== KCC CONNECTION OBJECTS ===> > Connection -- > Connection name: c2f83b11-0d06-41d3-b6c1-438ae935852c > Enabled : TRUE > Server DNS name : ad1.samdom.example.com > Server DN name : CN=NTDS > Settings,CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com > TransportType: RPC > options: 0x00000001 > Warning: No NC replicated for Connection! >Try reading this: https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record The problem is that things have changed greatly in Samba AD since 4.5.x was released, the latest Samba version is 4.10.0 Rowland
Stephen
2019-Mar-22 17:39 UTC
[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
Rowland - good news - the instructions in that document you suggested appear to have made all the difference! Now I find that if I do: pi at ad2:~ $ sudo systemctl restart samba-ad-dc pi at ad2:~ $ sudo samba-tool drs showrepl Default-First-Site-Name\AD2 DSA Options: 0x00000001 DSA object GUID: e676dfc3-670d-46bb-b1f7-756bae990a30 DSA invocationId: b7fb9a73-a5c5-4672-9d0f-83e0323f9f3b ==== INBOUND NEIGHBORS === CN=Configuration,DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ Fri Mar 22 17:11:56 2019 GMT was successful 0 consecutive failure(s). Last success @ Fri Mar 22 17:11:56 2019 GMT DC=DomainDnsZones,DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ Fri Mar 22 17:11:55 2019 GMT was successful 0 consecutive failure(s). Last success @ Fri Mar 22 17:11:55 2019 GMT CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ Fri Mar 22 17:11:57 2019 GMT was successful 0 consecutive failure(s). Last success @ Fri Mar 22 17:11:57 2019 GMT DC=ForestDnsZones,DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ Fri Mar 22 17:11:56 2019 GMT was successful 0 consecutive failure(s). Last success @ Fri Mar 22 17:11:56 2019 GMT DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ Fri Mar 22 17:11:57 2019 GMT was successful 0 consecutive failure(s). Last success @ Fri Mar 22 17:11:57 2019 GMT ==== OUTBOUND NEIGHBORS === CN=Configuration,DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ NTTIME(0) was successful 0 consecutive failure(s). Last success @ NTTIME(0) DC=DomainDnsZones,DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ Fri Mar 22 17:11:46 2019 GMT was successful 0 consecutive failure(s). Last success @ Fri Mar 22 17:11:46 2019 GMT CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ NTTIME(0) was successful 0 consecutive failure(s). Last success @ NTTIME(0) DC=ForestDnsZones,DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ NTTIME(0) was successful 0 consecutive failure(s). Last success @ NTTIME(0) DC=samdom,DC=example,DC=com Default-First-Site-Name\AD1 via RPC DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a Last attempt @ NTTIME(0) was successful 0 consecutive failure(s). Last success @ NTTIME(0) ==== KCC CONNECTION OBJECTS === Connection -- Connection name: c2f83b11-0d06-41d3-b6c1-438ae935852c Enabled : TRUE Server DNS name : ad1.samdom.example.com Server DN name : CN=NTDS Settings,CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com TransportType: RPC options: 0x00000001 Warning: No NC replicated for Connection! Notice now crucially that the *outbound section here in this output is now fully completed whereas it was empty previously*. My manual testing suggests that newly created accounts replicate from ad2 to ad1 following this change successfully. It looks like later versions of Samba setup these additional CNAME DNS records behind the scenes whereas 4.5 on my Pi seems to requires these additional incantations and goat sacrifice to make things work successfully. C`est la vie. Happily, the change you have suggested there also appears to have also cascaded to the AD SRV records on both DCs which was the other question I was going to ask. pi at ad1:~ $ host -t SRV _kerberos._udp.samdom.example.com _kerberos._udp.samdom.example.com has SRV record 0 100 88 ad1.samdom.example.com. _kerberos._udp.samdom.example.com has SRV record 0 100 88 ad2.samdom.example.com. pi at ad1:~ $ host -t SRV _ldap._tcp.samdom.example.com _ldap._tcp.samdom.example.com has SRV record 0 100 389 ad1.samdom.example.com. _ldap._tcp.samdom.example.com has SRV record 0 100 389 ad2.samdom.example.com. Thanks once again for your help its very much appreciated! Kind Regards Stephen Ellwood
Reasonably Related Threads
- Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
- Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
- Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
- Questions about time synchronisation in a multi-DC Samba environment
- Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs