контроллер_домена_samba_4 [2016/10/03 16:10] val [User management]
контроллер_домена_samba_4 [2023/10/19 07:00] val [DNS management]
Line 1: | Line 1: | ||
====== Контроллер домена SAMBA 4 ====== | ====== Контроллер домена SAMBA 4 ====== | ||
- | * [[http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO]] | + | * [[https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] |
+ | * [[https://medium.com/p/d284cd3f5db4|Доменный контроллер Samba4]] | ||
===== Установка Samba4 из пакетов ===== | ===== Установка Samba4 из пакетов ===== | ||
- | ==== FreeBSD ==== | ||
- | * Был перод, когда не работала !!! | ||
- | * [[https://bugzilla.samba.org/show_bug.cgi?id=11455]] | ||
- | * [[https://bugzilla.samba.org/show_bug.cgi?id=11497]] | ||
- | * [[POSIX ACL]] | + | ==== Debian/Ubuntu ==== |
- | + | ||
- | <code> | + | |
- | # pkg install samba41 | + | |
- | + | ||
- | # service samba_server rcvar | + | |
- | </code> | + | |
- | + | ||
- | ==== Ubuntu ==== | + | |
<code> | <code> | ||
# apt install samba winbind | # apt install samba winbind | ||
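Review bot: dropping the FreeBSD block also drops the `* [[POSIX ACL]]` link, which is not FreeBSD-specific: the sysvol share that the later `samba-tool ntacl sysvolcheck` step in this same revision verifies needs a filesystem with POSIX ACL and extended-attribute support, and that prerequisite now goes unmentioned for Debian/Ubuntu. Suggest keeping `* [[POSIX ACL]]` under the new `==== Debian/Ubuntu ====` heading, above the `# apt install samba winbind` block.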
Line 27: | Line 16: | ||
===== Инициализация домена ===== | ===== Инициализация домена ===== | ||
- | |||
- | * [[http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO]] | ||
<code> | <code> | ||
Line 42: | Line 29: | ||
Retype password: Pa$$w0rd | Retype password: Pa$$w0rd | ||
... | ... | ||
- | </code><code> | + | </code> |
+ | |||
+ | ===== Запуск сервиса ===== | ||
+ | |||
+ | * [[Настройка KDC серверов и клиентов#Настройка Kerberos клиента]] | ||
+ | |||
+ | <code> | ||
+ | server#### cp /var/lib/samba/private/krb5.conf /etc/krb5.conf | ||
server# testparm | server# testparm | ||
- | linux# init 6 | + | debian# systemctl disable smbd |
- | freebsd# service samba_server start | + | debian# systemctl unmask samba-ad-dc.service |
+ | |||
+ | debian# systemctl enable samba-ad-dc.service | ||
+ | |||
+ | server# cat /etc/samba/smb.conf | ||
+ | </code><code> | ||
+ | [global] | ||
+ | ldap server require strong auth = no | ||
+ | ... | ||
+ | </code><code> | ||
+ | server# init 6 | ||
server# cat /etc/resolv.conf | server# cat /etc/resolv.conf | ||
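Review bot: the `ldap server require strong auth = no` line added to `smb.conf` is the one security-relevant change in this section, and it lands without a word on why it is needed. With `no`, clients may do LDAP simple binds (password in the clear) over an unencrypted connection; Samba's default is `yes`, and the intermediate value `allow_sasl_over_tls` exists for clients that only need SASL without TLS channel binding. Suggest adding a one-line note naming the client that requires the relaxation, or using the narrower value, rather than leaving the global default weakened in the template. Two smaller items: `server#### cp` reads as a typo for `server# cp`, and only `smbd` is disabled here while `winbind` (installed by the `apt install samba winbind` line above) and `nmbd` also conflict with `samba-ad-dc.service` and should be disabled and masked alongside it.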
Line 62: | Line 67: | ||
<code> | <code> | ||
- | # samba-tool user add user2 | + | # samba-tool user create user1 'Pa$$w0rd1' --given-name Ivan --initials I --surname Ivanov --uid-number 10001 --gid-number 10001 --login-shell /bin/bash --unix-home /home/user1 |
+ | # samba-tool group add guser1 --nis-domain=CORP13 --gid-number=10001 | ||
+ | |||
+ | # samba-tool user create user2 --given-name Petr --initials P --surname Petrov | ||
+ | # samba-tool user setpassword user2 | ||
# samba-tool user list | # samba-tool user list | ||
+ | </code> | ||
+ | |||
+ | ==== Управление DNS ==== | ||
+ | |||
+ | * [[https://wiki.samba.org/index.php/DNS_Administration|wiki.samba DNS Administration]] | ||
+ | |||
+ | <code> | ||
+ | # kinit Administrator | ||
+ | |||
+ | # samba-tool dns add server corpX.un gate A 192.168.X.1 | ||
+ | |||
+ | # samba-tool dns delete server corpX.un gate A 192.168.X.1 | ||
+ | |||
+ | # samba-tool dns add server corpX.un _xmpp-client._tcp SRV 'gate.corpX.un 5222 0 0' | ||
+ | |||
+ | # samba-tool dns add server corpX.un @ MX "server.corpX.un 1" | ||
</code> | </code> | ||
==== Управление всем остальным ==== | ==== Управление всем остальным ==== | ||
- | * [[https://wiki.samba.org/index.php/Installing_RSAT_on_Windows_for_AD_Management|Installing RSAT on Windows for AD Management]] | + | * [[Материалы по Windows#Развертывание средств администрирования Active Directory]] |
+ | |||
+ | ===== Настройка контроллером существующего домена ===== | ||
+ | |||
+ | * [[https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory|Joining a Samba DC to an Existing Active Directory]] | ||
+ | * [[https://habr.com/ru/post/450572/|Samba DC в качестве второго контроллера в домене AD Windows 2012R2 и перемещаемые папки для клиентов на Windows и Linux]] | ||
+ | * [[https://wiki.astralinux.ru/pages/viewpage.action?pageId=27363212|Присоединение Samba к существующему домену AD]] | ||
+ | |||
+ | * [[https://www.rebeladmin.com/2016/01/step-by-step-guide-to-downgrade-domain-and-forest-functional-level/|Step by Step Guide to downgrade domain and forest functional level]] | ||
+ | |||
+ | <code> | ||
+ | PS C:\Users\Administrator> Get-ADForest | ||
+ | PS C:\Users\Administrator> Get-ADDomain | ||
+ | |||
+ | PS C:\Users\Administrator> Set-ADForestMode –Identity "corp13.un" -ForestMode Windows2008R2Forest | ||
+ | |||
+ | PS C:\Users\Administrator> Set-ADDomainMode –Identity "corp13.un" –DomainMode Windows2008R2Domain | ||
+ | </code> | ||
+ | |||
+ | * [[Настройка KDC серверов и клиентов#Настройка Kerberos клиента]] | ||
+ | |||
+ | <code> | ||
+ | server2.corp13.un:~# kinit administrator | ||
+ | |||
+ | server2.corp13.un:~# samba-tool domain join corp13.un DC -k yes --dns-backend=SAMBA_INTERNAL --option="dns forwarder=172.16.1.254" | ||
+ | </code> | ||
+ | |||
+ | * [[#Запуск сервиса]] | ||
+ | |||
+ | ==== Настройка репликации ==== | ||
+ | |||
+ | * [[https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47|[MS-DRSR]: Directory Replication Service (DRS) Remote Protocol]] | ||
+ | * [[https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)|SysVol replication (DFS-R)]] | ||
+ | * [[https://wiki.samba.org/index.php/Robocopy_based_SysVol_replication_workaround|Robocopy based SysVol replication workaround]] | ||
+ | |||
+ | <code> | ||
+ | server2.corp13.un:~# samba-tool drs showrepl | ||
+ | |||
+ | server2.corp13.un:~# samba-tool user list | ||
+ | |||
+ | server2.corp13.un:~# samba-tool user create user4 'Pa$$w0rd4' --given-name 'Василий' --initials 'М' --surname 'Кошкин' | ||
+ | В AD появится с задержкой до 10 минут | ||
+ | |||
+ | server2.corp13.un:~#### samba-tool ldapcmp ldap://server.corp13.un ldap://server2.corp13.un -Uadministrator | ||
+ | Допустимы ERROR, но должны быть и SUCCESS | ||
+ | |||
+ | server2.corp13.un:~# find /var/lib/samba/sysvol | ||
+ | PS C:\Users\Administrator> robocopy \\SERVER\SYSVOL\corp13.un\ \\SERVER2\SYSVOL\corp13.un\ /mir /sec | ||
+ | server2.corp13.un:~# find /var/lib/samba/sysvol | grep aas | ||
+ | |||
+ | server2.corp13.un:~#### samba-tool ntacl sysvolcheck | ||
+ | ошибки | ||
+ | </code> | ||
+ | |||
+ | ===== Замена MS AD на Samba4 ===== | ||
+ | |||
+ | * [[https://medium.com/@alexander.bazhenov/%D0%BC%D0%B8%D0%B3%D1%80%D0%B0%D1%86%D0%B8%D1%8F-%D0%B4%D0%BE%D0%BC%D0%B5%D0%BD%D0%BD%D0%BE%D0%B3%D0%BE-%D0%BA%D0%BE%D0%BD%D1%82%D1%80%D0%BE%D0%BB%D0%BB%D0%B5%D1%80%D0%B0-windows-2008r2-%D0%B2-samba4-4718c15c44c8|Миграция доменного контроллера Windows 2008R2 в Samba4]] | ||
+ | |||
+ | |||
+ | ==== Переносим FSMO на новый сервер ==== | ||
+ | |||
+ | * Flexible Single Master Operations | ||
+ | * [[https://habr.com/ru/post/133370/|Все что вы хотели знать о мастерах операций, но боялись спросить]] | ||
+ | |||
+ | <code> | ||
+ | server2.corp13.un:~# samba-tool fsmo show | ||
+ | </code> | ||
+ | <code> | ||
+ | PS C:\Users\Administrator> ntdsutil | ||
+ | </code><code> | ||
+ | roles | ||
+ | connections | ||
+ | connect to server server2 | ||
+ | q | ||
+ | transfer naming master | ||
+ | transfer infrastructure master | ||
+ | transfer rid master | ||
+ | transfer schema master | ||
+ | transfer pdc | ||
+ | q | ||
+ | q | ||
+ | </code><code> | ||
+ | server2.corp13.un:~# samba-tool fsmo seize --role=forestdns | ||
+ | |||
+ | server2.corp13.un:~# samba-tool fsmo seize --role=domaindns | ||
+ | |||
+ | server2.corp13.un:~# samba-tool fsmo show | ||
+ | </code> | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ==== Удаляем старый сервер ==== | ||
+ | |||
+ | * Останавливаем SERVER | ||
+ | <code> | ||
+ | server2# nslookup -q=SRV _kerberos._tcp.corp13.un | ||
+ | |||
+ | server2# samba-tool domain demote --remove-other-dead-server=SERVER | ||
+ | |||
+ | server2# nslookup -q=SRV _kerberos._tcp.corp13.un | ||
+ | </code> | ||
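Review bot: `samba-tool user create user1 'Pa$$w0rd1' ...` and `samba-tool user create user4 'Pa$$w0rd4' ...` pass the initial password as a command-line argument, so it ends up in the shell history and is visible in the process list while the command runs; the `user2` example in the same hunk already shows the better pattern (`user create` followed by `samba-tool user setpassword`, which prompts). Suggest using that form for `user1` and `user4` too, or at least marking the inline password as lab-only. Second point, in the FSMO section: the two DNS roles are taken with `samba-tool fsmo seize --role=forestdns` / `--role=domaindns` while `SERVER` is still online (it is only stopped in the following `==== Удаляем старый сервер ====` section); `seize` is the recovery path for a dead role holder, so a graceful `samba-tool fsmo transfer` with the same `--role=` values belongs first, with `seize` kept as the fallback. Minor: the `:~####` prompts on the `ldapcmp` and `ntacl sysvolcheck` lines read as typos for `:~#`.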