Join an Additional Ubuntu DC to Samba4 AD DC for FailOver Replication - Part 5


This tutorial will show you how to add a second Samba4 domain controller, provisioned on an Ubuntu 16.04 server, to the existing Samba AD DC forest in order to provide a degree of load balancing/failover for some crucial AD DC services, especially for services such as DNS and the AD DC LDAP schema with the SAM database.

This article is Part 5 of the Samba4 AD DC series, as follows:

  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu - Part 1

Step 1: Initial Configuration for Samba4 Setup

1. Before starting to provision the second DC, you need to take care of a few initial settings. First, make sure the hostname of the system that will be integrated into the Samba4 AD DC contains a descriptive name.

Assuming the hostname of the first provisioned domain controller is called adc1, you can name the second DC adc2 in order to keep a consistent naming scheme across your domain controllers.

To change the system hostname you can issue the command below.

# hostnamectl set-hostname adc2

or alternatively edit the /etc/hostname file manually and add a new line with the desired name.

# nano /etc/hostname

Here add the server name.

adc2

2. Next, open the local system resolution file and add an entry with the IP address mapped to the short name and FQDN of the main domain controller, as illustrated in the screenshot below.

For this guide, the main DC name is adc1.tecmint.lan and it resolves to the IP address 192.168.1.254.

# nano /etc/hosts

Add the following line:

IP_of_main_DC		FQDN_of_main_DC 	short_name_of_main_DC

3. In the next step, open /etc/network/interfaces and assign a static IP address to your system as illustrated in the screenshot below.

Pay attention to the dns-nameservers and dns-search variables. These values should be configured to point to the IP address of the primary Samba4 AD DC and to the realm, so that DNS resolution works correctly.

Restart the network daemon in order to apply the changes. Check the /etc/resolv.conf file to make sure that both DNS values from your network interface have been written to this file.

# nano /etc/network/interfaces

Edit and replace with your own IP settings:

auto ens33
iface ens33 inet static
        address 192.168.1.253
        netmask 255.255.255.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        dns-nameservers 192.168.1.254
        dns-search tecmint.lan

Restart the networking service and confirm the changes.

# systemctl restart networking.service
# cat /etc/resolv.conf

The dns-search value will automatically append the domain name when you query a host by its short name (it forms the FQDN).

4. In order to test whether DNS resolution is working as expected, issue a series of ping commands against your domain short name, FQDN and realm, as shown in the screenshot below.

In all of these cases the Samba4 AD DC DNS server should reply with the IP address of your main DC.

5. The last additional step you need to take care of is time synchronization with your main Domain Controller. This can be achieved by installing the NTP client utility on your machine by issuing the command below:

# apt-get install ntpdate

6. Assuming you want to manually force time synchronization with the Samba4 AD DC, run the ntpdate command against the main DC by issuing the following command.

# ntpdate adc1

Step 2: Install Samba4 with Required Dependencies

7. In order to enroll the Ubuntu 16.04 system into your domain, first install Samba4, the Kerberos client and a few other important packages for later use from the official Ubuntu repositories by issuing the command below:
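Steps 1 through 6 can be verified in one pass before the packages are installed. The POSIX shell script below is an added example and not part of the original article: it checks that /etc/hosts carries the primary DC entry from step 2, that the first nameserver in /etc/resolv.conf is the primary DC and the realm is in its search list (the dns-nameservers and dns-search values from step 3), and that the clock offset reported by `ntpdate -q` is inside the 300-second skew Kerberos tolerates by default, since a larger skew makes the later domain join fail. The IP, FQDN and realm at the top are the values used in this guide and are placeholders to adjust; the parsing of `ntpdate -q` assumes its usual "server IP, stratum N, offset S, delay D" line.

```shell
#!/bin/sh
# Pre-join sanity checks for the second Samba4 DC (added example, not from the
# original article). The three values below are placeholders matching this
# guide; adjust them for your environment.
PRIMARY_DC_IP="192.168.1.254"
PRIMARY_DC_FQDN="adc1.tecmint.lan"
REALM="tecmint.lan"

# Return 0 if the given hosts file maps PRIMARY_DC_IP to PRIMARY_DC_FQDN
# (the entry from step 2). Comment lines are ignored.
check_hosts_entry() {
    grep -v '^[[:space:]]*#' "$1" | awk -v ip="$PRIMARY_DC_IP" -v fqdn="$PRIMARY_DC_FQDN" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Return 0 if the first nameserver in the given resolv.conf is the primary DC
# and the realm appears in its search/domain list (dns-nameservers and
# dns-search from step 3). A foreign resolver listed first breaks AD lookups.
check_resolv() {
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first_ns" = "$PRIMARY_DC_IP" ] || return 1
    awk -v realm="$REALM" '
        $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if ($i == realm) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Kerberos tolerates a clock skew of 300 seconds by default; beyond that the
# join fails with a clock-skew error. Takes the offset in seconds (may be
# negative or fractional) and returns 0 when it is within tolerance.
check_clock_skew() {
    awk -v o="$1" 'BEGIN { if (o < 0) o = -o; exit ((o <= 300) ? 0 : 1) }'
}

# Live run on the host being prepared. The offset is taken from ntpdate -q,
# whose per-server line reads "server IP, stratum N, offset S, delay D".
run_checks() {
    check_hosts_entry /etc/hosts \
        || { echo "hosts: no $PRIMARY_DC_IP -> $PRIMARY_DC_FQDN entry"; return 1; }
    check_resolv /etc/resolv.conf \
        || { echo "resolv.conf: $PRIMARY_DC_IP must be the first nameserver and $REALM in search"; return 1; }
    offset=$(ntpdate -q "$PRIMARY_DC_FQDN" | awk '
        $1 == "server" { for (i = 1; i < NF; i++) if ($i == "offset") { v = $(i + 1); sub(/,$/, "", v); print v; exit } }')
    [ -n "$offset" ] || { echo "ntp: no answer from $PRIMARY_DC_FQDN"; return 1; }
    check_clock_skew "$offset" \
        || { echo "ntp: offset ${offset}s exceeds 300s, run: ntpdate $PRIMARY_DC_FQDN"; return 1; }
    echo "OK: hosts, resolver and clock are ready for the domain join"
}

# Only touch the live system when explicitly asked, so the functions can be
# sourced and tested against sample files.
if [ "${1:-}" = "--live" ]; then
    run_checks
fi
```

Save it as, for instance, prejoin_check.sh and run `sh prejoin_check.sh --live` on adc2; a non-zero exit names the setting that still needs fixing before moving on to Step 2.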

# apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind

8. During the installation you will be asked for the name of the Kerberos realm. Type your domain name in upper case and press the [Enter] key to finish the installation process.

9. After the package installation finishes, verify the settings by requesting a Kerberos ticket for a domain administrator using the kinit command. Use the klist command to list the granted Kerberos ticket.

# kinit your_domain_admin@YOUR_DOMAIN.TLD
# klist

Step 3: Join to Samba4 AD DC as a Domain Controller

10. Before integrating your machine into the Samba4 DC, first make sure all Samba4 daemons running on your machine are stopped and, also, rename the default Samba configuration file in order to start clean. While provisioning the domain controller, samba will create a new configuration file from scratch.

# systemctl stop samba-ad-dc smbd nmbd winbind
# mv /etc/samba/smb.conf /etc/samba/smb.conf.initial

11. To start the domain joining process, first start only the samba-ad-dc daemon, after which you will run the samba-tool command to join the realm using an account with administrative privileges over your domain.

# samba-tool domain join your_domain DC -U "your_domain_admin"

Domain join sample:

# samba-tool domain join tecmint.lan DC -U"tecmint_user"
Finding a writeable DC for domain 'tecmint.lan'
Found DC adc1.tecmint.lan
Password for [WORKGROUP\tecmint_user]:
workgroup is TECMINT
realm is tecmint.lan
checking sAMAccountName
Deleted CN=ADC2,CN=Computers,DC=tecmint,DC=lan
Adding CN=ADC2,OU=Domain Controllers,DC=tecmint,DC=lan
Adding CN=ADC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tecmint,DC=lan
Adding CN=NTDS Settings,CN=ADC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tecmint,DC=lan
Adding SPNs to CN=ADC2,OU=Domain Controllers,DC=tecmint,DC=lan
Setting account password for ADC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=tecmint,DC=lan
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[1614/1614] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=tecmint,DC=lan] objects[97/97] linked_values[24/0]
Partition[DC=tecmint,DC=lan] objects[380/283] linked_values[27/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=tecmint,DC=lan
Partition[DC=DomainDnsZones,DC=tecmint,DC=lan] objects[45/45] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=tecmint,DC=lan
Partition[DC=ForestDnsZones,DC=tecmint,DC=lan] objects[18/18] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain TECMINT (SID S-1-5-21-715537322-3397311598-55032968) as a DC

12. After the Ubuntu machine with the samba4 software has been integrated into the domain, open the samba main configuration file and add the following lines:

# nano /etc/samba/smb.conf

Add the following excerpt to the smb.conf file.

dns forwarder = 192.168.1.1
idmap_ldb:use rfc2307 = yes

template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes

Replace the dns forwarder IP address with the IP of your own DNS forwarder. Samba will forward every DNS query that is outside your domain's authoritative zone to this IP address.

13. Finally, restart the samba daemon to apply the changes and check Active Directory replication by running the following commands.

# systemctl restart samba-ad-dc
# samba-tool drs showrepl

14. Additionally, rename the original Kerberos configuration file from /etc and replace it with the new krb5.conf configuration file generated by samba while provisioning the domain.

The file is located in the /var/lib/samba/private directory. Use a Linux symlink to link this file into the /etc directory.

# mv /etc/krb5.conf /etc/krb5.conf.initial
# ln -s /var/lib/samba/private/krb5.conf /etc/
# cat /etc/krb5.conf

15. Furthermore, verify Kerberos authentication with the samba krb5.conf file. Request a ticket for an administrator user and list the cached ticket by issuing the commands below.

# kinit administrator
# klist

Step 4: Additional Domain Services Validations

16. The first test you need to perform is Samba4 DC DNS resolution. To validate your domain DNS resolution, query the domain name with the host command against a few crucial AD DNS records, as presented in the screenshot below.

The DNS server should now reply with a pair of two IP addresses for each query.

# host your_domain.tld
# host -t SRV _kerberos._udp.your_domain.tld  # UDP Kerberos SRV record
# host -t SRV _ldap._tcp.your_domain.tld  # TCP LDAP SRV record
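The replication check from step 13 and the DNS checks from step 16 can be combined into one health check that runs on either DC. The script below is an added example, not the article's own code: it parses `samba-tool drs showrepl` for neighbors whose last attempt failed or whose "N consecutive failure(s)." counter is non-zero (empty output counts as unhealthy too), and counts the distinct answers `host` returns for the domain A record and for the _kerberos._udp and _ldap._tcp SRV records, expecting at least one per domain controller. The realm and the expected DC count are parameters (tecmint.lan and 2 are this guide's values); the parsing relies on the output line formats named here and is exercised on constructed sample output.

```shell
#!/bin/sh
# Post-join health check for a two-DC Samba4 domain (added example, not the
# article's own code). Parses samba-tool drs showrepl and host(1) output.

# Read samba-tool drs showrepl on stdin. Return 0 only if at least one
# replication neighbor was listed and none reports a failed last attempt or a
# non-zero "N consecutive failure(s)." counter.
showrepl_healthy() {
    awk '
        /consecutive failure\(s\)/ { seen++; if ($1 + 0 > 0) bad++ }
        /Last attempt/ && /failed/  { bad++ }
        END { exit ((seen && !bad) ? 0 : 1) }'
}

# Read host(1) output on stdin and print the number of distinct answers on
# lines containing the phrase given as $1 ("has address" or "has SRV record").
# The answer is the last field; a trailing dot and letter case are normalized
# so "adc2.tecmint.lan." and "ADC2.tecmint.lan." count once.
count_answers() {
    awk -v needle="$1" '
        index($0, needle) { v = tolower($NF); sub(/\.$/, "", v); seen[v] = 1 }
        END { n = 0; for (v in seen) n++; print n }'
}

# Live check: $1 is the realm, $2 the number of DCs that should answer.
# Run as root on a DC after step 13 (samba-ad-dc restarted).
run_live_checks() {
    realm="$1"; want="$2"
    samba-tool drs showrepl | showrepl_healthy \
        || { echo "replication: showrepl reports failures or no neighbors"; return 1; }
    n=$(host "$realm" | count_answers "has address")
    [ "$n" -ge "$want" ] || { echo "A records for $realm: $n answer(s), want $want"; return 1; }
    for svc in _kerberos._udp _ldap._tcp; do
        n=$(host -t SRV "$svc.$realm" | count_answers "has SRV record")
        [ "$n" -ge "$want" ] || { echo "$svc.$realm SRV: $n target(s), want $want"; return 1; }
    done
    echo "OK: $want DCs answer DNS and replication is healthy"
}

# Only query the live domain when asked, so the parsers can be tested offline.
if [ "${1:-}" = "--live" ]; then
    run_live_checks "${2:-tecmint.lan}" "${3:-2}"
fi
```

Run it as `sh dc_health.sh --live tecmint.lan 2` (file name is arbitrary). A missing SRV target usually means the second DC's records were never registered or the forwarder is answering instead of the AD zone; a failing neighbor in showrepl points at connectivity or Kerberos problems between the two DCs.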

17. These DNS records should also be visible from a domain-joined Windows machine with the RSAT tools installed. Open DNS Manager and expand your domain's tcp records as shown in the image below.

18. The next test should indicate whether domain LDAP replication works as expected. Using samba-tool, create an account on the second domain controller and check whether the account is automatically replicated to the first Samba4 AD DC.

# samba-tool user add test_user
# samba-tool user list | grep test_user

19. You can also create an account from a Microsoft AD UC console and check whether the account appears on both domain controllers.

By default, the account should be created automatically on both samba domain controllers. Query the account name from adc1 using the wbinfo command.

20. As a matter of fact, open the AD UC console from Windows, expand Domain Controllers and you should see both registered DC machines.

Step 5: Enable the Samba4 AD DC Service

21. In order to enable the samba4 AD DC services system-wide, first disable the old and unused Samba daemons and enable only the samba-ad-dc service by running the commands below:

# systemctl disable smbd nmbd winbind
# systemctl enable samba-ad-dc

22. If you manage the Samba4 domain controller remotely from a Microsoft client, or have other Linux or Windows clients joined to your domain, make sure you add the IP address of the adc2 machine to the DNS server IP settings of their network interfaces in order to gain a level of redundancy.

The screenshots below illustrate the configuration required for a Windows or Debian/Ubuntu client.

Should the first DC at 192.168.1.254 go offline, reverse the order of the DNS server IP addresses in the configuration file so that the client does not try the unavailable DNS server first.

Finally, if you want to perform local authentication on a Linux system with a Samba4 Active Directory account, or grant root privileges to AD LDAP accounts in Linux, read steps 2 and 3 of the Manage Samba4 AD Infrastructure from Linux Command Line tutorial.