[Samba] Setup a new samba AD DC

Dario Lesca d.lesca at solinos.it
Tue Apr 25 13:09:55 UTC 2017


On Tue, 25/04/2017 at 13:26 +0100, Rowland Penny via samba wrote:
> On Tue, 25 Apr 2017 14:07:05 +0200
> Dario Lesca via samba <samba at lists.samba.org> wrote:
> 
> > I have set up a new Samba Active Directory DC on Fedora 25 with
> > samba-4.5.8-1.fc25.x86_64, rebuilt from src.rpm with the dc option enabled.
> > 
> > This system (fedora-addc) is only an AD-DC. In the next days I will
> > deploy another CentOS 7 samba member server with the standard samba-4.4.4
> > rpm (without dc enabled) and join it to the Fedora AD-DC to manage
> > user data.
> >  
> > After installing bind DNS and the newly rebuilt samba rpms, I have followed
> > this howto and set up the AD:  
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> > 
> > I have used this samba-tool command to deploy it:
> > 
> >     samba-tool domain provision --realm=solinos.loc --domain=solinos \
> >      --dns-backend=BIND9_DLZ --use-rfc2307 \
> >      --server-role=dc --function-level=2008_R2 \
> >      --use-xattr=yes
> > 
> > At this point, in this test environment, all works fine: I can manage
> > users, groups and DNS entries, I have joined some Windows clients to it
> > for testing, and the new samba users are recognized from Linux:
> > 
> >     [root@fedora-addc ~]# id ospite
> >     uid=3000017(SOLINOS\ospite) gid=100(users) gruppi=100(users),3000017(SOLINOS\ospite),3000009(BUILTIN\users)
> > 
> 
> This is ONLY on the Samba AD DC; when you come to set up a Unix domain
> member you will need to set it up so that the OS can recognise the AD
> users. All the info is in the wiki.
> 
> > Now my question is:
> > 
> > Are there other things I must do on the AD DC?
> 
> Only if you are going to use the DC as a fileserver as well.
>  
> > 
> > What parameters would be better to add to smb.conf?
> 
> Do not add anything until you have researched it properly, and only
> then if you are 100% sure you need it; you probably don't need to add
> anything.
> 
> > 
> > Why is administrator mapped like root?
> >     [root@fedora-addc ~]# id administrator
> >     uid=0(root) gid=0(root) gruppi=0(root)
> 
> So that Administrator can do the things that root can do.
> 
> > 
> > and if I add administrator to "Domain Admins" nothing changes:
> 
> That was a waste of time, Administrator was already a member of
> Domain Admins.
> 
> >     # samba-tool group addmembers 'Domain Admins' Administrator
> >     # samba-tool group listmembers 'Domain Admins'
> >     Administrator
> >     # id administrator
> >     uid=0(root) gid=0(root) gruppi=0(root)
> > 
> > Please let me know; this is my first samba AD-DC + samba AD member
> > server implementation, and tomorrow I must deploy everything onto
> > production servers.
> > 
> 
> You seem to be doing okay at the moment, next stop the Unix domain
> member ;-)

Thanks Rowland, then the AD-DC is ok.
This little virtual server (3Gb of disk) must do only the DNS and AD-DC
for my network.

However, I would also like to enable the DHCP service, and I think it's
right to activate it on this server.

What is the best way to do so?

Is it possible to enable ISC DHCP and automatically update the AD-DC zone,
in this case the solinos.loc zone?

Let me know your suggestions. Thanks

Now I try to setup a samba domain member and join it to this AD-DC.


-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
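The thread shows that the built-in Administrator resolves to uid 0 on the DC. A check a defender would want after provisioning is that Administrator is the only Domain Admins member mapped that way. The script below is an added example, not code from the thread or from the Samba project: the parser works on constructed `id`-style sample lines (the `backupop` account is a hypothetical, wrongly mapped account used to show the failure case), and the live `audit_domain_admins` helper assumes `samba-tool` and `id` are in PATH on the DC.

```shell
#!/bin/sh
# Added example, not part of the thread: audit which Domain Admins members
# the DC maps to Unix uid 0. Only the built-in Administrator is expected
# to resolve to root (as "id administrator" in the thread shows); any other
# account that does is a privilege-mapping surprise worth reviewing.
#
# Input format for the parser: one line per account,
#   <account> <output of "id <account>">
# "gruppi" is the Italian locale's label for groups, as in the thread.

# uid0_accounts: print the account names whose uid field is 0.
uid0_accounts() {
    while read -r name rest; do
        case "$rest" in
            "uid=0("*) printf '%s\n' "$name" ;;
        esac
    done
}

# only_administrator_root: succeed only when every uid-0 account on stdin
# is Administrator (compared case-insensitively, as AD account names are).
only_administrator_root() {
    extra=$(uid0_accounts | grep -v -i '^administrator$' | grep -c . || true)
    [ "$extra" -eq 0 ]
}

# Constructed sample: two lines modelled on the thread's output, plus a
# hypothetical "backupop" account that was (wrongly) mapped to root.
SAMPLE_GOOD='administrator uid=0(root) gid=0(root) gruppi=0(root)
ospite uid=3000017(SOLINOS\ospite) gid=100(users) gruppi=100(users),3000017(SOLINOS\ospite)'
SAMPLE_BAD="$SAMPLE_GOOD
backupop uid=0(root) gid=0(root) gruppi=0(root)"

# Helpers that run the audit over the constructed samples.
sample_good_uid0() { printf '%s\n' "$SAMPLE_GOOD" | uid0_accounts; }
sample_bad_uid0()  { printf '%s\n' "$SAMPLE_BAD"  | uid0_accounts; }
sample_good_ok()   { printf '%s\n' "$SAMPLE_GOOD" | only_administrator_root; }
sample_bad_ok()    { printf '%s\n' "$SAMPLE_BAD"  | only_administrator_root; }

# Live audit on a DC: list Domain Admins with samba-tool (the command used
# in the thread) and resolve each member with id. Assumes both are in PATH.
audit_domain_admins() {
    samba-tool group listmembers 'Domain Admins' | while read -r m; do
        printf '%s %s\n' "$m" "$(id "$m" 2>/dev/null || echo unresolved)"
    done | uid0_accounts
}

if command -v samba-tool >/dev/null 2>&1; then
    echo "Domain Admins members mapped to uid 0:"
    audit_domain_admins
else
    echo "samba-tool not found; running the audit on the constructed sample:"
    sample_bad_uid0
fi
```

Run it on the DC after provisioning and again after any change to idmap or group membership; the only name it should print is Administrator.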
