[Samba] Setup a new samba AD DC

Dario Lesca d.lesca at solinos.it
Tue Apr 25 16:29:47 UTC 2017


On Tue, 25/04/2017 at 14.36 +0100, Rowland Penny via samba wrote:
> On Tue, 25 Apr 2017 15:09:55 +0200
> Dario Lesca via samba <samba at lists.samba.org> wrote:
> 
> 
> > Thanks Rowland, then the AD-DC is ok.
> > This little virtual server (3Gb of disk) must do only the DNS and
> > AD-DC for my network.
> > 
> > However I would like to enable also the DHCP service, and think
> > it's
> > right to activate it on this server.
> > 
> > What is the best way to do so?
> 
> Well you could always do it the way I have been doing it for the last
> 5 years, see here:
> 
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> 
> Rowland

Ok, thanks.

Tomorrow I will try this procedure for DHCP.

Another question:

Where is the best place to set:

 - logon script = netlogon.bat
   and other logon options

 - wins support = yes

 - load printers = yes

on the AD-DC or on the member server?

Then.

I have joined a Samba server to AD with success.

This is my member server smb.conf:

[global]
   workgroup = SOLINOS
   password server = fedora-addc.solinos.loc
   realm = SOLINOS.LOC
   security = ads
   ; idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false

   winbind enum users = yes
   winbind enum groups = yes

   store dos attributes = yes

   client signing = yes
   client use spnego = yes
   idmap config * : backend = tdb
   idmap config * : range = 10000-99999
   idmap config solinos:backend = rid
   idmap config solinos:range = 100000-199999
   idmap config solinos:schema_mode = rfc2307

This is my /etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SOLINOS.LOC
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 SOLINOS.LOC = {
  # kdc = fedora-addc.solinos.loc
  admin_server = fedora-addc.solinos.loc
  kdc = fedora-addc.solinos.loc
 }

[domain_realm]
 solinos.loc = SOLINOS.LOC
 .solinos.loc = SOLINOS.LOC

Is it all correct? Do you have any suggestions to improve the configuration?

I started with "idmap config * : range = 16777216-33554431" (now
commented out), then I changed it to the new per-domain value.

Must I reset some cache? How do I reset the local IDs?

If I check, the user still has the old ID mapping (I believe):

# id ospite
uid=16777216(ospite) gid=16777216(domain users) gruppi=16777216(domain
users),10001(BUILTIN\users)

Is this correct? (I don't believe so)

Thanks for the reply.

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
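The following is an added example, not part of the mailing-list message or of Samba itself: a small Python checker for the idmap settings pasted above. It parses the `idmap config` lines (including the commented-out old default range), verifies that the configured ranges do not overlap, reports which range each number in the quoted `id ospite` output falls into, and computes the ID that the `idmap_rid` backend would assign deterministically for a given RID (per the idmap_rid manual, ID = RID - base_rid + range low; Domain Users is RID 513). The configuration text and the `id` output are constructed copies of what the message shows, trimmed to the relevant lines; all function names are hypothetical.

```python
import re

# Constructed sample input: the member server's idmap settings from the message
# above, with the old default range kept as a commented-out line.
SMB_CONF = """\
[global]
   workgroup = SOLINOS
   security = ads
   ; idmap config * : range = 16777216-33554431
   idmap config * : backend = tdb
   idmap config * : range = 10000-99999
   idmap config solinos:backend = rid
   idmap config solinos:range = 100000-199999
"""

# Constructed sample: the `id ospite` output quoted in the message.
ID_OUTPUT = ("uid=16777216(ospite) gid=16777216(domain users) "
             "gruppi=16777216(domain users),10001(BUILTIN\\users)")

# Matches 'idmap config <domain> : <key> = <value>', optionally commented out.
IDMAP_LINE = re.compile(
    r"^\s*(?P<comment>[;#])?\s*idmap config\s+(?P<dom>[^:\s]+)\s*:\s*"
    r"(?P<key>\w+)\s*=\s*(?P<val>\S+)\s*$", re.IGNORECASE)


def parse_range(text):
    """'10000-99999' -> (10000, 99999); raises ValueError on a malformed range."""
    low, high = (int(x) for x in text.split("-", 1))
    if low > high:
        raise ValueError(f"range low {low} exceeds high {high}")
    return low, high


def parse_idmap(conf):
    """Collect active 'idmap config' settings per domain plus commented-out ranges.

    Returns (active, commented): active is {domain: {key: value}}, commented is
    [(domain, (low, high))] for ranges disabled with ';' or '#'.
    """
    active, commented = {}, []
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if not m:
            continue
        dom, key, val = m["dom"].lower(), m["key"].lower(), m["val"]
        if m["comment"]:
            if key == "range":
                commented.append((dom, parse_range(val)))
            continue
        active.setdefault(dom, {})[key] = val
    return active, commented


def overlapping_ranges(active):
    """Return pairs of domains whose ID ranges overlap (ambiguous allocations)."""
    ranges = {d: parse_range(s["range"]) for d, s in active.items() if "range" in s}
    doms = sorted(ranges)
    clashes = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                clashes.append((a, b))
    return clashes


def classify_id(num, active, commented):
    """Name the active range an ID falls in, 'commented-out:<dom>' if it only fits
    a disabled range (a stale allocation), or None if it matches nothing."""
    for dom, settings in active.items():
        if "range" in settings:
            low, high = parse_range(settings["range"])
            if low <= num <= high:
                return dom
    for dom, (low, high) in commented:
        if low <= num <= high:
            return f"commented-out:{dom}"
    return None


def expected_rid_id(active, dom, rid, base_rid=0):
    """ID the idmap_rid backend assigns: RID - base_rid + range low."""
    settings = active[dom.lower()]
    if settings.get("backend", "").lower() != "rid":
        raise ValueError(f"{dom} does not use the rid backend")
    low, high = parse_range(settings["range"])
    num = rid - base_rid + low
    if not low <= num <= high:
        raise ValueError(f"RID {rid} maps to {num}, outside {low}-{high}")
    return num


def classify_id_output(output, active, commented):
    """Map each 'number(name)' token of `id` output to the range it falls in."""
    return {name: classify_id(int(num), active, commented)
            for num, name in re.findall(r"(\d+)\(([^)]*)\)", output)}


if __name__ == "__main__":
    act, com = parse_idmap(SMB_CONF)
    print("overlapping ranges:", overlapping_ranges(act))
    for name, where in classify_id_output(ID_OUTPUT, act, com).items():
        print(f"{name!r}: {where}")
    print("expected 'domain users' gid via rid:", expected_rid_id(act, "solinos", 513))
```

Run against the pasted configuration, the checker reports no overlap between the `*` and `solinos` ranges, places 16777216 only in the commented-out old default range (so it is an allocation left over from the earlier tdb configuration rather than a product of the current rid range), places 10001 for BUILTIN\users in the current `*` tdb range, and shows that the rid backend would give Domain Users the gid 100513.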


