[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
Stephen
stephen at ogdenradar.com
Fri Mar 22 15:03:51 UTC 2019
Hello, I wonder if anyone here could possibly help me? I am using Samba
version 4.5.16-Debian (version information taken from sudo smbstatus) on
Raspbian and attempting to prototype some future network infrastructure
with a couple of Raspberry Pis.
So far I have successfully created a Samba 4 AD DC
ad1.samdom.example.com. I have successfully joined my Windows 10 desktop
client to the SAMDOM domain provided by ad1 and it authenticated OK, and
appears to synchronise the network time correctly. So far so good!
Ideally I would now like to add to this basic setup by creating an
additional DC, ad2, with ip ad2.samdom.example.com, and join this to the
existing SAMDOM domain provided by ad1 to provide some extra redundancy
and failover.
This is where my problems begin unfortunately.
I have used two separate shell-scripts to commission my two servers
ad1.sh and ad2.sh (please find both scripts attached for scrutiny)
* These two scripts are based heavily upon the tutorial series found
at TechMint here:
https://www.tecmint.com/install-samba4-active-directory-ubuntu/
* The script to build ad1 is the main DC and is based upon section 1
and 2 of the tutorial, and as far as I can tell appears to work
correctly. As discussed I can connect to the server that results
from a Windows 10 client.
* The script to build the second DC used for failover is based upon
part 5 of the linked tutorial series, and this is where I am having
problems.
* Both ad1 and ad2 are assigned static ips, ad1 = 192.168.1.229 and
ad2=192.168.1.228.
I am encountering baffling issues with LDAP when I run my script ad2.sh.
What I don't understand here is that I am apparently able to join domain
SAMDOM without issue, ie in the ad2 script when I do
pi at ad2 $ sudo samba-tool domain join samdom DC -U"SAMDOM\administrator"
--dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
--option="dns forwarder = $EXTERNAL_DNS2 $EXTERNAL_DNS3 $EXTERNAL_DNS4"
This appears to work just fine, and I obtain the following seemingly
plausible output from this command:
Finding a writeable DC for domain 'samdom.example.com'
Found DC ad1.samdom.example.com
Password for [=SAMDOM\administrator]:
workgroup is SAMDOM
realm is samdom.example.com
Adding CN=AD2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Adding
CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding CN=NTDS
Settings,CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding SPNs to CN=AD2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Setting account password for AD2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at
/var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=samdom,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com]
objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com]
objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com]
objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com]
objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=example,DC=com]
objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com]
objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com]
objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com]
objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com]
objects[1614/1614] linked_values[30/0]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=example,DC=com] objects[97/97] linked_values[23/0]
Partition[DC=samdom,DC=example,DC=com] objects[360/263] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[40/40]
linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[18/18]
linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMDOM (SID S-1-5-21-1810456019-651403982-3541939936) as a DC
Unfortunately it is after this that I then have major problems with LDAP
when I try to perform the actual replication. When I attempt:
pi at ad2 ~ $ sudo systemctl unmask samba-ad-dc
pi at ad2 ~ $ sudo systemctl restart samba-ad-dc
pi at ad2 ~ $ sudo samba-tool drs showrepl
I get the following error messages:
17) Replicate Samba Account Details between Primary and Secondary DCs
Failed to connect to ldap URL 'ldap://ad2.samdom.example.com' - LDAP
client internal error: NT_STATUS_CONNECTION_REFUSED
Failed to connect to 'ldap://ad2.samdom.example.com' with backend
'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
ERROR(ldb): LDAP connection to ad2.samdom.example.com failed - LDAP
client internal error: NT_STATUS_CONNECTION_REFUSED
Initially I thought this was something simple such as an error in name
or host resolution due to network misconfiguration. But I have double
checked my /etc/hosts file content and my resolv.conf on ad2 and I
believe these to be correct, please find these below for ad2 along with
my smb.conf file:
pi at ad2:~ $ cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.1.229 ad1.samdom.example.com ad1
192.168.1.228 ad2.samdom.example.com ad2
pi at ad2:~ $ cat /etc/hostname
ad2
pi at ad2:~ $ cat /etc/resolv.conf
# Generated by resolvconf
search samdom.example.com
nameserver 192.168.1.229
nameserver 192.168.1.228
nameserver 88.215.63.255
nameserver 88.215.61.255
nameserver 8.8.8.8
pi at ad2:~ $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.228 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::1cb0:8751:ad6b:6df0 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:9c:98:34 txqueuelen 1000 (Ethernet)
RX packets 703 bytes 136445 (133.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 308 bytes 49680 (48.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
pi at ad2:~ $ cat /etc/samba/smb.conf
# Global parameters
[global]
netbios name = AD2
realm = SAMDOM.EXAMPLE.COM
workgroup = SAMDOM
dns forwarder = 88.215.63.255 88.215.61.255 8.8.8.8
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
pi at ad2:~ $ ping ad1.samdom.example.com
PING ad1.samdom.example.com (192.168.1.229) 56(84) bytes of data.
64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=1 ttl=64
time=0.604 ms
64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=2 ttl=64
time=0.460 ms
64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=3 ttl=64
time=0.353 ms
64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=4 ttl=64
time=0.361 ms
pi at ad2:~ $ host -tA ad1.samdom.example.com
ad1.samdom.example.com has address 192.168.1.229
Likewise for ad1:
pi at ad1:~ $ cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.1.229 ad1.samdom.example.com ad1
192.168.1.228 ad2.samdom.example.com ad2
pi at ad1:~ $ cat /etc/hostname
ad1
pi at ad1:~ $ cat /etc/resolv.conf
# Generated by resolvconf
search samdom.example.com
nameserver 192.168.1.229
nameserver 192.168.1.228
nameserver 88.215.63.255
nameserver 88.215.61.255
nameserver 8.8.8.8
pi at ad1:~ $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.229 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::446b:2bdc:7765:11e2 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:2f:93:7d txqueuelen 1000 (Ethernet)
RX packets 5724 bytes 572625 (559.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7476 bytes 9492118 (9.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
pi at ad1:~ $ cat /etc/samba/smb.conf
# Global parameters
[global]
netbios name = AD1
realm = SAMDOM.EXAMPLE.COM
workgroup = SAMDOM
dns forwarder = 8.8.8.8
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
pi at ad1:~ $ ping ad2.samdom.example.com
PING ad2.samdom.example.com (192.168.1.228) 56(84) bytes of data.
64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=1 ttl=64
time=0.497 ms
64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=2 ttl=64
time=0.469 ms
64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=3 ttl=64
time=0.353 ms
64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=4 ttl=64
time=0.327 ms
Interestingly I note that when I do a host lookup on ad1 I get:
pi at ad1:~ $ host -tA ad2.samdom.example.com
Host ad2.samdom.example.com not found: 3(NXDOMAIN)
There are some official Samba articles that suggest that for Samba <4.6
you need to manually set up DNS entries on AD1 prior to configuring AD2,
i.e.
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record,
but this seems a bit of a hacky workaround. This advice appears to
contradict the TechMint tutorials and other advice I have seen elsewhere
on the net though, so I am unsure how much weight to lend to this.
Can anyone advise what I am doing wrong here? Any help rendered would be
hugely appreciated :O)
Thanks
Stephen Ellwood
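A post-join check for the situation described above (join succeeds, ad1 returns NXDOMAIN for ad2, LDAP on ad2 refuses connections), added here as an example; it is not part of the original post or of the attached ad1.sh/ad2.sh. It assumes the host (dnsutils) and ss (iproute2) utilities and the samba-tool dns add syntax from the linked Samba wiki page; the host names and addresses are the ones from the post.

```shell
#!/bin/bash
# Added example, not from the original post or its attached scripts:
# post-join sanity checks for a second Samba AD DC. Assumes the "host"
# (dnsutils) and "ss" (iproute2) utilities; parsing follows their usual
# output format. The samba-tool dns add syntax is the one documented on
# the Samba wiki page linked in the post.

# 0 if the A record for DC_FQDN resolves to EXPECTED_IP, 1 otherwise.
# An NXDOMAIN answer (what ad1 returned for ad2 in the post) counts as missing.
dc_a_record_ok() {
    local dc_fqdn="$1" expected_ip="$2" out
    out=$(host -t A "$dc_fqdn" 2>&1) || {
        echo "MISSING: A record for $dc_fqdn ($out)"
        return 1
    }
    if printf '%s\n' "$out" | grep -qxF "$dc_fqdn has address $expected_ip"; then
        echo "OK: $dc_fqdn -> $expected_ip"
        return 0
    fi
    echo "MISMATCH: $dc_fqdn resolves to: $out"
    return 1
}

# 0 if the SRV record SRV_NAME lists DC_FQDN as a target, 1 otherwise.
# Clients and the other DCs locate a DC through _ldap._tcp and
# _kerberos._udp; a DC absent from them is invisible to the domain.
dc_srv_record_ok() {
    local srv_name="$1" dc_fqdn="$2" out
    out=$(host -t SRV "$srv_name" 2>&1) || {
        echo "MISSING: $srv_name ($out)"
        return 1
    }
    # host prints one line per target, e.g.
    # "_ldap._tcp.samdom.example.com has SRV record 0 100 389 ad2.samdom.example.com."
    if printf '%s\n' "$out" | awk -v t="$dc_fqdn." '$NF == t {found=1} END {exit !found}'; then
        echo "OK: $srv_name lists $dc_fqdn"
        return 0
    fi
    echo "MISSING: $srv_name does not list $dc_fqdn"
    return 1
}

# 0 if a local TCP listener is bound to PORT, 1 otherwise.
# NT_STATUS_CONNECTION_REFUSED on ldap://<own FQDN> means nothing is bound
# to 389 on this host, i.e. samba-ad-dc is not running yet.
local_port_listening() {
    local port="$1"
    # ss -ltn: column 4 is Local Address:Port
    if ss -ltn 2>/dev/null | awk -v p=":$port" '$4 ~ (p "$") {found=1} END {exit !found}'; then
        echo "OK: TCP $port is listening"
        return 0
    fi
    echo "NOT LISTENING: TCP $port (is samba-ad-dc running?)"
    return 1
}

# Run every check for a freshly joined DC. DOMAIN is the AD DNS zone and
# DNS_SERVER an already working DC (ad1 in the post) that can take the
# record if it has to be created by hand. Returns 0 only if all pass.
check_new_dc() {
    local dc_fqdn="$1" dc_ip="$2" domain="$3" dns_server="$4" rc=0
    local dc_short="${dc_fqdn%%.*}"
    dc_a_record_ok "$dc_fqdn" "$dc_ip" || {
        rc=1
        echo "  fix: samba-tool dns add $dns_server $domain $dc_short A $dc_ip -U administrator"
    }
    dc_srv_record_ok "_ldap._tcp.$domain" "$dc_fqdn" || rc=1
    dc_srv_record_ok "_kerberos._udp.$domain" "$dc_fqdn" || rc=1
    local_port_listening 389 || rc=1
    return "$rc"
}

# Usage on ad2 after "samba-tool domain join" (values from the post):
#   check_new_dc ad2.samdom.example.com 192.168.1.228 samdom.example.com ad1.samdom.example.com
```

Run it on ad2 after the join and before starting replication; a non-zero exit tells you which record or listener is missing.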
-------------- next part --------------
#!/bin/bash
#---------------------------------------------------------------|
#---------------------------------------------------------------|
# Setup a primary Active Directory controller server |
#---------------------------------------------------------------|
#---------------------------------------------------------------|
PROGRESS_FILE="adprogressprimary";
# ---------------------------------------------------------------|
# Active directory server configuration settings
# ---------------------------------------------------------------|
IP_ADDRESS="192.168.1.229";
IP_ADDRESS_SECONDARY_AD="192.168.1.228";
HOSTNAME_SECONDARY_AD="ad2"
GATEWAY="192.168.1.1";
EXTERNAL_DNS1="88.215.63.255"
EXTERNAL_DNS2="88.215.61.255"
EXTERNAL_DNS3="8.8.8.8"
DNS_SERVERS="$IP_ADDRESS $IP_ADDRESS_SECONDARY_AD $EXTERNAL_DNS1 $EXTERNAL_DNS2 $EXTERNAL_DNS3";
DOMAIN="samdom.example.com";
WIN_DOMAIN="samdom"
HOSTNAME="ad1";
# ---------------------------------------------------------------|
# Shell colour definitions
# ---------------------------------------------------------------|
RCol='\e[0m' # Text Reset
# Regular Bold Underline High Intensity BoldHigh Intens Background High Intensity Backgrounds
Bla='\e[0;30m'; BBla='\e[1;30m'; UBla='\e[4;30m'; IBla='\e[0;90m'; BIBla='\e[1;90m'; On_Bla='\e[40m'; On_IBla='\e[0;100m';
Red='\e[0;31m'; BRed='\e[1;31m'; URed='\e[4;31m'; IRed='\e[0;91m'; BIRed='\e[1;91m'; On_Red='\e[41m'; On_IRed='\e[0;101m';
Gre='\e[0;32m'; BGre='\e[1;32m'; UGre='\e[4;32m'; IGre='\e[0;92m'; BIGre='\e[1;92m'; On_Gre='\e[42m'; On_IGre='\e[0;102m';
Yel='\e[0;33m'; BYel='\e[1;33m'; UYel='\e[4;33m'; IYel='\e[0;93m'; BIYel='\e[1;93m'; On_Yel='\e[43m'; On_IYel='\e[0;103m';
Blu='\e[0;34m'; BBlu='\e[1;34m'; UBlu='\e[4;34m'; IBlu='\e[0;94m'; BIBlu='\e[1;94m'; On_Blu='\e[44m'; On_IBlu='\e[0;104m';
Pur='\e[0;35m'; BPur='\e[1;35m'; UPur='\e[4;35m'; IPur='\e[0;95m'; BIPur='\e[1;95m'; On_Pur='\e[45m'; On_IPur='\e[0;105m';
Cya='\e[0;36m'; BCya='\e[1;36m'; UCya='\e[4;36m'; ICya='\e[0;96m'; BICya='\e[1;96m'; On_Cya='\e[46m'; On_ICya='\e[0;106m';
Whi='\e[0;37m'; BWhi='\e[1;37m'; UWhi='\e[4;37m'; IWhi='\e[0;97m'; BIWhi='\e[1;97m'; On_Whi='\e[47m'; On_IWhi='\e[0;107m';
# ---------------------------------------------------------------|
# Cleanup code
# ---------------------------------------------------------------|
# Make sure we update our bash prompt to reflect our change of hostname
function finish
{
exec bash
}
trap finish EXIT
# ---------------------------------------------------------------|
# Script Code
# ---------------------------------------------------------------|
# Explain what script actually does
echo -e "${Yel}---------------------------------------------------------${RCol}"
echo -e "${Yel} Setup Samba 4 Active Directory Domain Controller${RCol}"
echo -e "${Yel}---------------------------------------------------------${RCol}"
echo -e "${Yel} This script configures the current Raspberry Pi to be ${RCol}"
echo -e "${Yel} a Samba 4 Active Directory controller.${RCol}"
echo ""
echo -e "${Red} Note: This script should be used for local installation only${RCol}"
echo -e "${Red} and should not be used via SSH or similar remote access tools${RCol}"
echo ""
echo -e "${Yel}---------------------------------------------------------${RCol}"
echo ""
# Create progress file if it doesn't already exists
if [ ! -f ${PROGRESS_FILE} ]; then
echo -e "${Cya} Create file to track installation progress${RCol}"
touch ${PROGRESS_FILE}
fi
# Disable Pi WiFi and Bluetooth RF Interfaces
if ! grep -q 'disable-rf' ${PROGRESS_FILE}; then
echo -e "${Cya}1) Disabling RF Interfaces${RCol}"
sudo systemctl disable wpa_supplicant
sudo systemctl disable bluetooth
sudo systemctl disable hciuart
echo "dtoverlay=pi3-disable-wifi" | sudo tee -a /boot/config.txt;
echo "pi3-disable-bt" | sudo tee -a /boot/config.txt;
echo "disable-rf" >> ${PROGRESS_FILE}
fi
# Enable ACL for main AD drive partition "/"
# (change "defaults,noatime" to "defaults,noatime,acl" there, and backup old /etc/fstab)
if ! grep -q 'enable-acl' ${PROGRESS_FILE}; then
echo -e "${Cya}2) Enabling ACL${RCol}"
# Compare (==) the filesystem type; a single "=" would assign it instead of testing it
awk '/^.*\/.*ext4/{if ($3=="ext4") $4="defaults,noatime,acl"};{print}' /etc/fstab > ~/fstab.new
sudo cp /etc/fstab /etc/fstab.backup
sudo mv ~/fstab.new /etc/fstab
echo "enable-acl" >> ${PROGRESS_FILE}
fi
# Change user Pi default logon password
# !!! We MUST do this BEFORE enabling SSH !!!
if ! grep -q 'change-default-password' ${PROGRESS_FILE}; then
echo -e "${Cya}3) Changing Pi default password${RCol}"
echo -e "${Red} Note that during this process you will be prompted to choose and enter a new password for user pi.${RCol}"
echo -e "${Red} This is the main login account for this Raspberry pi server, and is also used for remote access via SSH!${RCol}"
echo -e "${Red} Store these credentials somewhere safe! You will need these to login and administer the machine.${RCol}"
if ! passwd; then
echo "Failed to change default user password. THIS IS A SECURITY RISK so exiting..."
exit 1
else
echo "change-default-password" >> ${PROGRESS_FILE}
fi
fi
# Update Raspbian package lists
if ! grep -q 'update-raspbian' ${PROGRESS_FILE}; then
echo -e "${Cya}4) Updating Raspbian Package Server List(s)${RCol}"
sudo apt-get update
echo "update-raspbian" >> ${PROGRESS_FILE}
fi
# Upgrade Raspbian packages
if ! grep -q 'upgrade-raspbian' ${PROGRESS_FILE}; then
echo -e "${Cya}5) Upgrading Raspbian${RCol}"
sudo apt-get -y upgrade
echo "upgrade-raspbian" >> ${PROGRESS_FILE}
fi
# Update IP address settings for Pi in /etc/dhcpcd.conf
if ! grep -q 'change-eth0-settings' ${PROGRESS_FILE}; then
echo -e "${Cya}6) Changing Pi Network settings${RCol}"
sudo cp /etc/dhcpcd.conf /etc/dhcpcd.conf.backup
sudo sed -i '/# static IP configuration for Ogden Active Directory service:/,$d' /etc/dhcpcd.conf;
sudo sed -i '/# Example static IP configuration:/,$d' /etc/dhcpcd.conf;
echo "# static IP configuration for Ogden Active Directory service:" | sudo tee -a /etc/dhcpcd.conf
echo "interface eth0" | sudo tee -a /etc/dhcpcd.conf;
echo "static routers=$GATEWAY" | sudo tee -a /etc/dhcpcd.conf;
echo "static ip_address=$IP_ADDRESS" | sudo tee -a /etc/dhcpcd.conf;
echo "static domain_name_servers=$DNS_SERVERS" | sudo tee -a /etc/dhcpcd.conf;
echo "static domain_search=$DOMAIN" | sudo tee -a /etc/dhcpcd.conf;
# Force immediate update to ip address
sudo ifconfig eth0 down
sudo ifconfig eth0 up
sudo service networking restart;
echo "change-eth0-settings" >> ${PROGRESS_FILE};
fi
# Change default pi hostname
if ! grep -q 'change-hostname' ${PROGRESS_FILE}; then
echo -e "${Cya}7) Changing Pi hostname settings${RCol}"
# Update /etc/hosts file prior to hostname change
sudo sed -i "/$HOSTNAME/d" /etc/hosts;
echo "$IP_ADDRESS $HOSTNAME.$DOMAIN $HOSTNAME" | sudo tee -a /etc/hosts;
echo "$IP_ADDRESS_SECONDARY_AD $HOSTNAME_SECONDARY_AD.$DOMAIN $HOSTNAME_SECONDARY_AD" | sudo tee -a /etc/hosts;
# Set new hostname by modifying /etc/hostname - only then delete our old hostname entry
sudo hostnamectl set-hostname $HOSTNAME
sudo sed -i '/raspberrypi/d' /etc/hosts;
sudo systemctl restart systemd-logind.service;
sudo service networking restart;
echo "change-hostname" >> ${PROGRESS_FILE};
fi
# Install Samba4 software
if ! grep -q 'install-samba' ${PROGRESS_FILE}; then
echo -e "${Cya}8) Installing Samba${RCol}"
echo "When prompted during installation please enter the following options at the installer prompt:";
echo -n "Default Kerberos realm: "; echo "$DOMAIN"|awk '{print toupper($0)}';
echo "Kerberos servers: $DOMAIN";
echo "Administrative server: $HOSTNAME.$DOMAIN";
echo "Please press a key to continue...";
read -n 1 -s;
sudo apt-get install -y samba krb5-user krb5-config winbind libpam-winbind libnss-winbind;
echo "install-samba" >> ${PROGRESS_FILE}
fi
# Stop Samba4 services prior to provisioning
if ! grep -q 'stop-samba-services' ${PROGRESS_FILE}; then
echo -e "${Cya}9) Temporarily disable Samba prior to provisioning${RCol}"
sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
sudo rm /etc/krb5.conf
echo "stop-samba-services" >> ${PROGRESS_FILE}
fi
# Provision the new Samba 4 AD controller
if ! grep -q 'provision-samba' ${PROGRESS_FILE}; then
echo -e "${Cya}10) Provision new Samba instance${RCol}"
echo ""
echo "When prompted during installation please enter the following options at the installer prompt:";
echo -n "realm: "; echo "$DOMAIN"|awk '{print toupper($0)}';
echo -n "domain: "; echo "$WIN_DOMAIN"|awk '{print toupper($0)}';
echo "server role: dc";
echo "DNS backend: SAMBA_INTERNAL";
echo "DNS Forwarder: 8.8.8.8";
echo ""
echo -e "${Red} Note that during this process you will be prompted to choose and enter an administrator password.${RCol}"
echo -e "${Red} This is the superuser password for the specified Samba domain and is used to create all other accounts!${RCol}"
echo -e "${Red} Store these credentials somewhere safe!${RCol}"
echo ""
sudo samba-tool domain provision --use-rfc2307 --interactive;
echo "provision-samba" >> ${PROGRESS_FILE}
fi
# Link to update kerberos configuration
if ! grep -q 'update-kerberos-config' ${PROGRESS_FILE}; then
echo -e "${Cya}11) Update Kerberos configuration file${RCol}"
sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf;
echo "update-kerberos-config" >> ${PROGRESS_FILE}
fi
# Enable samba-ad-dc daemon to run at boottime
if ! grep -q 'unmask-enable-samba-daemons' ${PROGRESS_FILE}; then
echo -e "${Cya}12) Unmask Samba services${RCol}"
sudo systemctl unmask samba-ad-dc.service
sudo systemctl start samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
sudo systemctl enable samba-ad-dc.service
echo "unmask-enable-samba-daemons" >> ${PROGRESS_FILE}
fi
# Regenerate resolv.conf, using our updated dhcpcd.conf entries
if ! grep -q 'update-resolve-file' ${PROGRESS_FILE}; then
echo -e "${Cya}13) Update /etc/resolv.conf filename${RCol}"
echo -e "search $DOMAIN\nnameserver $IP_ADDRESS\nnameserver $IP_ADDRESS_SECONDARY_AD\nnameserver $EXTERNAL_DNS1\nnameserver $EXTERNAL_DNS2\nnameserver $EXTERNAL_DNS3" | sudo resolvconf -a eth0.inet
echo "update-resolve-file" >> ${PROGRESS_FILE}
fi
# Manually verify required samba ports have been opened
if ! grep -q 'check-samba-ad-ports' ${PROGRESS_FILE}; then
echo -e "${Cya}14) Check Samba AD ports ${RCol}"
sudo netstat -tulpn | egrep 'smbd|samba';
echo "check-samba-ad-ports" >> ${PROGRESS_FILE}
fi
# Manually verify required samba is correctly emulating windows server
if ! grep -q 'check-winserv-emu' ${PROGRESS_FILE}; then
echo -e "${Cya}15) Check Windows Server Emulation ${RCol}"
sudo samba-tool domain level show
echo "check-winserv-emu" >> ${PROGRESS_FILE}
fi
# Ping to check local domain and dns is working correctly
if ! grep -q 'ping-check-local-domain' ${PROGRESS_FILE}; then
echo -e "${Cya}16) Ping test AD DNS functionality${RCol}"
ping -c3 "$HOSTNAME";
PING1CHK=$?;
ping -c3 "$HOSTNAME.$DOMAIN";
PING2CHK=$?;
ping -c3 "$DOMAIN";
PING3CHK=$?;
if [ $PING1CHK -ne 0 ] || [ $PING2CHK -ne 0 ] || [ $PING3CHK -ne 0 ]; then
echo "ERROR: Could not ping host(s) and/or dns server. Exiting."
exit 2
fi
echo "ping-check-local-domain" >> ${PROGRESS_FILE};
fi
if ! grep -q 'dns-check-local-domain' ${PROGRESS_FILE}; then
echo -e "${Cya}17) DNS lookup check AD domain and AD server${RCol}"
host -t A "$DOMAIN"
DNS1CHK=$?;
host -t A "$HOSTNAME.$DOMAIN";
DNS2CHK=$?;
host -t SRV "_kerberos._udp.$DOMAIN";
DNS3CHK=$?;
host -t SRV "_ldap._tcp.$DOMAIN";
DNS4CHK=$?;
if [ $DNS1CHK -ne 0 ] || [ $DNS2CHK -ne 0 ] || [ $DNS3CHK -ne 0 ] || [ $DNS4CHK -ne 0 ]; then
echo "ERROR: Could not perform required DNS lookups! Exiting."
exit 3
fi
echo "dns-check-local-domain" >> ${PROGRESS_FILE};
fi
# Request Kerberos ticket
if ! grep -q 'kerberos-ticket-request-check' ${PROGRESS_FILE}; then
echo -e "${Cya}18) Request Kerberos new ticket to check Kerberos${RCol}"
echo "We will test Kerberos by requesting a new ticket for user administator.";
echo "Please enter password for administrator@$WIN_DOMAIN when requested here";
KRB_ADMIN="administrator@`echo "$DOMAIN"|awk '{print toupper($0)}'`"
kinit $KRB_ADMIN
klist
echo "kerberos-ticket-request-check" >> ${PROGRESS_FILE}
fi
# Install NTP functionality required for Active Directory
if ! grep -q 'install-ntp' ${PROGRESS_FILE}; then
echo -e "${Cya}19) Install required NTP functionality on server${RCol}"
sudo apt-get install -y ntp ntpdate
echo "install-ntp" >> ${PROGRESS_FILE}
fi
# Configure NTP settings required for Active Directory
if ! grep -q 'configure-ntp' ${PROGRESS_FILE}; then
echo -e "${Cya}20) Configure required NTP functionality on server${RCol}"
sudo sed -i 's/pool 0.*/pool 0.uk.pool.ntp.org iburst/' /etc/ntp.conf
sudo sed -i 's/pool 1.*/pool 1.uk.pool.ntp.org iburst/' /etc/ntp.conf
sudo sed -i 's/pool 2.*/pool 2.uk.pool.ntp.org iburst/' /etc/ntp.conf
sudo sed -i 's/pool 3.*/pool 3.uk.pool.ntp.org iburst/' /etc/ntp.conf
sudo sed -i '/^driftfile/a ntpsigndsocket /var/lib/samba/ntp_signd/' /etc/ntp.conf
sudo sed -i '/^restrict source/a restrict default kod nomodify notrap nopeer mssntp' /etc/ntp.conf
echo "configure-ntp" >> ${PROGRESS_FILE}
fi
# Set permissions required for NTP server
if ! grep -q 'permissions-ntp' ${PROGRESS_FILE}; then
echo -e "${Cya}21) Set required NTP permissions${RCol}"
sudo chown root:ntp /var/lib/samba/ntp_signd/
sudo chmod 750 /var/lib/samba/ntp_signd/
echo "permissions-ntp" >> ${PROGRESS_FILE}
fi
# Restart NTP
if ! grep -q 'restart-ntp' ${PROGRESS_FILE}; then
echo -e "${Cya}22) Restart NTP to update settings${RCol}"
sudo systemctl restart ntp
echo "restart-ntp" >> ${PROGRESS_FILE}
fi
# Check NTP port is listening
if ! grep -q 'check-ntp-port' ${PROGRESS_FILE}; then
echo -e "${Cya}23) Confirm required NTP ports opened${RCol}"
sudo netstat -tulpn | grep ntp
# Wait here for NTP to synchronise
sleep 10s
echo "check-ntp-port" >> ${PROGRESS_FILE}
fi
# List all NTP servers
if ! grep -q 'list-ntp-servers' ${PROGRESS_FILE}; then
echo -e "${Cya}24) Print list of NTP servers${RCol}"
ntpq -p
echo "list-ntp-servers" >> ${PROGRESS_FILE}
fi
# Check NTP time synchronisation
if ! grep -q 'check-ntp-sync' ${PROGRESS_FILE}; then
echo -e "${Cya}25) Confirm NTP time sychronisation${RCol}"
NTPSYNCCHK=$(ntpdate -qu $HOSTNAME)
if echo "$NTPSYNCCHK" | grep -q 'no server suitable for synchronization found'; then
echo "ERROR: Could not synchronise to NTP servers. Exiting..."
exit 4
fi
echo "check-ntp-sync" >> ${PROGRESS_FILE}
fi
# Enable SSH service for remote access to AD server for configuration etc.
if ! grep -q 'enable-ssh' ${PROGRESS_FILE}; then
echo -e "${Cya}26) Enable SSH for remote AD server administration${RCol}"
sudo systemctl enable ssh
sudo systemctl start ssh
echo "enable-ssh" >> ${PROGRESS_FILE}
fi
# Reboot to reflect hostname change
if ! grep -q 'update-shell-prompt' ${PROGRESS_FILE}; then
echo "update-shell-prompt" >> ${PROGRESS_FILE}
sudo reboot
fi
-------------- next part --------------
#!/bin/bash
#---------------------------------------------------------------|
#---------------------------------------------------------------|
# Setup a secondary (failover) Active Directory controller server |
#---------------------------------------------------------------|
#---------------------------------------------------------------|
PROGRESS_FILE="adprogresssecondary";
# ---------------------------------------------------------------|
# Active directory server configuration settings
# ---------------------------------------------------------------|
IP_ADDRESS="192.168.1.228";
GATEWAY="192.168.1.1";
IP_ADDRESS_PRIMARY_AD="192.168.1.229"; # This first DNS server must be
# our existing primary AD DC!
PRIMARY_AD_HOSTNAME="ad1"; # Hostname for primary AD DC instance
EXTERNAL_DNS2="88.215.63.255"; # These are all external DNS server
EXTERNAL_DNS3="88.215.61.255";
EXTERNAL_DNS4="8.8.8.8";
DNS_SERVERS="$IP_ADDRESS_PRIMARY_AD $IP_ADDRESS $EXTERNAL_DNS2 $EXTERNAL_DNS3 $EXTERNAL_DNS4";
SAMBA_DNS_FORWARDER="$EXTERNAL_DNS4";
DOMAIN="samdom.example.com"; # Samba Domain details
WIN_DOMAIN="samdom"; # Windows Domain name eg SAMDOM\\PC_NAME
# Single "=" for assignment; "==" here would store a leading "=" in the value
WIN_DOMAIN_UPPER="`echo "$WIN_DOMAIN"|awk '{print toupper($0)}'`"
HOSTNAME="ad2"; # Hostname for this AD DC instance
# ---------------------------------------------------------------|
# Shell colour definitions
# ---------------------------------------------------------------|
RCol='\e[0m' # Text Reset
# Regular Bold Underline High Intensity BoldHigh Intens Background High Intensity Backgrounds
Bla='\e[0;30m'; BBla='\e[1;30m'; UBla='\e[4;30m'; IBla='\e[0;90m'; BIBla='\e[1;90m'; On_Bla='\e[40m'; On_IBla='\e[0;100m';
Red='\e[0;31m'; BRed='\e[1;31m'; URed='\e[4;31m'; IRed='\e[0;91m'; BIRed='\e[1;91m'; On_Red='\e[41m'; On_IRed='\e[0;101m';
Gre='\e[0;32m'; BGre='\e[1;32m'; UGre='\e[4;32m'; IGre='\e[0;92m'; BIGre='\e[1;92m'; On_Gre='\e[42m'; On_IGre='\e[0;102m';
Yel='\e[0;33m'; BYel='\e[1;33m'; UYel='\e[4;33m'; IYel='\e[0;93m'; BIYel='\e[1;93m'; On_Yel='\e[43m'; On_IYel='\e[0;103m';
Blu='\e[0;34m'; BBlu='\e[1;34m'; UBlu='\e[4;34m'; IBlu='\e[0;94m'; BIBlu='\e[1;94m'; On_Blu='\e[44m'; On_IBlu='\e[0;104m';
Pur='\e[0;35m'; BPur='\e[1;35m'; UPur='\e[4;35m'; IPur='\e[0;95m'; BIPur='\e[1;95m'; On_Pur='\e[45m'; On_IPur='\e[0;105m';
Cya='\e[0;36m'; BCya='\e[1;36m'; UCya='\e[4;36m'; ICya='\e[0;96m'; BICya='\e[1;96m'; On_Cya='\e[46m'; On_ICya='\e[0;106m';
Whi='\e[0;37m'; BWhi='\e[1;37m'; UWhi='\e[4;37m'; IWhi='\e[0;97m'; BIWhi='\e[1;97m'; On_Whi='\e[47m'; On_IWhi='\e[0;107m';
# ---------------------------------------------------------------|
# Cleanup code
# ---------------------------------------------------------------|
# Make sure we update our bash prompt to reflect our change of hostname
function finish
{
exec bash
}
trap finish EXIT
# ---------------------------------------------------------------|
# Script Code
# ---------------------------------------------------------------|
# Explain what script actually does
echo -e "${Yel}---------------------------------------------------------${RCol}"
echo -e "${Yel} Setup Additional Backup Samba 4 Domain Controller(s)${RCol}"
echo -e "${Yel}---------------------------------------------------------${RCol}"
echo -e "${Yel} This script configures the current Raspberry Pi to be ${RCol}"
echo -e "${Yel} an additional Samba 4 Domain Controller, that will join${RCol}"
echo -e "${Yel} to a pre-existing AD forest as a backup or failover server.${RCol}"
echo -e "${Red} Note: This script should be used for local installation only${RCol}"
echo -e "${Red} and should not be used via SSH or similar remote access tools.${RCol}"
echo -e "${Red} To minimise the chance of misconfiguration this script should be${RCol}"
echo -e "${Red} applied to a fresh Raspbian installations ONLY.${RCol}"
echo ""
echo -e "${Yel}---------------------------------------------------------${RCol}"
echo ""
# Create progress file if it doesn't already exists
if [ ! -f ${PROGRESS_FILE} ]; then
echo -e "${Cya} Create file to track installation progress${RCol}"
touch ${PROGRESS_FILE}
fi
# Disable Pi WiFi and Bluetooth RF Interfaces
if ! grep -q 'disable-rf' ${PROGRESS_FILE}; then
echo -e "${Cya}1) Disabling RF Interfaces${RCol}"
sudo systemctl disable wpa_supplicant
sudo systemctl disable bluetooth
sudo systemctl disable hciuart
echo "dtoverlay=pi3-disable-wifi" | sudo tee -a /boot/config.txt;
echo "pi3-disable-bt" | sudo tee -a /boot/config.txt;
echo "disable-rf" >> ${PROGRESS_FILE}
fi
# Enable ACL for main AD drive partition "/"
# (change "defaults,noatime" to "defaults,noatime,acl" there, and backup old /etc/fstab)
if ! grep -q 'enable-acl' ${PROGRESS_FILE}; then
echo -e "${Cya}2) Enabling ACL${RCol}"
# Compare (==) the filesystem type; a single "=" would assign it instead of testing it
awk '/^.*\/.*ext4/{if ($3=="ext4") $4="defaults,noatime,acl"};{print}' /etc/fstab > ~/fstab.new
sudo cp /etc/fstab /etc/fstab.backup
sudo mv ~/fstab.new /etc/fstab
echo "enable-acl" >> ${PROGRESS_FILE}
fi
# Change user Pi default logon password
# !!! We MUST do this BEFORE enabling SSH !!!
if ! grep -q 'change-default-password' ${PROGRESS_FILE}; then
echo -e "${Cya}3) Changing Pi default password${RCol}"
echo -e "${Red} Note that during this process you will be prompted to choose and enter a new password for user pi.${RCol}"
echo -e "${Red} This is the main login account for this Raspberry pi server, and is also used for remote access via SSH!${RCol}"
echo -e "${Red} Store these credentials somewhere safe! You will need these to login and administer the machine.${RCol}"
if ! passwd; then
echo "Failed to change default user password. THIS IS A SECURITY RISK so exiting..."
exit 1
else
echo "change-default-password" >> ${PROGRESS_FILE}
fi
fi
# Update Raspbian package lists
if ! grep -q 'update-raspbian' ${PROGRESS_FILE}; then
echo -e "${Cya}4) Updating Raspbian Package Server List(s)${RCol}"
sudo apt-get update
echo "update-raspbian" >> ${PROGRESS_FILE}
fi
# Upgrade Raspbian packages
if ! grep -q 'upgrade-raspbian' ${PROGRESS_FILE}; then
echo -e "${Cya}5) Upgrading Raspbian${RCol}"
sudo apt-get -y upgrade
echo "upgrade-raspbian" >> ${PROGRESS_FILE}
fi
# Update IP address settings for Pi in /etc/dhcpcd.conf
if ! grep -q 'change-eth0-settings' ${PROGRESS_FILE}; then
echo -e "${Cya}6) Changing Pi Network settings${RCol}"
sudo cp /etc/dhcpcd.conf /etc/dhcpcd.conf.backup
sudo sed -i '/# static IP configuration for Ogden Active Directory service:/,$d' /etc/dhcpcd.conf;
sudo sed -i '/# Example static IP configuration:/,$d' /etc/dhcpcd.conf;
echo "# static IP configuration for Ogden Active Directory service:" | sudo tee -a /etc/dhcpcd.conf
echo "interface eth0" | sudo tee -a /etc/dhcpcd.conf;
echo "static routers=$GATEWAY" | sudo tee -a /etc/dhcpcd.conf;
echo "static ip_address=$IP_ADDRESS" | sudo tee -a /etc/dhcpcd.conf;
echo "static domain_name_servers=$DNS_SERVERS" | sudo tee -a /etc/dhcpcd.conf;
echo "static domain_search=$DOMAIN" | sudo tee -a /etc/dhcpcd.conf;
# Force immediate update to ip address
sudo ifconfig eth0 down
sudo ifconfig eth0 up
sudo service networking restart;
echo "change-eth0-settings" >> ${PROGRESS_FILE};
fi
# Change default pi hostname
if ! grep -q 'change-hostname' ${PROGRESS_FILE}; then
echo -e "${Cya}7) Changing Pi hostname settings${RCol}"
# Update /etc/hosts file prior to hostname change
sudo sed -i "/$HOSTNAME/d" /etc/hosts;
echo "$IP_ADDRESS_PRIMARY_AD $PRIMARY_AD_HOSTNAME.$DOMAIN $PRIMARY_AD_HOSTNAME" | sudo tee -a /etc/hosts;
echo "$IP_ADDRESS $HOSTNAME.$DOMAIN $HOSTNAME" | sudo tee -a /etc/hosts;
# Set new hostname by modifying /etc/hostname - only then delete our old hostname entry
sudo hostnamectl set-hostname $HOSTNAME
sudo sed -i '/raspberrypi/d' /etc/hosts;
sudo systemctl restart systemd-logind.service;
sudo service networking restart;
sleep 5s
echo "change-hostname" >> ${PROGRESS_FILE};
fi
# Ping to check local domain and dns is configured correctly prior to Samba installation
if ! grep -q 'ping-check-local-domain' ${PROGRESS_FILE}; then
echo -e "${Cya}8) Ping test AD DNS functionality${RCol}"
ping -c3 "$HOSTNAME";
PING1CHK=$?;
ping -c3 "$PRIMARY_AD_HOSTNAME.$DOMAIN";
PING2CHK=$?;
ping -c3 "$DOMAIN";
PING3CHK=$?;
ping -c3 "$HOSTNAME.$DOMAIN";
PING4CHK=$?;
if [ $PING1CHK -ne 0 ] || [ $PING2CHK -ne 0 ] || [ $PING3CHK -ne 0 ] || [ $PING4CHK -ne 0 ]; then
echo "ERROR: Could not ping host(s) and/or dns server. Exiting."
exit 2
fi
echo "ping-check-local-domain" >> ${PROGRESS_FILE};
fi
# Install NTP client functionality required for additional Active Directory instance
if ! grep -q 'install-ntp' ${PROGRESS_FILE}; then
echo -e "${Cya}9) Install NTP client functionality on server${RCol}"
sudo apt-get install -y ntpdate
echo "install-ntp" >> ${PROGRESS_FILE}
fi
# Force server time to synchronise with existing AD NTP server instance
if ! grep -q 'check-ntp-sync' ${PROGRESS_FILE}; then
echo -e "${Cya}10) Force server NTP client to synchronise time with existing AD instance $PRIMARY_AD_HOSTNAME.$DOMAIN ${RCol}"
# ntpdate -q reports "no server suitable..." on stderr, so capture both streams for the grep below
NTPSYNCCHK=$(ntpdate -qu $PRIMARY_AD_HOSTNAME 2>&1)
if echo "$NTPSYNCCHK" | grep -q 'no server suitable for synchronization found'; then
echo "ERROR: Could not synchronise to NTP servers. Exiting..."
exit 4
fi
echo "check-ntp-sync" >> ${PROGRESS_FILE}
fi
# Install Samba4 software
if ! grep -q 'install-samba' ${PROGRESS_FILE}; then
echo -e "${Cya}11) Installing Samba${RCol}"
echo "When prompted during installation please enter the following options at the installer prompt:";
echo -n "Default Kerberos realm: "; echo "$DOMAIN"|awk '{print toupper($0)}';
sudo apt-get install -y samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
echo "install-samba" >> ${PROGRESS_FILE}
fi
# Verify Samba installation by retrieving a Kerberos ticket
if ! grep -q 'kerberos-ticket-request-check' ${PROGRESS_FILE}; then
echo -e "${Cya}12) Request Kerberos new ticket to check Kerberos${RCol}"
echo "We will test Kerberos by requesting a new ticket for user administrator.";
echo "Please enter password for administrator@$WIN_DOMAIN when requested here";
KRB_ADMIN="administrator@`echo "$DOMAIN"|awk '{print toupper($0)}'`"
kinit $KRB_ADMIN
klist
echo "kerberos-ticket-request-check" >> ${PROGRESS_FILE}
fi
# Stop Samba4 services prior to provisioning
if ! grep -q 'stop-samba-services' ${PROGRESS_FILE}; then
echo -e "${Cya}13) Temporarily disable Samba prior to provisioning${RCol}"
sudo systemctl stop samba-ad-dc smbd nmbd winbind;
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
echo "stop-samba-services" >> ${PROGRESS_FILE}
fi
# Join new DC to pre-existing Samba 4 AD Domain:
if ! grep -q 'join-domain' ${PROGRESS_FILE}; then
echo -e "${Cya}14) Join new AD DC to existing Samba Domain${RCol}"
sudo samba-tool domain join $DOMAIN DC -U"$WIN_DOMAIN_UPPER\administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes' --option="dns forwarder = $EXTERNAL_DNS2 $EXTERNAL_DNS3 $EXTERNAL_DNS4"
echo "join-domain" >> ${PROGRESS_FILE}
fi
# Edit smb.conf and add some modified settings
#if ! grep -q 'modify-smb-config' ${PROGRESS_FILE}; then
#
# echo -e "${Cya}15) Modify Samba Configuration${RCol}"
#
# FIXME For now just fudge this by hardcoding IP addresses
# sudo sed -i '/^.global.$/a dns forwarder = 8.8.8.8\nidmap_ldb:use rfc2307 = yes\n\ntemplate shell = /bin/bash\nwinbind use default domain = true\nwinbind nss info = rfc2307\nwinbind enum users = yes\nwinbind enum groups = yes' /etc/samba/smb.conf
# echo "modify-smb-config" >> ${PROGRESS_FILE}
#fi
# Restart Samba following configuration changes
if ! grep -q 'restart-samba' ${PROGRESS_FILE}; then
echo -e "${Cya}16) Restart Samba Instance${RCol}"
sudo systemctl unmask samba-ad-dc
sudo systemctl restart samba-ad-dc
sleep 10s
echo "restart-samba" >> ${PROGRESS_FILE}
fi
# Check DRS replication status between both of our DCs
# (showrepl only reports the replication state with the other DC; it does not trigger a sync)
if ! grep -q 'samba-replicate-accounts' ${PROGRESS_FILE}; then
echo -e "${Cya}17) Check Samba Account Replication between Primary and Secondary DCs${RCol}"
sudo samba-tool drs showrepl
echo "samba-replicate-accounts" >> ${PROGRESS_FILE}
fi
# Update Kerberos configuration
if ! grep -q 'update-krb-config' ${PROGRESS_FILE}; then
echo -e "${Cya}18) Update Kerberos configuration${RCol}"
sudo mv /etc/krb5.conf /etc/krb5.conf.initial
sudo ln -s /var/lib/samba/private/krb5.conf /etc/
sudo cat /etc/krb5.conf
echo "update-krb-config" >> ${PROGRESS_FILE}
fi
# Verify Kerberos again now that /etc/krb5.conf is the one generated by Samba
# (a distinct progress key is needed here: step 12 already wrote 'kerberos-ticket-request-check',
# which would make this step skip every time)
if ! grep -q 'kerberos-ticket-recheck' ${PROGRESS_FILE}; then
echo -e "${Cya}19) Request Kerberos new ticket to check Kerberos${RCol}"
echo "We will test Kerberos by requesting a new ticket for user administrator.";
echo "Please enter password for administrator@$WIN_DOMAIN when requested here";
KRB_ADMIN="administrator@`echo "$DOMAIN"|awk '{print toupper($0)}'`"
kinit $KRB_ADMIN
klist
echo "kerberos-ticket-recheck" >> ${PROGRESS_FILE}
fi
# Do DNS test to verify everything
if ! grep -q 'dns-check-local-domain' ${PROGRESS_FILE}; then
echo -e "${Cya}20) DNS lookup check AD domain and AD server.${RCol}"
echo -e "${Red} Note that TWO separate IP addresses should be listed here.${RCol}"
host -t A "$DOMAIN"
DNS1CHK=$?;
host -t SRV "_kerberos._udp.$DOMAIN";
DNS2CHK=$?;
host -t SRV "_ldap._tcp.$DOMAIN";
DNS3CHK=$?;
if [ $DNS1CHK -ne 0 ] || [ $DNS2CHK -ne 0 ] || [ $DNS3CHK -ne 0 ]; then
echo "ERROR: Could not perform required DNS lookups! Exiting."
exit 3
fi
echo "dns-check-local-domain" >> ${PROGRESS_FILE};
fi
# Finally configure which daemons start at boot (samba-ad-dc only; smbd/nmbd/winbind are run by it)
if ! grep -q 'configure-samba-daemons' ${PROGRESS_FILE}; then
echo -e "${Cya}21) Configure Samba daemons to start at boot.${RCol}"
sudo systemctl disable smbd nmbd winbind
sudo systemctl enable samba-ad-dc
echo "configure-samba-daemons" >> ${PROGRESS_FILE};
fi
# Enable SSH service for remote access to AD server for configuration etc.
if ! grep -q 'enable-ssh' ${PROGRESS_FILE}; then
echo -e "${Cya}22) Enable SSH for remote AD server administration${RCol}"
sudo systemctl enable ssh
sudo systemctl start ssh
echo "enable-ssh" >> ${PROGRESS_FILE}
fi
# Update shell prompt to reflect change in local hostname
if ! grep -q 'update-shell-prompt' ${PROGRESS_FILE}; then
echo -e "${Cya}23) Restart shell to reflect changed hostname${RCol}"
echo "update-shell-prompt" >> ${PROGRESS_FILE}
sudo reboot
fi
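Step 20 above only tests that `host` exits 0 and leaves the "TWO separate IP addresses" condition to the eye. The functions below are an added example, not part of the posted ad2.sh: they parse `host` output and fail when fewer than two DC addresses come back for the domain, or when a DC is missing from the LDAP SRV record. The sample `host` output, and the ad1/ad2 hostnames and 192.168.1.228/229 addresses from the post, are constructed placeholders.

```shell
#!/bin/bash
# Added example, not part of the posted ad2.sh: parse `host` output so the
# "TWO separate IP addresses" condition of step 20 is checked, not just eyeballed.
# Real use: host -t A "$DOMAIN" | count_a_records
#           host -t SRV "_ldap._tcp.$DOMAIN" | srv_lists_all "ad1.$DOMAIN ad2.$DOMAIN"

# Count distinct IPv4 addresses in `host -t A` output read from stdin.
# Sample line: "samdom.example.com has address 192.168.1.229"
count_a_records() {
    awk '/ has address /{ if (!($NF in seen)) { seen[$NF] = 1; n++ } } END { print n + 0 }'
}

# Print the unique target hostnames in `host -t SRV` output, trailing dot stripped.
# Sample line: "_ldap._tcp.samdom.example.com has SRV record 0 100 389 ad1.samdom.example.com."
srv_targets() {
    awk '/ has SRV record /{ sub(/\.$/, "", $NF); print $NF }' | sort -u
}

# Succeed only when every expected DC ($1, space separated) is an SRV target.
srv_lists_all() {
    local expected="$1" found dc missing=0
    found=$(srv_targets)
    for dc in $expected; do
        if ! printf '%s\n' "$found" | grep -qx "$dc"; then
            echo "missing SRV target: $dc" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample output, as `host` prints it once ad2 is registered in AD DNS.
SAMPLE_A='samdom.example.com has address 192.168.1.229
samdom.example.com has address 192.168.1.228'
SAMPLE_SRV='_ldap._tcp.samdom.example.com has SRV record 0 100 389 ad1.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389 ad2.samdom.example.com.'

# The check step 20 should make: two DC addresses in the A record and both DCs
# in the LDAP SRV record; returns non-zero (like the script's exit 3) otherwise.
check_dns_for_two_dcs() {
    local n
    n=$(printf '%s\n' "$SAMPLE_A" | count_a_records)
    [ "$n" -ge 2 ] || { echo "ERROR: only $n DC address(es) in A record" >&2; return 1; }
    printf '%s\n' "$SAMPLE_SRV" | srv_lists_all "ad1.samdom.example.com ad2.samdom.example.com"
}
```

Running the same functions on live `host` output instead of the samples gives the script a real pass/fail test that a second DC has registered its own DNS records, which is also a quick way to tell a join that completed from one that only appeared to.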