Join an Additional Ubuntu DC to Samba4 AD DC for FailOver Replication - Part 5


This tutorial will show you how to add a second Samba4 domain controller, provisioned on an Ubuntu 16.04 server, to an existing Samba AD DC forest in order to provide a degree of load balancing/failover for some crucial AD DC services, especially for services such as DNS and the AD DC LDAP schema with the SAM database.

This article is Part 5 of the Samba4 AD DC series as follows:

  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu - Part 1

Step 1: Initial Configuration for Samba4 Setup

1. Before you actually start the domain join for the second DC, you need to take care of a few initial settings. First, make sure that the hostname of the system which will be integrated into the Samba4 AD DC contains a descriptive name.

Assuming that the hostname of the first provisioned domain controller is adc1, you can name the second DC adc2 in order to provide a consistent naming scheme across your Domain Controllers.

To change the system hostname, issue the command below.

# hostnamectl set-hostname adc2

Otherwise you can manually edit the /etc/hostname file and add a new line with the desired name.

# nano /etc/hostname

Add the hostname here.

adc2

2. Next, open the local system resolution file and add an entry that maps the IP address of the main domain controller to its short name and FQDN, as illustrated in the screenshot below.

Throughout this tutorial, the main DC is named adc1.tecmint.lan and it resolves to the IP address 192.168.1.254.

# nano /etc/hosts

Add the following line:

IP_of_main_DC		FQDN_of_main_DC 	short_name_of_main_DC

3. In the next step, open /etc/network/interfaces and assign a static IP address for your system as illustrated in the screenshot below.

Pay attention to the dns-nameservers and dns-search variables. These values must point to the IP address of the first Samba4 AD DC and to the realm so that DNS resolution works correctly.

Restart the network daemon to apply the changes. Check the /etc/resolv.conf file to make sure that both DNS values from your network interface have been written to this file.

# nano /etc/network/interfaces

Edit and replace with your custom IP settings:

auto ens33
iface ens33 inet static
        address 192.168.1.253
        netmask 255.255.255.0
        # the broadcast address of 192.168.1.0/24 is .255 (the gateway is .1)
        broadcast 192.168.1.255
        gateway 192.168.1.1
        dns-nameservers 192.168.1.254
        dns-search tecmint.lan

Restart the network service and confirm the changes.

# systemctl restart networking.service
# cat /etc/resolv.conf

The dns-search value automatically appends the domain name when you query a host by its short name (it forms the FQDN).

4. To test whether DNS resolution works as expected, issue a series of ping commands against your domain short name, FQDN and realm as shown in the screenshot below.

In all of these cases the Samba4 AD DC DNS server should reply with the IP address of your main DC.

5. One last additional step you need to take care of is time synchronization with your main Domain Controller. This can be achieved by installing the NTP client utility on your system with the command below:

# apt-get install ntpdate

6. Assuming you want to manually force time synchronization with the Samba4 AD DC, run the ntpdate command against the primary DC by issuing the following command.

# ntpdate adc1
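Before moving on to the join, it is worth checking the Step 1 prerequisites programmatically instead of comparing against screenshots. The script below is an added example and not code from the original article: it verifies the hostname, the /etc/hosts entry for the main DC, the resolver settings that dns-nameservers/dns-search produce in /etc/resolv.conf, and the clock offset reported by `ntpdate -q` (Kerberos rejects tickets once the skew exceeds 300 seconds by default, so a large offset will break the join). The values adc1.tecmint.lan, 192.168.1.254 and adc2 are taken from this tutorial; the `ntpdate -q` output line format is an assumption; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: pre-join sanity checks for
# the Step 1 settings (hostname, /etc/hosts entry for the main DC, resolver,
# clock offset). Values follow the tutorial; the `ntpdate -q` line format
# ("server IP, stratum N, offset F, delay F") is an assumption.

MAIN_DC_IP="192.168.1.254"
MAIN_DC_FQDN="adc1.tecmint.lan"
MAIN_DC_SHORT="adc1"
REALM="tecmint.lan"
MAX_SKEW=300   # Kerberos default maximum clock skew, in seconds

# hostname_ok NAME: 0 for a plain single DNS label (letters, digits, hyphen),
# which is what the tutorial sets (adc2); rejects empty, dotted or localhost
hostname_ok() {
    case "$1" in
        ""|localhost|*.*|*[!A-Za-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# hosts_maps_main_dc CONTENT: 0 if a non-comment line of /etc/hosts content maps
# MAIN_DC_IP to both the FQDN and the short name (the line Step 2 asks you to add)
hosts_maps_main_dc() {
    printf '%s\n' "$1" | awk -v ip="$MAIN_DC_IP" -v fqdn="$MAIN_DC_FQDN" -v sname="$MAIN_DC_SHORT" '
        /^[[:space:]]*#/ { next }
        $1 == ip { f = 0; s = 0
                   for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == sname) s = 1 }
                   if (f && s) ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# resolv_points_to_main_dc CONTENT: 0 if resolv.conf content lists MAIN_DC_IP as a
# nameserver and REALM in its search list
resolv_points_to_main_dc() {
    ip_re=$(printf '%s' "$MAIN_DC_IP" | sed 's/\./\\./g')
    realm_re=$(printf '%s' "$REALM" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -qE "^nameserver[[:space:]]+$ip_re([[:space:]]|\$)" || return 1
    printf '%s\n' "$1" | grep -qE "^search([[:space:]]+[^[:space:]]+)*[[:space:]]+$realm_re([[:space:]]|\$)"
}

# offset_within_skew NTPDATE_Q_OUTPUT: 0 if the absolute offset reported on the
# "server ..." line is below MAX_SKEW; 1 if it is larger or no offset was found
offset_within_skew() {
    printf '%s\n' "$1" | awk -v max="$MAX_SKEW" '
        /^server / { for (i = 1; i <= NF; i++) if ($i == "offset") { off = $(i+1); sub(/,$/, "", off); off = off + 0; found = 1 } }
        END { if (!found) exit 1; if (off < 0) off = -off; exit ((off < max) ? 0 : 1) }'
}

# Constructed sample file contents and tool output (not captures from a real host)
SAMPLE_HOSTS="127.0.0.1       localhost
192.168.1.254   adc1.tecmint.lan   adc1"
SAMPLE_RESOLV="nameserver 192.168.1.254
search tecmint.lan"
SAMPLE_NTP="server 192.168.1.254, stratum 3, offset 0.004212, delay 0.02583"

# run_live_checks: the same checks against the real files on this host
run_live_checks() {
    hostname_ok "$(hostname)"                          || echo "hostname is not a short DC name"
    hosts_maps_main_dc "$(cat /etc/hosts)"             || echo "/etc/hosts lacks the main DC entry"
    resolv_points_to_main_dc "$(cat /etc/resolv.conf)" || echo "resolver does not point at $MAIN_DC_IP"
    offset_within_skew "$(ntpdate -q "$MAIN_DC_SHORT")" || echo "clock offset too large for Kerberos"
}

# Demonstration on the constructed samples; call run_live_checks on a real host
hostname_ok "adc2" && hosts_maps_main_dc "$SAMPLE_HOSTS" \
  && resolv_points_to_main_dc "$SAMPLE_RESOLV" && offset_within_skew "$SAMPLE_NTP" \
  && echo "pre-join checks passed on sample input"
```

Run `run_live_checks` as root on the future adc2 after steps 1 to 6; any message it prints names the setting that still needs attention before the join in Step 3 is attempted.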

Step 2: Install Samba4 with the Required Dependencies

7. To integrate the Ubuntu 16.04 system into your domain, first install Samba4, the Kerberos client and a few other important packages for later use from the official Ubuntu repositories by issuing the command below:

# apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind

8. During installation you will be asked to provide the Kerberos realm name. Type your domain name in uppercase and press the [Enter] key to finish the installation process.

9. After the package installation has finished, verify the settings by requesting a Kerberos ticket for a domain administrator with the kinit command. Use the klist command to list the granted Kerberos ticket.

# kinit your_domain_admin@YOUR_DOMAIN.TLD
# klist

Step 3: Join Samba4 AD DC as a Domain Controller

10. Before joining your machine to the Samba4 DC, first make sure that all Samba4 daemons running on your system are stopped and, also, rename the default Samba configuration file in order to start clean. While provisioning the domain controller, samba will create a new configuration file from scratch.

# systemctl stop samba-ad-dc smbd nmbd winbind
# mv /etc/samba/smb.conf /etc/samba/smb.conf.initial

11. To start the domain join process, first start only the samba-ad-dc daemon, then run the samba-tool command to join the realm using an account with administrative privileges on your domain.

# samba-tool domain join your_domain DC -U "your_domain_admin"

Sample output of the domain join:

# samba-tool domain join tecmint.lan DC -U"tecmint_user"
Finding a writeable DC for domain 'tecmint.lan'
Found DC adc1.tecmint.lan
Password for [WORKGROUP\tecmint_user]:
workgroup is TECMINT
realm is tecmint.lan
checking sAMAccountName
Deleted CN=ADC2,CN=Computers,DC=tecmint,DC=lan
Adding CN=ADC2,OU=Domain Controllers,DC=tecmint,DC=lan
Adding CN=ADC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tecmint,DC=lan
Adding CN=NTDS Settings,CN=ADC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tecmint,DC=lan
Adding SPNs to CN=ADC2,OU=Domain Controllers,DC=tecmint,DC=lan
Setting account password for ADC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=tecmint,DC=lan
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[1614/1614] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=tecmint,DC=lan] objects[97/97] linked_values[24/0]
Partition[DC=tecmint,DC=lan] objects[380/283] linked_values[27/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=tecmint,DC=lan
Partition[DC=DomainDnsZones,DC=tecmint,DC=lan] objects[45/45] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=tecmint,DC=lan
Partition[DC=ForestDnsZones,DC=tecmint,DC=lan] objects[18/18] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain TECMINT (SID S-1-5-21-715537322-3397311598-55032968) as a DC

12. After Ubuntu has been joined to the domain with the samba4 software, open the main samba configuration file and add the following lines:

# nano /etc/samba/smb.conf

Add the following to the smb.conf file.

        dns forwarder = 192.168.1.1
        idmap_ldb:use rfc2307 = yes

        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

Replace the dns forwarder IP address with the IP of your own DNS forwarder. Samba will forward all DNS resolution queries that fall outside your domain's authoritative zone to this IP address.

13. Finally, restart the samba daemon to apply the changes and check directory replication by executing the following commands.

# systemctl restart samba-ad-dc
# samba-tool drs showrepl

14. Additionally, rename the initial Kerberos configuration file in the /etc path and replace it with the new krb5.conf configuration file that samba generated while provisioning the domain.

The file is located in the /var/lib/samba/private directory. Use a Linux symlink to link this file into the /etc directory.

# mv /etc/krb5.conf /etc/krb5.conf.initial
# ln -s /var/lib/samba/private/krb5.conf /etc/
# cat /etc/krb5.conf

15. Also, verify Kerberos authentication with the samba krb5.conf file. Request a ticket for an administrative user and list the cached ticket by issuing the commands below.

# kinit administrator
# klist

Step 4: Final Domain Controller Validations

16. The first test you need to perform is Samba4 DC DNS resolution. To validate your domain DNS resolution, query the domain name with the host command against some crucial AD DNS records, as presented in the screenshot below.

The DNS server should now reply with two IP addresses for each query.

# host your_domain.tld
# host -t SRV _kerberos._udp.your_domain.tld  # UDP Kerberos SRV record
# host -t SRV _ldap._tcp.your_domain.tld  # TCP LDAP SRV record
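Since the screenshots of the expected answers are not reproduced here, the following added example (not code from the original article) turns the checks of steps 13 and 16 into assertions: the A and SRV answers returned by `host` must name both domain controllers, and the `samba-tool drs showrepl` output must show a successful last attempt and zero consecutive failures for every replication partner. The domain tecmint.lan and the DC addresses 192.168.1.254 (adc1) and 192.168.1.253 (adc2) are the tutorial's; the sample tool output is constructed in the format these tools print and is not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original article: post-join verification of
# AD DNS answers (step 16) and DRS replication status (step 13). Values follow
# the tutorial; the host/samba-tool output formats are as assumed in the samples.

DOMAIN="tecmint.lan"
DC_IPS="192.168.1.254 192.168.1.253"
DC_NAMES="adc1.$DOMAIN adc2.$DOMAIN"

# count_present TEXT TOKENS: how many of the whitespace-separated TOKENS occur in TEXT
count_present() {
    text="$1"; n=0
    for tok in $2; do
        if printf '%s\n' "$text" | grep -qF -- "$tok"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# a_record_lists_both_dcs TEXT: 0 if `host $DOMAIN` output carries both DC IPs
a_record_lists_both_dcs() {
    [ "$(count_present "$1" "$DC_IPS")" -eq 2 ]
}

# srv_lists_both_dcs TEXT: 0 if `host -t SRV ...` output carries both DC hostnames
srv_lists_both_dcs() {
    [ "$(count_present "$1" "$DC_NAMES")" -eq 2 ]
}

# replication_healthy TEXT: 0 if `samba-tool drs showrepl` output shows only
# successful last attempts and zero consecutive failures for every partner
replication_healthy() {
    text="$1"
    # a partner whose last attempt failed
    if printf '%s\n' "$text" | grep -q "failed"; then return 1; fi
    # a non-zero consecutive failure counter
    if printf '%s\n' "$text" | grep "consecutive failure" | grep -qv " 0 consecutive"; then return 1; fi
    # at least one successful attempt must be present (empty output is not healthy)
    printf '%s\n' "$text" | grep -q "was successful"
}

# Constructed sample outputs in the format these tools print (not real captures)
SAMPLE_A="tecmint.lan has address 192.168.1.254
tecmint.lan has address 192.168.1.253"

SAMPLE_SRV="_ldap._tcp.tecmint.lan has SRV record 0 100 389 adc1.tecmint.lan.
_ldap._tcp.tecmint.lan has SRV record 0 100 389 adc2.tecmint.lan."

SAMPLE_REPL_OK="==== INBOUND NEIGHBORS ====

DC=tecmint,DC=lan
    Default-First-Site-Name\\ADC1 via RPC
        Last attempt @ Mon Jan  2 10:00:00 2017 UTC was successful
        0 consecutive failure(s).
        Last success @ Mon Jan  2 10:00:00 2017 UTC"

SAMPLE_REPL_BAD="==== INBOUND NEIGHBORS ====

DC=tecmint,DC=lan
    Default-First-Site-Name\\ADC1 via RPC
        Last attempt @ Mon Jan  2 10:00:00 2017 UTC failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).
        Last success @ Mon Jan  2 09:00:00 2017 UTC"

# run_live_checks: the same checks against the live DC (run on adc2 as root)
run_live_checks() {
    a_record_lists_both_dcs "$(host "$DOMAIN")"                     || echo "A record: a DC is missing"
    srv_lists_both_dcs "$(host -t SRV "_ldap._tcp.$DOMAIN")"        || echo "LDAP SRV: a DC is missing"
    srv_lists_both_dcs "$(host -t SRV "_kerberos._udp.$DOMAIN")"    || echo "Kerberos SRV: a DC is missing"
    replication_healthy "$(samba-tool drs showrepl)"                || echo "DRS replication reports failures"
}

# Demonstration on the constructed samples
a_record_lists_both_dcs "$SAMPLE_A"    && echo "A records: both DCs present"
srv_lists_both_dcs "$SAMPLE_SRV"       && echo "SRV records: both DCs present"
replication_healthy "$SAMPLE_REPL_OK"  && echo "replication: healthy"
replication_healthy "$SAMPLE_REPL_BAD" || echo "replication: failing partner found"
```

A missing DC in the SRV answers usually means the DNS records of the new DC were not registered during the join, while a failing partner in the showrepl output points at connectivity or Kerberos problems between the two DCs; both should be resolved before clients are pointed at adc2 in Step 5.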

17. These DNS records should also be visible from a Windows machine registered in the domain with the RSAT tools installed. Open DNS Manager and expand to your domain's tcp records as shown in the screenshot below.

18. The next test should show whether domain LDAP replication works as expected. Using samba-tool, create an account on the second domain controller and verify that the account is automatically replicated on the first Samba4 AD DC.

# samba-tool user add test_user            # run on adc2 (the new DC)
# samba-tool user list | grep test_user    # run on adc1 to confirm replication

19. You can also create an account from the Microsoft AD UC console and verify that the account appears on both domain controllers.

By default, the account should be created automatically on both samba domain controllers. Query the account name from adc1 using the wbinfo command.

20. Finally, open the AD UC console from Windows, expand to Domain Controllers and you should see the registered DC machines.

Step 5: Enable the Samba4 AD DC Service

21. To enable the samba4 AD DC services system-wide, first disable the old, unused Samba daemons and enable only the samba-ad-dc service by executing the commands below:

# systemctl disable smbd nmbd winbind
# systemctl enable samba-ad-dc

22. If you manage the Samba4 domain controller remotely from a Microsoft client, or have other Linux or Windows clients joined to your domain, make sure you add the IP address of the adc2 machine to the DNS server IP settings of their network interfaces in order to achieve a level of redundancy.

The screenshots below illustrate the configuration required for a Windows or Debian/Ubuntu client.

Assuming that the first DC with 192.168.1.254 goes offline, reverse the order of the DNS server IP addresses in the configuration file so that the client does not try to query the unavailable DNS server first.

Finally, if you want to perform local authentication on a Linux system with a Samba4 Active Directory account, or grant root privileges to AD LDAP accounts in Linux, read steps 2 and 3 of the tutorial Manage Samba4 AD Infrastructure from Linux Command Line.