Joining a CentOS server to an existing Samba AD DC domain as a second DC is much like building the first AD DC, but it differs at the end: you join the domain instead of provisioning it. Here are the directions I used for this post to join a CentOS 7.1611 server to an existing Samba Active Directory.

I will be using this information for the second (minimal) Samba AD DC server:

Samba Server: dc2
IP Address: 192.168.2.101
Netmask: 255.255.255.0
Default Gateway: 192.168.2.1
DNS1=192.168.2.100
DNS2=192.168.2.101
DNS3=192.168.2.1
DNS Domain Name: bales.lan
NetBIOS Domain Name: BALES

DNS Backend: SAMBA_INTERNAL

After Installing CentOS:

Log in over SSH as root and first update the server:

yum update

Then disable the firewall:

systemctl disable firewalld

Then install nano and wget.

yum install nano wget

Reboot.

Prerequisite CentOS:

I changed the network configuration. Note that I set the first DNS server to the IP address of the first Samba AD DC, ‘dc1’ at 192.168.2.100, so that the second server will be able to find it.

nano /etc/sysconfig/network-scripts/ifcfg-ens33

TYPE="Ethernet"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="1496869c-3a1c-4023-88b0-1d9733dff793"
DEVICE="ens33"
ONBOOT="yes"
DNS1="192.168.2.100"
DNS2="192.168.2.101"
DNS3="192.168.2.1"
IPADDR="192.168.2.101"
PREFIX="24"
GATEWAY="192.168.2.1"

Then I changed the /etc/hosts file to match the actual IP of my server (dc2):

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.2.101 dc2.bales.lan dc2
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

I then extended the PATH with ‘:/usr/local/samba/bin:/usr/local/samba/sbin’ by creating a new file called samba-path.sh in the /etc/profile.d/ directory:

nano /etc/profile.d/samba-path.sh

PATH=${PATH}:/usr/local/samba/bin:/usr/local/samba/sbin

Installing the requirements/dependencies for Samba AD DC:

yum install perl gcc attr libacl-devel libblkid-devel \
    gnutls-devel readline-devel python-devel gdb pkgconfig \
    krb5-workstation zlib-devel setroubleshoot-server libaio-devel \
    setroubleshoot-plugins policycoreutils-python \
    libsemanage-python perl-ExtUtils-MakeMaker perl-Parse-Yapp \
    popt-devel libxml2-devel libattr-devel \
    keyutils-libs-devel cups-devel bind-utils libxslt \
    docbook-style-xsl openldap-devel autoconf python-crypto pam-devel

Reboot.

Installing Samba and Joining the bales.lan:

Make a directory for samba4 and download the current samba file:

mkdir /samba
cd /samba
wget https://download.samba.org/pub/samba/stable/samba-4.6.0.tar.gz

Then extract the archive:

tar -zxf samba-4.6.0.tar.gz

Go to the extracted source directory (/samba/samba-4.6.0) and first configure Samba:

./configure

Then a make:

make

Then make install:

make install

Then lastly create /etc/krb5.conf with only these three lines:

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = BALES.LAN

Reboot.

Time to join the Samba AD DC domain:

# samba-tool domain join bales.lan DC -U"BALES\administrator" --dns-backend=SAMBA_INTERNAL

Found DC dc1.bales.lan
Password for [WORKGROUP\administrator]:
workgroup is BALES
realm is bales.lan
checking sAMAccountName
Adding CN=DC2,OU=Domain Controllers,DC=bales,DC=lan
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=bales,DC=lan
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Provision OK for domain DN DC=bales,DC=lan
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=bales,DC=lan] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=bales,DC=lan] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=bales,DC=lan] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=bales,DC=lan] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=bales,DC=lan] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=bales,DC=lan] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=bales,DC=lan] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=bales,DC=lan] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=bales,DC=lan] objects[1614/1614] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=bales,DC=lan] objects[97/97] linked_values[23/0]
Partition[DC=bales,DC=lan] objects[364/267] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=bales,DC=lan
Partition[DC=DomainDnsZones,DC=bales,DC=lan] objects[40/40] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=bales,DC=lan
Partition[DC=ForestDnsZones,DC=bales,DC=lan] objects[18/18] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain BALES (SID S-1-5-21-2467930394-1560492651-202832562) as a DC

Start samba:

samba

Testing your newly joined domain controller (dc2):

Resolving your A record:

host -t A dc2.bales.lan

dc2.bales.lan has address 192.168.2.101

If it cannot resolve it then add it.

# samba-tool dns add dc1 bales.lan dc2 A 192.168.2.101 -Uadministrator

Password for [BALES\administrator]: *
Record added successfully

According to this Samba post you should also verify that the CNAME is correct by running:

# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid

But instead of doing this:

# record 1
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
objectGUID: b490caa1-1fef-45ad-89b7-3a96c2666515

# record 2
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
objectGUID: c0754d24-ebaf-4cac-81b1-f28372e88bb6

# returned 2 records
# 2 entries
# 0 referrals

It does this – nothing:

[root@dc2 ~]# # ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
[root@dc2 ~]#

Then test the CNAME for dc2 (centos2):

# host -t CNAME c0754d24-ebaf-4cac-81b1-f28372e88bb6._msdcs.bales.lan

c0754d24-ebaf-4cac-81b1-f28372e88bb6._msdcs.bales.lan is an alias for dc2.bales.lan.

If not found add it:

# samba-tool dns add dc1 _msdcs.bales.lan c0754d24-ebaf-4cac-81b1-f28372e88bb6 CNAME dc2.bales.lan -Uadministrator
Password for [BALES\administrator]: *
Record added successfully

But the CNAME does show up in the DNS console on Windows 10.

[Screenshot: CNAME for dc2]

Configuring the dc2 smb.conf

Add the dns forwarder and rfc2307 settings to the smb.conf file:

# Global parameters
[global]
 workgroup = BALES
 realm = bales.lan
 netbios name = dc2
 server role = active directory domain controller
 dns forwarder = 192.168.2.1
 idmap_ldb:use rfc2307 = yes

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/bales.lan/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No

Check that your servers are replicating.

Every inbound and outbound connection should show 0 consecutive failure(s). It may take several minutes to complete; if it has not completed after 15 minutes, trigger the replication manually from a Windows machine.

# samba-tool drs showrepl

Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: 30533a7b-e92c-4e9e-bacc-cc00bd6f97b9
DSA invocationId: 8ef552b6-1f07-4d3e-98d4-b7942ab19037
==== INBOUND NEIGHBORS ====

CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 8370c731-a994-49ca-9ba4-2383191ee6c2
 Last attempt @ Wed Mar 8 09:27:02 2017 PST was successful
 0 consecutive failure(s).
 Last success @ Wed Mar 8 09:27:02 2017 PST

DC=ForestDnsZones,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 8370c731-a994-49ca-9ba4-2383191ee6c2
 Last attempt @ Wed Mar 8 09:27:02 2017 PST was successful
 0 consecutive failure(s).
 Last success @ Wed Mar 8 09:27:02 2017 PST

DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 8370c731-a994-49ca-9ba4-2383191ee6c2
 Last attempt @ Wed Mar 8 09:27:03 2017 PST was successful
 0 consecutive failure(s).
 Last success @ Wed Mar 8 09:27:03 2017 PST

CN=Schema,CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 8370c731-a994-49ca-9ba4-2383191ee6c2
 Last attempt @ Wed Mar 8 09:27:03 2017 PST was successful
 0 consecutive failure(s).
 Last success @ Wed Mar 8 09:27:03 2017 PST

DC=DomainDnsZones,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 8370c731-a994-49ca-9ba4-2383191ee6c2
 Last attempt @ Wed Mar 8 09:27:02 2017 PST was successful
 0 consecutive failure(s).
 Last success @ Wed Mar 8 09:27:02 2017 PST

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 8370c731-a994-49ca-9ba4-2383191ee6c2
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

DC=ForestDnsZones,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 8370c731-a994-49ca-9ba4-2383191ee6c2
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 8370c731-a994-49ca-9ba4-2383191ee6c2
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 8370c731-a994-49ca-9ba4-2383191ee6c2
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

DC=DomainDnsZones,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 8370c731-a994-49ca-9ba4-2383191ee6c2
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
 Connection name: 3dc913ac-06ee-4149-bfd3-0c9b41d172d0
 Enabled : TRUE
 Server DNS name : dc1.bales.lan
 Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
 TransportType: RPC
 options: 0x00000001
Warning: No NC replicated for Connection!

If everything is OK, you have a joined domain controller! If not, go to https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting.

The DNS configuration on domain controllers (DCs) is important: if a DC is unable to locate the other DCs, replication will fail. Once it all works, make sure each domain controller's DNS settings point at the other DC as well as itself (crosswise), as I did on the second server.
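The post's checks (A record, _msdcs CNAME derived from the NTDS Settings objectGUID, and the showrepl failure counters) gathered into one script, as an added example that is not part of the original post. The host names, domain and sam.ldb path are the post's; the showrepl excerpt is constructed, and the parsing functions can be run offline on captured output.

```shell
#!/bin/sh
# Added example, not from the original post: post-join health checks for a
# second Samba AD DC. The parsers work on captured text so they can be run
# offline; the live helpers at the end wrap the commands the post uses.
# Host names, domain and paths are the post's (dc2, bales.lan); the sample
# showrepl excerpt below is constructed, with one failing partition.

# Constructed excerpt of `samba-tool drs showrepl` output.
SAMPLE_SHOWREPL='==== INBOUND NEIGHBORS ====
CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 0 consecutive failure(s).
DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 3 consecutive failure(s).'

# Read showrepl output on stdin; print how many partitions report a
# non-zero consecutive failure counter (0 means replication is healthy).
showrepl_failures() {
    awk '/consecutive failure/ { n += ($1 != 0) } END { print n + 0 }'
}

# Succeed only if a `host -t CNAME` answer ($1) is an alias for the FQDN $2.
cname_points_to() {
    case "$1" in
        *"is an alias for $2."*) return 0 ;;
        *) return 1 ;;
    esac
}

# objectGUID of the NTDS Settings object of DC $1 (e.g. DC2), taken from the
# post's ldbsearch query; this GUID names the DC's CNAME under _msdcs.
dc_ntds_guid() {
    ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' \
        --cross-ncs objectGUID |
        awk -v dn="dn: CN=NTDS Settings,CN=$1," \
            'index($0, dn) == 1 { found = 1 }
             found && /^objectGUID:/ { print $2; exit }'
}

# Live check on the DC: A record, _msdcs CNAME and replication status.
# Type the commands without the "#" prompt shown in the post; a leading "#"
# makes the shell treat the whole line as a comment and run nothing.
check_dc() {   # $1 = DC short name, $2 = DNS domain
    guid=$(dc_ntds_guid "$(printf '%s' "$1" | tr 'a-z' 'A-Z')") || return 1
    host -t A "$1.$2" >/dev/null || return 1
    cname_points_to "$(host -t CNAME "$guid._msdcs.$2")" "$1.$2" || return 1
    [ "$(samba-tool drs showrepl | showrepl_failures)" -eq 0 ]
}

if [ "${1:-}" = "--live" ]; then check_dc dc2 bales.lan; fi
```

Run it with --live as root on dc2 to perform the real checks; without arguments it only defines the functions.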

References:

https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory
