Linux Samba4 AD-DC on Ubuntu 18.04 is the fourth of the five Linux AD-DC configuration articles I currently have for Ubuntu Server 18.04. Recalling the first three articles, let's sum up the interim result. First we installed and pre-configured bind9. Second came samba4, and the domain was provisioned. In the third article bind9 was finished, and it became ready to serve the zone of our free domain controller. By free I mean not only great power but also great responsibility. Being free promises you not only savings but also special rituals associated with its maintenance, and along with them you also get restrictions.
Unlike a Windows domain controller, you won't be able to put tens of thousands of machines into the Linux controller and maintain them normally, because you'll run into the limitations of bind9 and of the LDAP module that comes in the kit. You can't build trust between domains. There are other restrictions too, but they matter for very large enterprises. As long as you run a small network for a small business, you're fine: your ship sails under the white flag in the neutral waters of open source, and everything else is well protected from the risk of paid administration or worse.
All articles in the recommended reading order:
- Configuring BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 1
- Linux AD-DC on Ubuntu 18.04 – Setting Samba4 – Part 1
- Set up BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 2
- Linux Samba4 AD-DC on Ubuntu 18.04 – Settings – Part 2
- DHCP server for Linux AD-DC Ubuntu 18.04. Integration with BIND9
- Domain Controller on Ubuntu 18.04 – Time Synchronization – NTP
- Administering the Linux domain controller
Linux Samba4 AD-DC – Settings – Part 2
Set up a startup
For proper operation, all Samba processes must be run by the samba-ad-dc service itself and by nothing else. If a Samba process is started not by samba-ad-dc but, for example, by root from a shell, and that process creates some file the domain controller needs, then at the very least you can break the entire domain, because it will not start. After that, to get it working again, you have to dig through everything manually looking for where the mistake is, until you are blue in the face searching for the cause of the error. I've done it with a few customers, so I don't wish it on anyone. It's easier to do it right from the start. Or, if there is a mistake at this stage, spend 20 minutes and redo everything from scratch. And don't tell me it isn't a 10-minute job. The longest webinar on setting up a domain controller from start to finish, with detours into theory, takes me no more than 60 minutes. First stop, disable and mask the classic file-server daemons:
sudo systemctl stop smbd nmbd winbind
sudo systemctl disable smbd nmbd winbind
sudo systemctl mask smbd nmbd winbind
Unmask samba-ad-dc so it can be started, start the service and enable it to start at boot:
sudo systemctl unmask samba-ad-dc
sudo systemctl start samba-ad-dc
sudo systemctl enable samba-ad-dc
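A small check script for the unit state described above, added here as an example and not part of the original article. It confirms that smbd, nmbd and winbind are masked and not running while samba-ad-dc is enabled and active. The SYSTEMCTL variable is an assumed override hook (it defaults to the real systemctl) so the functions can be exercised against a stand-in command on a machine without systemd.

```shell
#!/bin/sh
# Added example, not from the original article: confirm that the classic
# Samba daemons are masked and that only samba-ad-dc is enabled and running.
# SYSTEMCTL is an assumed override hook (defaults to the real systemctl);
# it lets the check run against a stand-in command on a host without systemd.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# unit_state NAME -> prints "<enabled-state>/<active-state>", e.g. "masked/inactive".
# is-enabled/is-active exit non-zero for masked or inactive units, so the
# status words are captured regardless of the exit code.
unit_state() {
    en=$("$SYSTEMCTL" is-enabled "$1" 2>/dev/null || true)
    ac=$("$SYSTEMCTL" is-active "$1" 2>/dev/null || true)
    printf '%s/%s\n' "${en:-unknown}" "${ac:-unknown}"
}

# check_ad_dc_units -> exit 0 when smbd, nmbd and winbind are masked and not
# running and samba-ad-dc is enabled and active; prints one line per unit.
check_ad_dc_units() {
    rc=0
    for u in smbd nmbd winbind; do
        s=$(unit_state "$u")
        case "$s" in
            masked/inactive) printf 'ok   %-12s %s\n' "$u" "$s" ;;
            *) printf 'FAIL %-12s %s (expected masked/inactive)\n' "$u" "$s"; rc=1 ;;
        esac
    done
    s=$(unit_state samba-ad-dc)
    case "$s" in
        enabled/active) printf 'ok   %-12s %s\n' samba-ad-dc "$s" ;;
        *) printf 'FAIL %-12s %s (expected enabled/active)\n' samba-ad-dc "$s"; rc=1 ;;
    esac
    return "$rc"
}

# Run the check when executed directly; sourcing the file only defines the functions.
case "$0" in */check_ad_dc_units.sh) check_ad_dc_units ;; esac
```

Save it as check_ad_dc_units.sh and run it after the unmask/start/enable commands; a non-zero exit code means one of the units is in the wrong state and is worth fixing before going any further.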
Set up a DNS address
Point the name server setting at our own AD DC IP address:
sudo nano /etc/netplan/*.yaml
To do this, configure the network parameters along the following lines:
dhcp4: no
dhcp6: no
addresses: [192.168.1.100/24, ]
gateway4: 192.168.1.1
nameservers:
  addresses: [192.168.1.100, ]
Set the name server address as well, not forgetting to specify the AD DC IP address there, bringing the file to this form:
sudo nano /etc/resolv.conf
nameserver 192.168.1.100 search adminguide.lan
Ubuntu Domain Controller – Kerberos Settings
When the AD DC is provisioned, a Kerberos configuration file is created; its path is shown at the end of the provisioning report. To avoid doing the work twice, replace the existing Kerberos settings file with the one that was just created.
sudo cp /var/lib/samba/private/krb5.conf /etc/
Make sure everything works.
- Look at the shares available on the controller
smbclient -L localhost -U%
Remember that they are created automatically at provisioning time, and if they are missing, something went wrong somewhere, and because of that nothing will work properly or even start.
- Check that you can connect to netlogon
Now let's see whether the domain administrator can access the netlogon share:
smbclient //localhost/netlogon -UAdministrator -c 'ls'
- When prompted for credentials, enter the password set at provisioning time. On success you get a listing of the share.
- Now check that DNS is configured correctly
If bind9 is configured incorrectly, the AD DC will not start. To check, try to retrieve the required records from the server.
- First, look at the _ldap SRV record
host -t SRV _ldap._tcp.adminguide.lan.
adminguideru@ag-dc-1:~$ host -t SRV _ldap._tcp.adminguide.lan.
_ldap._tcp.adminguide.lan has SRV record 0 100 389 ag-dc-1.adminguide.lan.
- Second, look at the _kerberos SRV record
host -t SRV _kerberos._udp.adminguide.lan.
adminguideru@ag-dc-1:~$ host -t SRV _kerberos._udp.adminguide.lan.
_kerberos._udp.adminguide.lan has SRV record 0 100 88 ag-dc-1.adminguide.lan.
- Third, check the domain controller's A record
host -t A ag-dc-1.adminguide.lan.
adminguideru@ag-dc-1:~$ host -t A ag-dc-1.adminguide.lan.
ag-dc-1.adminguide.lan has address 192.168.1.100
Linux Samba4 AD-DC – Check Kerberos health
kinit administrator
adminguideru@ag-dc-1:~$ kinit administrator
Password for administrator@ADMINGUIDE.LAN:
Warning: Your password will expire in 39 days on Tue 06 Oct 2020 18:59:04
Linux Samba4 AD-DC – View the Kerberos ticket cache
klist
adminguideru@ag-dc-1:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@ADMINGUIDE.LAN

Valid starting       Expires              Service principal
27.08.2020 19:10:16  28.08.2020 05:10:16  krbtgt/ADMINGUIDE.LAN@ADMINGUIDE.LAN
	renew until 28.08.2020 19:10:14
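The three DNS checks above (the _ldap SRV record, the _kerberos SRV record and the controller's A record) can be repeated non-interactively with the script below, added here as an example and not part of the original article. It runs the same host queries, parses the answers and fails if any record is missing, has the wrong port or points at a different host or address. HOST, DOMAIN, DC_FQDN and DC_IP are assumed override hooks; their defaults are the article's own values (adminguide.lan, ag-dc-1.adminguide.lan, 192.168.1.100), and HOST can be pointed at a stand-in command for testing.

```shell
#!/bin/sh
# Added example, not from the original article: repeat the article's DNS checks
# non-interactively and fail if any record is missing or points somewhere else.
# HOST, DOMAIN, DC_FQDN and DC_IP are assumed override hooks; the defaults are
# the article's own values, and HOST can be pointed at a stand-in for testing.
HOST="${HOST:-host}"
DOMAIN="${DOMAIN:-adminguide.lan}"
DC_FQDN="${DC_FQDN:-ag-dc-1.adminguide.lan}"
DC_IP="${DC_IP:-192.168.1.100}"

# srv_check NAME PORT -> exit 0 if "<NAME>.<DOMAIN>" has an SRV record on PORT
# whose target is the DC. `host` prints, for example:
#   _ldap._tcp.adminguide.lan has SRV record 0 100 389 ag-dc-1.adminguide.lan.
# so the port is field 7 and the target (with a trailing dot) is field 8.
srv_check() {
    target=$("$HOST" -t SRV "$1.$DOMAIN." 2>/dev/null |
        awk -v port="$2" '$3 == "SRV" && $4 == "record" && $7 == port {
                              sub(/\.$/, "", $8); print $8; exit }')
    [ "$target" = "$DC_FQDN" ]
}

# a_check -> exit 0 if the DC's A record resolves to DC_IP.
# `host` prints: ag-dc-1.adminguide.lan has address 192.168.1.100
a_check() {
    addr=$("$HOST" -t A "$DC_FQDN." 2>/dev/null |
        awk '$2 == "has" && $3 == "address" { print $4; exit }')
    [ "$addr" = "$DC_IP" ]
}

# check_ad_dns -> exit 0 only when all three records the article inspects are right.
check_ad_dns() {
    rc=0
    if srv_check _ldap._tcp 389; then echo "ok   _ldap._tcp SRV -> $DC_FQDN:389"
    else echo "FAIL _ldap._tcp SRV (expected port 389 -> $DC_FQDN)"; rc=1; fi
    if srv_check _kerberos._udp 88; then echo "ok   _kerberos._udp SRV -> $DC_FQDN:88"
    else echo "FAIL _kerberos._udp SRV (expected port 88 -> $DC_FQDN)"; rc=1; fi
    if a_check; then echo "ok   A $DC_FQDN -> $DC_IP"
    else echo "FAIL A $DC_FQDN (expected $DC_IP)"; rc=1; fi
    return "$rc"
}

# Run the check when executed directly; sourcing the file only defines the functions.
case "$0" in */check_ad_dns.sh) check_ad_dns ;; esac
```

Run it as check_ad_dns.sh on the controller (or with DOMAIN, DC_FQDN and DC_IP set for your own domain); because it is silent about passwords and needs no ticket, it is convenient to run right after every bind9 change, before trusting that the AD DC will still start.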
At this point we have a domain controller that updates its own zone, regularly recording changes to domain members and their IP addresses. But what about devices that are not in the domain? For example, network printers, or machines that simply have no need to join the domain? Of course, I'm not talking about Macs right now. Macs are a disease that should be burned out of the corporate network.
Let’s move on to setting up a DHCP server
At the moment, all text content is published a week earlier on my Zen blog, together with the Russian-language premieres of the video lessons 🙂
The same videos are published on the YouTube channel, where the English-language premieres come first 🙂