Samba in CentOS 6.8 as Secondary DC with Microsoft Active Directory 2012R2

1. Samba bug 10265 (https://bugzilla.samba.org/show_bug.cgi?id=10265): the domain and forest functional levels on the Windows 2012 server must first be lowered manually, via PowerShell:
Set-ADForestMode -Identity "mydom.local" -ForestMode Windows2008R2Forest
Set-ADDomainMode -Identity "mydom.local" -DomainMode Windows2008R2Domain
2. A freshly installed minimal CentOS 6.x system is needed. Disable SELinux and the firewall, and update the software packages.
Check the notes above and follow them exactly. Let's start.
Primary AD (Microsoft): 192.168.1.10 / ad.rmohan.com
Secondary DC (CentOS): 192.168.1.11 / ldap.rmohan.com
Log in to the Linux server:
# cat /etc/resolv.conf
search rmohan.com
nameserver 192.168.1.10
nameserver 192.168.1.11
# yum groupinstall "development tools" -y
# yum install python-devel gnutls-devel libacl-devel openldap-devel wget gcc gcc-c++ krb5-server krb5-workstation -y
# wget https://download.samba.org/pub/samba/stable/samba-4.5.0.tar.gz
# tar -xvzf samba-4.5.0.tar.gz
# cd samba-4.5.0
# ./configure
# make
# make install
Samba is now compiled and installed from source. Remove the default Samba configuration, then remount the root file system with ACL and extended-attribute support (without these, the AD join sometimes fails with an ACL error):
# rm -f /usr/local/samba/etc/smb.conf
# mount -o remount,acl,user_xattr /dev/mapper/vg_ldap-lv_root
Now we are ready to join the Linux machine to the Windows AD as a DC:
# /usr/local/samba/bin/samba-tool domain join rmohan.com DC -Uadministrator --realm=rmohan.com
The Linux system is now a secondary DC in Active Directory, but a few more settings are needed before authentication can be checked.
First make sure the clocks on both systems agree (NTP). Kerberos authentication fails if they drift apart.
# yum install ntp -y
# service ntpd start
# chkconfig ntpd on
Add our primary DC as the NTP server:
# vi /etc/ntp.conf
server ad.rmohan.com iburst
# service ntpd restart
Now replace the Kerberos configuration file with the one Samba generated, and test a ticket request:
# rm -rf /etc/krb5.conf
# cp -vr /usr/local/samba/private/krb5.conf /etc/krb5.conf
# kinit administrator@rmohan.com
# klist
For AD replication to work, an A record and a CNAME record for the new DC must be added in Microsoft AD DNS. First find the objectGUID of each DC's NTDS Settings object:
# /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=LDAP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 640bcd46-cbc3-4451-8d82-cb37a255cbe1
# record 2
dn: CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 89f017ee-dacf-4d51-a19b-fe54da97a79a

Copy the objectGUID of the Samba DC (CN=LDAP above) and go to the Microsoft Active Directory DNS console.
First create an A record for ldap.rmohan.com.
Then go to Forward Lookup Zones > _msdcs.rmohan.com.
Create a CNAME there named after our host's objectGUID. In my case it looks like this:

640bcd46-cbc3-4451-8d82-cb37a255cbe1 Alias(CNAME) ldap.rmohan.com
Authentication is now working. Next, start the Samba DC and check replication; every user created on either DC must be replicated to the other.
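The objectGUID lookup and the CNAME step above can be scripted and verified. The following is an added example, not part of the original post: it extracts the GUID of a named DC from ldbsearch output (a constructed sample that mirrors the post's output, with the DC= components changed to rmohan.com), prints the alias that must exist under _msdcs, and provides a check_cname function that confirms the alias resolves to the new DC (it assumes dig from bind-utils is installed).

```shell
#!/bin/sh
# Added example (not from the original post): derive the _msdcs CNAME that a
# new Samba DC needs from `ldbsearch ... objectguid` output, and check DNS for it.
# On a live DC the input would come from:
#   /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid

# Constructed sample mirroring the ldbsearch output shown in the post.
SAMPLE_LDB='# record 1
dn: CN=NTDS Settings,CN=LDAP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rmohan,DC=com
objectGUID: 640bcd46-cbc3-4451-8d82-cb37a255cbe1

# record 2
dn: CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rmohan,DC=com
objectGUID: 89f017ee-dacf-4d51-a19b-fe54da97a79a
'

# dc_guid <ldbsearch output> <DC short name>
# Prints the objectGUID of the NTDS Settings object belonging to the named DC
# (the CN immediately after "CN=NTDS Settings,"), or nothing if it is absent.
dc_guid() {
    printf '%s\n' "$1" | awk -v dc="$2" '
        /^dn: /          { want = ($0 ~ "^dn: CN=NTDS Settings,CN=" dc ",") }
        /^objectGUID: / && want { print $2; exit }
    '
}

# expected_cname <guid> <realm>
# The alias other DCs look up when replicating: <objectGUID>._msdcs.<realm>
expected_cname() {
    printf '%s._msdcs.%s\n' "$1" "$2"
}

# check_cname <guid> <realm> <expected host FQDN>
# Live DNS check with dig (assumed available); succeeds only if the alias
# resolves to the expected host.
check_cname() {
    name=$(expected_cname "$1" "$2")
    got=$(dig +short CNAME "$name" | sed 's/\.$//')
    [ "$got" = "$3" ]
}

# Example run against the constructed sample (LDAP is the Samba DC in the post):
GUID=$(dc_guid "$SAMPLE_LDB" LDAP)
printf 'CNAME to create in the _msdcs zone: %s -> ldap.rmohan.com\n' "$(expected_cname "$GUID" rmohan.com)"
```

After the record has been created on the Windows DNS server, `check_cname "$GUID" rmohan.com ldap.rmohan.com && echo ok` confirms that the alias is visible from the Samba side before replication is started.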
# /usr/local/samba/sbin/samba
# /usr/local/samba/bin/samba-tool drs showrepl
Default-First-Site-Name\LDAP
DSA Options: 0x00000001
DSA object GUID: 640bcd46-cbc3-4451-8d82-cb37a255cbe1
DSA invocationId: 4c115875-28b5-4c91-bcf0-66f4d74d935b
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=example,DC=com
Default-First-Site-Name\AD01 via RPC
DSA object GUID: 89f017ee-dacf-4d51-a19b-fe54da97a79a
Last attempt @ Tue Oct 11 03:13:07 2016 EDT was successful
0 consecutive failure(s).
Last success @ Tue Oct 11 03:13:07 2016 EDT
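To turn the showrepl output above into a check that can run from cron or a monitoring agent, here is an added example (not from the original post) that parses `samba-tool drs showrepl` output and reports every inbound partner with consecutive failures. Both samples are constructed: the first mirrors the healthy output above, the second adds a partition that has stopped replicating so the flagged line is visible. The repl_status_live wrapper assumes the Samba install prefix used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): flag inbound replication
# partners that report consecutive failures in `samba-tool drs showrepl` output.

# Constructed sample mirroring the healthy output shown in the post.
SAMPLE_OK='Default-First-Site-Name\LDAP
DSA Options: 0x00000001
DSA object GUID: 640bcd46-cbc3-4451-8d82-cb37a255cbe1
DSA invocationId: 4c115875-28b5-4c91-bcf0-66f4d74d935b

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=rmohan,DC=com
    Default-First-Site-Name\AD01 via RPC
        DSA object GUID: 89f017ee-dacf-4d51-a19b-fe54da97a79a
        Last attempt @ Tue Oct 11 03:13:07 2016 EDT was successful
        0 consecutive failure(s).
        Last success @ Tue Oct 11 03:13:07 2016 EDT
'

# Constructed sample with one partition whose partner has become unreachable.
SAMPLE_BAD="$SAMPLE_OK
CN=Configuration,DC=rmohan,DC=com
    Default-First-Site-Name\AD01 via RPC
        DSA object GUID: 89f017ee-dacf-4d51-a19b-fe54da97a79a
        Last attempt @ Tue Oct 11 04:10:02 2016 EDT failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).
        Last success @ Tue Oct 11 03:13:07 2016 EDT

==== OUTBOUND NEIGHBORS ====
"

# repl_failures <showrepl output>
# Prints one line per inbound partner with a non-zero failure count:
#   <partition> via <partner>: <n> consecutive failure(s)
# Only the INBOUND NEIGHBORS section is examined; outbound and KCC sections are ignored.
repl_failures() {
    printf '%s\n' "$1" | awk '
        /^==== /             { section = $0; next }
        section !~ /INBOUND/ { next }
        /^(DC|CN)=/          { partition = $0; next }
        { sub(/^[ \t]+/, "") }
        / via /              { neighbor = $1; next }
        /consecutive failure/ {
            n = $1 + 0
            if (n > 0) printf "%s via %s: %d consecutive failure(s)\n", partition, neighbor, n
        }
    '
}

# repl_ok <showrepl output>: exit status 0 when no inbound partner is failing.
repl_ok() {
    [ -z "$(repl_failures "$1")" ]
}

# On a live DC (assumed Samba prefix from the post) the input comes from samba-tool.
repl_status_live() {
    repl_failures "$(/usr/local/samba/bin/samba-tool drs showrepl)"
}

# Example run on the constructed samples:
repl_ok "$SAMPLE_OK" && echo "sample 1: all inbound partners healthy"
repl_failures "$SAMPLE_BAD"
```

Wired into cron as `repl_status_live`, any non-empty output is the alert condition; the partition name tells you which naming context (domain, configuration, DNS zones) has stopped receiving changes from the Windows DC.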
The showrepl output above shows that replication is working. Next, confirm that directory contents are visible from the Samba side.
List all AD users:
# /usr/local/samba/bin/samba-tool user list
Create a new user in Active Directory and run the list again. If the new user appears, everything is good and your secondary server is ready.
List all member computers:
# /usr/local/samba/bin/pdbedit -L -w | grep '\[[WI]'

This setup is useful if you have a single Windows license and need an Active Directory replica.
Enjoy.
