Difference between revisions of "Joining a Samba DC to an Existing Active Directory"

From SambaWiki
m (added command for how to join with bind as DNS backend)
(Added section "Check required DNS entries of the new host", updated content a bit the present state of s4, all information here were tested that they are working on the latest s4 version (rc4))

Revision as of 17:12, 11 November 2012

Samba4 joining a domain as a DC

As of Samba4 alpha11, Samba4 has the ability to join an existing Active Directory domain as an additional domain controller. The process of joining a Samba4 server to an existing domain is a bit different from provisioning a new domain. This process is the equivalent of the 'dcpromo' command on Windows servers.

This HOWTO assumes you have configured and installed Samba in the default location of /usr/local/samba, and that you are joining Samba to an existing domain called 'samba.example.com'.

Note that the following steps are the same regardless of whether you are joining Samba to an existing Windows based domain or an existing Samba based domain.


Getting ready for joining Samba as a DC to an existing domain

You need to build Samba4 as usual, but don't run the provision step. Remove any existing smb.conf from /usr/local/samba/etc/ before joining.

Make sure your existing domain is set up as the default realm in /etc/krb5.conf, with the following options:

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_realm = SAMBA.EXAMPLE.COM

You should then test that DNS and Kerberos are set up correctly to point at your existing domain controller. Check that it all works by running kinit as a domain administrator:

# kinit administrator
Password: XXXXXXXX

klist should then give you output like the following:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMBA.EXAMPLE.COM

Valid starting     Expires            Service principal
11/11/12 17:29:51  11/12/12 03:29:51  krbtgt/SAMBA.EXAMPLE.COM@SAMBA.EXAMPLE.COM
       renew until 11/12/12 17:29:49

Once all that is set up you can move on to the domain join step.


Joining the existing domain as a DC

Run the following command as root:

# bin/samba-tool domain join samba.example.com DC -Uadministrator --realm=samba.example.com

Since Samba4 rc2 the internal DNS server is the default. If you are joining with rc2 or a later version and want to use BIND as the DNS backend, use the following command instead:

# bin/samba-tool domain join samba.example.com DC -Uadministrator --realm=samba.example.com --dns-backend=BIND9_DLZ

During the join, you should see a set of debug messages about replicating the domain's contents, like this:

Partition[CN=Configuration,DC=samba,DC=example,DC=com] objects[1614/1614] linked_values[28/0]

At the end, you will see a message like this:

Joined domain SAMBA (SID S-1-5-21-3565189888-2228146013-2029845409) as a DC

Now you have joined your Samba4 server to your existing domain. Keep in mind that a writable DC receives a full replica of the domain database, including all account secrets, during the join, so the new host must be protected like any other domain controller from this point on.


Check required DNS entries of the new host

Before you start Samba, check that the DNS entries for the new DC were created correctly during the join. This does not currently (rc4) work reliably, so in that case they have to be added manually.

From the new host, try to resolve its hostname:

# host -t A dc2.samba.example.com.

If this fails, you have to add the A record by hand. Run this on your existing DC:

# samba-tool dns add {IP-of-your-DNS-server} samba.example.com DC2 A {IP-of-the-DC-you-had-joined} -Uadministrator

You should also check that the objectGUID of the new DC resolves to the new hostname. First, run

# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid

to find out the objectGUID of the new server. The command should give you output like the following:

# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=example,DC=com
objectGUID: 737506d0-bfe6-40c8-815d-08c3dff7a67f
...

In this case, 737506d0-bfe6-40c8-815d-08c3dff7a67f is the objectGUID of the new DC; query it with the following command:

# host -t CNAME 737506d0-bfe6-40c8-815d-08c3dff7a67f._msdcs.samba.example.com.

This should output the alias (CNAME) for this entry, pointing to your new DC name. If this record is missing as well, add it too:

# samba-tool dns add {IP-of-your-DNS} _msdcs.samba.example.com 737506d0-bfe6-40c8-815d-08c3dff7a67f CNAME DC2.samba.example.com -Uadministrator

If you still have problems querying the entries after adding them, you may have to restart Samba4/named on your existing DC (currently the BIND9_DLZ plugin seems to need a restart to pick up newly added entries).


Starting Samba

You start Samba as a DC in the same way that you start it as a normal server: just run the command 'samba' from the sbin directory of your installation.

When you first start Samba as a new DC in an existing Windows domain, you may find error messages like these in the Samba log file:

UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for 5344d0a6-78a1-4758be69-66d933f1123._msdcs.samba.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com

This is caused by the Windows domain controller not yet having run its Knowledge Consistency Checker (KCC), which means it has not yet created connections to the new Samba DC.

To fix this, you can either run "repadmin /kcc" on the Windows DC as an administrator, or you can use the samba-tool command to do the same thing, like this:

# samba-tool drs kcc -Uadministrator windowsdc.samba.example.com

You should then check that replication between the Windows DC and the Samba DC is working correctly by using:

# samba-tool drs showrepl

Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: 737506d0-bfe6-40c8-815d-08c3dff7a67f
DSA invocationId: eb242434-ca7e-4da7-9b1d-b289ba1922e9

==== INBOUND NEIGHBORS ====

DC=samba,DC=example,DC=com
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 25e33532-42f2-4082-b9f4-072f9108b565
               Last attempt @ Sun Nov 11 18:02:02 2012 CET was successful
               0 consecutive failure(s).
               Last success @ Sun Nov 11 18:02:02 2012 CET

CN=Configuration,DC=samba,DC=example,DC=com
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 25e33532-42f2-4082-b9f4-072f9108b565
               Last attempt @ Sun Nov 11 18:02:02 2012 CET was successful
               0 consecutive failure(s).
               Last success @ Sun Nov 11 18:02:02 2012 CET
.....
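As an added example (not code from the Samba wiki page or from the Samba project), the following script reads "samba-tool drs showrepl" output and reports every inbound partner whose replication is failing, which turns the manual inspection above into a check you can run from cron on each DC. The sample output it runs over is constructed from the layout shown above: DC1 is healthy, while a third DC (DC3), its GUID and its error line are invented for the example.

```shell
#!/bin/sh
# Added example, not part of the Samba wiki page or of Samba itself.
# Parses "samba-tool drs showrepl" output and lists every inbound neighbour
# whose last replication attempt failed or that has consecutive failures.

# Constructed sample in the layout shown above: DC1 replicates fine, DC3
# (invented, with an invented GUID and error line) does not.
sample_showrepl() {
    cat <<'EOF'
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: 737506d0-bfe6-40c8-815d-08c3dff7a67f
DSA invocationId: eb242434-ca7e-4da7-9b1d-b289ba1922e9

==== INBOUND NEIGHBORS ====

DC=samba,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 25e33532-42f2-4082-b9f4-072f9108b565
                Last attempt @ Sun Nov 11 18:02:02 2012 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 11 18:02:02 2012 CET

CN=Configuration,DC=samba,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 25e33532-42f2-4082-b9f4-072f9108b565
                Last attempt @ Sun Nov 11 18:02:02 2012 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 11 18:02:02 2012 CET
        Default-First-Site-Name\DC3 via RPC
                DSA object GUID: 9b1e4c2a-5d6f-4a7b-8c9d-0e1f2a3b4c5d
                Last attempt @ Sun Nov 11 18:05:10 2012 CET failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                3 consecutive failure(s).
                Last success @ Sat Nov 10 09:00:00 2012 CET

==== OUTBOUND NEIGHBORS ====

DC=samba,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 25e33532-42f2-4082-b9f4-072f9108b565
                Last attempt @ Sun Nov 11 18:02:02 2012 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 11 18:02:02 2012 CET
EOF
}

# Read showrepl output on stdin. Print one UNHEALTHY line per failing
# inbound partner (partition, partner DSA, failure count, error text), or a
# single OK line when every inbound partner is healthy. Always exits 0.
# Only the INBOUND section is inspected; indentation is not relied upon.
unhealthy_neighbours() {
    awk '
        /^==== INBOUND NEIGHBORS ====/ { inbound = 1; next }
        /^==== /                       { inbound = 0; next }
        !inbound                       { next }
        /^[^ \t]/                      { nc = $0; next }
        / via /                        { partner = $1; key = nc "|" partner; next }
        /Last attempt @ .* failed/     { err[key] = $0; sub(/.*failed, */, "", err[key]) }
        /consecutive failure\(s\)/     { fails[key] = $1 + 0 }
        END {
            n = 0
            for (k in fails) {
                if (fails[k] > 0 || (k in err)) {
                    n++
                    split(k, p, "|")
                    printf "UNHEALTHY %s partner=%s consecutive_failures=%d error=%s\n",
                           p[1], p[2], fails[k], (k in err) ? err[k] : "none"
                }
            }
            if (n == 0) print "OK: all inbound neighbours healthy"
        }'
}

# Stand-alone: run over the constructed sample. For a live check use:
#   samba-tool drs showrepl | sh this-script.sh live
if [ "${1:-}" = live ]; then
    unhealthy_neighbours
else
    sample_showrepl | unhealthy_neighbours
fi
```

The check deliberately looks at inbound neighbours only, since that is the direction a freshly joined DC has to get right first; a partner that reports "failed" but zero consecutive failures is still flagged, so a single failed attempt after a long healthy run is not hidden.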


Testing Replication

To check that replication is working correctly between your two domain controllers, try adding a user on the Samba DC using either the Samba command line tools, or the Windows GUI admin tools. Then check that the user shows up within a few seconds on your Windows domain controller.

Similarly, try modifying a user on the Windows domain controller and check that the modifications show up correctly on the Samba server.


ldapcmp

You may wish to use ldapcmp to verify that the same data is being served from all domain controllers.


Report your success/failure!

Samba4 as a replicating domain controller is still developing rapidly, and we would like to hear from users about their successes and failures. While Samba4 is still in the rc state we encourage you to report both your successes and failures to the samba-technical mailing list on http://lists.samba.org

Please be aware that Samba4 is not complete, so you should deploy it carefully until it is ready for production.


A note on DNS updates

As of Samba4 alpha12 Samba4 has the ability to automatically update a Windows or bind9 DNS server with the correct set of DNS entries when it becomes a domain controller.

For this to work correctly between Samba and Windows you may find that you need a set of 5 patches to bind9. Those patches are located in the examples/bind9-patches directory of the Samba4 source tree. The patches have been submitted to the bind9 developers and will be incorporated in a future release of bind, but in the meantime you should be able to build bind9 yourself from source and apply the patches.

The way the automatic DNS updates work is that Samba regularly (every 10 minutes) calls out to the samba_dnsupdate script that is installed along with Samba. That script reads a template file of DNS names to update in the DNS zone from /usr/local/samba/private/dns_update_list.

The contents of this file look like this:

A                                                        ${DNSDOMAIN} $IP
A                                                        ${HOSTNAME} $IP
CNAME ${NTDSGUID}._msdcs.${DNSDOMAIN}                    ${HOSTNAME}
SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}     ${HOSTNAME} 389
SRV _kerberos._tcp.dc.dc._msdcs.${DNSDOMAIN}             ${HOSTNAME} 88
SRV _ldap._tcp.dc.dc._msdcs.${DNSDOMAIN}                 ${HOSTNAME} 389
SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSDOMAIN}     ${HOSTNAME} 3268
SRV _ldap._tcp.gc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 3268
SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                   ${HOSTNAME} 389
SRV _gc._tcp.${SITE}._sites.${DNSDOMAIN}                 ${HOSTNAME} 3268
SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN}           ${HOSTNAME} 88
SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN}	         ${HOSTNAME} 389
SRV _gc._tcp.${DNSDOMAIN}                                ${HOSTNAME} 3268
SRV _kerberos._tcp.${DNSDOMAIN}                          ${HOSTNAME} 88
SRV _kpasswd._tcp.${DNSDOMAIN}                           ${HOSTNAME} 464
SRV _ldap._tcp.${DNSDOMAIN}                              ${HOSTNAME} 389
SRV _kerberos._udp.${DNSDOMAIN}                          ${HOSTNAME} 88
SRV _kpasswd._udp.${DNSDOMAIN}                           ${HOSTNAME} 464

At runtime, Samba substitutes the variables in this file and calls out to the bind9 nsupdate command using the -g option to enable TSIG-GSS (Kerberos-authenticated) DNS updates. It only makes updates for DNS names that it detects are not currently correctly set.

You can add your own names to dns_update_list if you want, and Samba will add those on the DNS server. You may also choose not to use TSIG-GSS and instead use a fixed DNS key set up in another bind9 server. To do that you will need to modify the 'nsupdate' command that Samba runs, which is settable using the "nsupdate command" smb.conf option. The default is "/usr/bin/nsupdate -g". Keep in mind that a fixed key authorises anyone who holds it to change the zone, so it needs the same protection as the DC's own credentials.

The $IP entries for A records are replaced with the IP interface addresses that Samba detects at runtime, based on the "interfaces=" smb.conf option.
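As an added example (not code from the Samba wiki page or from the Samba project), the script below performs the same variable substitution on a dns_update_list style template and renders the result as an nsupdate script, and in check mode compares each rendered record with what DNS actually answers. It covers both the manual checks from the "Check required DNS entries of the new host" section and the template format described here. Every value at the top (addresses, the domain GUID, the TTL, the SRV priority and weight) is constructed for the example; set DNS_UPDATE_LIST to use the real template file instead of the shortened built-in copy.

```shell
#!/bin/sh
# Added example, not part of the Samba wiki page or of Samba itself.
# Renders the records a DC needs (same line format as
# /usr/local/samba/private/dns_update_list) into an nsupdate script and can
# check each rendered record against DNS before Samba is started.
# All values below are constructed for the example; replace them.

DNS_SERVER=192.0.2.11                           # DNS server of the existing DC
DNSDOMAIN=samba.example.com
DC_FQDN=dc2.samba.example.com                   # substituted for ${HOSTNAME}
IP=192.0.2.12                                   # address of the new DC
SITE=Default-First-Site-Name
NTDSGUID=737506d0-bfe6-40c8-815d-08c3dff7a67f   # objectGUID of the NTDS Settings object
DOMAINGUID=3f2b8c4e-1d7a-4e0b-9b6f-2a1c5d7e9f00 # invented domain GUID
TTL=900                                         # TTL chosen for this example

# Template: the real file named by $DNS_UPDATE_LIST when set and readable,
# otherwise a shortened copy of the list shown above.
dns_update_list() {
    if [ -n "${DNS_UPDATE_LIST:-}" ] && [ -r "$DNS_UPDATE_LIST" ]; then
        cat "$DNS_UPDATE_LIST"
    else
        cat <<'EOF'
A     ${DNSDOMAIN}                                          $IP
A     ${HOSTNAME}                                           $IP
CNAME ${NTDSGUID}._msdcs.${DNSDOMAIN}                       ${HOSTNAME}
SRV   _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}      ${HOSTNAME} 389
SRV   _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSDOMAIN}  ${HOSTNAME} 389
SRV   _kerberos._tcp.${DNSDOMAIN}                           ${HOSTNAME} 88
SRV   _kpasswd._tcp.${DNSDOMAIN}                            ${HOSTNAME} 464
SRV   _ldap._tcp.${DNSDOMAIN}                               ${HOSTNAME} 389
EOF
    fi
}

# Substitute the template variables and turn each line into an nsupdate
# "update add" statement (SRV priority 0, weight 100 chosen here).
# Reads the template on stdin.
render_nsupdate() {
    sed -e "s/[$]{DNSDOMAIN}/$DNSDOMAIN/g" \
        -e "s/[$]{HOSTNAME}/$DC_FQDN/g" \
        -e "s/[$]{NTDSGUID}/$NTDSGUID/g" \
        -e "s/[$]{DOMAINGUID}/$DOMAINGUID/g" \
        -e "s/[$]{SITE}/$SITE/g" \
        -e "s/[$]IP/$IP/g" |
    while read -r type name target port; do
        case "$type" in
            A)     echo "update add $name. $TTL IN A $target" ;;
            CNAME) echo "update add $name. $TTL IN CNAME $target." ;;
            SRV)   echo "update add $name. $TTL IN SRV 0 100 $port $target." ;;
            '')    ;;                                   # blank line
            *)     echo "skipping unsupported record type: $type" >&2 ;;
        esac
    done
}

# Complete nsupdate script: pipe into "nsupdate -g" after a kinit.
nsupdate_script() {
    echo "server $DNS_SERVER"
    dns_update_list | render_nsupdate
    echo "send"
}

# Live check (needs the "host" tool and network access to the DNS server):
# report every rendered record whose expected target is absent from the answer.
check_records() {
    dns_update_list | render_nsupdate |
    while read -r _u _a name _ttl _in type data; do
        want=${data##* }                                # IP or target FQDN
        if host -t "$type" "$name" 2>/dev/null | grep -qiF "$want"; then
            echo "ok      $type $name"
        else
            echo "MISSING $type $name -> $want"
        fi
    done
}

case "${1:-render}" in
    render) nsupdate_script ;;
    check)  check_records ;;
    *)      echo "usage: $0 [render|check]" >&2; exit 2 ;;
esac
```

Run "sh dc-dns-records.sh check" on the new DC to see which records are missing, then either feed "sh dc-dns-records.sh render | nsupdate -g" to a server that accepts TSIG-GSS updates (after a kinit as an account allowed to update the zone) or add the missing entries with the samba-tool dns add commands shown earlier.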


Samba4 joining a domain as a RODC (Status for a work in progress)

For the TODO list see Support RODC TODO

Main features implemented

  • Joining as a RODC to a Windows DC

To do that, run samba-tool join (or samba-tool domain join), something like this (note that a password given after '%' ends up in your shell history and is visible in the process list; omit it to be prompted instead):

sudo bin/samba-tool join win.dev RODC -UAdministrator%password --target-dir=/home/ant/prefix.win/

or (for newer versions of Samba):

sudo bin/samba-tool domain join win.dev RODC -Uadministrator%password --target-dir=/home/ant/prefix.win/
  • Added support for RODC FAS
  • Added support for unidirectional replication
  • Added support for read-only database

Main features in the TODO list

  • Support Administrator role separation
  • Support Credential caching
  • Join a Windows RODC to a Samba4 domain - blocked by Kerberos TGT handling.