{"id":6603,"date":"2017-04-06T23:14:46","date_gmt":"2017-04-06T15:14:46","guid":{"rendered":"http:\/\/rmohan.com\/?p=6603"},"modified":"2017-04-06T23:14:46","modified_gmt":"2017-04-06T15:14:46","slug":"samba-in-centos-6-8-as-secondary-dc-with-microsoft-active-directory-2012r2","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6603","title":{"rendered":"Samba in CentOS 6.8 as Secondary DC with Microsoft Active Directory 2012R2"},"content":{"rendered":"<p>1. https:\/\/bugzilla.samba.org\/show_bug.cgi?id=10265<br \/>\nIt\u2019s necessary to manually lower the domain and forest functional levels on the Windows 2012 server first, via PowerShell:<br \/>\nSet-ADForestMode -Identity \"mydom.local\" -ForestMode Windows2008R2Forest<br \/>\nSet-ADDomainMode -Identity \"mydom.local\" -DomainMode Windows2008R2Domain<br \/>\n2. Start from a freshly installed minimal CentOS 6.x system. Disable SELinux and the firewall, and update the software packages.<br \/>\nApply the notes above exactly as written. Let\u2019s start.<br \/>\nPrimary AD (Microsoft): 192.168.1.10 \/ ad.rmohan.com<br \/>\nSecondary DC (CentOS): 192.168.1.11 \/ ldap.rmohan.com<br \/>\nLog in to the Linux server and check the resolver configuration:<br \/>\n# cat \/etc\/resolv.conf<br \/>\nsearch rmohan.com<br \/>\nnameserver 192.168.1.10<br \/>\nnameserver 192.168.1.11<br \/>\nInstall the build dependencies, then download, build and install Samba:<br \/>\n# yum groupinstall \"development tools\" -y<br \/>\n# yum install python-devel gnutls-devel libacl-devel openldap-devel wget gcc gcc-c++ krb5-server krb5-workstation -y<br \/>\n# wget https:\/\/download.samba.org\/pub\/samba\/stable\/samba-4.5.0.tar.gz<br \/>\n# tar -xvzf samba-4.5.0.tar.gz<br \/>\n# cd samba-4.5.0<br \/>\n# .\/configure<br \/>\n# make<br \/>\n# make install<br \/>\nSamba is now compiled and installed from source under \/usr\/local\/samba. 
Remove the default Samba configuration first, then remount the file system with ACL and extended-attribute support (without it the AD join sometimes fails with an ACL error).<br \/>\n# rm -rf \/usr\/local\/samba\/etc\/smb.conf<br \/>\n# mount -o remount,acl,user_xattr \/dev\/mapper\/vg_ldap-lv_root<br \/>\nNow we are ready to join the Linux machine to the Windows AD domain as a DC.<br \/>\n# \/usr\/local\/samba\/bin\/samba-tool domain join rmohan.com DC -Uadministrator --realm=rmohan.com<br \/>\nOur Linux system is now joined to Active Directory as a secondary DC, but a few more settings are needed. Let\u2019s check authentication.<br \/>\nBefore that, make sure the clocks on both systems are in sync (NTP). If they differ, authentication will fail.<br \/>\n# yum install ntp -y<br \/>\n# service ntpd start<br \/>\n# chkconfig ntpd on<br \/>\nAdd our primary DC as the NTP server.<br \/>\n# vi \/etc\/ntp.conf<br \/>\nserver ad.rmohan.com iburst<br \/>\n# service ntpd restart<br \/>\nNow replace the Kerberos configuration file with the one Samba generated during the join, then request a ticket to verify authentication.<br \/>\n# rm -rf \/etc\/krb5.conf<br \/>\n# cp -vr \/usr\/local\/samba\/private\/krb5.conf \/etc\/krb5.conf<br \/>\n# kinit administrator@RMOHAN.COM<br \/>\n# klist<br \/>\nFor AD replication to work we need to add an A record and a CNAME record in the Microsoft AD DNS. First look up the objectGUID of each DC:<br \/>\n# \/usr\/local\/samba\/bin\/ldbsearch -H \/usr\/local\/samba\/private\/sam.ldb '(invocationid=*)' --cross-ncs objectguid<br \/>\n# record 1<br \/>\ndn: CN=NTDS Settings,CN=LDAP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com<br \/>\nobjectGUID: 640bcd46-cbc3-4451-8d82-cb37a255cbe1<br \/>\n# record 2<br \/>\ndn: CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com<br \/>\nobjectGUID: 89f017ee-dacf-4d51-a19b-fe54da97a79a<\/p>\n<p>Copy the objectGUID of our new DC (record 1, the LDAP entry) and go to the DNS console on the Microsoft Active Directory server.<br \/>\nFirst create an A record for ldap.rmohan.com.<br \/>\nThen go to Forward Lookup Zones &gt; _msdcs.rmohan.com.<br \/>\nCreate a CNAME there named after our host 
objectGUID, pointing to ldap.rmohan.com. In my case it looks like this:<\/p>\n<p>640bcd46-cbc3-4451-8d82-cb37a255cbe1 Alias(CNAME) ldap.rmohan.com<br \/>\nAuthentication now works. Next we start the Samba daemon and check DC replication: every user created on either DC must be replicated to the other.<br \/>\n# \/usr\/local\/samba\/sbin\/samba<br \/>\n# \/usr\/local\/samba\/bin\/samba-tool drs showrepl<br \/>\nDefault-First-Site-Name\\LDAP<br \/>\nDSA Options: 0x00000001<br \/>\nDSA object GUID: 640bcd46-cbc3-4451-8d82-cb37a255cbe1<br \/>\nDSA invocationId: 4c115875-28b5-4c91-bcf0-66f4d74d935b<br \/>\n==== INBOUND NEIGHBORS ====<br \/>\nDC=DomainDnsZones,DC=example,DC=com<br \/>\nDefault-First-Site-Name\\AD01 via RPC<br \/>\nDSA object GUID: 89f017ee-dacf-4d51-a19b-fe54da97a79a<br \/>\nLast attempt @ Tue Oct 11 03:13:07 2016 EDT was successful<br \/>\n0 consecutive failure(s).<br \/>\nLast success @ Tue Oct 11 03:13:07 2016 EDT<br \/>\nReplication is working. Let\u2019s verify it.<br \/>\nList all AD users:<br \/>\n# \/usr\/local\/samba\/bin\/samba-tool user list<br \/>\nCreate a new user in Active Directory and run the list again. If the new user shows up, replication is confirmed and your secondary DC is ready to go.<br \/>\nList all member computers:<br \/>\n# \/usr\/local\/samba\/bin\/pdbedit -L -w | grep '\\[[WI]'<\/p>\n<p>This setup is useful if you have a single Windows license and need an Active Directory replica.<br \/>\nEnjoy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>1 . https:\/\/bugzilla.samba.org\/show_bug.cgi?id=10265 It\u2019s necessary to manually lower the domain and forest functional levels on the Windows 2012 server first, via Powershell: Set-ADForestMode -Identity \u201cmydom.local\u201d -ForestMode Windows2008R2Forest Set-ADDomainMode -Identity \u201cmydom.local\u201d -DomainMode Windows2008R2Domain 2. Need a fresh installed minimal CentOS 6.x OS . Disable SELinux and firewall . Update software packages . 
Please check above notes [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,59],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6603"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6603"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6603\/revisions"}],"predecessor-version":[{"id":6604,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6603\/revisions\/6604"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6603"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6603"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6603"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}