.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Installing and configuring a secondary Samba-AD on Redhat8 and derivatives
   :keywords: Redhat8, Samba-AD, documentation, secondary Domain Controller

.. _server_secondary_redhat:

##########################################################################
Installing and configuring a secondary Samba-AD on Redhat and derivatives
##########################################################################

.. note::

   In this documentation, it is assumed:

   * That the main domain controller is called *srvads1*.
   * That the secondary domain controller is called *srvads2*.
   * That the domain is called *mydomain.lan*.

   In the instructions below, replace *mydomain.lan* with your own domain name and *srvads1* and *srvads2* with the machine names of your choice.

* On a 64-bit Redhat8 (or derivative) base, prepare a clean network configuration by following :ref:`this documentation `.

.. include:: server_install_samba_redhat_repo.rst.inc

***********************************
Finalizing your basic configuration
***********************************

* Change :file:`/etc/hostname` to contain the :abbr:`FQDN (Fully Qualified Domain Name)` of the machine:

  .. code-block:: ini

     srvads2.mydomain.lan

* Modify :file:`/etc/hosts` so that it contains the :abbr:`DNS (Domain Name Service)` resolution of the machine's :abbr:`FQDN (Fully Qualified Domain Name)` to its own IP address (i.e. not 127.0.0.1), with the long name followed by the short name:

  .. code-block:: ini

     127.0.0.1 localhost
     192.168.1.12 srvads2.mydomain.lan srvads2

* Reboot the machine with :command:`reboot` so that it takes its new name into account.

.. note::

   A :command:`hostname -F /etc/hostname` does not seem to be enough for the Samba script, which still picks up the old name ...

**********************************************
Joining the secondary controller to the domain
**********************************************

* Configure the DNS to point to a Windows or Samba domain controller in :file:`/etc/resolv.conf`:

  .. code-block:: ini

     search mydomain.lan
     nameserver 192.168.1.11

.. include:: ../server_config_krb_secondary_server.rst.inc

Configuring Samba as a Secondary Domain Controller
==================================================

* Remove the configuration file :file:`/etc/samba/smb.conf` that was automatically generated during package installation:

  .. code-block:: bash

     rm -f /etc/samba/smb.conf

* Join *srvads2* to the domain as a domain controller:

  .. code-block:: bash

     samba-tool domain join mydomain.lan DC -U administrator --realm=MYDOMAIN.LAN -W MYDOMAIN

* Modify the DNS to point to itself in :file:`/etc/resolv.conf`:

  .. code-block:: ini

     nameserver 127.0.0.1

* In :file:`/etc/samba/smb.conf`, add the DNS forwarder:

  .. code-block:: ini

     [global]
     ...
     dns forwarder = 8.8.8.8
     ...

* Activate the automatic start of the AD service:

  .. code-block:: bash

     systemctl enable samba
     systemctl disable winbind nmb smb
     systemctl mask winbind nmb smb

* Point your Kerberos to the correct configuration file:

  .. hint::

     By default, Samba-AD provisioning creates an example file ``krb5.conf`` in the directory :file:`/var/lib/samba/private`. This file is used by default by some Samba calls. It is best to replace it with a symbolic link to :file:`/etc/krb5.conf` to avoid some side effects.

  .. code-block:: bash

     rm /var/lib/samba/private/krb5.conf
     ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf

* Restart Samba:

  .. code-block:: bash

     systemctl restart samba

* Check that the DNS entries are correct:

  .. code-block:: bash

     samba_dnsupdate --verbose

* If some entries still *fail*, use this method, which bypasses Kerberos:

  .. code-block:: bash

     samba_dnsupdate --use-samba-tool

******************
Configuring SYSVOL
******************

* Retrieve the contents of :file:`\\srvads\sysvol` from *srvads1* and copy it to *srvads2* from a Windows workstation as Domain Administrator. On *srvads2*, run the command:

  .. code-block:: bash

     rsync -aP root@srvads1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/

* Then check the :abbr:`ACL (Access Control List)` on SYSVOL, and if necessary reset the ACLs:

  .. code-block:: bash

     samba-tool ntacl sysvolreset
     samba-tool ntacl sysvolcheck

.. hint::

   While waiting for the development of a DFS-R officially supported by the Samba team, Tranquil IT proposes the :ref:`tis-sysvolsync ` tool to synchronize SYSVOL shares between Samba domain controllers.

*******************************
Validating the new installation
*******************************

* Test the DNS connection from the :guilabel:`DNS Active Directory` console.
* Test the connection from the :guilabel:`Users and Computers Active Directory` console.
* Check the status of the replications:

  .. code-block:: bash

     samba-tool drs showrepl

**********************
Configuring signed NTP
**********************

* Configure the :abbr:`NTP (Network Time Protocol)` by following the :ref:`NTP service configuration documentation with Samba `.

********************
Configuring Bind-DLZ
********************

Before going into production, the internal Samba :abbr:`DNS (Domain Name Service)` must be replaced by the Bind-DLZ module. To do this, follow the :ref:`documentation to integrate Samba with Bind9 `.

Great, if you have made it this far, then everything went well and you have a new operational secondary domain controller.
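The host configuration steps from the "Finalizing your basic configuration" and "Joining the secondary controller" sections above (FQDN in :file:`/etc/hostname`, the :file:`/etc/hosts` line with the non-loopback IP and long name before short name, :file:`/etc/resolv.conf` pointing to the DC itself after the join) are the ones most often got wrong and are silent until the join or DNS updates fail. The script below is an added example, not part of this documentation or of Samba; the function names and the constructed sample files are assumptions, and on a real controller you would pass the real paths instead.

```shell
#!/bin/sh
# Added example, not part of the original documentation: sanity checks for the
# host configuration steps above. File paths are parameters so the checks can run
# against constructed sample files; on a real DC pass /etc/hostname, /etc/hosts
# and /etc/resolv.conf.

# check_hostname_file FILE FQDN: /etc/hostname must hold exactly the FQDN.
check_hostname_file() {
    name=$(head -n 1 "$1" | tr -d '[:space:]')
    [ "$name" = "$2" ] || { echo "hostname is '$name', expected '$2'"; return 1; }
}

# check_hosts_entry FILE FQDN: the FQDN must map to a non-loopback address,
# with the long name listed before the short name (192.168.1.12 srvads2.mydomain.lan srvads2).
check_hosts_entry() {
    fqdn=$2
    short=${fqdn%%.*}
    line=$(grep -v '^[[:space:]]*#' "$1" | grep -Fw "$fqdn" | head -n 1)
    [ -n "$line" ] || { echo "no entry for $fqdn"; return 1; }
    set -- $line
    case "$1" in
        127.*|::1) echo "$fqdn is bound to loopback address $1"; return 1 ;;
    esac
    [ "$2" = "$fqdn" ] || { echo "long name must come first, got '$2'"; return 1; }
    [ "$3" = "$short" ] || { echo "short name '$short' must follow the FQDN"; return 1; }
}

# check_resolv_self FILE: after the join, the first nameserver must be 127.0.0.1.
check_resolv_self() {
    ns=$(grep -v '^[[:space:]]*#' "$1" | awk '/^nameserver/ {print $2; exit}')
    [ "$ns" = "127.0.0.1" ] || { echo "first nameserver is '$ns', not 127.0.0.1"; return 1; }
}

# Constructed sample files (good and bad cases) to exercise the checks offline.
demo=$(mktemp -d)
printf 'srvads2.mydomain.lan\n' > "$demo/hostname"
printf '127.0.0.1 localhost\n192.168.1.12 srvads2.mydomain.lan srvads2\n' > "$demo/hosts"
printf '127.0.0.1 localhost srvads2.mydomain.lan srvads2\n' > "$demo/hosts.loopback"
printf '192.168.1.12 srvads2 srvads2.mydomain.lan\n' > "$demo/hosts.order"
printf 'search mydomain.lan\nnameserver 127.0.0.1\n' > "$demo/resolv.conf"

check_hostname_file "$demo/hostname" srvads2.mydomain.lan && echo "hostname: OK"
for f in hosts hosts.loopback hosts.order; do
    check_hosts_entry "$demo/$f" srvads2.mydomain.lan && echo "$f: OK"
done
check_resolv_self "$demo/resolv.conf" && echo "resolv.conf: OK"
```

Run the checks after the reboot and again after the :command:`samba-tool domain join` step, before :command:`samba_dnsupdate`; the loopback and ordering cases are the ones that make Samba register the wrong address for the new DC.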