2台目のraspberrypiでsambaをmakeする。
事前に、1台目の/etc/krb5.confを2台目にコピーしておく。
ドメインへ参加する。
root@raspberrypi1:/opt/samba/etc# samba-tool domain join yamatomura.local DC -U administrator --realm=YAMATOMURA.LOCAL
Finding a writeable DC for domain 'yamatomura.local'
Found DC raspberrypi2.yamatomura.local
Password for [WORKGROUP\administrator]:
Password for [WORKGROUP\administrator]:
Password for [WORKGROUP\administrator]:
workgroup is YAMATOMURA
realm is yamatomura.local
checking sAMAccountName
Deleted CN=RID Set,CN=RASPBERRYPI1,OU=Domain Controllers,DC=yamatomura,DC=local
Deleted CN=RASPBERRYPI1,OU=Domain Controllers,DC=yamatomura,DC=local
Deleted CN=NTDS Settings,CN=RASPBERRYPI1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=yamatomura,DC=local
Deleted CN=RASPBERRYPI1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=yamatomura,DC=local
Adding CN=RASPBERRYPI1,OU=Domain Controllers,DC=yamatomura,DC=local
Adding CN=RASPBERRYPI1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=yamatomura,DC=local
Adding CN=NTDS Settings,CN=RASPBERRYPI1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=yamatomura,DC=local
Adding SPNs to CN=RASPBERRYPI1,OU=Domain Controllers,DC=yamatomura,DC=local
Setting account password for RASPBERRYPI1$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /opt/samba/private/krb5.conf
Provision OK for domain DN DC=yamatomura,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=yamatomura,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=yamatomura,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=yamatomura,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=yamatomura,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=yamatomura,DC=local] objects[402/1617] linked_values[0/0]
Partition[CN=Configuration,DC=yamatomura,DC=local] objects[804/1617] linked_values[0/0]
Partition[CN=Configuration,DC=yamatomura,DC=local] objects[1206/1617] linked_values[0/0]
Partition[CN=Configuration,DC=yamatomura,DC=local] objects[1608/1617] linked_values[0/0]
Partition[CN=Configuration,DC=yamatomura,DC=local] objects[1617/1617] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=yamatomura,DC=local] objects[97/97] linked_values[24/0]
Partition[DC=yamatomura,DC=local] objects[367/270] linked_values[24/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=yamatomura,DC=local
Partition[DC=DomainDnsZones,DC=yamatomura,DC=local] objects[74/74] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=yamatomura,DC=local
Partition[DC=ForestDnsZones,DC=yamatomura,DC=local] objects[19/19] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain YAMATOMURA (SID S-1-5-21-1103419775-2087469381-2721633249) as a DC
「Verifying and Creating a DC DNS Record」を参照して、2台目のNTDS SettingsオブジェクトのobjectGUIDをCNAMEとしてDNSへ登録する。説明ではsamba 4.6以降では本手順は不要となっているのだが、4.6.7では必要だった。なお、最初のhostコマンドはドメイン名をyamatomura.loccalとタイプミスしているため、その出力だけではレコードの有無は判断できない。
root@raspberrypi1:/opt/samba/etc# ldbsearch -H /opt/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=RASPBERRYPI1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=yamatomura,DC=local
objectGUID: 47a81dec-2a7f-48a9-9312-08006115a3fa
# record 2
dn: CN=NTDS Settings,CN=RASPBERRYPI2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=yamatomura,DC=local
objectGUID: b5d3d0e3-4c3e-4253-adb1-6ab126adbb01
# returned 2 records
# 2 entries
# 0 referrals
root@raspberrypi1:/opt/samba/etc# host -t CNAME 47a81dec-2a7f-48a9-9312-08006115a3fa._msdcs.yamatomura.loccal.
47a81dec-2a7f-48a9-9312-08006115a3fa._msdcs.yamatomura.loccal has no CNAME record
root@raspberrypi1:/opt/samba/etc# samba-tool dns add raspberrypi2 _msdcs.yamatomura.local 47a81dec-2a7f-48a9-9312-08006115a3fa CNAME raspberrypi1.yamatomura.local -Uadministrator
Password for [YAMATOMURA\administrator]:
Record added successfully
root@raspberrypi1:/opt/samba/etc# host -t CNAME 47a81dec-2a7f-48a9-9312-08006115a3fa._msdcs.yamatomura.local.
47a81dec-2a7f-48a9-9312-08006115a3fa._msdcs.yamatomura.local is an alias for raspberrypi1.yamatomura.local.
root@raspberrypi1:/opt/samba/etc#
smb.confのdns forwarderを設定する。ドメインに参加したsambaでこれを設定しないと、ドメインに参加したコンピュータから名前解決ができなくなる。
/etc/dhcpcd.confのdomain_name_serversを設定する。
送信側の設定
xinetdをapt-getでインストールする。
apt-get install xinetd
rsyncの起動設定と起動を行う。
root@raspberrypi2:/etc# echo "rsync --daemon --config /etc/rsyncd.conf">>/etc/rc.local
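#!/bin/sh
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
#
# Abort on the first failing command. Set here rather than in the shebang
# so it still applies when the file is run as "sh /etc/rc.local".
set -e

# Print the IP address. "hostname -I" may fail on a host with no address
# yet, so the failure is tolerated and the message is simply skipped.
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
  printf "My IP address is %s\n" "$_IP"
fi

# Start the rsync daemon that exports the Samba sysvol share (see
# /etc/rsyncd.conf) so the other DC can pull it. Because of "set -e",
# a failure to start the daemon makes rc.local exit non-zero.
rsync --daemon --config /etc/rsyncd.conf

exit 0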
/etc/rc.local (END)
root@raspberrypi2:/etc# rsync --daemon --config /etc/rsyncd.conf
# rsyncd.conf: read-only export of the Samba sysvol directory, pulled by the
# other DC via rsync://sysvol-replication@<this host>/SysVol/ with a password file.
[SysVol]
path = /opt/samba/var/locks/sysvol/
comment = Samba Sysvol Share
# Transfers run as root so every file under sysvol is readable; "read only"
# keeps clients from writing back into this DC's sysvol.
uid = root
gid = root
read only = yes
# Only this account may connect. Its password is stored in the secrets file,
# which must be mode 600 (the setup notes report rsync failing otherwise).
auth users = sysvol-replication
secrets file = /opt/samba/etc/rsyncd.secret
# NOTE(review): no "hosts allow" is set, so any host that can reach the daemon
# may attempt to authenticate; consider restricting it to the peer DC.
/etc/rsyncd.conf (END)
パスワードファイルを作成する。
root@raspberrypi2:/opt/samba/etc# pico /opt/samba/etc/rsyncd.secret
sysvol-replication:pa$$w0rd
root@raspberrypi2:/opt/samba/etc# chmod 600 rsyncd.secret
権限を変更しないとrsyncに失敗する。
受信側の設定
まずはパスワードファイルを設定する。
root@raspberrypi1:/opt/samba/etc# pico rsync-client.secret
pa$$w0rd
permissionを変更しておく。
root@raspberrypi1:/opt/samba/etc# chmod 600 rsync-client.secret
最初にdry runをして正常に動作するか確認すること。本システムではraspberrypi2をFSMO役、すなわち送信側にしている。
root@raspberrypi1:/opt/samba/etc# rsync --dry-run -XAavz --delete-after --password-file=/opt/samba/etc/rsync-client.secret rsync://sysvol-replication@raspberrypi2/SysVol/ /opt/samba/var/locks/sysvol/
receiving file list ... done
./
yamatomura.local/
yamatomura.local/Policies/
yamatomura.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
yamatomura.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
yamatomura.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/
yamatomura.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/
yamatomura.local/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/
yamatomura.local/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
yamatomura.local/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/
yamatomura.local/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/
yamatomura.local/scripts/
sent 59 bytes received 588 bytes 99.54 bytes/sec
total size is 40 speedup is 0.06 (DRY RUN)
正常にrsyncできることを確認した後、cronに登録する。
echo "*/5 * * * * root rsync -XAavz --delete-after --password-file=/opt/samba/etc/rsync-client.secret rsync://sysvol-replication@raspberrypi2/SysVol/ /opt/samba/var/locks/sysvol/">/etc/cron.d/sysvol-replication
同期後にsysvolの権限(NT ACL)をリセットする処理を上記の設定に追記する。
echo "1-59/5 * * * * root /opt/samba/bin/samba-tool ntacl sysvolreset">>/etc/cron.d/sysvol-replication