setup AD controller on linux

This article was last updated on: August 9, 2024 (evening)

Setup AD controller with Samba on linux

Server:

root@ad:~# cat /etc/resolv.conf 
search hubo.io
nameserver 10.157.17.12

root@ad:~# cat /etc/hosts | grep ad
10.157.17.12 ad.hubo.io ad
root@ad:~# egrep -v "^#|^$|#" /etc/samba/smb.conf
[global]
dns forwarder = 10.50.50.50
netbios name = AD
realm = HUBO.IO
server role = active directory domain controller
workgroup = HUBO
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/dc.hubo.io/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
root@ad:~# sudo apt install -y acl attr samba samba-dsdb-modules samba-vfs-modules smbclient winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools
root@ad:~# sudo samba-tool domain provision
Realm [HUBO.IO]:
Domain [HUBO]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [10.157.17.12]: 10.50.50.50
Administrator password:
root@ad:~# samba-tool user create jason Huawei12#$
User 'jason' created successfully
root@ad:~# samba-tool user create root Huawei12#$
User 'root' created successfully
root@ad:~# samba-tool user list
Administrator
jasonoss
krbtgt
Guest
jason
root
root@ad:~# nslookup ad
Server: 10.157.17.12
Address: 10.157.17.12#53

Name: ad.hubo.io
Address: 10.157.17.12
Name: ad.hubo.io
Address: 2404:f801:1f:10a:21d:d8ff:fec1:372c
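The listing above is worth checking mechanically: the netlogon path it shows (`/var/lib/samba/sysvol/dc.hubo.io/scripts`) does not match the realm `HUBO.IO`, and the provisioning prompt defaults the DNS forwarder to 10.157.17.12, the DC's own address taken from resolv.conf, which is why the session overrides it with 10.50.50.50. The following shell script is an added example written for this page, not code from the original post or from the Samba project; the `smb_get`, `write_sample_conf` and `audit_dc_conf` names are this example's own, and the embedded configuration is a constructed copy of the listing above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit a Samba AD DC smb.conf for
# the settings the provisioning session relies on. Pass a path (for example
# /etc/samba/smb.conf) and optionally the DC's own IP; with no arguments it
# audits a constructed copy of the configuration shown on the page.
set -u

# Print the value of <key> in [<section>] of an smb.conf (section and key are
# case-insensitive; comments and surrounding whitespace are ignored).
# Prints nothing if the key is unset.
smb_get() {            # smb_get <conf-file> <section> <key>
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
      -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ { s = tolower($0); gsub(/\[|\]|[ \t]/, "", s); next }
    s == want && index($0, "=") {
      k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (tolower(k) == key) {
        v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# Constructed sample: the [global]/[netlogon]/[sysvol] settings from the
# provisioning session on the page, written to <path>.
write_sample_conf() {  # write_sample_conf <path>
  cat > "$1" <<'EOF'
[global]
dns forwarder = 10.50.50.50
netbios name = AD
realm = HUBO.IO
server role = active directory domain controller
workgroup = HUBO
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/dc.hubo.io/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
EOF
}

# Audit the DC-relevant settings: prints one OK/WARN/FAIL line per check and
# returns the number of FAIL lines. <dc-ip>, if given, lets the forwarder
# check catch a forwarder that points back at the DC itself.
audit_dc_conf() {      # audit_dc_conf <conf-file> [dc-ip]
  local conf=$1 dc_ip=${2:-} fails=0
  local role realm lrealm workgroup fwd netlogon sysvol
  role=$(smb_get "$conf" global "server role")
  realm=$(smb_get "$conf" global realm)
  workgroup=$(smb_get "$conf" global workgroup)
  fwd=$(smb_get "$conf" global "dns forwarder")
  netlogon=$(smb_get "$conf" netlogon path)
  sysvol=$(smb_get "$conf" sysvol path)
  lrealm=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')

  if [ "$role" = "active directory domain controller" ]; then
    echo "OK   server role is AD DC"
  else
    echo "FAIL server role is '${role:-unset}', expected 'active directory domain controller'"
    fails=$((fails + 1))
  fi

  if [ -z "$realm" ]; then
    echo "FAIL realm is unset"; fails=$((fails + 1))
  elif [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
    echo "WARN realm '$realm' is not upper case (Kerberos realm names are upper case by convention)"
  else
    echo "OK   realm $realm"
  fi

  if [ -n "$workgroup" ]; then
    echo "OK   workgroup $workgroup"
  else
    echo "FAIL workgroup is unset"; fails=$((fails + 1))
  fi

  if [ -z "$fwd" ]; then
    echo "WARN no dns forwarder: names outside $lrealm will not resolve through the DC"
  elif [ -n "$dc_ip" ] && [ "$fwd" = "$dc_ip" ]; then
    echo "FAIL dns forwarder $fwd is the DC itself (forwarding loop); use an upstream resolver"
    fails=$((fails + 1))
  else
    echo "OK   dns forwarder $fwd"
  fi

  if [ "$netlogon" = "/var/lib/samba/sysvol/$lrealm/scripts" ]; then
    echo "OK   netlogon path matches realm"
  else
    echo "WARN netlogon path '$netlogon' does not match realm; provisioning creates /var/lib/samba/sysvol/$lrealm/scripts"
  fi

  if [ "$sysvol" = "/var/lib/samba/sysvol" ]; then
    echo "OK   sysvol path"
  else
    echo "WARN sysvol path is '${sysvol:-unset}'"
  fi
  return "$fails"
}

# Stand-alone use: audit the given smb.conf, or the constructed sample.
if [ "$#" -gt 0 ]; then
  audit_dc_conf "$1" "${2:-}"
else
  sample=$(mktemp)
  write_sample_conf "$sample"
  audit_dc_conf "$sample" || true   # the sample yields one WARN (netlogon path) and no FAIL
  rm -f "$sample"
fi
```

Run it on the DC as `audit_dc_conf /etc/samba/smb.conf 10.157.17.12` (or simply execute the script with those two arguments) so that a forwarder left at the default is reported as a loop. One further point from the same session: `samba-tool user create` prompts for the password when the password argument is omitted, which keeps it out of shell history and `ps` output, unlike the inline `Huawei12#$` used above.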

Client:

 * Resolving: _ldap._tcp.hubo.io
* Performing LDAP DSE lookup on: 10.157.17.12
* Performing LDAP DSE lookup on: 2404:f801:1f:10a:21d:d8ff:fec1:372c
* Successfully discovered: hubo.io
Password for Administrator@HUBO.IO:
* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.X1SLQ1 -U Administrator@HUBO.IO ads join hubo.io
Enter Administrator@HUBO.IO's password:DNS update failed: NT_STATUS_INVALID_PARAMETER

Using short domain name -- HUBO
Joined 'SQL1' to dns domain 'hubo.io'
No DNS domain configured for sql1. Unable to perform DNS Update.
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.X1SLQ1 -U Administrator@HUBO.IO ads keytab create
Enter Administrator@HUBO.IO's password:
* /usr/bin/systemctl enable sssd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
* /usr/bin/systemctl restart sssd.service
* /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
* Successfully enrolled machine in realm
[root@sql1 ~]# realm discover hubo.io
hubo.io
type: kerberos
realm-name: HUBO.IO
domain-name: hubo.io
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@hubo.io
login-policy: allow-realm-logins
[root@sql1 ~]# id jason@hubo.io
uid=1064201104(jason@hubo.io) gid=1064200513(domain users@hubo.io) groups=1064200513(domain users@hubo.io)
[root@sql1 ~]# ssh jason@hubo.io@localhost
jason@hubo.io@localhost's password:
Creating home directory for jason@hubo.io.
[jason@hubo.io@sql1 ~]$ pwd
/home/jason@hubo.io
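The join above succeeds but reports `DNS update failed: NT_STATUS_INVALID_PARAMETER` and `No DNS domain configured for sql1. Unable to perform DNS Update.`: `net ads join` derives the client's DNS domain from its fully qualified host name, and a bare `sql1` that does not resolve to `sql1.hubo.io` gives it nothing to register, so the client's A record is never created on the DC. The following shell script is an added example for this page, not code from the original post or from Samba or realmd; the `client_fqdn` function and the two sample hosts files are this example's own, and the client address 10.157.17.20 in them is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): determine which FQDN a client
# would register during "net ads join", reproducing the "No DNS domain
# configured" condition from the join output above on constructed input.
set -u

# Work out the FQDN a client registers from <hostname> and an /etc/hosts file,
# for the lower-cased <dns-domain> (e.g. hubo.io). glibc takes the canonical
# name of a short hostname from the first name on the matching hosts line, so
# a short name only qualifies when its line starts with <short>.<dns-domain>.
# Prints the FQDN and returns 0, or prints the reason and returns 1.
client_fqdn() {        # client_fqdn <hostname> <hosts-file> <dns-domain>
  local host=$1 hosts=$2 domain=$3 short fqdn
  short=${host%%.*}
  case "$host" in
    *.*)
      if [ "${host#"$short".}" = "$domain" ]; then
        echo "$host"; return 0
      fi
      echo "hostname '$host' is not in $domain"; return 1 ;;
  esac
  fqdn=$(awk -v want="$short.$domain" -v short="$short" '
    /^[ \t]*#/ || NF < 2 { next }
    $2 == want {
      for (i = 2; i <= NF; i++) if ($i == short) { print want; exit }
    }' "$hosts")
  if [ -n "$fqdn" ]; then
    echo "$fqdn"; return 0
  fi
  echo "no DNS domain for '$short': set the hostname to $short.$domain or add it as canonical name in /etc/hosts"
  return 1
}

# Constructed sample hosts files (client IP 10.157.17.20 is made up): the first
# mirrors a client that only knows its short name, as sql1 did above; the
# second carries the FQDN as the canonical name.
write_hosts_short() { printf '127.0.0.1 localhost\n10.157.17.20 sql1\n' > "$1"; }
write_hosts_fqdn()  { printf '127.0.0.1 localhost\n10.157.17.20 sql1.hubo.io sql1\n' > "$1"; }

# Stand-alone use: pass <hostname> <hosts-file> <dns-domain>, e.g.
#   client_fqdn "$(hostname)" /etc/hosts hubo.io
# With no arguments, walk the constructed cases.
if [ "$#" -eq 3 ]; then
  client_fqdn "$1" "$2" "$3"
else
  h=$(mktemp)
  write_hosts_short "$h"; client_fqdn sql1 "$h" hubo.io || true
  write_hosts_fqdn "$h";  client_fqdn sql1 "$h" hubo.io
  client_fqdn sql1.hubo.io "$h" hubo.io
  rm -f "$h"
fi
```

On a client that fails this check, set the FQDN with `hostnamectl set-hostname sql1.hubo.io` (or add the `sql1.hubo.io sql1` line to /etc/hosts) and re-run the registration with `net ads dns register`; alternatively create the record on the DC with `samba-tool dns add ad.hubo.io hubo.io sql1 A <client-ip>`, where `<client-ip>` is the client's address. Without the record, `ssh jason@hubo.io@sql1` from other hosts and Kerberos host-principal lookups depend on whatever the client has in /etc/hosts rather than on the domain DNS.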


setup AD controller on linux
https://git.msft.vip/2024/03/30-setup-AD-controller-on-linux/
Author
Jas0n0ss
Published on
March 30, 2024
Updated on
August 9, 2024
License