湖濱散記部落格的樹心幽徑
481: 20190208 Securely sharing NFS home directories with Kerberos… not yet successful.

(1)$ sudo -i

# MY_HOSTNAME=$(</etc/hostname)

# MY_DOMAIN=${MY_HOSTNAME#*.}

# echo $MY_DOMAIN
home.idv.tw

# echo $MY_HOSTNAME
sice.home.idv.tw

(2)# dnf install -y ntpdate

(3)#  ntpdate $MY_DOMAIN
 8 Feb 17:31:24 ntpdate[15877]: no server suitable for synchronization found

# ntpdate time.stdtime.gov.tw;
 8 Feb 17:40:49 ntpdate[16074]: adjust time server 118.163.81.61 offset 0.000618 sec

# ntpdate -s watch.stdtime.gov.tw;

# ntpdate  watch.stdtime.gov.tw;
 8 Feb 17:42:22 ntpdate[16081]: adjust time server 118.163.81.63 offset 0.000549 sec
#  hwclock -u -w

# date
五  2月  8 17:43:10 CST 2019

(4)# dnf install -y ntp

# MY_NETWORK=192.168.1.0

# MY_NETMASK=255.255.255.0

# MY_ADSERVER1=192.168.1.103

#  vi /etc/ntp.conf
# cat /etc/ntp.conf
tinker panic 0
restrict -6 default ignore

driftfile /var/lib/ntp/drift
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys

restrict default ignore
restrict 192.168.1.0 mask 255.255.255.0
restrict 127.0.0.1

server 192.168.1.103

# nslookup $MY_DOMAIN
Server:        192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
Name:    home.idv.tw
Address: 121.254.84.64

# sudo firewall-cmd --add-service=ntp --permanent

# sudo firewall-cmd --reload

# systemctl enable ntpd.service

# systemctl start ntpd.service

#  ntpq -4 -p

# firewall-cmd --runtime-to-permanent

#   ntpdate $MY_DOMAIN
 8 Feb 20:52:50 ntpdate[17733]: the NTP socket is in use, exiting

(5)# dnf install -y krb5-workstation

(6)# echo ${MY_DOMAIN^^}
HOME.IDV.TW

MY_REALM=${MY_DOMAIN^^}

# echo ${MY_DOMAIN%%.*}
home

# echo ${MY_DOMAIN}
home.idv.tw

# cat << END > /etc/krb5.conf.d/${MY_DOMAIN%%.*}
> [libdefaults]
>   default_realm = $MY_REALM
>   dns_lookup_kdc = true
>
> [domain_realm]
>   .$MY_DOMAIN = $MY_REALM
> END

# ls /etc/krb5.conf.d/ -t
home  crypto-policies

# cat /etc/krb5.conf.d/home
[libdefaults]
  default_realm = HOME.IDV.TW
  dns_lookup_kdc = true

[domain_realm]
  .home.idv.tw = HOME.IDV.TW

(7-1)# dnf install -y sssd

(7-2)# cat << END > /etc/sssd/sssd.conf
> [sssd]
>   services = nss
>   config_file_version = 2
>   domains = $MY_DOMAIN
>
> [domain/$MY_DOMAIN]
>   id_provider = ad
>   ldap_idmap_range_min = 0
>   ldap_idmap_range_max = 2100000000
>   ldap_idmap_range_size = 100000000
>   ldap_idmap_default_domain_sid = S-1-5-21-0-0-0
>   krb5_store_password_if_offline = true
>   cache_credentials = true
>   ignore_group_members = true
>   override_gid = 100
>   override_shell = /bin/bash
>   override_homedir = /home/%u
> END

(7-3)# cat /etc/sssd/sssd.conf
[sssd]
  services = nss
  config_file_version = 2
  domains = home.idv.tw

[domain/home.idv.tw]
  id_provider = ad
  ldap_idmap_range_min = 0
  ldap_idmap_range_max = 2100000000
  ldap_idmap_range_size = 100000000
  ldap_idmap_default_domain_sid = S-1-5-21-0-0-0
  krb5_store_password_if_offline = true
  cache_credentials = true
  ignore_group_members = true
  override_gid = 100
  override_shell = /bin/bash
  override_homedir = /home/%u

(7-5)# chmod 600 /etc/sssd/sssd.conf

(7-6)# echo DenyGroups users >> /etc/ssh/sshd_config && systemctl restart sshd.service

(8) Install SSSD (System Security Services Daemon) for remote directory access and authentication

(8-1)# systemctl start sssd.service
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.

(8-2)# systemctl status sssd.service
● sssd.service - System Security Services Daemon
:
 2月 09 19:49:18 sice.home.idv.tw sssd[be[home.idv.tw]][5419]: Failed to read keytab [default]: 沒有此一檔案或目錄
:

(8-3)# dnf install -y authconfig

(9) Install samba and samba-dc

# dnf -y install samba samba-dc

(10-1) #  mv /etc/samba/smb.conf /etc/samba/smb.conf.org

(10-2) # cat  /etc/samba/smb.conf.org
:
[global]
    workgroup = SAMBA
    security = user

    passdb backend = tdbsam

    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes

[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @printadmin root
    force group = @printadmin
    create mask = 0664
    directory mask = 0775

(10-3)# samba-tool domain provision
Realm [HOME.IDV.TW]:
 Domain [HOME]: SMB01
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]:
Administrator password: !w?????
Retype password: !w?????
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

Adding DomainDN: DC=home,DC=idv,DC=tw
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers and extended rights
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=home,DC=idv,DC=tw
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Once the above files are installed, your Samba AD server will be ready to use
Server Role:           active directory domain controller
Hostname:              sice
NetBIOS Domain:        SMB01
DNS Domain:            home.idv.tw
DOMAIN SID:            S-1-5-21-2956589458-940804405-3848506313
(10-4)

# samba-tool domain provision
Realm [HOME.IDV.TW]:
 Domain [HOME]: SMB01
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

Adding DomainDN: DC=home,DC=idv,DC=tw
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers and extended rights
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=home,DC=idv,DC=tw
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Once the above files are installed, your Samba AD server will be ready to use
Server Role:           active directory domain controller
Hostname:              sice
NetBIOS Domain:        SMB01
DNS Domain:            home.idv.tw
DOMAIN SID:            S-1-5-21-512889258-4134431294-676729561

(10-5) # cat /var/lib/samba/private/kdc.conf
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88
    kadmind_port = 464

[realms]
    HOME.IDV.TW = {
    }

    home.idv.tw = {
    }

    SMB01 = {
    }

[dbmodules]
    db_module_dir = /usr/lib64/krb5/plugins/kdb

    HOME.IDV.TW = {
        db_library = samba
    }

    home.idv.tw = {
        db_library = samba
    }

    SMB01 = {
        db_library = samba
    }

[logging]
    kdc = FILE:/var/log/samba/mit_kdc.log
    admin_server = FILE:/var/log/samba/mit_kadmin.log

(10-6)# cat  /var/lib/samba/private/krb5.conf
[libdefaults]
    default_realm = HOME.IDV.TW
    dns_lookup_realm = false
    dns_lookup_kdc = true

(11-1)

#  cp /var/lib/samba/private/krb5.conf /etc/
cp:是否覆寫 '/etc/krb5.conf'? n

# mv /etc/krb5.conf /etc/krb5.conf.20190209

#  cp /var/lib/samba/private/krb5.conf /etc/

# systemctl start samba

# systemctl enable samba
Created symlink /etc/systemd/system/multi-user.target.wants/samba.service → /usr/lib/systemd/system/samba.service.

(11-2)

#  cp /var/lib/samba/private/krb5.conf /etc
cp:是否覆寫 '/etc/krb5.conf'? n

# mv /etc/krb5.conf /etc/krb5.conf.20190209b

#  cp /var/lib/samba/private/krb5.conf /etc

#  systemctl start samba

# systemctl enable samba

(12)

# samba-tool domain level show
Domain and forest function level for domain 'DC=home,DC=idv,DC=tw'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

# samba-tool user create fedora
New Password:
Retype Password:
User 'fedora' created successfully

# samba-tool user create fedora28
New Password:
Retype Password:
User 'fedora28' created successfully

# samba-tool user list
krbtgt
Administrator
fedora28
Guest

(13)

# firewall-cmd --add-service={dns,kerberos,kpasswd,ldap,ldaps,samba} --permanent
success

# firewall-cmd --add-port={135/tcp,137-138/udp,139/tcp,3268-3269/tcp,49152-65535/tcp} --permanent
success

# firewall-cmd --reload
success


(14) #  MY_USERNAME=treehrt

# adcli delete-computer "${MY_HOSTNAME%%.*}" -U "$MY_USERNAME"
adcli: couldn't connect to home.idv.tw domain: Couldn't find usable domain controller to connect to

(15) # rm -f /etc/krb5.keytab

# MY_OU="cn=computers,dc=${MY_DOMAIN//./,dc=}"

# echo $MY_OU
cn=computers,dc=home,dc=idv,dc=tw

# adcli join $MY_DOMAIN --login-user="$MY_USERNAME" --computer-name="${MY_HOSTNAME%%.*}" --host-fqdn="$MY_HOSTNAME" --user-principal="host/$MY_HOSTNAME@$MY_REALM" --service-name="host" --service-name="nfs" --domain-ou="$MY_OU"
adcli: couldn't connect to home.idv.tw domain: Couldn't find usable domain controller to connect to

# echo  $MY_DOMAIN --login-user="$MY_USERNAME" --computer-name="${MY_HOSTNAME%%.*}" --host-fqdn="$MY_HOSTNAME" --user-principal="host/$MY_HOSTNAME@$MY_REALM" --service-name="host" --service-name="nfs" --domain-ou="$MY_OU"
home.idv.tw --login-user=treehrt --computer-name=sice --host-fqdn=sice.home.idv.tw --user-principal=host/sice.home.idv.tw@HOME.IDV.TW --service-name=host --service-name=nfs --domain-ou=cn=computers,dc=home,dc=idv,dc=tw
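Added example (not from the original notes, the Fedora pages or the Samba project): the host-name to realm, base DN and computer-OU derivation from steps (1), (6) and (15) in portable sh, plus pre-flight checks for the two conditions whose absence produced the failures recorded here, the missing /etc/krb5.keytab that sssd's id_provider = ad needs and a domain controller that adcli cannot find. Function names are hypothetical; host names and paths are the ones used above.

```shell
#!/bin/sh
# Added example, not part of the original notes: portable-sh versions of the
# bash expansions used above (${MY_HOSTNAME#*.}, ${MY_DOMAIN^^},
# ${MY_DOMAIN//./,dc=}) plus pre-flight checks for an AD/Kerberos join.
# Function names are hypothetical; host names and paths come from the notes.

# sice.home.idv.tw -> home.idv.tw
domain_of() {
  printf '%s\n' "${1#*.}"
}

# sice.home.idv.tw -> HOME.IDV.TW (tr instead of the bash-only ${var^^})
realm_of() {
  domain_of "$1" | tr '[:lower:]' '[:upper:]'
}

# home.idv.tw -> dc=home,dc=idv,dc=tw
base_dn_of() {
  printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# home.idv.tw -> cn=computers,dc=home,dc=idv,dc=tw (the --domain-ou above)
computer_ou_of() {
  printf 'cn=computers,%s\n' "$(base_dn_of "$1")"
}

# sice.home.idv.tw -> host/sice.home.idv.tw@HOME.IDV.TW (adcli --user-principal)
host_principal_of() {
  printf 'host/%s@%s\n' "$1" "$(realm_of "$1")"
}

# sssd with id_provider = ad reads the host keytab at start-up; the journal
# line "Failed to read keytab [default]" above is this file being absent.
# Returns 0 when the keytab is readable and klist lists the given principal.
keytab_ok() {
  keytab="$1"
  principal="$2"
  if [ ! -r "$keytab" ]; then
    echo "missing or unreadable keytab: $keytab" >&2
    return 1
  fi
  if ! command -v klist >/dev/null 2>&1; then
    echo "klist not installed (krb5-workstation), cannot inspect $keytab" >&2
    return 1
  fi
  # klist -k prints one principal per line after a two-line header.
  if ! klist -k "$keytab" 2>/dev/null | grep -qF "$principal"; then
    echo "keytab $keytab has no entry for $principal" >&2
    return 1
  fi
  return 0
}

# adcli's "Couldn't find usable domain controller" means the SRV lookup that
# realm discover relies on returned nothing; check it with dig when present.
kdc_srv_ok() {
  if ! command -v dig >/dev/null 2>&1; then
    echo "dig not installed, skipping SRV check" >&2
    return 0
  fi
  dig +short SRV "_kerberos._tcp.$1" | grep -q .
}

# sh preflight.sh --check reads /etc/hostname as step (1) does and reports.
preflight() {
  host="$(cat /etc/hostname)"
  domain="$(domain_of "$host")"
  echo "realm:      $(realm_of "$host")"
  echo "base DN:    $(base_dn_of "$domain")"
  echo "machine OU: $(computer_ou_of "$domain")"
  kdc_srv_ok "$domain" && echo "KDC SRV record: ok"
  keytab_ok /etc/krb5.keytab "$(host_principal_of "$host")" && echo "keytab: ok"
}

[ "${1:-}" = "--check" ] && preflight
```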

(16)# cat /etc/samba/smb.conf
:
[global]
    dns forwarder = 192.168.1.1
    netbios name = SICE
    realm = HOME.IDV.TW
    server role = active directory domain controller
    workgroup = SMB01

[netlogon]
    path = /var/lib/samba/sysvol/home.idv.tw/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
[root@sice ~]#


(17)

#  groupadd security

#  mkdir /home/security

#  chgrp security /home/security

#  chmod 770 /home/security

# vi /etc/samba/smb.conf

# cat /etc/samba/smb.conf
# Global parameters
[global]
    dns forwarder = 192.168.1.1
    netbios name = SICE 

    realm = HOME.IDV.TW
    server role = active directory domain controller
    workgroup = SMB01

unix charset = UTF-8
dos charset = CP932
hosts allow =192.168.1. 127.

[Security]
    path = /home/security
    writable = yes
    create mode = 0770
    directory mode = 0770
    # not allow guest user
    guest ok = no
    # allow only security group
    valid users = @security

[netlogon]
    path = /var/lib/samba/sysvol/home.idv.tw/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

(18)

#  systemctl start smb nmb

Job for nmb.service failed because the control process exited with error code.
See "systemctl status nmb.service" and "journalctl -xe" for details.
Job for smb.service failed because the control process exited with error code.
See "systemctl status smb.service" and "journalctl -xe" for details.

# systemctl enable smb nmb

Created symlink /etc/systemd/system/multi-user.target.wants/smb.service → /usr/lib/systemd/system/smb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/nmb.service → /usr/lib/systemd/system/nmb.service.

(19)

# firewall-cmd --add-service=samba --permanent
Warning: ALREADY_ENABLED: samba
success

#  firewall-cmd --reload
success

# setsebool -P samba_enable_home_dirs on
setsebool:  SELinux is disabled.

#  restorecon -R /home/security

(20-1)# realm discover HOME.IDV.TW
home.idv.tw
  type: kerberos
  realm-name: HOME.IDV.TW
  domain-name: home.idv.tw
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy:
[root@sice ~]#

(20-2)# realm join HOME.IDV.TW
realm: Already joined to this domain

(20-3)# id  SMB01\\fedora28
id: ‘SMB01\\fedora28’: no such user

(20-4)# samba-tool group add fedoraGRP

(21)

# restorecon /etc/krb5.conf

# cat /etc/krb5.conf
[libdefaults]
    default_realm = HOME.IDV.TW
    dns_lookup_realm = false
    dns_lookup_kdc = true
[root@sice ~]#  systemctl restart sssd
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
[root@sice ~]#  systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sat 2019-02-09 20:52:13 CST; 8s ago
  Process: 5933 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=1/FAILURE)
 Main PID: 5933 (code=exited, status=1/FAILURE)

 2月 09 20:52:08 sice.home.idv.tw sssd[be[home.idv.tw]][5937]: Failed to read keytab [default]: 沒有此一檔案或目錄
 2月 09 20:52:11 sice.home.idv.tw sssd[nss][5938]: Starting up
 2月 09 20:52:11 sice.home.idv.tw sssd[nss][5939]: Starting up
 2月 09 20:52:12 sice.home.idv.tw sssd[be[home.idv.tw]][5940]: Starting up
 2月 09 20:52:13 sice.home.idv.tw sssd[be[home.idv.tw]][5940]: Failed to read keytab [default]: 沒有此一檔案或目錄
 2月 09 20:52:13 sice.home.idv.tw sssd[5933]: Exiting the SSSD. Could not restart critical service [home.idv.tw].
 2月 09 20:52:13 sice.home.idv.tw sssd[be[implicit_files]][5934]: Shutting down
 2月 09 20:52:13 sice.home.idv.tw systemd[1]: sssd.service: Main process exited, code=exited, status=1/FAILURE
 2月 09 20:52:13 sice.home.idv.tw systemd[1]: sssd.service: Failed with result 'exit-code'.
 2月 09 20:52:13 sice.home.idv.tw systemd[1]: Failed to start System Security Services Daemon.

(22)

# nmcli connection mod br0 ipv4.dns 192.168.1.1

# nmcli connection down br0
Connection 'br0' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)

# nmcli connection up br0
Connection successfully activated (master waiting for slaves) (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)

# systemctl restart samba.service

# systemctl status samba.service

● samba.service - Samba AD Daemon
   Loaded: loaded (/usr/lib/systemd/system/samba.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-02-09 21:15:00 CST; 2s ago
     Docs: man:samba(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 6363 (samba)
   Status: "winbindd: ready to serve connections..."
    Tasks: 25 (limit: 4915)
   Memory: 202.2M
   CGroup: /system.slice/samba.service
           ├─6363 /usr/sbin/samba --foreground --no-process-group
           ├─6364 /usr/sbin/samba --foreground --no-process-group
           ├─6365 /usr/sbin/samba --foreground --no-process-group
           ├─6366 /usr/sbin/samba --foreground --no-process-group
           ├─6367 /usr/sbin/samba --foreground --no-process-group
           ├─6368 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─6369 /usr/sbin/samba --foreground --no-process-group
           ├─6370 /usr/sbin/samba --foreground --no-process-group
           ├─6371 /usr/sbin/samba --foreground --no-process-group
           ├─6372 /usr/sbin/samba --foreground --no-process-group
           ├─6373 /usr/sbin/samba --foreground --no-process-group
           ├─6374 /usr/sbin/samba --foreground --no-process-group
           ├─6375 /usr/sbin/samba --foreground --no-process-group
           ├─6376 /usr/sbin/samba --foreground --no-process-group
           ├─6377 /usr/sbin/samba --foreground --no-process-group
           ├─6378 /usr/sbin/samba --foreground --no-process-group
           ├─6379 /usr/sbin/samba --foreground --no-process-group
           ├─6380 /usr/sbin/samba --foreground --no-process-group
           ├─6381 /usr/sbin/krb5kdc -n
           ├─6382 /usr/sbin/samba --foreground --no-process-group
           ├─6383 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─6384 /usr/bin/python2 /usr/sbin/samba_dnsupdate
           ├─6389 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─6390 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           └─6391 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground

 2月 09 21:15:03 sice.home.idv.tw samba[6377]: [2019/02/09 21:15:03.425669,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
 2月 09 21:15:03 sice.home.idv.tw samba[6377]:   /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
 2月 09 21:15:03 sice.home.idv.tw samba[6377]: [2019/02/09 21:15:03.425835,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
 2月 09 21:15:03 sice.home.idv.tw samba[6377]:   /usr/sbin/samba_dnsupdate:   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
 2月 09 21:15:03 sice.home.idv.tw samba[6377]: [2019/02/09 21:15:03.425892,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
 2月 09 21:15:03 sice.home.idv.tw samba[6377]:   /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
 2月 09 21:15:03 sice.home.idv.tw samba[6377]: [2019/02/09 21:15:03.425934,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
 2月 09 21:15:03 sice.home.idv.tw samba[6377]:   /usr/sbin/samba_dnsupdate:   File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
 2月 09 21:15:03 sice.home.idv.tw samba[6377]: [2019/02/09 21:15:03.425978,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
 2月 09 21:15:03 sice.home.idv.tw samba[6377]:   /usr/sbin/samba_dnsupdate:     raise e
[root@sice ~]#

(23)# net ads testjoin
kerberos_kinit_password SMB01@HOME.IDV.TW failed: Client not found in Kerberos database
kerberos_kinit_password SMB01@HOME.IDV.TW failed: Client not found in Kerberos database
Join to domain is not valid: The name provided is not a properly formed account name.
[root@sice ~]#

(24)# net ads leave -U Administrator
Enter Administrator's password:
Failed to leave domain: This machine is a domain controller and cannot be unjoined from a domain.

(25)# net ads join -U Administrator
Host is not configured as a member server.
Invalid configuration.  Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

(26)# net ads keytab create -U Administrator
Enter Administrator's password:
kerberos_kinit_password SMB01@HOME.IDV.TW failed: Client not found in Kerberos database
kerberos_kinit_password SMB01@HOME.IDV.TW failed: Client not found in Kerberos database
[root@sice ~]#

(27)# klist -k
Keytab name: FILE:/etc/krb5.keytab
klist: Key table file '/etc/krb5.keytab' not found while starting keytab scan

[root@sice ~]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
[root@sice ~]#

(28)

# rm /etc/samba/smb.conf
rm:是否移除普通檔案'/etc/samba/smb.conf'? y

# samba-tool domain provision
Realm [HOME.IDV.TW]: SICE.HOME.IDV.TW
 Domain [SICE]: SMB01
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

Adding DomainDN: DC=sice,DC=home,DC=idv,DC=tw
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers and extended rights
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=sice,DC=home,DC=idv,DC=tw
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Once the above files are installed, your Samba AD server will be ready to use
Server Role:           active directory domain controller
Hostname:              sice
NetBIOS Domain:        SMB01
DNS Domain:            sice.home.idv.tw
DOMAIN SID:            S-1-5-21-3256789770-3481484408-2431171835

# net ads testjoin
kerberos_kinit_password SMB01@SICE.HOME.IDV.TW failed: Cannot contact any KDC for requested realm
ads_connect: Cannot contact any KDC for requested realm
Join to domain is not valid: No logon servers are currently available to service the logon request.

# net ads leave -U Administrator
Enter Administrator's password:
Failed to leave domain: This machine is a domain controller and cannot be unjoined from a domain.

# net ads join -U Administrator
Host is not configured as a member server.
Invalid configuration.  Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.


# net ads keytab create -U Administrator

Warning: "kerberos method" must be set to a keytab method to use keytab functions.
Enter Administrator's password:
kerberos_kinit_password SMB01@SICE.HOME.IDV.TW failed: Cannot contact any KDC for requested realm
ads_connect: Cannot contact any KDC for requested realm
kerberos_kinit_password SMB01@SICE.HOME.IDV.TW failed: Cannot contact any KDC for requested realm
ads_connect: Cannot contact any KDC for requested realm


# klist -k
Keytab name: FILE:/etc/krb5.keytab
klist: Key table file '/etc/krb5.keytab' not found while starting keytab scan


REF1: https://fedoramagazine.org/secure-nfs-home-directories-kerberos/

REF2: https://www.server-world.info/en/note?os=Fedora_28&p=samba&f=3

REF3: http://felipeferreira.net/index.php/2017/01/failed-to-read-keytab-default/

