(1)$ sudo -i
# MY_HOSTNAME=$(</etc/hostname)
# MY_DOMAIN=${MY_HOSTNAME#*.}
# echo $MY_DOMAIN home.idv.tw
# echo $MY_HOSTNAME sice.home.idv.tw
(2)# dnf install -y ntpdate
(3)# ntpdate $MY_DOMAIN 8 Feb 17:31:24 ntpdate[15877]: no server suitable for synchronization found
# ntpdate time.stdtime.gov.tw; 8 Feb 17:40:49 ntpdate[16074]: adjust time server 118.163.81.61 offset 0.000618 sec
# ntpdate -s watch.stdtime.gov.tw;
# ntpdate watch.stdtime.gov.tw; 8 Feb 17:42:22 ntpdate[16081]: adjust time server 118.163.81.63 offset 0.000549 sec # hwclock -u -w
# date 五 2月 8 17:43:10 CST 2019
(4)# dnf install -y ntp
# MY_NETWORK=192.168.1.0
# MY_NETMASK=255.255.255.0
# MY_ADSERVER1=192.168.1.103
# vi /etc/ntp.conf # cat /etc/ntp.conf tinker panic 0 restrict -6 default ignore
driftfile /var/lib/ntp/drift includefile /etc/ntp/crypto/pw keys /etc/ntp/keys
restrict default ignore restrict 192.168.1.0 mask 255.255.255.0 restrict 127.0.0.1
server 192.168.1.103
# nslookup $MY_DOMAIN Server: 192.168.1.1 Address: 192.168.1.1#53
Non-authoritative answer: Name: home.idv.tw Address: 121.254.84.64
# sudo firewall-cmd --add-service=ntp --permanent
# sudo firewall-cmd --reload
# systemctl enable ntpd.service
# systemctl start ntpd.service
# ntpq -4 -p
# firewall-cmd --runtime-to-permanent
# ntpdate $MY_DOMAIN 8 Feb 20:52:50 ntpdate[17733]: the NTP socket is in use, exiting
(5)# dnf install -y krb5-workstation
(6)# echo ${MY_DOMAIN^^} HOME.IDV.TW
# MY_REALM=${MY_DOMAIN^^}
# echo ${MY_DOMAIN%%.*} home
# echo ${MY_DOMAIN} home.idv.tw
# cat << END > /etc/krb5.conf.d/${MY_DOMAIN%%.*} > [libdefaults] > default_realm = $MY_REALM > dns_lookup_kdc = true > > [domain_realm] > .$MY_DOMAIN = $MY_REALM > END
# ls /etc/krb5.conf.d/ -t home crypto-policies
# cat /etc/krb5.conf.d/home [libdefaults] default_realm = HOME.IDV.TW dns_lookup_kdc = true
[domain_realm] .home.idv.tw = HOME.IDV.TW
(7-1)# dnf install -y sssd
(7-2)# cat << END > /etc/sssd/sssd.conf > [sssd] > services = nss > config_file_version = 2 > domains = $MY_DOMAIN > > [domain/$MY_DOMAIN] > id_provider = ad > ldap_idmap_range_min = 0 > ldap_idmap_range_max = 2100000000 > ldap_idmap_range_size = 100000000 > ldap_idmap_default_domain_sid = S-1-5-21-0-0-0 > krb5_store_password_if_offline = true > cache_credentials = true > ignore_group_members = true > override_gid = 100 > override_shell = /bin/bash > override_homedir = /home/%u > END
(7-3)# cat /etc/sssd/sssd.conf [sssd] services = nss config_file_version = 2 domains = home.idv.tw
[domain/home.idv.tw] id_provider = ad ldap_idmap_range_min = 0 ldap_idmap_range_max = 2100000000 ldap_idmap_range_size = 100000000 ldap_idmap_default_domain_sid = S-1-5-21-0-0-0 krb5_store_password_if_offline = true cache_credentials = true ignore_group_members = true override_gid = 100 override_shell = /bin/bash override_homedir = /home/%u
(7-5)# chmod 600 /etc/sssd/sssd.conf
(7-6)# echo DenyGroups users >> /etc/ssh/sshd_config && systemctl restart sshd.service
(8) 安裝 SSSD (System Security Services Daemon) 供遠端目錄存取與認證
(8-1)# systemctl start sssd.service Job for sssd.service failed because the control process exited with error code. See "systemctl status sssd.service" and "journalctl -xe" for details.
(8-2)# systemctl status sssd.service ● sssd.service - System Security Services Daemon : 2月 09 19:49:18 sice.home.idv.tw sssd[be[home.idv.tw]][5419]: Failed to read keytab [default]: 沒有此一檔案或目錄 :
(8-3)# dnf install -y authconfig
(9) 安裝 samba 及 samba-dc
# dnf -y install samba samba-dc
(10-1) # mv /etc/samba/smb.conf /etc/samba/smb.conf.org
(10-2) # cat /etc/samba/smb.conf.org : [global] workgroup = SAMBA security = user
passdb backend = tdbsam
printing = cups printcap name = cups load printers = yes cups options = raw
[homes] comment = Home Directories valid users = %S, %D%w%S browseable = No read only = No inherit acls = Yes
[printers] comment = All Printers path = /var/tmp printable = Yes create mask = 0600 browseable = No
[print$] comment = Printer Drivers path = /var/lib/samba/drivers write list = @printadmin root force group = @printadmin create mask = 0664 directory mask = 0775
(10-3)# samba-tool domain provision Realm [HOME.IDV.TW]: Domain [HOME]: SMB01 Server Role (dc, member, standalone) [dc]: DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]: Administrator password: !w????? Retype password: !w????? Looking up IPv4 addresses Looking up IPv6 addresses No IPv6 address will be assigned Setting up share.ldb Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
Adding DomainDN: DC=home,DC=idv,DC=tw Adding configuration container Setting up sam.ldb schema Setting up sam.ldb configuration data Setting up display specifiers Modifying display specifiers and extended rights Adding users container Modifying users container Adding computers container Modifying computers container Setting up sam.ldb data Setting up well known security principals Setting up sam.ldb users and groups Setting up self join Adding DNS accounts Creating CN=MicrosoftDNS,CN=System,DC=home,DC=idv,DC=tw Creating DomainDnsZones and ForestDnsZones partitions Populating DomainDnsZones and ForestDnsZones partitions Setting up sam.ldb rootDSE marking as synchronized Fixing provision GUIDs The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink! Once the above files are installed, your Samba AD server will be ready to use Server Role: active directory domain controller Hostname: sice NetBIOS Domain: SMB01 DNS Domain: home.idv.tw DOMAIN SID: S-1-5-21-2956589458-940804405-3848506313 (10-4)
# samba-tool domain provision Realm [HOME.IDV.TW]: Domain [HOME]: SMB01 Server Role (dc, member, standalone) [dc]: DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]: Administrator password: Retype password: Looking up IPv4 addresses Looking up IPv6 addresses No IPv6 address will be assigned Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
Adding DomainDN: DC=home,DC=idv,DC=tw Adding configuration container Setting up sam.ldb schema Setting up sam.ldb configuration data Setting up display specifiers Modifying display specifiers and extended rights Adding users container Modifying users container Adding computers container Modifying computers container Setting up sam.ldb data Setting up well known security principals Setting up sam.ldb users and groups Setting up self join Adding DNS accounts Creating CN=MicrosoftDNS,CN=System,DC=home,DC=idv,DC=tw Creating DomainDnsZones and ForestDnsZones partitions Populating DomainDnsZones and ForestDnsZones partitions Setting up sam.ldb rootDSE marking as synchronized Fixing provision GUIDs The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink! Once the above files are installed, your Samba AD server will be ready to use Server Role: active directory domain controller Hostname: sice NetBIOS Domain: SMB01 DNS Domain: home.idv.tw DOMAIN SID: S-1-5-21-512889258-4134431294-676729561
(10-5) # cat /var/lib/samba/private/kdc.conf [kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88 kadmind_port = 464
[realms] HOME.IDV.TW = { }
home.idv.tw = { }
SMB01 = { }
[dbmodules] db_module_dir = /usr/lib64/krb5/plugins/kdb
HOME.IDV.TW = { db_library = samba }
home.idv.tw = { db_library = samba }
SMB01 = { db_library = samba }
[logging] kdc = FILE:/var/log/samba/mit_kdc.log admin_server = FILE:/var/log/samba/mit_kadmin.log
(10-6)# cat /var/lib/samba/private/krb5.conf [libdefaults] default_realm = HOME.IDV.TW dns_lookup_realm = false dns_lookup_kdc = true
(11-1)
# cp /var/lib/samba/private/krb5.conf /etc/ cp:是否覆寫 '/etc/krb5.conf'? n
# mv /etc/krb5.conf /etc/krb5.conf.20190209
# cp /var/lib/samba/private/krb5.conf /etc/
# systemctl start samba
# systemctl enable samba Created symlink /etc/systemd/system/multi-user.target.wants/samba.service → /usr/lib/systemd/system/samba.service.
(11-2)
# cp /var/lib/samba/private/krb5.conf /etc cp:是否覆寫 '/etc/krb5.conf'? n
# mv /etc/krb5.conf /etc/krb5.conf.20190209b
# cp /var/lib/samba/private/krb5.conf /etc
# systemctl start samba
# systemctl enable samba
(12)
# samba-tool domain level show Domain and forest function level for domain 'DC=home,DC=idv,DC=tw'
Forest function level: (Windows) 2008 R2 Domain function level: (Windows) 2008 R2 Lowest function level of a DC: (Windows) 2008 R2
# samba-tool user create fedora New Password: Retype Password: User 'fedora' created successfully
# samba-tool user create fedora28 New Password: Retype Password: User 'fedora28' created successfully
# samba-tool user list krbtgt Administrator fedora28 Guest
(13)
# firewall-cmd --add-service={dns,kerberos,kpasswd,ldap,ldaps,samba} --permanent success
# firewall-cmd --add-port={135/tcp,137-138/udp,139/tcp,3268-3269/tcp,49152-65535/tcp} --permanent success
# firewall-cmd --reload success
(14) # MY_USERNAME=treehrt
# adcli delete-computer "${MY_HOSTNAME%%.*}" -U "$MY_USERNAME" adcli: couldn't connect to home.idv.tw domain: Couldn't find usable domain controller to connect to
(15) # rm -f /etc/krb5.keytab
# MY_OU="cn=computers,dc=${MY_DOMAIN//./,dc=}"
# echo $MY_OU cn=computers,dc=home,dc=idv,dc=tw
# adcli join $MY_DOMAIN --login-user="$MY_USERNAME" --computer-name="${MY_HOSTNAME%%.*}" --host-fqdn="$MY_HOSTNAME" --user-principal="host/$MY_HOSTNAME@$MY_REALM" --service-name="host" --service-name="nfs" --domain-ou="$MY_OU" adcli: couldn't connect to home.idv.tw domain: Couldn't find usable domain controller to connect to
# echo $MY_DOMAIN --login-user="$MY_USERNAME" --computer-name="${MY_HOSTNAME%%.*}" --host-fqdn="$MY_HOSTNAME" --user-principal="host/$MY_HOSTNAME@$MY_REALM" --service-name="host" --service-name="nfs" --domain-ou="$MY_OU" home.idv.tw --login-user=treehrt --computer-name=sice --host-fqdn=sice.home.idv.tw --user-principal=host/sice.home.idv.tw@HOME.IDV.TW --service-name=host --service-name=nfs --domain-ou=cn=computers,dc=home,dc=idv,dc=tw
(16)# cat /etc/samba/smb.conf : [global] dns forwarder = 192.168.1.1 netbios name = SICE realm = HOME.IDV.TW server role = active directory domain controller workgroup = SMB01
[netlogon] path = /var/lib/samba/sysvol/home.idv.tw/scripts read only = No
[sysvol] path = /var/lib/samba/sysvol read only = No [root@sice ~]#
(17)
# groupadd security
# mkdir /home/security
# chgrp security /home/security
# chmod 770 /home/security
# vi /etc/samba/smb.conf
# cat /etc/samba/smb.conf # Global parameters [global] dns forwarder = 192.168.1.1 netbios name = SICE
realm = HOME.IDV.TW server role = active directory domain controller workgroup = SMB01
unix charset = UTF-8 dos charset = CP932 hosts allow =192.168.1. 127.
[Security] path = /home/security writable = yes create mode = 0770 directory mode = 0770 # not allow guest user guest ok = no # allow only security group valid users = @security
[netlogon] path = /var/lib/samba/sysvol/home.idv.tw/scripts read only = No
[sysvol] path = /var/lib/samba/sysvol read only = No
(18)
# systemctl start smb nmb
Job for nmb.service failed because the control process exited with error code. See "systemctl status nmb.service" and "journalctl -xe" for details. Job for smb.service failed because the control process exited with error code. See "systemctl status smb.service" and "journalctl -xe" for details.
# systemctl enable smb nmb
Created symlink /etc/systemd/system/multi-user.target.wants/smb.service → /usr/lib/systemd/system/smb.service. Created symlink /etc/systemd/system/multi-user.target.wants/nmb.service → /usr/lib/systemd/system/nmb.service.
(19)
# firewall-cmd --add-service=samba --permanent Warning: ALREADY_ENABLED: samba success
# firewall-cmd --reload success
# setsebool -P samba_enable_home_dirs on setsebool: SELinux is disabled.
# restorecon -R /home/security
(20-1)# realm discover HOME.IDV.TW home.idv.tw type: kerberos realm-name: HOME.IDV.TW domain-name: home.idv.tw configured: kerberos-member server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common-tools login-formats: %U login-policy: [root@sice ~]#
(20-2)# realm join HOME.IDV.TW realm: Already joined to this domain
(20-3)# id SMB01\\fedora28 id: ‘SMB01\\fedora28’: no such user
(20-4)# samba-tool group add fedoraGRP
(21)
# restorecon /etc/krb5.conf
# cat /etc/krb5.conf [libdefaults] default_realm = HOME.IDV.TW dns_lookup_realm = false dns_lookup_kdc = true [root@sice ~]# systemctl restart sssd Job for sssd.service failed because the control process exited with error code. See "systemctl status sssd.service" and "journalctl -xe" for details. [root@sice ~]# systemctl status sssd ● sssd.service - System Security Services Daemon Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Sat 2019-02-09 20:52:13 CST; 8s ago Process: 5933 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=1/FAILURE) Main PID: 5933 (code=exited, status=1/FAILURE)
2月 09 20:52:08 sice.home.idv.tw sssd[be[home.idv.tw]][5937]: Failed to read keytab [default]: 沒有此一檔案或目錄 2月 09 20:52:11 sice.home.idv.tw sssd[nss][5938]: Starting up 2月 09 20:52:11 sice.home.idv.tw sssd[nss][5939]: Starting up 2月 09 20:52:12 sice.home.idv.tw sssd[be[home.idv.tw]][5940]: Starting up 2月 09 20:52:13 sice.home.idv.tw sssd[be[home.idv.tw]][5940]: Failed to read keytab [default]: 沒有此一檔案或目錄 2月 09 20:52:13 sice.home.idv.tw sssd[5933]: Exiting the SSSD. Could not restart critical service [home.idv.tw]. 2月 09 20:52:13 sice.home.idv.tw sssd[be[implicit_files]][5934]: Shutting down 2月 09 20:52:13 sice.home.idv.tw systemd[1]: sssd.service: Main process exited, code=exited, status=1/FAILURE 2月 09 20:52:13 sice.home.idv.tw systemd[1]: sssd.service: Failed with result 'exit-code'. 2月 09 20:52:13 sice.home.idv.tw systemd[1]: Failed to start System Security Services Daemon.
(22)
# nmcli connection mod br0 ipv4.dns 192.168.1.1
# nmcli connection down br0 Connection 'br0' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
# nmcli connection up br0 Connection successfully activated (master waiting for slaves) (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
# systemctl restart samba.service
# systemctl status samba.service
● samba.service - Samba AD Daemon Loaded: loaded (/usr/lib/systemd/system/samba.service; enabled; vendor preset: disabled) Active: active (running) since Sat 2019-02-09 21:15:00 CST; 2s ago Docs: man:samba(8) man:samba(7) man:smb.conf(5) Main PID: 6363 (samba) Status: "winbindd: ready to serve connections..." Tasks: 25 (limit: 4915) Memory: 202.2M CGroup: /system.slice/samba.service ├─6363 /usr/sbin/samba --foreground --no-process-group ├─6364 /usr/sbin/samba --foreground --no-process-group ├─6365 /usr/sbin/samba --foreground --no-process-group ├─6366 /usr/sbin/samba --foreground --no-process-group ├─6367 /usr/sbin/samba --foreground --no-process-group ├─6368 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground ├─6369 /usr/sbin/samba --foreground --no-process-group ├─6370 /usr/sbin/samba --foreground --no-process-group ├─6371 /usr/sbin/samba --foreground --no-process-group ├─6372 /usr/sbin/samba --foreground --no-process-group ├─6373 /usr/sbin/samba --foreground --no-process-group ├─6374 /usr/sbin/samba --foreground --no-process-group ├─6375 /usr/sbin/samba --foreground --no-process-group ├─6376 /usr/sbin/samba --foreground --no-process-group ├─6377 /usr/sbin/samba --foreground --no-process-group ├─6378 /usr/sbin/samba --foreground --no-process-group ├─6379 /usr/sbin/samba --foreground --no-process-group ├─6380 /usr/sbin/samba --foreground --no-process-group ├─6381 /usr/sbin/krb5kdc -n ├─6382 /usr/sbin/samba --foreground --no-process-group ├─6383 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground ├─6384 /usr/bin/python2 /usr/sbin/samba_dnsupdate ├─6389 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground ├─6390 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground └─6391 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
2月 09 21:15:03 sice.home.idv.tw samba[6377]: [2019/02/09 21:15:03.425669, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) 2月 09 21:15:03 sice.home.idv.tw samba[6377]: /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS') 2月 09 21:15:03 sice.home.idv.tw samba[6377]: [2019/02/09 21:15:03.425835, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) 2月 09 21:15:03 sice.home.idv.tw samba[6377]: /usr/sbin/samba_dnsupdate: File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run 2月 09 21:15:03 sice.home.idv.tw samba[6377]: [2019/02/09 21:15:03.425892, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) 2月 09 21:15:03 sice.home.idv.tw samba[6377]: /usr/sbin/samba_dnsupdate: return self.run(*args, **kwargs) 2月 09 21:15:03 sice.home.idv.tw samba[6377]: [2019/02/09 21:15:03.425934, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) 2月 09 21:15:03 sice.home.idv.tw samba[6377]: /usr/sbin/samba_dnsupdate: File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run 2月 09 21:15:03 sice.home.idv.tw samba[6377]: [2019/02/09 21:15:03.425978, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) 2月 09 21:15:03 sice.home.idv.tw samba[6377]: /usr/sbin/samba_dnsupdate: raise e [root@sice ~]#
(23)# net ads testjoin kerberos_kinit_password SMB01@HOME.IDV.TW failed: Client not found in Kerberos database kerberos_kinit_password SMB01@HOME.IDV.TW failed: Client not found in Kerberos database Join to domain is not valid: The name provided is not a properly formed account name. [root@sice ~]#
(24)# net ads leave -U Administrator Enter Administrator's password: Failed to leave domain: This machine is a domain controller and cannot be unjoined from a domain.
(25)# net ads join -U Administrator Host is not configured as a member server. Invalid configuration. Exiting.... Failed to join domain: This operation is only allowed for the PDC of the domain.
(26)# net ads keytab create -U Administrator Enter Administrator's password: kerberos_kinit_password SMB01@HOME.IDV.TW failed: Client not found in Kerberos database kerberos_kinit_password SMB01@HOME.IDV.TW failed: Client not found in Kerberos database [root@sice ~]#
(27)# klist -k Keytab name: FILE:/etc/krb5.keytab klist: Key table file '/etc/krb5.keytab' not found while starting keytab scan
[root@sice ~]# service sssd restart Redirecting to /bin/systemctl restart sssd.service Job for sssd.service failed because the control process exited with error code. See "systemctl status sssd.service" and "journalctl -xe" for details. [root@sice ~]#
(28)
# rm /etc/samba/smb.conf rm:是否移除普通檔案'/etc/samba/smb.conf'? y
# samba-tool domain provision Realm [HOME.IDV.TW]: SICE.HOME.IDV.TW Domain [SICE]: SMB01 Server Role (dc, member, standalone) [dc]: DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]: Administrator password: Retype password: Looking up IPv4 addresses Looking up IPv6 addresses No IPv6 address will be assigned Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
Adding DomainDN: DC=sice,DC=home,DC=idv,DC=tw Adding configuration container Setting up sam.ldb schema Setting up sam.ldb configuration data Setting up display specifiers Modifying display specifiers and extended rights Adding users container Modifying users container Adding computers container Modifying computers container Setting up sam.ldb data Setting up well known security principals Setting up sam.ldb users and groups Setting up self join Adding DNS accounts Creating CN=MicrosoftDNS,CN=System,DC=sice,DC=home,DC=idv,DC=tw Creating DomainDnsZones and ForestDnsZones partitions Populating DomainDnsZones and ForestDnsZones partitions Setting up sam.ldb rootDSE marking as synchronized Fixing provision GUIDs The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink! Once the above files are installed, your Samba AD server will be ready to use Server Role: active directory domain controller Hostname: sice NetBIOS Domain: SMB01 DNS Domain: sice.home.idv.tw DOMAIN SID: S-1-5-21-3256789770-3481484408-2431171835
# net ads testjoin kerberos_kinit_password SMB01@SICE.HOME.IDV.TW failed: Cannot contact any KDC for requested realm ads_connect: Cannot contact any KDC for requested realm Join to domain is not valid: No logon servers are currently available to service the logon request.
# net ads leave -U Administrator Enter Administrator's password: Failed to leave domain: This machine is a domain controller and cannot be unjoined from a domain.
# net ads join -U Administrator Host is not configured as a member server. Invalid configuration. Exiting.... Failed to join domain: This operation is only allowed for the PDC of the domain.
# net ads keytab create -U Administrator
Warning: "kerberos method" must be set to a keytab method to use keytab functions. Enter Administrator's password: kerberos_kinit_password SMB01@SICE.HOME.IDV.TW failed: Cannot contact any KDC for requested realm ads_connect: Cannot contact any KDC for requested realm kerberos_kinit_password SMB01@SICE.HOME.IDV.TW failed: Cannot contact any KDC for requested realm ads_connect: Cannot contact any KDC for requested realm
# klist -k Keytab name: FILE:/etc/krb5.keytab klist: Key table file '/etc/krb5.keytab' not found while starting keytab scan
REF1: https://fedoramagazine.org/secure-nfs-home-directories-kerberos/
REF2: https://www.server-world.info/en/note?os=Fedora_28&p=samba&f=3
REF3: http://felipeferreira.net/index.php/2017/01/failed-to-read-keytab-default/