Thursday, November 10, 2016

Ubuntu 16.04 Samba 4.5.1: installation and provisioning of an AD DC (or joining Samba to an existing Windows Active Directory)

Network settings:
vi /etc/network/interfaces
iface eth0 inet static
address 192.168.1.253
netmask 255.255.255.0
gateway 192.168.1.254
# For a new DC domain, point DNS at this host; when joining an existing domain, point DNS at the PDC
dns-nameservers 192.168.1.252 (it is recommended to update the system to the latest packages first, so at this stage specify a DNS IP that resolves correctly)
dns-nameservers 192.168.1.253
dns-search tw.company

vi /etc/hosts
127.0.0.1     localhost.localdomain     localhost
192.168.1.253     ubuntu-ad.tw.company     ubuntu-ad

Change the hostname:
vi /etc/hostname
ubuntu-ad

shutdown -r 0

System update:
apt-get update && apt-get upgrade && apt-get dist-upgrade

Install the required packages (when using the Ubuntu Samba packages):
apt-get install attr build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev acl ntp ntpdate libnss-winbind* libpam-winbind* winbind*
Install the required packages (when building Samba from source):
apt-get install attr build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev acl ntp ntpdate
(If a Kerberos configuration dialog appears during installation, press OK to skip it for now; when the DC domain is provisioned or joined later, the krb5.conf under the Samba directory is linked into place.)

Add a Samba PATH profile file to the system:
vi /etc/profile.d/samba-path.sh
PATH=${PATH}:/usr/local/samba/bin:/usr/local/samba/sbin

Add the Samba paths to the sudoers secure_path:
vi /etc/sudoers
Add the following:
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/samba/bin:/usr/local/samba/sbin

Enable the extra filesystem attributes the DC server needs:
vi /etc/fstab
UUID=xyzxyzxy-xyzx-xyzx-xyzx-xyzxyzxyzxyzxy    /       ext4      user_xattr,acl,barrier=1,errors=remount-ro     0     1

Enabling or disabling user_xattr, acl and barrier:
vi /etc/fstab
user_xattr (enabling it lets Samba achieve better performance)
acl (file access control lists)
barrier (data is first written to a cache rather than directly to disk, so a system crash can affect data integrity. It is enabled by default on ext4, but is not supported with LVM, RAID, etc., and it has some performance cost; it can be disabled with barrier=0.)
Use dumpe2fs /dev/sda1 | grep 'Default mount options' to confirm whether user_xattr and acl are enabled.
Look at /proc/mounts to see whether each mounted filesystem shows barrier=1, which means barriers are in use.
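The two checks just described (dumpe2fs for user_xattr and acl, /proc/mounts for barrier) can be scripted as a pre-flight check. The script below is an added example and is not part of the original post: it parses the text of dumpe2fs -h DEVICE and of /proc/mounts, both passed in as arguments so the logic can be exercised on the constructed samples at the bottom without root, and run_live() feeds in the real command output. It goes slightly beyond the post in one respect: ext4 does not repeat its default mount options in /proc/mounts, so an option counts as present if it appears in either source, and barriers are treated as enabled unless barrier=0 or nobarrier was passed explicitly. The mount point, the /dev/sda1 device and the run_live name are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Pre-flight check that the
# filesystem holding /usr/local/samba can carry Samba's NT ACLs: user_xattr
# and acl must be available and write barriers must not be disabled.
#
# All parsing works on text passed as arguments, so the constructed samples
# below exercise it without root; run_live() feeds in the real command output.

# default_mount_opts DUMPE2FS_TEXT -> prints the "Default mount options" value
default_mount_opts() {
    printf '%s\n' "$1" | sed -n 's/^Default mount options:[[:space:]]*//p'
}

# active_mount_opts MOUNTPOINT MOUNTS_TEXT -> prints the option list that
# /proc/mounts shows for MOUNTPOINT (fields: dev mountpoint fstype opts dump pass)
active_mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# has_opt OPTION DEFAULT_OPTS ACTIVE_OPTS -> 0 if OPTION is in the filesystem
# defaults (space separated) or in the active list (comma separated). ext4 does
# not repeat its defaults in /proc/mounts, which is why both are consulted.
has_opt() {
    echo " $2 " | grep -q " $1 " && return 0
    echo ",$3," | grep -q ",$1," && return 0
    return 1
}

# barrier_enabled ACTIVE_OPTS -> 0 unless the mount explicitly disabled barriers
barrier_enabled() {
    echo ",$1," | grep -Eq ',(barrier=0|nobarrier),' && return 1
    return 0
}

# check_fs MOUNTPOINT DUMPE2FS_TEXT MOUNTS_TEXT -> 0 only if all checks pass;
# each failure is reported on stderr
check_fs() {
    defaults=$(default_mount_opts "$2")
    active=$(active_mount_opts "$1" "$3")
    [ -n "$active" ] || { echo "no mount found for $1" >&2; return 2; }
    rc=0
    for o in user_xattr acl; do
        has_opt "$o" "$defaults" "$active" || { echo "missing mount option: $o" >&2; rc=1; }
    done
    barrier_enabled "$active" || { echo "write barriers disabled on $1" >&2; rc=1; }
    return $rc
}

# run_live MOUNTPOINT DEVICE -> the same check against this host (needs root)
run_live() {
    check_fs "$1" "$(dumpe2fs -h "$2" 2>/dev/null)" "$(cat /proc/mounts)"
}

# Constructed sample outputs (not captured from a real host)
SAMPLE_DUMPE2FS='Filesystem volume name:   <none>
Default mount options:    user_xattr acl
Filesystem state:         clean'
SAMPLE_DUMPE2FS_BAD='Default mount options:    (none)'
SAMPLE_MOUNTS_OK='/dev/sda1 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=401712k,mode=755 0 0'
SAMPLE_MOUNTS_NOBARRIER='/dev/sda1 / ext4 rw,relatime,barrier=0,errors=remount-ro 0 0'

if [ "${1:-}" = "--live" ]; then
    run_live / /dev/sda1       # assumed root device; adjust to your system
fi
```

Run it as root with --live before provisioning; a non-zero exit with a "missing mount option" line means the fstab entry above still needs the option (or tune2fs -o user_xattr,acl on the device) before Samba can store ACLs on sysvol.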

Install Samba:
If installing from source, adjust the configuration file paths below to the actual paths.
(Default install path for a source build of Samba: /usr/local/samba)
cd /usr/local/src/
tar -xvf samba-latest.tar.gz
./configure
make
make install
Or:
Install the Samba packages built by Ubuntu:
apt-get install samba* smbclient


Correct the system time:
ntpdate -B time.stdtime.gov.tw (syncs the system clock)

Configure the NTP time server:
vi /etc/ntp.conf

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Specify one or more NTP servers.

# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
#pool 0.ubuntu.pool.ntp.org iburst
#pool 1.ubuntu.pool.ntp.org iburst
#pool 2.ubuntu.pool.ntp.org iburst
#pool 3.ubuntu.pool.ntp.org iburst
server time.stdtime.gov.tw prefer
server tick.stdtime.gov.tw
server watch.stdtime.gov.tw

# Use Ubuntu's ntp server as a fallback.
#pool ntp.ubuntu.com

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited

# Local users may interrogate the ntp server more closely.
restrict time.stdtime.gov.tw
restrict tick.stdtime.gov.tw
restrict watch.stdtime.gov.tw
restrict 127.0.0.1
restrict ::1

# Needed for adding pool entries
restrict source notrap nomodify noquery

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
restrict 192.168.1.0 mask 255.255.255.0 nomodify

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

# Changes required to use PPS synchronisation as explained in documentation:
#http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#AEN3918

#server 127.127.8.1 mode 135 prefer    # Meinberg GPS167 with PPS
#fudge 127.127.8.1 time1 0.0042        # relative to PPS for my hardware

#server 127.127.22.1                   # ATOM(PPS)
#fudge 127.127.22.1 flag3 1            # enable PPS API

Enable the NTP server at boot:
systemctl restart ntp.service
systemctl status ntp.service

Note for future reference (how to set the service start order on Ubuntu):
If service B can only start correctly after service A has started:
The larger the first number, the later the service is started at boot
The larger the second number, the later the service is stopped at shutdown
These two numbers are usually chosen so that they add up to 100
update-rc.d -f A defaults 80 20
update-rc.d -f B defaults 90 10

Check the NTP server status:
ntpstat
ntpq -p

If the time zone was not set correctly at install time:
dpkg-reconfigure tzdata

Create a new domain (confirm the DNS IP points to this host):
Install the BIND9 DNS package:
apt-get install bind9

Reboot:
shutdown -r 0

Back up the smb.conf file (provisioning or joining a domain requires removing smb.conf first):
mv /usr/local/samba/etc/smb.conf /usr/local/samba/etc/smb.conf.orig

Provision the DC domain:
samba-tool domain provision --realm=tw.company --domain=tw --adminpass='<sufficiently-complex-password>' --server-role=dc --function-level=2008_R2 --dns-backend=BIND9_DLZ

Change the Samba DC forest and domain functional level:
samba-tool domain level raise --forest-level=2008_R2
Alternatively, provision interactively instead of using the one-line command above:
samba-tool domain provision --use-rfc2307 --use-xattrs=yes --function-level=2008_R2 --interactive
Answer the prompts in order:
Realm: TW.COMPANY
Domain [TW]: TW
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
(BIND9_DLZ is compatible with Windows AD DNS; SAMBA_INTERNAL is more basic)
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.10]: 8.8.8.8 168.95.1.1 8.8.4.4
Reboot:
shutdown -r 0

Test that Samba accepts connections:
smbclient -L localhost -U%

Join a Samba DC to an existing domain (confirm the DNS IP points to the first PDC):
Install the BIND9 DNS package:
apt-get install bind9

Reboot:
shutdown -r 0

Back up the smb.conf file (provisioning or joining a domain requires removing smb.conf first):
mv /usr/local/samba/etc/smb.conf /usr/local/samba/etc/smb.conf.orig

samba-tool domain join tw.company DC -U"TW\administrator" --dns-backend=BIND9_DLZ
(Compatible with Windows AD DNS. If the wrong DNS backend was chosen during the initial setup, it can be changed with samba_upgradedns --dns-backend=BIND9_DLZ)
Successful join as a DC server:
root@ubuntu-ad:~# samba-tool domain join tw.company DC -U"TW\administrator" --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'tw.company'
Found DC centos7-ad.tw.company
Password for [TW\administrator]:
workgroup is TW
realm is tw.company
checking sAMAccountName
Deleted CN=UBUNTU-AD,OU=Domain Controllers,DC=tw,DC=company
Deleted CN=dns-UBUNTU-AD,CN=Users,DC=tw,DC=company
Deleted CN=NTDS Settings,CN=UBUNTU-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tw,DC=company
Deleted CN=UBUNTU-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tw,DC=company
Adding CN=UBUNTU-AD,OU=Domain Controllers,DC=tw,DC=company
Adding CN=UBUNTU-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tw,DC=company
Adding CN=NTDS Settings,CN=UBUNTU-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tw,DC=company
Adding SPNs to CN=UBUNTU-AD,OU=Domain Controllers,DC=tw,DC=company
Setting account password for UBUNTU-AD$
Enabling account
Adding DNS account CN=dns-UBUNTU-AD,CN=Users,DC=tw,DC=company with dns/ SPN
Setting account password for dns-UBUNTU-AD
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Provision OK for domain DN DC=tw,DC=company
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=tw,DC=company] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=tw,DC=company] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=tw,DC=company] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=tw,DC=company] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=tw,DC=company] objects[402/1617] linked_values[0/0]
Partition[CN=Configuration,DC=tw,DC=company] objects[804/1617] linked_values[0/0]
Partition[CN=Configuration,DC=tw,DC=company] objects[1206/1617] linked_values[0/0]
Partition[CN=Configuration,DC=tw,DC=company] objects[1608/1617] linked_values[0/0]
Partition[CN=Configuration,DC=tw,DC=company] objects[1617/1617] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=tw,DC=company] objects[98/98] linked_values[23/0]
Partition[DC=tw,DC=company] objects[396/298] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=tw,DC=company
Partition[DC=DomainDnsZones,DC=tw,DC=company] objects[61/61] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=tw,DC=company
Partition[DC=ForestDnsZones,DC=tw,DC=company] objects[18/18] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Joined domain TW (SID S-1-5-21-2798485062-3178217977-1919772479) as a DC

Adjust the smb.conf file (testparm gives suggested values):
vi /usr/local/samba/etc/smb.conf
# Global parameters
[global]
    netbios name = UBUNTU-AD
    realm = TW.COMPANY
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = TW
    passdb backend = samba_dsdb
    server role = active directory domain controller
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    winbindd:use external pipes = true
    idmap config * : backend = tdb
    map archive = No
    map readonly = no
    store dos attributes = Yes
    vfs objects = dfs_samba4 acl_xattr
    log file = /var/log/samba/samba.log
    max log size = 100000

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/tw.company/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

Create the Samba log directory:
mkdir /var/log/samba/

Link the Kerberos configuration file into /etc:
mv /etc/krb5.conf /etc/krb5.conf.orig
ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
Contents of krb5.conf:
[libdefaults]
    default_realm = TW.COMPANY
    dns_lookup_realm = false
    dns_lookup_kdc = true

Test whether the krb5.conf settings are correct:
kinit administrator@TW.COMPANY (the realm must be uppercase)
Enter the administrator password

Then run klist -e; output like the following means authentication succeeded:
Valid starting       Expires              Service principal
11/07/2016 09:41:47  11/07/2016 19:41:47  krbtgt/TW.COMPANY@TW.COMPANY
    renew until 11/08/2016 09:41:42

Create the named log directory:
mkdir /var/log/named/
chown bind:bind /var/log/named

DNS configuration changes:
vi /etc/bind/named.conf
Add:
include "/usr/local/samba/private/named.conf";

vi /etc/bind/named.conf.options

acl "LocalIP" { 192.168.0.0/16; 172.16.10.0/24; 127.0.0.1; };    # allow local IPs to query DNS

options {
        directory "/var/cache/bind";

        forward first;
        forwarders {
                8.8.8.8;
                8.8.4.4;
                168.95.1.1;
        };

        listen-on {
                LocalIP;
        };

        allow-recursion { LocalIP; };
        allow-update { LocalIP; };
        allow-query { LocalIP; };
        allow-transfer { localhost; LocalIP; };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";   // allow clients to update DNS records dynamically
        dnssec-enable no;
        //dnssec-validation auto;     // internal use only, disabled for now
        dnssec-validation no;
        auth-nxdomain no;    # conform to RFC1035
        //listen-on port 53 { 127.0.0.1; };
        listen-on port 53 { any; };
        listen-on-v6 { none; };
};

logging {
        channel Named_log {
                file "/var/log/named/named.run" versions 3 size 20m;
                severity dynamic;
                print-severity  yes;
                print-time yes;
        };
        channel Default_log {
                file "/var/log/named/default.log" versions 10 size 20m;
                severity dynamic;
                print-severity  yes;
                print-time yes;
        };
        channel Query_log {
                file "/var/log/named/query.log" versions 10 size 50m;
                severity dynamic;
                print-severity  yes;
                print-time yes;
        };
        category xfer-out { Named_log; };
        category default { Default_log; };
        category queries { Query_log; };
};

Adjust the DC DNS zone file permissions:
chown root:bind /usr/local/samba/private/named.conf
chmod 640 /usr/local/samba/private/dns.keytab
chown root:bind /usr/local/samba/private/dns.keytab
chmod 644 /usr/local/samba/private/krb5.conf
chown root:bind /usr/local/samba/private/krb5.conf
named-checkconf

Confirm and adjust the first DNS server entry:
(When joining an existing domain, the first DNS IP points to the PDC. When building a new DC domain, the first DNS IP points to this host. Only then will dynamic DNS record updates sync correctly.)
vi /etc/network/interfaces

Test DNS dynamic updates:
samba_dnsupdate --verbose --all-names
No error messages, with DNS records updated and synced from the PDC, means the configuration is correct.

If, after Ubuntu 16.04 joins a Windows AD, DNS cannot look up the hosts in the local DC's DNS zone, make the following change:
Disable AppArmor:
update-rc.d apparmor disable
systemctl stop apparmor
Or:
vi /etc/apparmor.d/usr.sbin.named
Add at the very bottom:
/usr/local/samba/private/** kwr,    # open permissions so Windows clients can update DNS records dynamically
/usr/local/samba/private/named.conf r,
/usr/local/samba/private/dns.keytab kwr,
/usr/lib/samba/** m,
/usr/local/samba/private/dns/** krw,
/var/tmp/** krw,
/dev/urandom rw,
Restart:
systemctl restart apparmor.service

Reboot (in case some services read incorrect data while the changes were being made):
shutdown -r 0

Samba installed from the tarball must be started manually (a startup script is added later so Samba starts at boot):
samba start

Test that domain hosts resolve:
nslookup tw.company localhost

Test that Samba accepts connections:
smbclient -L localhost -U 'administrator'

Test the DNS configuration (if the following three tests pass, the host has joined the DC correctly):
host -t SRV _ldap._tcp.tw.company (seeing the other DC servers in the tcp SRV answer means it is correct)
host -t SRV _kerberos._udp.tw.company (seeing the other DC servers in the udp SRV answer means it is correct)
host -t A ubuntu-ad.tw.company


Note: after adding a new DC and its DNS settings, BIND9 must be restarted on every DC:
systemctl restart bind9.service
then rerun the DNS update test; otherwise you will see:
update failed: NOTAUTH
Failed nsupdate: 2

Failed update of 28 entries

Test updating DNS records:
samba_dnsupdate --verbose
samba_dnsupdate --verbose --all-names
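The verification steps from "Test that domain hosts resolve" down to the DNS update test can be bundled into one health check. The script below is an added example and not part of the original post: it parses the output of host -t SRV, host -t A and klist -e, requiring that both SRV records list this DC, that its A record resolves, and that a TGT from the domain realm is cached (run kinit first, as described above). Parsing is separated from command execution so the logic can be exercised on the constructed sample outputs at the bottom; the run_live function and the argument layout are assumptions, and samba_dnsupdate is still run separately.

```sh
#!/bin/sh
# Added example, not from the original post. Post-join health check: the SRV
# records for LDAP and Kerberos must list this DC, its A record must resolve,
# and klist must show a TGT from the domain realm. Parsing works on text
# passed as arguments so it can be tested on the constructed samples below.

# srv_targets HOST_OUTPUT -> prints the target names from `host -t SRV` output,
# e.g. "_ldap._tcp.tw.company has SRV record 0 100 389 ubuntu-ad.tw.company."
srv_targets() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# srv_count HOST_OUTPUT -> number of SRV answers (more than one means other DCs
# are visible, which the post uses as the sign of a successful join)
srv_count() {
    printf '%s\n' "$1" | awk '/has SRV record/ { n++ } END { print n + 0 }'
}

# srv_lists_host HOST_OUTPUT FQDN -> 0 if FQDN is one of the SRV targets
srv_lists_host() {
    srv_targets "$1" | grep -qxF "$2"
}

# a_record HOST_OUTPUT -> prints the address from `host -t A` output
a_record() {
    printf '%s\n' "$1" | awk '/has address/ { print $NF; exit }'
}

# has_tgt KLIST_OUTPUT REALM -> 0 if a krbtgt/REALM@REALM ticket is cached,
# i.e. kinit succeeded against the domain's KDC
has_tgt() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# check_join LDAP_SRV KRB_SRV A_OUT KLIST_OUT FQDN REALM -> 0 only if every
# check passes; each failure is reported on stderr
check_join() {
    rc=0
    srv_lists_host "$1" "$5" || { echo "FAIL: $5 missing from _ldap._tcp SRV" >&2; rc=1; }
    srv_lists_host "$2" "$5" || { echo "FAIL: $5 missing from _kerberos._udp SRV" >&2; rc=1; }
    [ -n "$(a_record "$3")" ] || { echo "FAIL: no A record for $5" >&2; rc=1; }
    has_tgt "$4" "$6" || { echo "FAIL: no TGT for $6 in the credential cache (run kinit first)" >&2; rc=1; }
    [ "$(srv_count "$1")" -gt 1 ] || echo "note: only one DC in the _ldap._tcp SRV answer" >&2
    return $rc
}

# run_live DNSDOMAIN FQDN REALM -> runs the real commands, e.g.
#   run_live tw.company ubuntu-ad.tw.company TW.COMPANY
run_live() {
    check_join "$(host -t SRV "_ldap._tcp.$1")" "$(host -t SRV "_kerberos._udp.$1")" \
               "$(host -t A "$2")" "$(klist -e 2>/dev/null)" "$2" "$3"
}

# Constructed sample outputs (the names follow the post; the text is not a capture)
SAMPLE_LDAP_SRV='_ldap._tcp.tw.company has SRV record 0 100 389 centos7-ad.tw.company.
_ldap._tcp.tw.company has SRV record 0 100 389 ubuntu-ad.tw.company.'
SAMPLE_KRB_SRV='_kerberos._udp.tw.company has SRV record 0 100 88 centos7-ad.tw.company.
_kerberos._udp.tw.company has SRV record 0 100 88 ubuntu-ad.tw.company.'
SAMPLE_A='ubuntu-ad.tw.company has address 192.168.1.253'
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TW.COMPANY

Valid starting       Expires              Service principal
11/07/2016 09:41:47  11/07/2016 19:41:47  krbtgt/TW.COMPANY@TW.COMPANY
    renew until 11/08/2016 09:41:42'

if [ "$#" -eq 3 ]; then
    run_live "$1" "$2" "$3"
fi
```

Invoke it on the new DC as ./dc-check.sh tw.company ubuntu-ad.tw.company TW.COMPANY after kinit; a FAIL line for the SRV records usually means BIND9 has not been restarted on every DC yet, which is the NOTAUTH situation described in the note above.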

Boot startup script for Samba4 installed from the tarball:
Contents of the samba file:
#!/bin/sh

### BEGIN INIT INFO
# Provides:          samba
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Should-Start:      slapd
# Should-Stop:       slapd
# Short-Description: start Samba daemons (samba and smbd)
### END INIT INFO

# Description of this script:
#
# This script comes initially from a Debian Squeeze machine on
# which samba 3.x was installed with "apt-get install samba". The script
# was modified/adjusted so it points to the correct paths of a default
# samba4 installation (/usr/local/samba).
#
# Installation instructions:
# (1) copy the content of this script into your clipboard or download it
# (2) save the content into /etc/init.d/samba of your samba4 host.
# (3) execute "chmod +x /etc/init.d/samba" to have the script executable
# (4) execute "update-rc.d samba defaults" to install auto-start function.
#     smbd+nmbd will automatically be started after each system start/reboot

# Modified by local@#samba~irc.freenode.net at 06th March 2013
# The script was successfully tested on Debian GNU/Linux Squeeze+Wheezy

# Defaults
RUN_MODE="daemons"

# Reads config file (will override defaults above)
[ -r /etc/default/samba ] && . /etc/default/samba

PIDDIR=/usr/local/samba/var/run
SAMBAPID=$PIDDIR/samba.pid
SMBDPID=$PIDDIR/smbd.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemons are there
test -x /usr/local/samba/sbin/samba || exit 0

. /lib/lsb/init-functions

case "$1" in
        start)
                log_daemon_msg "Starting Samba daemons"
                # Make sure we have our PIDDIR, even if it's on a tmpfs
                install -o root -g root -m 755 -d $PIDDIR

                SAMBA_DISABLED=`testparm -s --parameter-name='disable netbios' 2>/dev/null`
                if [ "$SAMBA_DISABLED" != 'Yes' ]; then
                        log_progress_msg "samba"
                        if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D
                        then
                                log_end_msg 1
                                exit 1
                        fi
                fi

                ;;
        stop)
                log_daemon_msg "Stopping Samba daemons"
                log_progress_msg "samba"

                start-stop-daemon --stop --quiet --pidfile $SAMBAPID
                # Wait a little and remove stale PID file
                sleep 1
                if [ -f $SAMBAPID ] > /dev/null
                then
                        # Stale PID file (samba was successfully stopped),
                        # remove it (should be removed by samba itself IMHO.)
                        rm -f $SAMBAPID
                fi

                ;;

        reload)
                log_daemon_msg "Reloading /usr/local/samba/etc/smb.conf" "smbd only"

                start-stop-daemon --stop --signal HUP --pidfile $SMBDPID

                log_end_msg 0
                ;;
        restart|force-reload)
                $0 stop
                sleep 1
                if [ -f $SAMBAPID ] > /dev/null
                then
                        # Stale PID file (samba was successfully stopped),
                        # remove it (should be removed by samba itself IMHO.)
                        rm -f $SAMBAPID
                fi
                $0 start
                ;;
        status)
                status="0"
                SAMBA_DISABLED=`testparm -s --parameter-name='disable netbios' 2>/dev/null`
                if [ "$SAMBA_DISABLED" != "Yes" ]; then
                        status_of_proc -p $SAMBAPID /usr/local/samba/sbin/samba samba || status=$?
                fi
                if [ "$SAMBA_DISABLED" = "Yes" ]; then
                        status="4"
                fi
                exit $status
                ;;
        *)
                echo "Usage: /etc/init.d/samba {start|stop|reload|restart|force-reload|status}"
                exit 1
                ;;
esac

exit 0

chmod +x /etc/init.d/samba
update-rc.d samba defaults

Important:
When syncing GPOs and scripts between different platforms (Windows, Linux), pay attention to the folder and file permissions after the sync.
Wrong folder or file permissions will corrupt the GPO and make it unusable.
So far I have found that every time a GPO is adjusted or modified, samba-tool ntacl sysvolcheck reports errors; running samba-tool ntacl sysvolreset once to reset the permissions restores it to normal.

Sync GPO and script files:
Linux --> Linux: rsync can be used:
On the PDC (primary DC server):
Install xinetd:
apt-get install xinetd
Add the rsync service file:
vi /etc/xinetd.d/rsync
Contents:
service rsync
{
   disable         = no
   only_from       = 192.168.1.0/24
   socket_type     = stream
   wait            = no
   user            = root
   server          = /usr/bin/rsync
   server_args     = --daemon
   log_on_failure += USERID
}

Create the rsyncd.conf file:
vi /etc/rsyncd.conf
Contents:
log file = /var/log/rsyncd.log

[SysVol]
path = /usr/local/samba/var/locks/sysvol/
comment = Samba Sysvol Share
uid = root
gid = root
read only = yes
auth users = sysvol-replication
secrets file = /usr/local/samba/etc/rsyncd.secret

Create the rsync password file:
vi /usr/local/samba/etc/rsyncd.secret
sysvol-replication:pa$$w0rd
chmod 600 /usr/local/samba/etc/rsyncd.secret

Note: if you would rather not use a password file, an SSH key can also be used for a passwordless sync connection.

Restart the xinetd service:
systemctl restart xinetd.service

On the other DC servers, create an rsync password file so the scheduled job does not have to enter the password each time:
Check whether the other Linux DC servers have the rsync package; if not, install it: apt-get install rsync
vi /usr/local/samba/etc/rsync-sysvol.secret
pa$$w0rd (same as on the rsync server)
chmod 600 /usr/local/samba/etc/rsync-sysvol.secret

Test whether the sync command works (option reference):
--dry-run: do not actually transfer anything; only show the transfer actions that would take place
--delete-after: perform deletions only after the file transfer has finished
--password-file=PASSWORD_FILE: read the password for the remote rsync server from a file
--delete: delete files that no longer exist on the sender but still exist on the receiver
-A --acls: preserve ACLs
-X --xattrs: preserve extended file attributes
-a --archive: archive mode, preserving permissions; equivalent to -rlptgoD
-p --perms: preserve file permissions
-q --quiet: quiet mode, almost no messages; commonly used when running rsync from cron
-r --recursive: process subdirectories recursively
-u --update: update only, i.e. skip files that already exist on the receiver and are newer than the file being backed up (do not overwrite newer files)
-v --verbose: verbose output
-z --compress: compress file data while it is transferred to the destination
-o --owner: preserve file owner (root only)
-g --group: preserve file group
-D --devices: preserve device files (root only)
-t --times: preserve file modification times

Test the rsync command parameters (dry run):
rsync --dry-run -XAavrz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-replication@<primary-PDC-IP>/SysVol/ /usr/local/samba/var/locks/sysvol/

Schedule the sync (crontab entry):

*/5 * * * * rsync -XAaqruz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-replication@<primary-PDC-IP>/SysVol/ /usr/local/samba/var/locks/sysvol/
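Rather than putting the rsync command directly in the crontab, a small wrapper lets the job enforce the two things this section and the "Important" note above depend on: the secret file must stay private to root, and the NT ACLs on sysvol must be checked (and reset when the check fails) after files arrive. The script below is an added example and not part of the original post; it uses the secret file, rsync module and sysvol paths from the post, and the script path /usr/local/sbin/sysvol-pull.sh, the PDC_IP variable (with a placeholder for the primary DC address) and the lock directory are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Wrapper for the scheduled sysvol
# pull on a secondary DC: refuses to run unless the rsync secret file is
# private to root, takes a lock so overlapping cron runs cannot race, runs the
# same rsync command the post schedules, and then performs the
# sysvolcheck / sysvolreset step the post recommends after GPO changes.

SECRET=/usr/local/samba/etc/rsync-sysvol.secret
SYSVOL=/usr/local/samba/var/locks/sysvol/
PDC_IP="${PDC_IP:-<primary-PDC-IP>}"        # placeholder: set to the primary DC's address
LOCKDIR=/run/lock/sysvol-pull                # assumed lock path

# secret_ok FILE [OWNER] -> 0 only if FILE is a regular file owned by OWNER
# (default root) with mode 600, so the rsync password cannot be read by others
secret_ok() {
    [ -f "$1" ] || return 1
    mode_owner=$(stat -c '%a %U' "$1" 2>/dev/null) || return 1
    [ "$mode_owner" = "600 ${2:-root}" ]
}

# pull_sysvol [--dry-run] -> runs the post's rsync command after the checks
pull_sysvol() {
    secret_ok "$SECRET" || { echo "refusing: $SECRET must be root-owned, mode 600" >&2; return 1; }
    rsync ${1:+"$1"} -XAaqruz --delete-after --password-file="$SECRET" \
        "rsync://sysvol-replication@$PDC_IP/SysVol/" "$SYSVOL"
}

# fix_sysvol_acls -> verifies the NT ACLs on sysvol and resets them if the
# check reports errors, which the post observes after every GPO change
fix_sysvol_acls() {
    samba-tool ntacl sysvolcheck >/dev/null 2>&1 && return 0
    samba-tool ntacl sysvolreset
}

# sync_once [--dry-run] -> lock, pull, repair ACLs, unlock
sync_once() {
    mkdir "$LOCKDIR" 2>/dev/null || { echo "another sysvol pull is still running" >&2; return 1; }
    trap 'rmdir "$LOCKDIR"' EXIT
    pull_sysvol "${1:-}" || return 1
    [ "${1:-}" = "--dry-run" ] || fix_sysvol_acls
}

case "${1:-}" in
    --run)     sync_once ;;
    --dry-run) sync_once --dry-run ;;
esac
```

With the script saved as /usr/local/sbin/sysvol-pull.sh, the crontab entry becomes */5 * * * * /usr/local/sbin/sysvol-pull.sh --run, and --dry-run reproduces the test command from the previous section while still enforcing the permission check.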


Linux --> Windows: Robocopy can be used:
Create a new scheduled task:

Trigger:

Action:
Start a program
Program/script:
C:\Windows\SysWOW64\Robocopy.exe
Add arguments:
\\ubuntu-ad\sysvol\ D:\AD\SYSVOL\sysvol\ /mir /sec




Samba AD DC troubleshooting page: https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting

Use Microsoft's Remote Server Administration Tools (RSAT) to connect to and manage the DC server

Download link: https://www.microsoft.com/zh-TW/download/details.aspx?id=45520
