708SecondaryAD - amagerard/FreeRadius GitHub Wiki

8. Secondary Samba-AD.

Prerequisite.

See https://samba.tranquil.it/doc/en/samba_config_server/redhat8/server_secondary_redhat.html.

The primary domain controller is thot.dw.learn.lan.
Check the Samba AD database on it:
systemctl stop samba
samba-tool dbcheck --cross-ncs
samba-tool dbcheck --cross-ncs --fix --yes (if there are errors)
Check sysvol:
samba-tool ntacl sysvolreset
samba-tool ntacl sysvolcheck
The primary domain controller must be fully operational before you continue.
systemctl start samba

Primary controller is called: thot.dw.learn.lan, 192.168.40.47
Secondary controller is called: sesh.dw.learn.lan, 192.168.40.48
The domain is called: dw.learn.lan

8.1. Installation.

The secondary domain controller VM is a clone of the primary domain controller VM.
The primary domain controller must stay shut down until the network reconfiguration of the secondary domain controller is complete.

Create a clone of the VM thot and name it sesh.
Change the MAC address of the network card in the sesh VM.

Start the sesh VM.

systemctl stop samba
systemctl disable samba

The installation of the secondary domain controller follows the same process as
the primary domain controller.

Replace the name thot with sesh and the IP address of thot with that of sesh in:

/etc/hosts  
/etc/hostname  
/etc/sysconfig/network  

The only other differences are the network settings needed to join the domain:
the IP address becomes 192.168.40.48 and the DNS server is thot.dw.learn.lan (192.168.40.47).

IP: 192.168.40.48/24.
Gateway: 192.168.40.254.
Domain Name Server: 192.168.40.47.
Search domain: dw.learn.lan.
nmcli con mod eth0 ipv4.method "manual" ipv4.addresses 192.168.40.48/24
nmcli con mod eth0 ipv4.gateway 192.168.40.254
nmcli con mod eth0 ipv4.dns 192.168.40.47
nmcli con mod eth0 ipv4.dns-search dw.learn.lan

This krb5.conf is the same as that of thot.dw.learn.lan, with kdc = 192.168.40.47 added:

vi /etc/krb5.conf

[libdefaults]  
  default_realm = DW.LEARN.LAN  
  dns_lookup_kdc = false  
  dns_lookup_realm = false  
  allow_weak_crypto = false  
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac  
  
  
[realms]  
  DW.LEARN.LAN = {  
  kdc = 127.0.0.1  
  kdc = 192.168.40.47  
  }  
  
[domain_realm]  
        SESH = DW.LEARN.LAN  
  

systemctl disable samba (already done).

Reboot the server sesh.dw.learn.lan.
reboot

Start the thot server.

Check that the primary controller (thot) is still active.
From the sesh server:

kinit administrator, with the password of DW.TEST\administrator.
klist gives:

Valid starting       Expires              Service principal  
03/23/2025 15:11:36  03/24/2025 01:11:36  krbtgt/DW.LEARN.LAN@DW.LEARN.LAN  
        renew until 03/24/2025 15:11:32  

8.2 Configuring secondary (sesh).

Make a backup of your samba configuration.
cp /etc/samba/smb.conf /etc/samba/smb-thot.conf
Remove the configuration file /etc/samba/smb.conf.
rm /etc/samba/smb.conf
touch /etc/samba/smb.conf

Backup the samba folder.
rsync -avAX /var/lib/samba /root/backup_samba_20260203/

Remove /var/lib/samba.
rm -rf /var/lib/samba/*

Join sesh.dw.learn.lan to the domain as a domain controller:
samba-tool domain join dw.learn.lan DC -U administrator --realm=DW.LEARN.LAN -W DW.LEARN

Modify the DNS to point to itself:
nmcli con mod eth0 ipv4.dns 127.0.0.1
systemctl restart NetworkManager
cat /etc/resolv.conf

# Generated by NetworkManager  
search dw.learn.lan  
nameserver 127.0.0.1  

Copy the smb.conf of thot.dw.learn.lan (saved above as smb-thot.conf) over the one generated by the join on sesh.dw.learn.lan, then replace thot with sesh:
cd /etc/samba
cp smb.conf smb-sesh.conf_ori
cp smb-thot.conf smb.conf

vi /etc/samba/smb.conf

# Global parameters  
[global]  
        dns forwarder = 127.0.0.1:4343  
        netbios name = SESH  
        realm = DW.LEARN.LAN  
        server role = active directory domain controller  
        workgroup = DW.LEARN  

Restart secondary controller.
reboot

Start the samba service, then stop it again.
systemctl start samba
systemctl stop samba

/var/lib/samba/sysvol/dw.learn.lan is empty: the policies are missing.

Restore sysvol from the rsync backup made earlier in /root/backup_samba_20260203/:

cd /root/backup_samba_20260203/samba
rsync -avAX sysvol /var/lib/samba/

Point your Kerberos to the correct configuration file:
rm /var/lib/samba/private/krb5.conf
ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf

Check sesh AD.
samba-tool dbcheck --cross-ncs
samba-tool dbcheck --cross-ncs --fix --yes (if there are errors)
Check sysvol
samba-tool ntacl sysvolreset
samba-tool ntacl sysvolcheck

Start the samba AD service:
systemctl enable --now samba

Check that the DNS entries are correct:
samba_dnsupdate --verbose --use-samba-tool

Check that the FSMO roles are still held by the primary controller (THOT):
samba-tool fsmo show

SchemaMasterRole owner: CN=NTDS Settings,CN=THOT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dw,DC=learn,DC=lan  
InfrastructureMasterRole owner: CN=NTDS Settings,CN=THOT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dw,DC=learn,DC=lan  
RidAllocationMasterRole owner: CN=NTDS Settings,CN=THOT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dw,DC=learn,DC=lan  
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=THOT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dw,DC=learn,DC=lan  
DomainNamingMasterRole owner: CN=NTDS Settings,CN=THOT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dw,DC=learn,DC=lan  
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=THOT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dw,DC=learn,DC=lan  
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=THOT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dw,DC=learn,DC=lan  
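The fsmo show output above is only useful if someone actually compares every line against the controller that should hold the roles. The following is an added example (not part of this wiki, nor of Samba): a small POSIX sh function that reads `samba-tool fsmo show` output on stdin, extracts the DC name from each NTDS Settings DN, and fails if any role is owned by another controller. The sample output it runs on is constructed to match the listing above; on a live DC you would run `samba-tool fsmo show | fsmo_check THOT`.

```shell
#!/bin/sh
# Added example (not part of the wiki): read `samba-tool fsmo show` output on
# stdin and verify that every role is owned by the DC named in $1 (NetBIOS
# name as it appears in the NTDS Settings DN). Prints each role held elsewhere
# and returns 1 if any role is not where you expect it.
fsmo_check() {
  expected="$1"
  bad=0
  seen=0
  while IFS= read -r line; do
    case "$line" in
      *"Role owner: "*) ;;
      *) continue ;;
    esac
    seen=$((seen + 1))
    role="${line%% owner:*}"
    # The owner DN has the form CN=NTDS Settings,CN=<DC>,CN=Servers,...
    owner=$(printf '%s\n' "$line" | sed -n 's/.*CN=NTDS Settings,CN=\([^,]*\),CN=Servers.*/\1/p')
    if [ "$owner" != "$expected" ]; then
      printf '%s is held by %s, expected %s\n' "$role" "${owner:-unknown}" "$expected"
      bad=1
    fi
  done
  # No role lines at all means the input was not fsmo show output
  [ "$seen" -gt 0 ] || { echo "no FSMO role lines found"; bad=1; }
  return $bad
}

# Constructed sample shaped like the listing in this section: all roles on THOT.
NTDS='CN=NTDS Settings,CN=THOT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dw,DC=learn,DC=lan'
SAMPLE_OK="SchemaMasterRole owner: $NTDS
InfrastructureMasterRole owner: $NTDS
RidAllocationMasterRole owner: $NTDS
PdcEmulationMasterRole owner: $NTDS
DomainNamingMasterRole owner: $NTDS
DomainDnsZonesMasterRole owner: $NTDS
ForestDnsZonesMasterRole owner: $NTDS"

# Constructed sample where the PDC emulator role has moved to SESH.
SAMPLE_SPLIT=$(printf '%s\n' "$SAMPLE_OK" | sed 's/^\(PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\)THOT/\1SESH/')

printf '%s\n' "$SAMPLE_OK" | fsmo_check THOT && echo "all roles on THOT"
printf '%s\n' "$SAMPLE_SPLIT" | fsmo_check THOT || echo "role split detected"
```

Run it on each controller after the join and again after any role transfer; a role reported on the wrong DC is the first thing to look at when Group Policy or password changes start behaving differently on the two controllers.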

Add the secondary controller to the krb5.conf file of thot.
On the thot server:
vi /etc/krb5.conf

[realms]  
  DW.LEARN.LAN = {  
  kdc = 127.0.0.1  
  kdc = 192.168.40.48  
  }  
  
[domain_realm]  
  THOT = DW.LEARN.LAN  

systemctl restart samba

8.3 Check the two controllers.

Stop the samba AD service on thot.dw.learn.lan.

From a computer joined to the domain dw.learn.lan.
Beforehand, the network card must list the IP addresses of both controllers as DNS servers.

Start button.
Windows Administrative Tools.
Open:

  • Active Directory Users and Computers.
  • Group Policy Management.
  • DNS.

8.4 Synchronize Sysvol between the 2 controllers.

https://dev.tranquil.it/wiki/SAMBA_-_R%C3%A9plication_du_partage_SYSVOL

8.4.1 Prerequisite.

Open the ports between the 2 controllers.
Exchange root SSH keys between the 2 controllers (see 8.4.1.3 Certificates).

8.4.1.1 Firewall.

Example:
Primary controller: 192.168.40.47
Secondary controller: 192.168.40.48
On the primary controller:
ufw allow in from 192.168.40.48 to 192.168.40.47
ufw allow out from 192.168.40.47 to 192.168.40.48
On the secondary controller:
ufw allow in from 192.168.40.47 to 192.168.40.48
ufw allow out from 192.168.40.48 to 192.168.40.47

8.4.1.2 sshd_config.

On the primary controller:
vi /etc/ssh/sshd_config

PermitRootLogin  yes  
AllowUsers <your user>   root@<secondary controller IP>  
PubkeyAuthentication  no  
PasswordAuthentication  yes  

systemctl restart sshd

On the secondary controller:
vi /etc/ssh/sshd_config

PermitRootLogin  yes  
AllowUsers <your user>   root@<primary controller IP>  
PubkeyAuthentication  no  
PasswordAuthentication  yes  

systemctl restart sshd

8.4.1.3 Certificates.

On the primary controller:
cd /root
Leave the passphrase empty.
ssh-keygen -t ed25519 -C root@thot
ssh-copy-id -i ~/.ssh/id_ed25519.pub root@<secondary controller IP>
On the secondary controller:
cd /root
Leave the passphrase empty.
ssh-keygen -t ed25519 -C root@sesh
ssh-copy-id -i ~/.ssh/id_ed25519.pub root@<primary controller IP>

Now that the keys are in place, switch each controller to key-only authentication:
vi /etc/ssh/sshd_config

PubkeyAuthentication  yes  
PasswordAuthentication  no  

systemctl restart sshd
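The step above only closes the password door if the two new lines are the ones sshd actually reads. sshd uses the first occurrence of a keyword and ignores later duplicates, and everything after a Match header belongs to that Match block, so the temporary "PasswordAuthentication yes" from 8.4.1.2 must be edited, not just followed by a new line. The following is an added example (not part of this wiki or of OpenSSH): a POSIX sh function that reports the effective global value of a keyword in a given sshd_config file, plus a check for the end state wanted here. The sample sshd_config it runs on is constructed to show the trap.

```shell
#!/bin/sh
# Added example (not part of the wiki): print the value sshd will actually use
# for a keyword in sshd_config. sshd keeps the FIRST occurrence of a keyword and
# ignores later duplicates, so appending "PasswordAuthentication no" at the end
# of the file does nothing if an earlier "PasswordAuthentication yes" is still
# there. Lines after a "Match" header belong to that block and are skipped;
# only the global section is inspected.
sshd_effective() {
  file="$1"
  key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  awk -v key="$key" '
    { line = $0; sub(/#.*/, "", line); gsub(/[[:space:]]*=[[:space:]]*/, " ", line) }
    line ~ /^[[:space:]]*$/ { next }
    {
      split(line, f, /[[:space:]]+/)
      i = (f[1] == "") ? 2 : 1          # skip the empty field left by leading blanks
      k = tolower(f[i]); v = f[i + 1]
    }
    k == "match" { inmatch = 1; next }
    inmatch { next }
    k == key { print v; exit }
  ' "$file"
}

# Verify the end state this section aims for: key-based logins only.
# A missing keyword falls back to the sshd default (yes for both).
sshd_hardened() {
  file="$1"; rc=0
  pub=$(sshd_effective "$file" PubkeyAuthentication);  [ -n "$pub" ] || pub=yes
  pw=$(sshd_effective "$file" PasswordAuthentication); [ -n "$pw" ] || pw=yes
  [ "$pub" = yes ] || { echo "PubkeyAuthentication is $pub, expected yes"; rc=1; }
  [ "$pw" = no ]   || { echo "PasswordAuthentication is $pw, expected no"; rc=1; }
  return $rc
}

# Constructed sample: the temporary settings from 8.4.1.2 were left in place and
# the hardened lines were appended after a Match block, so they never apply globally.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
PermitRootLogin yes
AllowUsers admin root@192.168.40.48
PubkeyAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
sshd_hardened "$SAMPLE" || echo "sshd_config is NOT key-only"
rm -f "$SAMPLE"
```

Run `sshd_hardened /etc/ssh/sshd_config` on both controllers after the restart; on a live host `sshd -T` gives the same effective values straight from the daemon and is the authoritative check, the function above is just the portable, offline version of the same idea.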

8.4.2 Installing tis-sysvolsync.

Install it on each controller.

cd /root
dnf install rpm-build git python-requests python-lxml python-ldap
git clone https://github.com/tranquilit/tis-sysvolsync
cd tis-sysvolsync/rpm
sh build.sh
ls *.rpm
rpm -ivh tis-sysvolsync-1.27.12-1.el10.x86_64.rpm
Before launching the services, check the database and sysvol.
systemctl stop samba
samba-tool dbcheck
samba-tool ntacl sysvolcheck
If you have errors:
samba-tool dbcheck --cross-ncs --fix --yes
samba-tool ntacl sysvolreset
samba-tool dbcheck
samba-tool ntacl sysvolcheck

systemctl start samba

Remove the executable bit from the unit files:
chmod -x /usr/lib/systemd/system/tis-sysvolsync.service
chmod -x /usr/lib/systemd/system/tis-sysvolacl.service
Start the services:
systemctl enable --now tis-sysvolsync
systemctl enable --now tis-sysvolacl

Once the installation is complete and the services are running on both controllers, run the following on each of them:
systemctl stop tis-sysvolacl (on both controllers)
systemctl restart tis-sysvolsync (on both controllers)
Then, on each controller:
/opt/tis-sysvolsync/sysvolsync.py configure
systemctl start tis-sysvolacl

Check sysvol synchronization.
Create a GPO with the RSAT tools on a Windows computer in the dw.learn.lan domain.
The GPO appears as a directory named {xxx} on each controller:
ls -l /var/lib/samba/sysvol/dw.learn.lan/Policies/
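Looking for the new {xxx} directory by eye catches a GPO that never arrived, but not one that arrived and then stopped being updated. The following is an added example (not part of this wiki or of tis-sysvolsync): a POSIX sh function that compares two Policies directories, reports GPOs present on only one side, and flags GPOs whose gpt.ini differs (gpt.ini carries a version number that changes on every edit). Both arguments are local paths here so it runs anywhere; on a real pair you would first rsync the other controller's Policies directory to a scratch path over the ssh access set up in 8.4.1.3. The sample trees are constructed; the first GUID is the well-known Default Domain Policy, the second is made up.

```shell
#!/bin/sh
# Added example (not part of the wiki): compare the Policies directories of two
# controllers and report drift. A GPO is a directory named {GUID}; gpt.ini
# inside it carries a version number that changes on every edit, so identical
# directory lists with differing gpt.ini means the sync is behind.
# Returns 1 on any drift, 0 when both sides match.
sysvol_drift() {
  a="$1"; b="$2"; rc=0
  ta=$(mktemp); tb=$(mktemp)
  ls -1 "$a" | grep '^{.*}$' | sort > "$ta"
  ls -1 "$b" | grep '^{.*}$' | sort > "$tb"
  for g in $(comm -23 "$ta" "$tb"); do echo "missing on $b: $g"; rc=1; done
  for g in $(comm -13 "$ta" "$tb"); do echo "missing on $a: $g"; rc=1; done
  for g in $(comm -12 "$ta" "$tb"); do
    if ! cmp -s "$a/$g/gpt.ini" "$b/$g/gpt.ini"; then
      echo "gpt.ini differs: $g"; rc=1
    fi
  done
  rm -f "$ta" "$tb"
  return $rc
}

# Helper to build a constructed GPO directory with a gpt.ini at a given version.
make_gpo() { mkdir -p "$1/$2" && printf '[General]\r\nVersion=%s\r\n' "$3" > "$1/$2/gpt.ini"; }

# Constructed sample trees standing in for /var/lib/samba/sysvol/dw.learn.lan/Policies
# on each controller: the Default Domain Policy is on both, a new GPO only on the primary.
PRIMARY=$(mktemp -d); SECONDARY=$(mktemp -d)
make_gpo "$PRIMARY"   '{31B2F340-016D-11D2-945F-00C04FB984F9}' 5
make_gpo "$SECONDARY" '{31B2F340-016D-11D2-945F-00C04FB984F9}' 5
make_gpo "$PRIMARY"   '{00000000-DEAD-BEEF-0000-000000000001}' 1
sysvol_drift "$PRIMARY" "$SECONDARY" || echo "sysvol is not in sync"
rm -rf "$PRIMARY" "$SECONDARY"
```

A non-empty report a few minutes after a GPO edit is normal while tis-sysvolsync catches up; the same report an hour later means the service or the ssh key exchange between the controllers needs attention.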
