Salder
Newbie

Comrades, I'm asking for help, please. In short, I want to bring up AD on Debian 8.6 (in test mode, but still). As a guide I picked the Ubuntu example http://help.ubuntu.ru/wiki/samba4_as_dc_14.04 That is:

1. Installed the packages successfully: apt-get install samba acl krb5-user ntp cups bind9 smbclient

2. Ran the command: samba-tool domain provision --use-rfc2307 --interactive
We get:
Code:
root@1:~# samba-tool domain provision --use-rfc2307 --interactive
Realm: debian.local
Domain [debian]: debian
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=debian,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=debian,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              1
NetBIOS Domain:        DEBIAN
DNS Domain:            debian.local
DOMAIN SID:            S-1-5-21-543193289-1601867468-1038541806

3. Configuring BIND9. I bring the file /etc/bind/named.conf.options to this form:
Code:
options {
    directory "/var/cache/bind";
    auth-nxdomain yes;
    forwarders { 192.168.100.4; };
    allow-transfer { none; };
    notify no;
    empty-zones-enable no;
    allow-query { 192.168.100.0/24; 127.0.0.0/8; };
    allow-recursion { 192.168.100.0/24; 127.0.0.0/8; };
    allow-update { 192.168.100.0/24; 127.0.0.0/8; };
};
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

*192.168.100.4 is the local address of the machine on which I'm bringing up AD

4. The file /var/lib/samba/private/named.conf has the following config:
Code:
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};

5. The file /etc/apparmor.d/usr.sbin.named has the following config:
Code:
# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,

  # ssl
  /etc/ssl/openssl.cnf r,

  # GeoIP data files for GeoIP ACLs
  /usr/share/GeoIP/** r,

  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,

  /proc/net/if_inet6 r,
  /proc/*/net/if_inet6 r,
  /usr/sbin/named mr,
  /{,var/}run/named/named.pid w,
  /{,var/}run/named/session.key w,

  # support for resolvconf
  /{,var/}run/named/named.options r,

  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.named>

  # for samba4
  #/var/lib/samba/private/** r,
  /usr/lib/x86_64-linux-gnu/samba/bind9/** m,
  /usr/lib/x86_64-linux-gnu/samba/ldb/** m,
  /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,
  /usr/lib/x86_64-linux-gnu/samba/gensec/krb5.so m,
  /var/lib/samba/private/dns.keytab rwk,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,
  /var/lib/samba/private/krb5.conf r,
  /var/tmp/** rwk,
  /dev/urandom rwk,
}

6. I restart the service: service bind9 restart
There seem to be no errors.
Code:
root@1:~# service bind9 restart
root@1:~#

7. I restart the service: service apparmor restart
And here the first puzzle begins:
Code:
root@1:~# service apparmor restart
Job for apparmor.service failed. See 'systemctl status apparmor.service' and 'journalctl -xn' for details.
root@1:~#

systemctl status apparmor.service
Code:
root@1:~# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
   Loaded: loaded (/etc/init.d/apparmor)
   Active: failed (Result: exit-code) since Сб 2016-12-10 20:03:25 +07; 1min 1s ago
  Process: 2624 ExecStart=/etc/init.d/apparmor start (code=exited, status=1/FAILURE)

дек 10 20:03:25 1 apparmor[2624]: Starting AppArmor profiles:AppArmor no.....
дек 10 20:03:25 1 apparmor[2624]: failed!
дек 10 20:03:25 1 systemd[1]: apparmor.service: control process exited, ...=1
дек 10 20:03:25 1 systemd[1]: Failed to start LSB: AppArmor initialization.
дек 10 20:03:25 1 systemd[1]: Unit apparmor.service entered failed state.
Hint: Some lines were ellipsized, use -l to show in full.
root@1:~#

journalctl -xn
Code:
root@1:~# journalctl -xn
-- Logs begin at Сб 2016-12-10 15:51:50 +07, end at Сб 2016-12-10 20:03:25 +07.
дек 10 20:01:58 1 systemd[1]: bind9.service: main process exited, code=exited, s
дек 10 20:01:58 1 rndc[2614]: rndc: connect failed: 127.0.0.1#953: connection re
дек 10 20:01:58 1 systemd[1]: bind9.service: control process exited, code=exited
дек 10 20:01:58 1 systemd[1]: Unit bind9.service entered failed state.
дек 10 20:03:25 1 systemd[1]: Starting LSB: AppArmor initialization...
-- Subject: Начинается запуск юнита apparmor.service
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Начат процесс запуска юнита apparmor.service.
дек 10 20:03:25 1 apparmor[2624]: Starting AppArmor profiles:AppArmor not availa
дек 10 20:03:25 1 apparmor[2624]: failed!
дек 10 20:03:25 1 systemd[1]: apparmor.service: control process exited, code=exi
дек 10 20:03:25 1 systemd[1]: Failed to start LSB: AppArmor initialization.
-- Subject: Ошибка юнита apparmor.service
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Произошел сбой юнита apparmor.service.
--
-- Результат: failed.
дек 10 20:03:25 1 systemd[1]: Unit apparmor.service entered failed state.

7. But let's continue. Start samba4: service samba-ad-dc start
Code:
root@1:~# service samba-ad-dc start
root@1:~#

8. Contents of the file /etc/resolv.conf:
Code:

9. The very first test gives an error: smbclient -L localhost -U%
Code:
root@1:~# smbclient -L localhost -U%
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
root@1:~#
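The post's own output already contains the evidence a practitioner would check before blaming Samba: the journal at 20:01:58 shows bind9.service exiting and rndc failing to connect, even though the `service bind9 restart` in step 6 printed nothing; the AppArmor init script reports "AppArmor not available", which on Debian 8 means the kernel was not booted with `apparmor=1 security=apparmor`, so the usr.sbin.named profile is not enforced at all; and NT_STATUS_CONNECTION_REFUSED on localhost:445 means no Samba process is listening (on Debian 8 the samba package ships samba-ad-dc.service masked, so `service samba-ad-dc start` alone does not start it). Below is a post-provision health check, an added example that is not part of the post or of the Samba/Debian projects. The `check_*` helpers take captured text so they can be exercised offline; `run_live_checks` feeds them the real files and command outputs. The DC address 192.168.100.4, the realm debian.local and the unit names bind9 and samba-ad-dc are taken from the post; everything else (function names, the port list) is this example's own assumption.

```shell
#!/bin/sh
# Post-provision sanity checks for a Samba AD DC using the BIND9_DLZ backend.
# Added example (not from the original post). Pure helpers take captured text;
# run_live_checks applies them to the running host. Assumed values from the
# post: DC IP 192.168.100.4, realm debian.local, units bind9 and samba-ad-dc.

# Return 0 if JOURNAL (journalctl text) records UNIT exiting or entering
# failed state. A silent "service X restart" is not proof of success.
journal_unit_failed() {
    unit="$1"; journal="$2"
    printf '%s\n' "$journal" | grep -Eq "${unit}"'\.service.*(exited|failed state)'
}

# Return 0 if the resolv.conf TEXT lists the DC itself as the first nameserver
# and carries the realm in a search/domain line. The DC (and every client)
# must resolve the AD SRV records via Samba-backed DNS, not via a forwarder.
check_resolv_conf() {
    dc_ip="$1"; realm="$2"; text="$3"
    first_ns=$(printf '%s\n' "$text" | awk '$1=="nameserver"{print $2; exit}')
    [ "$first_ns" = "$dc_ip" ] || return 1
    printf '%s\n' "$text" | grep -Eq '^(search|domain)[[:space:]]+(.*[[:space:]])?'"${realm}"'([[:space:]]|$)'
}

# Return 0 if every port given after SS_TEXT (output of `ss -ltn`) is in
# LISTEN state. 53 DNS, 88 Kerberos, 389 LDAP, 445 SMB are the minimum a DC
# must expose; a refused connection on 445 means smbd/samba never started.
ports_listening() {
    ss_text="$1"; shift
    for p in "$@"; do
        printf '%s\n' "$ss_text" | grep -Eq 'LISTEN.*[:.]'"${p}"'[[:space:]]' || return 1
    done
    return 0
}

# Return 0 if VALUE (contents of /sys/module/apparmor/parameters/enabled) is Y.
# "AppArmor not available" from the init script corresponds to N or to the
# file being absent: the profile in /etc/apparmor.d is then never loaded.
apparmor_enabled() {
    [ "$1" = "Y" ]
}

# Apply the helpers to the live system and print what a defender should fix.
run_live_checks() {
    rc=0
    if journal_unit_failed bind9 "$(journalctl -u bind9 --no-pager -n 50 2>/dev/null)"; then
        echo "bind9: failure in journal; run 'named-checkconf' and 'systemctl status bind9'"; rc=1
    fi
    check_resolv_conf 192.168.100.4 debian.local "$(cat /etc/resolv.conf 2>/dev/null)" \
        || { echo "resolv.conf: first nameserver must be the DC and search must name the realm"; rc=1; }
    ports_listening "$(ss -ltn 2>/dev/null)" 53 88 389 445 \
        || { echo "ports: not all of 53/88/389/445 listen; samba-ad-dc is not running"; rc=1; }
    apparmor_enabled "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" \
        || echo "apparmor: disabled in the kernel; usr.sbin.named profile is not enforced"
    if systemctl is-enabled samba-ad-dc 2>/dev/null | grep -q masked; then
        echo "samba-ad-dc: unit is masked; run 'systemctl unmask samba-ad-dc' then start it"; rc=1
    fi
    return $rc
}

# Usage: sh dc-check.sh --live   (otherwise only the functions are defined)
case "${1:-}" in
    --live) run_live_checks ;;
esac
```

Running it with `--live` on the DC prints one line per failed check and exits non-zero; the live checks deliberately read the same sources the post quotes (journalctl, resolv.conf, the listening sockets) so that the result can be compared with the output already shown.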