Good day!
In this note I have tried to collect the information I found on how to deploy an Active Directory 2003 infrastructure on Ubuntu Server 12.04 using the Samba4 package.
During the Ubuntu installation the hostname dc1.corp.grant was specified. The local domain will be corp.grant (CORP), IP: 192.168.10.220.
Install all the required packages:
root@dc1:~# apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr libkrb5-dev libssl-dev krb5-user acl
root@dc1:~# apt-get install checkinstall bind9 -y
Configure bind9 with DLZ support (DLZ stands for Dynamically Loadable Zones).
Remove the current bind9 version, which was installed from the repository only to pull in all the required dependencies and configuration files:
root@dc1:~# dpkg -r bind9
Create a directory for building our software:
root@dc1:~# mkdir -p /usr/src/
Download the current bind9 version and build it from source with DLZ support:
root@dc1:~# cd /usr/src/
root@dc1:/usr/src# wget ftp://ftp.isc.org/isc/bind9/9.9.2/bind-9.9.2.tar.gz
root@dc1:/usr/src# tar zxvf bind-9.9.2.tar.gz
root@dc1:/usr/src# cd bind-9.9.2/
root@dc1:/usr/src/bind-9.9.2# ./configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var --enable-threads --enable-largefile --with-libtool --enable-shared --enable-static --with-openssl=/usr --with-gssapi=/usr --with-gnu-ld --with-geoip=/usr --enable-ipv6 --with-dlopen=yes
root@dc1:/usr/src/bind-9.9.2# make
Next, build the package with checkinstall:
root@dc1:/usr/src/bind-9.9.2# checkinstall --type=debian --pkgname=bind9 --pkgversion=9.9.2 --install=yes --nodoc --default
root@dc1:/usr/src/bind-9.9.2# /etc/init.d/bind9 restart
* Stopping domain name service… bind9 rndc: connect failed: 127.0.0.1#953: connection refused
[ OK ]
* Starting domain name service… bind9 [ OK ]
Check the current bind9 version:
root@dc1:/usr/src/bind-9.9.2# named -V
BIND 9.9.2 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' '--with-dlopen=yes'
using OpenSSL version: OpenSSL 1.0.1 14 Mar 2012
Go up one level to download Samba:
root@dc1:/usr/src/bind-9.9.2# cd ..
Download the subject of this note:
root@dc1:/usr/src# wget http://ftp.samba.org/pub/samba/rc/samba-4.0.0rc6.tar.gz
--2013-01-10 14:51:11-- http://ftp.samba.org/pub/samba/rc/samba-4.0.0rc6.tar.gz
Преобразование адреса ftp.samba.org (ftp.samba.org)… 216.83.154.106, 2001:470:1f05:1a07::1
Подключение к ftp.samba.org (ftp.samba.org)|216.83.154.106|:80… соединились.
Запрос HTTP послан, ожидание ответа… 200 OK
Длина: 22028908 (21M) [application/x-gzip]
Сохранение в каталог: ««samba-4.0.0rc6.tar.gz»».
100%[===========================================================================================>] 22.028.908 405K/s за 98s
2013-01-10 14:52:49 (219 KB/s) - «samba-4.0.0rc6.tar.gz» сохранен [22028908/22028908]
Unpack it:
root@dc1:/usr/src# tar -xzvf samba-4.0.0rc6.tar.gz
Enter the directory:
root@dc1:/usr/src# cd samba-4.0.0rc6/
Configure the build:
root@dc1:/usr/src/samba-4.0.0rc6# ./configure --enable-debug --enable-selftest
Build:
root@dc1:/usr/src/samba-4.0.0rc6# make
[3769/3774] pidl.1p: pidl/pidl -> bin/default/pidl/pidl.1p
[3770/3774] Parse::Pidl::Dump.3pm: pidl/lib/Parse/Pidl/Dump.pm -> bin/default/pidl/Parse::Pidl::Dump.3pm
[3771/3774] Parse::Pidl::Wireshark::Conformance.3pm: pidl/lib/Parse/Pidl/Wireshark/Conformance.pm -> bin/default/pidl/Parse::Pidl::Wireshark::Conformance.3pm
[3772/3774] Parse::Pidl::Util.3pm: pidl/lib/Parse/Pidl/Util.pm -> bin/default/pidl/Parse::Pidl::Util.3pm
[3773/3774] Parse::Pidl::NDR.3pm: pidl/lib/Parse/Pidl/NDR.pm -> bin/default/pidl/Parse::Pidl::NDR.3pm
[3774/3774] Parse::Pidl::Wireshark::NDR.3pm: pidl/lib/Parse/Pidl/Wireshark/NDR.pm -> bin/default/pidl/Parse::Pidl::Wireshark::NDR.3pm
Waf: Leaving directory `/usr/src/samba-4.0.0rc6/bin'
Make a package with checkinstall:
root@dc1:/usr/src/samba-4.0.0rc6# checkinstall --type=debian --pkgname=samba4 --pkgversion=4.0.0rc6 --install=yes --nodoc --default
checkinstall 1.6.2, Copyright 2009 Felipe Eduardo Sanchez Diaz Duran
Эта программа распространяется на условиях GNU GPL

*****************************************
**** Debian package creation selected ***
*****************************************

Этот пакет был создан с использованием данных значений:
0 - Maintainer: [ root@dc1 ]
1 - Summary: [ Package created with checkinstall 1.6.2 ]
2 - Name: [ samba4 ]
3 - Version: [ 4.0.0rc6 ]
4 - Release: [ 1 ]
5 - License: [ GPL ]
6 - Group: [ checkinstall ]
7 - Architecture: [ i386 ]
8 - Source location: [ samba-4.0.0rc6 ]
9 - Alternate source location: [ ]
10 - Requires: [ ]
11 - Provides: [ samba4 ]
12 - Conflicts: [ ]
13 - Replaces: [ ]

Введите номер для изменения параметра или нажмите ВВОД для продолжения:
Installing with make install…
========================= Результаты установки ===========================
WAF_MAKE=1 python ./buildtools/bin/waf install
Waf: Entering directory `/usr/src/samba-4.0.0rc6/bin'
* creating /usr/local/samba/etc
* creating /usr/local/samba/private
* creating /usr/local/samba/var
* creating /usr/local/samba/private
* creating /usr/local/samba/var/lib
* creating /usr/local/samba/var/locks
* creating /usr/local/samba/var/cache
* creating /usr/local/samba/var/lock
* creating /usr/local/samba/var/run
* creating /usr/local/samba/var/run
Selected embedded Heimdal build
Checking project rules …
Project rules pass

======================== Установка успешно завершена ======================
Some of the files created by the installation are inside the build
directory: /usr/src/samba-4.0.0rc6

You probably don't want them to be included in the package,
especially if they are inside your home directory.
Do you want me to list them? [n]: n
Исключить их из пакета? (ответить ДА-хорошая идея) [y]: y

Файлы копируются во временный каталог…OK
Stripping ELF binaries and libraries…OK
Сжимаются страницы руководства…OK
Построение списка файлов…OK
Собирается Debian-пакет…OK
Устанавливается Debian-пакет…OK
Удаляются временные файлы…OK
Записывается пакет с резервной копией…OK
OK
Удаляется временный каталог…OK
**********************************************************************
Done. The new package has been installed and saved to
/usr/src/samba-4.0.0rc6/samba4_4.0.0rc6-1_i386.deb
You can remove it from your system anytime using:
dpkg -r samba4
**********************************************************************
Add the paths to the environment variables:
root@dc1:/usr/src/samba-4.0.0rc6# echo > /etc/environment
root@dc1:/usr/src/samba-4.0.0rc6# echo PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/samba/sbin:/usr/local/samba/bin" > /etc/environment
Check the result:
root@dc1:/usr/src/samba-4.0.0rc6# cat /etc/environment
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/samba/sbin:/usr/local/samba/bin
Make the symlink:
root@dc1:/usr/src/samba-4.0.0rc6# ln -s /usr/local/samba/etc/ /etc/samba
Create the samba4 service control script /etc/init.d/samba4:
touch /etc/init.d/samba4
chmod +x /etc/init.d/samba4
root@dc1:/usr/src/samba-4.0.0rc6# cat /etc/init.d/samba4
#!/bin/sh

### BEGIN INIT INFO
# Provides: samba
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Should-Start: slapd
# Should-Stop: slapd
# Short-Description: start Samba daemon (samba)
### END INIT INFO

PIDDIR=/usr/local/samba/var/run
SAMBADPID=$PIDDIR/samba.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemons are there
test -x /usr/local/samba/sbin/samba || exit 0

# Starting init-functions for Debian shell script
. /lib/lsb/init-functions

case "$1" in
    start)
        log_daemon_msg "Starting Samba daemon"
        # Make sure we have our PIDDIR, even if it's on a tmpfs
        install -o root -g root -m 755 -d $PIDDIR

        SAMBA_DISABLED=`testparm -s --parameter-name='disable netbios' 2>/dev/null`
        if [ "$SAMBA_DISABLED" != 'Yes' ]; then
            log_progress_msg "samba"
            if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D
            then
                log_end_msg 1
                exit 1
            fi
        fi

        log_end_msg 0
        ;;
    stop)
        log_daemon_msg "Stopping Samba daemon"
        log_progress_msg "samba"

        start-stop-daemon --stop --quiet --pidfile $SAMBADPID
        # Wait a little and remove stale PID file
        sleep 1
        if [ -f $SAMBADPID ] && ! ps h `cat $SAMBADPID` > /dev/null
        then
            # Stale PID file (samba was successfully stopped),
            # remove it (should be removed by samba itself IMHO.)
            rm -f $SAMBADPID
        fi

        log_end_msg 0
        ;;
    reload)
        log_daemon_msg "Reloading /usr/local/samba/etc/smb.conf "
        start-stop-daemon --stop --signal HUP --pidfile $SAMBADPID
        log_end_msg 0
        ;;
    restart|force-reload)
        $0 stop
        sleep 1
        $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/samba4 {start|stop|reload|restart|force-reload}"
        exit 1
        ;;
esac

exit 0
==================================
Check that it works:
root@dc1:/usr/src/samba-4.0.0rc6# /etc/init.d/samba4 restart
* Stopping Samba daemon [ OK ]
* Starting Samba daemon [ OK ]
Configure samba4 to start automatically at boot:
update-rc.d samba4 defaults
Add the IP address of this machine to /etc/resolvconf/resolv.conf.d/head:
nameserver 192.168.10.220
Restart resolvconf:
service resolvconf restart
Set the host name, for example dc1, and reboot the server, in case you did not take care of this when installing Ubuntu:
echo dc1 > /etc/hostname
Allow Bind9 to interact with Samba4 in AppArmor. Add the following to the end of the file
/etc/apparmor.d/usr.sbin.named, before the closing }:
/usr/local/samba/private/** rwlmk,
/usr/local/samba/private/dns/** rwlmk,
/usr/local/samba/private/dns.keytab rwlmk,
/usr/local/samba/private/named.conf.update rwlmk,
/usr/local/samba/private/named.conf rwlmk,
/usr/local/samba/private/sam.ldb.d/** rwlmk,
/usr/local/samba/private/dns/sam.ldb.d/** rwlmk,
/var/tmp/** rwlmk,
/usr/local/samba/lib/bind9/** rwlmk,
/usr/local/samba/lib/** rwlmk,
/usr/local/samba/lib/ldb/** rwlmk,
Reload AppArmor:
root@dc1:/usr/src/samba-4.0.0rc6# /etc/init.d/apparmor reload
* Reloading AppArmor profiles Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd [ OK ]
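The rules added to usr.sbin.named above, run through a small audit as an added example (not part of the original note): each of them grants write together with executable mmap, and most are already covered by a broader `**` rule. The narrow_rules set is a constructed assumption for comparison and has to be checked against what named actually needs on your system.

```shell
#!/bin/sh
# Added example: audit AppArmor file rules for two problems.
#   WRITE+EXEC  the rule grants write (w/a) together with m or x, so the
#               confined process could map a file it wrote as executable
#   REDUNDANT   the rule is already covered by a broader "dir/**" rule

# The rules this page adds to /etc/apparmor.d/usr.sbin.named.
page_rules() {
cat <<'EOF'
/usr/local/samba/private/** rwlmk,
/usr/local/samba/private/dns/** rwlmk,
/usr/local/samba/private/dns.keytab rwlmk,
/usr/local/samba/private/named.conf.update rwlmk,
/usr/local/samba/private/named.conf rwlmk,
/usr/local/samba/private/sam.ldb.d/** rwlmk,
/usr/local/samba/private/dns/sam.ldb.d/** rwlmk,
/var/tmp/** rwlmk,
/usr/local/samba/lib/bind9/** rwlmk,
/usr/local/samba/lib/** rwlmk,
/usr/local/samba/lib/ldb/** rwlmk,
EOF
}

# Constructed narrower set (an assumption, not from the page): libraries are
# read/mmap only, config and keytab read only, the DNS database writable.
narrow_rules() {
cat <<'EOF'
/usr/local/samba/lib/** rm,
/usr/local/samba/private/dns.keytab r,
/usr/local/samba/private/named.conf r,
/usr/local/samba/private/dns/** rwk,
EOF
}

# Reads rules on stdin, prints one finding per line.
audit_apparmor_rules() {
  awk '
    function covers(a, b,   k) {        # is every letter of b also in a?
      for (k = 1; k <= length(b); k++)
        if (index(a, substr(b, k, 1)) == 0) return 0
      return 1
    }
    NF < 2 || $1 ~ /^#/ { next }        # blank lines and comments
    {
      if ($1 == "owner") { p = $2; m = $3 } else { p = $1; m = $2 }
      sub(/,$/, "", m)
      if (substr(p, 1, 1) != "/") next  # only plain file rules
      if (m ~ /[wa]/ && m ~ /[mx]/) print "WRITE+EXEC " p " " m
      path[++n] = p; perm[n] = m
    }
    END {
      for (i = 1; i <= n; i++)
        for (j = 1; j <= n; j++) {
          g = path[j]
          if (i == j || substr(g, length(g) - 2) != "/**") continue
          if (index(path[i], substr(g, 1, length(g) - 2)) == 1 && covers(perm[j], perm[i])) {
            print "REDUNDANT " path[i] " (covered by " g ")"
            break
          }
        }
    }'
}

page_rules | audit_apparmor_rules
```

On a live system the same function can be fed the rule lines taken from /etc/apparmor.d/usr.sbin.named.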
Add the new domain's details to the bind9 file /etc/bind/named.conf.local:
root@dc1:/usr/src/samba-4.0.0rc6# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/usr/local/samba/private/named.conf";
Remove the old samba4 configuration (just in case):
root@dc1:/usr/src/samba-4.0.0rc6# mv /usr/local/samba/etc/smb.conf /usr/local/samba/etc/smb.conf.old
We will build the new domain corp.grant. Replace the realm value with the DNS name of your server, domain with the domain name (WINS), and adminpass with the desired PDC administrator password.
Pay attention to the case in --domain=CORP: it must be in capital letters.
root@dc1:~# /usr/local/samba/bin/samba-tool domain provision --realm=CORP.GRANT --domain=CORP --adminpass=Qwerty123456789 --server-role='domain controller' --dns-backend=BIND9_DLZ
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=corp,DC=grant
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=corp,DC=grant
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dc1
NetBIOS Domain: CORP
DNS Domain: corp.grant
DOMAIN SID: S-1-5-21-3041233208-4010610489-468173023
Put the Kerberos configuration in place:
root@dc1:~# mv /etc/krb5.conf /etc/krb5.conf.orig
root@dc1:~# ln -s /usr/local/samba/private/krb5.conf /etc/krb5.conf
Bring krb5.conf to the following form:
root@dc1:~# cat /usr/local/samba/private/krb5.conf
[libdefaults]
default_realm = CORP.GRANT
dns_lookup_realm = true
dns_lookup_kdc = true
Enable bind 9.9 support in samba4.
Bring /usr/local/samba/private/named.conf to the following form:
root@dc1:~# cat /usr/local/samba/private/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/usr/local/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    #database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};
Reboot the server...
root@dc1:~# reboot
Check that samba4 works:
root@dc1:~# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[CORP] OS=[Unix] Server=[Samba 4.0.0rc6]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.0.0rc6)
Domain=[CORP] OS=[Unix] Server=[Samba 4.0.0rc6]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
Check that Kerberos works:
root@dc1:~# kinit Administrator
Password for Administrator@CORP.GRANT:
Warning: Your password will expire in 41 days on Thu Feb 21 17:25:56 2013
Generate the key for bind9:
root@dc1:~# /usr/local/samba/bin/samba-tool domain exportkeytab /usr/local/samba/private/dns.keytab
root@dc1:~# ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab
and hook it up in bind9 by adding it to /etc/bind/named.conf.options before the line with "dnssec-validation auto;":
root@dc1:~# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        // 0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys. See https://www.isc.org/bind-keys
        //========================================================================
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
        forwarders {
                // Add your own upstream DNS servers:
                192.168.104.200;
                192.168.104.104;
        };
        dnssec-validation auto;

        auth-nxdomain no; # conform to RFC1035
        listen-on-v6 { any; };
};
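An added check, not part of the original note, for the keytab exported above: samba-tool domain exportkeytab without --principal writes the keys of every account in the domain, and named reads this file through tkey-gssapi-keytab. The script lists principals other than the DNS service principals and checks the file mode; the klist -k sample and its principal names are constructed, and treating DNS/<host> and dns-<host> as the only principals named needs is an assumption.

```shell
#!/bin/sh
# Added example: see which principals a keytab holds and whether the file
# is readable by users who should not have it.

# Constructed sample of `klist -k` output (MIT krb5 layout) for a keytab
# written by a full-domain export; the principal names are illustrative.
sample_klist_output() {
cat <<'EOF'
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc1.corp.grant@CORP.GRANT
   1 dns-dc1@CORP.GRANT
   1 krbtgt@CORP.GRANT
   1 Administrator@CORP.GRANT
   1 Administrator@CORP.GRANT
   1 DC1$@CORP.GRANT
EOF
}

# Reads `klist -k` output on stdin and prints each distinct principal that
# is not a DNS service principal (assumption: DNS/<host> and dns-<host>
# are the only ones named needs for GSS-TSIG updates).
unexpected_principals() {
  awk '
    $1 ~ /^[0-9]+$/ && NF >= 2 {
      p = $2
      if (index(p, "DNS/") == 1 || index(p, "dns-") == 1) next
      if (!(p in seen)) { seen[p] = 1; print p }
    }'
}

# Returns 0 when the file exists and is not world-readable, 1 otherwise.
# -L follows symlinks such as /etc/krb5.keytab -> .../private/dns.keytab.
keytab_mode_ok() {
  mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in
    *[4567]) return 1 ;;   # last octal digit has the read bit for "other"
    *) return 0 ;;
  esac
}

# On the server itself:
#   klist -k /usr/local/samba/private/dns.keytab | unexpected_principals
#   keytab_mode_ok /etc/krb5.keytab || echo "keytab is world-readable"
sample_klist_output | unexpected_principals
```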
Create a user for DNS bind (any password will do) and update DNS in samba4:
root@dc1:~# /usr/local/samba/bin/samba-tool user add dc1
New Password:
Retype Password:
User 'dc1' created successfully
root@dc1:~# /usr/local/samba/sbin/samba_upgradedns --verbose
Reading domain information
Looking up IPv4 addresses
IPv4 addresses: 192.168.10.220
Looking up IPv6 addresses
DNS accounts already exist
No zone file /usr/local/samba/private/dns/corp.grant.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS
Reboot the server:
root@dc1:~# reboot
Update the SPNs:
root@dc1:~# /usr/local/samba/sbin/samba_spnupdate --verbose
Existing SPNs: ['HOST/dc1.corp.grant', 'HOST/dc1.corp.grant/CORP', 'ldap/dc1.corp.grant/CORP', 'GC/dc1.corp.grant/corp.grant', 'ldap/dc1.corp.grant', 'HOST/dc1.corp.grant/corp.grant', 'ldap/dc1.corp.grant/corp.grant', 'HOST/DC1', 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/f4a44687-f6de-4ee6-8936-7f815577a8e2/corp.grant', 'ldap/f4a44687-f6de-4ee6-8936-7f815577a8e2._msdcs.corp.grant', 'ldap/DC1', 'RestrictedKrbHost/DC1', 'RestrictedKrbHost/dc1.corp.grant', 'ldap/dc1.corp.grant/DomainDnsZones.corp.grant', 'ldap/dc1.corp.grant/ForestDnsZones.corp.grant']
New SPNs: []
Nothing to add
Update DNS:
root@dc1:~# /usr/local/samba/sbin/samba_dnsupdate --verbose
IPs: ['fe80::20c:f1ff:fe99:85e2%eth0', '192.168.10.220']
Looking for DNS entry A corp.grant 192.168.10.220 as corp.grant.
Looking for DNS entry A dc1.corp.grant 192.168.10.220 as dc1.corp.grant.
Looking for DNS entry A gc._msdcs.corp.grant 192.168.10.220 as gc._msdcs.corp.grant.
Looking for DNS entry CNAME f4a44687-f6de-4ee6-8936-7f815577a8e2._msdcs.corp.grant dc1.corp.grant as f4a44687-f6de-4ee6-8936-7f815577a8e2._msdcs.corp.grant.
Looking for DNS entry SRV _kpasswd._tcp.corp.grant dc1.corp.grant 464 as _kpasswd._tcp.corp.grant.
Checking 0 100 464 dc1.corp.grant. against SRV _kpasswd._tcp.corp.grant dc1.corp.grant 464
Looking for DNS entry SRV _kpasswd._udp.corp.grant dc1.corp.grant 464 as _kpasswd._udp.corp.grant.
Checking 0 100 464 dc1.corp.grant. against SRV _kpasswd._udp.corp.grant dc1.corp.grant 464
Looking for DNS entry SRV _kerberos._tcp.bank.grant dc1.corp.grant 88 as _kerberos._tcp.corp.grant.
Checking 0 100 88 dc1.corp.grant. against SRV _kerberos._tcp.corp.grant dc1.corp.grant 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.corp.grant dc1.corp.grant 88 as _kerberos._tcp.dc._msdcs.corp.grant.
Checking 0 100 88 dc1.corp.grant. against SRV _kerberos._tcp.dc._msdcs.corp.grant dc1.corp.grant 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.corp.grant dc1.corp.grant 88 as _kerberos._tcp.default-first-site-name._sites.corp.grant.
Checking 0 100 88 dc1.corp.grant. against SRV _kerberos._tcp.default-first-site-name._sites.corp.grant dc1.corp.grant 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.corp.grant dc1.corp.grant 88 as _kerberos._tcp.default-first-site-name._sites.dc._msdcs.corp.grant.
Checking 0 100 88 dc1.corp.grant. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.corp.grant dc1.corp.grant 88
Looking for DNS entry SRV _kerberos._udp.corp.grant dc1.corp.grant 88 as _kerberos._udp.corp.grant.
Checking 0 100 88 dc1.corp.grant. against SRV _kerberos._udp.corp.grant dc1.corp.grant 88
Looking for DNS entry SRV _ldap._tcp.corp.grant dc1.corp.grant 389 as _ldap._tcp.corp.grant.
Checking 0 100 389 dc1.corp.grant. against SRV _ldap._tcp.corp.grant dc1.corp.grant 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.corp.grant dc1.corp.grant 389 as _ldap._tcp.dc._msdcs.corp.grant.
Checking 0 100 389 dc1.corp.grant. against SRV _ldap._tcp.dc._msdcs.corp.grant dc1.corp.grant 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.corp.grant dc1.corp.grant 3268 as _ldap._tcp.gc._msdcs.corp.grant.
Checking 0 100 3268 dc1.corp.grant. against SRV _ldap._tcp.gc._msdcs.corp.grant dc1.corp.grant 3268
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.corp.grant dc1.corp.grant 389 as _ldap._tcp.pdc._msdcs.corp.grant.
Checking 0 100 389 dc1.corp.grant. against SRV _ldap._tcp.pdc._msdcs.corp.grant dc1.corp.grant 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.corp.grant dc1.corp.grant 389 as _ldap._tcp.default-first-site-name._sites.corp.grant.
Checking 0 100 389 dc1.corp.grant. against SRV _ldap._tcp.default-first-site-name._sites.corp.grant dc1.corp.grant 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.corp.grant dc1.corp.grant 389 as _ldap._tcp.default-first-site-name._sites.dc._msdcs.corp.grant.
Checking 0 100 389 dc1.corp.grant. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.corp.grant dc1.corp.grant 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.corp.grant dc1.corp.grant 3268 as _ldap._tcp.default-first-site-name._sites.gc._msdcs.corp.grant.
Checking 0 100 3268 dc1.corp.grant. against SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.corp.grant dc1.corp.grant 3268
Looking for DNS entry SRV _ldap._tcp.aeb48857-f054-4e83-8113-ccef639c55ba.domains._msdcs.corp.grant dc1.corp.grant 389 as _ldap._tcp.aeb48857-f054-4e83-8113-ccef639c55ba.domains._msdcs.corp.grant.
Checking 0 100 389 dc1.corp.grant. against SRV _ldap._tcp.aeb48857-f054-4e83-8113-ccef639c55ba.domains._msdcs.corp.grant dc1.corp.grant 389
Looking for DNS entry SRV _gc._tcp.corp.grant dc1.corp.grant 3268 as _gc._tcp.corp.grant.
Checking 0 100 3268 dc1.corp.grant. against SRV _gc._tcp.corp.grant dc1.corp.grant 3268
Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.corp.grant dc1.corp.grant 3268 as _gc._tcp.default-first-site-name._sites.corp.grant.
Checking 0 100 3268 dc1.corp.grant. against SRV _gc._tcp.default-first-site-name._sites.bank.grant dc1.corp.grant 3268
No DNS updates needed
Check the state of the samba4 database:
root@dc1:~# /usr/local/samba/bin/samba-tool dbcheck
Checking 209 objects
Checked 209 objects (0 errors)