====== Installing Samba as a domain controller on an Ubuntu server ======
This is only a DRAFT
Sources:
* [[https://doc.ubuntu-fr.org/samba-active-directory]]
* [[https://www.server-world.info/en/note?os=Ubuntu_18.04&p=samba&f=4]] (very good)
* [[https://www.tecmint.com/install-samba4-active-directory-ubuntu/]]
* [[https://kgrall.wordpress.com/2018/01/24/controleur-de-domaine-samba4-active-directory/]]
* [[https://www-fourier.ujf-grenoble.fr/informatique/doku.php?id=samba4#d_configuration_des_profils_itinerants]]
===== Preamble =====
NOTE:
* The tests are done on a virtual machine.
* The OS version is Ubuntu Server 18.04
The machine's hostname must be different from the chosen domain name
===== Initial state =====
On a freshly installed Ubuntu Server 18.04.1 LTS running in a VM (Virtual Machine)
==== Hostname ====
thierry@bino:~$ hostnamectl
Static hostname: bino
Icon name: computer-vm
Chassis: vm
Machine ID: c1ebde3e4ad0405c9e1f04ea0a5fbc7a
Boot ID: b6dfd8b5079c4fc38abc0e3a0fd03262
Virtualization: kvm
Operating System: Ubuntu 18.04.1 LTS
Kernel: Linux 4.15.0-38-generic
Architecture: x86-64
So we can see that our hostname is ''bino''.
Resources => Changing a hostname:
* [[https://linuxize.com/post/how-to-change-hostname-on-ubuntu-18-04/]]
* [[https://www.tecmint.com/set-hostname-permanently-in-linux/]]
==== Hosts file ====
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Nothing special to note: only ''localhost'' is defined
==== Network configuration ====
Apparently, Ubuntu 18 uses [[linux:service:netplan|cloud-init]] to manage the network...
The file name may be different from ''50-cloud-init.yml''
''config.yaml'' for example
  # This file is generated from information provided by
  # the datasource. Changes to it will not persist across an instance.
  # To disable cloud-init's network configuration capabilities, write a file
  # /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
  # network: {config: disabled}
  network:
      ethernets:
          ens18:
              addresses:
              - 192.168.1.104/24
              dhcp4: false
              gateway4: 192.168.1.1
              nameservers:
                  addresses:
                  - 192.168.1.1
                  search: []
      version: 2
Resources => [[linux:service:netplan|Netplan and Cloud-Init]]
Fortunately [[linux:commandes:ifconfig|ifconfig]] still works.
thierry@bino:/$ ifconfig
ens18: flags=4163 mtu 1500
inet 192.168.1.104 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::fc63:4cff:fea8:faaa prefixlen 64 scopeid 0x20
inet6 fd00::1:fc63:4cff:fea8:faaa prefixlen 64 scopeid 0x0
ether fe:63:4c:a8:fa:aa txqueuelen 1000 (Ethernet)
RX packets 1558 bytes 218058 (218.0 KB)
RX errors 0 dropped 28 overruns 0 frame 0
TX packets 467 bytes 60070 (60.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 113 bytes 8184 (8.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 113 bytes 8184 (8.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
We can see that we are using a static IP address (dhcp4: false)
our IP address is **192.168.1.104**
The gateway and the [[:dns]] are our national LiveBox **192.168.1.1**
==== DNS ====
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
So, apparently, there is a [[:dns]] on the local address 127.0.0.53?
Let's test with [[linux:commandes:dig]]
thierry@bino:/$ dig google.fr
; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> google.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10978
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;google.fr. IN A
;; ANSWER SECTION:
google.fr. 219 IN A 216.58.213.131
;; Query time: 59 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Oct 26 09:47:45 UTC 2018
;; MSG SIZE rcvd: 54
It seems to work: it is indeed the [[:dns]] server 127.0.0.53:53 that answers...
===== Preparation =====
==== Information for the configuration ====
^Hostname|bino|
^Host IP address|192.168.1.104/24|
^Gateway IP address|192.168.1.1|
^DNS IP address|192.168.1.1|
^Domain name (Realm)|BINOVA.LAN|
^Domain administrator password|....... (min 8 characters, with upper case, lower case and digit)|
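The rules this page gives for these values (realm in upper case, domain name different from the hostname, administrator password of at least 8 characters with upper case, lower case and a digit) can be checked before provisioning. This is an added example, not part of the original page: the function name ''check_provision_inputs'', its messages and the 15-character NetBIOS length check are additions made here, and the password is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check of the answers
# to give to `samba-tool domain provision`, using the rules stated on this page.

# Usage: check_provision_inputs HOSTNAME REALM PASSWORD
# Prints one line per problem and nothing when every rule passes.
check_provision_inputs() (
    host=$1 realm=$2 password=$3
    # The provision prompt proposes the first label of the realm as the
    # NetBIOS domain (BINOVA for BINOVA.LAN).
    domain=${realm%%.*}
    upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

    [ "$realm" = "$(upper "$realm")" ] || echo "realm is not in upper case"
    [ "$(upper "$host")" != "$(upper "$domain")" ] ||
        echo "hostname is identical to the domain name"
    # NetBIOS names are limited to 15 characters (check added here).
    [ "${#domain}" -le 15 ] || echo "domain name is longer than 15 characters"

    # Password rule as given on this page: 8+ characters with upper case,
    # lower case and a digit. The password is fed to grep on stdin.
    [ "${#password}" -ge 8 ] || echo "password is shorter than 8 characters"
    for class in upper lower digit; do
        printf '%s' "$password" | grep -q "[[:$class:]]" ||
            echo "password has no $class character"
    done
)

# Values from the table above, with a constructed password: prints nothing.
check_provision_inputs bino BINOVA.LAN 'Example-Passw0rd'
```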
==== ACLs and extended attributes ====
>[[linux:fichiers:acl_attrs|Install and test ACLs and extended attributes]]
==== Time synchronisation over the network ====
Time synchronisation is essential for LDAP, probably for database replication between the PDC (Primary Domain Controller) and the BDC (Backup Domain Controller) (...todo: to be verified)
On Ubuntu 18+ synchronisation apparently happens automatically; it can be checked with [[:timedatectl]]:
thierry@bino:~$ sudo timedatectl
[sudo] password for thierry:
Local time: ven. 2018-10-26 11:15:24 UTC
Universal time: ven. 2018-10-26 11:15:24 UTC
RTC time: ven. 2018-10-26 11:15:25
Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
systemd-timesyncd.service active: yes
RTC in local TZ: no
I think ''System clock synchronized: yes'' and ''systemd-timesyncd.service active: yes'' mean that everything is working fine...
If it does not work, or if you need to install the NTP service => [[linux:service:ntp|Install and test NTP]]
===== Installation =====
sudo apt -y install samba krb5-config winbind smbclient krb5-user dnsutils
''smbclient'' ''krb5-user'' ''dnsutils'' will be useful for the tests
{{::capture2610181403.jpg}}
Enter the name of the "realm", here BINOVA.LAN in UPPER CASE (and not BINOVA.COM as shown in the image, because that domain already exists...)
{{:linux:service:samba:binovalan5.jpg?nolink|}}
{{:linux:service:samba:binovalan6.jpg?nolink|}}
During installation the following message appears: the samba-ad-dc service is masked, why???
.....
Adding group `sambashare' (GID 115) ...
Done.
Samba is not being run as an AD Domain Controller, masking samba-ad-dc.service.
Please ignore the following error about deb-systemd-helper not finding samba-ad-dc.service.
Created symlink /etc/systemd/system/multi-user.target.wants/nmbd.service → /lib/systemd/system/nmbd.service.
Failed to preset unit: Unit file /etc/systemd/system/samba-ad-dc.service is masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on samba-ad-dc.service: No such file or directory
Created symlink /etc/systemd/system/multi-user.target.wants/smbd.service → /lib/systemd/system/smbd.service.
....
===== Configuration =====
==== Stop and disable the services ====
Stop and disable the Samba services with the commands:
* ''sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service''
* ''sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service''
thierry@bino:~$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
thierry@bino:~$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
Synchronizing state of samba-ad-dc.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable samba-ad-dc
Synchronizing state of smbd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable smbd
Synchronizing state of nmbd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable nmbd
Synchronizing state of winbind.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable winbind
Unit /etc/systemd/system/samba-ad-dc.service is masked, ignoring.
==== Remove smb.conf ====
We rename the Samba configuration file. If this step is forgotten, the next command (''samba-tool domain provision'') will fail with an error
thierry@bino:~$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
==== Provision the domain (samba-tool domain provision) ====
The domain name must be **different from the hostname**
That is why the example uses BINOVASAS instead of BINOVA... The **Administrator password must be complex**, otherwise -> error
That is, at least 8 characters including upper case, lower case and digits
thierry@bino:~$ sudo samba-tool domain provision --use-rfc2307 --interactive
Realm: BINOVA.LAN
Domain [BINOVA]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [127.0.0.53]: 192.168.1.1
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=binova,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=binova,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba AD server will be ready to use
Server Role: active directory domain controller
Hostname: bino
NetBIOS Domain: BINOVA
DNS Domain: binova.lan
DOMAIN SID: S-1-5-21-3406771442-4184896349-3643982972
This creates a new ''smb.conf'':
# Global parameters
[global]
dns forwarder = 192.168.1.1
netbios name = BINO
realm = BINOVA.LAN
server role = active directory domain controller
workgroup = BINOVA
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/binova.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
==== Modifying krb5.conf for Kerberos ====
thierry@bino:~$ sudo mv /etc/krb5.conf /etc/krb5.conf.bak
thierry@bino:~$ sudo ln -s /var/lib/samba/private/krb5.conf /etc/
thierry@bino:~$ ls -l /etc/krb5.conf
lrwxrwxrwx 1 root root 32 oct. 26 12:46 /etc/krb5.conf -> /var/lib/samba/private/krb5.conf
==== Modifying resolv.conf ====
Manual modification of resolv.conf
We delete resolv.conf and create a new one
(I do not know whether this is the best solution... to be discussed)
thierry@bino:~$ ll /etc/resolv.conf
lrwxrwxrwx 1 root root 39 juil. 25 22:59 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
thierry@bino:~$ sudo rm /etc/resolv.conf
thierry@bino:~$ sudo nano /etc/resolv.conf
thierry@bino:~$ cat /etc/resolv.conf
domain binova.lan
nameserver 127.0.0.1
At this point neither [[linux:commandes:nslookup]] nor [[linux:commandes:dig]] can resolve an Internet address.
This is expected, because the DNS on 127.0.0.1 is not running yet.
==== Start the service ====
With the commands:
* ''sudo systemctl unmask samba-ad-dc.service'' -> Removes the mask from the service if it is masked.
* ''sudo systemctl start samba-ad-dc.service'' -> Starts the service
* ''sudo systemctl status samba-ad-dc.service'' -> Shows whether the service started correctly
* ''sudo systemctl enable samba-ad-dc.service'' -> Enables the service
thierry@bino:~$ sudo systemctl unmask samba-ad-dc.service
Removed /etc/systemd/system/samba-ad-dc.service.
thierry@bino:~$ sudo systemctl start samba-ad-dc.service
thierry@bino:~$ sudo systemctl status samba-ad-dc.service
● samba-ad-dc.service - Samba AD Daemon
Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; disabled; vendor preset: en
Active: active (running) since Fri 2018-10-26 13:05:48 UTC; 15s ago
Docs: man:samba(8)
man:samba(7)
man:smb.conf(5)
Main PID: 3785 (samba)
Status: "smbd: ready to serve connections..."
Tasks: 22 (limit: 2320)
CGroup: /system.slice/samba-ad-dc.service
├─3785 /usr/sbin/samba --foreground --no-process-group
├─3798 /usr/sbin/samba --foreground --no-process-group
├─3800 /usr/sbin/samba --foreground --no-process-group
├─3803 /usr/sbin/samba --foreground --no-process-group
├─3804 /usr/sbin/samba --foreground --no-process-group
├─3805 /usr/sbin/samba --foreground --no-process-group
├─3806 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─3808 /usr/sbin/samba --foreground --no-process-group
├─3809 /usr/sbin/samba --foreground --no-process-group
├─3810 /usr/sbin/samba --foreground --no-process-group
├─3811 /usr/sbin/samba --foreground --no-process-group
├─3812 /usr/sbin/samba --foreground --no-process-group
├─3813 /usr/sbin/samba --foreground --no-process-group
thierry@bino:~$ sudo systemctl enable samba-ad-dc.service
Synchronizing state of samba-ad-dc.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable samba-ad-dc
=== Errors encountered ===
* ERROR: [[##failed_to_listen_on_000053_-_nt_status_address_already_associat|Failed to listen on 0.0.0.0:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIAT]]
===== Tests =====
==== SMBClient ====
thierry@bino:~$ smbclient -L localhost -U%
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP C3PO
thierry@bino:~$ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter BINOVA\Administrator's password:
. D 0 Fri Oct 26 14:12:29 2018
.. D 0 Fri Oct 26 14:12:36 2018
65790508 blocks of size 1024. 57685256 blocks available
=== View the processes used by Samba ===
thierry@bino:~$ sudo samba-tool processes
Service: PID
-----------------------------
dnsupdate 3316
cldap_server 3308
rpc_server 3301
rpc_server 3301
rpc_server 3301
rpc_server 3301
rpc_server 12708
rpc_server 12709
rpc_server 3301
rpc_server 3301
rpc_server 3301
rpc_server 3301
rpc_server 3301
rpc_server 3301
rpc_server 3301
rpc_server 3301
nbt_server 3304
winbind_server 3315
kdc_server 3309
notify-daemon 3326
ldap_server 3307
ldap_server 15054
ldap_server 15072
kccsrv 3314
samba 0
dreplsrv 3310
dnssrv 3317
==== DNS test ====
thierry@bino:~$ host -t SRV _ldap._tcp.binova.lan
_ldap._tcp.binova.lan has SRV record 0 100 389 bino.binova.lan.
thierry@bino:~$ host -t SRV _kerberos._udp.binova.lan
_kerberos._udp.binova.lan has SRV record 0 100 88 bino.binova.lan.
thierry@bino:~$ host -t A bino.binova.lan
bino.binova.lan has address 192.168.1.104
With [[:dig]] (because I like [[:dig]])
thierry@bino:~$ dig bino.binova.lan
; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> bino.binova.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46141
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;bino.binova.lan. IN A
;; ANSWER SECTION:
bino.binova.lan. 900 IN A 192.168.1.104
;; AUTHORITY SECTION:
binova.lan. 3600 IN SOA bino.binova.lan. hostmaster.binova.lan. 1 900 600 86400 3600
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 26 15:36:05 UTC 2018
;; MSG SIZE rcvd: 96
==== Kerberos ====
=== krb5.conf ===
Let's check the [[linux:service:kerberos|Kerberos]] configuration file
thierry@bino:~$ cat /etc/krb5.conf
[libdefaults]
default_realm = BINOVA.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
=== Login test ===
With [[linux:commandes:kinit]]
thierry@bino:~$ kinit administrator@BINOVA.LAN
Password for administrator@BINOVA.LAN:
Warning: Your password will expire in 41 days on ven. 07 déc. 2018 15:15:00 UTC
To disable password expiry, use
thierry@bino:~$ sudo samba-tool user setexpiry administrator --noexpiry
Expiry for user 'administrator' disabled.
Check with another ''kinit administrator@BINOVA.LAN''
===== What next... =====
*[[windows:domaine:se_connecter|Joining a Windows workstation to the domain]]
*[[linux:service:samba:admin_samba4_depuis_windows|Remote administration of the Samba4 PDC]]
*[[linux:service:samba:partage_de_fichiers_avec_samba|Setting up file sharing]]
===== Errors =====
==== Unit samba-ad-dc.service is masked ====
thierry@binova:~$ sudo systemctl start samba-ad-dc.service
Failed to start samba-ad-dc.service: Unit samba-ad-dc.service is masked.
thierry@binova:~$ sudo systemctl unmask samba-ad-dc
Removed /etc/systemd/system/samba-ad-dc.service.
thierry@binova:~$ sudo systemctl enable samba-ad-dc
Synchronizing state of samba-ad-dc.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable samba-ad-dc
thierry@binova:~$ sudo systemctl restart samba-ad-dc
==== Failed to listen on 0.0.0.0:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIAT ====
=== The error ===
When the service is started, this error appears:
thierry@binova-srv:~$ sudo systemctl status samba-ad-dc.service
● samba-ad-dc.service - Samba AD Daemon
Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; disabled; vendor preset: enabled)
Active: active (running) since Sat 2018-11-03 18:34:54 CET; 8s ago
Docs: man:samba(8)
man:samba(7)
man:smb.conf(5)
Main PID: 11506 (samba)
Status: "smbd: ready to serve connections..."
Tasks: 24 (limit: 3820)
CGroup: /system.slice/samba-ad-dc.service
├─11506 /usr/sbin/samba --foreground --no-process-group
├─11526 /usr/sbin/samba --foreground --no-process-group
├─11529 /usr/sbin/samba --foreground --no-process-group
├─11530 /usr/sbin/samba --foreground --no-process-group
├─11531 /usr/sbin/samba --foreground --no-process-group
├─11533 /usr/sbin/samba --foreground --no-process-group
├─11534 /usr/sbin/samba --foreground --no-process-group
├─11535 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─11536 /usr/sbin/samba --foreground --no-process-group
├─11537 /usr/sbin/samba --foreground --no-process-group
├─11538 /usr/sbin/samba --foreground --no-process-group
├─11539 /usr/sbin/samba --foreground --no-process-group
├─11540 /usr/sbin/samba --foreground --no-process-group
├─11541 /usr/sbin/samba --foreground --no-process-group
├─11542 /usr/sbin/samba --foreground --no-process-group
├─11543 /usr/sbin/samba --foreground --no-process-group
├─11544 /usr/sbin/samba --foreground --no-process-group
├─11545 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─11548 /usr/sbin/samba --foreground --no-process-group
├─11549 /usr/bin/python2.7 /usr/sbin/samba_dnsupdate
├─11554 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─11555 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─11557 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
└─11559 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
nov. 03 18:34:53 binova-srv samba[11544]: Failed to listen on 0.0.0.0:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIAT
nov. 03 18:34:53 binova-srv samba[11544]: [2018/11/03 18:34:53.275324, 0] ../source4/dns_server/dns_server.c:6
nov. 03 18:34:53 binova-srv samba[11544]: Failed to bind to 0.0.0.0:53 TCP - NT_STATUS_ADDRESS_ALREADY_ASSOCI
This means that port 53 is already in use!!!
=== Diagnosis ===
Let's look at what is using this port with **[[linux:commandes:netstat]] -lnp | [[linux:commandes:grep]] :53**
thierry@binova-srv:~$ sudo netstat -lnp | grep :53
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 1870/systemd-resolv
tcp6 0 0 :::53 :::* LISTEN 1243/samba
udp 0 0 127.0.0.53:53 0.0.0.0:* 1870/systemd-resolv
udp6 0 0 :::53 :::* 1243/samba
We can see that a ''systemd-resolv'' is present here, whereas it is not present on a setup that is already working...
thierry@bino:~$ sudo netstat -nlp | grep :53
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 3317/samba
tcp6 0 0 :::53 :::* LISTEN 3317/samba
udp 43776 0 0.0.0.0:53 0.0.0.0:* 3317/samba
udp6 2304 0 :::53 :::* 3317/samba
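The diagnosis above, as an added example that is not part of the original page: a filter that reads ''netstat -lnp'' output and reports whether anything other than Samba holds port 53, and whether Samba actually got the IPv4 wildcard address. The function names and verdict strings are assumptions of this example; the sample input is copied from the two outputs shown above.

```shell
#!/bin/sh
# Added example (not from the original page): classify port 53 listeners.

# Sample input copied from the two netstat outputs shown on this page.
SAMPLE_CONFLICT='tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 1870/systemd-resolv
tcp6 0 0 :::53 :::* LISTEN 1243/samba
udp 0 0 127.0.0.53:53 0.0.0.0:* 1870/systemd-resolv
udp6 0 0 :::53 :::* 1243/samba'
SAMPLE_WORKING='tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 3317/samba
tcp6 0 0 :::53 :::* LISTEN 3317/samba
udp 43776 0 0.0.0.0:53 0.0.0.0:* 3317/samba
udp6 2304 0 :::53 :::* 3317/samba'

# stdin: `netstat -lnp` lines. stdout: "proto local_address program" for each
# socket bound to port 53 exactly (":5353" does not match, unlike `grep :53`).
port53_listeners() {
    awk '$4 ~ /:53$/ {
        prog = $NF
        sub(/^[0-9]+\//, "", prog)   # strip the "PID/" prefix
        print $1, $4, prog
    }'
}

# stdin: `netstat -lnp` lines. stdout: one verdict line:
#   conflict:<programs>  another program is bound to port 53
#   samba-not-on-ipv4    Samba is alone but lacks 0.0.0.0:53 (restart it)
#   ok                   Samba holds 0.0.0.0:53 for both TCP and UDP
port53_verdict() {
    port53_listeners | awk '
        $3 != "samba" && !($3 in other) {
            other[$3] = 1
            names = names sep $3
            sep = ","
        }
        $3 == "samba" && $2 == "0.0.0.0:53" { v4[$1] = 1 }
        END {
            if (names != "")
                print "conflict:" names
            else if (("tcp" in v4) && ("udp" in v4))
                print "ok"
            else
                print "samba-not-on-ipv4"
        }'
}

# Demo on the two samples. Live use (root is needed to see program names):
#   sudo netstat -lnp | port53_verdict
printf '%s\n' "$SAMPLE_CONFLICT" | port53_verdict
printf '%s\n' "$SAMPLE_WORKING" | port53_verdict
```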
=== Resolution ===
We remove systemd-resolved
Source: [[https://askubuntu.com/questions/907246/how-to-disable-systemd-resolved-in-ubuntu]]
# Disable the service
thierry@binova-srv:~$ sudo systemctl disable systemd-resolved.service
Removed /etc/systemd/system/multi-user.target.wants/systemd-resolved.service.
Removed /etc/systemd/system/dbus-org.freedesktop.resolve1.service.
# Stop the service
thierry@binova-srv:~$ sudo systemctl stop systemd-resolved
# Check...
thierry@binova-srv:~$ sudo netstat -lnp | grep :53
tcp6 0 0 :::53 :::* LISTEN 1243/samba
udp6 0 0 :::53 :::* 1243/samba
So the problem has gone; let's restart the Samba service to see whether it works...
thierry@bino:~$ sudo systemctl restart samba-ad-dc.service
=== Checks ===
thierry@bino:~$ sudo systemctl status samba-ad-dc.service
● samba-ad-dc.service - Samba AD Daemon
Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2018-11-03 18:14:04 UTC; 10s ago
Docs: man:samba(8)
man:samba(7)
man:smb.conf(5)
Main PID: 28122 (samba)
Status: "smbd: ready to serve connections..."
Tasks: 24 (limit: 2320)
CGroup: /system.slice/samba-ad-dc.service
├─28122 /usr/sbin/samba --foreground --no-process-group
├─28143 /usr/sbin/samba --foreground --no-process-group
├─28144 /usr/sbin/samba --foreground --no-process-group
├─28145 /usr/sbin/samba --foreground --no-process-group
├─28146 /usr/sbin/samba --foreground --no-process-group
├─28147 /usr/sbin/samba --foreground --no-process-group
├─28148 /usr/sbin/samba --foreground --no-process-group
├─28150 /usr/sbin/samba --foreground --no-process-group
├─28151 /usr/sbin/samba --foreground --no-process-group
├─28153 /usr/sbin/samba --foreground --no-process-group
├─28154 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─28155 /usr/sbin/samba --foreground --no-process-group
├─28156 /usr/sbin/samba --foreground --no-process-group
├─28157 /usr/sbin/samba --foreground --no-process-group
├─28158 /usr/sbin/samba --foreground --no-process-group
├─28159 /usr/sbin/samba --foreground --no-process-group
├─28160 /usr/sbin/samba --foreground --no-process-group
├─28161 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─28169 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─28170 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─28171 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─28173 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─28175 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
└─28176 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
nov. 03 18:14:01 bino samba[28122]: Copyright Andrew Tridgell and the Samba Team 1992-2017
nov. 03 18:14:02 bino samba[28122]: [2018/11/03 18:14:02.198210, 0] ../source4/smbd/server.c:620(binary_smbd_main)
nov. 03 18:14:02 bino samba[28122]: samba: using 'standard' process model
nov. 03 18:14:03 bino winbindd[28161]: [2018/11/03 18:14:03.032310, 0] ../source3/winbindd/winbindd_cache.c:3170(initialize_w
nov. 03 18:14:03 bino winbindd[28161]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
nov. 03 18:14:04 bino systemd[1]: Started Samba AD Daemon.
nov. 03 18:14:05 bino winbindd[28161]: [2018/11/03 18:14:04.923125, 0] ../lib/util/become_daemon.c:124(daemon_ready)
nov. 03 18:14:05 bino winbindd[28161]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
nov. 03 18:14:09 bino smbd[28154]: [2018/11/03 18:14:09.556902, 0] ../lib/util/become_daemon.c:124(daemon_ready)
nov. 03 18:14:09 bino smbd[28154]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
We check with [[linux:commandes:netstat|NetStat]]
thierry@bino:~$ sudo netstat -nlp | grep :53
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 28159/samba
tcp6 0 0 :::53 :::* LISTEN 28159/samba
udp 36864 0 0.0.0.0:53 0.0.0.0:* 28159/samba
udp6 0 0 :::53 :::* 28159/samba
And we check name resolution with [[linux:commandes:nslookup|NSLookup]]
thierry@binova-srv:~$ nslookup google.fr
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.fr
Address: 216.58.206.227
Our DNS server is indeed **127.0.0.1#53**
===== See also =====
* [[linux:service:kerberos|Kerberos service]]