Контроллер домена на Debian

Товарищи, прошу, пожалуйста помощи.

В общем хочу поднять (в тестовом режиме, но тем не менее) на Debian 8.6 AD.
В качестве инструкции выбрал пример из Ubuntu

http://help.ubuntu.ru/wiki/samba4_as_dc_14.04

Т.е.

1. Успешно установил пакеты:
apt-get install samba acl krb5-user ntp cups bind9 smbclient

2. Выполнил команду:
samba-tool domain provision --use-rfc2307 --interactive
Имеем:

Открыть содержимое (спойлер)

root@1:~# samba-tool domain provision --use-rfc2307 --interactive
Realm: debian.local
Domain [debian]: debian
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=debian,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=debian,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: 1
NetBIOS Domain: DEBIAN
DNS Domain: debian.local
DOMAIN SID: S-1-5-21-543193289-1601867468-1038541806

[свернуть]

3. Настройка BIND9
Привожу файл
/etc/bind/named.conf.options
К такому виду:

Открыть содержимое (спойлер)

options {
directory "/var/cache/bind";
auth-nxdomain yes;
forwarders { 192.168.100.4; };
allow-transfer { none; };
notify no;
empty-zones-enable no;

allow-query {
192.168.100.0/24;
127.0.0.0/8;
};

allow-recursion {
192.168.100.0/24;
127.0.0.0/8;
};

allow-update {
192.168.100.0/24;
127.0.0.0/8;
};
};
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

[свернуть]

*192.168.100.4 - это локальный адрес машины на которой поднимаю AD

4. Файл
/var/lib/samba/private/named.conf
Имеет следующий конфиг:

Открыть содержимое (спойлер)

# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
# For BIND 9.8.0
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

# For BIND 9.9.0
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};

[свернуть]

5. Файл
/etc/apparmor.d/usr.sbin.named
Имеет следующий конфиг:

Открыть содержимое (спойлер)

# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named {
#include <abstractions/base>
#include <abstractions/nameservice>

capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,

# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,

# gssapi
/etc/krb5.keytab kr,
/etc/bind/krb5.keytab kr,

# ssl
/etc/ssl/openssl.cnf r,

# GeoIP data files for GeoIP ACLs
/usr/share/GeoIP/** r,
# dnscvsutil package
/var/lib/dnscvsutil/compiled/** rw,

/proc/net/if_inet6 r,
/proc/*/net/if_inet6 r,
/usr/sbin/named mr,
/{,var/}run/named/named.pid w,
/{,var/}run/named/session.key w,
# support for resolvconf
/{,var/}run/named/named.options r,

# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
/var/log/named/** rw,
/var/log/named/ rw,

# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.named>
# for samba4
#/var/lib/samba/private/** r,
/usr/lib/x86_64-linux-gnu/samba/bind9/** m,
/usr/lib/x86_64-linux-gnu/samba/ldb/** m,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,
/usr/lib/x86_64-linux-gnu/samba/gensec/krb5.so m,
/var/lib/samba/private/dns.keytab rwk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/var/lib/samba/private/krb5.conf r,
/var/tmp/** rwk,
/dev/urandom rwk,

}

[свернуть]

6. Перезапускаю службу:
service bind9 restart
Вроде бы никаких ошибок нет.

Открыть содержимое (спойлер)

root@1:~# service bind9 restart
root@1:~#

[свернуть]

7. Перезапускаю службу:
service apparmor restart
И тут начинается первая непонятка:

Открыть содержимое (спойлер)

root@1:~# service apparmor restart
Job for apparmor.service failed. See 'systemctl status apparmor.service' and 'journalctl -xn' for details.
root@1:~#

[свернуть]

systemctl status apparmor.service

Открыть содержимое (спойлер)

root@1:~# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
Loaded: loaded (/etc/init.d/apparmor)
Active: failed (Result: exit-code) since Сб 2016-12-10 20:03:25 +07; 1min 1s ago
Process: 2624 ExecStart=/etc/init.d/apparmor start (code=exited, status=1/FAILURE)

дек 10 20:03:25 1 apparmor[2624]: Starting AppArmor profiles:AppArmor no.....
дек 10 20:03:25 1 apparmor[2624]: failed!
дек 10 20:03:25 1 systemd[1]: apparmor.service: control process exited, ...=1
дек 10 20:03:25 1 systemd[1]: Failed to start LSB: AppArmor initialization.
дек 10 20:03:25 1 systemd[1]: Unit apparmor.service entered failed state.
Hint: Some lines were ellipsized, use -l to show in full.
root@1:~#

[свернуть]

journalctl -xn

Открыть содержимое (спойлер)

root@1:~# journalctl -xn
-- Logs begin at Сб 2016-12-10 15:51:50 +07, end at Сб 2016-12-10 20:03:25 +07.
дек 10 20:01:58 1 systemd[1]: bind9.service: main process exited, code=exited, s
дек 10 20:01:58 1 rndc[2614]: rndc: connect failed: 127.0.0.1#953: connection re
дек 10 20:01:58 1 systemd[1]: bind9.service: control process exited, code=exited
дек 10 20:01:58 1 systemd[1]: Unit bind9.service entered failed state.
дек 10 20:03:25 1 systemd[1]: Starting LSB: AppArmor initialization...
-- Subject: Начинается запуск юнита apparmor.service
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Начат процесс запуска юнита apparmor.service.
дек 10 20:03:25 1 apparmor[2624]: Starting AppArmor profiles:AppArmor not availa
дек 10 20:03:25 1 apparmor[2624]: failed!
дек 10 20:03:25 1 systemd[1]: apparmor.service: control process exited, code=exi
дек 10 20:03:25 1 systemd[1]: Failed to start LSB: AppArmor initialization.
-- Subject: Ошибка юнита apparmor.service
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Произошел сбой юнита apparmor.service.
--
-- Результат: failed.
дек 10 20:03:25 1 systemd[1]: Unit apparmor.service entered failed state.

[свернуть]

7. Но продолжаем:
Запускаем samba4:
service samba-ad-dc start

Открыть содержимое (спойлер)

root@1:~# service samba-ad-dc start
root@1:~#

[свернуть]

8. Содержание файла:
/etc/resolv.conf

Открыть содержимое (спойлер)

nameserver 192.168.100.4

[свернуть]

9. Первый же тест выдает ошибку:
smbclient -L localhost -U%

Открыть содержимое (спойлер)

root@1:~# smbclient -L localhost -U%
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
root@1:~#

[свернуть]

Русскоязычное сообщество Debian GNU/Linux

Контроллер домена на Debian

Salder

Hemul

Salder

ogost

Salder

endru

Salder

iwan12iwan