This tutorial shows how to set up a fully functional Active Directory using Samba4. It also sets up a redundant system with two servers so that one may fail or reboot without losing directory access. This setup has become my main authentication setup for my NAS servers and file shares. It also enables me to make changes to the access rights on FreeNAS and other servers at one central location.

Plan your setup

Before you continue, you should plan your installation and answer the questions below.

Parameter / Information    Value                                          Comment
Kerberos Realm             LAB.EXAMPLE.COM                                Usually your local domain name in capital letters
DC / Kerberos Servers      labdc1 (192.168.99.2), labdc2 (192.168.99.3)   One or more servers that serve the DC role
Forwarding DNS Server      192.168.99.1                                   Your router or ISP-assigned DNS; here it is the lab gateway
Administrator Password     XXXXXX                                         Choose a strong password or the provision will fail!
User for installation      root                                           This howto assumes all commands are run as root

Also check out the following wiki pages of the Samba project:

Minimal Debian 9 installation

First we set up a minimal Debian installation on both servers. We select only the SSH server and basic system tools; no other application is needed at this stage.

Tools installation

I just install some utils I normally use.

/usr/bin/apt-get -y install mc unzip zip htop iotop curl nano

Network interface configuration

Next, make sure that your network configuration is correct and uses the static IP address you received.

auto ens18
iface ens18 inet static
        address 192.168.99.2 # or 3 for labdc2
        netmask 255.255.255.0
        gateway 192.168.99.1
        broadcast 192.168.99.255
        network 192.168.99.0

hosts configuration

We ensure the hosts file is accurate and contains the two dc servers.

nano /etc/hosts

We add the two servers with their defined IP addresses.

192.168.99.2    labdc1.lab.example.com     labdc1
192.168.99.3    labdc2.lab.example.com     labdc2

Installation of the Samba Server

Now it is time to install the service on both servers. During installation you will be prompted for the Kerberos realm and the server names.

Applications

apt install samba attr winbind krb5-config krb5-user smbclient libpam-winbind libnss-winbind libpam-krb5

Config / daemon preparation

After the installation, we rename the generated smb.conf and krb5.conf files to keep the original ones. They will be regenerated during configuration.

mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
mv /etc/krb5.conf /etc/krb5.conf.orig

Next we ensure that no Samba service is currently running, and we disable nmbd and smbd, as they are not allowed to run standalone on a DC. Instead of nmbd and smbd, we unmask and enable samba-ad-dc.service. Winbind is stopped and disabled as well.

systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind

systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind

systemctl unmask samba-ad-dc.service
systemctl enable samba-ad-dc.service
systemctl stop samba-ad-dc.service

Provisioning labdc1

samba-tool domain provision --use-rfc2307 --interactive
Realm [LAB.EXAMPLE.COM]:
 Domain [LAB]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.99.1]:
Administrator password:
Retype password:

When the provision process has finished, you should see something like the lines below.

A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              labdc1
NetBIOS Domain:        LAB
DNS Domain:            lab.example.com
DOMAIN SID:            S-1-5-21-??????????-?????????-??????????

Next, we need to configure the DNS resolver to point to our Samba DNS servers and check that the domain is set correctly.

nano /etc/resolv.conf
domain lab.example.com
nameserver 192.168.99.2
nameserver 192.168.99.3

Next we link the new Kerberos config file to its location in /etc. After linking the Kerberos config, we reboot the server and make sure everything starts as expected and no service fails.

ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
reboot

Now it is time to verify the DNS and Samba setup on the system. There should be SRV entries for LDAP and Kerberos pointing at the DC that you just set up.

samba-tool domain level show
> Domain and forest function level for domain 'DC=lab,DC=example,DC=com'
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2

smbclient -L localhost -U%
> Domain=[LAB] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
>   Sharename       Type      Comment
>   ---------       ----      -------
>   netlogon        Disk
>   sysvol          Disk
>   IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
> Domain=[LAB] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
>   Server               Comment
>   ---------            -------
>
>   Workgroup            Master
>   ---------            -------
>   WORKGROUP            LABDC1

host -t SRV _ldap._tcp.lab.example.com.
> _ldap._tcp.lab.example.com has SRV record 0 100 389 labdc1.lab.example.com.

host -t SRV _kerberos._udp.lab.example.com.
> _kerberos._udp.lab.example.com has SRV record 0 100 88 labdc1.lab.example.com.

host -t A labdc1.lab.example.com.
> labdc1.lab.example.com has address 192.168.99.2

kinit administrator
> Password for administrator@LAB.EXAMPLE.COM:
> Warning: Your password will expire in 41 days on Tue 29 Jan 2019 09:54:01 PM CET

klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@LAB.EXAMPLE.COM

> Valid starting       Expires              Service principal
> 12/18/2018 22:53:13  12/19/2018 08:53:13  krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
>     renew until 12/19/2018 22:52:58

Join labdc2 as domain controller

Now that the first DC is working, we have to provision the second one and join it to the existing directory. This is quite simple compared to the first DC setup. If you set up both servers with all the required packages, only two steps are needed.

join the domain

samba-tool domain join lab.example.com DC -U"LAB\administrator" --dns-backend=SAMBA_INTERNAL

Finding a writeable DC for domain 'lab.example.com'
Found DC labdc1.lab.example.com
Password for [LAB\administrator]:
workgroup is LAB
realm is lab.example.com
Adding CN=LABDC2,OU=Domain Controllers,DC=lab,DC=example,DC=com
Adding CN=LABDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=example,DC=com
Adding CN=NTDS Settings,CN=LABDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=example,DC=com
Adding SPNs to CN=LABDC2,OU=Domain Controllers,DC=lab,DC=example,DC=com
Setting account password for LABDC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=lab,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=lab,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=lab,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=lab,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=lab,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=lab,DC=example,DC=com] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=lab,DC=example,DC=com] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=lab,DC=example,DC=com] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=lab,DC=example,DC=com] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=lab,DC=example,DC=com] objects[1614/1614] linked_values[30/0]
Replicating critical objects from the base DN of the domain
Partition[DC=lab,DC=example,DC=com] objects[97/97] linked_values[23/0]
Partition[DC=lab,DC=example,DC=com] objects[361/264] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=lab,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=lab,DC=example,DC=com] objects[40/40] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=lab,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=lab,DC=example,DC=com] objects[18/18] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain LAB (SID S-1-5-21-4212005323-1179728628-1017853860) as a DC

configure kerberos

Link the newly created kerberos configuration file to /etc.

ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
reboot

Verify the kerberos configuration.

kinit administrator
> Password for administrator@LAB.EXAMPLE.COM:
> Warning: Your password will expire in 41 days on Tue 29 Jan 2019 09:54:01 PM CET

klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@LAB.EXAMPLE.COM

> Valid starting       Expires              Service principal
> 12/18/2018 22:53:13  12/19/2018 08:53:13  krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
>     renew until 12/19/2018 22:52:58

Synchronizing sysvol

On the labdc1 system, we set up the sync of the sysvol content between the two servers. This is a bidirectional sync and is needed until Samba supports this sync out of the box. This setup assumes that both boxes are Linux Samba servers and no Windows server is involved.

configure ssh

First we need to configure SSH authentication using keys. I recommend setting up a mutual login on both servers.

You probably have to allow password authentication in your SSH configuration until the keys are set up. Do not forget to disable root password logins again afterwards!

ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub root@labdc2

install tools

Next we install rsync and unison, which take care of the sync.

apt install rsync unison-all

configure sync on labdc1

First create the log file used by the sync job to log the actions.

touch /var/log/sysvol-sync.log
chmod 640 /var/log/sysvol-sync.log

Next we configure the unison profile to sync the sysvol content. The content of the unison preferences comes from the Samba wiki as well.

install -o root -g root -m 0750 -d /root/.unison
cat << EOF > /root/.unison/default.prf
# Unison preferences file
root = /var/lib/samba
# Note the double slash after the host name (ssh://host//path); it is required
root = ssh://root@labdc2//var/lib/samba

# Paths to synchronize
path = sysvol

auto=true
batch=true
perms=0
rsync=true
maxthreads=1
retry=3
confirmbigdeletes=false
servercmd=/usr/bin/unison
copythreshold=0
copyprog = /usr/bin/rsync -XAavz --rsh='ssh -p 22' --inplace --compress
copyprogrest = /usr/bin/rsync -XAavz --rsh='ssh -p 22' --partial --inplace --compress
copyquoterem = true
copymax = 1
logfile = /var/log/sysvol-sync.log
EOF

Now it is time to do the initial sync by hand. Be careful: this is not a dry run, it is the real run!

/usr/bin/rsync -XAavz --log-file=/var/log/sysvol-sync.log --delete-after -f"+ */" -f"- *"  /var/lib/samba/sysvol root@labdc2:/var/lib/samba
/usr/bin/unison

Next we set up a little script and add it to cron to sync the folders.

cat << EOF > /root/syncsysvol.sh
#!/bin/bash
/usr/bin/unison default &> /dev/null
EOF
chmod 750 /root/syncsysvol.sh

The last part is to add this script to a cronjob that runs every 5 minutes and ensures the sysvol gets synced.

crontab -e

Add the following line to the crontab to enable a sync every 5 minutes. You may adjust this to your needs and preferences.

*/5     *       *       *       *       /root/syncsysvol.sh
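A cron-safe variant of the one-line sync script above, added here as an example and not taken from the page or the Samba wiki: it refuses to start while a previous unison run still holds a lock (so two 5-minute cron runs cannot overlap), kills a hung run with a timeout, and records failures in the log instead of discarding all output. The names LOCK_DIR, UNISON_BIN, LOG, SYNC_TIMEOUT and the `run` argument are my assumptions; the cron entry would then read `*/5 * * * * /root/syncsysvol.sh run`.

```shell
#!/bin/bash
# Added example, not the page's own script: cron-safe wrapper around the
# unison sysvol sync. Assumed names: LOCK_DIR, UNISON_BIN, LOG, SYNC_TIMEOUT.
# All defaults can be overridden from the environment.
LOCK_DIR="${LOCK_DIR:-/run/lock/sysvol-sync}"   # /run is tmpfs: a stale lock vanishes on reboot
UNISON_BIN="${UNISON_BIN:-/usr/bin/unison}"
LOG="${LOG:-/var/log/sysvol-sync.log}"
SYNC_TIMEOUT="${SYNC_TIMEOUT:-240}"              # seconds, kept below the 5-minute cron period

log() {
    printf '%s sysvol-sync: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >>"$LOG"
}

# Run one sync unless another run still holds the lock.
# Return codes: 0 synced, 1 unison failed or timed out, 2 another sync is still running.
sync_sysvol() {
    rc=1
    # mkdir is atomic, so two overlapping cron invocations cannot both acquire the lock
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        log "skipped: previous sync still running (lock $LOCK_DIR)"
        return 2
    fi
    if timeout "$SYNC_TIMEOUT" "$UNISON_BIN" default >>"$LOG" 2>&1; then
        rc=0
        log "ok"
    else
        rc=$?                                    # 124 means the timeout fired
        log "FAILED: unison exited with status $rc"
    fi
    rmdir "$LOCK_DIR"
    [ "$rc" -eq 0 ] && return 0
    return 1
}

# Number of failed runs recorded in the log; handy for a monitoring check.
count_failures() {
    [ -f "$LOG" ] || { echo 0; return; }
    grep -c 'sysvol-sync: FAILED' "$LOG" || true
}

# cron entry: */5 * * * * /root/syncsysvol.sh run
case "${1:-}" in
    run) sync_sysvol; exit $? ;;
esac
```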

Final steps - Important

After finishing the setup, reconfigure the DHCP server of your network to hand out labdc1 and labdc2 as DNS servers. This is required because without using the DCs as DNS servers you would not be able to join the domain, as many things are resolved through DNS queries. Your domain controllers will forward all queries they cannot answer to the forwarding DNS server IP configured during the provisioning phase.

Manage the domain

There are multiple ways to do this. You may use samba-tool to manage users, groups and memberships, or you may use a Windows 10 system joined to the domain with the RSAT admin tools (built in to Windows 10 as Features on Demand starting with version 1809). This is up to you and what fits you best.