Samba4 Active Directory
This tutorial shows how to set up a fully functional Active Directory using Samba 4. It also builds a redundant setup with two domain controllers, so that one may fail or reboot without losing access to the directory. This setup is my main authentication backend for my NAS servers and file shares, and it lets me manage access rights for FreeNAS and other servers in one central place.
Plan your setup
Before you continue, plan your installation. Answer the questions below:
| Parameter / Information | Value | Comment |
|---|---|---|
| Kerberos realm | LAB.EXAMPLE.COM | Usually your local domain name in capital letters |
| DC / Kerberos servers | labdc1 (192.168.99.2), labdc2 (192.168.99.3) | One or more servers that serve the DC role |
| Forwarding DNS server | 192.168.99.1 | Usually your router or the DNS server assigned by your ISP; here it is the lab gateway |
| Administrator password | XXXXXX | Choose a strong password (Samba enforces complexity by default) or the provision will fail! |
| User for installation | root | This howto assumes all commands are run as root |
Also check out the following wiki pages of the Samba project:
Minimal Debian 9 installation
First we set up a minimal Debian installation on both servers. In the installer we only select the SSH server and the standard system utilities; no other application is needed at this stage.
I just install some utils I normally use.
/usr/bin/apt-get -y install mc unzip zip htop iotop curl nano
Network interface configuration
Next make sure the network configuration is correct and uses the static IP address from your plan. On Debian 9 this is /etc/network/interfaces:

auto ens18
iface ens18 inet static
    # 192.168.99.3 for labdc2
    address 192.168.99.2
    netmask 255.255.255.0
    gateway 192.168.99.1
    broadcast 192.168.99.255
    network 192.168.99.0
We also make sure /etc/hosts is accurate and contains both DCs with the planned IP addresses:

192.168.99.2 labdc1.lab.example.com labdc1
192.168.99.3 labdc2.lab.example.com labdc2
Installation of the Samba Server
Now it is time to install the packages on both servers. During installation you will be prompted for the Kerberos realm and the Kerberos server names; use the values from your plan.
apt install samba attr winbind krb5-config krb5-user smbclient libpam-winbind libnss-winbind libpam-krb5
Config / daemon preparation
After the installation we rename the generated smb.conf and krb5.conf files to keep the originals; both will be regenerated during provisioning.

mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
mv /etc/krb5.conf /etc/krb5.conf.orig
Next we make sure no Samba service is currently running, and we disable smbd, nmbd and winbind: on an AD DC they must not run as standalone daemons, because the samba-ad-dc service starts them itself. Instead we unmask and enable samba-ad-dc.service (and keep it stopped until the domain is provisioned).

systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
systemctl unmask samba-ad-dc.service
systemctl enable samba-ad-dc.service
systemctl stop samba-ad-dc.service
Now provision the domain on labdc1. Accept the defaults shown in brackets unless your plan says otherwise:

samba-tool domain provision --use-rfc2307 --interactive
Realm [LAB.EXAMPLE.COM]:
Domain [LAB]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.99.1]:
Administrator password:
Retype password:
When the provisioning has finished, you should see something like the lines below.

A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              labdc1
NetBIOS Domain:        LAB
DNS Domain:            lab.example.com
DOMAIN SID:            S-1-5-21-??????????-?????????-??????????
Next we point the DNS resolver (/etc/resolv.conf) at our Samba DNS servers and set the domain. Make sure nothing else (for example a DHCP client) overwrites this file later, or the DC will lose its own DNS.

domain lab.example.com
nameserver 192.168.99.2
nameserver 192.168.99.3
Next we link the generated Kerberos configuration to /etc/krb5.conf. After that we reboot the server and make sure everything starts as expected and no service fails.

ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
reboot
Now verify the DNS and Samba setup. The DNS zone must contain SRV records for LDAP and Kerberos pointing at the DC you just set up, and a Kerberos ticket must be obtainable for the administrator.

samba-tool domain level show
> Domain and forest function level for domain 'DC=lab,DC=example,DC=com'
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2

smbclient -L localhost -U%
> Domain=[LAB] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk
>         sysvol          Disk
>         IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
> Domain=[LAB] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
>         Server               Comment
>         ---------            -------
>
>         Workgroup            Master
>         ---------            -------
>         WORKGROUP            LABDC1

host -t SRV _ldap._tcp.lab.example.com.
> _ldap._tcp.lab.example.com has SRV record 0 100 389 labdc1.lab.example.com.

host -t SRV _kerberos._udp.lab.example.com.
> _kerberos._udp.lab.example.com has SRV record 0 100 88 labdc1.lab.example.com.

host -t A labdc1.lab.example.com.
> labdc1.lab.example.com has address 192.168.99.2

kinit administrator
> Password for administrator@LAB.EXAMPLE.COM:
> Warning: Your password will expire in 41 days on Tue 29 Jan 2019 09:54:01 PM CET

klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@LAB.EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 12/18/2018 22:53:13  12/19/2018 08:53:13  krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
>         renew until 12/19/2018 22:52:58
Join labdc2 as domain controller
Now that the first DC is working, we provision the second one and join it to the existing directory. This is quite simple compared to the first DC: if labdc2 has been through the same package installation and daemon preparation, and its /etc/resolv.conf points at labdc1 so it can locate the domain through DNS, only two steps are needed.
join the domain
samba-tool domain join lab.example.com DC -U"LAB\administrator" --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'lab.example.com'
Found DC labdc1.lab.example.com
Password for [LAB\administrator]:
workgroup is LAB
realm is lab.example.com
Adding CN=LABDC2,OU=Domain Controllers,DC=lab,DC=example,DC=com
Adding CN=LABDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=example,DC=com
Adding CN=NTDS Settings,CN=LABDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=example,DC=com
Adding SPNs to CN=LABDC2,OU=Domain Controllers,DC=lab,DC=example,DC=com
Setting account password for LABDC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=lab,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=lab,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=lab,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=lab,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=lab,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=lab,DC=example,DC=com] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=lab,DC=example,DC=com] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=lab,DC=example,DC=com] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=lab,DC=example,DC=com] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=lab,DC=example,DC=com] objects[1614/1614] linked_values[30/0]
Replicating critical objects from the base DN of the domain
Partition[DC=lab,DC=example,DC=com] objects[97/97] linked_values[23/0]
Partition[DC=lab,DC=example,DC=com] objects[361/264] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=lab,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=lab,DC=example,DC=com] objects[40/40] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=lab,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=lab,DC=example,DC=com] objects[18/18] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain LAB (SID S-1-5-21-4212005323-1179728628-1017853860) as a DC
Link the newly created Kerberos configuration file to /etc and reboot.

ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
reboot
Verify the Kerberos configuration on labdc2 the same way as on labdc1.

kinit administrator
> Password for administrator@LAB.EXAMPLE.COM:
> Warning: Your password will expire in 41 days on Tue 29 Jan 2019 09:54:01 PM CET

klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@LAB.EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 12/18/2018 22:53:13  12/19/2018 08:53:13  krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
>         renew until 12/19/2018 22:52:58
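A ticket on labdc2 proves Kerberos works, but clients locate DCs through the SRV records, so the join is only complete once labdc2 has registered its own records in the AD DNS zone. The script below is an added check, not part of the original tutorial: it parses the output of host -t SRV and reports which of the planned DCs are missing. The domain and DC names follow the plan above; the two sample listings are constructed, not captured from a real server.

```shell
#!/bin/bash
# Added check, not part of the tutorial: confirm that every DC has registered
# its SRV records in the AD DNS zone. Names follow the tutorial's plan
# (lab.example.com, labdc1, labdc2); the sample listings below are constructed.

DOMAIN="${DOMAIN:-lab.example.com}"
EXPECTED_DCS="${EXPECTED_DCS:-labdc1 labdc2}"

# Constructed sample output of "host -t SRV _ldap._tcp.lab.example.com.":
# the failure case, where only the first DC registered its records ...
SAMPLE_DC1_ONLY='_ldap._tcp.lab.example.com has SRV record 0 100 389 labdc1.lab.example.com.'
# ... and the healthy case after labdc2 joined.
SAMPLE_BOTH='_ldap._tcp.lab.example.com has SRV record 0 100 389 labdc1.lab.example.com.
_ldap._tcp.lab.example.com has SRV record 0 100 389 labdc2.lab.example.com.'

# Read a "host -t SRV" listing on stdin and print the short host names
# (one per line, sorted, deduplicated) that the SRV records point at.
srv_targets() {
    awk '/has SRV record/ { t = $NF; sub(/\.$/, "", t); sub(/\..*/, "", t); print t }' | sort -u
}

# Read a "host -t SRV" listing on stdin and print the expected DCs that are
# missing from it, space separated. Prints nothing when all DCs are present.
missing_dcs() {
    local found dc missing=""
    found=$(srv_targets)
    for dc in $EXPECTED_DCS; do
        printf '%s\n' "$found" | grep -qx "$dc" || missing="$missing $dc"
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
    fi
}

# Live check against the AD DNS: query the records every client relies on and
# report DCs that are absent. Needs the host utility and the DCs as resolvers.
check_live() {
    local rr missing rc=0
    for rr in _ldap._tcp _kerberos._tcp _kerberos._udp; do
        missing=$(host -t SRV "$rr.$DOMAIN." | missing_dcs)
        if [ -n "$missing" ]; then
            echo "$rr.$DOMAIN: no SRV record for: $missing"
            rc=1
        else
            echo "$rr.$DOMAIN: all DCs registered"
        fi
    done
    return "$rc"
}

if [ "${1:-}" = "live" ]; then
    check_live
else
    # Offline demonstration on the constructed samples.
    echo "only labdc1 registered -> missing: $(printf '%s\n' "$SAMPLE_DC1_ONLY" | missing_dcs)"
    echo "both registered       -> missing: '$(printf '%s\n' "$SAMPLE_BOTH" | missing_dcs)'"
fi
```

Run it with the argument live on either DC to query the real zone. If labdc2 is reported missing, run samba_dnsupdate --verbose on labdc2 to (re)register its records, and check that directory replication between the two DCs is healthy with samba-tool drs showrepl.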
On labdc1 we set up synchronisation of the sysvol content between the two servers. Samba does not replicate sysvol itself, so this bidirectional sync is needed until it does. This setup assumes both boxes are Linux Samba servers and no Windows DC is involved.
First we configure SSH key authentication, since unison runs over SSH. I recommend setting up a mutual login on both servers.

You probably have to allow password authentication in your SSH configuration until the keys are in place. Do not forget to disable root password logins afterwards (PermitRootLogin prohibit-password in /etc/ssh/sshd_config). Keep in mind that this root key gives full access to the other DC, so protect it like the DC itself.

ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub root@labdc2
Next we install rsync and unison, which take care of the sync.
apt install rsync unison-all
configure sync on labdc1
First create the log file used by the sync job to record its actions.

touch /var/log/sysvol-sync.log
chmod 640 /var/log/sysvol-sync.log
Next we configure the unison profile that syncs the sysvol content. The preference values come from the Samba wiki.

install -o root -g root -m 0750 -d /root/.unison
cat << 'EOF' > /root/.unison/default.prf
# Unison preferences file
root = /var/lib/samba
# Note the double slash after labdc2, it is required
root = ssh://root@labdc2//var/lib/samba
# Paths to synchronize
path = sysvol
auto=true
batch=true
perms=0
rsync=true
maxthreads=1
retry=3
confirmbigdeletes=false
servercmd=/usr/bin/unison
copythreshold=0
copyprog = /usr/bin/rsync -XAavz --rsh='ssh -p 22' --inplace --compress
copyprogrest = /usr/bin/rsync -XAavz --rsh='ssh -p 22' --partial --inplace --compress
copyquoterem = true
copymax = 1
logfile = /var/log/sysvol-sync.log
EOF
Now it is time to do the initial sync by hand. Be careful: this is not a dry run but the real thing. The rsync creates the directory structure on labdc2 (the filters copy directories only), and unison then transfers the files.

/usr/bin/rsync -XAavz --log-file=/var/log/sysvol-sync.log --delete-after -f"+ */" -f"- *" /var/lib/samba/sysvol root@labdc2:/var/lib/samba
/usr/bin/unison
Next we create a small script that runs the sync, so it can be called from cron.

cat << 'EOF' > /root/syncsysvol.sh
#!/bin/bash
/usr/bin/unison default &> /dev/null
EOF
chmod 750 /root/syncsysvol.sh
The last part is to add this script to root's crontab (crontab -e) so it runs every 5 minutes and keeps sysvol in sync. Adjust the interval to your needs and preferences.
*/5 * * * * /root/syncsysvol.sh
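The one-line script above discards unison's output and exit status, and with a 5 minute interval a slow run can overlap the next one. The wrapper below is an added example, not the tutorial's script: it refuses to start while a previous sync is still running, logs the outcome with a timestamp, and exits non-zero on real failures so cron reports them. The unison exit codes (0 ok, 1 some items skipped, 2 non-fatal failures, 3 fatal) are the ones unison documents; the lock location, log format and environment overrides are this example's own choices.

```shell
#!/bin/bash
# Added example, not the tutorial's script: a sysvol sync wrapper for cron that
# refuses to overlap a still-running sync and records unison's exit status.
# Unison exit codes: 0 ok, 1 some items skipped, 2 non-fatal failures, 3 fatal.
# Paths and the profile name can be overridden through the environment.
set -u

UNISON="${UNISON:-/usr/bin/unison}"
PROFILE="${PROFILE:-default}"
LOG="${SYSVOL_SYNC_LOG:-/var/log/sysvol-sync.log}"
LOCK_DIR="${SYSVOL_SYNC_LOCK:-/run/sysvol-sync.lock}"

log() {
    printf '%s sysvol-sync[%s]: %s\n' "$(date '+%F %T')" "$$" "$1" >> "$LOG"
}

# Map a unison exit status to a one-line message for the log.
unison_status_msg() {
    case "$1" in
        0) echo "ok: sysvol is in sync" ;;
        1) echo "warning: some items were skipped (conflict or permission problem), review the unison log" ;;
        2) echo "error: non-fatal failures during transfer" ;;
        3) echo "fatal: unison aborted or was interrupted" ;;
        *) echo "unknown unison exit status $1" ;;
    esac
}

# Take a lock directory; mkdir is atomic, so only one caller wins.
# A lock whose recorded pid is no longer alive is treated as stale and taken
# over (a crashed run must not block sysvol sync forever).
# Returns 1 when another live sync holds the lock.
acquire_lock() {
    local lock="$1" pid
    if mkdir "$lock" 2>/dev/null; then
        echo "$$" > "$lock/pid"
        return 0
    fi
    pid=$(cat "$lock/pid" 2>/dev/null || true)
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        return 1
    fi
    rm -rf "$lock"
    mkdir "$lock" 2>/dev/null && echo "$$" > "$lock/pid"
}

release_lock() {
    rm -rf "$1"
}

main() {
    if ! acquire_lock "$LOCK_DIR"; then
        log "previous sync still running, skipping this run"
        return 0
    fi
    trap 'release_lock "$LOCK_DIR"' EXIT
    "$UNISON" "$PROFILE" > /dev/null 2>&1
    status=$?
    log "$(unison_status_msg "$status")"
    # Exit non-zero on 2 and 3 so cron mails the failure to root.
    [ "$status" -le 1 ]
}

# Cron line for root (crontab -e), replacing the tutorial's one-liner:
#   */5 * * * * /root/syncsysvol.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Where util-linux is available, flock -n on a lock file does the same job as the mkdir lock with less code. Status 1 deserves attention: in batch mode unison does not resolve conflicting changes, it leaves both sides untouched and reports them, so a GPO edited on both DCs between two runs will silently stay out of sync until someone looks at the log.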
Final steps - Important
After finishing the setup, reconfigure the DHCP server of your network to hand out labdc1 and labdc2 as DNS servers. This is required: without the DCs as DNS servers, clients cannot join the domain, because the DCs and their services are located through DNS queries (the SRV records checked above). Your domain controllers forward all queries they cannot answer themselves to the forwarding DNS server configured during provisioning.
Manage the domain
There are several ways to do this. You may use samba-tool on a DC to manage users, groups and memberships, or a Windows 10 system joined to the domain with the RSAT admin tools (available as Features on Demand starting with Windows 10 version 1809). Choose whatever fits you best.