Introduction

This document explains how to setup Samba (4.0+) as a simple Domain Controller that is compatible with Microsoft's Active Directory, for use particularly by Microsoft Windows clients that are joined to the Active Directory domain, for services such as Domain Logon. We refer to this capability as being an AD DC for short.

Installing Samba

There are different ways to install Samba refer to the official documentation for further information. Since JU is a big production environment, we need a more stable enterprise ready package. Enterprisesamba.com offers enterprise level compiled packages for Samba4 in their repository. It is a highly recommended method other that compiling samba from the source. Follow the following steps for installing samba from Sernet repository.

  1. create a user account (sign up) and log in. Email verification might be asked so be sure to use the correct email address.
  2. look for a text something looking like this:
    Note that the repository files are templates: In the URLs inside the repository files, you should replace USERNAME:ACCESSKEY with your username and access key: bets90:1QE94Tmyuob2bFXURR0xenbJ2VIHakdd .
  3. Create a file /etc/apt/sources.list.d/samba4.list and make the contents like this:
    # 
    # SerNet Samba 4.0 Packages 
    # 
    # (debian-wheezy) 
     deb https://bets90:1QE94Tmyuob2bFXURR0xenbJ2VIHakdd@download.sernet.de/packages/samba/4.0/debian wheezy main 
  4. If you need to install apt-https traffic: sudo apt-get install apt-transport-https
  5. The packages are signed with SerNet's gpg build key to guarantee authenticity. Import the keys by installing a debian package
    wget http://ftp.sernet.de/pub/sernet-samba-keyring_1.3_all.deb 
    dpkg -i sernet-samba-keyring_1.3_all.deb
  6. Now run apt-get update
  7. Install Samba AD apt-get install sernet-samba-ad
  8. test using samba -V you should get this:
    Version 4.0.10-SerNet-Debian-8.wheezy

Server information

For the rest of this documentation, we will be using the following configuration/settings foe our AD DC

Installation Directory: /usr/share/samba /etc/samba /var/lib/samba
Server Hostname:        AD
DNS Domain Name:        ju.local (This will also be your realm)
NT4 Domain Name:        ju
IP Address:             192.168.1.80
Server Role:            DC

Provisioning Samba (Setting up a new domain)

The provisioning creates a basic database, and is used when you are configuring your first Samba DC in its own domain. The provision step must be run as a user with permission to write to the install directory. Otherwise you're getting permission denied errors.

Important notes on the provisioning

  • Before provisioning you need a filesystem that supports both the “user” and “system” xattr namespaces. \\If you are using either ext3 or ext4 for your file system you will need to include the options “user_xattr”,”acl” and “barrier=1” in your /etc/fstab. For example:
    /dev/hda3               /home                   ext3    user_xattr,acl,barrier=1     1 1
  • The provision command uses the Samba Internal DNS server by default. For this case, we use bind as DNS backend but bind must be compiled with dlopen support We will see this in the next section.
  • The admin password need to fulfill the password complexity requirements. This means at least one uppercase letter, one number, and at least eight characters length. If you don't use a complex enough password, the provision script will fail, and you will need to start over with a better password.
  • The domain of your AD should be a sub domain. if it, like ad.ju.edu.et. Avoid using ju.edu.et internally.

To provision a new domain, run:

# samba-tool domain provision --use-rfc2307 --interactive

This will run the provision tool interactively. Use the information provided in the “server information”. Also be sure to choose BIND9_DLZ as DNS backend Because some settings can't be set interactively, it's recommended to run samba-tool domain provision –help and have a look at the additional possibilities. The –use-rfc2307 option enables your Samba AD automatically to store posix attributes. It also creates NIS information in the AD, that allows you to administrate UIDs/GIDs and other Unix settings (on the „Unix attributes“ tab in ADUC). It's easier if you enable this feature during provisioning, than setting this up later by hand. And even if you don't required it (yet), it's not affecting your installation.

Starting and Testing the Installed Samba AD DC

  • Before restarting, edit the file /etc/default/sernet-samba make sue to modify this line as follows:
    SAMBA_START_MODE="ad"
  • Simply start samba as root
    /etc/init.d/sernet-samba-ad start
  • Check the connectivity to Samba AD DC:
    $ smbclient --version

    This should return something like this

    Version 4.0.10-SerNet-Debian-8.wheezy
  • Now run this command to list the shares on your Samba server:
    root@ad2:/home/vagrant# smbclient -L localhost -U%
    Domain=[JU] OS=[Unix] Server=[Samba 4.0.10-SerNet-Debian-8.wheezy]
    
    	Sharename       Type      Comment
    	---------       ----      -------
    	netlogon        Disk      
    	sysvol          Disk      
    	IPC$            IPC       IPC Service (Samba 4.0.10-SerNet-Debian-8.wheezy)
    Domain=[JU] OS=[Unix] Server=[Samba 4.0.10-SerNet-Debian-8.wheezy]
    
    	Server               Comment
    	---------            -------
    
    	Workgroup            Master
    	---------            -------

The output should be similar to the output shown above.

  1. To test that authentication is working, you should try to connect to the netlogon share, using the Administrator account created during provisioning. The output of the command should be similar to what is shown below:
    root@ad2:/home/vagrant# smbclient //localhost/netlogon -UAdministrator -c 'ls'
    Enter Administrator's password: 
    Domain=[JU] OS=[Unix] Server=[Samba 4.0.10-SerNet-Debian-8.wheezy]
      .                                   D        0  Fri Nov  8 13:10:06 2013
      ..                                  D        0  Fri Nov  8 13:10:15 2013
    
    		61467 blocks of size 131072. 48693 blocks available

Configure DNS

A working DNS setup is essential to the correct operation of Samba and AD. Without the right DNS entries, Kerberos won't work, which in turn means that many of the basic features won't work! It is worth spending some extra time to ensure your DNS setup is correct, as debugging problems caused by mis-configured DNS can take a lot of time later on. To manage DNS entries the DNS MMC on a Windows client can be used, or samba-tool on Linux.

Bind as DNS backend

If you are not familiar with bind pease refer this page on its general setup. Inorder to work as DLZ backend for samba AD, bind should be compiled as follows:

# ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes

However there is a pre-compiled list of packages here To configure bind,

  • Make sure the file /etc/bind/named.conf.options looks like this.
    options {
    
           auth-nxdomain yes;
    
           directory "/var/named";
    
           forwarders { 8.8.8.8; 8.8.4.4; };
    
           allow-transfer { none; };
           notify no;
           empty-zones-enable no;
       allow-query {
                   10.140.0.0/16;
                   10.141.0.0/16;
                   10.135.0.0/16;
                   ;...other networks you want to allow to query your DNS...;
           };
           allow-recursion {
                 10.140.0.0/16;
                   10.141.0.0/16;
                   10.135.0.0/16;
                 ; ...other networks you want to allow to do recursive queries...;
           };
         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
           };
    • During provisioning/upgrading, a file ('/var/lib/samba/private/named.conf') was created, that must be included in your Bind named.conf:
      include "/var/lib/samba/private/named.conf";
    • Samba4 specific SELinux Policies and permissions should be allowed:

For all the commands below, make sure you have set the following environment variable:

MYREALM="ju.local"
  • Set permissions (SELinux)
    chown bind:bind /usr/local/samba/private/dns
    chgrp bind /usr/local/samba/private/dns.keytab
    chmod g+r /usr/local/samba/private/dns.keytab
    chmod 775 /usr/local/samba/private/dns
    chown root:bind /var/lib/samba/private
  • Restart bind and see the results. If bind restarts safely, issue the command:
    root@ad2:~# samba_dnsupdate --verbose --all-names
    
    Calling nsupdate for A gc._msdcs.ju.local 10.0.2.15
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    gc._msdcs.ju.local.	900	IN	A	10.0.2.15
    .
    .
    .
    .
    .

If the out put is not simililar to that, there is an issue with bind. You can debug bind9 DLZ by changing changing the following line in '/usr/local/samba/private/named.conf' from

database "dlopen .../bin/modules/bind9/dlz_bind9.so";

to

database "dlopen .../bin/modules/bind9/dlz_bind9.so -d 3";
Testing DNS

For the local DNS lookups to resolve correctly, we need to modify the server's /etc/resolv.conf. The following example should be sufficient to have DNS resolve properly:

domain ju.local
nameserver 192.168.1.81

DHCP is not recommended on a DC so disable it and give a static IP.

  • To test that DNS is working properly, run the following commands and compare the output to what is shown:
     $ host -t SRV _ldap._tcp.ju.local.
    _ldap._tcp.ju.local has SRV record 0 100 389 ad.ju.local.
    $ host -t SRV _kerberos._udp.ju.edu.et.
    _kerberos._udp.ju.local has SRV record 0 100 88 ad.ju.local.
    $ host -t A ad.ju.local.
    ad.ju.local has address 192.168.1.81

The answers you get, should be similar to the ones above (adjusted for your domain name, hostname and IP). If you get any errors, carefully check your system logs to locate the problem.

Configure Kerberos

Kerberos configuration is handled by the krb5.conf file. This file is typically located in the /etc/ directory. Please refer to your distribution documentation for the location of this file on your system. If kerberos is not installed, you can install it using apt-get install krb5-user There is a sample file created during provisioning located at /usr/local/samba/share/setup/krb5.conf, that is a suitable replacement for an existing file. Its default content is:

[libdefaults]
        default_realm = JU.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
Testing kerberos

The simplest test is to use the kinit command as follows:

$ kinit administrator@JU.LOCAL
  • Note: You must specify your domain realm in uppercase letters!
  • Note: Depending on your distribution, kinit may just return you to a prompt, however, some distributions may return something like Warning: Your password will expire in x days on …
  • To verify that Kerberos is working, and that you received a ticket, run:
    $ klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@JU.LOCAL
    
    Valid starting     Expires            Service principal
    11/12/13 07:49:03  11/12/13 17:49:03  krbtgt/JU.LOCAL@JU.LOCAL
    	renew until 11/13/13 07:48:51
  • You can also test Kerberos form a remote client, but you must first configure the client's krb5.conf and resolve.conf as shown previously.

Configure NTP

Active Directory requires an accurate time synchronization between the clients and the DC(s). It's highly recommended to run NTP or another form of synchronization.

  • Update apt repository and install ntp.
    apt-get update && apt-get install ntp
  • Set the permission of the ntp_signd directory (default /var/lib/samba/ntp_signd/) to 0750 and its owner to root:ntp to ensure that it is readable from ntpd.
  • If you already have a supported ntpd version and /etc/ntp.conf, you have to add/adjust only the following lines for minimal:
     server 127.127.1.0
     fudge  127.127.1.0 stratum 10
     server 0.pool.ntp.org  iburst prefer
     server 1.pool.ntp.org  iburst prefer
     driftfile /var/lib/ntp/ntp.drift
     logfile /var/log/ntp
     ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
     restrict default kod nomodify notrap nopeer mssntp
     restrict 127.0.0.1
     restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
     restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

For explanation: This config allows clients to receive time from this NTP host, localhost doesn't have any restrictions, and the servers we receive the time from ,are not allowed to do anything else than providing the time to us. For more information about ntpd access controll, see http://support.ntp.org/bin/view/Support/AccessRestrictions

  • On members of the domain you don't have to configure anything. Per default they will receive the time from the DC that has the FSMO role PDC.

For further information please refer to the official wiki page.

vlir/projects/samba4_ad_dc_on_debian_wheezy.txt · Last modified: 2013/11/12 14:40 by betselot
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Run by Debian Driven by DokuWiki