Install Samba as an Active Directory Domain Controller

Kuko Armas <kuko@canarytek.com>

In this post I describe how to install Samba as an Active Directory Domain Controller.

The problem

Samba4 has been able to act as an Active Directory Domain Controller for a long time, but most major Linux distributions don’t include this feature. The problem is that AD uses Kerberos: Samba4 uses a Kerberos implementation called Heimdal, while most major Linux distros use a different one (MIT Kerberos), and it seems that installing Samba4 on a server with MIT Kerberos could break it.

Samba developers have been working for a long time to support MIT Kerberos, but it seems it was not easy. Apparently, in Samba version 4.7, which is already in release candidate status, the AD support can be compiled with MIT Kerberos instead of Heimdal, but it will still take some time for the major distros to include this Samba version.

Sooo, the only choice I had to install Samba4 as an AD Domain Controller was to compile it from source. I even automated the whole process with Chef, but I was sick of it (and I’m in the process of abandoning Chef in favor of SaltStack).

So, recently I decided to do something I really should have done long before: prepare a Samba4 package with the AD DC support compiled in.

Since I have recently become a big fan of SuSE and its Open Build Service, I decided to create the RPM for SuSE Leap 42.3 and SLES12SP3 and host the packages in OBS.

Right! But let’s do it!

OK, enough chat, let’s go and install the thing…

As I said, right now these packages are only built for SuSE’s SLES12SP3 and Leap 42.3. I will probably update the packages to build also for previous versions and maybe for CentOS 7. The OBS repo is here.

If you are frustrated because you expected to find packages for your distro of choice I will tell you two things:

  1. A good practice is to use the domain controllers exclusively as domain controllers, so you can install a host with openSUSE Leap 42.3 just for this task. Use your distro of choice for everything else (and if you can not manage a mixed environment, you are not a great sysadmin! :P Don’t worry, I will not tell your boss).
  2. Give openSUSE a try, you will be pleased! ;)

In the following sections I will assume we are using openSUSE Leap 42.3.

Install the software

VERY IMPORTANT: Since the samba-dc package conflicts with the distro’s samba packages, and can break software that uses MIT Kerberos, this repo should be used exclusively on the hosts you plan to use as AD Domain Controllers. Use the distro’s samba package for any other role (fileserver, printserver, etc.); they will integrate perfectly with this AD DC.

  • Install the samba-dc repo

      curl -o /etc/zypp/repos.d/samba-dc.repo http://download.opensuse.org/repositories/home:/kuko:/samba-dc/openSUSE_Leap_42.3/home:kuko:samba-dc.repo
    
  • Since the samba-dc packages conflict with the distro’s samba packages, you need to uninstall any previous samba package

      zypper remove samba*
    
  • Install the software

      zypper install samba-dc
    

Deploy a new AD domain

The next step is deploying a new AD domain. In the examples I will use the following data for the domain:

  • Domain name: mydomain.lan
  • NetBIOS name: MYDOMAIN
  • Server name for this DC: dc1
  • Administrator’s password: One.password_123

With this data, the command to deploy the new AD domain is the following:

samba-tool domain provision --use-rfc2307 --realm mydomain.lan --host-name dc1 --domain MYDOMAIN --server-role dc --adminpass One.password_123

At the end of this process a config file for Kerberos will be created. You need to copy it to /etc:

cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

And we need to set up the host so it uses Samba to resolve DNS names (Samba has an embedded nameserver). BTW, do not use Samba’s DNS server for DNS resolution for more than a few hosts, it sucks. You can use an external DNS for resolution and Samba’s DNS only for AD related queries, but I will not cover that in this post.

echo -e "search mydomain.lan\nnameserver 127.0.0.1" > /etc/resolv.conf

And finally, you can enable and start the samba service (it will start the “samba”, “smb” and “winbind” processes):

systemctl enable samba
systemctl restart samba
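Before running the provision command and after starting the service, it is worth checking the inputs and the result. The script below is an added example, not code from the original post: check_netbios and check_adminpass enforce the limits samba-tool itself applies (15-character NetBIOS name, AD default password complexity), verify_dc queries the SRV records and Kerberos through the embedded DNS, and the RUN_PROVISION/ADMINPASS switches are my own; the domain values are the post’s example data.

```shell
#!/bin/sh
# Added example, not from the original post: check the provisioning
# parameters before calling samba-tool, then confirm the new DC answers.
# Values are the post's example data (mydomain.lan / MYDOMAIN / dc1).
REALM="mydomain.lan"
NETBIOS="MYDOMAIN"
DC_HOST="dc1"

# NetBIOS domain names: 1 to 15 characters, upper-case letters, digits, '-'.
check_netbios() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Z0-9-]{1,15}$'
}

# Provisioning enables AD's default password policy, so --adminpass must be
# at least 7 characters long and use three of: upper, lower, digit, other.
check_adminpass() {
    pw="$1"; n=0
    [ "${#pw}" -ge 7 ] || return 1
    for re in '[A-Z]' '[a-z]' '[0-9]' '[^A-Za-z0-9]'; do
        if printf '%s' "$pw" | LC_ALL=C grep -q "$re"; then n=$((n + 1)); fi
    done
    [ "$n" -ge 3 ]
}

# After "systemctl restart samba": the SRV records that clients use to locate
# the DC must resolve through the embedded DNS, the DC must list its shares,
# and Administrator must get a Kerberos ticket (kinit prompts for the password).
verify_dc() {
    for rr in "_ldap._tcp.$REALM" "_kerberos._udp.$REALM"; do
        host -t SRV "$rr" 127.0.0.1 || return 1
    done
    host -t A "$DC_HOST.$REALM" 127.0.0.1 || return 1
    smbclient -L localhost -U% || return 1
    kinit administrator && klist
}

# Set RUN_PROVISION=1 and ADMINPASS=... to run the real provisioning on the
# new DC; the checks above refuse values that samba-tool would reject anyway.
if [ "${RUN_PROVISION:-0}" = 1 ]; then
    check_netbios "$NETBIOS" || { echo "bad NetBIOS name: $NETBIOS" >&2; exit 1; }
    check_adminpass "$ADMINPASS" || { echo "adminpass fails AD complexity rules" >&2; exit 1; }
    samba-tool domain provision --use-rfc2307 --realm "$REALM" --host-name "$DC_HOST" \
        --domain "$NETBIOS" --server-role dc --adminpass "$ADMINPASS"
    cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
    printf 'search %s\nnameserver 127.0.0.1\n' "$REALM" > /etc/resolv.conf
    systemctl enable samba && systemctl restart samba && verify_dc
fi
```

Passing the password through ADMINPASS keeps it out of the shell history, but samba-tool still receives it as a command-line argument, so it is briefly visible in the process list either way.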

Add a Linux host as an AD member server

In this section we will add a new openSUSE server as an AD member server. This way, Linux will “see” all AD users as local users. To connect to the AD service we will use the sssd service.

zypper in -t pattern yast2_basis

Run YaST and configure the domain membership:

  • Go to “Security and Users” -> “User and Group Management”
  • Go to “Authentication Settings” -> “SSSD” -> “Configure” -> “Change Settings”
  • Join Domain -> type the domain name -> select “Microsoft Active Directory” (in both options) -> check the “Enabled” checkbox
  • Enter the administrative credentials

Options:

      id_provider = ad
      auth_provider = ad
      enumerate = true
      cache_credentials = false
      case_sensitive = true
      ad_server = dc1

Test it by listing users and groups:

getent passwd
getent group

Install, enable and start the sssd service:

zypper in sssd
systemctl enable sssd
systemctl start sssd

Install and enable winbind:

zypper in samba-winbind
systemctl enable winbind
systemctl start winbind

Add server to DNS

List zones:

samba-tool dns zonelist dc1 -Uadministrator%One.password_123

Add the server:

samba-tool dns add dc1 mydomain.lan samba-server A 192.168.122.112 -Uadministrator%One.password_123
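The command above registers only the forward (A) record. The script below is an added example, not code from the original post: it adds both the A record and the matching PTR record, creating the /24 reverse zone with samba-tool when it does not exist yet; the helper functions and the RUN_DNS switch are my own, and the host and address are the post’s example values.

```shell
#!/bin/sh
# Added example, not from the original post: register a member server in the
# AD DNS with both an A record and the matching PTR record, creating the /24
# reverse zone when it is missing. Without the PTR, reverse lookups of the
# server fail (MIT Kerberos clients use them by default to canonicalize names).
DC="dc1"
ZONE="mydomain.lan"

# 192.168.122.112 -> 122.168.192.in-addr.arpa (the /24 reverse zone name)
reverse_zone() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# 192.168.122.112 -> 112 (the record name inside that reverse zone)
ptr_name() {
    echo "$1" | awk -F. '{ print $4 }'
}

# Accept only a dotted quad whose octets are all in 0-255.
valid_ipv4() {
    echo "$1" | LC_ALL=C grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# -U administrator makes samba-tool prompt for the password, so it is not left
# in the shell history or visible in "ps" as -Uadministrator%password would be.
register_host() {
    name="$1"; ip="$2"
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    rz=$(reverse_zone "$ip")
    # zonelist prints the name of every existing zone; create ours if absent
    samba-tool dns zonelist "$DC" -U administrator | grep -qF "$rz" ||
        samba-tool dns zonecreate "$DC" "$rz" -U administrator || return 1
    samba-tool dns add "$DC" "$ZONE" "$name" A "$ip" -U administrator || return 1
    samba-tool dns add "$DC" "$rz" "$(ptr_name "$ip")" PTR "$name.$ZONE" -U administrator || return 1
    # both directions must now resolve through the DC
    host "$name.$ZONE" "$DC" && host "$ip" "$DC"
}

# Set RUN_DNS=1 to run it for the post's example member server.
if [ "${RUN_DNS:-0}" = 1 ]; then
    register_host samba-server 192.168.122.112
fi
```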

Add a user:

samba-tool user create test test.123

ACL

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Add to the [global] section of smb.conf:

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
username map = /etc/samba/usermap

samba-server:~ # cat /etc/samba/usermap
!root = MYDOMAIN\Administrator MYDOMAIN\administrator

Grant the privilege (on the fileserver):

net rpc rights grant "domain admins" SeDiskOperatorPrivilege -Uadministrator%One.password_123

Verify:

net rpc rights list privileges SeDiskOperatorPrivilege -U "administrator%One.password_123"

chown administrator:"Domain Admins" /home/shared
chmod 0770 /home/shared

We set the shared folder permissions from Windows: Computer Management -> Actions -> Connect to another computer -> connect to the fileserver, go to Shared Folders -> folder Properties -> shared folder Security.

WATCH OUT! Local access is mapped to root, so do we have to grant permissions to root as well???

Install the utilities:

zypper in acl attr