Support #323

Installing a Samba4 Active Directory Domain Controller On Debian Using LXC

Added by Daniel Curtis about 10 years ago. Updated about 9 years ago.

Status: Closed
Priority: High
Category: Domain Controller
Start date: 01/22/2014
% Done: 100%
Estimated time: 4.00 h

Description

This guide is to assist in setting up an Active Directory Domain Controller with Samba4 on a Debian 7 "Wheezy" system inside of a Linux Container. I am currently using OpenLDAP and Kerberos for centralized authentication and user information, so I already understand most of the principles behind Active Directory. Samba4 ties LDAP, Kerberos, DNS, and extended filesystem attributes together into a system that is a working replica of Active Directory. To add an additional layer of isolation, my VPS environment runs entirely in Linux Containers (OS-level virtualization that shares the host kernel, rather than para-virtualization); however this also adds an additional step in setting it up, because the container cannot change the mount options of the filesystem it lives on. This guide assumes that a baseline container has been created, has been configured with a static IP address, and has ssh access. This guide also uses the following example hosts:
  • vps-node.example.com: 192.168.200.10
  • dc-container.example.com: 172.16.200.50

Install xattr and acl on underlying VPS node

To begin, the filesystem must support extended attributes (xattr) and POSIX ACLs for Samba4 to provision properly. Because an LXC container shares the host's kernel, and mount options are applied by that kernel when the partition is mounted at boot, the support has to be installed and configured on the underlying VPS node, not inside the Domain Controller container. To do this, log into the VPS node and drop to root:

ssh vps-node.example.com
sudo su

Now install xattr and acl:

apt-get install attr docbook-xsl acl python-xattr libblkid1

Once these packages are installed, /etc/fstab needs to be modified similar to the following:

/dev/sda4 / ext4 errors=remount-ro,user_xattr,acl,barrier=1 0 1

The options user_xattr, acl, and barrier=1 must be present. They mean:
  • user_xattr: enables extended attributes in the user namespace. Extended attributes are extra name/value metadata attached to an inode beyond the normal POSIX ownership and mode bits; Samba uses them to store DOS attributes and Windows security descriptors, which is how NT ACLs survive on a POSIX filesystem.
  • acl: enables POSIX ACLs, a more flexible permission mechanism than the owner/group/other mode bits, onto which Samba maps the Windows permissions of sysvol and the shares.
  • barrier=1: enables write barriers, which keep Samba's tdb database transactions safe against unexpected power loss.

Now that xattr and ACL support is installed and configured on the VPS node, reboot it so the new mount options take effect:

reboot

That's all that needs to be done on the host.
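The guide gives no way to confirm that the host really ended up with the right mount options after the reboot, and /proc/mounts is misleading here because ext4 omits options that are already superblock defaults (see `tune2fs -l /dev/sda4 | grep 'Default mount options'`). The following preflight script is an added example, not part of the original guide: it checks the fstab entry, shows the live mount options, and then proves support the authoritative way by actually setting a user xattr and a POSIX ACL on a scratch file. It assumes the container's root filesystem lives on the host's / partition (pass another mount point such as /var/lib/lxc otherwise) and that the attr and acl packages from the step above are installed.

```shell
#!/bin/sh
# Added preflight check for the LXC host filesystem (not from the original
# guide). Assumes the container rootfs lives on the host's / partition unless
# another mount point is given. Usage: sh preflight.sh check [/mountpoint]

# has_required_opts OPTS: succeed only if the comma-separated mount option
# string (fstab column 4) contains both user_xattr and acl.
has_required_opts() {
    opts="$1"
    for req in user_xattr acl; do
        case ",$opts," in
            *",$req,"*) ;;
            *) echo "missing mount option: $req" >&2; return 1 ;;
        esac
    done
    return 0
}

# fstab_opts_for MOUNTPOINT [FSTAB]: print the option column of the fstab
# entry for MOUNTPOINT, skipping comment lines; prints nothing if absent.
fstab_opts_for() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "${2:-/etc/fstab}"
}

# mounted_opts_for MOUNTPOINT: options the kernel reports for the live mount.
# ext4 leaves out options that are already superblock defaults, so a missing
# user_xattr/acl here is not proof of absence; probe_xattr_acl is the real test.
mounted_opts_for() {
    awk -v mp="$1" '$2 == mp { print $4; exit }' /proc/mounts
}

# probe_xattr_acl DIR: create a scratch file under DIR and try to set a
# user-namespace xattr and a POSIX ACL on it, which is what Samba will do.
probe_xattr_acl() {
    f="$1/.samba_probe.$$"
    : > "$f" || { echo "cannot create probe file in $1" >&2; return 1; }
    rc=0
    if command -v setfattr >/dev/null 2>&1; then
        setfattr -n user.samba_probe -v 1 "$f" 2>/dev/null \
            || { echo "user xattr not supported on $1" >&2; rc=1; }
    else
        echo "setfattr not installed (apt-get install attr)" >&2; rc=1
    fi
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -m u:nobody:r "$f" 2>/dev/null \
            || { echo "POSIX ACL not supported on $1" >&2; rc=1; }
    else
        echo "setfacl not installed (apt-get install acl)" >&2; rc=1
    fi
    rm -f "$f"
    return $rc
}

# Run all checks when invoked as "check [MOUNTPOINT]"; the default is /.
if [ "${1:-}" = check ]; then
    mp="${2:-/}"
    echo "fstab options for $mp: $(fstab_opts_for "$mp")"
    echo "live options for $mp:  $(mounted_opts_for "$mp")"
    has_required_opts "$(fstab_opts_for "$mp")" && probe_xattr_acl "$mp" \
        && echo "OK: $mp is ready for Samba4" || exit 1
fi
```

Run it as root on the VPS node (`sh preflight.sh check /`); a non-zero exit means the container will later fail provisioning or silently lose NT ACLs, so fix fstab and reboot before going on.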

Install Samba4 and utilities on the Domain Controller container

Start by logging into the Domain Controller container and drop to root:

ssh dc-container.example.com
sudo su

Then install the samba4 and utility packages:

apt-get install samba4 samba4-clients bind9 libgcrypt11 python-dnspython pkg-config dnsutils attr docbook-xsl acl python-xattr libblkid1 krb5-user

When the packages have finished installing, move the default package configuration out of the way; otherwise the initial Active Directory provisioning will fail:

mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

Alternative: Build from source

The Debian-packaged provisioning script does not appear to have the --use-rfc2307 option, which is what provisions the NIS (POSIX uid/gid) attributes in the LDAP directory. One option is to build from source using the latest stable version of Samba4. This can be done in a few time consuming steps.

  • Download the required dependencies
    apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl libpam0g-dev git-core
    
  • Download the latest stable Samba4 using git. Note that the git:// transport is unauthenticated; the same repository is served over https://git.samba.org/samba.git, and Samba release tags are GPG-signed, so check out a release tag and verify it with git tag -v before building code that will hold your domain's credentials.
    cd /usr/local/src
    git clone -b v4-0-stable git://git.samba.org/samba.git samba-v4-0-stable
    
  • Compile and install Samba4 (the default prefix is /usr/local/samba, which is where the paths later in this guide point)
    cd samba-v4-0-stable
    ./configure 
    make
    make install
    

Provision the Active Directory Domain

Now it's time to provision the domain. Replace the example values with your own realm, domain, and password (the Kerberos realm is conventionally the DNS domain in uppercase). Note that a password passed on the command line is visible to every local user in the process list while the command runs and is written to the shell history; on a shared host prefer an interactive prompt where the tool offers one, or remove the entry from the history afterwards:

/usr/share/samba/setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE --adminpass='SuperSecretPassword' --server-role=dc

This generates the required files, databases, and key files for your Active Directory; they are stored under /var/lib/samba/ (the private/ subdirectory holds the secrets database and Kerberos keytabs, so keep its permissions as provisioned). It also generates an /etc/samba/smb.conf configuration file that looks similar to the following:

# Global parameters
[global]
server role = active directory domain controller
workgroup = EXAMPLE
realm = EXAMPLE.COM
netbios name = ADDC
passdb backend = samba4
server services = +smb -s3fs

[netlogon]
path = /var/lib/samba/sysvol/example.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

Note: I added the server services = +smb -s3fs string due to an error similar to the following:

Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)

Restart Samba

service samba4 restart

I get the following error when restarting, or when starting the service for the first time:

[....] Starting Samba 4 daemon: samba/usr/sbin/samba: /usr/lib/powerpc-linux-gnu/libwbclient.so.0: no version information available (required by /usr/lib/powerpc-linux-gnu/samba/libauth4.so)

However I find that when I start the service a second time it launches properly.

service samba4 start

Alternative: Provision the domain using samba-tool from the source build

This guide uses the BIND9_DLZ backend to handle DNS for the Domain, so install BIND9:

apt-get install bind9

Then provision the domain interactively (the administrator password is prompted for rather than placed on the command line):

/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
  • Realm: EXAMPLE.COM
  • Domain: EXAMPLE
  • Server Role: dc
  • DNS backend: BIND9_DLZ
  • Administrator password: SuperSecretPassword
  • Retype password: SuperSecretPassword

Copy the Kerberos configuration to /etc:

cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

Then prepare the Samba4 generated BIND configurations:

chgrp bind /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab

Add the following to /etc/bind/named.conf.options. tkey-domain is the Kerberos realm of the domain (it is what the GSS-TSIG keys for dynamic updates are named under); forwarders is your upstream resolver, so replace the example address; allow-query and allow-recursion must list the networks your domain members sit on, and localhost (a built-in BIND ACL matching all of the server's own addresses) covers the queries the DC sends to itself through resolv.conf:

vi /etc/bind/named.conf.options

tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
tkey-domain "EXAMPLE.COM";
auth-nxdomain yes;
forwarders { 192.168.7.252; };
allow-transfer { none; };
notify no;
empty-zones-enable no;

allow-query {
localhost;
192.168.0.0/16;
};
allow-recursion {
localhost;
192.168.0.0/16;
};

And add the following to /etc/bind/named.conf.local:

vi /etc/bind/named.conf.local

include "/usr/local/samba/private/named.conf";

Modify resolv.conf and hosts File

Edit /etc/resolv.conf (the example uses vi):

vi /etc/resolv.conf

The following should be sufficient as long as this system runs only Samba4. The nameserver must be the IP of the Domain Controller container itself, because BIND on the DC is now authoritative for the domain:

domain example.com
nameserver 172.16.200.50

Also check /etc/hosts: the container's fully qualified name (dc-container.example.com) must map to its static address, 172.16.200.50, and not to the 127.0.1.1 entry Debian adds by default, otherwise Samba resolves its own name to the loopback address and registers the wrong address for the DC.

Manage Kerberos

Samba4 has created a krb5.conf to replace the existing configuration file; it looks similar to the following:

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Use the following commands to back up the old file and copy in the generated one (for the Debian package install the generated file is /var/lib/samba/private/krb5.conf instead):

mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

Then open the new krb5.conf and confirm the realm:

vi /etc/krb5.conf

The default_realm line carries the realm you gave at provisioning time; in this tutorial it is EXAMPLE.COM. If it shows anything else, change it to your own realm.

NOTE: The realm MUST be typed in uppercase! Kerberos realm names are case sensitive, and a lowercase realm will not match the principals Samba created.

Setup BIND for use with Active Directory

Samba4 has an internal DNS server, however I would like to use BIND so I can have more control over DNS records. This section is the Debian package counterpart of the BIND setup in the source-build alternative above; only the paths differ (/var/lib/samba/private instead of /usr/local/samba/private).

apt-get install bind9

Once the BIND DNS server is installed, add the following include to the BIND configuration (on Debian it belongs in /etc/bind/named.conf.local, which /etc/bind/named.conf already includes):

include "/var/lib/samba/private/named.conf";

And then modify the options section (/etc/bind/named.conf.options on Debian) to look similar to the following:

...
dnssec-validation auto;

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

auth-nxdomain no; # conform to RFC1035
...

Then start BIND

service bind9 start

Setting up NTP

Kerberos, which is the authentication service used by Samba4, is highly dependent on accurate time: by default a KDC rejects requests whose timestamp is more than five minutes away from its own clock, so a drifting DC locks the whole domain out. Install NTP; the default servers should be fine. I added a local NTP server for redundancy. Keep in mind that an LXC container uses the host kernel's clock and normally lacks the CAP_SYS_TIME capability needed to adjust it, so the synchronisation that actually sets the time has to run on the VPS node; ntpq inside the container can still confirm the result.

apt-get install ntp

And test it:

ntpq -p

Testing Node Authentication

When finished, you should have a working Primary Domain Controller. To test it, request a ticket for the administrator account:

kinit administrator@EXAMPLE.COM

  • Note: You must specify your domain realm in uppercase letters!
  • Note: Depending on your distribution, kinit may just return you to a prompt, however, some distributions may return something like:

Warning: Your password will expire in x days on ...

To verify that Kerberos is working, and that you received a ticket, run:

klist

The output lists the ticket cache, the principal you authenticated as, and the ticket-granting ticket with its validity window, similar to:

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal:

Valid starting       Expires              Service principal
02/10/13 19:39:48    02/11/13 19:39:46

If either kinit or klist do not exist on your system, install the krb5-user package.

You can also test Kerberos from a remote client, but you must first configure the client's krb5.conf and resolv.conf as shown previously.

  • Note: If you are using a client behind NAT then you have to add the following to the krb5.conf on the domain controller:

[kdc]
check-ticket-addresses = false

  • Note: If provision generated a password for you and you forgot it or did not save it, reset it as root with the following (for the source build the tool is /usr/local/samba/bin/samba-tool):
    samba-tool user setpassword administrator
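
A single kinit only proves that the KDC answers; domain members also need the SRV records that point them at the KDC and LDAP server, and the netlogon and sysvol shares that provisioning is supposed to publish. The following script is an added example, not part of the original guide: run on the DC container after provisioning, it resolves the _ldap and _kerberos SRV records through the DC's own BIND, checks that their target resolves to the DC's address, lists the shares anonymously with smbclient, and finishes with a kinit/klist round trip. It assumes the example realm EXAMPLE.COM (override with REALM=), that dnsutils, krb5-user and smbclient are installed, and that resolv.conf already points at the DC itself.

```shell
#!/bin/sh
# Added post-provision checks for the new DC (not from the original guide).
# Assumes the realm EXAMPLE.COM unless REALM is set, and that host (dnsutils),
# kinit/klist (krb5-user) and smbclient are installed on the DC container.
# Usage: sh dc-check.sh run 172.16.200.50
REALM="${REALM:-EXAMPLE.COM}"
DOMAIN_DNS=$(printf '%s' "$REALM" | tr '[:upper:]' '[:lower:]')

# Constructed sample of one "host -t SRV" answer line, used to show the format
# srv_target parses (the trailing dot marks a fully qualified target).
SAMPLE_SRV_ANSWER='_ldap._tcp.example.com has SRV record 0 100 389 addc.example.com.'

# srv_target ANSWER: print the target host of the first SRV record in the
# "host -t SRV" output, without the trailing dot; fail if there is none.
srv_target() {
    printf '%s\n' "$1" | awk '
        /has SRV record/ { sub(/\.$/, "", $NF); print $NF; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# check_srv NAME DC_IP: the SRV record for NAME must exist and its target
# must resolve to DC_IP. Clients locate the KDC and LDAP server through these
# records, so a DC whose SRV records are missing authenticates nobody.
check_srv() {
    name="$1"; expect_ip="$2"
    answer=$(host -t SRV "$name" 2>&1) \
        || { echo "FAIL: $name: $answer" >&2; return 1; }
    target=$(srv_target "$answer") \
        || { echo "FAIL: $name: no SRV record in the answer" >&2; return 1; }
    got_ip=$(host "$target" 2>/dev/null | awk '/has address/ { print $NF; exit }')
    [ "$got_ip" = "$expect_ip" ] \
        || { echo "FAIL: $name -> $target -> '$got_ip', want $expect_ip" >&2; return 1; }
    echo "ok: $name -> $target ($got_ip)"
}

# check_shares: provisioning must have published netlogon and sysvol, and an
# anonymous listing of the DC must show them.
check_shares() {
    listing=$(smbclient -L localhost -U% 2>/dev/null) \
        || { echo "FAIL: smbclient -L localhost failed" >&2; return 1; }
    for share in netlogon sysvol; do
        printf '%s\n' "$listing" | grep -qi "^[[:space:]]*$share[[:space:]]" \
            || { echo "FAIL: share $share not offered" >&2; return 1; }
    done
    echo "ok: netlogon and sysvol shares present"
}

# check_kerberos [PRINCIPAL]: obtain a TGT (kinit prompts for the password,
# so nothing ends up in the process list) and confirm the cache holds a
# krbtgt ticket for the realm.
check_kerberos() {
    principal="${1:-administrator@$REALM}"
    kinit "$principal" || { echo "FAIL: kinit $principal" >&2; return 1; }
    klist 2>/dev/null | grep -q "krbtgt/$REALM@$REALM" \
        || { echo "FAIL: no TGT for $REALM in the ticket cache" >&2; return 1; }
    echo "ok: TGT obtained for $principal"
}

if [ "${1:-}" = run ]; then
    dc_ip="${2:?usage: $0 run DC_IP}"
    rc=0
    check_srv "_ldap._tcp.$DOMAIN_DNS" "$dc_ip" || rc=1
    check_srv "_kerberos._udp.$DOMAIN_DNS" "$dc_ip" || rc=1
    check_srv "_kerberos._tcp.$DOMAIN_DNS" "$dc_ip" || rc=1
    check_shares || rc=1
    check_kerberos || rc=1
    exit $rc
fi
```

Any FAIL line points at the layer that is broken: an SRV failure means BIND is not loading Samba's DLZ zone or resolv.conf points elsewhere, a share failure means the smb service did not start (compare the server services note above), and a kinit failure with working DNS usually means clock skew or a wrong realm case in krb5.conf.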
    

Resources

#1

Updated by Daniel Curtis about 10 years ago

  • Description updated (diff)
#2

Updated by Daniel Curtis about 10 years ago

  • Description updated (diff)
#3

Updated by Daniel Curtis about 10 years ago

  • Description updated (diff)
  • % Done changed from 70 to 90
#4

Updated by Daniel Curtis about 10 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100
#5

Updated by Daniel Curtis about 9 years ago

  • Project changed from 79 to GNU/Linux Administration
  • Subject changed from Installing Samba4 As An Active Directory Domain Controller On Debian In a LXC Container to Installing a Samba4 Active Directory Domain Controller On Debian Using LXC
  • Category set to Domain Controller
