Support #323
Installing a Samba4 Active Directory Domain Controller On Debian Using LXC
Description
- vps-node.example.com: 192.168.200.10
- dc-container.example.com: 172.16.200.50
Install xattr and acl on underlying VPS node
To begin, the filesystem must have xattr and acl support, or Samba4 will not install and provision properly. Because these are mount options that the kernel applies to the partition when it is mounted, and an LXC container shares the host's kernel and filesystem, they must be installed and configured on the underlying VPS node, not inside the Domain Controller container. To do this, log into the VPS node and drop to root:
ssh vps-node.example.com
sudo su
Now install xattr and acl:
apt-get install attr docbook-xsl acl python-xattr libblkid1
Once these packages are installed, /etc/fstab needs to be modified similar to the following:
/dev/sda4 / ext4 errors=remount-ro,user_xattr,acl,barrier=1 0 1
The options user_xattr, acl, and barrier=1 must be defined. These are for:
- user_xattr: Extended attributes are extensions to the normal attributes associated with every inode in the system. They are often used to provide additional functionality to a filesystem; for example, additional security features such as Access Control Lists (ACLs) may be implemented using extended attributes. Samba stores the NT security descriptors of sysvol and its shares in the security.NTACL extended attribute.
- acl: Provides an additional, more flexible permission mechanism for file systems.
- barrier=1: Ensures that tdb transactions are safe against unexpected power loss. Write barriers are already the ext4 default, so this only makes the default explicit.
Now that the xattr and acl packages are installed and configured on the VPS node, reboot it:
reboot
That's all that needs to be done on the VPS node.
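Before provisioning it is worth confirming that the filesystem under the container really honours these options, since a missing xattr or ACL capability shows up later as unexplained sysvol and share permission failures. The script below is an added example, not part of the original page: run as root on the VPS node with the directory holding the container rootfs as its argument (the path /var/lib/lxc and the sample mount lines are assumptions). It parses the mount options, then does the authoritative test, a write-and-read round trip of a user.* attribute, a security.* attribute (the namespace Samba uses for NT ACLs, which the kernel only lets a process holding CAP_SYS_ADMIN write) and a POSIX ACL entry.

```shell
#!/bin/sh
# Added example, not part of the original page: a pre-flight check, run as
# root on the VPS node, that the filesystem holding the container's rootfs
# really supports user_xattr and POSIX ACLs before Samba is provisioned.
# The path argument (e.g. /var/lib/lxc) and the sample mount lines used in
# the tests are assumptions for illustration.

# mount_opts_ok LINE
#   LINE is one line in /proc/mounts or /etc/fstab format; field 4 is the
#   comma-separated option list. Returns 0 when it contains both
#   user_xattr and acl, 1 otherwise (a bare "noacl" does not count as acl).
mount_opts_ok() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    case ",$opts," in
        *,user_xattr,*) ;;
        *) return 1 ;;
    esac
    case ",$opts," in
        *,acl,*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_line_for PATH: prints the /proc/mounts line of the filesystem PATH is on.
mount_line_for() {
    mnt=$(df -P "$1" | awk 'NR == 2 { print $6 }')
    awk -v m="$mnt" '$2 == m' /proc/mounts | tail -n 1
}

# xattr_roundtrip DIR: set and read back a user.* attribute on a temp file.
# This is the authoritative test: on current kernels ext4 turns user_xattr
# and acl on unconditionally and no longer shows them in /proc/mounts, so a
# missing mount option alone is not a failure, but a failed round trip is.
xattr_roundtrip() {
    f=$(mktemp "$1/xattr-probe.XXXXXX") || return 1
    setfattr -n user.samba_probe -v ok "$f" 2>/dev/null || { rm -f "$f"; return 1; }
    got=$(getfattr --only-values -n user.samba_probe "$f" 2>/dev/null)
    rm -f "$f"
    [ "$got" = "ok" ]
}

# ntacl_roundtrip DIR: same for the security.* namespace, where Samba keeps
# its NT ACLs (security.NTACL). Writing there needs CAP_SYS_ADMIN, which is
# the capability a locked-down LXC container most often lacks.
ntacl_roundtrip() {
    f=$(mktemp "$1/ntacl-probe.XXXXXX") || return 1
    setfattr -n security.samba_probe -v ok "$f" 2>/dev/null || { rm -f "$f"; return 1; }
    got=$(getfattr --only-values -n security.samba_probe "$f" 2>/dev/null)
    rm -f "$f"
    [ "$got" = "ok" ]
}

# acl_roundtrip DIR: set a POSIX ACL entry for user nobody and read it back.
acl_roundtrip() {
    f=$(mktemp "$1/acl-probe.XXXXXX") || return 1
    setfacl -m u:nobody:r "$f" 2>/dev/null || { rm -f "$f"; return 1; }
    getfacl -p "$f" 2>/dev/null | grep -q '^user:nobody:r--'
    rc=$?
    rm -f "$f"
    return $rc
}

# check_fs DIR: report mount options, then run the three round trips.
check_fs() {
    line=$(mount_line_for "$1")
    echo "filesystem: $line"
    if mount_opts_ok "$line"; then echo "mount options: user_xattr and acl present"
    else echo "mount options: user_xattr/acl not listed (normal on current ext4)"; fi
    xattr_roundtrip "$1" && echo "user.* xattr: ok"     || { echo "user.* xattr: FAIL"; return 1; }
    ntacl_roundtrip "$1" && echo "security.* xattr: ok" || { echo "security.* xattr: FAIL (needs CAP_SYS_ADMIN)"; return 1; }
    acl_roundtrip "$1"   && echo "POSIX ACL: ok"        || { echo "POSIX ACL: FAIL"; return 1; }
}

# Usage: sh fs-preflight.sh /var/lib/lxc
if [ $# -gt 0 ]; then check_fs "$1"; fi
```

Run it once on the VPS node against the container's rootfs directory and once inside the container against /var/lib/samba (or /usr/local/samba for the source build): the second run is the one that catches a container whose capability set has been reduced.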
Install Samba4 and utilities on the Domain Controller container
Start by logging into the Domain Controller container and drop to root:
ssh dc-container.example.com
sudo su
Then install the samba4 and utility packages:
apt-get install samba4 samba4-clients bind9 libgcrypt11 python-dnspython pkg-config dnsutils attr docbook-xsl acl python-xattr libblkid1 krb5-user
When the packages have finished installing, move the default package configuration out of the way; otherwise the initial Active Directory provisioning will fail:
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
Alternative: Build from source
The provision script shipped in the Debian package does not appear to support the --use-rfc2307 option, which adds the RFC 2307 (NIS) schema attributes such as uidNumber and gidNumber to the directory so that Unix clients can map users and groups. One option is to build the latest stable version of Samba4 from source. This takes a few time-consuming steps.
- Download the required dependencies
apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl libpam0g-dev git-core
- Download the latest stable Samba4 using git. Note that git:// is an unencrypted, unauthenticated transport; if the build host is not on a network you trust, clone over https://git.samba.org/samba.git instead and compare the tree against the GPG-signed release tarball from samba.org.
cd /usr/local/src
git clone -b v4-0-stable git://git.samba.org/samba.git samba-v4-0-stable
- Compile and install Samba4. Change into the directory the clone above created (samba-v4-0-stable); a source build installs under /usr/local/samba by default, which is why the paths in the source-build steps below differ from the package paths.
cd samba-v4-0-stable
./configure
make
make install
Provision the Active Directory Domain
Now it's time to provision the domain. Replace the realm, domain and password in the example command with your own:
/usr/share/samba/setup/provision --realm=example.com --domain=EXAMPLE --adminpass='SuperSecretPassword' --server-role=dc
Passing the password with --adminpass leaves it in the shell history and visible in the process list while provision runs. On a shared host, omit the option: provision then generates a random Administrator password and prints it once (see the note at the end of this page on resetting it if it is lost), or use the interactive provisioning described below. The password must also meet the default Active Directory complexity policy or provisioning is rejected.
This will generate the required files, databases, and keyfiles for your Active Directory; they are usually stored in /var/lib/samba/. The private/ subdirectory holds the domain secrets (the SAM database and the keytabs), so keep it readable by root only. It will also generate an /etc/samba/smb.conf configuration file, which will look similar to the following:
# Global parameters
[global]
	server role = active directory domain controller
	workgroup = EXAMPLE
	realm = example.com
	netbios name = ADDC
	passdb backend = samba4
	server services = +smb -s3fs

[netlogon]
	path = /var/lib/samba/sysvol/example.com/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No
Note: I added the server services = +smb -s3fs line due to an error similar to the following:
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
Restart Samba
service samba4 restart
I get the following error when restarting, or when starting the service for the first time:
[....] Starting Samba 4 daemon: samba
/usr/sbin/samba: /usr/lib/powerpc-linux-gnu/libwbclient.so.0: no version information available (required by /usr/lib/powerpc-linux-gnu/samba/libauth4.so)
However, I find that when I start the service a second time it launches properly.
service samba4 start
Alternative: Provision the domain using the compiled source build
This guide uses the BIND9_DLZ backend to handle DNS for the domain, so install BIND9:
apt-get install bind9
Then provision the domain:
/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
- Realm: EXAMPLE.COM
- Domain: EXAMPLE
- Server Role: dc
- DNS backend: BIND9_DLZ
- Administrator password: SuperSecretPassword
- Retype password: SuperSecretPassword
Copy the Kerberos configuration to /etc:
cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
Then make the Samba4-generated DNS keytab readable by BIND. Only the bind group needs read access; do not make the file world-readable, since it holds the key BIND uses to authenticate dynamic DNS updates:
chgrp bind /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab
Add the following to the options { } block in /etc/bind/named.conf.options. tkey-domain must be your Kerberos realm. The allow-query and allow-recursion ACLs must admit every host that will use this server: BIND's built-in localhost ACL (which matches all of the server's own interface addresses) covers the Domain Controller itself, whose resolv.conf points at 172.16.200.50, and 192.168.0.0/16 covers the clients in this guide, so add any other client networks you have. Replace the forwarder with your upstream resolver:
vi /etc/bind/named.conf.options
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
tkey-domain "EXAMPLE.COM";
auth-nxdomain yes;
forwarders { 192.168.7.252; };
allow-transfer { none; };
notify no;
empty-zones-enable no;
allow-query {
	localhost;
	192.168.0.0/16;
};
allow-recursion {
	localhost;
	192.168.0.0/16;
};
And add the following to /etc/bind/named.conf.local:
vi /etc/bind/named.conf.local
include "/usr/local/samba/private/named.conf";
Modify resolv.conf and hosts File
Edit /etc/resolv.conf:
vi /etc/resolv.conf
The following should be sufficient as long as this system is running only Samba4. The nameserver must be the IP of the Domain Controller container itself (172.16.200.50 in this guide), because the DC locates its own KDC and LDAP service through the SRV records served by the BIND instance it hosts. If resolvconf or a DHCP client manages /etc/resolv.conf it will overwrite this file, so configure the nameserver there instead.
domain example.com
nameserver 172.16.200.50
Manage Kerberos
Samba4 has created a krb5.conf for you to use as a replacement for the existing configuration file; it looks similar to the following. dns_lookup_kdc = true means clients find the KDC through the _kerberos SRV records, which is why DNS has to be working before Kerberos will:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
Use the following commands to back up the old file and copy the new configuration file:
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
Now check that the new krb5.conf contains your domain realm:
vi /etc/krb5.conf
The default_realm line must contain your realm; in this tutorial it is EXAMPLE.COM. Provision writes the realm you supplied into this file, so normally nothing needs changing, but if the line shows anything else, correct it.
NOTE: The domain realm MUST be typed in uppercase!
Setup BIND for use with Active Directory
Samba4 has an internal DNS server; however, I would like to use BIND so I can have more control over DNS records.
apt-get install bind9
Once the BIND DNS server is installed, add the following to /etc/bind/named.conf (on Debian the conventional place is /etc/bind/named.conf.local, which named.conf includes):
include "/var/lib/samba/private/named.conf";
Then modify the options { } block (on Debian, /etc/bind/named.conf.options) to look similar to the following. As in the source-build steps, the bind group needs read access to dns.keytab, and nothing else should be able to read it:
...
dnssec-validation auto;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
auth-nxdomain no; # conform to RFC1035
...
Then start BIND
service bind9 start
Setting up NTP
Kerberos, the authentication service used by Samba4, depends on accurate time: by default a clock skew of more than five minutes between a client and the KDC makes authentication fail. Install NTP; the default servers should be fine. I added a local NTP server for redundancy.
apt-get install ntp
And test it
ntpq -p
Testing Node Authentication
When finished, you should have a working Active Directory Domain Controller. To test it, run:
kinit administrator@EXAMPLE.COM
- Note: You must specify your domain realm in uppercase letters!
- Note: Depending on your distribution, kinit may just return you to a prompt, however, some distributions may return something like:
Warning: Your password will expire in x days on ...
To verify that Kerberos is working, and that you received a ticket, run:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
02/10/13 19:39:48  02/11/13 19:39:46  krbtgt/EXAMPLE.COM@EXAMPLE.COM
If either kinit or klist does not exist on your system, install the krb5-user package.
You can also test Kerberos from a remote client, but you must first configure the client's krb5.conf and resolv.conf as shown previously.
- Note: If you are using a client behind NAT then you have to add the following to the krb5.conf on the domain controller:
[kdc]
check-ticket-addresses = false
- Note: If provision generated you a password and you forgot it or didn't get it saved in some way, you can use the following as root to reset it:
samba-tool user setpassword administrator
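The kinit and klist steps above prove that one principal can authenticate; the script below is an added example (not part of the original page) that checks the rest of what this procedure set up: the SRV records clients use to find the DC, a TGT for administrator with a correctly upper-cased realm, and that BIND's dynamic updates behave as the dns.keytab configuration intends, refusing an unauthenticated update and accepting a GSS-TSIG one. The realm, names and DC address are those used on this page (EXAMPLE.COM, 172.16.200.50); the test record name smoketest and the tool output fed to the parsers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original page: a smoke test for the new
# Domain Controller. Run on the DC after provisioning with "--live"; without
# that flag it only defines the helpers, so the parsers can be exercised on
# constructed tool output. Realm, domain and DC address follow the page.

REALM=EXAMPLE.COM              # Kerberos realm (must be upper case)
DC_IP=172.16.200.50            # Domain Controller container (from the host list)
DOMAIN_DNS=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')   # example.com
TEST_NAME="smoketest.$DOMAIN_DNS"                     # constructed test record

# srv_targets: read `dig +short SRV` output on stdin ("prio weight port host.")
# and print each target host without its trailing dot.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# klist_principal: read MIT `klist` output on stdin, print the default principal.
klist_principal() {
    awk -F': ' '/^Default principal:/ { print $2; exit }'
}

# realm_is_upper PRINCIPAL: 0 when the principal carries a realm and that realm
# is all upper case, which is what kinit against the Samba KDC requires.
realm_is_upper() {
    case "$1" in *@*) ;; *) return 1 ;; esac
    r=${1##*@}
    [ "$r" = "$(printf '%s' "$r" | tr 'a-z' 'A-Z')" ]
}

# nsupdate_refused: read nsupdate output on stdin; 0 when the server answered
# REFUSED, the expected result for an update without GSS-TSIG.
nsupdate_refused() {
    grep -q 'REFUSED'
}

# update_script ACTION: print an nsupdate script that adds or deletes the
# constructed A record, so the same text is sent with and without -g.
update_script() {
    printf 'server %s\nupdate %s %s 300 A 10.0.0.1\nsend\n' "$DC_IP" "$1" "$TEST_NAME"
}

live_checks() {
    echo "SRV records served by $DC_IP:"
    for s in _ldap._tcp _kerberos._udp _kerberos._tcp; do
        t=$(dig +short @"$DC_IP" SRV "$s.$DOMAIN_DNS" | srv_targets)
        [ -n "$t" ] || { echo "  missing $s.$DOMAIN_DNS"; return 1; }
        echo "  $s.$DOMAIN_DNS -> $t"
    done

    echo "Kerberos TGT for administrator@$REALM:"
    kinit "administrator@$REALM" || return 1
    p=$(klist | klist_principal)
    realm_is_upper "$p" || { echo "  unexpected principal: $p"; return 1; }
    echo "  $p"

    echo "Unauthenticated dynamic update (must be refused):"
    update_script add | nsupdate 2>&1 | nsupdate_refused \
        || { echo "  anonymous update was accepted!"; return 1; }
    echo "  refused"

    echo "GSS-TSIG dynamic update as administrator (must succeed):"
    update_script add | nsupdate -g || return 1
    dig +short @"$DC_IP" A "$TEST_NAME" | grep -q '^10\.0\.0\.1$' || return 1
    update_script delete | nsupdate -g        # remove the test record again
    echo "  ok"
}

# Usage (on the DC, after provisioning): sh dc-smoketest.sh --live
if [ "${1:-}" = "--live" ]; then live_checks; fi
```

The unauthenticated update is the check worth keeping: if it is ever accepted, BIND is no longer enforcing Samba's update policy and any host on the network can rewrite the domain's records. Samba's own samba_dnsupdate --verbose exercises the same GSS-TSIG path from the DC's side.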