Support #323
Updated by Daniel Curtis almost 12 years ago
This guide is to assist in setting up an Active Directory Domain Controller with Samba4 on a Debian 7 "Wheezy" system inside of a *L*inu*X* *C*ontainer. I am currently using OpenLDAP and Kerberos for centralized authentication and user information, so I already have most of the principles of Active Directory understood. Samba4 ties LDAP, Kerberos, DNS, and Extended Filesystem Attributes together into a system that is a working replica of Active Directory. To add an additional layer of security, I have my VPS environment completely para-virtualized using Linux Containers; however, this also adds an additional step in setting it up.

This guide assumes that a baseline container has been created, has been configured with a static IP address, and has ssh access. This guide also uses the following example hosts:

* *vps-node.example.com*: 192.168.200.10
* *dc-container.example.com*: 172.16.200.50

h2. Install xattr and acl on underlying VPS node

To begin, the filesystem must have *xattr* and *acl* support for samba4 to be installed properly. Since these are filesystem attributes that are set at boot time, they need to be installed and configured on the underlying VPS node, and +not on the Domain Controller container+. To do this, log into the VPS node and drop to root:

<pre>
ssh vps-node.example.com
sudo su
</pre>

Now install *xattr* and *acl*:

<pre>
apt-get install attr docbook-xsl acl python-xattr libblkid1
</pre>

Once these packages are installed, /etc/fstab needs to be modified similar to the following:

> /dev/sda4 / ext4 errors=remount-ro,user_xattr,acl,barrier=1 0 1

The options *user_xattr*, *acl*, and *barrier=1* must be defined. These are for:

* *user_xattr*: Extended attributes are extensions to the normal attributes which are associated with all inodes in the system. They are often used to provide additional functionality to a filesystem; for example, additional security features such as Access Control Lists (ACLs) may be implemented using extended attributes.
* *acl*: Provides an additional, more flexible permission mechanism for file systems.
* *barrier=1*: Ensures that tdb transactions are safe against unexpected power loss.

Now that the *xattr* and *acl* packages are installed and configured on the VPS node, reboot it:

<pre>
reboot
</pre>

That's all that needs to be done there.

h2. Install Samba4 and utilities on the Domain Controller container

Start by logging into the Domain Controller container and dropping to root:

<pre>
ssh addc.example.com
sudo su
</pre>

Then install the samba4 and utility packages:

<pre>
apt-get install samba4 samba4-clients phpldapadmin bind9 libgcrypt11 python-dnspython pkg-config dnsutils attr docbook-xsl acl python-xattr libblkid1 krb5-user
</pre>

When the packages are finished installing, move the default package configuration out of the way; otherwise the initial Active Directory provisioning will fail:

<pre>
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
</pre>

h2. Provision the Active Directory Domain

Now it's time to provision the domain. Make sure to adapt the example command to your domain:

<pre>
/usr/share/samba/setup/provision --realm=example.com --domain=EXAMPLE --adminpass='SuperSecretPassword' --server-role=dc
</pre>

This will generate the required files, databases, and keyfiles for use in your Active Directory; they are usually stored in @/var/lib/samba/@.
It will also generate an @/etc/samba/smb.conf@ configuration file for use, which will look similar to the following:

> # Global parameters
> [global]
> server role = active directory domain controller
> workgroup = EXAMPLE
> realm = example.com
> netbios name = ADDC
> passdb backend = samba4
> server services = +smb -s3fs
>
> [netlogon]
> path = /var/lib/samba/sysvol/example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No

Note: I added the *server services = +smb -s3fs* string due to an error similar to the following:

> Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)

Restart Samba:

<pre>
service samba4 restart
</pre>

I get the following error when restarting, or starting the service for the first time:

<pre>
[....] Starting Samba 4 daemon: samba/usr/sbin/samba: /usr/lib/powerpc-linux-gnu/libwbclient.so.0: no version information available (required by /usr/lib/powerpc-linux-gnu/samba/libauth4.so)
</pre>

However, I find that when I start the service a second time it launches properly.

<pre>
service samba4 start
</pre>

h2. Modify resolv.conf and hosts File

Edit your @resolv.conf@ file in nano:

<pre>
vi /etc/resolv.conf
</pre>

The following info should be sufficient as long as this system is running only Samba4. Make sure the DNS nameserver is the IP of the Domain Controller container.

> domain example.com
> nameserver 172.16.200.15

h2. Manage Kerberos

Samba4 has created a krb5.conf for you to use as a replacement for the existing configuration file, similar to the following:

> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true

Use the following commands to back up the old file and copy the new configuration file:

<pre>
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
</pre>

Now you must edit the new @krb5.conf@ file to include your domain realm info.
<pre>
vi /etc/krb5.conf
</pre>

Modify the "default_realm = SAMDOM.EXAMPLE.COM" line to contain your domain info. In our tutorial it is "EXAMPLE.COM".

NOTE: The domain realm +*MUST* be typed in uppercase+!

h2. Setup BIND for use with Active Directory

Samba4 has an internal DNS server; however, I would like to use BIND so I can have more control over DNS records.

<pre>
apt-get install bind9
</pre>

Once the BIND DNS server is installed, add the following to /etc/bind/named.conf:

> include "/var/lib/samba/private/named.conf";

And then modify /etc/bind/named.conf to look similar to the following:

> ...
> dnssec-validation auto;
>
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>
> auth-nxdomain no; # conform to RFC1035
> ...

Then start BIND:

<pre>
service bind9 start
</pre>

h2. Setting up NTP

Kerberos, which is the authentication service used by Samba4, is highly dependent on accurate time. Install NTP; the default servers should be fine. I added a local NTP server for redundancy.

<pre>
apt-get install ntp
</pre>

And test it:

<pre>
ntpq -p
</pre>

h2. Testing Node Authentication

When finished, you should have a working Primary Domain Controller. To test it, run:

<pre>
kinit administrator@EXAMPLE.COM
</pre>

* Note: You must specify your domain realm in uppercase letters!
* Note: Depending on your distribution, kinit may just return you to a prompt; however, some distributions may return something like:

> Warning: Your password will expire in x days on ...

To verify that Kerberos is working, and that you received a ticket, run:

<pre>
klist
</pre>

> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: administrator@EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 02/10/13 19:39:48    02/11/13 19:39:46    krbtgt/EXAMPLE.COM@EXAMPLE.COM

If either kinit or klist do not exist on your system, then install the @krb5-user@ package.
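The checks this guide relies on (the fstab mount options set on the VPS node, an uppercase @default_realm@ in @krb5.conf@, @resolv.conf@ pointing at the domain controller, and the kinit/klist round trip) collected into one sanity-check script. This is an added example and not part of the original guide; the file paths and the DC address 172.16.200.15 follow the steps above, and @run_all@ is an assumed name for the wrapper.

```shell
#!/bin/sh
# Added sanity check for the steps in this guide (not part of the original page).
# Each check_* function prints a reason on failure and returns 0 (pass) or 1 (fail).
# 1. Root filesystem must carry user_xattr, acl and barrier=1 (set in the VPS
#    node's /etc/fstab; the container sees the same mount).
check_fstab_opts() {   # $1 = fstab path, $2 = mount point (default /)
    mp=${2:-/}
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1")
    [ -n "$opts" ] || { echo "fstab: no entry for $mp" >&2; return 1; }
    for o in user_xattr acl barrier=1; do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "fstab: $o missing on $mp" >&2; return 1 ;;
        esac
    done
}

# 2. default_realm in krb5.conf must be uppercase, or kinit fails.
check_krb5_realm() {   # $1 = krb5.conf path
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$realm" ] || { echo "krb5.conf: no default_realm" >&2; return 1; }
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "krb5.conf: realm '$realm' not uppercase" >&2; return 1; }
}

# 3. resolv.conf must name the domain controller: clients find the KDC
#    through the SRV records that Samba's DNS publishes.
check_resolv_ns() {    # $1 = resolv.conf path, $2 = expected DC address
    awk '$1 == "nameserver" { print $2 }' "$1" | grep -qxF "$2" \
        || { echo "resolv.conf: nameserver $2 not listed" >&2; return 1; }
}

# 4. Live round trip: kinit prompts for the password, then klist must show a
#    krbtgt ticket for the realm (needs krb5-user, as noted above).
check_kinit() {        # $1 = principal, e.g. administrator@EXAMPLE.COM
    realm=${1#*@}
    kinit "$1" || return 1
    klist 2>/dev/null | grep -q "krbtgt/$realm@$realm"
}

# run_all (assumed name) applies the checks to this guide's live files.
run_all() {
    rc=0
    check_fstab_opts /etc/fstab /                  || rc=1
    check_krb5_realm /etc/krb5.conf                || rc=1
    check_resolv_ns /etc/resolv.conf 172.16.200.15 || rc=1
    check_kinit administrator@EXAMPLE.COM          || rc=1
    return $rc
}
if [ "${1:-}" = "--run" ]; then run_all; fi
```

Run it on the DC container as @sh addc-check.sh --run@; the parsing checks work on copied files too, so they can be run before the reboot or from another host.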
You can also test Kerberos from a remote client, but you must first configure the client's @krb5.conf@ and @resolv.conf@ as shown previously.

* Note: If you are using a client behind NAT then you have to add the following to the krb5.conf on the domain controller:

> [kdc]
> check-ticket-addresses = false

* Note: If provision generated a password for you and you forgot it or didn't save it somewhere, you can use the following as root to reset it:

<pre>
samba-tool user setpassword administrator
</pre>

h2. Resources

* https://wiki.samba.org/index.php/Samba
* https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
* https://wiki.samba.org/index.php/Samba_4/OS_Requirements#File_Systems_without_xattr_support
* http://linux-on-a-server.com/samba-4-active-directory-my-first-successfully-test/