Support #323
Updated by Daniel Curtis about 10 years ago
This guide is to assist in setting up an Active Directory Domain Controller with Samba4 on a Debian 7 "Wheezy" system inside of a *L*inu*X* *C*ontainer. I am currently using OpenLDAP and Kerberos for centralized authentication and user information, so I already have most of the principles of Active Directory understood. Samba4 ties LDAP, Kerberos, DNS, and Extended Filesystem Attributes together into a system the is a working replica of Active Directory. To add an additional layer of security, I have my VPS environment completely para-virtualized using Linux Containers; however this also adds an additional step in setting it up. This guide assumes that a baseline container has been created, has been configured with a static IP address, and has ssh access. This guide also uses the following example hosts: * *vps-node.example.com*: 192.168.200.10 * *dc-container.example.com*:172.16.200.50 h2. Install xattr and acl on underlying VPS node To begin, the filesystem must have *xattr* and *acl* support for samba4 to be installed properly. Since these are filesystem attributes that are set at boot time by the kernel directly on a partition, time, they need to be installed and configured on the underlying VPS node, and +not on Domain Controller container+. To do this, log into the VPS node and drop to root: <pre> ssh vps-node.example.com sudo su </pre> Now install *xattr* and *acl*: <pre> apt-get install attr docbook-xsl acl python-xattr libblkid1 </pre> Once these packages are installed, /etc/fstab needs to be modified similar to the following: > /dev/sda4 / ext4 errors=remount-ro,user_xattr,acl,barrier=1 0 1 The options *user_xattr*, *acl*, and *barrier=1* must be defined. These are for: * *user_xattr*: Extended attributes are extensions to the normal attributes which are associated with all nodes in the system. They are often used to provide additional functionality to a filesystem -for example, additional security features such as Access Control Lists (ACLs) may be implemented using extended attributes. * *acl*: Provides an additional, more flexible permission mechanism for file systems. * *barrier=1*: Ensures that tdb transactions are safe against unexpected power loss. Now that the *xattr* and *acl* packages are installed and configured on the VPS node, reboot it: <pre> reboot </pre> Thats all that needs to be done there h2. Install Samba4 and utilities on the Domain Controller container Start by logging into the Domain Controller container and drop to root: <pre> ssh dc-container.example.com addc.example.com sudo su </pre> Then install the samba4 and utility packages: <pre> apt-get install samba4 samba4-clients phpldapadmin bind9 libgcrypt11 python-dnspython pkg-config dnsutils attr docbook-xsl acl python-xattr libblkid1 krb5-user </pre> When the packages are finished installed, move the default package configuration out of the way; otherwise the initial Active Directory provisioning will fail: <pre> mv /etc/samba/smb.conf /etc/samba/smb.conf.orig </pre> h3. *Alternative*: Build from source The default Debian provisioning script does not appear to have the @--use-rfc2307@ option, which is what provisions NIS information in the LDAP directory. One option is to build from source using the latest stable version of Samba4. This can be done in a few time consuming steps. * Download the required dependencies <pre> apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl libpam0g-dev git-core </pre> * Download the latest stable Samba4 using git <pre> cd /usr/local/src git clone -b v4-0-stable git://git.samba.org/samba.git samba-v4-0-stable </pre> * Compile and install Samba4 <pre> cd samba-master ./configure make make install </pre> h2. Provision the Active Directory Domain Now its time to provision the domain. Make sure to replace the example command to your domain: <pre> /usr/share/samba/setup/provision --realm=example.com --domain=EXAMPLE --adminpass='SuperSecretPassword' --server-role=dc </pre> This will generate the required files, databases, and keyfiles for use in your active directory, they are usually stored in @/var/lib/samba/@. It will also generate a @/etc/samba/smb.conf@ configuration file for use, it will look similar to the following: > # Global parameters > [global] > server role = active directory domain controller > workgroup = EXAMPLE > realm = example.com > netbios name = ADDC > passdb backend = samba4 > server services = +smb -s3fs > > [netlogon] > path = /var/lib/samba/sysvol/example.com/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No Note: I added the *server services = +smb -s3fs* string due to an error similar to the following: > Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED) Restart Samba <pre> service samba4 restart </pre> I get the following error when restarting, or starting the service for the first time: [....] Starting Samba 4 daemon: samba/usr/sbin/samba: /usr/lib/powerpc-linux-gnu/libwbclient.so.0: no version information available (required by /usr/lib/powerpc-linux-gnu/samba/libauth4.so) However I find that when I start the service a second time it launches properly. <pre> service samba4 start </pre> h3. Provision domain using the compile source script This guide uses BIND9_DLZ for samba, so install BIND9: <pre> apt-get install bind9 </pre> Then provision the domain: <pre> /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive </pre> * Realm: *EXAMPLE.COM* * Domain: *EXAMPLE* * Server Role: *dc* * DNS backend: *BIND9_DLZ* * Administrator password: *SuperSecretPassword* * Retype password: *SuperSecretPassword* h2. Modify resolv.conf and hosts File Edit your @resolv.conf@ file in nano <pre> vi /etc/resolv.conf </pre> The following info should be sufficient as long as this system is running only Samba4. Make sure the DNS nameserver is the IP of the Domain Controller container. > domain example.com > nameserver 172.16.200.15 h2. Manage Kerberos Samba4 has created a krb5.conf for you to use as a replacement for the existing configuration file similar to the following: > [libdefaults] > default_realm = EXAMPLE.COM > dns_lookup_realm = false > dns_lookup_kdc = true Use the following commands to backup the old file and copy the new configuration file. <pre> mv /etc/krb5.conf /etc/krb5.conf.bak cp /usr/local/samba/private/krb5.conf /etc/krb5.conf </pre> Now you must edit the new @krb5.conf@ file to include your domain realm info. <pre> vi /etc/krb5.conf </pre> Modify the “default_realm = SAMDOM.EXAMPLE.COM” line to contain your domain info. In our tutorial it is “EXAMPLE.COM” NOTE: The domain realm +*MUST* be typed in uppercase+! h2. Setup BIND for use with Active Directory Samba4 has an internal DNS server, however I would like to use BIND so I can have more control over DNS records. <pre> apt-get install bind9 </pre> Once the BIND DNS server is installed add the following to the /etc/bind/named.conf: > include "/var/lib/samba/private/named.conf"; And then modify /etc/bind/named.conf to look similar to the following: > ... > dnssec-validation auto; > > tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; > > auth-nxdomain no; # conform to RFC1035 > ... Then start BIND <pre> service bind9 start </pre> h2. Setting up NTP Kerberos, which is the authentication service used by Samba4, is highly dependent on accurate time. Install NTP and the default servers should be fine, I added a local NTP server for redundancy. <pre> apt-get install ntp </pre> And test it <pre> ntpq -p </pre> h2. Testing Node Authentication When finished, you should have a working Primary Domain Controller. To test it run: kinit administrator@EXAMPLE.COM * Note: You must specify your domain realm in uppercase letters! * Note: Depending on your distribution, kinit may just return you to a prompt, however, some distributions may return something like: > Warning: Your password will expire in x days on ... To verify that Kerberos is working, and that you received a ticket, run: <pre> klist </pre> > Ticket cache: FILE:/tmp/krb5cc_1000 > Default principal: administrator@EXAMPLE.COM > > Valid starting Expires Service principal > 02/10/13 19:39:48 02/11/13 19:39:46 krbtgt/EXAMPLE.COM@EXAMPLE.COM If either kinit or klist do not exist on your system, then install the @krb5-user@ package. You can also test Kerberos form a remote client, but you must first configure the client's @krb5.conf@ and @resolve.conf@ as shown previously. * Note: If you are using a client behind NAT then you have to add the following to the krb5.conf on the domain controller: > [kdc] > check-ticket-addresses = false * Note: If provision generated you a password and you forgot it or didn't get it saved in some way, you can use the following as root to reset it: <pre> samba-tool user setpassword administrator </pre> h2. Resources * https://wiki.samba.org/index.php/Samba * https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO * https://wiki.samba.org/index.php/Samba_4/OS_Requirements#File_Systems_without_xattr_support * http://linux-on-a-server.com/samba-4-active-directory-my-first-successfully-test/