Support #323

Updated by Daniel Curtis almost 11 years ago

This guide is to assist in setting up an Active Directory Domain Controller with Samba4 on a Debian 7 "Wheezy" system inside of a Linux Container (LXC). I am currently using OpenLDAP and Kerberos for centralized authentication and user information, so I already understand most of the principles behind Active Directory. Samba4 ties LDAP, Kerberos, DNS, and extended filesystem attributes together into a system that is a working replica of Active Directory. To add an additional layer of isolation, my VPS environment runs entirely in Linux Containers (OS-level virtualization: every container shares the host's kernel); however this also adds an additional step in setting it up. This guide assumes that a baseline container has been created, has been configured with a static IP address, and has ssh access. This guide also uses the following example hosts: 
 * *vps-node.example.com*: 192.168.200.10 (the LXC host) 
 * *dc-container.example.com*: 172.16.200.50 (the Domain Controller container) 

 h2. Install xattr and acl on underlying VPS node 

 To begin, the filesystem must have *xattr* and *acl* support for samba4 to be installed properly. A container has no kernel or block devices of its own: its root filesystem lives on a partition that the VPS node's kernel mounts, so the mount options that enable these features must be configured on the underlying VPS node, and +not in the Domain Controller container+. To do this, log into the VPS node and drop to root: 
 <pre> 
 ssh vps-node.example.com 
 sudo su 
 </pre> 

 Now install *xattr* and *acl*: 
 <pre> 
 apt-get install attr docbook-xsl acl python-xattr libblkid1 
 </pre> 

 Once these packages are installed, /etc/fstab needs to be modified similar to the following, on whichever partition actually holds the container's root filesystem (here /dev/sda4 mounted at /): 
 > /dev/sda4 /                 ext4      errors=remount-ro,user_xattr,acl,barrier=1    0         1 
 The options *user_xattr*, *acl*, and *barrier=1* must be defined. These are for: 
 * *user_xattr*: Extended attributes are name/value pairs attached to inodes beyond the normal attributes. They are often used to provide additional functionality to a filesystem; for example, additional security features such as Access Control Lists (ACLs) may be implemented using extended attributes. Samba4 stores the NT security descriptors of files in them. 
 * *acl*: Provides an additional, more flexible permission mechanism for file systems (POSIX ACLs), which Samba4 needs to map Windows ACLs onto sysvol. 
 * *barrier=1*: Enables write barriers in the ext4 journal, which keeps Samba's tdb transactions safe against unexpected power loss. 

 Now that the *xattr* and *acl* packages are installed and the mount options are configured on the VPS node, reboot it so the root filesystem is remounted with the new options: 
 <pre> 
 reboot 
 </pre> 
 
 That's all that needs to be done on the VPS node. 
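 Before moving on it is worth proving that the options actually took effect, since the container inherits whatever the node's kernel mounted. The following script is an added example, not part of the original guide: it checks the option field of a mount-table entry and then sets and reads back a user xattr and a POSIX ACL on a temporary file. The mount-point argument, the @user.samba_test@ attribute name and the @nobody@ ACL entry are the script's own choices. 

```shell
#!/bin/sh
# check_fs_support.sh: added example, not from the original guide.
# Confirms a mounted filesystem carries the options Samba4 needs
# (user_xattr, acl, barrier=1) and that xattrs and ACLs really work there.
# Run on the VPS node, not inside the container:  sh check_fs_support.sh --check /

REQUIRED_OPTS="user_xattr acl barrier=1"

# has_opts OPTSTRING OPT...: succeeds only if every OPT appears as a whole
# comma-separated element of OPTSTRING (so "nouser_xattr" never matches).
has_opts() {
    opts=",$1,"
    shift
    for want in "$@"; do
        case "$opts" in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# mount_opts MOUNTPOINT [TABLE]: print the options field of the last entry
# for MOUNTPOINT in a fstab/mtab-style table (default: /proc/mounts).
# Fails, printing nothing, when there is no such entry.
mount_opts() {
    awk -v mp="$1" '
        $1 !~ /^#/ && $2 == mp { opts = $4; found = 1 }
        END { if (found) print opts; exit !found }' "${2:-/proc/mounts}"
}

# live_check DIR: set and read back a user xattr and a POSIX ACL on a
# temporary file under DIR (needs the attr and acl packages installed).
live_check() {
    f=$(mktemp "$1/.samba-fscheck.XXXXXX") || return 1
    ok=0
    if setfattr -n user.samba_test -v ok "$f" 2>/dev/null \
       && [ "$(getfattr -n user.samba_test --only-values "$f" 2>/dev/null)" = ok ] \
       && setfacl -m u:nobody:r "$f" 2>/dev/null \
       && getfacl "$f" 2>/dev/null | grep -q '^user:nobody:r--'; then
        ok=1
    fi
    rm -f "$f"
    [ "$ok" -eq 1 ]
}

main() {
    mp=${1:-/}
    if ! opts=$(mount_opts "$mp"); then
        echo "$mp: no entry in /proc/mounts" >&2
        return 2
    fi
    if has_opts "$opts" $REQUIRED_OPTS; then
        echo "$mp: mount options ok ($opts)"
    else
        # Newer kernels do not echo default options here, so this is advisory.
        echo "$mp: expected $REQUIRED_OPTS in /proc/mounts, have: $opts" >&2
    fi
    if live_check "$mp"; then
        echo "$mp: xattr and ACL set/read back ok"
    else
        echo "$mp: xattr or ACL test FAILED" >&2
        return 1
    fi
}

case "${1:-}" in
    --check) main "${2:-/}" ;;
esac
```

 Run it as root on the node with @sh check_fs_support.sh --check /@ (or the mount point of the container's rootfs if that is a separate filesystem). Newer kernels no longer echo options that are already ext4 defaults, such as acl or barrier, in /proc/mounts, so treat the option comparison as advisory and the set/read-back test as the real answer; @tune2fs -l /dev/sda4@ lists the options the superblock enables by default. 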

 h2. Install Samba4 and utilities on the Domain Controller container 

 Start by logging into the Domain Controller container and drop to root: 
 <pre> 
 ssh dc-container.example.com 
 sudo su 
 </pre> 

 Then install the samba4 and utility packages: 
 <pre> 
 apt-get install samba4 samba4-clients phpldapadmin bind9 libgcrypt11 python-dnspython pkg-config dnsutils attr docbook-xsl acl python-xattr libblkid1 krb5-user 
 </pre> 

 When the packages have finished installing, move the default package configuration out of the way; otherwise the initial Active Directory provisioning will fail: 
 <pre> 
 mv /etc/samba/smb.conf /etc/samba/smb.conf.orig 
 </pre> 

 h3. *Alternative*: Build from source 

 The default Debian provisioning script does not appear to have the @--use-rfc2307@ option, which is what provisions NIS information in the LDAP directory. One option is to build from source using the latest stable version of Samba4. This can be done in a few time consuming steps. 

 * Download the required dependencies 
 <pre> 
 apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl libpam0g-dev git-core 
 </pre> 

 * Download the latest stable Samba4 using git. Clone over https rather than the unauthenticated git:// transport so the source cannot be tampered with in transit (the GPG-signed release tarballs on samba.org are the other option): 
 <pre> 
 cd /usr/local/src 
 git clone -b v4-0-stable https://git.samba.org/samba.git samba-v4-0-stable 
 </pre>  

 * Compile and install Samba4 (the default prefix is @/usr/local/samba@, which is where the later steps look for @samba-tool@): 
 <pre> 
 cd samba-v4-0-stable 
 ./configure  
 make 
 make install 
 </pre> 

 h2. Provision the Active Directory Domain 

 Now it's time to provision the domain. Make sure to replace the example values with your own. Be aware that a password passed on the command line lands in the shell history and is visible to every local user in @ps@ while the script runs; if you do it this way, reset the password afterwards with @samba-tool user setpassword administrator@, which prompts for it instead. 
 <pre> 
 /usr/share/samba/setup/provision --realm=example.com --domain=EXAMPLE --adminpass='SuperSecretPassword' --server-role=dc 
 </pre> 
 This will generate the required files, databases, and key files for use in your Active Directory; they are usually stored in @/var/lib/samba/@. It will also generate a @/etc/samba/smb.conf@ configuration file, which will look similar to the following: 
 > # Global parameters 
 > [global] 
 >  	 server role = active directory domain controller 
 >  	 workgroup = EXAMPLE 
 >  	 realm = example.com 
 >  	 netbios name = ADDC 
 >  	 passdb backend = samba4 
 >  	 server services = +smb -s3fs 
 >  
 > [netlogon] 
 >  	 path = /var/lib/samba/sysvol/example.com/scripts 
 >  	 read only = No 
 >  
 > [sysvol] 
 >  	 path = /var/lib/samba/sysvol 
 >  	 read only = No 

 Note: I added the *server services = +smb -s3fs* line due to an error similar to the following: 
 > Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED) 
 
 Restart Samba: 
 <pre> 
 service samba4 restart 
 </pre> 

 I get the following error when restarting, or starting the service for the first time: 
 <pre> 
 [....] Starting Samba 4 daemon: samba/usr/sbin/samba: /usr/lib/powerpc-linux-gnu/libwbclient.so.0: no version information available (required by /usr/lib/powerpc-linux-gnu/samba/libauth4.so) 
 </pre> 
 
 However I find that when I start the service a second time it launches properly: 
 <pre> 
 service samba4 start 
 </pre> 

 h3. Provision the domain using samba-tool from the source build 
 
 This guide uses the BIND9_DLZ DNS backend for Samba, so install BIND9 first: 
 <pre> 
 apt-get install bind9 
 </pre> 

 Then provision the domain: 
 <pre> 
 /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive 
 </pre> 
 * Realm: *EXAMPLE.COM* 
 * Domain: *EXAMPLE* 
 * Server Role: *dc* 
 * DNS backend: *BIND9_DLZ* 
 * Administrator password: *SuperSecretPassword* 
 * Retype password: *SuperSecretPassword* 
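 The interactive run above keeps the Administrator password out of the shell history. The wrapper below, added here as an example that is neither part of the original guide nor a Samba tool, goes one step further: it validates the realm and NetBIOS name before touching anything, lets samba-tool generate a random password (it does that when @--adminpass@ is omitted, printing it once), captures that output in a root-only file, and then sets the real password through the interactive @samba-tool user setpassword@ prompt so it never appears in argv. The regular expressions, the @SAMBA_TOOL@ and @DNS_BACKEND@ variables and the log file location are the script's own choices; point @SAMBA_TOOL@ at the packaged @samba-tool@ if you did not build from source. 

```shell
#!/bin/sh
# provision_dc.sh: added example, not part of the original guide or of Samba.
# Validates the realm and NetBIOS name, then provisions the domain without
# ever putting the Administrator password on a command line.
# Usage (as root on the DC container):  sh provision_dc.sh EXAMPLE.COM EXAMPLE
SAMBA_TOOL=${SAMBA_TOOL:-/usr/local/samba/bin/samba-tool}
DNS_BACKEND=${DNS_BACKEND:-BIND9_DLZ}

# valid_realm REALM: Kerberos realms are case-sensitive and Samba expects the
# DNS form in upper case; insist on at least two labels, because single-label
# AD domains cause DNS and Kerberos trouble.
valid_realm() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z0-9]([A-Z0-9-]*[A-Z0-9])?(\.[A-Z0-9]([A-Z0-9-]*[A-Z0-9])?)+$'
}

# valid_netbios NAME: NetBIOS domain names are limited to 15 characters; this
# check (the script's own rule) further restricts them to A-Z, 0-9 and '-'.
valid_netbios() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z0-9][A-Z0-9-]{0,14}$'
}

# netbios_matches_realm NAME REALM: true when NAME is the first DNS label of
# REALM, the convention the provisioning tools default to (warning only).
netbios_matches_realm() {
    [ "$1" = "${2%%.*}" ]
}

provision_domain() {
    realm=$1
    domain=$2
    valid_realm "$realm"    || { echo "bad realm '$realm' (use e.g. EXAMPLE.COM)" >&2; return 1; }
    valid_netbios "$domain" || { echo "bad NetBIOS domain '$domain' (max 15 chars)" >&2; return 1; }
    netbios_matches_realm "$domain" "$realm" \
        || echo "warning: '$domain' is not the first label of '$realm'" >&2
    [ -x "$SAMBA_TOOL" ] || { echo "$SAMBA_TOOL not found or not executable" >&2; return 1; }

    # Without --adminpass samba-tool generates a random Administrator password
    # and prints it once; keep that output in a root-only file, not on a
    # shared terminal or in a world-readable log.
    log=$(mktemp /root/provision.XXXXXX) && chmod 600 "$log" || return 1
    "$SAMBA_TOOL" domain provision --use-rfc2307 --realm="$realm" --domain="$domain" \
        --server-role=dc --dns-backend="$DNS_BACKEND" >"$log" 2>&1 \
        || { echo "provision failed, see $log" >&2; return 1; }

    # Replace the generated password with one typed at the prompt (never argv).
    "$SAMBA_TOOL" user setpassword administrator
    echo "provisioned $realm ($domain); provisioning output kept in $log"
}

if [ $# -ge 2 ]; then
    provision_domain "$1" "$2"
fi
```

 The validation is deliberately stricter than samba-tool itself: it refuses lower-case realms, which would otherwise be silently upper-cased, and mismatched NetBIOS names only produce a warning because they are legal, just unusual. 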

 h2. Modify resolv.conf and hosts File 
 
 Edit your @resolv.conf@ file in your editor of choice: 
 <pre> 
 vi /etc/resolv.conf 
 </pre> 
 
 The following info should be sufficient as long as this system is running only Samba4. Make sure the DNS nameserver is the IP of the Domain Controller container itself (172.16.200.50 in this guide): the DC has to resolve its own SRV records through the Samba-backed DNS, and pointing it at an outside resolver breaks Kerberos KDC discovery. 
 > domain example.com 
 > nameserver 172.16.200.50 
 
 Also check that @/etc/hosts@ maps the container's fully qualified name (dc-container.example.com) and its short name to the static address 172.16.200.50 rather than to the Debian default of 127.0.1.1, because the provisioning step derives the DC's own DNS records from the hostname. 

 h2. Manage Kerberos 
 
 Samba4 has created a krb5.conf for you to use as a replacement for the existing configuration file, similar to the following: 
 > [libdefaults] 
 >  	 default_realm = EXAMPLE.COM 
 >  	 dns_lookup_realm = false 
 >  	 dns_lookup_kdc = true 
 
 Use the following commands to back up the old file and copy the new configuration file into place (for the Debian package the generated file is under @/var/lib/samba/private/@ instead of @/usr/local/samba/private/@): 
 <pre> 
 mv /etc/krb5.conf /etc/krb5.conf.bak 
 cp /usr/local/samba/private/krb5.conf /etc/krb5.conf 
 </pre> 
 
 Now open the new @krb5.conf@ file and confirm it carries your realm: 
 <pre> 
 vi /etc/krb5.conf 
 </pre> 
 
 The generated file already contains the realm you gave at provisioning time; if you instead copied a template such as the one on the Samba wiki, change its “default_realm = SAMDOM.EXAMPLE.COM” line to your realm, which in this tutorial is “EXAMPLE.COM”. With @dns_lookup_kdc = true@ the KDC is located through the @_kerberos._udp@ SRV records, which is why @resolv.conf@ has to point at the DC. 
 
 NOTE: The domain realm +*MUST* be typed in uppercase+! 

 h2. Setup BIND for use with Active Directory 
 
 Samba4 has an internal DNS server, however I would like to use BIND so I can have more control over DNS records.  
 <pre> 
 apt-get install bind9 
 </pre> 
 
 Once the BIND DNS server is installed, add the following to /etc/bind/named.conf so that named loads Samba's DLZ module and zone configuration (for a source build the file is /usr/local/samba/private/named.conf): 
 > include "/var/lib/samba/private/named.conf"; 
 
 Then add the GSS-TSIG keytab inside the @options { }@ block, which on Debian lives in /etc/bind/named.conf.options, so that the DC and domain members can perform authenticated dynamic updates: 
 >         ... 
 >  	 dnssec-validation auto; 
 >  
 >  	 tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; 
 >  
 >  	 auth-nxdomain no;      # conform to RFC1035 
 >         ... 
 
 named runs as the @bind@ user, so it must be able to read that keytab and the @dns@ directory under @private/@ that the included file refers to. Grant that with group ownership and group read permission rather than making the files world-readable: the keytab is the credential of the DC's DNS account. Also open the included @named.conf@ and make sure the @dlopen@ line that is uncommented matches your installed BIND version. 
 
 Then start BIND: 
 <pre> 
 service bind9 start 
 </pre> 

 h2. Setting up NTP 
 
 Kerberos, which is the authentication service used by Samba4, is highly dependent on accurate time: by default a clock skew of more than five minutes between a client and the KDC makes authentication fail. Install NTP; the default pool servers should be fine, and I added a local NTP server for redundancy. Because an LXC container shares the host kernel's clock, ntpd inside the container can only discipline the clock if the container keeps CAP_SYS_TIME, so make sure NTP also runs on the VPS node. 
 <pre> 
 apt-get install ntp 
 </pre> 
 
 And test it: 
 <pre> 
 ntpq -p 
 </pre> 
 The peer marked with @*@ in the first column is the one the clock is synchronised to; the @offset@ column is in milliseconds and should be well under a second. 

 h2. Testing Node Authentication 
 
 When finished, you should have a working Active Directory Domain Controller. To test it run: 
 <pre> 
 kinit administrator@EXAMPLE.COM 
 </pre> 

 * Note: You must specify your domain realm in uppercase letters!  
 * Note: Depending on your distribution, kinit may just return you to a prompt, however, some distributions may return something like: 
 > Warning: Your password will expire in x days on ...  

 To verify that Kerberos is working, and that you received a ticket, run: 
 <pre> 
 klist 
 </pre> 
 > Ticket cache: FILE:/tmp/krb5cc_1000 
 > Default principal: administrator@EXAMPLE.COM 
 >  
 > Valid starting       Expires              Service principal 
 > 02/10/13 19:39:48    02/11/13 19:39:46    krbtgt/EXAMPLE.COM@EXAMPLE.COM 

 If either kinit or klist does not exist on your system, install the @krb5-user@ package. 
 
 You can also test Kerberos from a remote client, but you must first configure the client's @krb5.conf@ and @resolv.conf@ as shown previously. 
 
 * Note: If you are using a client behind NAT then you have to add the following to the krb5.conf on the domain controller. This tells the KDC to stop checking that a ticket is presented from the address it was issued to, which removes a (weak) safeguard against replaying a stolen ticket from another host, so only do it if you actually have NAT clients: 
 > [kdc] 
 > check-ticket-addresses = false 
 
 * Note: If provisioning generated a password for you and you forgot it or didn't save it, you can reset it as root on the DC; the command prompts for the new password rather than taking it on the command line: 
 <pre> 
 samba-tool user setpassword administrator 
 </pre> 
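 The manual kinit/klist check above, the @ntpq -p@ check from the NTP section, and the SRV records that BIND should now be serving can be wrapped into one smoke test. The script below is added here as an example and is neither part of the original guide nor a Samba tool: it parses @ntpq -p@ output for the selected peer's offset (the 1000 ms threshold is the script's own choice, far inside Kerberos's default 300 s tolerance), resolves the SRV records a domain member looks up, and obtains a TGT with kinit, which prompts for the password. Realm and user are arguments; the peer names in the sample @ntpq@ output are constructed. 

```shell
#!/bin/sh
# dc_smoke_test.sh: added example, not part of the original guide or of Samba.
# Post-provision checks for a Samba4 AD DC: clock offset, AD SRV records and
# a Kerberos login.   Usage on the DC:  sh dc_smoke_test.sh EXAMPLE.COM administrator

# Kerberos rejects requests when clocks differ by more than 300 s (clockskew);
# we want to be nowhere near that, so the script's own threshold is 1 s.
MAX_OFFSET_MS=1000

# ntp_offset_ok NTPQ_OUTPUT [MAX_MS]: succeeds if the output of "ntpq -p"
# contains a selected peer (line starting with '*') whose absolute offset
# (column 9, milliseconds) is at most MAX_MS. Fails when nothing is selected.
ntp_offset_ok() {
    printf '%s\n' "$1" | awk -v max="${2:-$MAX_OFFSET_MS}" '
        /^\*/ { off = $9; if (off < 0) off = -off; found = 1; ok = (off <= max) }
        END   { exit !(found && ok) }'
}

# srv_records_ok REALM: the SRV records a domain member needs to find the
# LDAP, Kerberos and password-change services must resolve through the
# nameserver in /etc/resolv.conf, i.e. through this DC's BIND instance.
srv_records_ok() {
    zone=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    rc=0
    for svc in _ldap._tcp _kerberos._udp _kerberos._tcp _kpasswd._udp _ldap._tcp.dc._msdcs; do
        if host -t SRV "$svc.$zone" >/dev/null 2>&1; then
            echo "ok   SRV $svc.$zone"
        else
            echo "FAIL SRV $svc.$zone" >&2
            rc=1
        fi
    done
    return $rc
}

# kerberos_ok REALM USER: get a TGT (kinit prompts for the password, so it
# never appears in argv) and confirm a krbtgt ticket landed in the cache.
kerberos_ok() {
    krealm=$(printf '%s' "$1" | tr 'a-z' 'A-Z')   # realms must be upper case
    kinit "$2@$krealm" || return 1
    klist | grep -q "krbtgt/$krealm@$krealm"
}

main() {
    want_realm=$1
    want_user=${2:-administrator}
    rc=0
    if ntp_offset_ok "$(ntpq -p 2>/dev/null)"; then
        echo "ok   NTP: selected peer within ${MAX_OFFSET_MS} ms"
    else
        echo "FAIL NTP: no selected peer or offset above ${MAX_OFFSET_MS} ms" >&2
        rc=1
    fi
    srv_records_ok "$want_realm" || rc=1
    if kerberos_ok "$want_realm" "$want_user"; then
        echo "ok   Kerberos TGT obtained for $want_user@$want_realm"
    else
        echo "FAIL Kerberos: no TGT for $want_user@$want_realm" >&2
        rc=1
    fi
    return $rc
}

if [ $# -ge 1 ]; then
    main "$@"
fi
```

 Run it on the DC after BIND and Samba are up; a failing SRV check almost always means @resolv.conf@ is not pointing at the DC or named could not read the DLZ files, and a failing NTP check with a correct peer list usually means the container lacks the capability to set the clock and the node is the one that needs syncing. 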

 h2. Resources 

 * https://wiki.samba.org/index.php/Samba 
 * https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO 
 * https://wiki.samba.org/index.php/Samba_4/OS_Requirements#File_Systems_without_xattr_support 
 * http://linux-on-a-server.com/samba-4-active-directory-my-first-successfully-test/ 
