Samba As Domain Controller

From The Opensource Knowledgebase
Latest revision as of 09:16, 27 April 2023

Setup Details
hostname: infrabase1
Network: 10.1.65.0/24
IP Address : 10.1.65.11
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar

VM: atezworldad1
Network: 10.1.65.0/24
IP Address : 10.1.65.109
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar

User PC Details
PC type: Desktop
OS: Ubuntu Desktop
IP Address: 10.1.65.160

Before you proceed

The domain used here is atez.world. It is used only for demonstration; use a domain you own when you configure your own Active Directory domain. This installation uses Ubuntu 22.04 server and the samba packages from the repository provided and maintained by Canonical, so that vulnerability fixes released for samba arrive as Canonical-tested package updates that are generally safe to apply. Samba can also be compiled from source, but then every patch or fix means recompiling and redeploying it yourself.

Introduction

  • We shall be creating an Active Directory domain named atez.world
  • We shall be enabling TLS by default, so that clients can connect to AD over LDAPS on port 636 instead of plain LDAP on port 389
  • We shall be using a self-signed TLS certificate, so every client that validates certificates must be told to trust it explicitly

Pre-requisites installation

  • Log into the server and run the commands below. systemd-resolved is stopped and disabled because the DC will run Samba's internal DNS server, which must own name resolution for the domain, and /etc/resolv.conf has to become a plain file rather than the symlink into /run/systemd/resolve that resolved maintains
ssh kedar@10.1.65.109
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
  • Add a temporary public nameserver to resolv.conf; it is replaced by the DC's own address once Samba is running
sudo unlink /etc/resolv.conf
sudo nano /etc/resolv.conf
nameserver 8.8.8.8
  • Install & configure chrony as the NTP client. Kerberos rejects requests from hosts whose clock is more than five minutes away from the KDC, so the DC and everything that joins it must keep accurate time
  • Install
sudo apt install chrony
  • Configure by editing the file /etc/chrony/chrony.conf
pool ntp.ubuntu.com        iburst maxsources 4
pool 0.in.pool.ntp.org iburst maxsources 1
pool 1.in.pool.ntp.org iburst maxsources 1
pool 2.in.pool.ntp.org iburst maxsources 2
  • Restart & check that chrony is synchronised (the tracking output should show "Leap status : Normal" and a small system time offset)
sudo systemctl restart chrony
sudo systemctl status chrony
sudo chronyc tracking
  • Update the system and set the timezone
sudo apt update && sudo apt upgrade -y
sudo timedatectl set-timezone Asia/Kolkata

Install samba and utils

sudo apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind net-tools openssl

During installation krb5-config prompts for the default Kerberos realm, the Kerberos servers for the realm and the administrative server. Enter ATEZ.WORLD at all three prompts (whatever domain you use, the realm must be entered in upper case). Then stop and disable the services the packages start, and move the default smb.conf aside so that samba-tool can write a fresh one:

sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo mv /etc/samba/smb.conf /etc/samba/smb.bak

Provisioning the domain controller

sudo samba-tool domain provision --use-rfc2307 --interactive

The interactive prompts ask for the realm (ATEZ.WORLD), the NetBIOS domain name (ATEZ), the server role (dc), the DNS backend (SAMBA_INTERNAL), the DNS forwarder address and the Administrator password. --use-rfc2307 adds the RFC2307 attributes (uidNumber, gidNumber, loginShell, unixHomeDirectory) to the schema so that winbind can map domain users to POSIX accounts. Replace the generated /etc/samba/smb.conf with the content below:

# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = ATEZWORLDAD1
        realm = ATEZ.WORLD
        server role = active directory domain controller
        workgroup = ATEZ
        idmap_ldb:use rfc2307 = yes

        server role check:inhibit = yes
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

        # On a DC the default is "mandatory"; "auto" lets a client negotiate an
        # unsigned SMB session, which exposes it to relay and tampering.
        server signing = auto
        dsdb:schema update allowed = yes
        # The default "yes" rejects simple (cleartext) binds unless they are
        # wrapped in TLS. "no" accepts them on ldap:// port 389 as well; keep
        # it only while a legacy client cannot use LDAPS, then remove it.
        ldap server require strong auth = no
        drs:max object sync = 1200

        rpc server dynamic port range = 49152-65535
        #interfaces = lo,eth0
        #bind interfaces only = yes

        map to guest = Bad User
        # auth_json_audit writes one JSON record per authentication attempt
        # (status, client address, account, password type) to the named file
        log level = 3 auth_json_audit:5@/var/log/samba/samba_audit.log
        log file = /var/log/samba/samba.log
        max log size = 100000

        #lanman auth = yes
        # The default is "ntlmv2-only"; "yes" re-enables NTLMv1, whose
        # responses can be cracked offline. Prefer Kerberos, then NTLMv2.
        ntlm auth = yes

        # Also stores crypt(3) hashes of each password (in supplementalCredentials)
        # for PAM/NSS use; it is one more offline-crackable representation of
        # the password that the DC now holds.
        password hash userPassword schemes = CryptSHA256 CryptSHA512

        # Paths are relative to the private dir (/var/lib/samba/private);
        # "tls cafile" stays empty for a self-signed certificate
        tls enabled = yes
        tls keyfile = tls/atezworldkey.pem
        tls certfile = tls/atezworldcert.pem
        tls cafile =
        
        # sysvol write log
        full_audit:failure = none
        full_audit:success = pwrite write renameat unlinkat
        full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
        full_audit:facility = local7
        full_audit:priority = NOTICE

        # disable null session
        restrict anonymous = 2

        # disable printing services
        printcap name = /dev/null
        load printers = no
        disable spoolss = yes
        printing = bsd

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit

[netlogon]
        path = /var/lib/samba/sysvol/atez.world/scripts
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit
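
The smb.conf above relaxes three settings below Samba's own defaults for a DC (server signing, ntlm auth, ldap server require strong auth). As an added example, not from the original page and not part of Samba, the POSIX shell script below reads an smb.conf the way smbd does (the last uncommented value of a key wins) and reports the settings that are weaker than Samba's documented DC defaults. The two sample configurations embedded in it are constructed from this page's [global] section; the audit function can be pointed at /etc/samba/smb.conf on the real DC.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an smb.conf for
# settings that this howto leaves weaker than Samba's own defaults on an
# AD DC.  Samba documents the DC defaults as "server signing = default"
# (mandatory on a DC), "ntlm auth = ntlmv2-only",
# "ldap server require strong auth = yes" and "lanman auth = no".

# Constructed sample: the relevant lines from this page's [global] section.
SAMPLE_SMB_CONF='[global]
        realm = ATEZ.WORLD
        server role = active directory domain controller
        server signing = auto
        ldap server require strong auth = no
        ntlm auth = yes
        #lanman auth = yes
        restrict anonymous = 2
        log level = 3 auth_json_audit:5@/var/log/samba/samba_audit.log
'

# Constructed sample: the same section with the defaults restored.
HARDENED_SMB_CONF='[global]
        realm = ATEZ.WORLD
        server role = active directory domain controller
        server signing = mandatory
        ldap server require strong auth = yes
        ntlm auth = ntlmv2-only
        restrict anonymous = 2
'

# smb_get FILE KEY: print the effective value of KEY in FILE (the last
# uncommented occurrence wins, as in smbd); print nothing if KEY is unset.
# Comments (# or ;) are stripped and whitespace around keys is normalised.
smb_get() {
    sed -e 's/[#;].*$//' "$1" | awk -F= -v k="$2" '
        NF >= 2 {
            name = tolower($1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/[ \t]+/, " ", name)
            if (name == k) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                last = val
            }
        }
        END { print last }'
}

# smb_audit FILE: print one finding per line; exit 0 if the file is clean,
# 1 if any weak setting was found.
smb_audit() {
    findings=0
    v=$(smb_get "$1" "server signing" | tr A-Z a-z)
    case "$v" in
        ""|default|mandatory) ;;
        *) echo "server signing = $v (DC default is mandatory)"; findings=$((findings + 1)) ;;
    esac
    v=$(smb_get "$1" "ntlm auth" | tr A-Z a-z)
    case "$v" in
        ""|ntlmv2-only|disabled|no) ;;
        *) echo "ntlm auth = $v (re-enables NTLMv1; default is ntlmv2-only)"; findings=$((findings + 1)) ;;
    esac
    v=$(smb_get "$1" "ldap server require strong auth" | tr A-Z a-z)
    case "$v" in
        ""|yes) ;;
        *) echo "ldap server require strong auth = $v (default is yes; 'no' permits cleartext simple binds on ldap://)"; findings=$((findings + 1)) ;;
    esac
    v=$(smb_get "$1" "lanman auth" | tr A-Z a-z)
    case "$v" in
        yes|true) echo "lanman auth = $v (LM hashes are trivially crackable)"; findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Usage: run against the constructed sample, then against the live file.
sample=$(mktemp) && printf '%s' "$SAMPLE_SMB_CONF" > "$sample"
smb_audit "$sample" || echo "weak settings found in sample config"
# smb_audit /etc/samba/smb.conf
```

The script only understands the flat key = value syntax of smb.conf; it does not follow include directives, so run it against the file smbd actually loads (testparm -s prints the effective configuration and can be piped into a temporary file for the same check).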

Generate self-signed certificate

  • Using openssl, create a self-signed certificate and key and store them in /var/lib/samba/private/tls, the directory that the tls keyfile / tls certfile paths in smb.conf point at
  • The private dir is owned by root with mode 0700, so the directory is created and the certificate written with sudo (create the tls directory if it does not exist)
sudo mkdir -p /var/lib/samba/private/tls
sudo openssl req -newkey rsa:2048 -keyout /var/lib/samba/private/tls/atezworldkey.pem -nodes -x509 -days 3650 -out /var/lib/samba/private/tls/atezworldcert.pem
  • Answer the prompts as below (the value in brackets is the default offered)
Country Name (2 letter code) [AU]: IN
State or Province Name: Maharashtra
Locality Name (city): Mumbai
Organization Name: Atez World
Organizational Unit Name: corpit
Common Name: atezworldad1.atez.world   (must be the DC's FQDN, which is what LDAPS clients check)
Email Address: admin@atez.world
  • Because the certificate is self-signed, copy atezworldcert.pem to any client that validates the LDAPS connection and add it to that client's trust store; -nodes leaves the key unencrypted, which is why it must stay inside the root-only private dir
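
The interactive prompts above put the FQDN only in the Common Name. Modern LDAPS clients match the server name against the subjectAltName extension, not the CN, so a certificate without a SAN may be rejected even when the CN is right. As an added example, not from the original page and not part of Samba, the shell functions below generate the same certificate non-interactively with a SAN, restrict the key to root, and extract the fields worth checking. The subject values mirror the answers on this page; it assumes openssl 1.1.1 or newer for the -addext option, and the file base name "atezworld" matches the tls keyfile / tls certfile entries in smb.conf.

```shell
#!/bin/sh
# Added example, not from the original page: create the DC's self-signed
# certificate non-interactively with a subjectAltName, restrict the key to
# root, and verify what was produced.  Assumes openssl 1.1.1 or newer for
# -addext; the subject fields mirror the answers given on this page.

# make_dc_cert DIR FQDN [BASE] [DAYS]: writes DIR/BASEkey.pem and
# DIR/BASEcert.pem (BASE defaults to "atezworld", as in smb.conf) and
# prints the certificate path.  Returns non-zero if openssl fails.
make_dc_cert() {
    dir=$1; fqdn=$2; base=${3:-atezworld}; days=${4:-3650}
    short=${fqdn%%.*}                      # atezworldad1
    mkdir -p "$dir" && chmod 700 "$dir"    # same mode as samba's private dir
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -keyout "$dir/${base}key.pem" -out "$dir/${base}cert.pem" \
        -subj "/C=IN/ST=Maharashtra/L=Mumbai/O=Atez World/OU=corpit/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn,DNS:$short" \
        -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/${base}key.pem"        # -nodes leaves the key unencrypted
    echo "$dir/${base}cert.pem"
}

# cert_cn CERT: the subject CN, which must be the DC's FQDN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# cert_san CERT: the Subject Alternative Name entries (what LDAPS clients match).
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_key_match CERT KEY: exit 0 when the certificate belongs to the key.
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus)" ]
}

# Usage (as root, into the directory smb.conf's "tls keyfile" is relative to):
#   make_dc_cert /var/lib/samba/private/tls atezworldad1.atez.world
```

Once samba-ad-dc is running, openssl s_client -connect atezworldad1.atez.world:636 -servername atezworldad1.atez.world should present a certificate with the same CN and SAN; a client that still complains about the issuer simply has not been given atezworldcert.pem to trust.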
  • Replace the stock krb5.conf with the one samba-tool generated during provisioning (it names the realm and points the KDC lookups at the DC), then unmask and restart the DC service
sudo mv /etc/krb5.conf /etc/krb5.conf.initial
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
sudo systemctl unmask samba-ad-dc.service
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Check that samba is listening; among the ports expect DNS (53), Kerberos (88), LDAP (389), SMB (445), kpasswd (464) and LDAPS (636)
sudo netstat -plant | egrep 'smbd|samba'
  • Point the DC at its own DNS server in netplan and replace the deprecated gateway4 key with a default route
sudo nano /etc/netplan/00-installer-config.yaml

network:
  ethernets:
    ens18:
      addresses:
      - 10.1.65.109/24
#      gateway4: 172.16.141.1
      nameservers:
        addresses:
        - 10.1.65.109
        search: [atez.world]
      routes:
      - to: default
        via: 10.1.65.1
  version: 2

Save the file and apply it with: sudo netplan apply. With systemd-resolved disabled the nameservers block is no longer written into /etc/resolv.conf, which is why that file is edited by hand below.

  • Add winbind to the passwd and group lines of /etc/nsswitch.conf so that domain users and groups are visible to the operating system
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
  • Edit /etc/resolv.conf so that the DC resolves through its own DNS server; the 8.8.8.8 entry added earlier is now used only as the forwarder configured in smb.conf
sudo nano /etc/resolv.conf
nameserver 10.1.65.109
search atez.world
  • Edit /etc/hosts so that the DC's FQDN and short name resolve to its own address (Samba expects this entry; ideally it is in place before provisioning)
10.1.65.109  atezworldad1.atez.world atezworldad1
  • Restart the Samba service
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Reboot the server to confirm that everything comes up cleanly from a cold start
sudo init 6

Validate if samba is working correctly

  • Obtain a Kerberos ticket for Administrator and list it; a ticket for krbtgt/ATEZ.WORLD@ATEZ.WORLD confirms that DNS, the KDC and the clock agree
sudo kinit administrator
sudo klist
  • Check that the DC's DNS publishes the SRV records clients use to locate the KDC and the LDAP service
host -t srv _kerberos._udp.atez.world
host -t srv _ldap._tcp.atez.world
  • Check the listening ports once more
sudo netstat -plant | egrep 'smbd|samba'
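
The checks above confirm that the DC is up; the auth_json_audit setting in smb.conf is what tells you who is authenticating against it and how. As an added example, not from the original page and not part of Samba, the shell functions below run simple detection logic over that log: failed attempts per client, a password-spray heuristic (one client failing against many distinct accounts) and any logon still using NTLMv1, which the ntlm auth = yes setting permits. The records in write_sample_log are constructed to match the shape of Samba's auth_json_audit output (one "JSON Authentication:" line per attempt, with status, remoteAddress, clientAccount and passwordType fields) and are trimmed to the fields parsed here; real records carry more fields and are not captured from any actual DC.

```shell
#!/bin/sh
# Added example, not from the original page: detection logic over the JSON
# authentication audit log that "log level = 3 auth_json_audit:5@..." makes
# Samba write.  The records below are constructed samples in the shape of
# Samba's auth_json_audit output, trimmed to the fields parsed here.

# write_sample_log DEST: constructed sample, not captured from a real DC.
write_sample_log() {
    cat > "$1" <<'EOF'
  JSON Authentication: {"timestamp": "2023-04-27T09:10:01.000000+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.1.65.160:51200", "authDescription": "NTLMSSP", "clientAccount": "kedar", "workstation": "PC1", "passwordType": "NTLMv2"}}
  JSON Authentication: {"timestamp": "2023-04-27T09:10:02.000000+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.1.65.160:51201", "authDescription": "NTLMSSP", "clientAccount": "administrator", "workstation": "PC1", "passwordType": "NTLMv2"}}
  JSON Authentication: {"timestamp": "2023-04-27T09:10:03.000000+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:10.1.65.160:51202", "authDescription": "NTLMSSP", "clientAccount": "backup", "workstation": "PC1", "passwordType": "NTLMv2"}}
  JSON Authentication: {"timestamp": "2023-04-27T09:10:04.000000+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.1.65.160:51203", "authDescription": "NTLMSSP", "clientAccount": "svc-sql", "workstation": "PC1", "passwordType": "NTLMv2"}}
  JSON Authentication: {"timestamp": "2023-04-27T09:11:00.000000+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.1.65.160:51210", "authDescription": "NTLMSSP", "clientAccount": "kedar", "workstation": "PC1", "passwordType": "NTLMv2"}}
  JSON Authentication: {"timestamp": "2023-04-27T09:12:00.000000+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.1.65.161:40001", "authDescription": "NTLMSSP", "clientAccount": "scanner", "workstation": "MFP1", "passwordType": "NTLMv1"}}
EOF
}

# auth_field KEY: read one record on stdin and print the string value of
# KEY (empty if absent).  Enough for Samba's flat records; not a JSON parser.
auth_field() {
    sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# auth_summary FILE: one line per attempt: STATUS CLIENT_IP ACCOUNT PASSWORD_TYPE
auth_summary() {
    grep 'JSON Authentication:' "$1" | while IFS= read -r rec; do
        status=$(printf '%s\n' "$rec" | auth_field status)
        ip=$(printf '%s\n' "$rec" | auth_field remoteAddress | sed 's/^ipv[46]://; s/:[0-9]*$//')
        acct=$(printf '%s\n' "$rec" | auth_field clientAccount)
        pw=$(printf '%s\n' "$rec" | auth_field passwordType)
        printf '%s %s %s %s\n' "${status:--}" "${ip:--}" "${acct:--}" "${pw:--}"
    done
}

# failed_count FILE: number of attempts whose status is not NT_STATUS_OK.
failed_count() {
    auth_summary "$1" | awk '$1 != "NT_STATUS_OK" { c++ } END { print c + 0 }'
}

# spray_suspects FILE THRESHOLD: clients that failed against at least
# THRESHOLD distinct accounts, printed as "IP distinct_accounts".
spray_suspects() {
    auth_summary "$1" | awk -v t="$2" '
        $1 != "NT_STATUS_OK" { if (!seen[$2, $3]++) n[$2]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }'
}

# ntlmv1_logons FILE: accounts that authenticated with NTLMv1, as account@ip.
ntlmv1_logons() {
    auth_summary "$1" | awk '$4 == "NTLMv1" { print $3 "@" $2 }'
}

# Usage on the constructed sample; point the same functions at
# /var/log/samba/samba_audit.log on the DC with a higher threshold.
log=$(mktemp) && write_sample_log "$log"
echo "failed attempts: $(failed_count "$log")"
spray_suspects "$log" 3
ntlmv1_logons "$log"
```

A client that appears in ntlmv1_logons is the one to fix or isolate before changing ntlm auth back to ntlmv2-only; a client in spray_suspects is either a misconfigured service account or an attacker walking the user list, and either way its address and the accounts it tried are in the summary lines.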

User and groups management

  • Create a user with samba-tool; it prompts for a password
sudo samba-tool user create kedar
sudo samba-tool user setpassword kedar
  (Do not skip setpassword even though create already asked for a password.)
  • Edit the user's attributes and append the following lines to the end of the LDIF that opens in the editor
sudo samba-tool user edit kedar

mail: kedar@atez.world
givenName: Kedar
sn: Atez
mobile: 98xxxxxxxxx
  • Add groups
sudo samba-tool group add z-license-allocation
sudo samba-tool group add z-admins
  • Add users to the groups
sudo samba-tool group addmembers z-admins kedar
sudo samba-tool group addmembers z-license-allocation kedar
  • List the members in groups
sudo samba-tool group listmembers z-license-allocation
sudo samba-tool group listmembers z-admins

Conclusion

  • We have a working Samba Active Directory.
  • Using the Windows RSAT tools (Remote Server Administration Tools) from a domain-joined PC, access and manage the Active Directory
  • You can add multiple domain controllers to this architecture and make it more robust