Samba As Domain Controller
Latest revision as of 09:16, 27 April 2023
Setup Details

  Host
    hostname: infrabase1
    Network: 10.1.65.0/24
    IP Address: 10.1.65.11
    Subnet Mask: 255.255.255.0
    Gateway: 10.1.65.1
    DNS: 8.8.8.8
    sudo user: kedar

  Domain controller VM
    VM: atezworldad1
    Network: 10.1.65.0/24
    IP Address: 10.1.65.109
    Subnet Mask: 255.255.255.0
    Gateway: 10.1.65.1
    DNS: 8.8.8.8
    sudo user: kedar

  User PC Details
    PC type: Desktop
    OS: Ubuntu Desktop
    IP Address: 10.1.65.160
Before you proceed
The domain used here is atez.world. It is used only for demonstration; use your own domain when you configure the Active Directory domain. This installation uses Ubuntu 22.04 Server and the Samba packages from the repository provided and maintained by Canonical. This is done so that any vulnerabilities and fixes released for Samba arrive through Canonical and are generally safe to apply. Samba can also be installed by compiling from source, but every patch or fix then needs recompilation.
Introduction
- We shall be creating an Active Directory with the domain atez.world
- We shall be enabling TLS by default and also enabling LDAPS so that clients connect to AD on a secure port
- We shall be using a self-signed SSL certificate
Pre-requisites installation
- Log into the server and run the below commands

    ssh kedar@10.1.65.109
    sudo systemctl stop systemd-resolved
    sudo systemctl disable systemd-resolved

- Add a nameserver in resolv.conf

    sudo unlink /etc/resolv.conf
    sudo nano /etc/resolv.conf

  Content of /etc/resolv.conf:

    nameserver 8.8.8.8

- Install & configure the Chrony NTP server
  - Install

    sudo apt install chrony

  - Configure by editing the file /etc/chrony/chrony.conf

    pool ntp.ubuntu.com iburst maxsources 4
    pool 0.in.pool.ntp.org iburst maxsources 1
    pool 1.in.pool.ntp.org iburst maxsources 1
    pool 2.in.pool.ntp.org iburst maxsources 2

  - Restart & check if chrony is working

    sudo systemctl restart chrony
    sudo systemctl status chronyd
    sudo chronyc tracking

- Install and configure other pre-requisites

    sudo apt update && sudo apt upgrade -y
    sudo timedatectl set-timezone Asia/Kolkata
Install samba and utils

    sudo apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind net-tools openssl

  When the installer prompts for the Kerberos realm, enter ATEZ.WORLD three times (whatever domain you enter must be in CAPS). Then stop and disable the services and move the default smb.conf aside:

    sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
    sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
    sudo mv /etc/samba/smb.conf /etc/samba/smb.bak
Provisioning the domain controller

    sudo samba-tool domain provision --use-rfc2307 --interactive

Update the /etc/samba/smb.conf file with the content below
    # Global parameters
    [global]
        dns forwarder = 8.8.8.8
        netbios name = ATEZWORLDAD1
        realm = ATEZ.WORLD
        server role = active directory domain controller
        workgroup = ATEZ
        idmap_ldb:use rfc2307 = yes
        server role check:inhibit = yes
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        server signing = auto
        dsdb:schema update allowed = yes
        ldap server require strong auth = no
        drs:max object sync = 1200
        rpc server dynamic port range = 49152-65535
        #interfaces = lo,eth0
        #bind interfaces only = yes
        map to guest = Bad User
        log level = 3 auth_json_audit:5@/var/log/samba/samba_audit.log
        log file = /var/log/samba/samba.log
        max log size = 100000
        #lanman auth = yes
        ntlm auth = yes
        password hash userPassword schemes = CryptSHA256 CryptSHA512
        tls enabled = yes
        tls keyfile = tls/atezworldkey.pem
        tls certfile = tls/atezworldcert.pem
        tls cafile =
        # sysvol write log
        full_audit:failure = none
        full_audit:success = pwrite write renameat unlinkat
        full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
        full_audit:facility = local7
        full_audit:priority = NOTICE
        # disable null session
        restrict anonymous = 2
        # disable printing services
        printcap name = /dev/null
        load printers = no
        disable spoolss = yes
        printing = bsd

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit

    [netlogon]
        path = /var/lib/samba/sysvol/atez.world/scripts
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit
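The smb.conf above keeps four values weaker than Samba's own defaults: ldap server require strong auth = no, ntlm auth = yes, map to guest = Bad User and dsdb:schema update allowed = yes. The Python below is an added example, not part of this page: it reads an smb.conf in that layout, reports each of those settings beside its hardened value, and rewrites them in place. The embedded sample config is constructed from the page's lines, and the accepted-value sets follow the smb.conf(5) man page.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample: the security-relevant [global] lines of the page's smb.conf.
SAMPLE_SMB_CONF = """\
[global]
        realm = ATEZ.WORLD
        dsdb:schema update allowed = yes
        ldap server require strong auth = no
        map to guest = Bad User
        ntlm auth = yes
[sysvol]
        path = /var/lib/samba/sysvol
"""
# parameter -> (values accepted as safe, hardened value, what the weak value permits);
# absent parameters are not flagged because Samba's default is already the hardened value.
CHECKS = {
    "ldap server require strong auth": ({"yes", "allow_sasl_over_tls"}, "yes",
        "'no' accepts LDAP simple binds without TLS and unsigned SASL binds"),
    "ntlm auth": ({"ntlmv2-only", "mschapv2-and-ntlmv2-only", "disabled"}, "ntlmv2-only",
        "'yes' is an alias for ntlmv1-permitted, so NTLMv1 responses are accepted"),
    "map to guest": ({"never"}, "Never",
        "'Bad User' maps failed logons for unknown usernames onto the guest account"),
    "dsdb:schema update allowed": ({"no"}, "no",
        "schema changes stay enabled permanently rather than only during an extension"),
}
_PARAM_RE = re.compile(r"^(\s*)([^#;=\[][^=]*?)\s*=\s*(.*?)\s*$")

def global_params(conf_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line index, indent, name, value) for every parameter line in [global]."""
    found, section = [], None
    for i, line in enumerate(conf_text.splitlines()):
        s = line.strip()
        if s.startswith("["):
            section = s.strip("[]").strip().lower()
        elif s and s[0] not in "#;" and section == "global":
            m = _PARAM_RE.match(line)
            if m:
                found.append((i, m.group(1), m.group(2), m.group(3)))
    return found

def audit_smb_conf(conf_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (parameter, current value, hardened value, why) for each weak setting."""
    current = {name.lower(): value for _, _, name, value in global_params(conf_text)}
    return [(p, current[p], hard, why) for p, (safe, hard, why) in CHECKS.items()
            if p in current and current[p].lower() not in safe]

def harden(conf_text: str) -> str:
    """Rewrite each flagged [global] line in place, keeping the file's indentation."""
    fixes = {p: hard for p, _, hard, _ in audit_smb_conf(conf_text)}
    lines = conf_text.splitlines()
    for i, indent, name, _ in global_params(conf_text):
        if name.lower() in fixes:
            lines[i] = f"{indent}{name} = {fixes[name.lower()]}"
    return "\n".join(lines) + "\n"
```

Run audit_smb_conf on the real /etc/samba/smb.conf before and after editing; testparm still has to validate the result, since this script only knows the four parameters listed in CHECKS.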
Generate self-signed certificate
- Using openssl, create a self-signed certificate and store it in /var/lib/samba/private/tls.
- If the above folder does not exist, you can create it.

    cd /var/lib/samba/private/tls
    openssl req -newkey rsa:2048 -keyout atezworldkey.pem -nodes -x509 -days 3650 -out atezworldcert.pem

- Answer the relevant questions as below

    Country Name (2 letter code) [AU] : IN
    State or Province Name : Maharashtra
    City : Mumbai
    Company Name : Atez World
    Organization Unit : corpit
    Common Name : atezworldad1.atez.world
    Email Address : admin@atez.world

- The private key is written unencrypted (-nodes), so keep both files owned by root and make the key file readable by root only.
- Replace the initial krb5.conf with the one Samba generated, then unmask and restart the samba-ad-dc service

    sudo mv /etc/krb5.conf /etc/krb5.conf.initial
    sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
    sudo systemctl unmask samba-ad-dc.service
    sudo systemctl restart samba-ad-dc.service
    sudo systemctl status samba-ad-dc.service

- Check if samba is running (the pattern is an alternation of the two process names, not a bracket expression)

    sudo netstat -plant | egrep 'smbd|samba'
- Change the nameservers in netplan and replace the gateway4 argument, which is now deprecated, with a default route

    sudo nano /etc/netplan/00-installer-config.yaml

    network:
      ethernets:
        ens18:
          addresses:
            - 10.1.65.109/24
          # gateway4: 172.16.141.1
          nameservers:
            addresses:
              - 10.1.65.109
            search: [ATEZ.WORLD]
          routes:
            - to: default
              via: 10.1.65.1
      version: 2

  Save the file and apply it with: sudo netplan apply
- Add the winbind option to /etc/nsswitch.conf

    passwd:         files systemd winbind
    group:          files systemd winbind
    shadow:         files
    gshadow:        files
    hosts:          files dns
    networks:       files
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    netgroup:       nis

- Edit the /etc/resolv.conf file and add the relevant details

    sudo nano /etc/resolv.conf

    nameserver 10.1.65.109
    search atez.world
- Restart the Samba service

    sudo systemctl restart samba-ad-dc.service
    sudo systemctl status samba-ad-dc.service

- Restart the server

    sudo init 6

- Edit the /etc/hosts file and add the correct hostnames

    10.1.65.109 atezworldad1.atez.world atezworldad1
Validate if samba is working correctly
- Check the kerberos tickets

    sudo kinit administrator

- Check if the DC is resolving to the correct name

    sudo host -t srv _kerberos._udp.atez.world
    host -t srv _ldap._tcp.atez.world

- Check that the samba processes are listening

    sudo netstat -plant | egrep 'smbd|samba'
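The log level line in the smb.conf above writes one JSON record per authentication to /var/log/samba/samba_audit.log, which is worth checking as part of validation. The Python below is an added example, not part of the original page: it parses that file, groups failed logons by source address and lists successful logons that still used NTLMv1 (accepted only because the page sets ntlm auth = yes). The log lines are constructed, modelled on the fields Samba's auth_json_audit emits (type, timestamp, and a nested Authentication record with status, remoteAddress, clientAccount and passwordType).

```python
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample modelled on Samba's auth_json_audit output (one JSON object per
# line): a clean logon, three failed LDAP binds from one host, a successful NTLMv1
# logon, an Authorization record and a line truncated mid-write.
SAMPLE_AUDIT_LOG = """\
{"timestamp": "2023-04-27T09:10:01+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "localAddress": "ipv4:10.1.65.109:445", "remoteAddress": "ipv4:10.1.65.160:49876", "serviceDescription": "SMB2", "clientDomain": "ATEZ", "clientAccount": "kedar", "workstation": "USERPC", "passwordType": "NTLMv2"}}
{"timestamp": "2023-04-27T09:11:02+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.1.65.109:389", "remoteAddress": "ipv4:10.1.65.200:51000", "serviceDescription": "LDAP", "clientDomain": "ATEZ", "clientAccount": "administrator", "workstation": null, "passwordType": "Plaintext"}}
{"timestamp": "2023-04-27T09:11:03+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.1.65.109:389", "remoteAddress": "ipv4:10.1.65.200:51001", "serviceDescription": "LDAP", "clientDomain": "ATEZ", "clientAccount": "administrator", "workstation": null, "passwordType": "Plaintext"}}
{"timestamp": "2023-04-27T09:11:04+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:10.1.65.109:389", "remoteAddress": "ipv4:10.1.65.200:51002", "serviceDescription": "LDAP", "clientDomain": "ATEZ", "clientAccount": "backup", "workstation": null, "passwordType": "Plaintext"}}
{"timestamp": "2023-04-27T09:12:05+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "localAddress": "ipv4:10.1.65.109:445", "remoteAddress": "ipv4:10.1.65.150:44000", "serviceDescription": "SMB2", "clientDomain": "ATEZ", "clientAccount": "legacyapp", "workstation": "OLDBOX", "passwordType": "NTLMv1"}}
{"timestamp": "2023-04-27T09:12:06+0530", "type": "Authorization", "Authorization": {"localAddress": "ipv4:10.1.65.109:445", "remoteAddress": "ipv4:10.1.65.160:49876", "serviceDescription": "SMB2", "authType": "NTLMSSP", "domain": "ATEZ", "account": "kedar"}}
{"timestamp": "2023-04-27T09:12:07+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK"
"""

def parse_auth_events(lines: Iterable[str]) -> List[Dict]:
    """Return the nested Authentication records, tagged with the record timestamp.
    Other record types and unparsable (truncated) lines are skipped."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("type") == "Authentication":
            ev = dict(rec.get("Authentication", {}))
            ev["timestamp"] = rec.get("timestamp")
            events.append(ev)
    return events

def source_ip(ev: Dict) -> str:
    """Samba writes addresses as 'ipv4:10.1.65.200:51000'; return just the host part."""
    addr = ev.get("remoteAddress") or ""
    parts = addr.split(":")
    return parts[1] if parts[0] == "ipv4" and len(parts) == 3 else addr

def failed_logon_sources(events: List[Dict], threshold: int = 3) -> Dict[str, int]:
    """Source hosts with at least `threshold` authentications that did not return NT_STATUS_OK."""
    failures = Counter(source_ip(e) for e in events if e.get("status") != "NT_STATUS_OK")
    return {ip: n for ip, n in failures.items() if n >= threshold}

def ntlmv1_logons(events: List[Dict]) -> List[Dict]:
    """Successful logons that used NTLMv1; these stop once 'ntlm auth = ntlmv2-only' is set."""
    return [e for e in events if e.get("status") == "NT_STATUS_OK" and e.get("passwordType") == "NTLMv1"]

if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_AUDIT_LOG.splitlines())
    print("failed-logon sources:", failed_logon_sources(evs))
    print("NTLMv1 accounts:", [e["clientAccount"] for e in ntlmv1_logons(evs)])
```

On the DC itself, feed `open("/var/log/samba/samba_audit.log")` to parse_auth_events instead of the sample; the NTLMv1 list tells you which clients must be fixed before tightening ntlm auth.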
User and groups management
- Create a user in samba using samba-tool

    sudo samba-tool user create kedar
    sudo samba-tool user setpassword kedar

  Do not skip the setpassword step even if you set a password in the previous step.

- Edit the user's attributes and add the following attributes to the end of the file

    sudo samba-tool user edit kedar

    mail: kedar@atez.world
    givenName: Kedar
    sn: Atez
    mobile: 98xxxxxxxxx

- Add groups

    sudo samba-tool group add z-license-allocation
    sudo samba-tool group add z-admins

- Add users to the groups

    sudo samba-tool group addmembers z-admins kedar
    sudo samba-tool group addmembers z-license-allocation kedar

- List the members of the groups

    sudo samba-tool group listmembers z-license-allocation
    sudo samba-tool group listmembers z-admins
Conclusion
- We have a working Samba Active Directory.
- Using RSAT (Remote Server Administration Tools), access and manage the Active Directory.
- You can add multiple domain controllers to this architecture to make it more robust.