Samba As Domain Controller: Difference between revisions

From The Opensource Knowledgebase
Jump to navigation Jump to search
← Older edit
mNo edit summary
 
(4 intermediate revisions by the same user not shown)
Line 12: Line 12:
sudo user: kedar
sudo user: kedar


VM: atezad1
VM: atezworldad1
Network: 10.1.65.0/24
Network: 10.1.65.0/24
IP Address : 10.1.65.108
IP Address : 10.1.65.109
Subnet Mask: 255.255.255.0
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
Gateway: 10.1.65.1
Line 27: Line 27:
|}
|}
=Before you proceed=
=Before you proceed=
The domain used here is '''corp.atez.world'''. This is used only for demonstration. You should use your own domain to configure the active directory domain. This installation uses Ubuntu 22.04 server OS and uses the samba available in the repository provided and maintained by Canonical. Users should note that this is done to ensure, any vulnerabilities and fixes released for samba are provided by canonical and are generally safe to apply. Samba can be installed by compiling from source, however, any patches and fixes need re-compilation.  
The domain used here is '''atez.world'''. This is used only for demonstration. You should use your own domain to configure the active directory domain. This installation uses Ubuntu 22.04 server OS and uses the samba available in the repository provided and maintained by Canonical. Users should note that this is done to ensure, any vulnerabilities and fixes released for samba are provided by canonical and are generally safe to apply. Samba can be installed by compiling from source, however, any patches and fixes need re-compilation.  


=Introduction=
=Introduction=
*We shall be creating an active directory with domain as: corp.atez.world
*We shall be creating an active directory with domain as: atez.world
*We shall be enabling TLS by default and also enabling LDAPS for connecting to AD on a secure port
*We shall be enabling TLS by default and also enabling LDAPS for connecting to AD on a secure port
*We shall be using a self signed SSL certificate
*We shall be using a self signed SSL certificate
Line 37: Line 37:
* Log into the server and run the below commands
* Log into the server and run the below commands
<pre>
<pre>
ssh kedar@10.1.65.108
ssh kedar@10.1.65.109
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
</pre>
*Add nameserver in resolv.conf
<pre>
sudo unlink /etc/resolv.conf
sudo nano /etc/resolv.conf
nameserver 8.8.8.8
</pre>
*Install & Configure Chrony NTP server
*Install
<pre>
sudo apt install chrony
</pre>
*Configure by editing the file /etc/chrony/chrony.conf
<pre>
pool ntp.ubuntu.com        iburst maxsources 4
pool 0.in.pool.ntp.org iburst maxsources 1
pool 1.in.pool.ntp.org iburst maxsources 1
pool 2.in.pool.ntp.org iburst maxsources 2
</pre>
*Restart & Check if chrony is working
<pre>
sudo systemctl restart chrony
sudo systemctl status chronyd
sudo chronyc tracking
</pre>
*Install and configure other pre-requisites
<pre>
sudo apt update && sudo apt upgrade -y
sudo apt update && sudo apt upgrade -y
sudo timedatectl set-timezone Asia/Kolkata
sudo timedatectl set-timezone Asia/Kolkata
sudo apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind net-tools
</pre>
</pre>


=Disable services=
=Install samba and utils=
<pre>
<pre>
sudo apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind net-tools openssl
'''Add ATEZ.WORLD three times (any domain you want to enter should be in CAPS)'''
sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo mv /etc/samba/smb.conf /etc/samba/smb.bak
</pre>
</pre>
There will be three occasions where you will need to enter the realm and server name. Enter - CORP.ATEZ.WORLD
=Provisioning the domain controller
=Generate self-signed certificate=
*Using openssl libraries create self signed certifcate and
* Store the self signed certificate in /var/lib/samba/private/tls.
* If the above folder does not exist, you can create it.
<pre>
<pre>
cd /var/lib/samba/private/tls
sudo samba-tool domain provision --use-rfc2307 --interactive
openssl req -newkey rsa:2048 -keyout atezworldkey.pem -nodes -x509 -days 3650 -out atezworldcert.pem
</pre>
</pre>
*Answer relevant questions as below
Update the /etc/samba/smb.conf file with the below content
<pre>
AU : IN
State or Province Name : Maharashtra
City : Mumbai
Company Name : Atez World
Organization Unit : corpit
Comman Name : atezad1.corp.atez.world
Email Address : admin@atez.world
</pre>
=SMB Config File=
*Take a backup of the default smb config file and save it with some extension
<pre>
sudo mv /etc/samba/smb.conf /etc/samba/smb.bak
</pre>
*Create a new smb.conf file in /etc/samba and edit it as following
<pre>
<pre>
# Global parameters
# Global parameters
[global]
[global]
dns forwarder = 8.8.8.8
        dns forwarder = 8.8.8.8
netbios name = atezad1
        netbios name = ATEZWORLDAD1
realm = CORP.ATEZ.WORLD
        realm = ATEZ.WORLD
server role = active directory domain controller
        server role = active directory domain controller
workgroup = CORP
        workgroup = ATEZ
idmap_ldb:use rfc2307 = yes
        idmap_ldb:use rfc2307 = yes
 
server role check:inhibit = yes
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes


server signing = auto
        server role check:inhibit = yes
dsdb:schema update allowed = yes
        template shell = /bin/bash
ldap server require strong auth = no
        template homedir = /home/%U
drs:max object sync = 1200
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes


rpc server dynamic port range = 49152-65535
        server signing = auto
        dsdb:schema update allowed = yes
        ldap server require strong auth = no
        drs:max object sync = 1200


#interfaces = lo,eth0
        rpc server dynamic port range = 49152-65535
#bind interfaces only = yes
        #interfaces = lo,eth0
        #bind interfaces only = yes


map to guest = Bad User
        map to guest = Bad User
log level = 3 auth_json_audit:5@/var/log/samba/samba_audit.log
        log level = 3 auth_json_audit:5@/var/log/samba/samba_audit.log
log file = /var/log/samba/samba.log
        log file = /var/log/samba/samba.log
max log size = 100000
        max log size = 100000


#lanman auth = yes
        #lanman auth = yes
ntlm auth = yes
        ntlm auth = yes


password hash userPassword schemes = CryptSHA256 CryptSHA512
        password hash userPassword schemes = CryptSHA256 CryptSHA512


tls enabled = yes
        tls enabled = yes
tls keyfile = tls/atezworldkey.pem
        tls keyfile = tls/atezworldkey.pem
tls certfile = tls/atezworldcert.pem
        tls certfile = tls/atezworldcert.pem
tls cafile =
        tls cafile =
       
        # sysvol write log
        full_audit:failure = none
        full_audit:success = pwrite write renameat unlinkat
        full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
        full_audit:facility = local7
        full_audit:priority = NOTICE


# sysvol write log
        # disable null session
full_audit:failure = none
        restrict anonymous = 2
full_audit:success = pwrite write renameat unlinkat
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local7
full_audit:priority = NOTICE


# disable null session
        # disable printing services
restrict anonymous = 2
        printcap name = /dev/null
 
        load printers = no
# disable printing services
        disable spoolss = yes
printcap name = /dev/null
        printing = bsd
load printers = no
disable spoolss = yes
printing = bsd


[sysvol]
[sysvol]
path = /var/lib/samba/sysvol
        path = /var/lib/samba/sysvol
read only = No
        read only = No
vfs objects = dfs_samba4, acl_xattr, full_audit
        vfs objects = dfs_samba4, acl_xattr, full_audit


[netlogon]
[netlogon]
path = /var/lib/samba/sysvol/corp.atez.world/scripts
        path = /var/lib/samba/sysvol/atez.world/scripts
read only = No
        read only = No
vfs objects = dfs_samba4, acl_xattr, full_audit
        vfs objects = dfs_samba4, acl_xattr, full_audit
</pre>
</pre>
Save the file and exit
=Generate self-signed certificate=
*Provision the domain using the samba tool
*Using openssl libraries create self signed certifcate and  
* Store the self signed certificate in /var/lib/samba/private/tls.
* If the above folder does not exist, you can create it.
<pre>
<pre>
sudo samba-tool domain provision --use-rfc2307 --interactive
cd /var/lib/samba/private/tls
openssl req -newkey rsa:2048 -keyout atezworldkey.pem -nodes -x509 -days 3650 -out atezworldcert.pem
</pre>
</pre>
Answer multiple questions and enter domain as CORP, netbios as CORP.ATEZ.WORLD, DNS as internal
*Answer relevant questions as below
<pre>
AU : IN
State or Province Name : Maharashtra
City : Mumbai
Company Name : Atez World
Organization Unit : corpit
Comman Name : atezworldad1.atez.world
Email Address : admin@atez.world
</pre>
</pre>
*Now unmask and restart samba dc service  
*Unlink kerberos, unmask and restart samba dc service  
<pre>
<pre>
sudo mv /etc/krb5.conf /etc/krb5.conf.initial
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
sudo systemctl unmask samba-ad-dc.service
sudo systemctl unmask samba-ad-dc.service
sudo systemctl restart samba-ad-dc.service
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
</pre>
</pre>
*Now link the kerberos file to the correct path
*Check if samba is running
<pre>
<pre>
sudo mv /etc/krb5.conf /etc/krb5.conf.initial
sudo netstat -plant |egrep '[smbd|samba]'
sudo ln -s /var/lib/samba/private/krb5.conf /etc/
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
</pre>
</pre>
*Change the nameservers in netplan and change the gateway4 argument as it is now deprecated
*Change the nameservers in netplan and change the gateway4 argument as it is now deprecated
Line 171: Line 193:
     ens18:
     ens18:
       addresses:
       addresses:
       - 10.1.65.108/24
       - 10.1.65.109/24
#      gateway4: 172.16.141.1
#      gateway4: 172.16.141.1
       nameservers:
       nameservers:
         addresses:
         addresses:
         - 10.1.65.108
         - 10.1.65.109
         search: [CORP.ATEZ.WORLD]
         search: [ATEZ.WORLD]
       routes:
       routes:
       - to: default
       - to: default
Line 200: Line 222:
netgroup:      nis
netgroup:      nis
</pre>
</pre>
*Disable systemd-resolved
*edit /etc/resolv.conf file and add the relevant details
<pre>
<pre>
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo unlink /etc/resolv.conf
sudo nano /etc/resolv.conf
sudo nano /etc/resolv.conf
nameserver 8.8.8.8
nameserver 10.1.65.109
search atez.world
</pre>
</pre>
*Restart Samba Service
*Restart Samba Service
Line 213: Line 233:
sudo systemctl status samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
</pre>
</pre>
*Restart the server
<pre>
sudo init 6
</pre>
*Edit /tec/hosts file and add correct hostnames
<pre>
10.1.65.109  atezworldad1.atez.world atezworldad1
</pre>
=Validate if samba is working correctly=
*Check the kerberos tickets
*Check the kerberos tickets
<pre>
<pre>
Line 219: Line 248:
*Check if DC is resolving to the correct name
*Check if DC is resolving to the correct name
<pre>
<pre>
sudo host -t srv _kerberos._udp.corp.atez.world  
sudo host -t srv _kerberos._udp.atez.world  
host -t srv _ldap._tcp.corp.atez.world
host -t srv _ldap._tcp.atez.world
</pre>
</pre>
*sudo netstat -plant |egrep '[smbd|samba]'
</pre>
=User and groups management=
*Create a User in samba using samba tool
*Create a User in samba using samba tool
<pre>
<pre>
sudo samba-tool user create kedar
sudo samba-tool user create kedar
sudo samba-tool user setpassword kedar (Do not avoid this step even if you have kept a password in the above step)
</pre>
</pre>
*Edit user attributes & add the following attributes to the end of the file
<pre>
sudo samba-tool user edit kedar
mail: kedar@atez.world
givenName: Kedar
sn: Atez
mobile: 98xxxxxxxxx
</pre>
*Add groups
<pre>
sudo samba-tool group add z-license-allocation
sudo samba-tool group add z-admins
</pre>
*Add users to the groups
<pre>
sudo samba-tool group addmembers z-admins kedar
sudo samba-tool group addmembers z-license-allocation kedar
</pre>
*List the members in groups
<pre>
sudo samba-tool group listmembers z-license-allocation
sudo samba-tool group listmembers z-admins
</pre>
=Conclusion=
=Conclusion=
* We have a working Samba Active Directory.  
* We have a working Samba Active Directory.  

Latest revision as of 09:16, 27 April 2023

Setup Details 
hostname: infrabase1
Network: 10.1.65.0/24
IP Address : 10.1.65.11
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar

VM: atezworldad1
Network: 10.1.65.0/24
IP Address : 10.1.65.109
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar

User PC Details
PC type: Desktop
OS: Ubuntu Desktop
IP Address: 10.1.65.160

Before you proceed

The domain used here is atez.world. This is used only for demonstration. You should use your own domain to configure the active directory domain. This installation uses Ubuntu 22.04 server OS and uses the samba available in the repository provided and maintained by Canonical. Users should note that this is done to ensure, any vulnerabilities and fixes released for samba are provided by canonical and are generally safe to apply. Samba can be installed by compiling from source, however, any patches and fixes need re-compilation.

Introduction

  • We shall be creating an active directory with domain as: atez.world
  • We shall be enabling TLS by default and also enabling LDAPS for connecting to AD on a secure port
  • We shall be using a self signed SSL certificate

Pre-requisites installation

  • Log into the server and run the below commands
ssh kedar@10.1.65.109
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
  • Add nameserver in resolv.conf
sudo unlink /etc/resolv.conf
sudo nano /etc/resolv.conf
nameserver 8.8.8.8
  • Install & Configure Chrony NTP server
  • Install
sudo apt install chrony
  • Configure by editing the file /etc/chrony/chrony.conf
pool ntp.ubuntu.com        iburst maxsources 4
pool 0.in.pool.ntp.org iburst maxsources 1
pool 1.in.pool.ntp.org iburst maxsources 1
pool 2.in.pool.ntp.org iburst maxsources 2
  • Restart & Check if chrony is working
sudo systemctl restart chrony
sudo systemctl status chronyd
sudo chronyc tracking
  • Install and configure other pre-requisites
sudo apt update && sudo apt upgrade -y
sudo timedatectl set-timezone Asia/Kolkata

Install samba and utils

sudo apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind net-tools openssl

'''Add ATEZ.WORLD three times (any domain you want to enter should be in CAPS)'''

sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo mv /etc/samba/smb.conf /etc/samba/smb.bak

=Provisioning the domain controller 

sudo samba-tool domain provision --use-rfc2307 --interactive

Update the /etc/samba/smb.conf file with the below content 

# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = ATEZWORLDAD1
        realm = ATEZ.WORLD
        server role = active directory domain controller
        workgroup = ATEZ
        idmap_ldb:use rfc2307 = yes

        server role check:inhibit = yes
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

        server signing = auto
        dsdb:schema update allowed = yes
        ldap server require strong auth = no
        drs:max object sync = 1200

        rpc server dynamic port range = 49152-65535
        #interfaces = lo,eth0
        #bind interfaces only = yes

        map to guest = Bad User
        log level = 3 auth_json_audit:5@/var/log/samba/samba_audit.log
        log file = /var/log/samba/samba.log
        max log size = 100000

        #lanman auth = yes
        ntlm auth = yes

        password hash userPassword schemes = CryptSHA256 CryptSHA512

        tls enabled = yes
        tls keyfile = tls/atezworldkey.pem
        tls certfile = tls/atezworldcert.pem
        tls cafile =
        
        # sysvol write log
        full_audit:failure = none
        full_audit:success = pwrite write renameat unlinkat
        full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
        full_audit:facility = local7
        full_audit:priority = NOTICE

        # disable null session
        restrict anonymous = 2

        # disable printing services
        printcap name = /dev/null
        load printers = no
        disable spoolss = yes
        printing = bsd

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit

[netlogon]
        path = /var/lib/samba/sysvol/atez.world/scripts
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit

Generate self-signed certificate

  • Using openssl libraries create self signed certifcate and
  • Store the self signed certificate in /var/lib/samba/private/tls.
  • If the above folder does not exist, you can create it.
cd /var/lib/samba/private/tls
openssl req -newkey rsa:2048 -keyout atezworldkey.pem -nodes -x509 -days 3650 -out atezworldcert.pem
  • Answer relevant questions as below
AU : IN
State or Province Name : Maharashtra
City : Mumbai
Company Name : Atez World
Organization Unit : corpit
Comman Name : atezworldad1.atez.world
Email Address : admin@atez.world
  • Unlink kerberos, unmask and restart samba dc service
sudo mv /etc/krb5.conf /etc/krb5.conf.initial
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
sudo systemctl unmask samba-ad-dc.service
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Check if samba is running
sudo netstat -plant |egrep '[smbd|samba]'
  • Change the nameservers in netplan and change the gateway4 argument as it is now deprecated
sudo nano /etc/netplan/00-installer-config.yaml

network:
  ethernets:
    ens18:
      addresses:
      - 10.1.65.109/24
#      gateway4: 172.16.141.1
      nameservers:
        addresses:
        - 10.1.65.109
        search: [ATEZ.WORLD]
      routes:
      - to: default
        via: 10.1.65.1 
  version: 2

Save the file and restart netplan by: sudo netplay apply

  • Add winbind option to /etc/nsswitch.conf
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
  • edit /etc/resolv.conf file and add the relevant details
sudo nano /etc/resolv.conf
nameserver 10.1.65.109
search atez.world
  • Restart Samba Service
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Restart the server
sudo init 6
  • Edit /tec/hosts file and add correct hostnames
10.1.65.109  atezworldad1.atez.world atezworldad1

Validate if samba is working correctly

  • Check the kerberos tickets
sudo kinit administrator
  • Check if DC is resolving to the correct name
sudo host -t srv _kerberos._udp.atez.world 
host -t srv _ldap._tcp.atez.world
  • sudo netstat -plant |egrep '[smbd|samba]'

User and groups management

  • Create a User in samba using samba tool
sudo samba-tool user create kedar
sudo samba-tool user setpassword kedar (Do not avoid this step even if you have kept a password in the above step)
  • Edit user attributes & add the following attributes to the end of the file
sudo samba-tool user edit kedar

mail: kedar@atez.world
givenName: Kedar
sn: Atez
mobile: 98xxxxxxxxx
  • Add groups
sudo samba-tool group add z-license-allocation
sudo samba-tool group add z-admins
  • Add users to the groups
sudo samba-tool group addmembers z-admins kedar
sudo samba-tool group addmembers z-license-allocation kedar
  • List the members in groups
sudo samba-tool group listmembers z-license-allocation
sudo samba-tool group listmembers z-admins

Conclusion

  • We have a working Samba Active Directory.
  • Using a RSA tool, access and manage the Active Directory
  • You can add multiple domain controllers to this architecture and make it more robust
Retrieved from "https://infrastructure-advisory.org/index.php?title=Samba_As_Domain_Controller&oldid=316"