Samba As Domain Controller
From The Opensource Knowledgebase
Revision as of 14:11, 20 April 2023

Setup Details
hostname: infrabase1
Network: 10.1.65.0/24
IP Address: 10.1.65.11
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar

VM: atezad1
Network: 10.1.65.0/24
IP Address: 10.1.65.108
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar

User PC Details
PC type: Desktop
OS: Ubuntu Desktop
IP Address: 10.1.65.160

Before you proceed

The domain used here is corp.atez.world. It is used only for demonstration; use a domain you own when you configure your own Active Directory domain. This installation uses Ubuntu 22.04 Server and the samba packages from the repository provided and maintained by Canonical, so that vulnerability fixes released for Samba arrive through the distribution's normal updates and are generally safe to apply. Samba can also be built from source, but every patch or fix then requires a re-compilation.

Introduction

  • We shall be creating an Active Directory domain named corp.atez.world (Kerberos realm CORP.ATEZ.WORLD, NetBIOS domain CORP)
  • We shall be enabling TLS so that clients can connect to the directory over LDAPS (port 636) instead of plain LDAP (port 389)
  • We shall be using a self-signed certificate for LDAPS

Pre-requisites installation

  • Log into the server and run the below commands
ssh kedar@10.1.65.108
sudo apt update && sudo apt upgrade -y
sudo apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

The krb5-config package asks three questions during installation (default Kerberos realm, Kerberos servers for the realm, administrative server for the realm). Enter CORP.ATEZ.WORLD for all three. These answers only populate the initial /etc/krb5.conf, which is replaced later by the file samba-tool generates. The smbd, nmbd and winbind units are stopped and disabled because on a domain controller the single samba-ad-dc service runs those components itself.

SMB Config File

  • Move the default smb.conf aside so that a fresh one can be written (keep the copy for reference)
sudo mv /etc/samba/smb.conf /etc/samba/smb.bak
  • Create a new smb.conf file in /etc/samba and edit it as following
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = atezad1
realm = CORP.ATEZ.WORLD
server role = active directory domain controller
workgroup = CORP
idmap_ldb:use rfc2307 = yes

server role check:inhibit = yes
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes

server signing = auto
dsdb:schema update allowed = yes
# 'no' lets clients do simple binds over plain LDAP on 389, sending the password
# in clear text. Once every client uses LDAPS, set this back to 'yes' (the
# default) or to 'allow_sasl_over_tls'.
ldap server require strong auth = no
drs:max object sync = 1200

rpc server dynamic port range = 49152-65535

#interfaces = lo,eth0
#bind interfaces only = yes

map to guest = Bad User
# level 3 for general logging, plus JSON authentication audit records at level 5
# written to their own file
log level = 3 auth_json_audit:5@/var/log/samba/samba_audit.log
log file = /var/log/samba/samba.log
max log size = 100000

# Leave LanMan authentication off. 'ntlm auth = yes' permits NTLMv1 (the default
# is 'ntlmv2-only'); keep it only while a legacy client that needs NTLMv1 exists.
#lanman auth = yes
ntlm auth = yes

password hash userPassword schemes = CryptSHA256 CryptSHA512

# Paths are relative to /var/lib/samba/private. Provisioning generates a
# self-signed tls/key.pem, tls/cert.pem and tls/ca.pem there; either create
# myKey.pem and myCert.pem yourself (openssl req -x509 ...) or point these
# options at the generated files, and verify after the service starts with
# openssl s_client -connect atezad1.corp.atez.world:636
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile =

# sysvol write log
full_audit:failure = none
full_audit:success = pwrite write renameat unlinkat
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local7
full_audit:priority = NOTICE

# disable null session
restrict anonymous = 2

# disable printing services
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd

[sysvol]
path = /var/lib/samba/sysvol
read only = No
vfs objects = dfs_samba4, acl_xattr, full_audit

[netlogon]
path = /var/lib/samba/sysvol/corp.atez.world/scripts
read only = No
vfs objects = dfs_samba4, acl_xattr, full_audit

Save the file and exit

  • Provision the domain using the samba tool
sudo samba-tool domain provision --use-rfc2307 --interactive

Answer the prompts as follows: Realm = CORP.ATEZ.WORLD, Domain = CORP (the NetBIOS name), Server Role = dc, DNS backend = SAMBA_INTERNAL, DNS forwarder = 8.8.8.8 (pre-filled from smb.conf), and a password for the built-in Administrator account that meets the default complexity policy (at least 8 characters from three of the four classes: upper case, lower case, digits, symbols). samba-tool reads the smb.conf written above and refuses to continue if the realm, workgroup or server role you type differ from the values in the file.

  • Now unmask, enable and restart the samba dc service (unmask alone does not start it at boot)
sudo systemctl unmask samba-ad-dc.service
sudo systemctl enable samba-ad-dc.service
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Now link the kerberos file to the correct path
sudo mv /etc/krb5.conf /etc/krb5.conf.initial
sudo ln -s /var/lib/samba/private/krb5.conf /etc/
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Change the nameservers in netplan so the DC uses its own DNS server, and replace the deprecated gateway4 key with a routes entry
sudo nano /etc/netplan/00-installer-config.yaml

network:
  ethernets:
    ens18:
      addresses:
      - 10.1.65.108/24
#      gateway4: 10.1.65.1      # deprecated form, replaced by the routes entry below
      nameservers:
        addresses:
        - 10.1.65.108
        search: [CORP.ATEZ.WORLD]
      routes:
      - to: default
        via: 10.1.65.1
  version: 2

Save the file and apply it with: sudo netplan apply

  • Add winbind option to /etc/nsswitch.conf
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
  • Disable systemd-resolved so that it no longer answers on 127.0.0.53 and the DC's own DNS server is used
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
  • Check /etc/resolv.conf. On Ubuntu it is normally a symlink to the systemd-resolved stub file; once resolved is disabled that file goes stale. If it still shows nameserver 127.0.0.53, replace it with a static file that points at the DC itself
cat /etc/resolv.conf
sudo rm -f /etc/resolv.conf
printf 'nameserver 10.1.65.108\nsearch corp.atez.world\n' | sudo tee /etc/resolv.conf
  • Restart Samba Service
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Obtain a Kerberos ticket for the built-in Administrator and confirm that the new KDC issued it
sudo kinit administrator
sudo klist
  • Check that the DC publishes the DNS records clients use to locate it
host -t SRV _kerberos._udp.corp.atez.world
host -t SRV _ldap._tcp.corp.atez.world
host -t A atezad1.corp.atez.world
  • Confirm that LDAPS is listening and presenting the configured certificate
openssl s_client -connect atezad1.corp.atez.world:636 -showcerts </dev/null
  • Create a User in samba using samba tool
sudo samba-tool user create kedar
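A pre-flight check, added here as an example and not part of the original how-to, that ties the smb.conf, netplan/resolv.conf and nsswitch.conf steps above together. It reads the three files and flags the settings on this page that a reviewer would question: 'ldap server require strong auth = no' and 'ntlm auth = yes' in smb.conf, an /etc/resolv.conf still pointing at the systemd-resolved stub 127.0.0.53 rather than the DC, and passwd/group lines without winbind. The sample files it writes are constructed for the demo; the IP 10.1.65.108 and the domain corp.atez.world are taken from this page, and the function names (smbconf_get, audit_smbconf, check_resolver, check_nsswitch, make_samples) are the example's own.

```sh
#!/bin/sh
# Added example, not part of the original how-to: a read-only pre-flight check
# for the three files this page edits (smb.conf, resolv.conf, nsswitch.conf).
# Every function takes the file as an argument, so it works on the real files
# under /etc or on the constructed samples written by make_samples below.

# smbconf_get FILE KEY: print the [global] value of KEY, lower-cased. Comments,
# surrounding whitespace and spaces inside the key are ignored, so "ntlm auth"
# and "NTLM Auth" match the same line. Prints nothing if the key is unset.
smbconf_get() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { in_global = ($0 ~ /\[global\]/); next }
        in_global && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == want) { print tolower(v); exit }
        }' "$1"
}

# audit_smbconf FILE: print one WEAK line per setting that weakens authentication,
# naming the safer value. Exit status is the number of findings (0 = clean).
audit_smbconf() {
    n=0
    v=$(smbconf_get "$1" "ldap server require strong auth")
    if [ "$v" = "no" ]; then
        echo "WEAK ldap server require strong auth = no: simple binds over plain LDAP (389) send passwords in clear; use 'yes' or 'allow_sasl_over_tls'"
        n=$((n + 1))
    fi
    v=$(smbconf_get "$1" "ntlm auth")
    case "$v" in
        yes|ntlmv1-permitted)
            echo "WEAK ntlm auth = $v: permits NTLMv1; the default 'ntlmv2-only' is safer"
            n=$((n + 1)) ;;
    esac
    v=$(smbconf_get "$1" "lanman auth")
    if [ "$v" = "yes" ]; then
        echo "WEAK lanman auth = yes: enables LM hashes; keep the default 'no'"
        n=$((n + 1))
    fi
    return "$n"
}

# check_resolver FILE DC_IP DOMAIN: 0 if the first nameserver is the DC and the
# search list contains the AD domain, else print why and return 1. Catches the
# stale systemd-resolved stub (127.0.0.53) left behind after resolved is disabled.
check_resolver() {
    ok=0
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    dom=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ "$ns" != "$2" ]; then
        echo "RESOLVER first nameserver is '${ns:-none}', expected the DC at $2"; ok=1
    fi
    if ! awk '$1 == "search" { for (i = 2; i <= NF; i++) print tolower($i) }' "$1" | grep -qxF "$dom"; then
        echo "RESOLVER search list does not contain $dom"; ok=1
    fi
    return "$ok"
}

# check_nsswitch FILE: 0 if passwd and group consult winbind (domain users get a
# uid/gid on the DC) and hosts still consults dns, else print why and return 1.
check_nsswitch() {
    ok=0
    for pair in passwd:winbind group:winbind hosts:dns; do
        db="${pair%%:*}:"; svc="${pair#*:}"
        if ! awk -v db="$db" -v svc="$svc" \
               '$1 == db { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 } END { exit !found }' "$1"; then
            echo "NSSWITCH $db does not list $svc"; ok=1
        fi
    done
    return "$ok"
}

# make_samples DIR: constructed sample files (not copied from any real host) that
# reproduce this page's smb.conf choices, the stock Ubuntu resolv.conf stub and
# the nsswitch.conf from the step above.
make_samples() {
    cat > "$1/smb.conf" <<'EOF'
# Global parameters
[global]
realm = CORP.ATEZ.WORLD
server role = active directory domain controller
ldap server require strong auth = no
#lanman auth = yes
ntlm auth = yes
tls enabled = yes
[sysvol]
path = /var/lib/samba/sysvol
EOF
    printf 'nameserver 127.0.0.53\nsearch lan\n' > "$1/resolv.conf"
    printf 'passwd:  files systemd winbind\ngroup:   files systemd winbind\nhosts:   files dns\n' > "$1/nsswitch.conf"
}

# Demo on the samples; on a real DC call the three check functions with
# /etc/samba/smb.conf, /etc/resolv.conf and /etc/nsswitch.conf instead.
dir=$(mktemp -d) && make_samples "$dir"
audit_smbconf "$dir/smb.conf" || echo "smb.conf: $? weak setting(s)"
check_resolver "$dir/resolv.conf" 10.1.65.108 corp.atez.world || echo "resolv.conf: not pointing at the DC"
check_nsswitch "$dir/nsswitch.conf" && echo "nsswitch.conf: OK"
rm -rf "$dir"
```

Run it as a script for the demo, or source it and call the functions against the live files: audit_smbconf /etc/samba/smb.conf; check_resolver /etc/resolv.conf 10.1.65.108 corp.atez.world; check_nsswitch /etc/nsswitch.conf. A non-zero exit status from any of them means the matching step above needs revisiting.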

Conclusion

  • We have a working Samba Active Directory domain controller.
  • Use the Microsoft Remote Server Administration Tools (RSAT) from a domain-joined Windows PC, or samba-tool on the DC, to access and manage the Active Directory
  • You can add further domain controllers to this architecture to make it more robust