Samba As Domain Controller: Difference between revisions

From The Opensource Knowledgebase
Revision as of 09:08, 27 April 2023

Setup Details
hostname: infrabase1
Network: 10.1.65.0/24
IP Address : 10.1.65.11
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar

VM: atezworldad1
Network: 10.1.65.0/24
IP Address : 10.1.65.109
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar

User PC Details
PC type: Desktop
OS: Ubuntu Desktop
IP Address: 10.1.65.160

Before you proceed

The domain used here is atez.world; it is used only for demonstration, and you should substitute your own domain when configuring the Active Directory domain. This installation uses Ubuntu 22.04 Server and the Samba packages from the repository provided and maintained by Canonical, so that any vulnerability fixes released for Samba arrive as Canonical-supplied updates that are generally safe to apply. Samba can also be built from source, but then every patch or fix requires recompilation.

Introduction

  • We shall be creating an active directory with domain as: atez.world
  • We shall be enabling TLS by default and also enabling LDAPS for connecting to AD on a secure port
  • We shall be using a self-signed SSL certificate

Pre-requisites installation

  • Log into the server and run the below commands
ssh kedar@10.1.65.109
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
  • Add nameserver in resolv.conf
sudo unlink /etc/resolv.conf
sudo nano /etc/resolv.conf
nameserver 8.8.8.8
  • Install & Configure Chrony NTP server
  • Install
sudo apt install chrony
  • Configure by editing the file /etc/chrony/chrony.conf
pool ntp.ubuntu.com        iburst maxsources 4
pool 0.in.pool.ntp.org iburst maxsources 1
pool 1.in.pool.ntp.org iburst maxsources 1
pool 2.in.pool.ntp.org iburst maxsources 2
  • Restart & Check if chrony is working
sudo systemctl restart chrony
sudo systemctl status chronyd
sudo chronyc tracking
  • Install and configure other pre-requisites
sudo apt update && sudo apt upgrade -y
sudo timedatectl set-timezone Asia/Kolkata

Install samba and utils

sudo apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind net-tools openssl

When prompted during the installation, enter ATEZ.WORLD at all three prompts (whatever domain you use, enter it in capitals).

sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo mv /etc/samba/smb.conf /etc/samba/smb.bak

Provisioning the domain controller

sudo samba-tool domain provision --use-rfc2307 --interactive

Update the /etc/samba/smb.conf file with the below content

# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = ATEZWORLDAD1
        realm = ATEZ.WORLD
        server role = active directory domain controller
        workgroup = ATEZ
        idmap_ldb:use rfc2307 = yes

        server role check:inhibit = yes
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

        server signing = auto
        dsdb:schema update allowed = yes
        ldap server require strong auth = no
        drs:max object sync = 1200

        rpc server dynamic port range = 49152-65535
        #interfaces = lo,eth0
        #bind interfaces only = yes

        map to guest = Bad User
        log level = 3 auth_json_audit:5@/var/log/samba/samba_audit.log
        log file = /var/log/samba/samba.log
        max log size = 100000

        #lanman auth = yes
        ntlm auth = yes

        password hash userPassword schemes = CryptSHA256 CryptSHA512

        tls enabled = yes
        tls keyfile = tls/atezworldkey.pem
        tls certfile = tls/atezworldcert.pem
        tls cafile =
        
        # sysvol write log
        full_audit:failure = none
        full_audit:success = pwrite write renameat unlinkat
        full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
        full_audit:facility = local7
        full_audit:priority = NOTICE

        # disable null session
        restrict anonymous = 2

        # disable printing services
        printcap name = /dev/null
        load printers = no
        disable spoolss = yes
        printing = bsd

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit

[netlogon]
        path = /var/lib/samba/sysvol/atez.world/scripts
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit
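A quick way to see what the configuration above actually grants is to parse it and flag the settings that relax authentication (ldap server require strong auth = no, ntlm auth = yes, map to guest = Bad User) while confirming the hardening keys it relies on. This is an added example, not part of the page; the parser and the SAMPLE_SMB_CONF excerpt are constructed here, and it assumes a plain smb.conf without include directives.

```python
"""Audit a Samba AD DC smb.conf for the authentication-relevant settings used in
this guide.  Added example; SAMPLE_SMB_CONF is a constructed excerpt of the config above."""
import re

SAMPLE_SMB_CONF = """
# Global parameters
[global]
        realm = ATEZ.WORLD
        ldap server require strong auth = no
        ntlm auth = yes
        map to guest = Bad User
        tls enabled = yes
        tls cafile =
        restrict anonymous = 2
        disable spoolss = yes
[sysvol]
        vfs objects = dfs_samba4, acl_xattr, full_audit
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, comments dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")  # split at the first '=' only
            sections[current][key.strip().lower()] = value.strip()
    return sections

# Settings in this guide's config that weaken authentication and should be
# accepted knowingly or tightened: (key, weak value, why it matters).
WEAK_SETTINGS = [
    ("ldap server require strong auth", "no",
     "simple LDAP binds are accepted without TLS, so passwords may cross the wire in clear"),
    ("ntlm auth", "yes", "NTLMv1 responses accepted; Samba's default ntlmv2-only is stronger"),
    ("map to guest", "Bad User", "logons with unknown usernames are mapped to guest instead of rejected"),
]
# Settings this guide relies on for hardening: (key, expected value).
REQUIRED_SETTINGS = [("tls enabled", "yes"), ("restrict anonymous", "2"), ("disable spoolss", "yes")]

def audit_global(sections):
    """Return (findings, missing): weak settings present, required ones absent or wrong."""
    g = sections.get("global", {})
    findings = [f"{k} = {v!r}: {why}" for k, v, why in WEAK_SETTINGS if g.get(k) == v]
    missing = [k for k, v in REQUIRED_SETTINGS if g.get(k, "").lower() != v]
    return findings, missing
```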

Generate self-signed certificate

  • Using openssl, create a self-signed certificate and store it in /var/lib/samba/private/tls.
  • If the above folder does not exist, you can create it.
cd /var/lib/samba/private/tls
openssl req -newkey rsa:2048 -keyout atezworldkey.pem -nodes -x509 -days 3650 -out atezworldcert.pem
  • Answer relevant questions as below
Country Name [AU] : IN
State or Province Name : Maharashtra
City : Mumbai
Company Name : Atez World
Organization Unit : corpit
Common Name : atezworldad1.atez.world
Email Address : admin@atez.world
  • Replace the default Kerberos config with the one generated by provisioning, then unmask and restart the Samba AD DC service
sudo mv /etc/krb5.conf /etc/krb5.conf.initial
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
sudo systemctl unmask samba-ad-dc.service
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Check that Samba is running and listening
sudo netstat -plant | egrep 'smbd|samba'
  • Change the nameservers in netplan and replace the deprecated gateway4 key with a default route
sudo nano /etc/netplan/00-installer-config.yaml

network:
  ethernets:
    ens18:
      addresses:
      - 10.1.65.109/24
#      gateway4: 172.16.141.1
      nameservers:
        addresses:
        - 10.1.65.109
        search: [ATEZ.WORLD]
      routes:
      - to: default
        via: 10.1.65.1 
  version: 2

Save the file and apply the netplan configuration with: sudo netplan apply

  • Add winbind option to /etc/nsswitch.conf
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
  • Edit the /etc/resolv.conf file and point it at the DC's own DNS
sudo nano /etc/resolv.conf
nameserver 10.1.65.109
search atez.world
  • Restart Samba Service
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Restart the server
sudo init 6
  • Edit the /etc/hosts file and add the correct hostnames
10.1.65.109  atezworldad1.atez.world atezworldad1
  • Check Kerberos by requesting a ticket
sudo kinit administrator
  • Check that the DC's SRV records resolve correctly
sudo host -t srv _kerberos._udp.atez.world
host -t srv _ldap._tcp.atez.world
  • Create a user in Samba using samba-tool
sudo samba-tool user create kedar
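With the auth_json_audit sink configured above, every logon attempt is written to /var/log/samba/samba_audit.log as a JSON record. This added example (not from the page) parses those records, counts failed logons per client address and lists clients still authenticating with NTLMv1, which the ntlm auth = yes setting permits; the sample lines are constructed, using the field names of Samba's Authentication audit message.

```python
"""Summarise Samba's JSON authentication audit log (the auth_json_audit sink
configured above).  Added example; sample lines are constructed with the
field names of Samba's "Authentication" audit message."""
import json
from collections import Counter

# Constructed sample lines; the first keeps the text Samba prints before the JSON.
SAMPLE_AUDIT_LOG = """\
JSON Authentication: {"timestamp": "2023-04-27T09:10:01+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.1.65.160:50122", "serviceDescription": "SMB2", "clientDomain": "ATEZ", "clientAccount": "kedar", "passwordType": "NTLMv2"}}
{"timestamp": "2023-04-27T09:10:07+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.1.65.77:49881", "serviceDescription": "SMB2", "clientDomain": "ATEZ", "clientAccount": "administrator", "passwordType": "NTLMv1"}}
{"timestamp": "2023-04-27T09:10:08+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.1.65.77:49882", "serviceDescription": "SMB2", "clientDomain": "ATEZ", "clientAccount": "administrator", "passwordType": "NTLMv1"}}
{"timestamp": "2023-04-27T09:10:09+0530", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:10.1.65.77:49883", "serviceDescription": "LDAP", "clientDomain": "ATEZ", "clientAccount": "backup", "passwordType": "Plaintext"}}
{"timestamp": "2023-04-27T09:10:30+0530", "type": "Authorization", "Authorization": {"serviceDescription": "SMB2", "remoteAddress": "ipv4:10.1.65.160:50122", "account": {"domain": "ATEZ", "name": "kedar"}}}
[2023/04/27 09:10:31.000000,  3] plain log header line without JSON
"""

def parse_auth_events(text):
    """Return the Authentication records (with their timestamp) from audit log
    text, skipping Authorization records and lines that carry no JSON."""
    events = []
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            rec = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        if rec.get("type") == "Authentication":
            ev = dict(rec["Authentication"])
            ev["timestamp"] = rec.get("timestamp")
            events.append(ev)
    return events

def client_ip(ev):
    """'ipv4:10.1.65.77:49881' -> '10.1.65.77' (the port is the last ':' field)."""
    addr = ev.get("remoteAddress", "").split(":", 1)[-1]
    return addr.rsplit(":", 1)[0]

def summarise_failures(events):
    """Return (failed logons per client IP, set of IPs that used NTLMv1)."""
    failures, ntlmv1 = Counter(), set()
    for ev in events:
        ip = client_ip(ev)
        if ev.get("status") != "NT_STATUS_OK":
            failures[ip] += 1
        if ev.get("passwordType") == "NTLMv1":
            ntlmv1.add(ip)
    return failures, ntlmv1
```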

Conclusion

  • We have a working Samba Active Directory.
  • Using RSAT (Remote Server Administration Tools), access and manage the Active Directory
  • You can add multiple domain controllers to this architecture and make it more robust