Samba As Domain Controller

From The Opensource Knowledgebase
Latest revision as of 09:16, 27 April 2023

Setup Details
hostname: infrabase1
Network: 10.1.65.0/24
IP Address: 10.1.65.11
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar

VM: atezworldad1
Network: 10.1.65.0/24
IP Address: 10.1.65.109
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar

User PC Details
PC type: Desktop
OS: Ubuntu Desktop
IP Address: 10.1.65.160

Before you proceed

The domain used here is atez.world and is used only for demonstration; use your own domain when configuring the Active Directory domain. This installation uses the Ubuntu 22.04 server OS and the samba packages from the repository provided and maintained by Canonical. This is done so that any vulnerability fixes released for samba are delivered by Canonical and are generally safe to apply. Samba can also be installed by compiling from source, but then every patch or fix requires re-compilation.

Introduction

  • We shall be creating an Active Directory with the domain atez.world
  • We shall be enabling TLS by default and also enabling LDAPS, so that clients connect to the AD over a secure port
  • We shall be using a self-signed SSL certificate

Pre-requisites installation

  • Log into the server and run the commands below
ssh kedar@10.1.65.109
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
  • Add nameserver in resolv.conf
sudo unlink /etc/resolv.conf
sudo nano /etc/resolv.conf
nameserver 8.8.8.8
  • Install & Configure Chrony NTP server
  • Install
sudo apt install chrony
  • Configure by editing the file /etc/chrony/chrony.conf
pool ntp.ubuntu.com        iburst maxsources 4
pool 0.in.pool.ntp.org iburst maxsources 1
pool 1.in.pool.ntp.org iburst maxsources 1
pool 2.in.pool.ntp.org iburst maxsources 2
  • Restart & Check if chrony is working
sudo systemctl restart chrony
sudo systemctl status chronyd
sudo chronyc tracking
  • Install and configure other pre-requisites
sudo apt update && sudo apt upgrade -y
sudo timedatectl set-timezone Asia/Kolkata

Install samba and utils

sudo apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind net-tools openssl

When prompted during the installation (the krb5-config package asks for the realm), enter ATEZ.WORLD three times; any domain you enter here must be in CAPS.

sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo mv /etc/samba/smb.conf /etc/samba/smb.bak

Provisioning the domain controller

sudo samba-tool domain provision --use-rfc2307 --interactive

Update the /etc/samba/smb.conf file with the below content

# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = ATEZWORLDAD1
        realm = ATEZ.WORLD
        server role = active directory domain controller
        workgroup = ATEZ
        idmap_ldb:use rfc2307 = yes

        server role check:inhibit = yes
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

        server signing = auto
        dsdb:schema update allowed = yes
        ldap server require strong auth = no
        drs:max object sync = 1200

        rpc server dynamic port range = 49152-65535
        #interfaces = lo,eth0
        #bind interfaces only = yes

        map to guest = Bad User
        log level = 3 auth_json_audit:5@/var/log/samba/samba_audit.log
        log file = /var/log/samba/samba.log
        max log size = 100000

        #lanman auth = yes
        ntlm auth = yes

        password hash userPassword schemes = CryptSHA256 CryptSHA512

        tls enabled = yes
        tls keyfile = tls/atezworldkey.pem
        tls certfile = tls/atezworldcert.pem
        tls cafile =
        
        # sysvol write log
        full_audit:failure = none
        full_audit:success = pwrite write renameat unlinkat
        full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
        full_audit:facility = local7
        full_audit:priority = NOTICE

        # disable null session
        restrict anonymous = 2

        # disable printing services
        printcap name = /dev/null
        load printers = no
        disable spoolss = yes
        printing = bsd

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit

[netlogon]
        path = /var/lib/samba/sysvol/atez.world/scripts
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit
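The configuration above deliberately relaxes a few Samba defaults (for example ldap server require strong auth = no and ntlm auth = yes). As an added example that is not part of the original page, the script below reads an smb.conf in Samba's key = value layout and reports those settings, so that a practitioner can see at a glance which relaxations a deployment still carries. The write_sample_smbconf helper writes a constructed excerpt of the [global] section above for trying the audit offline; the function names, the finding texts and the sample file are this example's own, not Samba's.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit an smb.conf for the
# authentication and transport settings that the configuration above relaxes.
# Assumes Samba's "key = value" lines under "[section]" headers.
set -u

# smbconf_get FILE SECTION KEY -> prints the value (trimmed); prints nothing if
# the key is unset or commented out.
smbconf_get() {
    awk -v want_section="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ { next }                 # comment line
        /^[[:space:]]*\[/ {                          # [section] header
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            section = s; next
        }
        section == want_section && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == want_key) { print v; exit }
        }' "$1"
}

# smbconf_audit FILE -> prints one finding per line; returns the number of findings.
smbconf_audit() {
    local f="$1" n=0 v

    v=$(smbconf_get "$f" global "tls enabled" | tr '[:upper:]' '[:lower:]')
    [ "$v" = "yes" ] || { echo "FINDING: tls enabled=${v:-unset}; LDAPS (636) will not be offered"; n=$((n + 1)); }

    v=$(smbconf_get "$f" global "ldap server require strong auth" | tr '[:upper:]' '[:lower:]')
    [ "$v" != "no" ] || { echo "FINDING: ldap server require strong auth=no; simple binds are accepted over plain LDAP (389)"; n=$((n + 1)); }

    v=$(smbconf_get "$f" global "ntlm auth" | tr '[:upper:]' '[:lower:]')
    [ "$v" != "yes" ] || { echo "FINDING: ntlm auth=yes; NTLMv1 is allowed in addition to NTLMv2"; n=$((n + 1)); }

    v=$(smbconf_get "$f" global "lanman auth" | tr '[:upper:]' '[:lower:]')
    [ "$v" != "yes" ] || { echo "FINDING: lanman auth=yes; LM hashes are accepted"; n=$((n + 1)); }

    v=$(smbconf_get "$f" global "restrict anonymous")
    [ "$v" = "2" ] || { echo "FINDING: restrict anonymous=${v:-unset}; anonymous (null) sessions are not fully blocked"; n=$((n + 1)); }

    return "$n"
}

# write_sample_smbconf PATH -> writes a constructed excerpt of the [global]
# section shown above (not a real deployment file) for trying the audit offline.
write_sample_smbconf() {
    cat >"$1" <<'EOF'
# Global parameters
[global]
        netbios name = ATEZWORLDAD1
        realm = ATEZ.WORLD
        server role = active directory domain controller
        ldap server require strong auth = no
        ntlm auth = yes
        #lanman auth = yes
        tls enabled = yes
        tls keyfile = tls/atezworldkey.pem
        restrict anonymous = 2

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
EOF
}

# Usage: ./smbconf_audit.sh /etc/samba/smb.conf   (no argument audits the sample)
if [ "$#" -ge 1 ]; then
    smbconf_audit "$1" || echo "$? finding(s)"
else
    sample=$(mktemp)
    write_sample_smbconf "$sample"
    smbconf_audit "$sample" || echo "$? finding(s)"
    rm -f "$sample"
fi
```

Run against the sample, the audit reports two findings (the strong-auth and NTLM settings); run against the real file after provisioning, it shows which of those the server still carries. The exit status of smbconf_audit is the finding count, so it can gate a configuration-management step.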

Generate self-signed certificate

  • Using the openssl tools, create a self-signed certificate and store it in /var/lib/samba/private/tls.
  • If that folder does not exist, create it.
cd /var/lib/samba/private/tls
openssl req -newkey rsa:2048 -keyout atezworldkey.pem -nodes -x509 -days 3650 -out atezworldcert.pem
  • Answer the prompts as below
Country Name (default AU): IN
State or Province Name: Maharashtra
City: Mumbai
Company Name: Atez World
Organization Unit: corpit
Common Name: atezworldad1.atez.world
Email Address: admin@atez.world
  • Replace the Kerberos config with the one Samba generated, then unmask and restart the samba-ad-dc service
sudo mv /etc/krb5.conf /etc/krb5.conf.initial
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
sudo systemctl unmask samba-ad-dc.service
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Check if samba is running
sudo netstat -plant | egrep 'smbd|samba'
  • Change the nameservers in netplan and replace the gateway4 argument, which is now deprecated, with a routes entry
sudo nano /etc/netplan/00-installer-config.yaml

network:
  ethernets:
    ens18:
      addresses:
      - 10.1.65.109/24
#      gateway4: 172.16.141.1
      nameservers:
        addresses:
        - 10.1.65.109
        search: [ATEZ.WORLD]
      routes:
      - to: default
        via: 10.1.65.1
  version: 2

Save the file and apply the configuration with: sudo netplan apply

  • Add winbind option to /etc/nsswitch.conf
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
  • Edit the /etc/resolv.conf file and point it at the DC
sudo nano /etc/resolv.conf
nameserver 10.1.65.109
search atez.world
  • Restart Samba Service
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Restart the server
sudo init 6
  • Edit the /etc/hosts file and add the correct hostnames
10.1.65.109  atezworldad1.atez.world atezworldad1

Validate if samba is working correctly

  • Check that a Kerberos ticket can be obtained
sudo kinit administrator
  • Check that the DC's SRV records resolve to the correct name
sudo host -t srv _kerberos._udp.atez.world
host -t srv _ldap._tcp.atez.world
  • Check that samba is listening
sudo netstat -plant | egrep 'smbd|samba'
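The host and netstat checks above rely on reading the output by eye. As an added example that is not part of the original page, the script below parses the answer lines that host -t srv prints, checks that each record points at the expected DC and port, and also confirms that LDAPS on port 636 presents a certificate, which the tls settings in smb.conf enable. The SAMPLE_* lines are constructed answers in host's output format so the parsing can be tried without a running DC; dc_validate, srv_target and check_srv are names this example introduces.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): validate the DNS SRV records a
# Samba AD DC must publish, with the parsing separated from the live lookups so
# it can be exercised against captured output. Domain and DC names are the
# page's (atez.world, atezworldad1); adjust for your own.
set -u

# srv_target LINE -> prints "target port" from one `host -t srv` answer line,
# e.g. "_ldap._tcp.atez.world has SRV record 0 100 389 atezworldad1.atez.world."
srv_target() {
    printf '%s\n' "$1" | awk '/ has SRV record / {
        target = $NF; sub(/\.$/, "", target)   # strip the trailing dot of the FQDN
        print target, $(NF - 1)
        exit
    }'
}

# check_srv LINE EXPECTED_TARGET EXPECTED_PORT -> 0 if the record points at the
# expected DC and port, 1 otherwise (including "not found" answers).
check_srv() {
    local got expected="$2 $3"
    got=$(srv_target "$1")
    [ "$got" = "$expected" ]
}

# Constructed sample answers (not captured from a real DC), in the format
# `host` prints, for trying the checks offline.
SAMPLE_KRB='_kerberos._udp.atez.world has SRV record 0 100 88 atezworldad1.atez.world.'
SAMPLE_LDAP='_ldap._tcp.atez.world has SRV record 0 100 389 atezworldad1.atez.world.'
SAMPLE_MISSING='Host _ldap._tcp.atez.world not found: 3(NXDOMAIN)'

# dc_validate DOMAIN DC_FQDN -> runs the live checks through the resolver in
# /etc/resolv.conf; prints OK/FAIL per check and returns the number of failures.
dc_validate() {
    local domain="$1" dc="$2" fails=0 answer rec name port
    for rec in "_kerberos._udp:88" "_ldap._tcp:389"; do
        name=${rec%:*}; port=${rec#*:}
        answer=$(host -t srv "${name}.${domain}" 2>&1 | grep -m1 'has SRV record' || true)
        if check_srv "$answer" "$dc" "$port"; then
            echo "OK   ${name}.${domain} -> ${dc}:${port}"
        else
            echo "FAIL ${name}.${domain}: ${answer:-no answer}"
            fails=$((fails + 1))
        fi
    done
    # LDAPS on 636 should present the certificate configured in smb.conf.
    if openssl s_client -connect "${dc}:636" -servername "$dc" </dev/null 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'; then
        echo "OK   LDAPS on ${dc}:636 presents a certificate"
    else
        echo "FAIL LDAPS on ${dc}:636 did not present a certificate"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Live run only when invoked with both arguments, e.g.:
#   ./dc_validate.sh atez.world atezworldad1.atez.world
if [ "$#" -eq 2 ]; then
    dc_validate "$1" "$2" || echo "$? check(s) failed"
fi
```

Run it on the DC itself after the resolv.conf change, and again from the user PC (10.1.65.160) once its resolver points at the DC; a record that resolves locally but not from a client usually means the client is still using the old nameserver. The self-signed certificate will not verify against a CA, so the LDAPS check only confirms that a certificate is served, not that it is trusted.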

User and groups management

  • Create a User in samba using samba tool
sudo samba-tool user create kedar
sudo samba-tool user setpassword kedar (Do not skip this step even if you set a password in the previous step)
  • Edit user attributes & add the following attributes to the end of the file
sudo samba-tool user edit kedar

mail: kedar@atez.world
givenName: Kedar
sn: Atez
mobile: 98xxxxxxxxx
  • Add groups
sudo samba-tool group add z-license-allocation
sudo samba-tool group add z-admins
  • Add users to the groups
sudo samba-tool group addmembers z-admins kedar
sudo samba-tool group addmembers z-license-allocation kedar
  • List the members in groups
sudo samba-tool group listmembers z-license-allocation
sudo samba-tool group listmembers z-admins

Conclusion

  • We now have a working Samba Active Directory.
  • Using RSAT (Remote Server Administration Tools), you can access and manage the Active Directory
  • You can add multiple domain controllers to this architecture to make it more robust