Samba Additional Domain Controller
Latest revision as of 10:27, 20 December 2024
Setup Details

Hostname: dc1
Network: 172.16.141.0/24
IP Address: 172.16.141.115
Subnet Mask: 255.255.255.0
Gateway: 172.16.141.1
DNS: 8.8.8.8,9.9.9.9
sudo user: kedar

Hostname: dc2
Network: 172.16.141.0/24
IP Address: 172.16.141.116
Subnet Mask: 255.255.255.0
Gateway: 172.16.141.1
DNS: 8.8.8.8,9.9.9.9
sudo user: kedar

Domain: corp.atez.world
AD: Samba 4
DNS: Bind9 9.18
OS: Ubuntu 24.04
Important
- This how-to should not be read and followed in isolation.
- Prior to following this how-to, read the main article that explains steps in implementing samba and bind9.
- The main article can be found here
- The Samba Primary Domain Controller must be installed before the Additional Domain Controller. The link to that article can be found here
Before you proceed
The Active Directory domain used here is corp.atez.world. Neither the TLD atez.world nor the sub-domain corp.atez.world is owned by us. The domain is used only for demonstration, and the DNS entries it needs have already been added to the hosts file so that the domain and its subdomains are reachable on the lab network. The domain may be owned by someone else; we do not know who that is and we are not linked to them. The services configured for this domain or sub-domain are not reachable from the internet. Someone else may make similar configurations available on the internet, but we are not responsible for that, as we do not own the domain.
Introduction
- We shall be configuring an Additional Domain Controller, using Bind9_DLZ as the DNS backend in place of Samba's internal DNS server
- Bind9_DLZ has several benefits, and this how-to is not the place to discuss them all; one important advantage is that the DNS server can be configured in forward-only, recursive, and authoritative modes
- Both VMs are fully patched and the user 'kedar' used here has sudo privileges
- Install Additional Domain controller only after Primary Domain controller has been installed
Pre-requisites
- Please ensure pre-requisites are installed / configured before you move ahead with the steps below
- Click here to find out the pre-requisites for Samba domain controller installation / configuration
- Installation will fail if the pre-requisites are not followed.
Changes to resolv.conf
- Change resolv.conf: /etc/resolv.conf
$ sudo nano /etc/resolv.conf

nameserver 172.16.141.115
search corp.atez.world

- Check that ping google.com is working
Install & Configure Samba
- Run the following commands and, when asked, enter: Realm: CORP.ATEZ.WORLD; DNS Backend: BIND9_DLZ
$ sudo apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
$ sudo systemctl stop samba-ad-dc smbd nmbd winbind
$ sudo systemctl disable samba-ad-dc smbd nmbd winbind
$ sudo mv /etc/samba/smb.conf /etc/samba/smb.bak
$ sudo samba-tool domain join corp.atez.world DC -U"Administrator"
Realm: CORP.ATEZ.WORLD
- Configure /etc/samba/smb.conf - make necessary changes
# Global parameters
[global]
        netbios name = DC2
        realm = CORP.ATEZ.WORLD
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = ATEZ
        idmap_ldb:use rfc2307 = yes
        server role check:inhibit = yes
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        server signing = auto
        dsdb:schema update allowed = yes
        ldap server require strong auth = no
        drs:max object sync = 1200
        rpc server dynamic port range = 49152-65535
        #interfaces = lo,eth0
        #bind interfaces only = yes
        map to guest = Bad User
        log level = 3 auth_json_audit:5@/var/log/samba/samba_audit.log
        log file = /var/log/samba/samba.log
        max log size = 100000
        #lanman auth = yes
        ntlm auth = yes
        password hash userPassword schemes = CryptSHA256 CryptSHA512
        tls enabled = yes
        tls keyfile = tls/atezworldkey.pem
        tls certfile = tls/atezworldcert.pem
        tls cafile =
        # sysvol write log
        full_audit:failure = none
        full_audit:success = pwrite write renameat unlinkat
        full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
        full_audit:facility = local7
        full_audit:priority = NOTICE
        # disable null session
        restrict anonymous = 2
        # disable printing services
        printcap name = /dev/null
        load printers = no
        disable spoolss = yes
        printing = bsd

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit

[netlogon]
        path = /var/lib/samba/sysvol/corp.atez.world/scripts
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit
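Several of the [global] settings above deliberately relax Samba's defaults: ldap server require strong auth = no, ntlm auth = yes, dsdb:schema update allowed = yes, and an empty tls cafile next to a self-signed certificate. The script below is an added example, not part of this how-to and not a Samba tool, that reads an smb.conf and lists those settings so that each one is a conscious choice for the environment rather than something left over from the build. The parameter names are the real smb.conf parameters; the sample configuration the script writes when run without an argument is constructed to mirror the settings above, not a copy of the full file.

```shell
#!/usr/bin/env bash
# Added example (not from the how-to): flag smb.conf settings that relax
# Samba's defaults so that each one is a deliberate decision.
# Usage: audit-smb-conf.sh [/path/to/smb.conf]; with no argument the
# constructed sample from write_sample_conf is audited instead.

# get_param FILE NAME: print the value of the last uncommented "NAME = value"
# line inside [global] (key match is case-insensitive); prints nothing if unset.
get_param() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*\[/ {                      # section header such as [global]
            section = tolower($0)
            sub(/^[[:space:]]*\[/, "", section)
            if (index(section, "]") > 0) section = substr(section, 1, index(section, "]") - 1)
            next
        }
        /^[[:space:]]*[#;]/ { next }             # comment line
        section == "global" && index($0, "=") > 0 {
            eq = index($0, "=")                  # split on the first "=" only,
            key = tolower(substr($0, 1, eq - 1)) # values may contain "=" themselves
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (key == want) {
                val = substr($0, eq + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                last = val
            }
        }
        END { print last }' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_smb_conf FILE: print one FINDING line per relaxed setting; the return
# value is the number of findings (0 means nothing was flagged).
audit_smb_conf() {
    local file="$1" n=0 v
    v=$(lc "$(get_param "$file" 'ldap server require strong auth')")
    if [ "$v" = "no" ]; then
        echo "FINDING: ldap server require strong auth = no (simple binds accepted on unencrypted LDAP)"
        n=$((n + 1))
    fi
    v=$(lc "$(get_param "$file" 'ntlm auth')")
    if [ "$v" = "yes" ] || [ "$v" = "ntlmv1-permitted" ]; then
        echo "FINDING: ntlm auth = $v (NTLMv1 accepted; Samba's default is ntlmv2-only)"
        n=$((n + 1))
    fi
    v=$(lc "$(get_param "$file" 'lanman auth')")
    if [ "$v" = "yes" ]; then
        echo "FINDING: lanman auth = yes (LM responses accepted)"
        n=$((n + 1))
    fi
    v=$(lc "$(get_param "$file" 'dsdb:schema update allowed')")
    if [ "$v" = "yes" ]; then
        echo "FINDING: dsdb:schema update allowed = yes (leave enabled only while changing the schema)"
        n=$((n + 1))
    fi
    v=$(lc "$(get_param "$file" 'tls enabled')")
    if [ "$v" = "yes" ] && grep -Eiq '^[[:space:]]*tls cafile[[:space:]]*=[[:space:]]*$' "$file"; then
        echo "FINDING: tls enabled with an empty tls cafile (clients cannot validate the certificate chain)"
        n=$((n + 1))
    fi
    return "$n"
}

# write_sample_conf FILE: constructed sample mirroring the how-to's [global]
# choices (lanman auth is commented out, as in the how-to, so it must not fire).
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   netbios name = DC2
   realm = CORP.ATEZ.WORLD
   server role = active directory domain controller
   dsdb:schema update allowed = yes
   ldap server require strong auth = no
   #lanman auth = yes
   ntlm auth = yes
   tls enabled = yes
   tls keyfile = tls/atezworldkey.pem
   tls certfile = tls/atezworldcert.pem
   tls cafile =
   full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
[sysvol]
   path = /var/lib/samba/sysvol
EOF
}

conf="${1:-}"
if [ -z "$conf" ]; then
    conf=$(mktemp)
    write_sample_conf "$conf"
fi
n=0
audit_smb_conf "$conf" || n=$?
echo "$n relaxed setting(s) found in $conf"
```

On the DC, run it against /etc/samba/smb.conf (or against the output of testparm -s saved to a file, which shows the parameters as Samba actually parsed them). Only [global] is inspected, so the share sections are ignored, and the last occurrence of a parameter wins, which matches how Samba treats repeated parameters.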
- Generate SSL certs - the openssl certs should be generated from the correct directory
$ cd /var/lib/samba/private/tls
$ sudo openssl req -newkey rsa:2048 -keyout atezworldkey.pem -nodes -x509 -days 3650 -out atezworldcert.pem
Answer the relevant questions, ensuring the FQDN is: corp.atez.world
Configure Bind9 DNS
- There are three files in the bind9 server that need to be configured:
File 1: /etc/bind/named.conf.options
File 2: /etc/bind/named.conf.local
File 3: /etc/default/named
- File 1: Remove all the text in the file and paste the following configuration into File 1: /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        forwarders {
                8.8.8.8;
                9.9.9.9;
        };
        dnssec-validation no;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
        minimal-responses yes;
};
- File 2: Remove all the text in the file and paste the following configuration into File 2: sudo nano /etc/bind/named.conf.local
dlz "corp.atez.world" {
        # For BIND 9.18.28
        database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so";
};
- File 3: Remove all the text in the file and paste the following configuration into File 3: sudo nano /etc/default/named
#
# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-4 -u bind"
- Upgrade DNS to Bind9 DLZ
$ sudo samba_upgradedns --dns-backend=BIND9_DLZ
- Make changes to the /etc/nsswitch.conf file. It should look as below.
$ sudo nano /etc/nsswitch.conf

passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

Save & Exit
Preparing to start samba and bind9
- Make permanent changes to the resolv.conf file: sudo nano /etc/resolv.conf
nameserver 172.16.141.115
nameserver 172.16.141.116
search corp.atez.world

Save & exit
- Make changes to netplan: sudo nano /etc/netplan/50-cloud-init.yaml
network:
  ethernets:
    ens18:
      addresses:
        - 172.16.141.116/24
      nameservers:
        addresses:
          - 172.16.141.115
          - 172.16.141.116
        search:
          - corp.atez.world
      routes:
        - to: default
          via: 172.16.141.1
  version: 2
$ sudo netplan generate && sudo netplan apply
- Make changes to the Kerberos file
$ sudo mv /etc/krb5.conf /etc/krb5.conf.bkp
$ cd /var/lib/samba/private/
$ sudo cp krb5.conf /etc/krb5.conf
- Start bind9 and Samba AD
$ sudo systemctl unmask samba-ad-dc.service
$ sudo systemctl restart samba-ad-dc.service
$ sudo systemctl status samba-ad-dc.service
$ sudo systemctl enable samba-ad-dc.service
$ sudo systemctl enable named
$ sudo systemctl status named
Validations
Samba AD Validations
- Run some validations to check that the AD is working
$ sudo kinit administrator
$ sudo klist

The output of the above command should be:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@CORP.ATEZ.WORLD

Valid starting       Expires              Service principal
11/12/24 10:28:24    11/12/24 20:28:24    krbtgt/CORP.ATEZ.WORLD@CORP.ATEZ.WORLD
        renew until 11/13/24 10:28:16
11/12/24 15:44:19    11/12/24 20:28:24    host/dc1@CORP.ATEZ.WORLD
        renew until 11/13/24 10:28:16
Some more validations would be:
$ host -t srv _kerberos._udp.corp.atez.world

The output should be:

_kerberos._udp.corp.atez.world has SRV record 0 100 88 dc1.corp.atez.world.
_kerberos._udp.corp.atez.world has SRV record 0 100 88 dc2.corp.atez.world.

Check which hosts are mapped to corp.atez.world:
$ host corp.atez.world

The output should be:

corp.atez.world has address 172.16.141.116
corp.atez.world has address 172.16.141.115
DNS Validations
- Check that the DNS is working
$ nslookup yahoo.com

The output should be:

Server:         172.16.141.115      - This is our DNS server
Address:        172.16.141.115#53

Non-authoritative answer:
Name:   yahoo.com
Address: 98.137.11.163
Name:   yahoo.com
Address: 98.137.11.164
...
...
- Check that the DNS service is listening on the right port
$ netstat -tapn | grep 53
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp        0      0 0.0.0.0:49153           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -
tcp        0      0 172.16.141.116:53       0.0.0.0:*               LISTEN      -
tcp        0      0 172.16.141.116:53       0.0.0.0:*               LISTEN      -
tcp        0      0 172.16.141.116:53       0.0.0.0:*               LISTEN      -
tcp        0      0 172.16.141.116:53       0.0.0.0:*               LISTEN      -
tcp        0      0 172.16.141.116:57182    172.16.141.115:49153    ESTABLISHED -
tcp        0      0 172.16.141.116:49153    172.16.141.115:57336    ESTABLISHED -
tcp6       0      0 :::49153                :::*                    LISTEN      -
- This installs the Samba Additional Domain Controller with Bind9 DLZ as the DNS backend
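The SRV, A-record and port-53 checks above are compared against expected output by eye. The script below is an added example, not part of this how-to, that encodes the same expectations as functions that parse the command output and return the number of missing items, so the check can be re-run after every change or from a monitoring job. The sample outputs embedded in it are constructed to match the expected output shown above (domain, DC names and addresses from the setup table); running it with LIVE=1 on the DC executes the real host and netstat commands instead. It uses netstat -tln rather than -tapn so that no root privileges are needed and the output has no process column.

```shell
#!/usr/bin/env bash
# Added example (not from the how-to): validate the DC's DNS records and
# listener by parsing command output instead of reading it by eye.
# Usage: validate-dc-dns.sh           (checks the constructed samples below)
#        LIVE=1 validate-dc-dns.sh    (runs host/netstat on this DC)

# check_srv_targets OUTPUT DOMAIN PORT "dc1 dc2 ..."
# Returns the number of expected DCs that do not appear as an SRV target on PORT.
check_srv_targets() {
    local output="$1" domain="$2" port="$3" expected="$4" missing=0 dc
    for dc in $expected; do
        # "host -t srv" lines end "... <prio> <weight> <port> <target>."
        if printf '%s\n' "$output" | awk -v tgt="${dc}.${domain}." -v port="$port" '
            /has SRV record/ && $NF == tgt && $(NF-1) == port { ok = 1 }
            END { exit ok ? 0 : 1 }'; then
            echo "OK      SRV -> ${dc}.${domain} port ${port}"
        else
            echo "MISSING SRV -> ${dc}.${domain} port ${port}"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_a_records OUTPUT DOMAIN "ip1 ip2 ..."
# Returns the number of expected addresses missing from "host DOMAIN" output.
check_a_records() {
    local output="$1" domain="$2" expected="$3" missing=0 ip
    for ip in $expected; do
        if printf '%s\n' "$output" | grep -Fqx "${domain} has address ${ip}"; then
            echo "OK      ${domain} -> ${ip}"
        else
            echo "MISSING ${domain} -> ${ip}"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_dns_listener OUTPUT IP
# Returns 0 if "netstat -tln" output shows a TCP LISTEN socket on IP:53.
check_dns_listener() {
    printf '%s\n' "$1" | awk -v want="$2:53" '
        $1 ~ /^tcp/ && $4 == want && $6 == "LISTEN" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# run_checks DOMAIN SRV_OUTPUT A_OUTPUT NETSTAT_OUTPUT DC_IP
# Returns the total number of failed expectations.
run_checks() {
    local domain="$1" failed=0
    check_srv_targets "$2" "$domain" 88 "dc1 dc2" || failed=$((failed + $?))
    check_a_records "$3" "$domain" "172.16.141.115 172.16.141.116" || failed=$((failed + $?))
    if check_dns_listener "$4" "$5"; then
        echo "OK      named listening on $5:53"
    else
        echo "MISSING no TCP listener on $5:53"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Constructed samples shaped like the output the how-to expects.
SAMPLE_SRV='_kerberos._udp.corp.atez.world has SRV record 0 100 88 dc1.corp.atez.world.
_kerberos._udp.corp.atez.world has SRV record 0 100 88 dc2.corp.atez.world.'
SAMPLE_A='corp.atez.world has address 172.16.141.116
corp.atez.world has address 172.16.141.115'
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 172.16.141.116:53       0.0.0.0:*               LISTEN
tcp6       0      0 :::49153                :::*                    LISTEN'

if [ "${LIVE:-0}" = 1 ]; then
    srv_out=$(host -t srv _kerberos._udp.corp.atez.world)
    a_out=$(host corp.atez.world)
    ns_out=$(netstat -tln)
else
    srv_out=$SAMPLE_SRV; a_out=$SAMPLE_A; ns_out=$SAMPLE_NETSTAT
fi
if run_checks corp.atez.world "$srv_out" "$a_out" "$ns_out" 172.16.141.116; then
    echo "all checks passed"
else
    echo "some checks failed"
fi
```

The DC list, expected addresses and the port-88 Kerberos SRV target are hard-coded to this lab; adjust them when a third DC is added, and the script will then fail until that DC's SRV and A records are actually visible from the DNS server being checked.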
Conclusion
- We have a fully functional and integrated Samba Additional Domain Controller
- Bind9 DLZ is used as the DNS backend
- Both DNS and AD are functioning as expected
- Follow the same process to add further domain controllers to the domain