Samba Additional Domain Controller

From Linux Infrastructure Advisory
Revision as of 10:27, 20 December 2024 by Adminforsysengwiki (talk | contribs)
Setup Details
Hostname: dc1
Network: 172.16.141.0/24
IP Address : 172.16.141.115
Subnet Mask: 255.255.255.0
Gateway: 172.16.141.1
DNS: 8.8.8.8,9.9.9.9
sudo user: kedar

Hostname: dc2
Network: 172.16.141.0/24
IP Address : 172.16.141.116
Subnet Mask: 255.255.255.0
Gateway: 172.16.141.1
DNS: 8.8.8.8,9.9.9.9
sudo user: kedar

Domain: corp.atez.world
AD: Samba 4
DNS: Bind9 9.18
OS: Ubuntu 24.04

Important

  • This how-to should not be read and followed in isolation.
  • Prior to following this how-to, read the main article that explains steps in implementing samba and bind9.
  • The main article can be found here
  • Samba Primary Domain Controller should be installed first before installing Additional Controller. Link to that article can be found here

Before you proceed

The Active Directory domain used here is corp.atez.world. The TLD atez.world is not owned by us, nor is the sub-domain corp.atez.world. It is used only for demonstration; the DNS entries needed for this domain have already been added to the hosts file so that the domain and its sub-domains are reachable on the local network. The domain may be owned by someone else; we do not know who, and we are not linked to them. Services configured for this domain or sub-domain are not reachable from the internet on the servers where they are configured. Someone else may do a similar configuration and make it available on the internet, but we are not responsible for that, as we do not own the domain.

Introduction

  • We shall be configuring an Additional Domain Controller, using Bind9_DLZ as the DNS backend in place of Samba's internal DNS server
  • Bind9_DLZ has several benefits, and this how-to is not the place to discuss them all; one important advantage, however, is that the DNS server can be configured in forward-only, recursive and authoritative modes
  • Both VMs are fully patched and the user 'kedar' used here has sudo privileges
  • Install the Additional Domain Controller only after the Primary Domain Controller has been installed

Pre-requisites

  • Please ensure pre-requisites are installed / configured before you move ahead with the steps below
  • Click here to find out the pre-requisites for Samba domain controller installation / configuration
  • Installation will fail if the pre-requisites are not followed.

Changes to resolv.conf

  • Change resolv.conf: /etc/resolv.conf
$ sudo nano /etc/resolv.conf
nameserver 172.16.141.115
search     corp.atez.world
  • Check if ping google.com is working

Install & Configure Samba

  • Run the following commands and when asked enter: Realm : CORP.ATEZ.WORLD; DNS Backend: BIND9_DLZ
$ sudo apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
$ sudo systemctl stop samba-ad-dc smbd nmbd winbind
$ sudo systemctl disable samba-ad-dc smbd nmbd winbind
$ sudo mv /etc/samba/smb.conf /etc/samba/smb.bak
$ sudo samba-tool domain join corp.atez.world DC -U"Administrator"
Realm: CORP.ATEZ.WORLD
  • Configure /etc/samba/smb.conf so that it looks as below, adjusting the values for your environment
# Global parameters
[global]
        netbios name = DC2
        realm = CORP.ATEZ.WORLD
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = ATEZ
        idmap_ldb:use rfc2307 = yes

        server role check:inhibit = yes
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

        server signing = auto
        dsdb:schema update allowed = yes
        ldap server require strong auth = no
        drs:max object sync = 1200

        rpc server dynamic port range = 49152-65535
        #interfaces = lo,eth0
        #bind interfaces only = yes

        map to guest = Bad User
        log level = 3 auth_json_audit:5@/var/log/samba/samba_audit.log
        log file = /var/log/samba/samba.log
        max log size = 100000

        #lanman auth = yes
        ntlm auth = yes

        password hash userPassword schemes = CryptSHA256 CryptSHA512

        tls enabled = yes
        tls keyfile = tls/atezworldkey.pem
        tls certfile = tls/atezworldcert.pem
        tls cafile =

        # sysvol write log
        full_audit:failure = none
        full_audit:success = pwrite write renameat unlinkat
        full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
        full_audit:facility = local7
        full_audit:priority = NOTICE

        # disable null session
        restrict anonymous = 2
        
        # disable printing services
        printcap name = /dev/null
        load printers = no
        disable spoolss = yes
        printing = bsd

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit

[netlogon]
        path = /var/lib/samba/sysvol/corp.atez.world/scripts
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit
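The smb.conf above deliberately relaxes several authentication settings (`ldap server require strong auth = no`, `ntlm auth = yes`, `dsdb:schema update allowed = yes`). The following script is an added example, not part of the wiki page or of Samba: it reads `[global]` parameters the way Samba does (ignoring case and whitespace in names) and flags those settings so they can be reviewed before the DC goes into service. The sample file it writes is a constructed excerpt of the configuration above.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki page): audit an smb.conf such as the one above for
# [global] settings that weaken DC authentication; the sample file is a constructed excerpt.
set -u
# Read one [global] parameter. Samba ignores case and whitespace in parameter names,
# so both are stripped before comparing. The value is printed lowercased, which suits
# the yes/no parameters checked below.
smbconf_get() {
    awk -v key="$1" '
        BEGIN { gsub(/[ \t]/, "", key); key = tolower(key) }
        /^[ \t]*[#;]/ { next }                     # comment line
        /^[ \t]*\[/   { section = $0; next }       # [global], [sysvol], ...
        section ~ /\[global\]/ && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print tolower(v); exit }
        }' "$2"
}

# Print one line per finding (the caller counts them); always returns 0.
audit_smbconf() {
    local f=$1
    [ "$(smbconf_get 'ldap server require strong auth' "$f")" = "no" ] &&
        echo "WEAK  ldap server require strong auth = no: simple binds accepted over cleartext LDAP"
    case "$(smbconf_get 'ntlm auth' "$f")" in
        yes|ntlmv1-permitted) echo "WEAK  ntlm auth = yes: NTLMv1 responses are accepted" ;;
    esac
    [ "$(smbconf_get 'dsdb:schema update allowed' "$f")" = "yes" ] &&
        echo "NOTE  dsdb:schema update allowed = yes: set back to no once schema changes are done"
    [ "$(smbconf_get 'restrict anonymous' "$f")" = "2" ] ||
        echo "WEAK  restrict anonymous is not 2: null sessions are possible"
    return 0
}

# Constructed excerpt of the page's smb.conf, written to a temp file; prints its path.
write_sample_conf() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
        dsdb:schema update allowed = yes
        ldap server require strong auth = no
        ntlm auth = yes
        restrict anonymous = 2
[sysvol]
        read only = No
EOF
    echo "$f"
}
audit_smbconf "${1:-$(write_sample_conf)}"   # pass /etc/samba/smb.conf to audit the live file
```

Run without arguments it audits the constructed excerpt and reports three findings; `restrict anonymous = 2` passes.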
  • Generate SSL certs - the openssl certs must be generated in the directory that the tls keyfile / tls certfile entries in smb.conf point to
$ cd /var/lib/samba/private/tls
$ sudo openssl req -newkey rsa:2048 -keyout atezworldkey.pem -nodes -x509 -days 3650 -out atezworldcert.pem

Answer relevant questions ensuring FQDN is: corp.atez.world

Configure Bind9 DNS

  • There are three files in bind9 server that need to be configured
File 1: /etc/bind/named.conf.options
File 2: /etc/bind/named.conf.local
File 3: /etc/default/named
  • File 1: Remove all the text in the file and paste the following configuration into File 1: /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        forwarders {
                8.8.8.8;
                9.9.9.9;
        };

        dnssec-validation no;
        auth-nxdomain no;       # conform to RFC1035
        listen-on-v6 { any; };
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
        minimal-responses yes;
};
  • File 2: Remove all the text in the file and paste the following configuration into File 2: sudo nano /etc/bind/named.conf.local
dlz "corp.atez.world" {
# For BIND 9.18.28
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so";
};
  • File 3: Remove all the text in the file and paste the following configuration into File 3: sudo nano /etc/default/named
#
# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-4 -u bind"
  • Upgrade DNS to Bind9 DLZ
$ sudo samba_upgradedns --dns-backend=BIND9_DLZ
  • Make changes to /etc/nsswitch.conf file. It should look as below.
$ sudo nano /etc/nsswitch.conf
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Save & Exit

Preparing to start samba and bind9

  • Make permanent changes to resolv.conf file: sudo nano /etc/resolv.conf
nameserver      172.16.141.115
nameserver      172.16.141.116
search          corp.atez.world

Save & exit
  • Make changes to netplan: sudo nano /etc/netplan/50-cloud-init.yaml
network:
    ethernets:
        ens18:
            addresses:
            - 172.16.141.116/24
            nameservers:
                addresses:
                - 172.16.141.115
                - 172.16.141.116
                search:
                - corp.atez.world
            routes:
            -   to: default
                via: 172.16.141.1
    version: 2
$ sudo netplan generate && sudo netplan apply
  • Replace the Kerberos configuration with the krb5.conf generated by Samba
$ sudo mv /etc/krb5.conf /etc/krb5.conf.bkp 
$ cd /var/lib/samba/private/ 
$ sudo cp krb5.conf /etc/krb5.conf
  • Start bind9 and samba ad
$ sudo systemctl unmask samba-ad-dc.service 
$ sudo systemctl restart samba-ad-dc.service 
$ sudo systemctl status samba-ad-dc.service
$ sudo systemctl enable samba-ad-dc.service
$ sudo systemctl enable named
$ sudo systemctl status named

Validations

Samba AD Validations

  • Run some validations to check if the AD is working
$ sudo kinit administrator
$ sudo klist

The output of the above command should be

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@CORP.ATEZ.WORLD

Valid starting     Expires            Service principal
11/12/24 10:28:24  11/12/24 20:28:24  krbtgt/CORP.ATEZ.WORLD@CORP.ATEZ.WORLD
        renew until 11/13/24 10:28:16
11/12/24 15:44:19  11/12/24 20:28:24  host/dc1@CORP.ATEZ.WORLD
        renew until 11/13/24 10:28:16

Further validations:

$ host -t srv _kerberos._udp.corp.atez.world

The output should be

_kerberos._udp.corp.atez.world has SRV record 0 100 88 dc1.corp.atez.world.
_kerberos._udp.corp.atez.world has SRV record 0 100 88 dc2.corp.atez.world.

Check what hosts are mapped to corp.atez.world

$ host corp.atez.world

The output should be

corp.atez.world has address 172.16.141.116
corp.atez.world has address 172.16.141.115

DNS Validations

  • Check if the DNS is working
$ nslookup yahoo.com
The output should be (the Server line shows our own DNS server):
Server:         172.16.141.115
Address:        172.16.141.115#53

Non-authoritative answer:
Name:   yahoo.com
Address: 98.137.11.163
Name:   yahoo.com
Address: 98.137.11.164
...
...
  • Check if DNS service is listening on the right port
$ netstat -tapn | grep 53
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp        0      0 0.0.0.0:49153           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -                   
tcp        0      0 172.16.141.116:53       0.0.0.0:*               LISTEN      -                   
tcp        0      0 172.16.141.116:53       0.0.0.0:*               LISTEN      -                   
tcp        0      0 172.16.141.116:53       0.0.0.0:*               LISTEN      -                   
tcp        0      0 172.16.141.116:53       0.0.0.0:*               LISTEN      -                   
tcp        0      0 172.16.141.116:57182    172.16.141.115:49153    ESTABLISHED -                   
tcp        0      0 172.16.141.116:49153    172.16.141.115:57336    ESTABLISHED -                   
tcp6       0      0 :::49153                :::*                    LISTEN      -  
  • This completes the installation of the Samba Additional Domain Controller with Bind9 DLZ as the DNS backend
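The SRV and port-53 checks above are read by eye; the script below is an added example, not part of the wiki page, that evaluates the same two validations from captured command output, so it can be fed live output on the DC (e.g. `check_srv_targets "$(host -t srv _kerberos._udp.corp.atez.world)" dc1.corp.atez.world dc2.corp.atez.world`) or the constructed samples embedded here, which are taken from the output shown on this page.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki page): evaluate the SRV and port-53 validations
# from captured output; the samples are constructed from the output shown on the page.
set -u

# Args: 'host -t srv' output, then the FQDN of every DC expected to be registered.
# Prints one MISSING line per DC without an SRV record; prints nothing when all are present.
check_srv_targets() {
    local output=$1 targets dc; shift
    targets=$(printf '%s\n' "$output" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }')
    for dc in "$@"; do
        printf '%s\n' "$targets" | grep -Fqix "$dc" || echo "MISSING SRV: $dc"
    done
}

# Args: 'netstat -tapn' output, DC address. Succeeds only if a socket LISTENs on
# <address>:53; a listener on 127.0.0.1:53 alone means clients cannot reach BIND.
dns_listens_on() {
    printf '%s\n' "$1" | awk -v want="$2:53" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 == want { found = 1 }
        END { exit !found }'
}

# Constructed samples: the two SRV lines from the page, a variant in which dc2 has not
# registered, and netstat lines from the page.
SRV_OK='_kerberos._udp.corp.atez.world has SRV record 0 100 88 dc1.corp.atez.world.
_kerberos._udp.corp.atez.world has SRV record 0 100 88 dc2.corp.atez.world.'
SRV_ONE='_kerberos._udp.corp.atez.world has SRV record 0 100 88 dc1.corp.atez.world.'
NETSTAT='tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -
tcp        0      0 172.16.141.116:53       0.0.0.0:*               LISTEN      -
tcp        0      0 172.16.141.116:49153    172.16.141.115:57336    ESTABLISHED -'

check_srv_targets "$SRV_OK"  dc1.corp.atez.world dc2.corp.atez.world   # prints nothing
check_srv_targets "$SRV_ONE" dc1.corp.atez.world dc2.corp.atez.world   # MISSING SRV: dc2.corp.atez.world
dns_listens_on "$NETSTAT" 172.16.141.116 && echo "BIND is listening on 172.16.141.116:53"
```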

Conclusion

  • We have a fully functional and integrated Samba Additional Domain Controller
  • Bind9 DLZ is being used as the backend DNS
  • Both DNS and AD are functioning as expected
  • Follow the same process to add more domain controllers
