Samba As Domain Controller

From The Opensource Knowledgebase
Setup Details
hostname: infrabase1
Network: 10.1.65.0/24
IP Address : 10.1.65.11
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar

VM: atezworldad1
Network: 10.1.65.0/24
IP Address : 10.1.65.109
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar

User PC Details
PC type: Desktop
OS: Ubuntu Desktop
IP Address: 10.1.65.160

Before you proceed

The domain used here, atez.world (Kerberos realm CORP.ATEZ.WORLD, NetBIOS domain CORP), is only for demonstration; use your own domain when you configure the Active Directory domain. This installation uses Ubuntu 22.04 server and the samba packages from the repository maintained by Canonical, so that security fixes released for Samba arrive through the normal apt updates and can be applied without rebuilding anything. Samba can also be compiled from source, but then every patch requires a recompile and a redeploy.

Introduction

  • We shall be creating an Active Directory domain under atez.world with the realm CORP.ATEZ.WORLD
  • We shall be enabling TLS by default, so that LDAP clients can connect to the DC over LDAPS (TCP/636) or with StartTLS on TCP/389 instead of sending credentials in the clear
  • We shall be using a self-signed certificate; every client that validates the DC's certificate therefore has to be configured to trust it explicitly

Pre-requisites installation

  • Log into the server and stop the systemd-resolved stub resolver; once the domain is provisioned the host must resolve through Samba's internal DNS rather than the stub listener on 127.0.0.53
ssh kedar@10.1.65.109
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
  • /etc/resolv.conf is a symlink into /run/systemd/resolve; replace it with a plain file. A public resolver is fine at this stage and is changed to the DC itself after provisioning
sudo unlink /etc/resolv.conf
sudo nano /etc/resolv.conf
nameserver 8.8.8.8
  • Install & configure the chrony NTP client. Kerberos rejects requests whose timestamps are more than five minutes off by default, so the DC must keep accurate time
    • Install
sudo apt install chrony
    • Configure by editing the file /etc/chrony/chrony.conf (the pools below are the ones used in this setup; choose pools close to you). This only synchronises the DC itself; if domain members are to take time from the DC, chrony additionally has to be allowed to serve the subnet (allow directive) and, for Windows clients, to sign replies through Samba's ntp_signd socket (ntpsigndsocket directive)
pool ntp.ubuntu.com        iburst maxsources 4
pool 0.in.pool.ntp.org iburst maxsources 1
pool 1.in.pool.ntp.org iburst maxsources 1
pool 2.in.pool.ntp.org iburst maxsources 2
    • Restart & check that chrony is running and synchronised (tracking should show a reference ID and a small system time offset)
sudo systemctl restart chrony
sudo systemctl status chrony
sudo chronyc tracking
  • Install and configure other pre-requisites
sudo apt update && sudo apt upgrade -y
sudo timedatectl set-timezone Asia/Kolkata
sudo apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind net-tools

Disable services

The stand-alone file-server daemons must not run alongside the AD DC process, which starts its own smbd and winbindd internally

sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

During the package installation above, krb5-config prompts three times: for the default Kerberos realm, then for the realm's Kerberos servers and its administrative server. Enter CORP.ATEZ.WORLD for the realm and atezad1.corp.atez.world for the two servers. These answers are not critical, because /etc/krb5.conf is replaced later by the file that provisioning generates.

Generate self-signed certificate

  • Create a self-signed certificate with openssl and store it in /var/lib/samba/private/tls; the tls keyfile and tls certfile paths in smb.conf are relative to Samba's private directory
  • That directory is owned by root and not readable by other users, so run the commands with sudo and use absolute paths; create the tls subfolder if it does not exist, and keep the private key readable by root only
  • Put the DC's FQDN in a subjectAltName as well as in the Common Name: clients that follow RFC 6125 ignore the CN and reject a certificate that has no SAN
sudo mkdir -p /var/lib/samba/private/tls
sudo openssl req -newkey rsa:2048 -nodes -x509 -days 3650 \
  -keyout /var/lib/samba/private/tls/atezworldkey.pem \
  -out /var/lib/samba/private/tls/atezworldcert.pem \
  -addext "subjectAltName=DNS:atezad1.corp.atez.world"
sudo chmod 600 /var/lib/samba/private/tls/atezworldkey.pem
  • Answer the prompts as below
Country Name (2 letter code) : IN
State or Province Name : Maharashtra
Locality Name (city) : Mumbai
Organization Name : Atez World
Organizational Unit Name : corpit
Common Name : atezad1.corp.atez.world
Email Address : admin@atez.world

SMB Config File

  • Move the default smb.conf aside (keep it as a reference)
sudo mv /etc/samba/smb.conf /etc/samba/smb.bak
  • Create a new /etc/samba/smb.conf with the content below. The realm and workgroup in it must match the answers given to the provisioning step later
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = atezad1
realm = CORP.ATEZ.WORLD
server role = active directory domain controller
workgroup = CORP
idmap_ldb:use rfc2307 = yes

server role check:inhibit = yes
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes

# SMB signing is mandatory on an AD DC by default; "auto" would let clients negotiate unsigned sessions
server signing = mandatory
# Set to yes only while applying a schema extension, then revert
dsdb:schema update allowed = no
# Default is yes: simple binds (cleartext password) are accepted only over TLS. "no" would defeat the LDAPS setup
ldap server require strong auth = yes
drs:max object sync = 1200

rpc server dynamic port range = 49152-65535

#interfaces = lo,eth0
#bind interfaces only = yes

# Never map failed logons to the guest account on a DC; Never is the default and matches restrict anonymous below
map to guest = Never
log level = 3 auth_json_audit:5@/var/log/samba/samba_audit.log
log file = /var/log/samba/samba.log
max log size = 100000

# LanMan hashes are trivially brute-forced; leave this disabled
#lanman auth = yes
# Default is ntlmv2-only. "yes" re-enables NTLMv1, whose responses crack offline; use it only for clients that cannot do NTLMv2
ntlm auth = ntlmv2-only

password hash userPassword schemes = CryptSHA256 CryptSHA512

# Paths are relative to /var/lib/samba/private; the certificate is self-signed, so no CA file is set
tls enabled = yes
tls keyfile = tls/atezworldkey.pem
tls certfile = tls/atezworldcert.pem
tls cafile =

# sysvol write log (the full_audit module is loaded per share below)
full_audit:failure = none
full_audit:success = pwrite write renameat unlinkat
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local7
full_audit:priority = NOTICE

# disable null session
restrict anonymous = 2

# disable printing services
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd

[sysvol]
path = /var/lib/samba/sysvol
read only = No
vfs objects = dfs_samba4, acl_xattr, full_audit

[netlogon]
path = /var/lib/samba/sysvol/corp.atez.world/scripts
read only = No
vfs objects = dfs_samba4, acl_xattr, full_audit

Save the file and exit
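The following added example (written for this page, not part of Samba or of the original procedure) lints the [global] section of an smb.conf for the settings that weaken authentication or transport security on a DC and writes a hardened copy. Samba's own testparm checks syntax, not policy. The embedded config is constructed for the demonstration and deliberately carries the weak values (NTLMv1 enabled, simple binds allowed without TLS, optional SMB signing, guest mapping, schema updates left open); only the parameter names in EXPECTATIONS are real Samba parameters, and the acceptable values follow Samba's defaults for an AD DC.

```python
"""Audit a Samba AD DC smb.conf [global] section for weak settings and emit a hardened copy.

Added example for this page, not part of Samba. The sample config below is constructed
for the demonstration and deliberately contains the weak values an audit should catch.
"""
import re

# parameter -> (acceptable values, recommended value, why the other values are risky).
# Every parameter here has a secure Samba default on an AD DC, so an absent parameter
# is treated as fine; only explicit weak values are reported.
EXPECTATIONS = {
    "ntlm auth": ({"ntlmv2-only", "mschapv2-and-ntlmv2-only", "disabled"}, "ntlmv2-only",
                  "'yes' re-enables NTLMv1, whose responses can be cracked offline"),
    "lanman auth": ({"no"}, "no",
                    "LanMan hashes are case-folded DES over a 14-character key, trivially brute-forced"),
    "ldap server require strong auth": ({"yes", "allow_sasl_over_tls"}, "yes",
                                        "'no' accepts simple binds with cleartext passwords on 389"),
    "server signing": ({"mandatory"}, "mandatory",
                       "'auto' lets clients negotiate unsigned SMB sessions with the DC"),
    "map to guest": ({"never"}, "Never",
                     "mapping failed logons to guest turns bad credentials into anonymous access"),
    "tls enabled": ({"yes"}, "yes", "LDAPS and StartTLS are unavailable when TLS is off"),
    "dsdb:schema update allowed": ({"no"}, "no",
                                   "leave schema writes disabled except while applying an extension"),
}

SAMPLE_SMB_CONF = """\
# constructed sample: the weak settings an audit should catch
[global]
realm = CORP.ATEZ.WORLD
server role = active directory domain controller
workgroup = CORP
server signing = auto
dsdb:schema update allowed = yes
ldap server require strong auth = no
map to guest = Bad User
#lanman auth = yes
ntlm auth = yes
tls enabled = yes
restrict anonymous = 2
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S

[sysvol]
path = /var/lib/samba/sysvol
read only = No
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def _norm(name):
    """Samba compares parameter names case-insensitively with whitespace collapsed."""
    return re.sub(r"\s+", " ", name.strip().lower())


def _split_param(line):
    """Return (name, value) for a 'name = value' line, or None for anything else.
    Comments start only at column 0 ('#' or ';'), so values may contain those characters."""
    if not line or line[0] in "#;" or "=" not in line:
        return None
    name, value = line.split("=", 1)   # first '=' only: values like IP=%I|USER=%u survive
    return name.strip(), value.strip()


def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = _norm(m.group(1))
            continue
        parsed = _split_param(line)
        if section == "global" and parsed:
            params[_norm(parsed[0])] = parsed[1]
    return params


def audit(text):
    """Return [(parameter, current value, recommended value, reason)] for each weak setting."""
    params = parse_global(text)
    return [
        (name, params[name], recommended, reason)
        for name, (acceptable, recommended, reason) in EXPECTATIONS.items()
        if name in params and params[name].lower() not in acceptable
    ]


def hardened(text):
    """Return a copy of the config with every weak [global] value replaced by the
    recommended one; other lines, comments and sections are left untouched."""
    weak = {finding[0] for finding in audit(text)}
    out, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = _norm(m.group(1))
        elif section == "global":
            parsed = _split_param(line)
            if parsed and _norm(parsed[0]) in weak:
                out.append(f"{parsed[0]} = {EXPECTATIONS[_norm(parsed[0])][1]}")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, value, recommended, reason in audit(SAMPLE_SMB_CONF):
        print(f"{name} = {value}  ->  {recommended}: {reason}")
```

Run it against the real file with `audit(open("/etc/samba/smb.conf").read())`; an empty list means no explicit weak value is present. Parameters that are absent are reported as fine because their defaults are already the recommended values, so the audit is only as good as the table, and any parameter whose default you override elsewhere should be added to EXPECTATIONS.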

  • Provision the domain using samba-tool. It reads the smb.conf just created, so the answers must agree with it
sudo samba-tool domain provision --use-rfc2307 --interactive

Answer the prompts as follows: Realm: CORP.ATEZ.WORLD, Domain (the NetBIOS domain name): CORP, Server Role: dc, DNS backend: SAMBA_INTERNAL, DNS forwarder IP address: 8.8.8.8, and finally a password for the domain Administrator account that satisfies the default policy (minimum 7 characters with complexity enabled).

  • Ubuntu ships samba-ad-dc.service masked; unmask it and start the DC
sudo systemctl unmask samba-ad-dc.service
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Replace the Kerberos client configuration with the one provisioning generated (it sets the default realm and enables KDC lookup through DNS), then restart
sudo mv /etc/krb5.conf /etc/krb5.conf.initial
sudo ln -s /var/lib/samba/private/krb5.conf /etc/
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Point the host's DNS at the DC itself in netplan and replace the deprecated gateway4 key with a routes entry. The address below is the DC's own (10.1.65.109 in this setup); a domain controller must resolve through AD DNS, not a public resolver
sudo nano /etc/netplan/00-installer-config.yaml

network:
  ethernets:
    ens18:
      addresses:
      - 10.1.65.109/24
#      gateway4: 10.1.65.1   (deprecated, replaced by the routes entry below)
      nameservers:
        addresses:
        - 10.1.65.109
        search: [corp.atez.world]
      routes:
      - to: default
        via: 10.1.65.1
  version: 2

Save the file and apply it with: sudo netplan apply

  • Add winbind option to /etc/nsswitch.conf
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
  • Because systemd-resolved is disabled, the nameservers from netplan do not reach /etc/resolv.conf; write it by hand so the DC uses its own DNS. A public resolver cannot resolve corp.atez.world, and the kinit and SRV checks below would fail
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo unlink /etc/resolv.conf
sudo nano /etc/resolv.conf
nameserver 10.1.65.109
  • Restart Samba and verify it is running
sudo systemctl restart samba-ad-dc.service
sudo systemctl status samba-ad-dc.service
  • Obtain a Kerberos ticket for the domain Administrator; this proves the KDC answers and that the realm in krb5.conf is right
sudo kinit administrator
  • Check that the domain's Kerberos and LDAP SRV records resolve to this DC
host -t srv _kerberos._udp.corp.atez.world
host -t srv _ldap._tcp.corp.atez.world
  • Create a domain user with samba-tool (it prompts for a password). With winbind use default domain = true, a domain user whose name equals a local account, such as the sudo user kedar, is shadowed by the local entry because files precedes winbind in nsswitch.conf; use a distinct name if both accounts must coexist
sudo samba-tool user create kedar
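The checks above exercise Kerberos and DNS but not the LDAPS listener this setup exists to provide. The following added example (not part of the page or of Samba) performs the TLS handshake on TCP/636, validates the DC's certificate against the self-signed certificate used as trust anchor, and applies a strict SAN-only hostname match so that a certificate carrying the name only in its CN is reported. The host name atezad1.corp.atez.world, port 636 and the local file name atezworldcert.pem are assumptions; run it from any machine that can reach the DC and has a copy of the certificate.

```python
"""Exercise the DC's LDAPS listener and check the certificate it presents.

Added example for this page, not part of Samba or of the page's original procedure.
Assumptions: the DC answers as atezad1.corp.atez.world on TCP/636, and the self-signed
certificate created earlier has been copied to ./atezworldcert.pem so it can act as the
trust anchor (a self-signed certificate is its own CA).
"""
import socket
import ssl

DC_FQDN = "atezad1.corp.atez.world"   # assumed; the name used in the certificate above
LDAPS_PORT = 636
TRUST_ANCHOR = "atezworldcert.pem"    # assumed local copy of the DC's tls/atezworldcert.pem


def san_dns_names(cert):
    """DNS entries of subjectAltName from a dict in ssl.SSLSocket.getpeercert() format."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(cert, hostname):
    """RFC 6125 style check: only subjectAltName DNS names count, the subject CN is ignored
    (which is what browsers and most current LDAP libraries do). A leading '*.' wildcard
    matches exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def fetch_peer_cert(host, port, cafile, timeout=5.0):
    """Complete a TLS handshake on the LDAPS port and return (peer cert dict, TLS version).
    OpenSSL validates the chain against cafile; hostname checking is turned off here so that
    name_matches() can explain a mismatch instead of the handshake simply failing."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def evaluate(cert, version, host):
    """Return the list of problems found; an empty list means strict clients can use the
    listener as an LDAPS endpoint."""
    problems = []
    if version in ("TLSv1", "TLSv1.1"):
        problems.append(f"negotiated {version}; tighten 'tls priority' in smb.conf")
    if not san_dns_names(cert):
        problems.append("certificate carries no subjectAltName; regenerate it with -addext")
    elif not name_matches(cert, host):
        problems.append(f"no subjectAltName entry matches {host}")
    return problems


def check_ldaps(host=DC_FQDN, port=LDAPS_PORT, cafile=TRUST_ANCHOR):
    """Connect, validate against the trust anchor and return (cert, version, problems)."""
    cert, version = fetch_peer_cert(host, port, cafile)
    return cert, version, evaluate(cert, version, host)


if __name__ == "__main__":
    cert, version, problems = check_ldaps()
    print(f"{DC_FQDN}:{LDAPS_PORT} {version} SAN={san_dns_names(cert)}")
    for problem in problems:
        print("PROBLEM:", problem)
```

If the handshake itself fails with a certificate verify error, the trust anchor does not match what the DC serves (for example after the certificate was regenerated); if it fails with a connection refused, tls enabled is off or the service is not running.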

Conclusion

  • We have a working Samba Active Directory domain controller.
  • Manage it with the Windows Remote Server Administration Tools (RSAT) from a domain-joined Windows client, or with samba-tool on the DC
  • Additional domain controllers can be joined to this domain to make the architecture more robust