Setup Domain Controller on Linux using Samba 4
We will be setting up a CentOS Server as Domain Controller using Samba4 and then using a Windows client to authenticate against it.
This is an alternative to Microsoft's Active Directory.
In the following setup, DC refers to the Domain Controller we will be setting up. Below is the rest of the referenced information:
- Host: dc
- IP: 192.168.1.2
- Domain: lan.bekkers.co.za
- DNS Forwarder: 192.168.1.1
Dependencies:
$ yum update -y
$ rpm -Uvh ftp://195.220.108.108/linux/dag/redhat/el6/en/x86_64/dag/RPMS/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
$ yum install glibc glibc-devel gcc libacl-devel krb5-workstation krb5-libs pam_krb5 python-devel gnutls gnutls-devel -y
$ rpm -qa | grep -i samba
$ yum install git-core -y
$ cd /opt/; git clone git://git.samba.org/samba.git samba-master
$ reboot
Setup Samba4:
$ cd /opt/samba-master/
$ ./configure --enable-debug --enable-selftest
$ make
$ make install
Provision the domain:
$ /usr/local/samba/bin/samba-tool domain provision
Output:
Realm [LAN.BEKKERS.CO.ZA]:
Domain [LAN]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=lan,DC=bekkers,DC=co,DC=za
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=lan,DC=bekkers,DC=co,DC=za
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dc
NetBIOS Domain: LAN
DNS Domain: lan.bekkers.co.za
DOMAIN SID: S-1-5-21-172256615-2240083043-11205357
Reboot the server:
$ reboot
Start Samba and add to startup:
Start the DC:
$ /usr/local/samba/sbin/samba
Append on startup:
$ echo '/usr/local/samba/sbin/samba' >> /etc/rc.d/rc.local
Verify versions:
$ /usr/local/samba/sbin/samba -V
Version 4.5.0pre1-GIT-937d60f
$ /usr/local/samba/bin/smbclient --version
Version 4.5.0pre1-GIT-937d60f
List shares:
$ /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[LAN] OS=[Windows 6.1] Server=[Samba 4.5.0pre1-GIT-937d60f]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.5.0pre1-GIT-937d60f)
Domain=[LAN] OS=[Windows 6.1] Server=[Samba 4.5.0pre1-GIT-937d60f]
Server Comment
--------- -------
Workgroup Master
--------- -------
Verify smb.conf:
$ cat /usr/local/samba/etc/smb.conf
Output:
# Global parameters
[global]
netbios name = DC
realm = LAN.BEKKERS.CO.ZA
workgroup = LAN
dns forwarder = 192.168.1.1
server role = active directory domain controller
[netlogon]
path = /usr/local/samba/var/locks/sysvol/lan.bekkers.co.za/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
Network/DNS Configuration
Edit /etc/resolv.conf
and configure our domain and nameserver to point to our current setup:
domain lan.bekkers.co.za
nameserver 192.168.1.2
For static network configuration, edit /etc/sysconfig/network-scripts/ifcfg-eth0
below is an example:
DEVICE="eth0"
BOOTPROTO="none"
DEFROUTE="yes"
DNS1="192.168.1.2"
GATEWAY="192.168.1.1"
HWADDR="86:C4:C1:0D:29:AD"
IPADDR="192.168.1.2"
IPV4_FAILURE_FATAL="yes"
IPV6INIT="no"
NAME="System eth0"
NM_CONTROLLED="yes"
ONBOOT="yes"
PREFIX="24"
TYPE="Ethernet"
Then reboot:
$ reboot
Testing DNS:
$ host -t SRV _ldap._tcp.lan.bekkers.co.za
_ldap._tcp.lan.bekkers.co.za has SRV record 0 100 389 dc.lan.bekkers.co.za.
$ host -t SRV _kerberos._udp.lan.bekkers.co.za
_kerberos._udp.lan.bekkers.co.za has SRV record 0 100 88 dc.lan.bekkers.co.za.
$ host -t A dc.lan.bekkers.co.za
dc.lan.bekkers.co.za has address 192.168.1.2
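The two host queries above can be turned into a repeatable check. The script below is an added example, not part of the original guide: it parses the "host" answer format shown above and verifies every SRV record a domain join relies on, plus the A record of the DC. It assumes the hostnames and IP used in this guide (edit the three variables for another domain); the records beyond the two shown (_kerberos._tcp, _kpasswd._udp, _gc._tcp) are the standard AD SRV records Samba provisions.

```shell
#!/bin/sh
# Added example: verify the DNS records an AD client needs, using the
# "host" output format from the Testing DNS step. Assumes this guide's names.
DC_FQDN="dc.lan.bekkers.co.za"
DC_IP="192.168.1.2"
DNS_DOMAIN="lan.bekkers.co.za"

# srv_ok LINE PORT TARGET
# LINE is one "host -t SRV" answer: <name> has SRV record <prio> <weight> <port> <target>.
# Succeeds only when the record points at TARGET on PORT.
srv_ok() {
    port=$2; target=$3
    set -- $1                               # split the answer into words
    [ "$2 $3 $4" = "has SRV record" ] || return 1
    [ "$7" = "$port" ] || return 1
    [ "$8" = "$target." ]                   # host prints the target fully qualified
}

# a_ok LINE IP : LINE is a "host -t A" answer: <name> has address <ip>
a_ok() {
    ip=$2
    set -- $1
    [ "$2 $3" = "has address" ] && [ "$4" = "$ip" ]
}

# check_dc_dns : query the live resolver (the DC itself, per resolv.conf above)
# and report every record; returns non-zero if any record is wrong or missing.
check_dc_dns() {
    rc=0
    for rec in _ldap._tcp:389 _kerberos._tcp:88 _kerberos._udp:88 _kpasswd._udp:464 _gc._tcp:3268; do
        name=${rec%%:*}; port=${rec##*:}
        if srv_ok "$(host -t SRV "$name.$DNS_DOMAIN" 2>/dev/null | tail -n 1)" "$port" "$DC_FQDN"; then
            echo "ok   $name.$DNS_DOMAIN -> $DC_FQDN:$port"
        else
            echo "FAIL $name.$DNS_DOMAIN (expected $DC_FQDN:$port)"; rc=1
        fi
    done
    if a_ok "$(host -t A "$DC_FQDN" 2>/dev/null | tail -n 1)" "$DC_IP"; then
        echo "ok   $DC_FQDN -> $DC_IP"
    else
        echo "FAIL $DC_FQDN (expected $DC_IP)"; rc=1
    fi
    return $rc
}

# Run the live check only when invoked as: sh check_dc_dns.sh run
if [ "$1" = run ]; then check_dc_dns; fi
```

Run it on the DC after the resolv.conf change (and again from any client before joining); a FAIL line points at a record the internal DNS backend did not publish or a resolver that is not pointing at the DC.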
Firewall Changes:
For the sake of this guide, I will be disabling the firewall:
$ service iptables stop
$ chkconfig iptables off
Kerberos Configuration:
$ mv /etc/krb5.conf /etc/krb.old
$ cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
$ vi /etc/krb5.conf
[libdefaults]
default_realm = LAN.BEKKERS.CO.ZA
dns_lookup_realm = false
dns_lookup_kdc = true
Test Kerberos:
$ kinit administrator@LAN.BEKKERS.CO.ZA
Password for administrator@LAN.BEKKERS.CO.ZA:
Warning: Your password will expire in 41 days on Sat Apr 16 20:23:38 2016
Verify if ticket received:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LAN.BEKKERS.CO.ZA
Valid starting Expires Service principal
03/05/16 20:36:13 03/06/16 06:36:13 krbtgt/LAN.BEKKERS.CO.ZA@LAN.BEKKERS.CO.ZA
renew until 03/06/16 20:36:10
NTP:
$ yum install ntp -y
$ /etc/init.d/ntpd start
$ chkconfig ntpd on
From the Windows host/client, set the time to sync against our server and join the Windows host to the domain.
Samba Domain Controller Usage:
Creating users:
$ cd /usr/local/samba/sbin/
$ ./samba-tool user add john
New Password:
Retype Password:
User 'john' created successfully
Verify Users:
$ ./wbinfo --name-to-sid john
S-1-5-21-172256615-2240083043-11205357-1104 SID_USER (1)
$ ./wbinfo --sid-to-uid S-1-5-21-172256615-2240083043-11205357-1104
3000019
Listing Users:
$ ./wbinfo -u
LAN\administrator
LAN\krbtgt
Listing Groups:
$ ./wbinfo -g
enterprise admins
domain computers
Samba Password Policies:
$ samba-tool domain passwordsettings set --complexity=off
$ samba-tool domain passwordsettings set --min-pwd-age=0
$ samba-tool domain passwordsettings set --max-pwd-age=0
Verify all processes are running:
To verify that all processes are running, try running the following:
$ ps axf | egrep "samba|smbd|nmbd|winbindd"
WebUI's: