TranslateProject/sources/tech/20220408 Samba as AD and Domain Controller.md
DarkSun b1cac8143a 选题[tech]: 20220408 Samba as AD and Domain Controller
sources/tech/20220408 Samba as AD and Domain Controller.md
2022-04-09 05:02:26 +08:00

11 KiB
Raw Permalink Blame History

Samba as AD and Domain Controller

Samba AD Domain Controller

Photo by Eric Schirtzinger on Unsplash

Having a server with Samba providing AD and Domain Controller functionality will provide you with a very mature and professional way to have a centralized place with all users and groups information. It will free you from the burden of having to manage users and groups on each server. This solution is useful for authenticating applications such as WordPress, FTP servers, HTTP servers, you name it.

This step-by-step tutorial about setting up Samba as an AD and Domain Controller will demonstrate to you how you can achieve this solution for your network, servers, and applications.

Pre-requisites

A fresh Fedora Linux 35 server installation.

Definitions

Hostname: dc1 Domain: onda.org IP: 10.1.1.10/24

Considerations

  • Once the domain was chosen, you cant change it, be wise;
  • In the /etc/hosts file, the server name cant be on 127.0.0.1 line, it must be on its IP address line;
  • Use a fixed IP address for the server, as a result, the servers IP wont change;
  • Once you provision the DC server, do not provision another one, join other ones to the domain instead;
  • For the DNS server, we will choose SAMBA_INTERNAL, so we can have the DNS forwarding feature;
  • It is necessary to have a time synchronization service running in the server, like chrony or ntp, so you can avoid numerous problems from not having the server and clients synchronized with the same time;

Samba installation

Lets install the required software to get through this guide. It will provide all the applications you will need.


    sudo dnf install samba samba-dc samba-client heimdal-workstation

Samba installation

Configurations

For setting up Samba as an AD and Domain Controller, you will have to prepare the environment with a functional configuration before you start using it.

Firewall

You will need to allow some UDP and TCP ports through the firewall so that clients will be able to connect to the Domain Controller.

I will show you two methods to add them. Choose the one that suits you best.

First method

This is the most straightforward method, firewalld comes with a service with all ports needed to open Samba DC, which is called samba-dc. Add it to the firewall rules:

Add the service:


    sudo firewall-cmd --permanent --add-service samba-dc

Second method

Alternatively, you can add the rules from the command line:


    sudo firewall-cmd --permanent --add-port={53/udp,53/tcp,88/udp,88/tcp,123/udp,135/tcp,137/udp,138/udp,139/tcp,389/udp,389/tcp,445/tcp,464/udp,464/tcp,636/tcp,3268/tcp,3269/tcp,49152-65535/tcp}

Reload firewalld:


    sudo firewall-cmd --reload

For more information about firewalld, check the following article: Control the firewall at the command line

SELinux

To run a Samba DC and running with SELinux in enforcing mode, it is necessary to set some samba booleans for SELinux to on. After these booleans are set, it should not be necessary to disable SELinux.


    sudo setsebool -P samba_create_home_dirs=on samba_domain_controller=on samba_enable_home_dirs=on samba_portmapper=on use_samba_home_dirs=on

Restore the default SELinux security contexts for files:


    sudo restorecon -Rv /

Samba

First, remove the /etc/samba/smb.conf file if it exists:


    sudo rm /etc/samba/smb.conf

Samba uses its own DNS service, and for that reason, the service wont start if systemd-resolved is running, that is why it is necessary to edit its configuration to stop listening on port 53 and use Sambas DNS.

Create the directory /etc/systemd/resolved.conf.d/ if it does not exist:


    sudo mkdir /etc/systemd/resolved.conf.d/

Create the file /etc/systemd/resolved.conf.d/custom.conf that contains the custom config:


    [Resolve]
    DNSStubListener=no
    Domains=onda.org
    DNS=10.1.1.10

Remember to change the DNS and Domains entries to be your Samba DC server.

Restart the systemd-resolved service:


    sudo systemctl restart systemd-resolved

Finally, provision the Samba configuration. samba-tool provides every step needed to make Samba an AD server.

Using the samba-tool, provision the Samba configuration:


    sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=ONDA.ORG --domain=ONDA --adminpass=sVbOQ66iCD3hHShg

Samba domain provisioning

The use-rfc2307 argument provides POSIX attributes to Active Directory, which stores Unix user and group information on LDAP (rfc2307.txt).

Make sure that you have the correct dns forwarder address set in /etc/samba/smb.conf. Concerning this tutorial, it should be different from the servers own IP address 10.1.1.10, in my case I set to 8.8.8.8, however your mileage may vary:

Changing the dns forwarder value on /etc/samba/smb.conf file

After changing the dns forwarder value, restart samba service:


    sudo systemctl restart samba

Kerberos

After Samba installation, it was provided a krb5.conf file that we will use:


    sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc

Edit /etc/krb5.conf.d/samba-dc content to match your organization information:


    [libdefaults]
      default_realm = ONDA.ORG
      dns_lookup_realm = false
      dns_lookup_kdc = true

    [realms]
    ONDA.ORG = {
      default_domain = ONDA
    }

    [domain_realm]
      dc1.onda.org = ONDA.ORG

Starting and enabling Samba on boot time

To make sure that Samba will start on system initialization, enable and start it:


    sudo systemctl enable samba
    sudo systemctl start samba

Testing

Connectivity


    $ smbclient -L localhost -N

As a result of smbclient command, shows that connection **was successful.


    Anonymous login successful
            Sharename       Type      Comment
            ---------       ----      -------
            sysvol          Disk
            netlogon        Disk
            IPC$            IPC       IPC Service (Samba 4.15.6)
    SMB1 disabled -- no workgroup available

smbclient connection test

Now, test the Administrator login to netlogon share:


    $ smbclient //localhost/netlogon -UAdministrator -c 'ls'


    Password for [ONDA\Administrator]:
      .                              D        0  Sat Mar 26 05:45:13 2022
      ..                             D        0  Sat Mar 26 05:45:18 2022

                    8154588 blocks of size 1024. 7307736 blocks available

smbclient Administrator connection test

DNS test

To test if the name resolution is working, execute the following commands:


    $ host -t SRV _ldap._tcp.onda.org.
    _ldap._tcp.onda.org has SRV record 0 100 389 dc1.onda.org.


    $ host -t SRV _kerberos._udp.onda.org.
    _kerberos._udp.onda.org has SRV record 0 100 88 dc1.onda.org.


    $ host -t A dc1.onda.org.
    dc1.onda.org has address 10.1.1.10

If you get the error:


    -bash: host: command not found

Install the bind-utils package:


    sudo dnf install bind-utils

Kerberos test

Testing Kerberos is important because it generates the required tickets to let clients authenticate with encryption. It heavily relies on correct time.

It cant be stressed enough to have date and time set correctly, and that is why it is so important to have a time synchronization service running on both clients and servers.


    $ /usr/lib/heimdal/bin/kinit administrator
    $ /usr/lib/heimdal/bin/klist

Kerberos ticket validation

Adding a user to the Domain

samba-tool provides us an interface for executing Domain administration tasks, so we can add a user to the Domain easily.

The samba-tool help is very comprehensive:


    $ samba-tool user add --help

Adding user danielk to the domain:


    sudo samba-tool user add danielk --unix-home=/home/danielk --login-shell=/bin/bash --gecos 'Daniel K.' --given-name=Daniel --surname='Kühl' --mail-address='danielk@onda.org'

Adding user to the Domain

To list the users on Domain:


    sudo samba-tool user list

Wrap up and conclusion

We started out by installing Samba and required applications in a fresh Fedora Linux 35 installation. Weve also explained the problems that this solution solves. Thereafter, we did an initial configuration that prepares the environment to be ready to Samba to operate as an AD and Domain Controller.

Then, we proceeded to cover how to have Samba up and running alongside Fedora Linux security features, like having it working with firewalld and SELinux enabled. We did some important testing to make sure everything was fine and ended by showing a bit on how to administrate users using samba-tool.

To summarize, if you want to establish a robust solution for centralizing authentication across your network, servers (If one wanted to, one could even join a Windows 10 client to this Samba domain [tested with Windows 10 Professional version 20H2]) and services, consider using this approach as part of your infrastructure.

Now that you know how to have a Samba as AD and Domain Controller solution, what would you like to see covered next? Share your thoughts in the comments below.


via: https://fedoramagazine.org/samba-as-ad-and-domain-controller/

作者:Daniel Kühl 选题:lujun9972 译者:译者ID 校对:校对者ID

本文由 LCTT 原创编译,Linux中国 荣誉推出