Samba active directory

How to setup an active directory domain controller in Linux using Samba




Install packages

# krb5: Kerberos client tools (kinit/klist used in the tests below); bind: named for the
# BIND9_DLZ DNS backend configured later; openresolv: provides resolvconf; python-dnspython:
# required by Samba's DNS update tooling (samba_dnsupdate).
pacman -Syu krb5 python-dnspython openresolv samba bind

Rename machine

Note

Windows NetBIOS names are limited to 15 characters (the name field is 16 bytes; the 16th byte is reserved for the NetBIOS suffix). Keep the hostname and the `netbios name` in smb.conf within this limit.

/etc/hostname
arch-vm-addc

Setup network

Wired NAT adapter using a static IP

/etc/systemd/network/20-wired.network
[Match]
# Glob so the unit applies whatever exact enp1xx name the VM assigns
Name=enp1*

[Network]
# Static address for the DC: clients, the A record and the reverse zone
# (122.168.192.in-addr.arpa) created later all depend on it staying fixed
Address=192.168.122.30/24
Gateway=192.168.122.1
# The DC resolves through its own AD-integrated DNS (BIND DLZ), never the router
DNS=127.0.0.1
# World-readable is fine: the unit holds no secrets, only addressing
chmod 644 /etc/systemd/network/20-wired.network

Tip

Second bridged wired adapter using DHCP for ssh access

/etc/systemd/network/21-wired.network
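[Match]
# Second, bridged adapter used only for ssh management access
Name=enp8*

[Network]
DHCP=yes

[DHCPv4]
# Ignore the DHCP-supplied nameservers: a DC must resolve its own AD domain through
# the local DNS server (127.0.0.1 on the first adapter). Without this the lease's
# resolvers can be picked up alongside, defeating the "only localhost" resolv.conf
# setup that follows.
UseDNS=false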
# World-readable is fine: the unit holds no secrets
chmod 644 /etc/systemd/network/21-wired.network

Use local DNS server

Reconfigure resolvconf so that the DC uses only localhost for DNS lookups, i.e. it resolves the AD domain through its own DNS server.

/etc/resolv.conf.tail
# Samba configuration
# NOTE(review): a ".local" TLD collides with mDNS (Avahi/Bonjour) resolution on many
# clients; for a new deployment prefer a subdomain of a DNS name you control.
search wildw1ng.local
# The .tail file is appended to the generated resolv.conf, so any nameserver written by
# another source (e.g. a DHCP lease) would precede this one. After `resolvconf -u`
# confirm that 127.0.0.1 is the only nameserver listed.
nameserver 127.0.0.1

Set permissions

# resolvconf only needs to read the tail file; no secrets inside
chmod 644 /etc/resolv.conf.tail

Regenerate the new file

# Regenerate /etc/resolv.conf; check afterwards that 127.0.0.1 is the only nameserver
resolvconf -u

read more…


System clock synchronization

read about systemd-timesyncd


Provisioning

Performing the basic directory configuration.

# When prompted for the DNS backend choose BIND9_DLZ, since BIND is configured below
# (not SAMBA_INTERNAL). The Administrator password you enter must satisfy the default
# AD complexity policy.
samba-tool domain provision --use-rfc2307 --interactive

--use-rfc2307

this argument adds POSIX attributes (UID/GID) to the AD Schema. This will be necessary if you intend to authenticate Linux, BSD, or macOS clients (including the local machine) in addition to Microsoft Windows.

--interactive

this parameter forces the provision script to run interactively, prompting for the realm, domain, server role, DNS backend and the Administrator password.


BIND configuration

/etc/named.conf
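// vim:set ts=4 sw=4 et:
// BIND as DNS backend for the Samba AD DC (BIND9_DLZ): the AD-integrated zones are
// served straight out of Samba's database through the dlz module loaded below.
acl local-networks {
    127.0.0.0/8;
    192.168.122.0/24;
};

options {
    directory "/var/named";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    // Uncomment this line to enable IPv6 connections support
    //  listen-on-v6 { any; };
    // Add this for no IPv4:
    //  listen-on { none; };

    // Only the local networks may query or recurse. Add further subnets or hosts to the
    // local-networks acl rather than widening these to "any": an open recursive resolver
    // can be abused for amplification attacks.
    allow-query       { local-networks; };
    allow-recursion   { local-networks; };
    allow-query-cache { local-networks; };
    allow-transfer    { none; };
    // Applies to the zones defined in this file. Dynamic updates to the AD zones are
    // authorised by Samba itself (GSS-TSIG via the keytab below).
    allow-update      { none; };

    // Do not advertise the software version, hostname or server id to clients
    version none;
    hostname none;
    server-id none;

    auth-nxdomain yes;
    datasize default;
    empty-zones-enable no;
    // Keytab provisioned by Samba so named can verify signed (GSS-TSIG) dynamic updates
    // from domain members. It must be readable by the named user and by nobody else
    // (see the chgrp/chmod commands after this file). Newer Samba releases place it under
    // /var/lib/samba/bind-dns/ instead; adjust if your version does.
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

    // Uncomment if you wish to forward lookups outside the AD zones. Public resolvers
    // hand every client lookup to a third party; prefer your organisation's resolvers.
    // Google (8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, and 2001:4860:4860::8844)
    // OpenDNS (208.67.222.222, 208.67.220.220, 2620:0:ccc::2 and 2620:0:ccd::2)
    // Appropriate values for subnets are specific to your network.
    // forwarders { 8.8.8.8; 8.8.4.4; };

};

zone "localhost" IN {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
    type master;
    file "localhost.ip6.zone";
};

// Load AD integrated zones
// The module must match the installed BIND release (dlz_bind9_12.so is built for
// BIND 9.12); check /usr/lib/samba/bind9/ after a BIND or Samba upgrade, otherwise
// named starts without the AD zones.
dlz "AD DNS Zones" {
    database "dlopen /usr/lib/samba/bind9/dlz_bind9_12.so";
};

//zone "example.org" IN {
//    type slave;
//    file "example.zone";
//    masters {
//        192.168.1.100;
//    };
//    allow-query { any; };
//    allow-transfer { any; };
//};

// Zone transfer and notify logging to /var/log/named.log (created root:named below)
logging {
    channel xfer-log {
        file "/var/log/named.log";
        print-category yes;
        print-severity yes;
        severity info;
    };
    category xfer-in { xfer-log; };
    category xfer-out { xfer-log; };
    category notify { xfer-log; };
};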

# named.conf holds no secrets; the keytab does.
chmod 644 /etc/named.conf
# Let the named user read the GSS-TSIG keytab (0600 root -> 0640 root:named). Do not
# make it world-readable: it holds the key that authorises DNS updates.
chgrp named /var/lib/samba/private/dns.keytab
chmod g+r /var/lib/samba/private/dns.keytab
# Log file for the xfer-log channel; writable by the named group
touch /var/log/named.log
chown root:named /var/log/named.log
chmod 664 /var/log/named.log

Kerberos

Provisioning created a krb5.conf file for use with a Samba domain controller.

# Keep the distribution default aside and install the file provision generated
mv /etc/krb5.conf{,.default}
cp /var/lib/samba/private/krb5.conf /etc

/etc/krb5.conf
# Kerberos client configuration as generated by samba-tool provision.
[libdefaults]
        # Realm names are case-sensitive and must be upper case
        default_realm = WILDW1NG.LOCAL
        dns_lookup_realm = false
        # Find KDCs through the _kerberos SRV records served by the AD DNS
        dns_lookup_kdc = true

[realms]
WILDW1NG.LOCAL = {
        default_domain = WILDW1NG.LOCAL
}

[domain_realm]
        # Maps the DC's short hostname to the realm; unmapped hosts use default_realm
        arch-vm-addc = WILDW1NG.LOCAL
# Must be readable by every local user running kinit; it contains no secrets
chmod 644 /etc/krb5.conf

Samba

Enable printing and automatic sharing of all CUPS print queues

/etc/samba/smb.conf
[global]
        # Run the print spooler RPC service in a separate forked spoolssd process
        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork
        printing = CUPS

# Special share name: every CUPS queue is published automatically
[printers]
       # Spool directory; must exist and be writable by the printing clients
       path = /var/spool/samba/
       printable = yes

Share only specific print queues

/etc/samba/smb.conf
[global]
        # Do not publish every CUPS queue; define the shared ones explicitly
        load printers = no

# Add an example print share
[HPDJ3050]
       path = /var/spool/samba/
       printable = yes
       # CUPS queue name this share maps to
       printer name = hpdj3050

Roaming profiles

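# Each user's Windows client creates its own profile directory on first logon, so all
# domain users need write access here. Use the sticky bit (1777): unlike 0777 it stops
# users deleting or renaming each other's profile directories. Tighter still, once
# winbind resolves domain groups: chgrp to the domain users group and use 1770.
chmod 1777 /profiles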

Create samba share

/etc/samba/smb.conf
[profiles]
    comment = User Profiles
    path = /profiles
    # Hidden from share browsing; clients reach it via the profile path set in AD
    browseable = no
    read only = no
    # Disable client-side (offline) caching, which corrupts roaming profiles
    csc policy = disable
    # Store the Windows ACLs in extended attributes
    vfs objects = acl_xattr

/etc/samba/smb.conf
# Global parameters
[global]
        # Must match /etc/hostname (15-character NetBIOS limit)
        netbios name = ARCH-VM-ADDC
        realm = WILDW1NG.LOCAL
        server role = active directory domain controller
        # No "dns" service here: BIND (BIND9_DLZ) serves the AD zones
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = WILDW1NG
        # Use the RFC 2307 POSIX attributes provisioned with --use-rfc2307 for ID mapping
        idmap_ldb:use rfc2307 = yes
        # LDAPS/StartTLS. Paths are relative to Samba's private directory; provision
        # generates a self-signed certificate there, which clients will not trust until
        # it is replaced with one issued by a CA they know.
        tls enabled = yes
        tls keyfile = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile = tls/ca.pem
        # rpc_server:spoolss = external
        # rpc_daemon:spoolssd = fork
        # printing = CUPS
# Group Policy store. Writable at share level; the filesystem ACLs set by provision
# decide who may actually modify policy — keep them restricted to administrators.
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

# Logon scripts executed on every client at logon; write access here must stay
# confined to administrators via the filesystem ACLs.
[netlogon]
        path = /var/lib/samba/sysvol/wildw1ng.local/scripts
        read only = No

# [printers]
        # path = /var/spool/samba
        # printable = yes

[profiles]
        comment = User Profiles
        path = /profiles
        browseable = no
        read only = no
        # No offline caching for roaming profiles
        csc policy = disable
        vfs objects = acl_xattr
# smb.conf holds no credentials; readable by all is the normal mode
chmod 644 /etc/samba/smb.conf

LDB utilities

/etc/profile.d/sambaldb.sh
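# Let ldbsearch/ldbedit load Samba's ldb modules. Prepend the existing value only when
# one is set: "${LDB_MODULES_PATH}:..." with the variable unset yields a leading ":",
# i.e. an empty search-path entry.
export LDB_MODULES_PATH="${LDB_MODULES_PATH:+${LDB_MODULES_PATH}:}/usr/lib/samba/ldb"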
# Picked up by login shells; source it once now for the current session
chmod 0755 /etc/profile.d/sambaldb.sh
. /etc/profile.d/sambaldb.sh

Testing the installation

Verify the TCP-based _ldap SRV record in the domain

# Should return an SRV record pointing at arch-vm-addc.wildw1ng.local on port 389
host -t SRV _ldap._tcp.wildw1ng.local

Verify the UDP-based _kerberos SRV resource record in the domain

# Should return an SRV record pointing at arch-vm-addc.wildw1ng.local on port 88
host -t SRV _kerberos._udp.wildw1ng.local

Verify the A record of the domain controller

# Should resolve to 192.168.122.30, the static address configured above
host -t A arch-vm-addc.wildw1ng.local

Verify NT password (NTLM) authentication

# Prompts for the Administrator password set at provision and lists the netlogon share
smbclient //localhost/netlogon -U Administrator -c 'ls'

Verify Kerberos is working as expected

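# Realm names are case-sensitive: requesting a lower-case realm is exactly what
# produces the "KDC reply did not match expectations" error described below, so use
# the upper-case realm (or plain `kinit Administrator`, which uses default_realm).
kinit Administrator@WILDW1NG.LOCAL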
Note

If the “KDC reply did not match expectations while getting initial credentials” error occurs, check your /etc/krb5.conf.
Ensure that all Realm names are in upper case letters.

List cached Kerberos tickets

# Expect a krbtgt/WILDW1NG.LOCAL@WILDW1NG.LOCAL ticket for Administrator
klist

Use smbclient with the acquired ticket

# -k: authenticate with the Kerberos ticket from kinit; no password prompt expected
smbclient //arch-vm-addc/netlogon -k -c 'ls'

DNS reverse lookup

Create a reverse lookup zone for each subnet in your environment in DNS.
Keep the zone in Samba's AD-integrated DNS rather than as a static BIND zone, so that domain clients can register and update their own PTR records dynamically.
Use the first three octets of the subnet in reverse order (for example: 192.168.0.0/24 becomes 0.168.192)

Create a reverse lookup zone for each subnet

# Creates the reverse zone in AD via the DC's DNS RPC interface; prompts for the password
samba-tool dns zonecreate arch-vm-addc.wildw1ng.local 122.168.192.in-addr.arpa -U Administrator

Add a PTR record for your server (if your server is multi-homed, add one in each subnet's zone). The record name is the fourth octet of the server's IP address.

# PTR for 192.168.122.30 (the static address above): name "30" in the reverse zone
samba-tool dns add arch-vm-addc.wildw1ng.local 122.168.192.in-addr.arpa 30 PTR arch-vm-addc.wildw1ng.local -U Administrator

Verify the reverse lookup

# Should answer with arch-vm-addc.wildw1ng.local
host -t PTR 192.168.122.30

Verify the file server

# -N: anonymous share listing; expect sysvol, netlogon and (non-browseable) shares
# as configured in smb.conf to be served
smbclient -L localhost -N

Enable services

# Start both at boot. Use `enable --now` (or reboot) before running the tests above;
# named serves the AD zones that the samba DC depends on for SRV lookups.
systemctl enable named
systemctl enable samba

read more…


Manage roaming user profiles

Windows RSAT tools on Windows Client

roaming-profiles

Use the ‘Active Directory Users and Computers’ application on a Windows client to set the path to the user’s roaming profile and shared home directory.

User profile \\arch-vm-addc\profiles\%username%

Home folder \\arch-vm-addc\shared\%username% (note: no `[shared]` share is defined in the smb.conf above — add one, with appropriate permissions, before assigning home folders)

Windows client OS version Windows Server OS version Profile suffix Profile directory name
Windows NT 4.0 - Windows Vista Windows NT Server 4.0 - Windows Server 2008 none user
Windows 7 Windows Server 2008 R2 V2 user.V2
Windows 8.0 - 8.1* Windows Server 2012 - 2012 R2* V3 user.V3
Windows 8.1* Windows Server 2012 R2* V4 user.V4
Windows 10 (1507 to 1511) Windows Server 2016 V5 user.V5
Windows 10 (1607 and later) V6 user.V6

Manage user profiles with Samba

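samba-tool user list
# Omit the password argument so samba-tool prompts for it: a password on the command
# line ends up in shell history and is visible to other users via `ps`. Alternatives:
# --random-password, and --must-change-at-next-login for initial passwords.
# The UNC paths must name this DC (arch-vm-addc, as in the RSAT example above); single
# quotes keep the backslashes literal without doubling them.
samba-tool user create User11 \
  --use-username-as-cn --surname="User" \
  --given-name="11" --initials=U11 \
  --mail-address=User11@wildw1ng.local \
  --company="Company inc." --script-path=shire.bat \
  --profile-path='\\arch-vm-addc\profiles\User11' \
  --home-drive=Z \
  --home-directory='\\arch-vm-addc\shared\User11' \
  --job-title="Fancy title"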

read more…


Manage group policies

Samba policies can be found in the ‘Group Policy Management Editor’ within User or

Computer Configuration > Policies > Administrative Templates > Samba

For Samba Domain Controllers, the Password and Kerberos settings are also applied, which are found in

Computer Configuration > Policies > OS Settings > Security Settings > Account Policy.