{{tag>ldap samba}}
====== Install Samba4 as LDAP Authentication Backend ======
NOTE:
* Provisioning the domain below will fail if Samba is installed inside an unprivileged LXC container. See https://github.com/lxc/lxd/issues/3442
* Make sure the servers can talk to each other (check firewall rules etc.) if setting up directory replication
* If this is a container inside Proxmox, edit the DNS options in the Proxmox web GUI and not in /etc/resolv.conf, because that file will get overwritten
===== Install packages =====
apt update && apt -y install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind ldb-tools ldap-utils && apt clean
===== Configure Kerberos =====
* Leave the default realm as your FQDN
* Enter the hostnames of the servers where Samba will be running as Kerberos servers, e.g. auth1 auth2
* Set one of the above servers as the administrative server
===== Stop and disable all samba related services =====
systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service && systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service && mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
===== Provision domain =====
samba-tool domain provision --use-rfc2307 --interactive
root@server:~# samba-tool domain provision --use-rfc2307 --interactive
Realm [EXAMPLE.COM]:
Domain [EXAMPLE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [213.133.98.98]: 8.8.4.4
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: auth1
NetBIOS Domain: EXAMPLE
DNS Domain: example.com
DOMAIN SID: S-1-5-21-3181794916-3194312431-3547220048
===== Use samba krb5.conf =====
mv /etc/krb5.conf /etc/krb5.conf.initial && ln -s /var/lib/samba/private/krb5.conf /etc/
===== Enable and start samba =====
systemctl unmask samba-ad-dc.service && systemctl enable samba-ad-dc.service && systemctl start samba-ad-dc.service
===== Verify that the realm has been created =====
samba-tool domain level show
===== Add winbind options to the [global] section of /etc/samba/smb.conf =====
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = true
winbind enum groups = true
ldap server require strong auth = no
===== Add winbind to group and passwd in /etc/nsswitch.conf and disable password policy =====
==== Disable password expiration for the Administrator account. ====
samba-tool user setexpiry Administrator --noexpiry
==== Show domain level password options. ====
samba-tool domain passwordsettings show
==== Disable password complexity at the domain level. ====
samba-tool domain passwordsettings set --complexity=off
==== Disable password history at the domain level. ====
samba-tool domain passwordsettings set --history-length=0
==== Disable password min-age at the domain level. ====
samba-tool domain passwordsettings set --min-pwd-age=0
==== Disable password max-age at the domain level. ====
samba-tool domain passwordsettings set --max-pwd-age=0
==== Disable minimum password length at the domain level. ====
samba-tool domain passwordsettings set --min-pwd-length=0
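As an added example (not part of the original page), a Python check that parses the output of `samba-tool domain passwordsettings show` (the sample below is constructed, not a real capture) and lists every setting that is now weaker than Samba's provisioning defaults, so the effective policy can be audited after the commands above:

```python
import re

# Constructed sample of `samba-tool domain passwordsettings show` output (not a real
# capture), as it would look after the five "set" commands above have been applied.
SAMPLE_SHOW_OUTPUT = """\
Password information for domain 'DC=example,DC=com'
Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 0
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

# Values a freshly provisioned Samba AD domain starts with (Samba's provisioning defaults).
PROVISION_DEFAULTS = {
    "Password complexity": "on",
    "Password history length": 24,
    "Minimum password length": 7,
    "Minimum password age (days)": 1,
    "Maximum password age (days)": 42,
}

def parse_passwordsettings(text):
    """Turn the 'Key: value' lines into a dict; numeric values become ints."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(\S+)\s*$", line)
        if m:
            key, value = m.group(1).strip(), m.group(2)
            settings[key] = int(value) if value.isdigit() else value
    return settings

def is_weaker(key, current, default):
    if isinstance(default, str):
        return current != default          # on/off switch such as complexity
    if current == 0:
        return True                        # 0 disables the control entirely
    if key.startswith("Maximum"):
        return current > default           # longer password lifetime is weaker
    return current < default               # shorter history, length or min-age is weaker

def relaxed_settings(settings):
    """{key: (current, default)} for every setting weaker than the provisioning default."""
    return {k: (settings[k], d) for k, d in PROVISION_DEFAULTS.items()
            if k in settings and is_weaker(k, settings[k], d)}
```

Run it against the real `show` output on the DC to confirm which controls are switched off before exposing the directory to applications.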
====== Add "TLS_REQCERT allow" to /etc/ldap/ldap.conf ======
====== Add your own certificates for LDAPS ======
===== Copy your certs and keys to the server and overwrite the default Samba *.pem files in /var/lib/samba/private/tls: =====
cat example.com.crt > cert.pem
cat example.com.key > key.pem
cat intermediate.crt > ca.pem
systemctl restart samba-ad-dc.service
===== Test from your local machine =====
openssl s_client -connect auth1.example.com:636
====== Adding users and groups ======
===== Create user =====
samba-tool user create --given-name= --surname= --mail-address=
===== Create group =====
samba-tool group add Example-Users
===== Add members to group =====
samba-tool group addmembers Git-Users
See 'samba-tool help' for more commands.
====== Setup directory replication ======
===== Add secondary server to Samba domain =====
On the secondary server, install Samba as above but do not provision a new domain; instead, join it to the existing one.
===== Set up DNS resolution (see note above if on Proxmox) =====
On the master (auth1), edit /etc/resolv.conf like so:
root@auth1:~# cat /etc/resolv.conf
search example.com
nameserver 10.10.x.174
nameserver 2a01:xxx:xxx:xxxx:10:10:4:ae
The nameservers are the IPs of the master itself. On auth2, edit /etc/resolv.conf like so:
root@auth2:~# cat /etc/resolv.conf
search example.com
nameserver 5.9.xxx.174
nameserver 2a01:xxx:xxx:xxxx:10:10:4:ae
The nameservers are the IPs of the auth1 server.
===== Test DNS on auth2 =====
root@auth2:~# nslookup auth1.example.com
Server: 2a01:xxx:xxx:xxxx:10:10:4:ae
Address: 2a01:xxx:xxx:xxxx:10:10:4:ae#53
Name: auth1.example.com
Address: 10.10.x.174
===== Use samba krb5.conf =====
mv /etc/krb5.conf /etc/krb5.conf.initial && ln -s /var/lib/samba/private/krb5.conf /etc/
==== Add settings to krb5.conf: ====
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = EXAMPLE.COM
==== Verify the settings using the kinit command ====
The password for "administrator" is the same as for the "Administrator" account on the auth1 server.
root@auth2:~# kinit administrator
Password for administrator@EXAMPLE.COM:
root@auth2:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM
Valid starting Expires Service principal
08.07.2019 12:00:03 08.07.2019 22:00:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 09.07.2019 11:58:46
===== Finally join the new domain =====
samba-tool domain join EXAMPLE.COM DC -U"administrator" --option='idmap_ldb:use rfc2307 = yes' --option='template shell = /bin/bash' --option='winbind use default domain = true' --option='winbind offline logon = false' --option='winbind nss info = rfc2307' --option='winbind enum users = true' --option='winbind enum groups = true' --option='ldap server require strong auth = no' --option='hosts allow = ALL' --dns-backend=SAMBA_INTERNAL
===== Start Samba if not already started =====
systemctl start samba-ad-dc.service
===== Check replication status =====
samba-tool drs showrepl
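As an added example (not part of the original page), a Python parser for `samba-tool drs showrepl` output (the sample is constructed, not a real capture) that extracts each inbound/outbound neighbour link and reports the ones whose last attempt failed or that carry consecutive failures, which is the part of the output worth alerting on:

```python
import re

# Constructed sample of `samba-tool drs showrepl` output (not a real capture): the domain
# partition replicates from auth2, the configuration partition has been failing.
SAMPLE_SHOWREPL_OUTPUT = """\
Default-First-Site-Name\\AUTH1

==== INBOUND NEIGHBORS ====

DC=example,DC=com
\tDefault-First-Site-Name\\AUTH2 via RPC
\t\tLast attempt @ Mon Jul  8 12:00:03 2019 CEST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Mon Jul  8 12:00:03 2019 CEST

CN=Configuration,DC=example,DC=com
\tDefault-First-Site-Name\\AUTH2 via RPC
\t\tLast attempt @ Mon Jul  8 12:00:03 2019 CEST failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
\t\t3 consecutive failure(s).
\t\tLast success @ Mon Jul  8 09:00:03 2019 CEST

==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====
"""

def parse_showrepl(text):
    """One dict per neighbour link: direction, partition, neighbour, failures, error."""
    links, direction, partition, current = [], None, None, None
    for line in text.splitlines():
        if m := re.match(r"^==== (\w+) NEIGHBORS ====$", line):
            direction = m.group(1)
        elif line.startswith("===="):
            direction = None                      # KCC section: nothing more to read
        elif direction is None or not line:
            continue
        elif not line.startswith("\t"):
            partition = line                      # naming context, e.g. DC=example,DC=com
        elif not line.startswith("\t\t"):
            current = {"direction": direction, "partition": partition,
                       "neighbour": line.strip().split(" via ")[0], "failures": 0, "error": None}
            links.append(current)
        elif m := re.search(r"failed, result \d+ \((\w+)\)$", line):
            current["error"] = m.group(1)         # WERR_* name of the last failed attempt
        elif m := re.match(r"^\t\t(\d+) consecutive failure", line):
            current["failures"] = int(m.group(1))
    return links

def broken_links(links):
    """Links whose last attempt failed or that carry consecutive failures."""
    return [l for l in links if l["error"] or l["failures"] > 0]
```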
====== Tested on ======
* Debian 9 (Stretch)
* Proxmox
====== See also ======
[[wiki:connect_samba_ldap_bitbucket|Connect to Samba with LDAP (Bitbucket e.g.)]]
====== References ======
* https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
* https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
* https://wiki.samba.org/index.php/Linux_and_Unix_DNS_Configuration