tested on slackware current (nov 2021)
you need at least 1GB of RAM per node, hence you cannot run this on a restricted dom0 system.
for your domain name, consider using public FQDNs so you can rely on well-known PKIX bundles –or– go for a corporate, private CA. the default self-signed cert is located here:
/var/lib/samba/private/tls/
also make sure you’ve defined a static resolution record for the hostnames you are going to use for the DCs.
it’s better to avoid .local here and that’s not only a matter of PKIX bundles.
vi /etc/hosts

192.168.122.12 dc1.example.net dc1
192.168.122.13 dc2.example.net dc2
let’s also make sure the DCs are in time sync (probably a good idea for clients too), therefore use an NTP client daemon for once (unless these are all XEN guests with a virtual clock).
apt update
apt install samba ldb-tools
cat /etc/default/samba # does not exist
some tools might also be useful
apt install dnsutils nmap
apt install ldap-utils
slackpkg update
slackpkg install samba talloc tevent libunwind python-dnspython libedit
ls -alF /var/run/samba/ # folder exists?
#mkdir /var/run/samba/
slackpkg install python3 tdb lmdb
slackpkg install gpgme libassuan
ldd `which samba` | grep found
ldd `which nmbd` | grep found
ldd `which smbd` | grep found
some tools might also be useful
slackpkg install bind json-c libuv
slackpkg install nmap libnl
slackpkg search openldap
check
samba --version
samba -b
smbd --build-options
samba-tool domain provision -h
#export LDB_MODULES_PATH=/usr/lib64/ldb
ldd /usr/lib64/ldb/password_hash.so | grep found
mv -i /etc/samba/smb.conf /etc/samba/smb.conf.dist
back up the defaults
cd /var/lib/samba/
tar czpf private.tar.gz private/
and/or clean up previous setup attempts, if any
rm -f /var/lib/samba/private/tls/*
it’s better to bind to specific interfaces from the start, just in case you get several in the future. don’t forget to define the forwarder (here virsh’s rather than the ISP’s).
dc1
samba-tool domain provision \
    --interactive \
    --host-ip=192.168.122.12 \
    --host-name=dc1 \
    --dns-backend=SAMBA_INTERNAL \
    --use-rfc2307 \
    --option="interfaces = lo xenbr0" \
    --option="bind interfaces only = yes"

Realm [LOCALDOMAIN]: EXAMPLE.NET
Domain [EXAMPLE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.122.12]: 192.168.122.1
check the resulting parameters and config
ls -alF /var/lib/samba/private/
ldbsearch -H /var/lib/samba/private/sam.ldb | grep ^dn: | less
cat /etc/samba/smb.conf
gives
[global]
    bind interfaces only = yes
    interfaces = lo xenbr0
    dns forwarder = 192.168.122.1
    netbios name = DC1
    realm = EXAMPLE.NET
    server role = active directory domain controller
    workgroup = EXAMPLE
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/example.net/scripts
    read only = No
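an added check for the resulting smb.conf (example code written for these notes, not Samba's own tooling): it parses the file with Samba's parameter matching rules (case-insensitive, internal spaces ignored, ':' allowed in names) and flags the points this procedure depends on: DC role, bind interfaces only, the interface list, the forwarder not being the DC itself, and the realm. the host IP and interface names default to the ones used above; the embedded smb.conf is the one provisioned above, used as sample input.

```python
import configparser
import re

# smb.conf as produced by the provisioning above (copied from these notes; sample input)
SAMPLE_SMB_CONF = """\
[global]
    bind interfaces only = yes
    interfaces = lo xenbr0
    dns forwarder = 192.168.122.1
    netbios name = DC1
    realm = EXAMPLE.NET
    server role = active directory domain controller
    workgroup = EXAMPLE
    idmap_ldb:use rfc2307 = yes
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
"""

def _norm(name):
    # Samba matches parameter names case-insensitively and ignores internal spaces
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    # '=' is the only delimiter: ':' is part of names such as idmap_ldb:use rfc2307
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False, allow_no_value=True)
    cp.optionxform = _norm
    cp.read_string(text)
    return {s.lower(): {k: (v or "").strip() for k, v in cp.items(s)} for s in cp.sections()}

def audit_global(conf, host_ip="192.168.122.12", ifaces_ok=("lo", "xenbr0")):
    """Return the findings for [global]; an empty list means it matches the procedure."""
    g = conf.get("global", {})
    get = lambda name: g.get(_norm(name), "")
    findings = []
    if get("server role").lower() != "active directory domain controller":
        findings.append("server role is not 'active directory domain controller'")
    if get("bind interfaces only").lower() not in ("yes", "true", "1"):
        findings.append("bind interfaces only is not yes: the DC listens on every address")
    ifaces = set(get("interfaces").split())
    if not ifaces or ifaces - set(ifaces_ok):
        findings.append("interfaces is empty or lists unexpected ones: " + " ".join(sorted(ifaces)))
    fwd = get("dns forwarder")
    if not fwd:
        findings.append("dns forwarder unset: names outside the AD zone will not resolve via the DC")
    elif fwd == host_ip:
        findings.append("dns forwarder is the DC's own address (the interactive default): it would forward to itself")
    realm = get("realm")
    if realm != realm.upper():
        findings.append("realm should be upper-case")
    if realm.lower().endswith(".local"):
        findings.append("realm ends in .local (clashes with mDNS)")
    return findings
```

on a real DC, feed it `open("/etc/samba/smb.conf").read()` instead of the sample and pass the host IP and interfaces you provisioned with.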
copy the samba KRB samples
ls -lF /var/lib/samba/private/krb5.conf
ls -lF /var/lib/samba/private/kdc.conf
cp -i /var/lib/samba/private/krb5.conf /etc/
cp -i /var/lib/samba/private/kdc.conf /var/kerberos/krb5kdc/
cat /etc/krb5.conf
cat /var/kerberos/krb5kdc/kdc.conf
you HAVE TO start using your AD as DNS already, for the updates to apply
ls -lF /etc/resolv.conf # un-managed (not a symlink)
vi /etc/resolv.conf

domain example.net
search example.net
nameserver 192.168.122.12
#nameserver 192.168.122.13
also set up the backup domain controller
watch the samba logs
tail -F /var/log/samba/*
systemctl list-unit-files | grep -E 'mbd|samba'
systemctl stop nmbd.service
systemctl stop smbd.service
systemctl disable nmbd.service
systemctl disable smbd.service
systemctl unmask samba-ad-dc.service
systemctl restart samba-ad-dc.service
systemctl enable samba-ad-dc.service
systemctl status samba-ad-dc.service
disable the init scripts as we want a full DC, not just file-sharing
ls -lF /etc/rc.d/rc.samba
#chmod -x /etc/rc.d/rc.samba
start the daemon while watching the logs and enable it at boot time
vi /etc/rc.d/rc.local

mkdir -p /var/run/samba/
echo starting PDC
samba && echo done
#grep 'interfaces =' /etc/samba/smb.conf
kill
vi /etc/rc.d/rc.local_shutdown

echo -n killing samba4...
pkill samba && echo done

chmod +x /etc/rc.d/rc.local_shutdown
status
pgrep -a mbd
pgrep -a samba
ps auxfww | less # /samba
the key pair and cert got created at first run
ls -alF /var/lib/samba/private/tls/
openssl x509 -noout -text < /var/lib/samba/private/tls/cert.pem | less
validate system shares
smbclient -L localhost -N
validate local dns records
netstat -lntup | grep :53
nmap -sU -p 53 localhost
nmap -p 53 localhost
host -t SRV _ldap._tcp.example.net
validate dns forwarding
host opendns.com 127.0.0.1
host opendns.com
create a user and finally proceed with a samba client
smb.conf — The configuration file for the Samba suite https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
Setting up Samba as an Active Directory Domain Controller https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Installing Samba https://wiki.samba.org/index.php/Installing_Samba
Back up and Restoring a Samba AD DC https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC
Cyber Security Awareness Month - Day 27 - Active Directory Ports https://isc.sans.edu/diary/Cyber+Security+Awareness+Month+-+Day+27+-+Active+Directory+Ports/7468
Required ports to communicate with Domain controller https://social.technet.microsoft.com/Forums/windows/en-US/1c6a59de-c1fe-4946-bb4e-1fe36fd40b08/required-ports-to-communicate-with-domain-controller
Configuring LDAP over SSL (LDAPS) on a Samba AD DC https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_%28LDAPS%29_on_a_Samba_AD_DC
Setting up RFC2307 in AD https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD