Setting up a DC farm with Samba v4

tested on slackware current (nov 2021)

Requirements

you need at least 1GB of RAM per node hence you cannot run this on a restricted dom0 system.

for your domain name, consider using public FQDNs to use well known PKIX bundles –or– go for a corporate and private CA. default self-signed cert is located over there

/var/lib/samba/private/tls/

also make sure you’ve defined a static resolution record for the hostnames you are going to use for the DCs. it’s better to avoid .local here and that’s not only a matter of PKIX bundles.

vi /etc/hosts

192.168.122.12  dc1.example.net dc1
192.168.122.13  dc2.example.net dc2

let’s also make sure we’re in time sync between the DC (and probably also a good idea for clients) therefore use an NTP client daemon for once (unless this is all XEN guests with a virtual clock).

Install

slackpkg update
slackpkg install samba talloc tevent libunwind python-dnspython libedit
ls -alF /var/run/samba/ # folder exists?
#mkdir /var/run/samba/
slackpkg install python3 tdb lmdb
slackpkg install gpgme libassuan

ldd `which samba` | grep found
ldd `which nmbd` | grep found
ldd `which smbd` | grep found

check

samba --version
samba -b
smbd --build-options

some dns utils and network tools might also be useful

slackpkg install bind json-c libuv
slackpkg install nmap libnl

Setup

samba-tool domain provision -h

#export LDB_MODULES_PATH=/usr/lib64/ldb
ldd /usr/lib64/ldb/password_hash.so | grep found
rm -f /etc/samba/smb.conf
rm -f /var/lib/samba/private/tls/*

it’s better to bind to specific interfaces from the start, just in case you’ve get several ones in the future. don’t forget to define the forwarder (here virsh’s instead of ISP’s).

dc1

samba-tool domain provision \
    --interactive \
    --host-ip=192.168.122.12 \
    --host-name=dc1 \
    --dns-backend=SAMBA_INTERNAL \
    --use-rfc2307 \
    --option="interfaces = lo xenbr0" \
    --option="bind interfaces only = yes"

Realm [LOCALDOMAIN]:  EXAMPLE.NET
Domain [EXAMPLE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.122.12]:  192.168.122.1

gives

[global]
    bind interfaces only = yes
    interfaces = lo xenbr0
    dns forwarder = 192.168.122.1
    netbios name = DC1
    realm = EXAMPLE.NET
    server role = active directory domain controller
    workgroup = EXAMPLE
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/example.net/scripts
    read only = No

check the resulting parms and config

ls -alF /var/lib/samba/private/
ldbsearch -H /var/lib/samba/private/sam.ldb | grep ^dn: | less
cat /etc/samba/smb.conf

copy the samba KRB samples

    ls -lF /var/lib/samba/private/krb5.conf
    ls -lF /var/lib/samba/private/kdc.conf

    cp -i /var/lib/samba/private/krb5.conf /etc/
    cp -i /var/lib/samba/private/kdc.conf /var/kerberos/krb5kdc/

    cat /etc/krb5.conf
    cat /var/kerberos/krb5kdc/kdc.conf

you HAVE TO start using your AD as a DNS provider already, for the dns updates to apply

ls -lF /etc/resolv.conf # un-managed (not a symlink)
vi /etc/resolv.conf

domain example.net
search example.net
nameserver 192.168.122.12
#nameserver 192.168.122.13

also setup the backup domain controler

Ready to go

tail -n0 -F /var/log/* /var/log/samba/*

disable the provided init scripts as we want a DC, not just file-sharing

ls -lF /etc/rc.d/rc.samba
#chmod -x /etc/rc.d/rc.samba

start the daemon while watching the logs and enable it at boot time

vi /etc/rc.d/rc.local

mkdir -p /var/run/samba/
echo starting PDC
samba && echo done
#grep 'interfaces =' /etc/samba/smb.conf

status

pgrep -a samba
ps auxfww | less # /samba

kill

vi /etc/rc.d/rc.local_shutdown

echo -n killing samba4...
pkill samba && echo done

chmod +x /etc/rc.d/rc.local_shutdown

Acceptance

key pair and cert got created at first run

ls -alF /var/lib/samba/private/tls/
openssl x509 -noout -text < /var/lib/samba/private/tls/cert.pem  | less

validate system shares

    smbclient -L localhost -N

validate local dns records

netstat -lntup | grep :53
nmap -sU -p 53 localhost
nmap -p 53 localhost
    host -t SRV _ldap._tcp.example.net

validate dns forwarding

host opendns.com 127.0.0.1
host opendns.com

create a user and finally proceed with a samba client

Resources

install

smb.conf — The configuration file for the Samba suite https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

Setting up Samba as an Active Directory Domain Controller https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Installing Samba https://wiki.samba.org/index.php/Installing_Samba

Back up and Restoring a Samba AD DC https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC ==> host-ip

firewall

Cyber Security Awareness Month - Day 27 - Active Directory Ports https://isc.sans.edu/diary/Cyber+Security+Awareness+Month+-+Day+27+-+Active+Directory+Ports/7468

Required ports to communicate with Domain controller. RRS feed https://social.technet.microsoft.com/Forums/windows/en-US/1c6a59de-c1fe-4946-bb4e-1fe36fd40b08/required-ports-to-communicate-with-domain-controller

ldap

Configuring LDAP over SSL (LDAPS) on a Samba AD DC https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_%28LDAPS%29_on_a_Samba_AD_DC

nis

Setting up RFC2307 in AD https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD


HOME | GUIDES | LECTURES | LAB | SMTP HEALTH | NU | HTML5
Copyright © 2022 Pierre-Philipp Braun