** You should upgrade to at least 4.4.2 because of the Badlock Bug **

Joining a CentOS DC to an existing Samba AD DC directory is much like building the first AD DC; the steps only differ at the end, where you join the existing domain instead of provisioning a new one. Here are my directions for building a CentOS Samba 4.4.0 AD DC that I used for this post.

Samba 4.4.0 has several improvements; in particular it now allows demoting a dead server, and it lets me use a real server if I want to, not only a virtual one, though I still prefer a virtual one.

I will be using this information for the second Samba AD DC server:

Samba Server: dc2
IP Address: 192.168.2.101
Netmask: 255.255.255.0
Default Gateway: 192.168.2.1
DNS Domain Name: bales.lan
NetBIOS Domain Name: BALES
DNS Backend: SAMBA_INTERNAL

After Installing CentOS:

I installed updates using terminal:

sudo yum update

then I rebooted.

Then I disabled the firewall and SELinux:

sudo service firewalld stop
sudo systemctl disable firewalld
sudo gedit /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reboot.

Prerequisite CentOS:

Then I changed the network configuration. Note that I set the first DNS server to the IP address of the first Samba AD DC, ‘dc1’ (192.168.2.100), so that the second server will be able to find it.

sudo gedit /etc/sysconfig/network-scripts/ifcfg-eno16777736

TYPE=Ethernet
BOOTPROTO=static
IPADDR=192.168.2.101
NETMASK=255.255.255.0
GATEWAY=192.168.2.1
DNS1=192.168.2.100
DNS2=192.168.2.101
DNS3=192.168.2.1
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
UUID=b949bf38-7e14-43cd-ace2-0fb532a70427
DEVICE=eno16777736
ONBOOT=yes

*** Since I used VMware Workstation 12 for my CentOS it had an additional interface called “virbr0” and it was using 192.168.22.8 (why that I don’t know), and it was interfering with making Samba AD DC work.  I disabled it by doing this:

sudo virsh net-destroy default
sudo virsh net-undefine default
sudo service libvirtd restart

Then I changed the /etc/hosts file to match the actual IP of my server (dc2):

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.2.101 dc2.bales.lan centos2
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Then I changed the hostname to just ‘dc2’ (make sure you have also changed the hostname on the first AD DC, or your ‘drs showrepl’ will only show localhost!):

sudo gedit /etc/hostname

Rebooted.

I then extended the PATH by adding ‘:/usr/local/samba/bin:/usr/local/samba/sbin’ in a new file called samba-path.sh in the /etc/profile.d/ directory:

sudo gedit /etc/profile.d/samba-path.sh

PATH=${PATH}:/usr/local/samba/bin:/usr/local/samba/sbin

Then I added the same line to the sudoers file in the ‘Defaults secure_path’ line:

sudo gedit /etc/sudoers

.........
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/samba/bin:/usr/local/samba/sbin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:

.........

Then I rebooted again.

After rebooting, install the requirements/dependencies for Samba AD DC:

sudo yum install perl gcc attr libacl-devel libblkid-devel \
    gnutls-devel readline-devel python-devel gdb pkgconfig \
    krb5-workstation zlib-devel setroubleshoot-server libaio-devel \
    setroubleshoot-plugins policycoreutils-python \
    libsemanage-python perl-ExtUtils-MakeMaker perl-Parse-Yapp \
    perl-Test-Base popt-devel libxml2-devel libattr-devel \
    keyutils-libs-devel cups-devel bind-utils libxslt \
    docbook-style-xsl openldap-devel autoconf python-crypto pam-devel

Rebooted.

Installing Samba AD DC:

Download the ‘samba 4.3.1’ zipped file from http://www.samba.org and extract it to your Downloads directory. In a terminal, first run ./configure in the extraction directory:

sudo ./configure

Then a make:

sudo make

Then make install:

sudo make install

Then lastly add these 3 lines to /etc/krb5.conf:

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = BALES.LAN

Rebooted.

Time to join the Samba AD DC:

# sudo samba-tool domain join bales.lan DC -Uadministrator --realm=BALES.LAN --dns-backend=SAMBA_INTERNAL

Found DC dc1.bales.lan
Password for [WORKGROUP\administrator]:
workgroup is BALES
realm is bales.lan
checking sAMAccountName
Adding CN=DC2,OU=Domain Controllers,DC=bales,DC=lan
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=bales,DC=lan
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Provision OK for domain DN DC=bales,DC=lan
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=bales,DC=lan] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=bales,DC=lan] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=bales,DC=lan] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=bales,DC=lan] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=bales,DC=lan] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=bales,DC=lan] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=bales,DC=lan] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=bales,DC=lan] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=bales,DC=lan] objects[1614/1614] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=bales,DC=lan] objects[97/97] linked_values[23/0]
Partition[DC=bales,DC=lan] objects[364/267] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=bales,DC=lan
Partition[DC=DomainDnsZones,DC=bales,DC=lan] objects[40/40] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=bales,DC=lan
Partition[DC=ForestDnsZones,DC=bales,DC=lan] objects[18/18] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain BALES (SID S-1-5-21-2467930394-1560492651-202832562) as a DC

Start samba:

sudo samba

Testing your new joined Centos2 domain controller:

Resolving your A record:

host -t A dc2.bales.lan

dc2.bales.lan has address 192.168.2.101

If it cannot resolve it, then add it:

# sudo samba-tool dns add dc1 bales.lan dc2 A 192.168.2.101 -Uadministrator

Password for [BALES\administrator]: *
Record added successfully

Look up the objectGUID needed for the CNAME record:

sudo ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid

# record 1
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
objectGUID: b490caa1-1fef-45ad-89b7-3a96c2666515

# record 2
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
objectGUID: c0754d24-ebaf-4cac-81b1-f28372e88bb6

# returned 2 records
# 2 entries
# 0 referrals

Then test for the CNAME for centos2:

host -t CNAME c0754d24-ebaf-4cac-81b1-f28372e88bb6._msdcs.bales.lan

c0754d24-ebaf-4cac-81b1-f28372e88bb6._msdcs.bales.lan is an alias for dc2.bales.lan.

If not found add it:

sudo  samba-tool dns add dc1 _msdcs.bales.lan c0754d24-ebaf-4cac-81b1-f28372e88bb6 CNAME dc2.bales.lan -Uadministrator
Password for [BALES\administrator]: *
Record added successfully
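As an added example (not from the original post), here is a small shell script that automates the three DNS checks above: it extracts the new DC's NTDS Settings objectGUID from the ldbsearch output, judges the ‘host’ answers, and prints the exact samba-tool command for whichever record is missing. Names match the post; the embedded ldbsearch output is a constructed sample and the RUN_DC_CHECKS switch is my own convention.

```shell
#!/bin/sh
# Added example (not from the original post): check that the new DC's A record
# and its objectGUID CNAME under _msdcs resolve, and print the samba-tool
# command for whichever is missing. Names match the post; the ldbsearch output
# below is a constructed sample.

DOMAIN=bales.lan; DC1=dc1; DC2=dc2; DC2_IP=192.168.2.101

# Pull the NTDS Settings objectGUID of one DC out of
# 'ldbsearch -H sam.ldb "(invocationId=*)" --cross-ncs objectguid' output (stdin).
ntds_guid() {   # usage: ntds_guid <dc name>
  awk -v dc="$1" '
    BEGIN { prefix = "dn: CN=NTDS Settings,CN=" toupper(dc) "," }
    index($0, prefix) == 1 { want = 1; next }
    want && $1 == "objectGUID:" { print $2; exit }'
}

# Judge 'host -t A' / 'host -t CNAME' output against what the post expects.
a_record_ok() { case "$1" in *"has address $2"*) return 0;; esac; return 1; }
cname_ok()    { case "$1" in *"is an alias for $2."*) return 0;; esac; return 1; }

# Live run on the DC (host, ldbsearch and samba-tool must be in PATH).
run_dns_checks() {
  out=$(host -t A "$DC2.$DOMAIN")
  a_record_ok "$out" "$DC2_IP" ||
    echo "missing A record: samba-tool dns add $DC1 $DOMAIN $DC2 A $DC2_IP -Uadministrator"
  guid=$(ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid |
    ntds_guid "$DC2")
  out=$(host -t CNAME "$guid._msdcs.$DOMAIN")
  cname_ok "$out" "$DC2.$DOMAIN" ||
    echo "missing CNAME: samba-tool dns add $DC1 _msdcs.$DOMAIN $guid CNAME $DC2.$DOMAIN -Uadministrator"
}

# Constructed sample of the ldbsearch output shown in the post.
LDB_SAMPLE='# record 1
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
objectGUID: b490caa1-1fef-45ad-89b7-3a96c2666515

# record 2
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
objectGUID: c0754d24-ebaf-4cac-81b1-f28372e88bb6'

# RUN_DC_CHECKS=1 runs the live checks; otherwise only the sample is parsed.
if [ "${RUN_DC_CHECKS:-0}" = 1 ]; then
  run_dns_checks
else
  echo "expected CNAME: $(printf '%s\n' "$LDB_SAMPLE" | ntds_guid "$DC2")._msdcs.$DOMAIN"
fi
```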

Add a dns forwarder and rfc2307 to the smb.conf file:

# Global parameters
[global]
 workgroup = BALES
 realm = bales.lan
 netbios name = dc2
 server role = active directory domain controller
 dns forwarder = 192.168.2.1
 idmap_ldb:use rfc2307 = yes

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/bales.lan/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No

Then after 10 minutes run ‘samba-tool drs showrepl’ to check that your new DC is replicating with the main AD DC. You should see 0 consecutive failure(s) on both the inbound and outbound connections:

Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: f44f8fb3-6ca5-4d12-8656-61d5e254323f
DSA invocationId: d996cbf3-0015-4b9f-94b5-01641b62d259

==== INBOUND NEIGHBORS ====

DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 2ee9e9ff-89ab-4ad4-88e2-1189616d246f
 Last attempt @ Sat Mar 26 15:19:36 2016 PDT was successful
 0 consecutive failure(s).
 Last success @ Sat Mar 26 15:19:36 2016 PDT

DC=ForestDnsZones,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 2ee9e9ff-89ab-4ad4-88e2-1189616d246f
 Last attempt @ Sat Mar 26 15:19:35 2016 PDT was successful
 0 consecutive failure(s).
 Last success @ Sat Mar 26 15:19:35 2016 PDT

DC=DomainDnsZones,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 2ee9e9ff-89ab-4ad4-88e2-1189616d246f
 Last attempt @ Sat Mar 26 15:19:35 2016 PDT was successful
 0 consecutive failure(s).
 Last success @ Sat Mar 26 15:19:35 2016 PDT

CN=Schema,CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 2ee9e9ff-89ab-4ad4-88e2-1189616d246f
 Last attempt @ Sat Mar 26 15:19:36 2016 PDT was successful
 0 consecutive failure(s).
 Last success @ Sat Mar 26 15:19:36 2016 PDT

CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 2ee9e9ff-89ab-4ad4-88e2-1189616d246f
 Last attempt @ Sat Mar 26 15:19:36 2016 PDT was successful
 0 consecutive failure(s).
 Last success @ Sat Mar 26 15:19:36 2016 PDT

==== OUTBOUND NEIGHBORS ====

DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 2ee9e9ff-89ab-4ad4-88e2-1189616d246f
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

DC=ForestDnsZones,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 2ee9e9ff-89ab-4ad4-88e2-1189616d246f
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

DC=DomainDnsZones,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 2ee9e9ff-89ab-4ad4-88e2-1189616d246f
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 2ee9e9ff-89ab-4ad4-88e2-1189616d246f
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 2ee9e9ff-89ab-4ad4-88e2-1189616d246f
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
 Connection name: 4b9f19e9-dfc9-49ba-b7a8-a30cd6854b3e
 Enabled : TRUE
 Server DNS name : dc1.bales.lan
 Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
 TransportType: RPC
 options: 0x00000001
Warning: No NC replicated for Connection!
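Checking that output by eye works once, but the check you want to keep running is "no neighbour has a failed last attempt or a non-zero failure count". As an added example (not from the original post), this shell function scans ‘samba-tool drs showrepl’ output for exactly that; the embedded output is a constructed sample with one healthy partition and one that has stopped replicating, and the RUN_REPL_CHECK switch is my own convention.

```shell
#!/bin/sh
# Added example (not from the original post): scan 'samba-tool drs showrepl'
# output and list every neighbour with a failed last attempt or a non-zero
# "consecutive failure(s)" count. The sample below is constructed; names match the post.

# Reads showrepl output on stdin, prints one line per problem, exits non-zero if any.
repl_problems() {
  awk '
    /^==== /                    { section = $2 }      # INBOUND / OUTBOUND / KCC
    /^(DC|CN)=/                 { partition = $1 }    # naming context header
    / via /                     { neighbour = $1 }    # e.g. Default-First-Site-Name\DC1
    /Last attempt @/ && !/was successful/ {
      printf "%s %s from %s: last attempt failed\n", section, partition, neighbour; bad++ }
    /consecutive failure\(s\)/ && $1 + 0 > 0 {
      printf "%s %s from %s: %d consecutive failures\n", section, partition, neighbour, $1; bad++ }
    END { exit (bad > 0) }
  '
}

# Constructed sample: one healthy partition and one that stopped replicating.
SHOWREPL_SAMPLE='==== INBOUND NEIGHBORS ====

DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 2ee9e9ff-89ab-4ad4-88e2-1189616d246f
 Last attempt @ Sat Mar 26 15:19:36 2016 PDT was successful
 0 consecutive failure(s).
 Last success @ Sat Mar 26 15:19:36 2016 PDT

DC=DomainDnsZones,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: 2ee9e9ff-89ab-4ad4-88e2-1189616d246f
 Last attempt @ Sat Mar 26 16:02:11 2016 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
 3 consecutive failure(s).
 Last success @ Sat Mar 26 15:19:35 2016 PDT'

# RUN_REPL_CHECK=1 scans the live DC; otherwise the constructed sample is scanned.
if [ "${RUN_REPL_CHECK:-0}" = 1 ]; then
  samba-tool drs showrepl | repl_problems || echo "replication problems found"
else
  printf '%s\n' "$SHOWREPL_SAMPLE" | repl_problems || echo "replication problems found"
fi
```

The NTTIME(0) timestamps on the outbound side are not flagged, since the post's own healthy output shows them with 0 failures.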

If everything is ok, you have got a joined domain controller! If not, go to https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting.

References:

https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory


One thought on “Joining a CentOS 7 DC to Samba 4.4.0 AD DC”

  1. Nice writeup, works fine for me after I fixed the Netbios name in /usr/local/samba/etc/smb.conf manually. I had a hostname that was too long for NetBios, and the samba-tool had just truncated it to 15 characters. I changed it to a shorter CNAME that actually resolves to the new DC, restarted Samba and then the DRS replication started working.
