** You should upgrade to at least 4.4.2 because of the Badlock bug (CVE-2016-2118), fixed in the Samba releases of 4-12-2016 **

Samba 4.4.0 has several improvements; in particular it now allows demoting a dead server (via samba-tool domain demote --remove-other-dead-server), and it allows me to use a real server if I want to, not only a virtual one, though I still prefer a virtual one.

Note: I could not get extended-attribute (xattr) support working with the Linux Mint kernel (config-3.19.0-32-generic as of 03-28-16), and Samba has a workaround for that (posix:eadb, a tdb-backed store). However, Samba states: “…it is not efficient and doesn’t scale well. That’s why it shouldn’t be used in production!”

I will be using this information for the Samba AD DC server:

Samba Server: dc1
IP Address: 192.168.2.100
Netmask: 255.255.255.0
Default Gateway: 192.168.2.1
DNS Domain Name: bales.lan
NetBIOS Domain Name: BALES
DNS Backend: SAMBA_INTERNAL

After Installing Linux Mint:

First I installed updates using the terminal:

sudo apt-get update
sudo apt-get dist-upgrade

Then rebooted.

Prerequisites on Linux Mint:

I disabled the firewall (fine for an isolated lab network; a DC reachable from untrusted hosts should instead allow only the AD ports):

sudo ufw disable
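If the DC will be reachable from anything you do not fully trust, opening only the AD ports from the LAN is the better option than turning ufw off. The script below is an added example, not from this post or from Samba: the port table is the one Samba documents for an AD DC, the 192.168.2.0/24 subnet is an assumption taken from this post's network (override LAN in the environment), and DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# ad-dc-ufw.sh: allow only the Active Directory DC ports from the LAN instead
# of "ufw disable". Added example, not from the original post or from Samba.
# LAN is an assumption taken from this post's network; override it in the
# environment. DRY_RUN=1 prints the rules instead of applying them.
LAN=${LAN:-192.168.2.0/24}

# Port table from Samba's AD DC port usage documentation: name, port(s), protocol(s).
# 49152-65535/tcp is the dynamic range the DCE/RPC endpoint mapper (135/tcp) hands out.
ad_dc_ports() {
    cat <<'EOF'
dns          53           tcp,udp
kerberos     88           tcp,udp
epmap        135          tcp
netbios-ns   137          udp
netbios-dgm  138          udp
netbios-ssn  139          tcp
ldap         389          tcp,udp
smb          445          tcp
kpasswd      464          tcp,udp
ldaps        636          tcp
gc           3268         tcp
gc-ssl       3269         tcp
rpc-dynamic  49152:65535  tcp
EOF
}

# ufw_rules: expand the table into one "ufw allow" command per port and protocol,
# restricted to the LAN so the DC is not exposed on every network it sits on.
ufw_rules() {
    ad_dc_ports | while read -r name port protos; do
        for proto in $(printf '%s\n' "$protos" | tr ',' ' '); do
            printf 'ufw allow from %s to any port %s proto %s\n' "$LAN" "$port" "$proto"
        done
    done
}

# apply_rules: add the rules, default-deny everything else inbound and enable ufw.
# Add a rule for your own admin access (e.g. ssh) before this, or the console is
# the only way in once ufw is enabled.
apply_rules() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v ufw >/dev/null 2>&1; then
        echo "# dry run (DRY_RUN=1 or ufw not installed); rules that would be applied:"
        ufw_rules
        return 0
    fi
    ufw_rules | while read -r cmd; do $cmd; done
    ufw default deny incoming
    ufw default allow outgoing
    ufw --force enable
    ufw status verbose
}

if [ "$#" -gt 0 ] && [ "$1" = apply ]; then apply_rules; fi
```

Run `sh ad-dc-ufw.sh apply` as root once you have also allowed whatever you administer the box over (ssh from the LAN, for instance); `ufw --force enable` skips the confirmation prompt, so add that rule first. The 49152:65535 range is large but needed: after the endpoint mapper on 135/tcp answers, clients connect to a dynamic port for the DCE/RPC services (netlogon, LSA, SAMR).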

Then I purged the default installed Samba packages (the pattern is quoted so the shell does not expand it against files in the current directory):

sudo apt-get purge 'samba*'

Then I edited /etc/network/interfaces and added the static IP address (the Samba wiki recommends that the DC use only itself, or another DC, as nameserver; with the router listed second the resolver can fall back to it and fail to find AD records):

sudo gedit /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.2.100
netmask 255.255.255.0
gateway 192.168.2.1
dns-nameservers 192.168.2.100 192.168.2.1
dns-search bales.lan

I changed /etc/hosts and /etc/hostname for the IP address and host name. Note that there is no "127.0.1.1 dc1" line of the kind the Mint installer writes: the DC's FQDN must resolve to its LAN address, otherwise provisioning registers a loopback address in DNS:

sudo gedit /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.2.100 dc1.bales.lan dc1 

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

sudo gedit /etc/hostname
dc1

Rebooted.

Add “/usr/local/samba/bin” and “/usr/local/samba/sbin” at the end of PATH in /etc/environment and of ‘Defaults secure_path’ in /etc/sudoers (sudoers is edited with visudo, which syntax-checks the file before saving; a broken sudoers locks you out of sudo):

sudo gedit /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/samba/bin:/usr/local/samba/sbin"
sudo visudo
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/samba/bin:/usr/local/samba/sbin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Reboot.

After rebooting install the requirements/dependencies for Samba AD DC:

 sudo apt-get install acl attr autoconf bison build-essential \
  debhelper dnsutils docbook-xml docbook-xsl flex gdb krb5-user \
  libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev \
  libcap-dev libcups2-dev libgnutls-dev libjson-perl \
  libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
  libpopt-dev libreadline-dev perl perl-modules pkg-config \
  python-all-dev python-dev python-dnspython python-crypto \
  xsltproc zlib1g-dev

Reboot.

Installing Samba AD DC:

Download the samba-4.4.0 tarball from http://www.samba.org and, before building, verify it against the detached GPG signature (samba-4.4.0.tar.asc, made with the Samba release key) that is published next to it; the signature covers the uncompressed tar. Then extract it to your Downloads directory. Using the terminal, first run ./configure in the extracted directory (configure and make run as your own user; only the install step needs root, because it writes into /usr/local/samba):

./configure

Then do a make:

make

Lastly do a make install:

sudo make install

Rebooted.

Time to build the Samba AD DC:

sudo samba-tool domain provision --use-rfc2307 --interactive
Realm [BALES.LAN]: 
 Domain [BALES]: 
 Server Role (dc, member, standalone) [dc]: 
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: 
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.2.100]: 192.168.2.1
Administrator password: 
Retype password: 
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=bales,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=bales,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dc1
NetBIOS Domain: BALES
DNS Domain: bales.lan
DOMAIN SID: S-1-5-21-2120959518-3299838744-118815185

* Administrator password:

At least 8 characters
Containing at least three of the following five character groups:

  • Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"',.?/
  • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

If the password doesn’t fulfil the complexity requirements, the provisioning will fail and you will have to start over (remove the generated new “smb.conf” in that case).
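The complexity rules above are easy to get wrong, and a failed provision means cleaning up and starting over, so it pays to check the inputs first. This script is an added example, not from the original post or from Samba: it derives the realm and default NetBIOS name the way the interactive prompts do, checks the NetBIOS name, approximates the password policy with locale character classes, and prints the non-interactive samba-tool command equivalent to the answers given above. bales.lan and dc1 are this post's values.

```shell
#!/bin/sh
# provision-preflight.sh: check the values you are about to give
# "samba-tool domain provision" before running it, so a failed provision
# (and the half-written smb.conf it leaves behind) is avoided.
# Added example, not from the original post or from the Samba project.
# Usage: printf '%s\n' "$PASSWORD" | sh provision-preflight.sh bales.lan dc1 [BALES]

# to_realm DNSDOMAIN: the Kerberos realm is the DNS domain in upper case (bales.lan -> BALES.LAN).
to_realm() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# default_netbios DNSDOMAIN: the default NetBIOS domain is the first DNS label, upper-cased.
default_netbios() {
    printf '%s\n' "${1%%.*}" | tr '[:lower:]' '[:upper:]'
}

# check_netbios NAME: NetBIOS names are 1 to 15 characters; this script's own
# conservative rule also rejects anything outside A-Z, 0-9 and '-'.
check_netbios() {
    local n="$1"
    [ -n "$n" ] && [ "${#n}" -le 15 ] || { echo "NetBIOS name '$n' must be 1-15 characters" >&2; return 1; }
    case "$n" in
        *[!A-Za-z0-9-]*) echo "NetBIOS name '$n' has characters outside A-Z, 0-9, -" >&2; return 1 ;;
    esac
}

# check_pw_complexity [PASSWORD]: Samba's default policy, at least 8 characters
# and three of the character groups listed above. Upper, lower and digits are
# matched with locale character classes; everything else counts as the
# non-alphanumeric group, so the fifth group (uncased letters) is not detected
# separately and samba-tool remains the final authority. With no argument the
# password is read from stdin (prompted, unechoed, on a terminal), so it never
# shows up in the process list.
check_pw_complexity() {
    local pw groups=0
    if [ "$#" -gt 0 ]; then
        pw="$1"
    elif [ -t 0 ]; then
        printf 'Administrator password (not echoed): ' >&2
        stty -echo; IFS= read -r pw || true; stty echo; echo >&2
    else
        IFS= read -r pw || true
    fi
    if [ "${#pw}" -lt 8 ]; then echo "password: shorter than 8 characters" >&2; return 1; fi
    printf '%s' "$pw" | grep -q '[[:upper:]]'  && groups=$((groups + 1))
    printf '%s' "$pw" | grep -q '[[:lower:]]'  && groups=$((groups + 1))
    printf '%s' "$pw" | grep -q '[0-9]'        && groups=$((groups + 1))
    printf '%s' "$pw" | grep -q '[^[:alnum:]]' && groups=$((groups + 1))
    if [ "$groups" -lt 3 ]; then
        echo "password: only $groups character group(s) present, need 3" >&2; return 1
    fi
}

# provision_preflight DNSDOMAIN HOSTNAME [NETBIOS]: run every check and print
# the non-interactive samba-tool command equivalent to the interactive answers.
# --adminpass is left out on purpose (it would be visible in ps); append
# --interactive to the printed command to be prompted for the password.
provision_preflight() {
    local dns="$1" host="$2" nb="${3:-$(default_netbios "$1")}" realm rc=0
    realm=$(to_realm "$dns")
    case "$dns" in
        *.*) ;;
        *) echo "DNS domain '$dns' should have at least two labels, e.g. bales.lan" >&2; rc=1 ;;
    esac
    check_netbios "$nb" || rc=1
    check_pw_complexity  || rc=1
    [ "$rc" -eq 0 ] || return 1
    printf 'samba-tool domain provision --use-rfc2307 --realm=%s --domain=%s --server-role=dc --dns-backend=SAMBA_INTERNAL --host-name=%s\n' \
        "$realm" "$nb" "$host"
}

if [ "$#" -ge 2 ]; then provision_preflight "$@"; fi
```

The printed command deliberately omits --adminpass: a password passed on the command line is visible to every local user in ps. Add --interactive to that command to be prompted for it instead. Once the domain exists, samba-tool domain passwordsettings show displays the policy actually enforced and samba-tool domain passwordsettings set adjusts it.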

Note: Since xattr support was not working on my Linux Mint install, add the following line to /usr/local/samba/etc/smb.conf as the Samba wiki describes. Again, Samba says not to use such a Samba AD DC in production. I put the line at the end of the [global] section; samba reads smb.conf when it starts, so do this before starting it:

posix:eadb = /usr/local/samba/private/eadb.tdb
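Before settling for posix:eadb it is worth confirming that xattrs really are the problem: the attr package that provides setfattr and getfattr is only installed in the dependency step above, and ext4 normally supports user and security xattrs out of the box. The probe below is the Samba wiki's manual setfattr/getfattr test wrapped in a script; it is an added example, not from the original post or from Samba. Run it as root against the directory that will hold Samba's data (/usr/local/samba is this post's install prefix).

```shell
#!/bin/sh
# xattr-probe.sh DIR: test whether the filesystem holding DIR stores the user.*
# and security.* extended attributes Samba needs for sysvol and NT ACLs, before
# falling back to "posix:eadb". Mirrors the manual setfattr/getfattr test on the
# Samba wiki; added example, not from the original post.
# Exit status: 0 = both namespaces work, 1 = xattrs rejected, 2 = could not test.
xattr_probe() {
    local dir="$1" f rc=0
    command -v setfattr >/dev/null 2>&1 && command -v getfattr >/dev/null 2>&1 || {
        echo "setfattr/getfattr not found: apt-get install attr" >&2; return 2; }
    [ -d "$dir" ] || { echo "$dir is not a directory" >&2; return 2; }
    f=$(mktemp "$dir/xattr-probe.XXXXXX") || return 2
    # user.* is settable by the file owner; a failure here usually means the
    # filesystem is mounted without user_xattr (or is tmpfs on an older kernel).
    if setfattr -n user.samba_probe -v ok "$f" 2>/dev/null &&
       [ "$(getfattr --only-values -n user.samba_probe "$f" 2>/dev/null)" = ok ]; then
        echo "user.* xattr: ok"
    else
        echo "user.* xattr: NOT supported on $dir" >&2; rc=1
    fi
    # security.* (where Samba stores security.NTACL) needs CAP_SYS_ADMIN to write,
    # so only root can test it; as a normal user the result is left undetermined.
    if [ "$(id -u)" -eq 0 ]; then
        if setfattr -n security.samba_probe -v ok "$f" 2>/dev/null &&
           [ "$(getfattr --only-values -n security.samba_probe "$f" 2>/dev/null)" = ok ]; then
            echo "security.* xattr: ok"
        else
            echo "security.* xattr: NOT supported on $dir" >&2; rc=1
        fi
    else
        echo "security.* xattr: not tested (rerun as root)"
    fi
    rm -f "$f"
    return "$rc"
}

if [ "$#" -eq 1 ]; then xattr_probe "$1"; fi
```

Usage: `sudo sh xattr-probe.sh /usr/local/samba`. If both namespaces report ok, drop the posix:eadb line and let Samba use real xattrs; if user.* fails, check the mount options of that filesystem (and that it is not tmpfs) before blaming the kernel.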

Testing your Samba Domain Controller:

First start samba. Samba built from source ships no init script or systemd unit, so the samba binary is started by hand; it forks into the background on its own:

sudo samba

Testing my Samba AD DC default netlogon and sysvol shares:

$ smbclient -L localhost -U%
Domain=[BALES] OS=[Windows 6.1] Server=[Samba 4.4.0]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      
        sysvol          Disk      
        IPC$            IPC       IPC Service (Samba 4.4.0)
Domain=[BALES] OS=[Windows 6.1] Server=[Samba 4.4.0]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

To test that authentication is working, I connected to the netlogon share using the Domain Administrator account that was created during provisioning:

$ smbclient //localhost/netlogon -Uadministrator -c 'ls'
Enter administrator's password: 
Domain=[BALES] OS=[Windows 6.1] Server=[Samba 4.4.0]
 . D 0 Mon Mar 28 14:09:31 2016
 .. D 0 Mon Mar 28 14:09:44 2016

 59732092 blocks of size 1024. 50432024 blocks available

To test that DNS is working properly, I ran the following commands:

$ host -t SRV _ldap._tcp.bales.lan
_ldap._tcp.bales.lan has SRV record 0 100 389 dc1.bales.lan
$ host -t SRV _kerberos._udp.bales.lan
_kerberos._udp.bales.lan has SRV record 0 100 88 dc1.bales.lan
$ host -t A dc1.bales.lan
dc1.bales.lan has address 192.168.2.100

Use “kinit” to obtain a Kerberos ticket:

$ kinit administrator@BALES.LAN
Password for administrator@BALES.LAN: 
Warning: Your password will expire in 41 days on Mon 09 May 2016 10:13:04 AM PDT

Note: You must always specify your realm in uppercase letters! The expiry warning is expected: the domain's default maximum password age is 42 days and it applies to Administrator as well.

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@BALES.LAN

Valid starting       Expires              Service principal
03/29/2016 13:32:44  03/29/2016 23:32:44  krbtgt/BALES.LAN@BALES.LAN
	renew until 03/30/2016 13:32:39

If there was no error message, you are ready to go. If there was, or something else is going wrong, see the Samba AD DC Troubleshooting page on the Samba wiki.
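The manual tests above cover one LDAP and one Kerberos record; Windows clients also query the _msdcs, kpasswd and global catalog records, and a DC whose own name resolves to a loopback address passes the smbclient test yet breaks domain joins. The script below is an added example, not from the original post or from Samba, that runs all of these checks in one go; bales.lan, dc1 and 192.168.2.100 are this post's values and are passed in as arguments. The parsing of host(1) output is kept in separate functions so it can be exercised without a live DC.

```shell
#!/bin/sh
# verify-dc.sh DNSDOMAIN HOSTNAME IP: the DNS, share and Kerberos checks from
# this post gathered into one script, with the full set of SRV records clients
# use to locate a DC. Added example, not from the original post or from Samba.
# Run on the DC after starting samba:  sh verify-dc.sh bales.lan dc1 192.168.2.100

# srv_checks DNSDOMAIN: "<record> <expected port>" for each locator record a DC
# must publish: LDAP, the _msdcs DC locator, Kerberos, kpasswd and the global catalog.
srv_checks() {
    local d="$1"
    printf '%s\n' \
        "_ldap._tcp.$d 389" \
        "_ldap._tcp.dc._msdcs.$d 389" \
        "_kerberos._tcp.$d 88" \
        "_kerberos._udp.$d 88" \
        "_kpasswd._tcp.$d 464" \
        "_kpasswd._udp.$d 464" \
        "_gc._tcp.$d 3268"
}

# parse_srv_target LINE PORT: LINE is host(1) output, "NAME has SRV record PRIO
# WEIGHT PORT TARGET". Print TARGET if PORT matches, return 1 otherwise.
parse_srv_target() {
    local t
    t=$(printf '%s\n' "$1" | awk -v port="$2" '$2 == "has" && $3 == "SRV" && $7 == port { print $8 }')
    [ -n "$t" ] && printf '%s\n' "$t"
}

# parse_a_record LINE: from "NAME has address IP" print IP, return 1 otherwise.
parse_a_record() {
    local ip
    ip=$(printf '%s\n' "$1" | awk '$2 == "has" && $3 == "address" { print $4 }')
    [ -n "$ip" ] && printf '%s\n' "$ip"
}

# run_checks DNSDOMAIN HOSTNAME IP: live checks, one PASS/FAIL line each;
# returns 1 if anything failed, 2 if a needed tool is missing.
run_checks() {
    local dom="$1" host="$2" ip="$3" fqdn="$2.$1" fails=0 t entry name port line target got s
    for t in host smbclient kinit klist; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t (dnsutils, krb5-user or samba)" >&2; return 2; }
    done
    # 1. Every locator record must exist and point at this DC on the right port.
    for entry in $(srv_checks "$dom" | tr ' ' ':'); do
        name=${entry%:*}; port=${entry##*:}
        line=$(host -t SRV "$name" 2>/dev/null | grep ' has SRV record ' | head -n 1)
        if target=$(parse_srv_target "$line" "$port") && [ "$target" = "$fqdn" ]; then
            echo "PASS $name -> $target:$port"
        else
            echo "FAIL $name (got: ${line:-no SRV record})"; fails=$((fails + 1))
        fi
    done
    # 2. The DC's own A record must be its LAN address, not a loopback address from /etc/hosts.
    line=$(host -t A "$fqdn" 2>/dev/null | grep ' has address ' | head -n 1)
    if got=$(parse_a_record "$line") && [ "$got" = "$ip" ]; then
        echo "PASS $fqdn -> $got"
    else
        echo "FAIL $fqdn resolves to '${got:-nothing}', expected $ip"; fails=$((fails + 1))
    fi
    # 3. netlogon and sysvol must appear in an anonymous share listing.
    line=$(smbclient -L "$fqdn" -U% 2>/dev/null)
    for s in netlogon sysvol; do
        if printf '%s\n' "$line" | grep -q "^[[:space:]]*$s[[:space:]]"; then
            echo "PASS share $s listed"
        else
            echo "FAIL share $s not listed"; fails=$((fails + 1))
        fi
    done
    # 4. A TGT for Administrator (realm in upper case) proves the KDC is answering.
    if kinit "administrator@$(printf '%s\n' "$dom" | tr '[:lower:]' '[:upper:]')" && klist 2>/dev/null | grep -q 'krbtgt/'; then
        echo "PASS kinit administrator"
    else
        echo "FAIL kinit administrator"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ] && echo "all checks passed" || echo "$fails check(s) failed"
    [ "$fails" -eq 0 ]
}

if [ "$#" -eq 3 ]; then run_checks "$@"; fi
```

kinit prompts for the Administrator password, and the expiry warning it prints is expected (samba-tool domain passwordsettings show lists the 42-day default). If the A-record check fails although /etc/hosts now looks right, the record was most likely created from a 127.0.1.1 entry that was present at provisioning time and needs correcting with samba-tool dns.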

References:

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
