** You should upgrade to at least 4.4.2 because of the Badlock Bug **

Samba 4.4.0 has several improvements; in particular it now allows demoting a dead server, and it lets me use a real server if I want to rather than only a virtual one, though I still prefer a virtual one.

Note: Linux Mint does not have xattr support in its latest Linux kernel (as of 03-28-16, config-3.19.0-32-generic), and Samba has a workaround for it. However, Samba states “…it is not efficient and doesn’t scale well. That’s why it shouldn’t be used in production!”

I will be using this information for the Samba AD DC server:

Samba Server: dc2
IP Address: 192.168.2.101
Netmask: 255.255.255.0
Default Gateway: 192.168.2.1
DNS Domain Name: bales.lan
NetBIOS Domain Name: BALES
DNS Backend: SAMBA_INTERNAL

After Installing Linux Mint:

First I installed updates using the terminal:

sudo apt-get update
sudo apt-get dist-upgrade

Then rebooted.

Prerequisite Linux Mint:

I disabled the firewall:

sudo ufw disable

Then I purged default installed samba:

sudo apt-get purge samba*

Then I edited /etc/network/interfaces and added the static IP address. Note that I put the first AD DC, ‘dc1’ (192.168.2.100), as the first DNS server so that the second server will be able to find it.

sudo gedit /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.2.101
netmask 255.255.255.0
gateway 192.168.2.1
dns-nameservers 192.168.2.100 192.168.2.1
dns-search bales.lan

I changed /etc/hosts and /etc/hostname to set the IP address and host name:

sudo gedit /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.2.101 dc2.bales.lan dc2 

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

sudo gedit /etc/hostname
dc2

Rebooted.

Add “/usr/local/samba/bin/” and “/usr/local/samba/sbin/” to the end of PATH in /etc/environment and to ‘Defaults secure_path’ in the /etc/sudoers file:

sudo gedit /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/samba/bin:/usr/local/samba/sbin"
sudo gedit /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/samba/bin:/usr/local/samba/sbin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Reboot.

After rebooting install the requirements/dependencies for Samba AD DC:

 sudo apt-get install acl attr autoconf bison build-essential \
  debhelper dnsutils docbook-xml docbook-xsl flex gdb krb5-user \
  libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev \
  libcap-dev libcups2-dev libgnutls-dev libjson-perl \
  libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
  libpopt-dev libreadline-dev perl perl-modules pkg-config \
  python-all-dev python-dev python-dnspython python-crypto \
  xsltproc zlib1g-dev

Reboot.

Installing Samba AD DC:

Download the ‘samba 4.4.0’ zipped file from http://www.samba.org and extract it to your Downloads directory.  Using Terminal first do a ./configure in the extraction directory:

sudo ./configure

Then do a make:

sudo make

Lastly do a make install:

sudo make install

Then add these three lines to /etc/krb5.conf:

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = BALES.LAN

Rebooted.

Time to join the domain as a Samba AD DC:

$ sudo samba-tool domain join bales.lan DC -Uadministrator --realm=BALES.LAN --dns-backend=SAMBA_INTERNAL
 
Finding a writeable DC for domain 'bales.lan'
Found DC dc1.bales.lan
Password for [WORKGROUP\administrator]:
workgroup is BALES
realm is bales.lan
checking sAMAccountName
Adding CN=DC2,OU=Domain Controllers,DC=bales,DC=lan
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=bales,DC=lan
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Provision OK for domain DN DC=bales,DC=lan
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=bales,DC=lan] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=bales,DC=lan] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=bales,DC=lan] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=bales,DC=lan] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=bales,DC=lan] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=bales,DC=lan] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=bales,DC=lan] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=bales,DC=lan] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=bales,DC=lan] objects[1614/1614] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=bales,DC=lan] objects[97/97] linked_values[23/0]
Partition[DC=bales,DC=lan] objects[360/263] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=bales,DC=lan
Partition[DC=DomainDnsZones,DC=bales,DC=lan] objects[40/40] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=bales,DC=lan
Partition[DC=ForestDnsZones,DC=bales,DC=lan] objects[18/18] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain BALES (SID S-1-5-21-2120959518-3299838744-118815185) as a DC

Start Samba:

sudo samba

Testing your newly joined dc2 domain controller:

Resolve your A record:

host -t A dc2.bales.lan

dc2.bales.lan has address 192.168.2.101

If it cannot be resolved, add it:

sudo samba-tool dns add dc1 bales.lan dc2 A 192.168.2.101 -Uadministrator

Password for [BALES\administrator]: *
Record added successfully

Look up the objectGUID of the new DC, which is the name of its CNAME record under _msdcs:

sudo ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid

# record 1
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
objectGUID: b490caa1-1fef-45ad-89b7-3a96c2666515

# record 2
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
objectGUID: c0754d24-ebaf-4cac-81b1-f28372e88bb6

# returned 2 records
# 2 entries
# 0 referrals

Then test the CNAME for dc2:

host -t CNAME c0754d24-ebaf-4cac-81b1-f28372e88bb6._msdcs.bales.lan

c0754d24-ebaf-4cac-81b1-f28372e88bb6._msdcs.bales.lan is an alias for dc2.bales.lan.

If not found add it:

sudo samba-tool dns add dc1 _msdcs.bales.lan c0754d24-ebaf-4cac-81b1-f28372e88bb6 CNAME dc2.bales.lan -Uadministrator
Password for [BALES\administrator]: *
Record added successfully
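As an added example (not from the original post), a small shell script that pulls the new DC's objectGUID out of ldbsearch output like the listing above, builds the _msdcs CNAME name the domain must answer for, and checks a "host -t CNAME" answer against it. It works on text passed in, so it runs against the constructed sample here without a live domain; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Derives the _msdcs CNAME
# a Samba DC needs from ldbsearch output and checks a host(1) answer.

# Print the objectGUID of the "NTDS Settings" object of the DC named $2,
# reading ldbsearch output (as produced by the query in the post) from $1.
ntds_guid_for_dc() {
  printf '%s\n' "$1" | awk -v dc="$2" '
    /^dn: / { want = ($0 ~ ("CN=NTDS Settings,CN=" dc ",")) }
    want && /^objectGUID: / { print $2; exit }'
}

# Build the CNAME owner name for GUID $1 in DNS domain $2.
msdcs_cname_for() {
  printf '%s._msdcs.%s\n' "$1" "$2"
}

# Return 0 if the "host -t CNAME" answer in $1 says $2 is an alias for $3.
cname_points_to() {
  case "$1" in
    "$2 is an alias for $3."|"$2 is an alias for $3") return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample, shaped like the ldbsearch output in the post.
SAMPLE_LDB='# record 1
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
objectGUID: b490caa1-1fef-45ad-89b7-3a96c2666515

# record 2
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
objectGUID: c0754d24-ebaf-4cac-81b1-f28372e88bb6
'

guid=$(ntds_guid_for_dc "$SAMPLE_LDB" DC2)
name=$(msdcs_cname_for "$guid" bales.lan)
echo "expected CNAME: $name -> dc2.bales.lan"
# On the live DC: cname_points_to "$(host -t CNAME "$name")" "$name" dc2.bales.lan
# and, if that fails, add the record with the samba-tool dns add command above.
```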

Add the dns forwarder and rfc2307 settings to the smb.conf file. Note: also add the following line, because Linux Mint does not support xattr (I added mine at the end of the [global] section):

 posix:eadb = /usr/local/samba/private/eadb.tdb

The resulting smb.conf:
# Global parameters
[global]
 workgroup = BALES
 realm = bales.lan
 netbios name = dc2
 server role = active directory domain controller
 dns forwarder = 192.168.2.1
 idmap_ldb:use rfc2307 = yes
 posix:eadb = /usr/local/samba/private/eadb.tdb

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/bales.lan/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No

 

Then, after 10 minutes, check that your new DC is replicating with the main AD DC. You should see 0 consecutive failure(s) for all inbound and outbound connections:

$ sudo samba-tool drs showrepl
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: 2d306b22-090a-424e-b81b-33cf5a8996fc
DSA invocationId: b7749694-1e47-4116-8986-62e059d87bcc

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: b5a28780-8923-403f-9874-7484f13bf463
 Last attempt @ Tue Mar 29 10:37:51 2016 PDT was successful
 0 consecutive failure(s).
 Last success @ Tue Mar 29 10:37:51 2016 PDT

CN=Schema,CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: b5a28780-8923-403f-9874-7484f13bf463
 Last attempt @ Tue Mar 29 10:37:51 2016 PDT was successful
 0 consecutive failure(s).
 Last success @ Tue Mar 29 10:37:51 2016 PDT

CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: b5a28780-8923-403f-9874-7484f13bf463
 Last attempt @ Tue Mar 29 10:37:51 2016 PDT was successful
 0 consecutive failure(s).
 Last success @ Tue Mar 29 10:37:51 2016 PDT

DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: b5a28780-8923-403f-9874-7484f13bf463
 Last attempt @ Tue Mar 29 10:37:51 2016 PDT was successful
 0 consecutive failure(s).
 Last success @ Tue Mar 29 10:37:51 2016 PDT

DC=DomainDnsZones,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: b5a28780-8923-403f-9874-7484f13bf463
 Last attempt @ Tue Mar 29 10:37:51 2016 PDT was successful
 0 consecutive failure(s).
 Last success @ Tue Mar 29 10:37:51 2016 PDT

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: b5a28780-8923-403f-9874-7484f13bf463
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: b5a28780-8923-403f-9874-7484f13bf463
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: b5a28780-8923-403f-9874-7484f13bf463
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: b5a28780-8923-403f-9874-7484f13bf463
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

DC=DomainDnsZones,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 DSA object GUID: b5a28780-8923-403f-9874-7484f13bf463
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
 Connection name: ecb44244-3122-48d6-86d7-68d4c4c09319
 Enabled : TRUE
 Server DNS name : dc1.bales.lan
 Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
 TransportType: RPC
 options: 0x00000001
Warning: No NC replicated for Connectio

If everything is ok, you have a joined domain controller! If not, go to https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting.
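As an added example (not from the original post), a shell check over the text that "samba-tool drs showrepl" prints, so a replication failure on the new DC is flagged instead of eyeballed across all the partitions. The sample is constructed from the output above, trimmed to one partition each way, with one failing inbound neighbour added; the function name is my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Flags showrepl neighbours
# whose last attempt failed or whose consecutive-failure count is not 0.

# Print "<direction> <partition> <failures>" for every unhealthy neighbour
# in the showrepl text passed as $1. Exit 0 if nothing was reported.
showrepl_failures() {
  printf '%s\n' "$1" | awk '
    /^==== .* ====$/ { dir = $2; next }            # INBOUND / OUTBOUND
    /^(DC|CN)=/      { part = $0; next }           # partition header line
    /Last attempt @/ { bad = ($0 !~ /was successful/) }
    /consecutive failure/ {
      if ($1 + 0 != 0 || bad) { print dir, part, $1 + 0; found = 1 }
    }
    END { exit found ? 1 : 0 }'
}

# Healthy sample, trimmed from the post's showrepl output.
HEALTHY='==== INBOUND NEIGHBORS ====

DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 Last attempt @ Tue Mar 29 10:37:51 2016 PDT was successful
 0 consecutive failure(s).
 Last success @ Tue Mar 29 10:37:51 2016 PDT

==== OUTBOUND NEIGHBORS ====

DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)
'

# Constructed failure: the inbound Configuration partition stopped replicating.
BROKEN="==== INBOUND NEIGHBORS ====

CN=Configuration,DC=bales,DC=lan
 Default-First-Site-Name\DC1 via RPC
 Last attempt @ Tue Mar 29 11:02:13 2016 PDT failed, result 1722 (WERR_RPC_SERVER_UNAVAILABLE)
 3 consecutive failure(s).
 Last success @ Tue Mar 29 10:37:51 2016 PDT
$HEALTHY"

showrepl_failures "$HEALTHY" && echo "replication healthy"
showrepl_failures "$BROKEN" || echo "replication problems found"
# On the DC itself: showrepl_failures "$(sudo samba-tool drs showrepl)"
```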

References:

https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory
