I will be using this information for the Samba AD DC minimal CentOS server:

Samba Server: dc1
IP Address: 192.168.2.100
Netmask: 255.255.255.0
Default Gateway: 192.168.2.1
DNS1: 192.168.2.100
DNS2: 192.168.2.1
DNS Domain Name: bales.lan
NetBIOS Domain Name: BALES
DNS Backend: SAMBA_INTERNAL

After Installing CentOS:

Using SSH as root, I installed updates from the terminal:

yum update

Then disabled the firewall:

systemctl stop firewalld
systemctl disable firewalld

Install nano and wget.

yum install nano wget

Then Reboot.

Prerequisite CentOS:

If you haven’t changed the IP to static, you can change the network now:

nano /etc/sysconfig/network-scripts/ifcfg-ens33
IPADDR=192.168.2.100
NETMASK=255.255.255.0
GATEWAY=192.168.2.1
DNS1=192.168.2.100
DNS2=192.168.2.1
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=ens33
UUID=b949bf38-7e14-43cd-ace2-0fb532a70427
DEVICE=ens33
ONBOOT=yes
IPV6_PRIVACY="no"

Then I changed the /etc/hosts file to match the actual IP of my server (dc1):

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.2.100 dc1.bales.lan dc1
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

I then extended the PATH by adding ':/usr/local/samba/bin:/usr/local/samba/sbin' in a new file called samba-path.sh in the /etc/profile.d/ directory:

nano /etc/profile.d/samba-path.sh

PATH=${PATH}:/usr/local/samba/bin:/usr/local/samba/sbin

Install the requirements/dependencies for Samba AD DC:

 yum install perl gcc attr libacl-devel libblkid-devel \
    gnutls-devel readline-devel python-devel gdb pkgconfig \
    krb5-workstation zlib-devel setroubleshoot-server libaio-devel \
    setroubleshoot-plugins policycoreutils-python \
    libsemanage-python perl-ExtUtils-MakeMaker perl-Parse-Yapp \
    popt-devel libxml2-devel libattr-devel \
    keyutils-libs-devel cups-devel bind-utils libxslt \
    docbook-style-xsl openldap-devel autoconf python-crypto pam-devel

Note: I took off perl-Test-Base because it’s not found. Thanks to Ron for noticing this.

Then reboot.

Installing Samba AD DC:

Make a directory for samba4 and download the current samba file:

mkdir /usr/src/samba4
cd /usr/src/samba4
wget https://download.samba.org/pub/samba/stable/samba-4.5.5.tar.gz

Then I extracted the archive.

tar -zxf samba-4.5.5.tar.gz

Go to /usr/src/samba4/samba-4.5.5 and first configure Samba.

./configure

Then a make:

make

Then lastly make install:

make install

Two last steps finish the install: back up the existing Kerberos configuration and replace it with the one Samba ships.

# mv /etc/krb5.conf /etc/krb5.conf.bak
# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

Then Reboot.

Time to build the Samba AD DC:

samba-tool domain provision --use-rfc2307 --interactive

Realm [BALES.LAN]:
Domain [BALES]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.2.100]: 192.168.2.1
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=bales,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=bales,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dc1
NetBIOS Domain: BALES
DNS Domain: bales.lan
DOMAIN SID: S-1-5-21-1561570446-918321230-2588930881

* Administrator password:

At least 8 characters
Containing at least three of the following five character groups:

Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
Base 10 digits (0 through 9)
Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"',.?/
Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
If the password doesn’t fulfil the complexity requirements, the provisioning will fail and you will have to start over (remove the generated new “smb.conf” in that case).
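As an added example (not from the original post), a small bash check that applies the complexity rules above to a candidate Administrator password before running samba-tool, so a rejected password is caught without a half-finished provision. The helper names check_ad_password and has_class are my own, and the fifth group (uncased alphabetic characters) is only approximated and depends on the active locale.

```shell
#!/usr/bin/env bash
# Added example: pre-check a candidate Administrator password against the default
# AD complexity rules before provisioning (at least 8 characters and at least three
# of the five character groups), so samba-tool does not fail half-way through.
# check_ad_password and has_class are hypothetical helper names, not part of Samba.

# has_class PASSWORD REGEX: succeed if PASSWORD contains a character matching REGEX.
has_class() {
  printf '%s' "$1" | grep -q -- "$2"
}

# check_ad_password PASSWORD: return 0 if the password would be accepted, 1 otherwise.
check_ad_password() {
  local pw="$1" groups=0
  [ "${#pw}" -ge 8 ] || return 1
  # group 1: uppercase letters, group 2: lowercase letters, group 3: base-10 digits
  has_class "$pw" '[[:upper:]]' && groups=$((groups + 1))
  has_class "$pw" '[[:lower:]]' && groups=$((groups + 1))
  has_class "$pw" '[[:digit:]]' && groups=$((groups + 1))
  # group 4: non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"',.?/ and similar)
  has_class "$pw" '[^[:alnum:]]' && groups=$((groups + 1))
  # group 5: alphabetic characters that are neither upper nor lower case (e.g. CJK);
  # approximated as "still alphabetic after stripping cased letters", which is locale-dependent
  printf '%s' "$pw" | tr -d '[:upper:][:lower:]' | grep -q '[[:alpha:]]' && groups=$((groups + 1))
  [ "$groups" -ge 3 ]
}

# Interactive use: ./check_pw.sh --prompt (never pass the real password as an argument,
# it would end up in shell history and process listings).
if [ "${1:-}" = "--prompt" ]; then
  read -r -s -p "Candidate Administrator password: " candidate; echo
  if check_ad_password "$candidate"; then
    echo "OK: meets the complexity rules"
  else
    echo "Rejected: provisioning would fail with this password"
  fi
fi
```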

Then copy your private krb5.conf to /etc/krb5.conf.

$ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
cp: overwrite '/etc/krb5.conf'? y

TESTING YOUR SAMBA DOMAIN CONTROLLER:

First start samba*:

sudo samba

* Samba 4 does not ship an init script, so the daemon is started by hand here.

Testing my Samba AD DC default netlogon and sysvol shares:

$ smbclient -L localhost -U%
Domain=[BALES] OS=[Windows 6.1] Server=[Samba 4.5.5]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.5.5)
Domain=[BALES] OS=[Windows 6.1] Server=[Samba 4.5.5]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

To test that authentication is working, I connected to the netlogon share using the Domain Administrator account that was created during provisioning:

$ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter administrator's password: 
Domain=[BALES] OS=[Windows 6.1] Server=[Samba 4.5.5]
 . D 0 Sat Jan 21 11:47:52 2017
 .. D 0 Sat Jan 21 11:50:27 2017

 17811456 blocks of size 1024. 15724556 blocks available

To test that DNS is working properly, I ran the following commands:

$ host -t SRV _ldap._tcp.bales.lan
_ldap._tcp.bales.lan has SRV record 0 100 389 dc1.bales.lan
$ host -t SRV _kerberos._udp.bales.lan
_kerberos._udp.bales.lan has SRV record 0 100 88 dc1.bales.lan
$ host -t A dc1.bales.lan
centos.bales.lan has address 192.168.2.100

Use “kinit” to obtain a Kerberos ticket.

$ kinit administrator
Password for administrator@BALES.LAN:
Warning: Your password will expire in 30 days on Sun 19 Mar 2017 10:26:49 AM PDT

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@BALES.LAN

Valid starting Expires Service principal
02/16/2017 09:51:38 02/16/2017 19:51:38 krbtgt/BALES.LAN@BALES.LAN
 renew until 02/17/2017 09:51:35

If there are no error messages, you are ready to go! If something is going wrong, see the Samba AD DC Troubleshooting page.
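The verification steps above, collected into an added bash script that is not part of the original post: it runs the same host and smbclient queries and checks their output for the expected SRV ports and the netlogon/sysvol shares, so the DC can be re-checked after every reboot. The domain and host names are the ones used in this post; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example: post-provision health check for the Samba AD DC built above.
# The parsing functions take command output as text, so they can be exercised on
# recorded output; run_live_checks runs the real queries on the DC (needs host from
# bind-utils and smbclient on the PATH). Function names are my own, not Samba's.

DOMAIN="bales.lan"
DC_HOST="dc1.bales.lan"

# check_srv OUTPUT PORT TARGET: succeed if a `host -t SRV` answer advertises
# the service on PORT at TARGET (priority and weight may be anything).
check_srv() {
  local output="$1" port="$2" target="$3"
  printf '%s\n' "$output" | grep -Eq "has SRV record [0-9]+ [0-9]+ ${port} ${target}\.?\$"
}

# check_shares OUTPUT: succeed if an `smbclient -L` listing shows both the
# netlogon and sysvol disk shares that provisioning creates.
check_shares() {
  local output="$1"
  printf '%s\n' "$output" | grep -Eq '^[[:space:]]*netlogon[[:space:]]+Disk' &&
    printf '%s\n' "$output" | grep -Eq '^[[:space:]]*sysvol[[:space:]]+Disk'
}

# run_live_checks: query the running DC, print one line per failed check,
# return 1 if anything failed.
run_live_checks() {
  local rc=0
  check_srv "$(host -t SRV "_ldap._tcp.${DOMAIN}")" 389 "$DC_HOST" \
    || { echo "FAIL: LDAP SRV record for ${DOMAIN} does not point at ${DC_HOST}:389"; rc=1; }
  check_srv "$(host -t SRV "_kerberos._udp.${DOMAIN}")" 88 "$DC_HOST" \
    || { echo "FAIL: Kerberos SRV record for ${DOMAIN} does not point at ${DC_HOST}:88"; rc=1; }
  check_shares "$(smbclient -L localhost -U% 2>/dev/null)" \
    || { echo "FAIL: netlogon/sysvol shares not advertised by the DC"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: DNS SRV records and default shares look correct"
  return "$rc"
}

# Run the live checks only when asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--live" ]; then
  run_live_checks
fi
```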

Note: Windows 10 version 1607 (the latest) is getting 'Access is denied' for netlogon and sysvol for any user. I changed SELinux from enforcing to disabled, but got the same result.

'Access is denied' for netlogon
