Blog Jurišić

Wednesday, April 24 2019

Setting up Samba as an Active Directory Domain Controller on Debian 9 Stretch

Introduction

Samba is a great project, and setting up a Samba AD DC today is very simple. For more about Samba, see https://www.samba.org/.

Preparing the Installation

  • select the hostname (dc1.internal.example.com) and domain name (internal.example.com)
  • install and configure the time server (ntp)
  • install and configure the domain name system (bind9)


Set the hostname of the Samba AD DC server:

hostnamectl set-hostname dc1.internal.example.com

Edit /etc/hosts:

nano /etc/hosts

192.168.0.100  dc1.internal.example.com dc1


Install and configure the time server (ntp):

apt-get install ntp

Change the settings in ntp.conf:

nano /etc/ntp.conf

logfile   /var/log/ntp.log
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd/

pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst

restrict -4 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict source notrap nomodify noquery
restrict default kod nomodify notrap nopeer mssntp

Fix the AppArmor profile for ntpd (thanks to Louis van Belle):

Enable the local file part for ntpd:

sed -i 's[#include <local/usr.sbin.ntpd>[include <local/usr.sbin.ntpd>[g' /etc/apparmor.d/usr.sbin.ntpd

Append the Samba signing socket and winbindd pipe paths to the local ntpd profile:

echo "
  # To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba
  /var/lib/samba/ntp_signd r,
  /var/lib/samba/ntp_signd/{,*} rw,

  # samba4 winbindd pipe
  /{,var/}run/samba/winbindd r,
  /{,var/}run/samba/winbindd/pipe rw,

  # samba4 winbindd privileged pipe ? Needed?
  /var/lib/samba/winbindd r,
  /var/lib/samba/winbindd/pipe rw,

" >> /etc/apparmor.d/local/usr.sbin.ntpd

Install and configure the domain name system (bind9):

Install the bind9 package:

apt-get install bind9

Configure named.conf.options:

nano /etc/bind/named.conf.options

//  Add any subnets or hosts you want to allow to use this DNS server
acl internal {
   127.0.0.0/16;
   192.168.0.0/16;
};

options {

        auth-nxdomain yes;
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;
        listen-on-v6 { none; };

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        allow-query { internal; };
        allow-recursion { internal; };
        allow-transfer { none; };
};

Final step: restart the services and test ntp and bind9:

systemctl restart ntp.service bind9.service

Point resolv.conf at our bind9:

nano /etc/resolv.conf

search internal.example.com
nameserver 192.168.0.100

Now test bind9:

Test the localhost forward zone:

host -t A localhost

The expected response is:

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

localhost has address 127.0.0.1

To test the 0.0.127.in-addr.arpa reverse zone:

host -t PTR 127.0.0.1

The expected response is:

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

1.0.0.127.in-addr.arpa domain name pointer localhost.

Test the NTP server (the DC's own address, 192.168.0.100):

ntpdate -q 192.168.0.100

The expected response is:

server 192.168.0.100, stratum 2, offset -0.000073, delay 0.02602
24 Apr 12:10:30 ntpdate[10143]: adjust time server 192.168.0.100 offset -0.000073 sec


Installing Kerberos and Samba, and configuring Bind9 with Samba:

  • Install and configure Kerberos
  • Install and configure Samba
  • Configure Bind9 to work with Samba

Install and configure Kerberos:

apt-get install krb5-config krb5-user

Configure krb5.conf:

nano /etc/krb5.conf

[libdefaults]
        default_realm = INTERNAL.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true


Install and configure Samba:

Debian ships Samba 4.5.16, but that version lacks the JSON module (4.7+ is needed for JSON), so I use the excellent apt.van-belle.nl repository by Louis van Belle (please feel free to donate to Louis).

Add the van-belle.nl repository:

wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -

echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list

echo "deb http://apt.van-belle.nl/debian stretch-samba410 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list

apt-get update

Install Samba:

apt-get install samba winbind attr acl

Configure the Samba services for the AD DC role:

systemctl stop smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl daemon-reload

Configure Samba as AD DC:

If an old Samba configuration exists at /etc/samba/smb.conf, back it up and delete it:

cp /etc/samba/smb.conf /etc/samba/smb.conf.bck
rm /etc/samba/smb.conf

samba-tool domain provision --use-rfc2307 --realm INTERNAL.EXAMPLE.COM --domain EXAMPLE --server-role dc --dns-backend=BIND9_DLZ  --adminpass StrongPassword

Configure Bind9 to work with Samba:

Add under the options { } section:

nano /etc/bind/named.conf.options

allow-update { 192.168.0.100; };

// https://wiki.samba.org/index.php/Dns-backend_bind
// DNS dynamic updates via Kerberos (optional, but recommended)
//tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";    //samba 4.8 and lower
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";    // samba 4.9 and up
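The options above (allow-query, allow-recursion, allow-transfer restricted to the internal ACL, allow-update limited to the DC address) are what keep the DC's BIND from acting as an open resolver or leaking the AD zone. The following added example (not from this post or from Samba/BIND) is a small checker that parses the options { } block of a named.conf.options text and reports exposed settings; it runs over two constructed samples, a weak one and one mirroring this post's hardened configuration.

```python
import re

# Constructed sample (not from the post): an open-resolver style options block.
WEAK = """
acl internal { 127.0.0.0/16; 192.168.0.0/16; };
options {
    directory "/var/cache/bind";
    allow-query { any; };
    allow-recursion { any; };
    allow-update { any; };
};
"""

# Constructed sample mirroring the settings this post puts in named.conf.options.
HARDENED = """
acl internal { 127.0.0.0/16; 192.168.0.0/16; };
options {
    directory "/var/cache/bind";
    forwarders { 8.8.8.8; 8.8.4.4; };
    allow-query { internal; };
    allow-recursion { internal; };
    allow-transfer { none; };
    allow-update { 192.168.0.100; };   // added in the Samba section of the post
};
"""

def options_lists(text):
    """Map 'name { a; b; };' statements inside options { } to their value lists."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # drop /* */ comments
    text = re.sub(r"(//|#).*", "", text)                # drop // and # comments
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        raise ValueError("no options block found")
    depth, i = 1, start.end()
    while depth and i < len(text):                      # walk braces to the block end
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    body = text[start.end():i - 1]
    return {name: [v.strip() for v in inner.split(";") if v.strip()]
            for name, inner in re.findall(r"([\w-]+)\s*\{([^{}]*)\}\s*;", body)}

def audit(text):
    """Return codes for settings that expose the DC's resolver; [] means clean."""
    o = options_lists(text)
    findings = []
    if "any" in o.get("allow-recursion", []):
        findings.append("open-recursion")   # anyone may use the DC as a resolver
    if "any" in o.get("allow-query", []):
        findings.append("open-query")       # AD zone answered to any address
    transfer = o.get("allow-transfer")
    if transfer is None or "any" in transfer:
        findings.append("open-transfer")    # BIND allows AXFR to anyone by default
    if "any" in o.get("allow-update", []):
        findings.append("open-update")      # unauthenticated dynamic updates
    return findings
```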


Add the rndc.key and bind-dns includes to named.conf.local:

nano /etc/bind/named.conf.local

include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

include "/var/lib/samba/bind-dns/named.conf";

Set permissions for Bind9:

setfacl -m g:bind:r /etc/krb5.conf
setfacl -m g:bind:r /var/lib/samba/bind-dns

Set permissions for NTP:

chown root:ntp /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/

Restart all services:

systemctl restart bind9.service ntp.service samba-ad-dc.service

Test Kerberos:

kinit administrator
klist

Test DNS over Samba:

samba_dnsupdate --verbose

* Switching from the Samba internal DNS to BIND9_DLZ (if you are running an older Samba AD DC and upgrade as shown, the dns.keytab file is not moved to the new folder; you need to do that manually. This is already in the Debian bug report for Samba):

samba_upgradedns --dns-backend=BIND9_DLZ

Tweak the service start order so Samba starts after Bind9, and disable reload for Bind9 (a reload sometimes confuses Samba):

Samba:

systemctl edit samba-ad-dc.service

Add in file:

[Unit]
After=network.target network-online.target bind9.service

Bind9:

systemctl edit bind9.service

Add in file:

[Service]
ExecReload=

Test Samba:

samba-tool domain info 192.168.0.100
net ads info
net rpc info -U administrator
wbinfo -P
wbinfo -t
wbinfo -pPt

Congratulations, enjoy the Samba world.