
Run Samba4 as an Active Directory Domain Controller

This guide explains how to install and configure Samba4 as an AD DC. Once it is running you will be able to manage the domain from Windows with the usual tools: Active Directory Users and Computers, Group Policy Management, and the DNS console. The OS used in this example is CentOS 6.5 with SELinux DISABLED; treat that as a lab shortcut, not a recommendation, and re-enable it once the DC works. The IP address of the server is 192.168.1.10 and the domain we are creating is example.com.

Name your server and give it an IP address:
vi /etc/sysconfig/network
HOSTNAME=dc.example.com

vi /etc/sysconfig/network-scripts/ifcfg-eth0
IPADDR=192.168.1.10

Configure the server to use itself for DNS by editing /etc/resolv.conf (the DC must resolve its own AD records):
search example.com
domain example.com
nameserver 192.168.1.10

Reboot your server and ensure that the IP configuration sticks and that the new hostname is applied.

Install the build and runtime dependencies for Samba4:
yum -y install wget gcc make python-devel gnutls-devel openssl-devel libacl-devel krb5-server krb5-libs krb5-workstation bind bind-libs bind-utils ntp

Configure NTP (optional, but strongly recommended). Kerberos rejects tickets when client and DC clocks differ by more than five minutes, so every domain member must sync to the DC, and the DC itself to a reliable source:
vi /etc/ntp.conf
If the DC cannot reach the public pool servers (lines 22, 23 and 24 in the stock CentOS 6 file), comment them out and uncomment the local-clock fallback so the DC still serves time to its clients:
server 127.127.1.0
fudge 127.127.1.0 stratum 10
If the DC does have upstream connectivity, leave the pool servers in place; the local clock only keeps the domain consistent with itself, not with real time. Windows domain members expect signed NTP replies from a DC, which Samba provides through its ntp_signd socket (ntpd's ntpsigndsocket option together with the mssntp restrict flag).

Download the latest Samba4 release and compile it. Verify the release before building: samba.org publishes a detached GPG signature (samba-latest.tar.asc) over the uncompressed tarball, so gunzip the archive and check it with gpg against the Samba release-signing key before running make:
wget ftp://ftp.samba.org/pub/samba/samba-latest.tar.gz
tar -xvzf samba-latest.tar.gz
cd samba-4.1.0 (or whatever the relevant version number is)
./configure --enable-selftest --enable-debug
make && make install
The --enable-selftest and --enable-debug switches are for development builds; a production DC can be configured without them.

Now that Samba is installed it's time to provision the example.com domain. Passing --adminpass on the command line leaves the Administrator password in your shell history and, briefly, in the process list; omit the switch and samba-tool will prompt for it instead. Either way the password must satisfy the default domain policy (at least 7 characters, with complexity enabled) or provisioning fails:
/usr/local/samba/bin/samba-tool domain provision --realm=example.com --domain=EXAMPLE --adminpass 'enter_password' --server-role=dc --dns-backend=BIND9_DLZ
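The following pre-flight check is an added example and is not part of Samba or of this guide. It approximates the default AD password policy that samba-tool enforces at provision time (minimum length 7; complexity on, meaning three of the four character classes; no occurrence of the account name), so you can validate a candidate password before typing it at samba-tool's interactive prompt rather than learning about the policy from a failed provision.

```bash
#!/bin/sh
# Pre-flight check for the samba-tool provision Administrator password.
# Added example, not Samba's own code: approximates the default AD
# password policy (minPwdLength 7, complexity enabled).
#
# Usage: ad_password_ok PASSWORD [ACCOUNT]  -> exit 0 if acceptable,
# otherwise prints the first rule violated and exits 1.
ad_password_ok() {
    pw=$1
    account=${2:-Administrator}
    classes=0

    # Rule 1: minimum length (Samba's default minPwdLength is 7)
    [ ${#pw} -ge 7 ] || { echo "too short (minimum 7 characters)"; return 1; }

    # Rule 2: complexity - at least 3 of upper, lower, digit, symbol
    printf '%s' "$pw" | grep -q '[[:upper:]]'   && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[[:lower:]]'   && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[[:digit:]]'   && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[^[:alnum:]]'  && classes=$((classes + 1))
    [ "$classes" -ge 3 ] || { echo "needs 3 of: uppercase, lowercase, digit, symbol"; return 1; }

    # Rule 3: must not contain the account name (compared case-insensitively)
    lpw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    lacct=$(printf '%s' "$account" | tr '[:upper:]' '[:lower:]')
    case "$lpw" in
        *"$lacct"*) echo "contains the account name ($account)"; return 1 ;;
    esac
    return 0
}

# Run directly with the candidate password as the only argument.
if [ -n "${1:-}" ]; then
    ad_password_ok "$1" && echo "password meets the default policy"
fi
```

Run it as `sh check.sh 'candidate'`; on success provision without --adminpass and enter the same password at the prompt. The check is an approximation of the policy (Windows additionally rejects passwords containing parts of the display name), so a pass here is necessary, not sufficient.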

Configure BIND as the Samba Active Directory DNS backend. BIND must run on the same machine as Samba 4, because the BIND9_DLZ module opens Samba's directory database directly:
rndc-confgen -a -r /dev/urandom
The above command writes a key file /etc/rndc.key. Give BIND permission over this file:
chown named:named /etc/rndc.key

Add the following lines to the 'options' section of named.conf, and the two include lines at the bottom of the file. The forwarders entry is optional and should list only resolvers you trust. allow-query is usually shown as { any; } in Samba guides; restrict it to your own networks as below, since a resolver that answers the whole world is an amplification target (the firewall rules later in this guide limit DNS to 192.168.1.0/24 as well):
vi /etc/named.conf

options {
listen-on port 53 { 192.168.1.10; };
allow-query { 192.168.1.0/24; localhost; };
forwarders { 8.8.8.8; 8.8.4.4; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
include "/etc/rndc.key";

The included /usr/local/samba/private/named.conf loads a dlz_bind9 module built for one specific BIND release; check that the active 'database "dlopen ..."' line in that file matches the version reported by 'named -v', or named will fail to start.

Configure Kerberos. The file under share/setup is a template, so after copying it set the realm yourself (provisioning also leaves a filled-in copy at /usr/local/samba/private/krb5.conf). Note that the realm name is always upper-case:
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
vi /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Give named access to the Kerberos configuration, the DNS directory and the keytab it uses to authenticate GSS-TSIG dynamic updates:
chgrp named /etc/krb5.conf
chown named:named /usr/local/samba/private/dns
chown named:named /usr/local/samba/private/dns.keytab
chmod 775 /usr/local/samba/private/dns

Create the Samba 4 init.d script so that the service starts at boot:
vi /etc/init.d/samba4

#! /bin/bash
#
# samba4 Bring up/down the Samba4 AD DC service
#
# chkconfig: - 90 10
# description: Activates/Deactivates the Samba4 AD DC daemon at boot time.
# processname: samba
#
### BEGIN INIT INFO
# Provides: samba4
# Should-Start: named ntpd
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO
# Source function library.
. /etc/init.d/functions

if [ -f /etc/sysconfig/samba4 ]; then
    . /etc/sysconfig/samba4
fi

prog="samba4"
SAMBA=/usr/local/samba/sbin/samba

# Returns 0 when the samba daemon is running.
running() {
    ps ax | grep -v "grep" | grep -q /samba/sbin/samba
}

start() {
    echo -n $"Starting $prog: "
    if running; then
        success $"$prog already running"
        echo
        return 0
    fi
    $SAMBA
    sleep 2
    if running; then success $"$prog startup"; else failure $"$prog startup"; fi
    echo
}
stop() {
    echo -n $"Shutting down $prog: "
    killall samba
    sleep 2
    if running; then failure $"$prog shutdown"; else success $"$prog shutdown"; fi
    echo
}
# LSB status: exit 0 when running, 3 when stopped.
status() {
    if running; then
        echo "$prog is running..."
        return 0
    else
        echo "$prog is stopped"
        return 3
    fi
}

# See how we were called.
case "$1" in
start)
    start
    ;;
stop)
    stop
    ;;
status)
    status
    exit $?
    ;;
restart|reload)
    stop
    start
    ;;
*)
    echo $"Usage: $0 {start|stop|restart|status}"
    exit 1
esac

exit 0

Set permissions on the newly created Samba init.d file:
chmod 755 /etc/init.d/samba4

Configure the NTP, Samba and named services that we have just configured to start at boot and also start them:
chkconfig ntpd on
chkconfig named on
chkconfig samba4 on
service ntpd start
service named start
service samba4 start

Use iptables to open the AD DC ports in the firewall, restricted to the client subnet. Insert the rules (-I) rather than append them: the stock CentOS 6 INPUT chain ends with a REJECT rule, so rules added with -A land behind it and never match. Kerberos, LDAP and the password-change service are used over both TCP and UDP, and DNS needs TCP for answers larger than 512 bytes, so both protocols are opened where required:
iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 53 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 53 -j ACCEPT
iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 123 -j ACCEPT
iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 137 -j ACCEPT
iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 138 -j ACCEPT
iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 88 -j ACCEPT
iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 389 -j ACCEPT
iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 464 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 88 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 135 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 139 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 389 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 445 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 464 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 636 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 1024:1300 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 3268 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 3269 -j ACCEPT

Save the above iptables rules to make them persistent:
service iptables save

The above mentioned port numbers are explained below:
53 - UDP and TCP - DNS (Domain Name System); TCP carries large answers and zone transfers
123 - UDP - NTP (Network Time Protocol)
137 - UDP - NetBIOS Name Service
138 - UDP - NetBIOS Datagram Service
139 - TCP - NetBIOS Session
88 - TCP and UDP - Kerberos
135 - TCP - RPC endpoint mapper (Remote Procedure Calls)
389 - TCP and UDP - LDAP (Lightweight Directory Access Protocol); UDP carries the CLDAP pings clients use to locate a DC
445 - TCP - SMB/CIFS (Server Message Block / Common Internet File System)
464 - TCP and UDP - Kerberos password change (kpasswd)
636 - TCP - LDAP over SSL/TLS
1024-1300 - TCP - dynamic RPC endpoints (the range Samba 4.0 and 4.1 allocate from; later releases default to 49152-65535)
3268 - TCP - LDAP Global Catalog
3269 - TCP - LDAP Global Catalog over SSL/TLS
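To keep the port table and the firewall rules in one place, and to confirm that the DC is actually listening on what the firewall permits, here is an added helper script; it is not part of the original guide or of Samba. It assumes the guide's interface and subnet (eth0, 192.168.1.0/24) and uses a constructed `ss -lntu` listing as offline sample input.

```bash
#!/bin/sh
# Added example (not from the guide or Samba): one port table drives both
# the iptables rules and a check of what is really listening on the DC.

# "proto port description" per line. 1024:1300 is the dynamic RPC range
# used by Samba 4.0/4.1; later releases default to 49152:65535.
AD_DC_PORTS='tcp 53 DNS
udp 53 DNS
udp 123 NTP
tcp 135 RPC endpoint mapper
udp 137 NetBIOS name service
udp 138 NetBIOS datagram service
tcp 139 NetBIOS session
tcp 88 Kerberos
udp 88 Kerberos
tcp 389 LDAP
udp 389 LDAP (CLDAP pings)
tcp 445 SMB
tcp 464 Kerberos password change
udp 464 Kerberos password change
tcp 636 LDAPS
tcp 1024:1300 dynamic RPC endpoints
tcp 3268 Global Catalog
tcp 3269 Global Catalog over TLS'

# Print iptables rules limited to one interface and source subnet.
# -I (not -A) so the rules land ahead of the stock CentOS 6 REJECT rule.
# Usage: ad_dc_iptables_rules IFACE SUBNET
ad_dc_iptables_rules() {
    iface=$1; subnet=$2
    printf '%s\n' "$AD_DC_PORTS" | while read -r proto port _desc; do
        printf 'iptables -I INPUT -p %s -i %s -s %s --dport %s -j ACCEPT\n' \
            "$proto" "$iface" "$subnet" "$port"
    done
}

# Given the text output of `ss -lntu` (or `netstat -lntu`), print the
# expected "proto port" pairs that nothing is listening on. Port ranges
# (dynamic RPC) are skipped because they are allocated on demand.
# Usage: ad_dc_missing_listeners "$(ss -lntu)"
ad_dc_missing_listeners() {
    listeners=$1
    printf '%s\n' "$AD_DC_PORTS" | while read -r proto port _desc; do
        case "$port" in *:*) continue ;; esac
        # Match lines such as "udp UNCONN 0 0 192.168.1.10:53 *:*"
        # or netstat's "tcp6 0 0 :::389 :::* LISTEN".
        if ! printf '%s\n' "$listeners" \
             | grep -Eiq "^${proto}6?[[:space:]]+.*:${port}([[:space:]]|\$)"; then
            echo "$proto $port"
        fi
    done
}

# Constructed sample of `ss -lntu` output from a DC where NTP (udp 123)
# and LDAP GC over TLS (tcp 3269) are not up.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      192.168.1.10:53     *:*
udp   UNCONN 0      0      192.168.1.10:137    *:*
udp   UNCONN 0      0      192.168.1.10:138    *:*
udp   UNCONN 0      0      *:88                *:*
udp   UNCONN 0      0      *:389               *:*
udp   UNCONN 0      0      *:464               *:*
tcp   LISTEN 0      128    192.168.1.10:53     *:*
tcp   LISTEN 0      10     *:135               *:*
tcp   LISTEN 0      10     *:139               *:*
tcp   LISTEN 0      10     *:88                *:*
tcp   LISTEN 0      10     *:389               *:*
tcp   LISTEN 0      10     *:445               *:*
tcp   LISTEN 0      10     *:464               *:*
tcp   LISTEN 0      10     *:636               *:*
tcp   LISTEN 0      10     *:3268              *:*'

# Demo: print the rules, then audit the constructed sample.
# On a real DC run: ad_dc_missing_listeners "$(ss -lntu)"
if [ "${1:-}" = "--demo" ]; then
    ad_dc_iptables_rules eth0 192.168.1.0/24
    echo "missing listeners in sample:"
    ad_dc_missing_listeners "$SAMPLE_SS"
fi
```

Because every rule is inserted at the top of the chain, the final order is the reverse of the table; that does not matter here since all of them ACCEPT. A missing tcp 3269 or tcp 636 listener usually means Samba found no TLS certificate, and a missing udp 123 means ntpd is not running.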

Reboot your server and ensure that the NTP, Samba and bind services come back up.

Test Connectivity to Your Samba AD DC. First check that you have the right version of smbclient by running the below command. You should see a version starting with "Version 4.x".
/usr/local/samba/bin/smbclient --version

Next run the below command to list the shares on your Samba server (netlogon, sysvol etc):
/usr/local/samba/bin/smbclient -L localhost -U%

To test that authentication is working, connect to the netlogon share as Administrator with the password specified during provisioning:
/usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator -c 'ls'

Verify that DNS is working properly by querying the below records:
host -t SRV _ldap._tcp.example.com.
host -t SRV _kerberos._udp.example.com.
host -t A dc.example.com.
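Most failed domain joins trace back to DNS: an SRV record pointing at the wrong host, or the DC's A record not matching its static address. The script below is an added example, not part of the guide or of Samba; it checks the set of site-less SRV records that Samba provisions and that a Windows client queries when locating a DC, and assumes the guide's realm, host name and IP (example.com, dc.example.com, 192.168.1.10), all overridable through the environment. Lookups go through a function argument so the same logic can be exercised offline against captured answers.

```bash
#!/bin/sh
# Added example (not from the guide): verify the AD SRV records and the
# DC's A record against the expected DC. Assumes the guide's values
# unless REALM, DC_HOST or DC_IP are set in the environment.

REALM=${REALM:-example.com}
DC_HOST=${DC_HOST:-dc.example.com}
DC_IP=${DC_IP:-192.168.1.10}

# Site-less SRV names Samba provisions and clients use to find a DC.
AD_SRV_NAMES="_ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp _kpasswd._udp _ldap._tcp.dc._msdcs _ldap._tcp.gc._msdcs _ldap._tcp.pdc._msdcs _gc._tcp"

# Extract "port target" from a host(1) answer such as
#   "_ldap._tcp.example.com has SRV record 0 100 389 dc.example.com."
# (trailing dot removed). Prints nothing if there is no SRV answer.
srv_target() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $(NF-1), $NF; exit }'
}

# check_ad_dns LOOKUP_FN
# LOOKUP_FN NAME TYPE must print host(1)-style answer lines. Prints one
# FAIL line per mismatch and returns 1; silent and returns 0 when clean.
check_ad_dns() {
    lookup=$1
    rc=0
    for name in $AD_SRV_NAMES; do
        answer=$($lookup "$name.$REALM" SRV)
        set -- $(srv_target "$answer")
        if [ "${2:-}" != "$DC_HOST" ]; then
            echo "FAIL $name.$REALM -> ${2:-no answer} (expected $DC_HOST)"
            rc=1
        fi
    done
    a=$($lookup "$DC_HOST" A | awk '/has address/ { print $NF; exit }')
    if [ "$a" != "$DC_IP" ]; then
        echo "FAIL $DC_HOST A record is ${a:-missing} (expected $DC_IP)"
        rc=1
    fi
    return $rc
}

# Live lookup, sent directly to the DC so the search list is bypassed.
live_lookup() { host -t "$2" "$1." "$DC_IP"; }

# Run with --live on the DC (or any host that can reach it).
if [ "${1:-}" = "--live" ]; then
    check_ad_dns live_lookup && echo "AD DNS records OK"
fi
```

If a record points at another host, the usual cause is a stale name from an earlier provision attempt; `samba-tool dns` can list and correct the records once you know which one is wrong.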

Test Kerberos using your administrator account and enter the password that you set during the samba configuration:
kinit administrator@EXAMPLE.COM
Password for administrator@EXAMPLE.COM:
Warning: Your password will expire in 38 days on Sun Jul 20 11:46:51 2014

To verify that Kerberos is working, and that you received a ticket, run:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM

Valid starting Expires Service principal
06/11/14 23:54:37 06/12/14 09:54:37 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/12/14 23:54:29

Finally, join a Windows workstation to your domain. You will need to ensure that the workstation has the Samba DC as its DNS server in its network card settings. Use the administrator account and the password you specified during the samba installation to join the workstation to the domain.