Debian – Samba4 AD DC on Ubuntu 14.04 (correct tutorial)

Samba 4 is a good bit of software. If only those last few tweaks could be done to finish it and the documentation off, it would be great software. I have found a lot of ways to set up Samba4 as an AD DC, most of which fail to work; only this one series of steps worked. Samba4 configuration is really, really flaky! The official Samba documentation is getting better and is beginning to cover some of the configuration pitfalls.

For this how-to we are building on some of my other how-tos.

We will be building this:

  • AD DC Hostname: lab-addc1
  • AD DNS Domain Name: black.dragon.lab
  • Kerberos Realm: black.dragon.lab
  • Domain Name/NetBIOS Name: black
  • IP Address: 10.1.200.3
  • Forwarder DNS Server: 10.1.200.3
  • Gateway: 10.1.200.3
  • Subnet Mask: 255.255.255.0
  • Server Role: Primary Domain Controller (PDC)
  • Domain Admin Password: Admin1234
  • Backend DNS: BIND9 DLZ

Update Ubuntu To The Latest

Always use the latest bug fixes and security patches. Also Samba is still being updated with bug fixes and newer features so get them too.

sudo apt-get update
sudo apt-get dist-upgrade

OS Requirements

You need a functioning DNS server and usually a DHCP server (see above). Kerberos requires that all systems have the same time, so you will also need a functioning NTP server. See my post about setting up an NTP server.

To use the full functionality of Samba when sharing file systems you need ACL support and both user and system xattr support on the file system. That said, using your AD DC as a file server is not a good idea: the file system could be overloaded by file sharing, leaving the DC slow or unable to check users' credentials.

Make sure the acl and attr packages are installed.

sudo apt-get install acl attr

These can be turned on by updating your /etc/fstab. Be careful when setting these: get it wrong and the system will not be bootable. You did do that full backup, didn’t you?!

To add the features, add user_xattr,acl,barrier=1 to each file system you want to use for shares. Try it out first on a file system that is not required during the boot process, e.g. create a small temporary fs and mount it as /data.

sudo nano /etc/fstab
/dev/sdb1   /data   ext4 user_xattr,acl,barrier=1,noatime  0  0

Test it out without rebooting first; once the fs mounts without errors, proceed to the others and reboot before continuing.

umount /data
mount -a
mount | grep '/data '
/dev/sdb1 on /data type ext4 (rw,user_xattr,acl,barrier=1,noatime)

Do the same for all other file systems on the server that are going to be accessed via Samba using Windows ACLs.

Once you are sure your fstab is correct, reboot to bring those changes into use.
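As an added example (not part of the original how-to), a small POSIX shell checker that flags fstab entries intended for shares that lack user_xattr or acl, and compares the live mount options; the SAMPLE_FSTAB text and the function names are constructed for this illustration.

```shell
# Added example, not from the original how-to. Checks fstab entries intended
# for Samba shares for the options this page requires (user_xattr and acl)
# and compares the live mount. SAMPLE_FSTAB is constructed for illustration.

SAMPLE_FSTAB='# constructed sample
/dev/sda1 / ext4 errors=remount-ro 0 1
/dev/sdb1 /data ext4 user_xattr,acl,barrier=1,noatime 0 0
/dev/sdc1 /srv/shares ext4 defaults 0 2'

# has_opt "<comma-separated options>" "<option>" -> 0 if the option is present
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_fstab_line "<fstab line>" -> 0 if user_xattr and acl are both present,
# 1 if either is missing (the missing names are printed), 2 if the line is a
# comment, blank, or has too few fields to be an fstab entry.
check_fstab_line() {
    set -- $1                                # split into fstab fields
    [ $# -ge 4 ] || return 2
    case "$1" in '#'*) return 2 ;; esac
    mp=$2 opts=$4 missing=""
    for want in user_xattr acl; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    [ -z "$missing" ] && { echo "$mp: ok"; return 0; }
    echo "$mp: missing$missing"
    return 1
}

# check_fstab_text "<fstab contents>" -> returns the number of entries that
# lack a required option, so 0 means every entry is ready for Samba shares.
check_fstab_text() {
    bad=0
    while IFS= read -r line; do
        rc=0; check_fstab_line "$line" || rc=$?
        [ "$rc" -ne 1 ] || bad=$((bad + 1))
    done <<EOF
$1
EOF
    return $bad
}

# check_mounted "<mount point>" -> 0 if the live mount lists both options.
# Newer kernels enable acl on ext4 by default and may omit it from the list,
# so a miss here means "look at the mount output", not a definite failure.
check_mounted() {
    line=$(mount | grep " on $1 type ") || return 1
    opts=$(printf '%s\n' "$line" | sed 's/.*(\(.*\)).*/\1/')
    has_opt "$opts" user_xattr && has_opt "$opts" acl
}
```

Run `check_fstab_text "$(cat /etc/fstab)"` on the server, then `check_mounted /data` after `mount -a`, before touching the file systems needed at boot.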

Check ACLs are working

This next part is an almost direct lift from the Samba docs; it seemed pointless to reinvent the wheel here.
Some of the names have been changed to protect the innocent.

All these commands should be run as root: either su to root or give yourself a root shell with sudo -i.

Create a test file, to play around with:

sudo touch testing_acl.txt

Add an extended attribute named user.test with a value of test. Then add a second one named security.test with a value of test2.

sudo setfattr -n user.test -v test testing_acl.txt
sudo setfattr -n security.test -v test2 testing_acl.txt

View the extended attributes just added to the test file.

sudo getfattr -d testing_acl.txt
# file: testing_acl.txt
user.test="test"
sudo getfattr -n security.test -d testing_acl.txt
# file: testing_acl.txt
security.test="test2"

Now add a file access control list (ACL) entry to our test file: give users in the Linux group adm read, write and execute permissions in addition to the existing ones.

sudo setfacl -m g:adm:rwx testing_acl.txt
sudo getfacl testing_acl.txt
# file: testing_acl.txt
# owner: root
# group: root
user::rw-
group::r--
group:adm:rwx
mask::rwx
other::r--

Only continue if all went as above. If it did not, go back to your backup and start again.

Installing even more software

Depending on how you installed your system some of these packages may already be installed.

sudo apt-get install samba smbclient  build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev ldb-tools

These must definitely be installed as well:

apt-get install winbind libnss-winbind libpam-winbind

During the installation process you will be asked some questions:

  • Configuring Kerberos Authentication: BLACK.DRAGON.LAB
  • hostname of Kerberos servers in the BLACK.DRAGON.LAB: lab-addc1
  • hostname of the Administrative (password changing) servers: lab-addc1

Pitfall: If you get these wrong your AD DC will not work and you will have to start again!

Once that lot is installed, without errors, delete the Samba configuration file created by the system. The provisioning tool fails if it already exists. (Why don’t the Samba guys update the provisioning tool to do that or ask you?)

sudo rm /etc/samba/smb.conf

Now to provision the AD. Pitfall: be very careful and precise here; you only get one shot at this!

# this command provisions the domain
sudo samba-tool domain provision --use-rfc2307 --interactive

# below is described what to enter at each prompt (this is an example domain).

The only inputs you should need to change are:

  • Realm: tapavpk.ee
  • Domain: domeen (this becomes the workgroup name in smb.conf)
  • Server Role: dc
  • DNS Backend: SAMBA_INTERNAL
  • Administrator password:

Realm [DRAGON.LAB]: BLACK.DRAGON.LAB
 Domain [BLACK]: 
 Server Role (dc, member, standalone) [dc]: 
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password: 
Retype password: 
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=black,DC=dragon,DC=lab
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=black,DC=dragon,DC=lab
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              lab-addc1
NetBIOS Domain:        BLACK
DNS Domain:            black.dragon.lab
DOMAIN SID:            S-1-5-21-1234567890-1234567890-1234567890

Configuring Samba and Bind

Edit the file /etc/samba/smb.conf and add the following lines to the end of the [global] section.

sudo nano /etc/samba/smb.conf
        allow dns updates = nonsecure and secure
        dns forwarder = 10.1.200.3

        # Thanks to Lars for this fix, it stops the syslog
        # being spammed by the lack of a CUPS server.
        printing = CUPS
        printcap name = /dev/null

######### these lines must be added to the Samba config

# Global parameters
[global]
workgroup = HKHK
realm = HKHK.EDU.EE
netbios name = MYYR
server role = active directory domain controller
dns forwarder = 172.21.0.3
idmap config *:backend = tdb
# idmap config *:range = 5000-9999
# idmap config HKHK:backend = ad
# idmap config HKHK:schema_mode = rfc2307
idmap config HKHK:range = 10000-30000

idmap_ldb:use rfc2307 = yes
interfaces = lo eth0
allow dns updates = nonsecure

winbind nss info = rfc2307

#[homes]
# comment = Home Directories
# path = /home/
# valid users = %S
# read only = No
# browseable = No

[netlogon]
path = /var/lib/samba/sysvol/hkhk.edu.ee/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[home]
path = /home/
read only = No

[Profiles]
path = /home/profiles/
# browseable = no
# guest ok = no
# writable = yes
# public = no
read only = No
create mask = 0600
directory mask = 0700
csc policy = disable
profile acls = yes
store dos attributes = yes

######### these lines must be added to the Samba config

############# these lines must be added to /etc/nsswitch.conf
winbind must be appended after passwd: and likewise after group:

example here:

passwd: compat winbind
group: compat winbind
############# these lines must be added to /etc/nsswitch.conf
allow dns updates = nonsecure and secure must be added to the Samba config. # Finally these commands must also be run:
systemctl disable nmbd
systemctl disable smbd
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
service samba-ad-dc restart

Add the following to /etc/bind/named.conf.options at the end of the options{…} block. You may need to comment out any existing lines as duplicate settings are not allowed.

sudo nano /etc/bind/named.conf.options
   auth-nxdomain yes;  
   empty-zones-enable no;
 
   // Adding this Samba generated file will allow for automatic DDNS updates
   tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

Edit /var/lib/samba/private/named.conf for your version of bind9 (see the comments in the file). To find out the version of bind, run the following and look at the last line; there is a lot of output here, which is the usage text for the command.

sudo /usr/sbin/rndc --version
Version: 9.9.5-3ubuntu0.2-Ubuntu
sudo nano /var/lib/samba/private/named.conf
dlz "AD DNS Zone" {
    # For BIND 9.8.0
#    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
 
    # For BIND 9.9.0
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};

Add the following to /etc/bind/named.conf as the second include line.

sudo nano /etc/bind/named.conf
include "/var/lib/samba/private/named.conf";

Change the permissions on the private dns.keytab file so it is readable by your bind group.

sudo chgrp bind /var/lib/samba/private/dns.keytab
sudo chmod g+r /var/lib/samba/private/dns.keytab

Add the following apparmor rules to the end of /etc/apparmor.d/usr.sbin.named, inside the {..} block.

sudo nano /etc/apparmor.d/usr.sbin.named
   /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
   /usr/lib/x86_64-linux-gnu/samba/** rwmk,
 
   /var/lib/samba/private/dns/** rwmk,
   /var/lib/samba/private/named.conf r,
   /var/lib/samba/private/dns.keytab r,
 
   /var/tmp/* rw,
 
   /dev/urandom rw,

Pitfall: If you followed all of the above, and the software for Samba, Kerberos and Bind has not changed, and the configuration requirements have not changed for anything, your AD DC should work. Check it all through once more before rebooting. If it fails to work after the reboot it will be quicker to just start again.

sudo reboot

Testing it all still works.

smbclient -L localhost -U%
Domain=[BLACK] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
 
	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      
	sysvol          Disk      
	IPC$            IPC       IPC Service (Samba 4.1.6-Ubuntu)
Domain=[BLACK] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
 
	Server               Comment
	---------            -------
 
	Workgroup            Master
	---------            -------
	WORKGROUP            LAB-ADDC1
smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password: 
Domain=[BLACK] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
  .                                   D        0  Sat May  9 12:20:08 2015
  ..                                  D        0  Sat May  9 12:20:14 2015
 
		41773 blocks of size 262144. 27672 blocks available
host -t SRV _ldap._tcp.black.dragon.lab.
_ldap._tcp.black.dragon.lab has SRV record 0 100 389 lab-addc1.black.dragon.lab.
host -t SRV _kerberos._udp.black.dragon.lab.
_kerberos._udp.black.dragon.lab has SRV record 0 100 88 lab-addc1.black.dragon.lab.
host -t A lab-addc1.black.dragon.lab.
lab-addc1.black.dragon.lab has address 10.1.200.3
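As an added example that is not part of the original how-to, a shell script that checks the DNS answers above programmatically: srv_target and a_address parse the `host` output lines, and verify_dc_dns (an assumption about how you would wire it up; it needs dnsutils and assumes a single DC, as on this page) runs the live queries. The sample lines are copied from the page's own output.

```shell
# Added example, not from the original how-to. Parses `host -t SRV` and
# `host -t A` answers and checks that LDAP, Kerberos and the DC's A record
# point where the page says they should. Sample lines are from the page.

SAMPLE_LDAP='_ldap._tcp.black.dragon.lab has SRV record 0 100 389 lab-addc1.black.dragon.lab.'
SAMPLE_KRB='_kerberos._udp.black.dragon.lab has SRV record 0 100 88 lab-addc1.black.dragon.lab.'
SAMPLE_A='lab-addc1.black.dragon.lab has address 10.1.200.3'

# srv_target "<host -t SRV output line>" -> "<port> <target>", or failure when
# the line is not an answer (e.g. "Host ... not found: 3(NXDOMAIN)")
srv_target() {
    set -- $1
    # expected shape: <name> has SRV record <prio> <weight> <port> <target>
    [ "$2" = has ] && [ "$3" = SRV ] && [ $# -ge 8 ] || return 1
    echo "$7 $8"
}

# check_srv "<line>" "<port>" "<target fqdn with trailing dot>" -> 0 if the
# record points at that target on that port
check_srv() {
    got=$(srv_target "$1") || return 1
    [ "$got" = "$2 $3" ]
}

# a_address "<host -t A output line>" -> the IPv4 address, or failure
a_address() {
    set -- $1
    [ "$2" = has ] && [ "$3" = address ] || return 1
    echo "$4"
}

# verify_dc_dns <dns domain> <dc fqdn> <dc ip> -> 0 when all three answers
# match (live queries; assumption: one DC, as on this page)
verify_dc_dns() {
    dom=$1 dc=$2 ip=$3 fail=0
    check_srv "$(host -t SRV "_ldap._tcp.$dom." | tail -n 1)" 389 "$dc." \
        || { echo "LDAP SRV record wrong or missing"; fail=1; }
    check_srv "$(host -t SRV "_kerberos._udp.$dom." | tail -n 1)" 88 "$dc." \
        || { echo "Kerberos SRV record wrong or missing"; fail=1; }
    [ "$(a_address "$(host -t A "$dc." | tail -n 1)")" = "$ip" ] \
        || { echo "A record for $dc is not $ip"; fail=1; }
    return $fail
}
```

On the DC itself this page's values would be checked with `verify_dc_dns black.dragon.lab lab-addc1.black.dragon.lab 10.1.200.3`.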

Kerberos testing

The Kerberos config /etc/krb5.conf needs the following lines added to it.

Add these lines:

forwardable = true
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false

####Start#### First login on a Windows machine

# first login to Windows

username: domainname\Administrator
password: (the password that was set during the Kerberos install)

e.g. user: tapavpk.ee\Administrator
password: 123456

####End#### First login on a Windows machine


kinit administrator
Password for administrator@BLACK.DRAGON.LAB: 
Warning: Your password will expire in 41 days on Sat 20 Jun 2015 12:20:13 BST
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@BLACK.DRAGON.LAB
 
Valid starting     Expires            Service principal
09/05/15 12:33:07  09/05/15 22:33:07  krbtgt/BLACK.DRAGON.LAB@BLACK.DRAGON.LAB
	renew until 10/05/15 12:32:59
samba-tool dns query lab-addc1 BLACK.DRAGON.LAB @ ALL
  Name=, Records=3, Children=0
    SOA: serial=1, refresh=900, retry=600, expire=86400, minttl=0, ns=lab-addc1.black.dragon.lab., email=hostmaster.black.dragon.lab. (flags=600000f0, serial=1, ttl=3600)
    NS: lab-addc1.black.dragon.lab. (flags=600000f0, serial=1, ttl=900)
    A: 10.1.200.3 (flags=600000f0, serial=1, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=lab-addc1, Records=1, Children=0
    A: 10.1.200.3 (flags=f0, serial=1, ttl=900)

If the above test worked you should have a working AD DC running on Linux and can replace your Microsoft Small Business Server with it. Yay!

To add Ubuntu machines to the new domain, see the how-to I prepared earlier.

Troubleshooting

Aug  2 16:22:18 lab-addc1 named[2347]: Loading 'AD DNS Zone' using driver dlopen
Aug  2 16:22:18 lab-addc1 named[2347]: dlz_dlopen: incorrect version 1 should be 2 in '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so'
Aug  2 16:22:18 lab-addc1 named[2347]: dlz_dlopen of 'AD DNS Zone' failed

You need to edit /var/lib/samba/private/named.conf for the correct version of the lib.

After booting up a Windows machine using DHCP, its DNS record should be updated automatically. If it is not, put a tail on the syslog file and run the following command. It will try to force Samba to update the DNS records it knows about; the command in turn calls the bind utility nsupdate.

sudo samba_dnsupdate --verbose --all-names

There will be loads of output to the terminal and to the syslog. Likely causes are:

  • The apparmor rules in
    • /etc/apparmor.d/usr.sbin.named
    • /etc/apparmor.d/usr.sbin.dhcpd
  • File permissions
    • -rw-r--r-- 1 root root 3781 May 10 11:59 /etc/krb5.conf
    • -rw-r----- 1 root bind 852 May 10 12:00 /var/lib/samba/private/dns.keytab

Also see https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable

For the next part in this series take a look at Administering AD DC via Windows.