Pre-requisites<\/h2>\n
A fresh Fedora Linux 35 server installation.<\/p>\n
Definitions<\/h2>\n
Hostname<\/strong>: dc1 Let’s install the required software to get through this guide. It will provide all the applications you will need.<\/p>\n For setting up Samba as an AD and Domain Controller, you will have to prepare the environment with a functional configuration before you start using it.<\/p>\n You will need to allow some UDP and TCP ports through the firewall so that clients will be able to connect to the Domain Controller.<\/p>\n I will show you two methods to add them. Choose the one that suits you best.<\/p>\n This is the most straightforward method, firewalld <\/em>comes with a service with all ports needed to open Samba DC, which is called samba-dc<\/em>. Add it to the firewall rules:<\/p>\n Add the service:<\/p>\n Alternatively, you can add the rules from the command line:<\/p>\n Reload firewalld<\/em>:<\/p>\n For more information about firewalld<\/em>, check the following article: Control the firewall at the command line<\/a><\/p>\n To run a Samba DC and running with SELinux in enforcing mode, it is necessary to set some samba booleans for SELinux to on. After these booleans are set, it should not be necessary to disable SELinux.<\/p>\n Restore the default SELinux security contexts for files:<\/p>\n First, remove the \/etc\/samba\/smb.conf<\/em> file if it exists:<\/p>\n Samba uses its own DNS service, and for that reason, the service won’t start if systemd-resolved<\/em> is running, that is why it is necessary to edit its configuration to stop listening on port 53 and use Samba’s DNS.<\/p>\n Create the directory \/etc\/systemd\/resolved.conf.d\/<\/em> if it does not exist:<\/p>\n Create the file \/etc\/systemd\/resolved.conf.d\/custom.conf<\/em> that contains the custom config:<\/p>\n Remember to change the DNS <\/em>and Domains <\/em>entries to be your Samba DC server.<\/strong><\/p>\n Restart the systemd-resolved<\/em> service:<\/p>\n Finally, provision the Samba configuration. samba-tool<\/em> provides every step needed to make Samba an AD server.<\/p>\n Using the samba-tool<\/em>, provision the Samba configuration:<\/p>\n The \u2010\u2010use-rfc2307<\/em> argument provides POSIX attributes to Active Directory, which stores Unix user and group information on LDAP (rfc2307.txt<\/a>).<\/p>\n Make sure that you have the correct dns forwarder<\/em> address set in \/etc\/samba\/smb.conf<\/em>. Concerning this tutorial, it should be different<\/strong> from the server’s own IP address 10.1.1.10, in my case I set to 8.8.8.8, however your mileage may vary:<\/p>\n After changing the dns forwarder value<\/em>, restart samba <\/em>service:<\/p>\n After Samba installation, it was provided a krb5.conf<\/em> file that we will use:<\/p>\n Edit \/etc\/krb5.conf.d\/samba-dc<\/em> content to match your organization information:<\/p>\n To make sure that Samba will start on system initialization, enable and start it:<\/p>\n As a result of smbclient <\/em>command, shows that connection <\/em>was successful.<\/p>\n Now, test the Administrator <\/em>login to netlogon <\/em>share:<\/p>\n To test if the name resolution is working, execute the following commands:<\/p>\n If you get the error: <\/p>\n Install the bind-utils<\/em> package:<\/p>\n Testing Kerberos is important because it generates the required tickets to let clients authenticate with encryption. It heavily relies on correct time. <\/p>\n It can’t be stressed enough to have date and time set correctly, and that is why it is so important to have a time synchronization service running on both clients and servers.<\/p>\n samba-tool<\/em> provides us an interface for executing Domain administration tasks, so we can add a user to the Domain easily. <\/p>\n The samba-tool<\/em> help is very comprehensive:<\/p>\n Adding user danielk <\/em>to the domain:<\/p>\n To list the users on Domain:<\/p>\n We started out by installing Samba and required applications in a fresh Fedora Linux 35 installation. We’ve also explained the problems that this solution solves. Thereafter, we did an initial configuration that prepares the environment to be ready to Samba to operate as an AD and Domain Controller.<\/p>\n Then, we proceeded to cover how to have Samba up and running alongside Fedora Linux security features, like having it working with firewalld <\/em>and SELinux enabled. We did some important testing to make sure everything was fine and ended by showing a bit on how to administrate users using samba-tool<\/em>.<\/p>\n To summarize, if you want to establish a robust solution for centralizing authentication across your network, servers (If one wanted to, one could even join a Windows 10 client to this Samba domain [tested with Windows 10 Professional version 20H2<\/em>]) and services, consider using this approach as part of your infrastructure.<\/p>\n
Domain<\/strong>: onda.org
IP<\/strong>: 10.1.1.10\/24<\/p>\nConsiderations<\/h2>\n
\n
Samba installation<\/h2>\n
sudo dnf install samba samba-dc samba-client heimdal-workstation<\/pre>\n
![\"Samba](\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2022\/04\/samba-as-ad-and-domain-controller.gif\")
<\/a>Configurations<\/h2>\n
Firewall<\/h3>\n
First method<\/h4>\n
sudo firewall-cmd --permanent --add-service samba-dc<\/pre>\n
Second method<\/h4>\n
sudo firewall-cmd --permanent --add-port={53\/udp,53\/tcp,88\/udp,88\/tcp,123\/udp,135\/tcp,137\/udp,138\/udp,139\/tcp,389\/udp,389\/tcp,445\/tcp,464\/udp,464\/tcp,636\/tcp,3268\/tcp,3269\/tcp,49152-65535\/tcp}<\/pre>\nsudo firewall-cmd --reload<\/pre>\n
SELinux<\/h3>\n
sudo setsebool -P samba_create_home_dirs=on samba_domain_controller=on samba_enable_home_dirs=on samba_portmapper=on use_samba_home_dirs=on<\/pre>\n
sudo restorecon -Rv \/<\/pre>\n
Samba<\/h3>\n
sudo rm \/etc\/samba\/smb.conf<\/pre>\n
sudo mkdir \/etc\/systemd\/resolved.conf.d\/<\/pre>\n
[Resolve]\nDNSStubListener=no\nDomains=onda.org\nDNS=10.1.1.10<\/pre>\n
<\/a><\/figure>\nsudo systemctl restart systemd-resolved<\/pre>\n
sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=ONDA.ORG --domain=ONDA --adminpass=sVbOQ66iCD3hHShg<\/pre>\n
<\/a><\/a>sudo systemctl restart samba<\/pre>\n
Kerberos<\/h3>\n
sudo cp \/usr\/share\/samba\/setup\/krb5.conf \/etc\/krb5.conf.d\/samba-dc<\/pre>\n
[libdefaults]
default_realm = ONDA.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
ONDA.ORG = {
default_domain = ONDA
}
[domain_realm]
dc1.onda.org = ONDA.ORG<\/pre>\nStarting and enabling Samba on boot time<\/h3>\n
sudo systemctl enable samba
sudo systemctl start samba<\/pre>\nTesting<\/h2>\n
Connectivity<\/h3>\n
$ smbclient -L localhost -N<\/pre>\n
Anonymous login successful
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.15.6)
SMB1 disabled -- no workgroup available<\/pre>\n<\/a>$ smbclient \/\/localhost\/netlogon -UAdministrator -c 'ls'<\/pre>\n
Password for [ONDA\\Administrator]:
. D 0 Sat Mar 26 05:45:13 2022
.. D 0 Sat Mar 26 05:45:18 2022
8154588 blocks of size 1024. 7307736 blocks available<\/pre>\n<\/a>DNS test<\/h3>\n
$ host -t SRV _ldap._tcp.onda.org.
_ldap._tcp.onda.org has SRV record 0 100 389 dc1.onda.org.<\/pre>\n$ host -t SRV _kerberos._udp.onda.org.
_kerberos._udp.onda.org has SRV record 0 100 88 dc1.onda.org.<\/pre>\n$ host -t A dc1.onda.org.
dc1.onda.org has address 10.1.1.10<\/pre>\n-bash: host: command not found<\/em> <\/pre>\n
sudo dnf install bind-utils<\/pre>\n
Kerberos test<\/h3>\n
$ \/usr\/lib\/heimdal\/bin\/kinit administrator
$ \/usr\/lib\/heimdal\/bin\/klist<\/pre>\n<\/a>Adding a user to the Domain<\/h2>\n
$ samba-tool user add --help<\/pre>\n
sudo samba-tool user add danielk --unix-home=\/home\/danielk --login-shell=\/bin\/bash --gecos 'Daniel K.' --given-name=Daniel --surname='K\u00fchl' --mail-address='danielk@onda.org'<\/pre>\n
<\/a>sudo samba-tool user list<\/pre>\n
Wrap up and conclusion<\/h2>\n