Samba 4 Active Directory Domain Controller on Ubuntu 20.04 Server

This post will detail how to set up a pair of Active Directory domain controllers using Samba 4 on Ubuntu 20.04 Server. One will be the primary domain controller and the other a backup domain controller, which provides redundancy in case one server has to go down for updates.

Pre-Requisites

  • Two independent Linux servers; this guide uses Ubuntu 20.04 Server.
  • A domain name, sometimes called a fully qualified domain name (FQDN).

Network Configuration

You should configure these as static IP addresses on your router.

  Hostname   Domain       IP Address
  dc1        ad.ifsg.ca   192.168.2.10
  dc2        ad.ifsg.ca   192.168.2.11

Setup the Primary Domain Controller

This is broken up into pre-configuration of the server, installation and post-installation configuration.

Pre-configuration of the server

Set the hostname of the primary domain controller to dc1

~$ sudo hostnamectl set-hostname dc1

Edit the hosts file to resolve dc1's hostname to the static IP address of this server

~$ sudo nano /etc/hosts
  # Add the following line to the /etc/hosts file:
  192.168.2.10    dc1.ad.ifsg.ca    dc1

Package installation

Install all of the required packages for Samba

~$ sudo apt-get install -y acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools

Provision the primary Samba domain controller. The first step is to ensure that Samba is not running: search for any Samba processes and, if one is present, kill the PID of the "root process".

~$ ps -ax | grep samba
      1593 ?        Ss     0:00 samba: root process 
      4319 pts/0    S+     0:00 grep --color=auto samba
~$ sudo kill 1593

Now move the default smb.conf and krb5.conf files installed by the package manager 

~$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
~$ sudo mv /etc/krb5.conf /etc/krb5.conf.orig

Run samba-tool in interactive mode to configure the primary domain controller

  • This needs to be run as root (i.e. with sudo) so that it can write the configuration files to /etc/ and elsewhere
  • The tool will first ask you to provide several pieces of information; the default is shown between square brackets []. You should be able to accept the defaults, but the following were the settings I used:
    • Realm = AD.IFSG.CA
    • Domain = AD
    • DNS backend = SAMBA_INTERNAL
      • I am configuring using the internal DNS; you can use BIND9, but that is outside the scope of this guide.
    • DNS forwarder IP address = 208.67.222.222 208.67.220.220
      • Several DNS IPs can be provided by separating them with a space
  • Administrator password

~$ sudo samba-tool domain provision --use-rfc2307 --interactive
Realm [AD.IFSG.CA]
Domain [AD]
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: 
DNS forwarder IP address (write 'none' to disable forwarding) [127.0.0.53]: 208.67.222.222 208.67.220.220
Administrator password: 
Retype password: 
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
 Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
Adding DomainDN: DC=ad,DC=ifsg,DC=ca
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers and extended rights
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
 Repackaging database from v1 to v2 format
 Repack: repacked 10000 records so far
 Repackaging database from v1 to v2 format 
 Repackaging database from v1 to v2 format 
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad,DC=ifsg,DC=ca
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
 Repacking database from v1 to v2 format
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of the file with your system krb5.conf or replace it with this one.  Do not create a symlink!
Setting up fake yp server settings
Once the above files are installed, your Samba AD server will be ready to use
Server Role:           active directory domain controller
Hostname:              dc1
NetBIOS Domain:        AD
DNS Domain:            ad.ifsg.ca
DOMAIN SID:            S-1 ... 

Post install configuration and testing

Copy the krb5.conf file that samba-tool created to /etc/

~$ sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

The Samba domain controller can now be started

~$ sudo samba

Check the DNS settings

~$ host -t SRV _ldap._tcp.ad.ifsg.ca 
 Host _ldap._tcp.ad.ifsg.ca not found: 3(NXDOMAIN)
~$ host -t SRV _kerberos._udp.ad.ifsg.ca 
 Host _kerberos._udp.ad.ifsg.ca not found: 3(NXDOMAIN)
~$ host -t A dc1.ad.ifsg.ca
 dc1.ad.ifsg.ca has address 192.168.2.10

This indicates that DNS is not working properly. Per Rico Sharp's documentation, this is caused by Ubuntu's built-in stub resolver (systemd-resolved) overriding the internal DNS server that Samba provides. We can confirm this by checking what is listening on port 53

~$ sudo netstat -tulpn | grep :53
tcp     0      0 127.0.0.53:53    0.0.0.0:*    LISTEN   120/systemd-resolve
udp     0      0 127.0.0.53:53    0.0.0.0:*             120/systemd-resolve

To fix this we can disable the systemd-resolved service on the server and point /etc/resolv.conf at the Samba DNS server

~$ sudo systemctl stop systemd-resolved
~$ sudo systemctl disable systemd-resolved
~$ sudo unlink /etc/resolv.conf
~$ sudo nano /etc/resolv.conf
 nameserver 192.168.2.10
 search ad.ifsg.ca
~$ sudo reboot

Start the Samba domain controller again

~$ sudo samba

Check the DNS settings again, these should resolve correctly now

~$ host -t SRV _ldap._tcp.ad.ifsg.ca 
 _ldap._tcp.ad.ifsg.ca has SRV record 0 100 389 dc1.ad.ifsg.ca.
~$ host -t SRV _kerberos._udp.ad.ifsg.ca 
 _kerberos._udp.ad.ifsg.ca has SRV record 0 100 88 dc1.ad.ifsg.ca.
~$ host -t A dc1.ad.ifsg.ca
 dc1.ad.ifsg.ca has address 192.168.2.10

We now need to configure the network time protocol (NTP) server, chronyd. Chronyd provides time synchronization, which the DC requires in order to function (Kerberos authentication fails if clocks drift too far apart); however, it is not configured during the Samba setup process. What is more, the Samba instructions point to the wrong location for the NTP signing socket directory. Find the actual path with:

~$ samba -b | grep 'NTP' | awk '{print $NF}'
  /var/lib/samba/ntp_signd

By default, the permissions and group settings will not let chronyd use this socket.

~$ ls -ld /var/lib/samba/ntp_signd
  drwxr-x--- 2 root root 4096 Jan 24 05:08 /var/lib/samba/ntp_signd

Change the permissions as follows.

~$ sudo chown root:_chrony /var/lib/samba/ntp_signd/
~$ sudo chmod 750 /var/lib/samba/ntp_signd/
~$ ls -ld /var/lib/samba/ntp_signd
drwxr-x--- 2 root _chrony 4096 Jan 24 05:08 /var/lib/samba/ntp_signd

Now edit the chronyd configuration file to connect it to the above socket and enable connections on the network.

~$ sudo nano /etc/chrony/chrony.conf 
 # Settings for Samba DC
 allow 192.168.2.0/24 # dns netmask
 ntpsigndsocket /var/lib/samba/ntp_signd

By default Samba is not configured to run as a service, meaning it will not start automatically with the server. Running Samba as a service can be accomplished using systemd. First, though, kill the Samba process so the service setup does not fail.

~$ ps -ax | grep samba
      1593 ?        Ss     0:00 samba: root process 
      4319 pts/0    S+     0:00 grep --color=auto samba
~$ sudo kill 1593

Now configure Samba to run as a systemd service. Mask the smbd, nmbd and winbind services and unmask the samba-ad-dc service.

~$ sudo systemctl mask smbd nmbd winbind
~$ sudo systemctl disable smbd nmbd winbind
~$ sudo systemctl stop smbd nmbd winbind
~$ sudo systemctl unmask samba-ad-dc
~$ sudo systemctl start samba-ad-dc
~$ sudo systemctl enable samba-ad-dc

Reboot the server and test!

~$ sudo reboot
~$ sudo systemctl status samba-ad-dc

Now confirm the server is working, test using kinit

~$ kinit Administrator

If this worked, you will have been prompted for your password and then seen a message saying that your password expires in # days

Setup the Backup Domain Controller

This will also be broken up into a few different sections

Pre-configuration of the server

Set the hostname of the backup domain controller to dc2

~$ sudo hostnamectl set-hostname dc2

Edit the hosts file to resolve the dc1 and dc2 hostnames to the static IP address of each server

~$ sudo nano /etc/hosts
  # Add the following lines to the /etc/hosts file:
  192.168.2.10    dc1.ad.ifsg.ca    dc1
  192.168.2.11    dc2.ad.ifsg.ca    dc2

Package installation

Install all of the required packages for Samba

~$ sudo apt-get install -y acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools

Provision the backup Samba domain controller. The first step is to ensure that Samba is not running: search for any Samba processes and, if one is present, kill the PID of the "root process".

~$ ps -ax | grep samba
      1593 ?        Ss     0:00 samba: root process 
      4319 pts/0    S+     0:00 grep --color=auto samba
~$ sudo kill 1593

Now move the default smb.conf and krb5.conf files installed by the package manager 

~$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
~$ sudo mv /etc/krb5.conf /etc/krb5.conf.orig

We can now try to join the backup DC to the domain

~$ sudo samba-tool domain join ad.ifsg.ca DC -W AD -U Administrator

We get an error that it can't find a primary AD server to connect to. This appears to be caused by systemd-resolved, which is preventing samba-tool from finding the primary AD server. To fix this, edit /etc/resolv.conf and try again.

~$ sudo cp /etc/resolv.conf /etc/resolv.conf.orig
~$ sudo nano /etc/resolv.conf
 Change nameserver to 192.168.2.10
 Change search to ad.ifsg.ca

Try installing the backup DC server again

~$ sudo samba-tool domain join ad.ifsg.ca DC -W AD -U Administrator
Finding a writable DC for domain 'ad.ifsg.ca'
Found DC dc1.ad.ifsg.ca
 Password for [AD\Administrator]:
workgroup is AD
realm is ad.ifsg.ca
 Adding CN=DC2,OU=Domain Controllers,DC=ad,DC=ifsg,DC=ca
 Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=ifsg,DC=ca
 Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=ifsg,DC=ca
 Adding SPNs to CN=DC2,OU=Domain Controllers,DC=ad,DC=ifsg,DC=ca
 Setting account password for DC2$
 Enabling account
 Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
 Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of the file with your system krb5.conf or replace it with this one.  Do not create a symlink!
 Provision OK for domain DN DC=ad,DC=ifsg,DC=ca
 Starting replication
 [ works through replicating the databases ]
Adding 1 remote DNS records for DC2.ad.ifsg.ca
Adding DNS A record DC2.ad.ifsg.ca for IPv4: 192.168.2.11
Adding DNS CNAME record [long id]._msdcs.ad.ifsg.ca for DC2.ad.ifsg.ca
All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
Replicating new DNS records in DC=DomainDnsZones,DC=ad,DC=ifsg,DC=ca
Replicating new DNS records in DC=ForestDnsZones,DC=ad,DC=ifsg,DC=ca
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSyncronized and dsServiceName
Setting up secrets database
Joined domain AD (SID S-1 ... ) as a DC

Post install configuration and testing

Copy the krb5.conf file that samba-tool created to /etc/

~$ sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

We can attempt startup of the Samba backup domain controller

~$ sudo samba

Check the DNS settings

~$ host -t SRV _ldap._tcp.ad.ifsg.ca 
 Host _ldap._tcp.ad.ifsg.ca not found: 3(NXDOMAIN)
~$ host -t SRV _kerberos._udp.ad.ifsg.ca 
 Host _kerberos._udp.ad.ifsg.ca not found: 3(NXDOMAIN)
~$ host -t A dc1.ad.ifsg.ca
 dc1.ad.ifsg.ca has address 192.168.2.10

Same problem as we saw with the primary DC server. Checking what is listening on port 53 indicates the same problem.

~$ sudo netstat -tulpn | grep :53
tcp     0      0 127.0.0.53:53    0.0.0.0:*    LISTEN   120/systemd-resolve
udp     0      0 127.0.0.53:53    0.0.0.0:*             120/systemd-resolve

To fix this we can disable the systemd-resolve service on the server

~$ sudo systemctl stop systemd-resolved
~$ sudo systemctl disable systemd-resolved
~$ sudo unlink /etc/resolv.conf
~$ sudo nano /etc/resolv.conf
 nameserver 192.168.2.11
 search ad.ifsg.ca
~$ sudo reboot

Start the Samba domain controller again

~$ sudo samba

Check the DNS settings again; these should resolve correctly now. There will be two records each for the LDAP and Kerberos queries, as we now have a second domain controller.

~$ host -t SRV _ldap._tcp.ad.ifsg.ca 
 _ldap._tcp.ad.ifsg.ca has SRV record 0 100 389 dc1.ad.ifsg.ca.
 _ldap._tcp.ad.ifsg.ca has SRV record 0 100 389 dc2.ad.ifsg.ca.
~$ host -t SRV _kerberos._udp.ad.ifsg.ca 
 _kerberos._udp.ad.ifsg.ca has SRV record 0 100 88 dc1.ad.ifsg.ca.
 _kerberos._udp.ad.ifsg.ca has SRV record 0 100 88 dc2.ad.ifsg.ca.
~$ host -t A dc1.ad.ifsg.ca
 dc1.ad.ifsg.ca has address 192.168.2.10
~$ host -t A dc2.ad.ifsg.ca
 dc2.ad.ifsg.ca has address 192.168.2.11

As before we need to configure the NTP server chronyd.

~$ samba -b | grep 'NTP' | awk '{print $NF}'
  /var/lib/samba/ntp_signd

By default, the permissions and group settings will not let chronyd use this socket.

~$ ls -ld /var/lib/samba/ntp_signd
  drwxr-x--- 2 root root 4096 Jan 24 05:08 /var/lib/samba/ntp_signd

Change the permissions as follows.

~$ sudo chown root:_chrony /var/lib/samba/ntp_signd/
~$ sudo chmod 750 /var/lib/samba/ntp_signd/
~$ ls -ld /var/lib/samba/ntp_signd
drwxr-x--- 2 root _chrony 4096 Jan 24 05:08 /var/lib/samba/ntp_signd

Now edit the chronyd configuration file to connect it to the above socket and enable connections on the network.

~$ sudo nano /etc/chrony/chrony.conf 
 # Settings for Samba DC
 allow 192.168.2.0/24 # dns netmask
 ntpsigndsocket /var/lib/samba/ntp_signd

By default Samba is not configured to run as a service, meaning it will not start automatically with the server. Running Samba as a service can be accomplished using systemd. First, though, kill the Samba process so the service setup does not fail.

~$ ps -ax | grep samba
      1593 ?        Ss     0:00 samba: root process 
      4319 pts/0    S+     0:00 grep --color=auto samba
~$ sudo kill 1593

Now configure Samba to run as a systemd service. Mask the smbd, nmbd and winbind services and unmask the samba-ad-dc service.

~$ sudo systemctl mask smbd nmbd winbind
~$ sudo systemctl disable smbd nmbd winbind
~$ sudo systemctl stop smbd nmbd winbind
~$ sudo systemctl unmask samba-ad-dc
~$ sudo systemctl start samba-ad-dc
~$ sudo systemctl enable samba-ad-dc

Reboot the server and test!

~$ sudo reboot
~$ sudo systemctl status samba-ad-dc

Now confirm the server is working, test using kinit

~$ kinit Administrator

If this worked, you will have been prompted for your password and then seen a message saying that your password expires in # days

Lastly, confirm that redundancy is working by SSHing into dc1 and stopping its DC service

~$ sudo systemctl stop samba-ad-dc
 # On dc2 try and use kinit
~$ kinit Administrator
 # If you are asked for your password and told when it will expire, then the backup server is working.
 # On dc1, turn the primary DC back on.
~$ sudo systemctl start samba-ad-dc
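To re-verify both controllers after the steps above (who owns port 53, the SRV records for the LDAP and Kerberos services, and the ntp_signd directory permissions), here is an added shell script that is not part of the original post. Its checks parse the same netstat and host output shown in this guide; the function names, EXPECTED_DCS and the --live flag are my own assumptions.

```shell
#!/bin/sh
# Post-provision sanity checks for the Samba AD DCs in this guide (added example, not
# from the original post). Each check takes command output as text, so it can be run
# on the live host (--live) or against captured output.
DOMAIN="ad.ifsg.ca"
EXPECTED_DCS="dc1.ad.ifsg.ca dc2.ad.ifsg.ca"   # assumed: both DCs once dc2 has joined

# Program owning port 53 in `netstat -tulpn` output (tcp or udp line), pid stripped.
port53_owner() {
    printf '%s\n' "$1" | awk '$4 ~ /:53$/ { sub(/^[0-9]+\//, "", $NF); print $NF; exit }'
}

# 0 if samba serves DNS, 1 if systemd-resolved still holds the port, 2 if nothing does.
check_port53() {
    case "$(port53_owner "$1")" in
        samba*)           return 0 ;;
        systemd-resolve*) return 1 ;;
        *)                return 2 ;;
    esac
}

# Sorted, space-separated SRV targets from `host -t SRV` output; empty on NXDOMAIN.
srv_targets() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }' \
        | sort | tr '\n' ' ' | sed 's/ *$//'
}

# 0 only when the SRV answer lists exactly the expected DCs (order-independent).
check_srv() {
    expected=$(printf '%s\n' $2 | sort | tr '\n' ' ' | sed 's/ *$//')
    [ "$(srv_targets "$1")" = "$expected" ]
}

# 0 when the directory is mode 750 with the given group (_chrony on Ubuntu),
# which is what chronyd needs to reach the Samba signing socket.
check_signd_dir() {
    [ "$(stat -c '%a %G' "$1")" = "750 $2" ]
}

run_live() {   # needs sudo for netstat's process column
    check_port53 "$(sudo netstat -tulpn 2>/dev/null)" || echo "port 53 is not served by samba"
    for svc in _ldap._tcp _kerberos._udp; do
        check_srv "$(host -t SRV "$svc.$DOMAIN")" "$EXPECTED_DCS" \
            || echo "$svc.$DOMAIN does not list all expected DCs"
    done
    check_signd_dir /var/lib/samba/ntp_signd _chrony || echo "ntp_signd is not 750 with group _chrony"
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it on each DC as `sh dc-check.sh --live`; it prints nothing when all three checks pass.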