Samba 4 Active Directory Domain Controller on Ubuntu 20.04 Server
This post details how to set up a pair of Active Directory domain controllers using Samba 4 on Ubuntu 20.04 Server. One will be the primary domain controller and the other a backup domain controller. This provides redundancy in case one server has to go down for updates.
Pre-Requisites
- Two independent Linux servers; this guide uses Ubuntu 20.04 Server.
- A domain name, sometimes called a fully qualified domain name (FQDN).
Network Configuration
Hostname | Domain | IP Address
---|---|---
dc1 | ad.ifsg.ca | 192.168.2.10
dc2 | ad.ifsg.ca | 192.168.2.11
Setup the Primary Domain Controller
This is broken up into pre-configuration of the server, installation and post-installation configuration.
Pre-configuration of the server
Set the hostname of the primary domain controller to dc1 and add it to /etc/hosts.
~$ sudo hostnamectl set-hostname dc1
~$ sudo nano /etc/hosts
# Add the following line to the /etc/hosts file:
192.168.2.10 dc1.ad.ifsg.ca dc1
Package installation
Install all of the required packages for Samba.
~$ sudo apt-get install -y acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools
Provision the primary Samba domain controller. The first step is to ensure that Samba is not running: search for any Samba processes and, if one is present, kill the "root process" PID.
~$ ps -ax | grep samba
1593 ? Ss 0:00 samba: root process
4319 pts/0 S+ 0:00 grep --color=auto samba
~$ sudo kill 1593
Now move aside the default smb.conf and krb5.conf files installed by the package manager, since samba-tool will refuse to provision over an existing smb.conf.
~$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
~$ sudo mv /etc/krb5.conf /etc/krb5.conf.orig
Run samba-tool in interactive mode to provision the primary domain controller.
- This needs to be run as root (via sudo) so it can write the configuration files to /etc/ and elsewhere.
- The tool will prompt for several pieces of information; the default is shown in square brackets []. You should be able to accept the defaults, but the following are the settings I used:
- Realm = AD.IFSG.CA
- Domain = AD
- DNS backend = SAMBA_INTERNAL
- I am configuring the internal DNS server; you can use BIND9, but that is outside the scope of this guide.
- DNS forwarder IP address = 208.67.222.222 208.67.220.220
- Several forwarder IPs can be provided by separating them with a space.
- Administrator password
- Should meet the minimum requirements described in Microsoft's password complexity requirements.
~$ sudo samba-tool domain provision --use-rfc2307 --interactive
Realm [AD.IFSG.CA]:
Domain [AD]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [127.0.0.53]: 208.67.222.222 208.67.220.220
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
Adding DomainDN: DC=ad,DC=ifsg,DC=ca
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers and extended rights
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Repackaging database from v1 to v2 format
Repack: repacked 10000 records so far
Repackaging database from v1 to v2 format
Repackaging database from v1 to v2 format
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad,DC=ifsg,DC=ca
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of the file with your system krb5.conf or replace it with this one. Do not create a symlink!
Setting up fake yp server settings
Once the above files are installed, your Samba AD server will be ready to use
Server Role: active directory domain controller
Hostname: dc1
NetBIOS Domain: AD
DNS Domain: ad.ifsg.ca
DOMAIN SID: S-1 ...
Post install configuration and testing
Copy the krb5.conf file that samba-tool generated to /etc/ (copy it, do not symlink it, as the provisioning output warns).
~$ sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
The Samba domain controller can now be started.
~$ sudo samba
Check the DNS settings by querying the SRV records that domain members use to locate a DC.
~$ host -t SRV _ldap._tcp.ad.ifsg.ca
Host _ldap._tcp.ad.ifsg.ca not found: 3(NXDOMAIN)
~$ host -t SRV _kerberos._udp.ad.ifsg.ca
Host _kerberos._udp.ad.ifsg.ca not found: 3(NXDOMAIN)
~$ host -t A dc1.ad.ifsg.ca
dc1.ad.ifsg.ca has address 192.168.2.10
This indicates that DNS is not working properly. Per Rico Sharp's documentation, this is caused by Ubuntu's built-in stub resolver (systemd-resolved) taking port 53 ahead of Samba's internal DNS server. We can confirm this by checking what is listening on port 53.
~$ sudo netstat -tulpn | grep :53
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 120/systemd-resolve
udp 0 0 127.0.0.53:53 0.0.0.0:* 120/systemd-resolve
To fix this we can disable the systemd-resolved service on the server and point /etc/resolv.conf at Samba's own DNS server.
~$ sudo systemctl stop systemd-resolved
~$ sudo systemctl disable systemd-resolved
~$ sudo unlink /etc/resolv.conf
~$ sudo nano /etc/resolv.conf
nameserver 192.168.2.10
search ad.ifsg.ca
~$ sudo reboot
Start the Samba domain controller again.
~$ sudo samba
Check the DNS settings again; these should resolve correctly now.
~$ host -t SRV _ldap._tcp.ad.ifsg.ca
_ldap._tcp.ad.ifsg.ca has SRV record 0 100 389 dc1.ad.ifsg.ca.
~$ host -t SRV _kerberos._udp.ad.ifsg.ca
_kerberos._udp.ad.ifsg.ca has SRV record 0 100 88 dc1.ad.ifsg.ca.
~$ host -t A dc1.ad.ifsg.ca
dc1.ad.ifsg.ca has address 192.168.2.10
We now need to configure the network time protocol (NTP) server, chronyd. Time synchronization is required for the DC to function (Kerberos rejects tickets when clocks drift too far apart); however, chronyd is not configured by the Samba setup process. What is more, the Samba instructions point to the wrong location for the NTP signing socket directory, so query the path Samba was built with instead.
~$ samba -b | grep 'NTP' | awk '{print $NF}'
/var/lib/samba/ntp_signd
By default, the ownership and permissions of this directory will not let chronyd use the socket.
~$ ls -ld /var/lib/samba/ntp_signd
drwxr-x--- 2 root root 4096 Jan 24 05:08 /var/lib/samba/ntp_signd
Change the group to _chrony (the account chronyd runs as on Ubuntu) while keeping the directory closed to everyone else.
~$ sudo chown root:_chrony /var/lib/samba/ntp_signd/
~$ sudo chmod 750 /var/lib/samba/ntp_signd/
~$ ls -ld /var/lib/samba/ntp_signd
drwxr-x--- 2 root _chrony 4096 Jan 24 05:08 /var/lib/samba/ntp_signd
Now edit the chronyd configuration file to connect it to the above socket and allow clients on the local network to query it. Add the following lines.
~$ sudo nano /etc/chrony/chrony.conf
# Settings for Samba DC
allow 192.168.2.0/24 # dns netmask
ntpsigndsocket /var/lib/samba/ntp_signd
By default Samba is not configured to run as a service, meaning it will not start automatically with the server. Running Samba as a service can be accomplished using systemd. First though, kill the running Samba process so the service setup does not fail.
~$ ps -ax | grep samba
1593 ? Ss 0:00 samba: root process
4319 pts/0 S+ 0:00 grep --color=auto samba
~$ sudo kill 1593
Now configure Samba to run as a systemd service. Mask the smbd, nmbd and winbind services (the samba-ad-dc service manages these roles itself) and unmask the samba-ad-dc service.
~$ sudo systemctl mask smbd nmbd winbind
~$ sudo systemctl disable smbd nmbd winbind
~$ sudo systemctl stop smbd nmbd winbind
~$ sudo systemctl unmask samba-ad-dc
~$ sudo systemctl start samba-ad-dc
~$ sudo systemctl enable samba-ad-dc
Reboot the server and confirm the service came up.
~$ sudo reboot
~$ sudo systemctl status samba-ad-dc
Now confirm the server is working by requesting a Kerberos ticket with kinit.
~$ kinit Administrator
If this worked, you should have entered your password and seen a message about your password expiring in # days.
Setup the Backup Domain Controller
This will also be broken up into the same three sections.
Pre-configuration of the server
Set the hostname of the backup domain controller to dc2 and add both controllers to /etc/hosts.
~$ sudo hostnamectl set-hostname dc2
~$ sudo nano /etc/hosts
# Add the following lines to the /etc/hosts file:
192.168.2.10 dc1.ad.ifsg.ca dc1
192.168.2.11 dc2.ad.ifsg.ca dc2
Package installation
Install all of the required packages for Samba.
~$ sudo apt-get install -y acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools
Provision the backup Samba domain controller. The first step is to ensure that Samba is not running: search for any Samba processes and, if one is present, kill the "root process" PID.
~$ ps -ax | grep samba
1593 ? Ss 0:00 samba: root process
4319 pts/0 S+ 0:00 grep --color=auto samba
~$ sudo kill 1593
Now move aside the default smb.conf and krb5.conf files installed by the package manager.
~$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
~$ sudo mv /etc/krb5.conf /etc/krb5.conf.orig
We can now try to join the backup DC to the domain.
~$ sudo samba-tool domain join ad.ifsg.ca DC -W AD -U Administrator
We get an error that it can't find a primary AD server to connect to. This is again caused by systemd-resolved: the join looks up the domain's SRV records, and the stub resolver is not forwarding those queries to dc1. To fix this, edit /etc/resolv.conf so it points at the primary DC and try again.
~$ sudo cp /etc/resolv.conf /etc/resolv.conf.orig
~$ sudo nano /etc/resolv.conf
Change nameserver to 192.168.2.10
Change search to ad.ifsg.ca
Try joining the backup DC again.
~$ sudo samba-tool domain join ad.ifsg.ca DC -W AD -U Administrator
Finding a writable DC for domain 'ad.ifsg.ca'
Found DC dc1.ad.ifsg.ca
Password for [AD\Administrator]:
workgroup is AD
realm is ad.ifsg.ca
Adding CN=DC2,OU=Domain Controllers,DC=ad,DC=ifsg,DC=ca
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=ifsg,DC=ca
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=ifsg,DC=ca
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=ad,DC=ifsg,DC=ca
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of the file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=ad,DC=ifsg,DC=ca
Starting replication
[ works through replicating the databases ]
Adding 1 remote DNS records for DC2.ad.ifsg.ca
Adding DNS A record DC2.ad.ifsg.ca for IPv4: 192.168.2.11
Adding DNS CNAME record [long id]._msdcs.ad.ifsg.ca for DC2.ad.ifsg.ca
All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
Replicating new DNS records in DC=DomainDnsZones,DC=ad,DC=ifsg,DC=ca
Replicating new DNS records in DC=ForestDnsZones,DC=ad,DC=ifsg,DC=ca
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain AD (SID S-1 ... ) as a DC
Post install configuration and testing
Copy the krb5.conf file that samba-tool generated to /etc/.
~$ sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
We can now attempt to start the Samba backup domain controller.
~$ sudo samba
Check the DNS settings.
~$ host -t SRV _ldap._tcp.ad.ifsg.ca
Host _ldap._tcp.ad.ifsg.ca not found: 3(NXDOMAIN)
~$ host -t SRV _kerberos._udp.ad.ifsg.ca
Host _kerberos._udp.ad.ifsg.ca not found: 3(NXDOMAIN)
~$ host -t A dc1.ad.ifsg.ca
dc1.ad.ifsg.ca has address 192.168.2.10
This is the same problem we saw with the primary DC server. Checking what is listening on port 53 confirms it.
~$ sudo netstat -tulpn | grep :53
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 120/systemd-resolve
udp 0 0 127.0.0.53:53 0.0.0.0:* 120/systemd-resolve
To fix this we can disable the systemd-resolved service on the server and point /etc/resolv.conf at this server's own Samba DNS.
~$ sudo systemctl stop systemd-resolved
~$ sudo systemctl disable systemd-resolved
~$ sudo unlink /etc/resolv.conf
~$ sudo nano /etc/resolv.conf
nameserver 192.168.2.11
search ad.ifsg.ca
~$ sudo reboot
Start the Samba domain controller again.
~$ sudo samba
Check the DNS settings again; these should resolve correctly now. There will be two answers each for the LDAP and Kerberos SRV records, as we now have a second domain controller.
~$ host -t SRV _ldap._tcp.ad.ifsg.ca
_ldap._tcp.ad.ifsg.ca has SRV record 0 100 389 dc1.ad.ifsg.ca.
_ldap._tcp.ad.ifsg.ca has SRV record 0 100 389 dc2.ad.ifsg.ca.
~$ host -t SRV _kerberos._udp.ad.ifsg.ca
_kerberos._udp.ad.ifsg.ca has SRV record 0 100 88 dc1.ad.ifsg.ca.
_kerberos._udp.ad.ifsg.ca has SRV record 0 100 88 dc2.ad.ifsg.ca.
~$ host -t A dc1.ad.ifsg.ca
dc1.ad.ifsg.ca has address 192.168.2.10
~$ host -t A dc2.ad.ifsg.ca
dc2.ad.ifsg.ca has address 192.168.2.11
As before, we need to configure the NTP server, chronyd.
~$ samba -b | grep 'NTP' | awk '{print $NF}'
/var/lib/samba/ntp_signd
By default, the ownership and permissions of this directory will not let chronyd use the socket.
~$ ls -ld /var/lib/samba/ntp_signd
drwxr-x--- 2 root root 4096 Jan 24 05:08 /var/lib/samba/ntp_signd
Change the group to _chrony as on the primary.
~$ sudo chown root:_chrony /var/lib/samba/ntp_signd/
~$ sudo chmod 750 /var/lib/samba/ntp_signd/
~$ ls -ld /var/lib/samba/ntp_signd
drwxr-x--- 2 root _chrony 4096 Jan 24 05:08 /var/lib/samba/ntp_signd
Now edit the chronyd configuration file to connect it to the above socket and allow clients on the local network to query it. Add the following lines.
~$ sudo nano /etc/chrony/chrony.conf
# Settings for Samba DC
allow 192.168.2.0/24 # dns netmask
ntpsigndsocket /var/lib/samba/ntp_signd
By default Samba is not configured to run as a service, meaning it will not start automatically with the server. Running Samba as a service can be accomplished using systemd. First though, kill the running Samba process so the service setup does not fail.
~$ ps -ax | grep samba
1593 ? Ss 0:00 samba: root process
4319 pts/0 S+ 0:00 grep --color=auto samba
~$ sudo kill 1593
Now configure Samba to run as a systemd service. Mask the smbd, nmbd and winbind services and unmask the samba-ad-dc service.
~$ sudo systemctl mask smbd nmbd winbind
~$ sudo systemctl disable smbd nmbd winbind
~$ sudo systemctl stop smbd nmbd winbind
~$ sudo systemctl unmask samba-ad-dc
~$ sudo systemctl start samba-ad-dc
~$ sudo systemctl enable samba-ad-dc
Reboot the server and confirm the service came up.
~$ sudo reboot
~$ sudo systemctl status samba-ad-dc
Now confirm the server is working by requesting a Kerberos ticket with kinit.
~$ kinit Administrator
If this worked, you should have entered your password and seen a message about your password expiring in # days.
Lastly, confirm that redundancy is working: SSH into dc1 and stop the DC service there, then request a ticket from dc2.
~$ sudo systemctl stop samba-ad-dc
# On dc2 try and use kinit
~$ kinit Administrator
# If you are asked for your password and told when it will expire, then the backup server is working.
# On dc1, turn the primary DC back on.
~$ sudo systemctl start samba-ad-dc
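The checks this guide performs by eye (both DCs in the SRV answers, port 53 held by Samba rather than systemd-resolved, and the ntp_signd directory readable by _chrony) can be scripted. The following POSIX shell script is an added example, not part of the original post; it assumes the ad.ifsg.ca domain and dc1/dc2 names used above, and the sample command output embedded in it is constructed from this post's transcripts so the checks can run without a live DC.

```shell
#!/bin/sh
# Added example (not from the original post): post-install checks for a
# Samba AD DC pair. Sample output below is constructed from the post.

# srv_has_all_dcs ANSWERS PORT DC... -> 0 only if every DC has an SRV
# answer on PORT in the `host -t SRV` output passed as ANSWERS.
srv_has_all_dcs() {
    answers=$1; port=$2; shift 2
    for dc in "$@"; do
        printf '%s\n' "$answers" |
            awk -v p="$port" -v d="$dc." \
                '$4=="record" && $7==p && $8==d {f=1} END{exit !f}' ||
            return 1
    done
    return 0
}

# port53_owner LINE -> prints the program name from a `netstat -tulpn` line
# (the part after "PID/"); the post shows systemd-resolve before the fix.
port53_owner() {
    printf '%s\n' "$1" | awk '{sub(/.*\//, "", $NF); print $NF}'
}

# ntp_signd_ok LINE -> 0 if an `ls -ld` line shows mode drwxr-x--- and
# group _chrony, i.e. chronyd can reach the socket but others cannot.
ntp_signd_ok() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^drwxr-x---/ && $4=="_chrony" {ok=1} END{exit !ok}'
}

# live_checks runs the same checks on a real DC; assumes netstat shows the
# listener as "samba" (assumption, not verified against the post).
live_checks() {
    srv_has_all_dcs "$(host -t SRV _ldap._tcp.ad.ifsg.ca)" 389 dc1.ad.ifsg.ca dc2.ad.ifsg.ca &&
    srv_has_all_dcs "$(host -t SRV _kerberos._udp.ad.ifsg.ca)" 88 dc1.ad.ifsg.ca dc2.ad.ifsg.ca &&
    [ "$(port53_owner "$(netstat -tulpn 2>/dev/null | grep ':53 ' | head -n1)")" = samba ] &&
    ntp_signd_ok "$(ls -ld /var/lib/samba/ntp_signd)"
}

# Constructed samples copied from the transcripts in this post.
LDAP_BOTH='_ldap._tcp.ad.ifsg.ca has SRV record 0 100 389 dc1.ad.ifsg.ca.
_ldap._tcp.ad.ifsg.ca has SRV record 0 100 389 dc2.ad.ifsg.ca.'
LDAP_ONE='_ldap._tcp.ad.ifsg.ca has SRV record 0 100 389 dc1.ad.ifsg.ca.'
NETSTAT_BAD='tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 120/systemd-resolve'
SIGND_BEFORE='drwxr-x--- 2 root root 4096 Jan 24 05:08 /var/lib/samba/ntp_signd'
SIGND_AFTER='drwxr-x--- 2 root _chrony 4096 Jan 24 05:08 /var/lib/samba/ntp_signd'

srv_has_all_dcs "$LDAP_BOTH" 389 dc1.ad.ifsg.ca dc2.ad.ifsg.ca &&
    echo "sample check: both DCs advertise LDAP on 389"
```

Call live_checks on either DC after the final reboot; it stops at the first failing check, so a missing dc2 SRV record or a port 53 still owned by systemd-resolve shows up immediately.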