SAMBA Domain Controller

From Comprofix

This guide is for installing SAMBA for use as a Domain Controller.

Installation

Debian Linux should run on any x86_64 compatible machine with a minimum of 512 MB RAM. A working internet connection is required.

Download the installation media from your nearest Debian CD mirror - https://www.debian.org/CD/http-ftp/. Create a bootable USB or CD using this media.

Boot from your Installation USB or CD and select Install when prompted.

Select a Language

The default language is English. Select your required language and press Enter to continue.

Select your Location

The default location is United States. Select your required location and press Enter to continue. The location is used to set your time zone and to choose a default package mirror.

Configure the keyboard

The default keymap is American English. Select your required keymap and press Enter to continue.

Configure the Network

Enter a hostname for the machine and press Enter to continue. Enter a domain name; this can be left blank, as the FQDN is set by hand later in this guide. Press Enter to continue.

Root Password

Enter a password for the root user. You will be asked to enter this twice.

If you leave it blank, the root account is disabled for direct login and the user created in the next step is granted sudo privileges instead.

Setup User

Enter the full name of the new user; this can be the same as the username. Press Enter to continue. Enter the username you wish to use and press Enter to continue. Enter the user's password. You will be asked for this twice.

Setup Clock

Based on the location you selected earlier you will be presented with a time zone selection. Select your time zone and press Enter to continue.

Partition Disks

The default selection is Guided - use entire disk. This is the recommended selection. Press Enter to continue.

Select the disk to install to and press Enter to continue.

Under Partitioning scheme use All files in one partition. Using a separate partition for your home folder is not covered by this installation guide. Press Enter to continue.

Select Finish Partitioning and write changes to disk. Press Enter to continue. Select Yes to write changes to disks. Press Enter to continue.

Configure the Package manager

Select Debian archive mirror country

This will default to the location you selected earlier in the installation. If you wish to change it, select a country to use its Debian mirror. Press Enter to continue.

Select your nearest mirror

Select your nearest mirror and press Enter to continue.

Proxy Access

If you need to use a Proxy to access the outside world, enter the proxy information here. Otherwise leave it blank. Press Enter to continue.

Software Selection

Select No on the package usage survey (popularity-contest). Press Enter to continue.

In the software selection list:

A desktop environment is not required on a domain controller, so deselect it.

Deselect print server.

Select SSH server.

Press Enter to continue.

Boot Loader

Select Yes to install the GRUB boot loader and press Enter to continue. Select the drive to install GRUB onto and press Enter to continue.

Finish the Installation

Remove the installation media from your computer and press Enter to reboot your machine.

Post-Installation

Before we begin setting up SAMBA we need to install some packages and make some system changes.

Update repository

Enable the contrib and non-free repositories. Nothing in this guide requires them (the Samba packages are all in main), so skip this step if you prefer to stay on main only:

sed -i 's|main.*|main contrib non-free|g' /etc/apt/sources.list
apt update

Upgrade Packages

Perform a system upgrade to ensure all packages are updated:

apt update
apt upgrade
apt dist-upgrade
apt autoremove

Install System utilities

apt install zsh vim git curl apt-transport-https build-essential linux-headers-$(uname -r) net-tools dnsutils xattr acl

Of these, dnsutils (which provides the host command used in the testing section), acl and xattr are the ones the Samba steps rely on; the rest are convenience tools.

Initial Configuration for Samba4

Update fstab

Next, open /etc/fstab:

vim /etc/fstab

When in vim press 'i' to enter INSERT mode. Append ",user_xattr,acl" to the mount options (the fourth field) of the root filesystem line, so that for example errors=remount-ro becomes errors=remount-ro,user_xattr,acl (screenshot: Samba-fstab.png). Samba stores NT ACLs and DOS attributes in extended attributes, which is why both options are needed; Debian's ext4 filesystems already enable them by default, so the change is harmless where it is redundant. Save and exit the file: press ESC after modifying the file, then type :x to save and exit. Reboot the system so the root filesystem is remounted with the new options.

Set the system hostname

echo "dc01.example.lan" > /etc/hostname

NOTE: Change dc01.example.lan to your machine name and domain name. The new name takes effect at the next reboot.

Update hosts file

Update /etc/hosts with your machine's IP address:

vim /etc/hosts

When in vim press 'i' to enter INSERT mode. Add a line mapping the static IP address of your machine to its FQDN and short name, as in the screenshot (Samba-hosts.png); with this guide's values that is 10.0.2.4 dc01.example.lan dc01. The FQDN must not resolve to 127.0.0.1 or to 127.0.1.1 (the Debian installer's default entry), only to the LAN address of the DC. Save and exit the file: press ESC after modifying the file, then type :x to save and exit. Reboot the system.

vim /etc/resolv.conf

When in vim press 'i' to enter INSERT mode. The domain and search entries are the name of your domain (example.lan). The first nameserver is your AD server's own IP address (10.0.2.4 here): once provisioned, the DC is authoritative for the domain and must resolve its own service records. The second nameserver in the screenshot is Google's DNS (Samba-resolv.png). Be aware that the resolver library may send queries to the second server whenever the first is slow or unavailable, and an external resolver knows nothing about example.lan, so lookups of domain records can fail intermittently. The safer arrangement is to list only the DC here and hand upstream resolution to Samba through the DNS forwarder it asks for during provisioning.

Save and exit the file: press ESC after modifying the file, then type :x to save and exit. Reboot the system.

Set static IP Address

Edit your /etc/network/interfaces file and set a static IP address:

vim /etc/network/interfaces

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
    address 10.0.2.4
    netmask 255.255.255.0
    network 10.0.2.0
    # add a gateway line with your router's address if the DC needs a default route

Adjust eth0, the address and the netmask to your own network; the network entry is the network address of the subnet, not a host address.

Save and exit the file: press ESC after modifying the file, then type :x to save and exit. Reboot the system.

Install SAMBA Packages

apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind

During this install you will be asked to specify some Kerberos settings.

REALM = EXAMPLE.LAN
HOSTNAME = DC01.EXAMPLE.LAN

Enter the realm in the first screen (Default Kerberos version 5 realm), then enter the hostname in the next two screens (Kerberos servers for your realm, and Administrative server for your Kerberos realm).

Please note that the realm must be entered in CAPITAL letters: Kerberos realm names are case-sensitive and Samba provisions the realm as the upper-cased domain name. Hostnames are not case-sensitive, but this guide writes them in capitals as well.

Provision Samba AD DC for Your Domain

Disable Services

systemctl stop samba-ad-dc smbd nmbd winbind
systemctl disable samba-ad-dc smbd nmbd winbind

smbd, nmbd and winbind must stay disabled: the samba-ad-dc service starts its own copies of them, and the packaged units would conflict with it.

Provision SAMBA

mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
samba-tool domain provision --use-rfc2307 --interactive

Accept the defaults for the realm, domain, server role (dc) and DNS backend (SAMBA_INTERNAL). When asked for a DNS forwarder IP address, give the upstream resolver the DC should use for names outside the domain; this is where an external DNS server such as Google's belongs, rather than in /etc/resolv.conf. The default offered for the forwarder is taken from /etc/resolv.conf, which after the previous steps is the DC's own address, so do not simply accept it or the DC will forward to itself.

Set a secure Administrator password. Provisioning enforces the domain password policy, so a password that is too short or too simple is rejected.

Edit the /etc/samba/smb.conf file and add the following line to the end of the [global] section:

ldap server require strong auth = No

Be aware of what this does before keeping it. The default (Yes) makes the DC reject simple binds and unsigned SASL binds over unencrypted LDAP on port 389, so passwords cannot cross the network in the clear. Setting it to No accepts them, and any client doing a plain simple bind then exposes its password to anyone on the network path. Only set it if you have a client that cannot use Kerberos, SASL signing or LDAPS (port 636); the intermediate value allow_sasl_over_tls permits unsigned SASL binds only inside a TLS session.

Kerberos Setup

mv /etc/krb5.conf /etc/krb5.conf.initial
ln -s /var/lib/samba/private/krb5.conf /etc/

The file under /var/lib/samba/private is generated by provisioning and already contains the [libdefaults] section shown below; the symlink makes it the system-wide krb5.conf. Check that it matches the following, adding the [realms] and [domain_realm] sections if you want the KDC pinned explicitly instead of discovered through DNS SRV records:

[libdefaults]
    default_realm = EXAMPLE.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    EXAMPLE.LAN = {
        kdc = dc01.example.lan:88
        default_domain = example.lan
    }

[domain_realm]
    .example.lan = EXAMPLE.LAN
    example.lan = EXAMPLE.LAN

Enable Services

systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc

The Debian package ships the unit masked until you choose to run the host as an AD DC, hence the unmask. Reboot the system.
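Once samba-ad-dc is running, the verification steps in the next section can be collected into one repeatable health check. The script below is an added example, not code from the Comprofix page or the Samba project. It assumes the guide's values (example.lan, dc01.example.lan and 10.0.2.4, overridable through the DOMAIN, DC_FQDN and DC_IP environment variables), that it is run on the DC itself, and that host, samba-tool and samba_dnsupdate are installed. It goes beyond the two SRV records the text queries and checks the full set clients use to locate a DC; the answer-parsing functions are separated from the live queries so they can be exercised without a running DC.

```shell
#!/bin/sh
# dc-healthcheck.sh: post-provision checks for a Samba AD DC.
# Added example for this guide; not code from the Comprofix page or the Samba project.
# Assumed values (override in the environment) follow the guide: example.lan, dc01, 10.0.2.4.
set -u

DOMAIN="${DOMAIN:-example.lan}"
DC_FQDN="${DC_FQDN:-dc01.example.lan}"
DC_IP="${DC_IP:-10.0.2.4}"

# Target host from a 'host -t SRV' answer such as
#   _ldap._tcp.example.lan has SRV record 0 100 389 dc01.example.lan.
# Printed without the trailing dot; nothing is printed for NXDOMAIN/error lines.
srv_target() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Port from the same answer line (the field before the target).
srv_port() {
    printf '%s\n' "$1" | awk '/has SRV record/ { print $(NF - 1); exit }'
}

# Address from a 'host -t A' answer such as "dc01.example.lan has address 10.0.2.4".
a_record() {
    printf '%s\n' "$1" | awk '/has address/ { print $NF; exit }'
}

# True if the first nameserver in the given resolv.conf text is the DC itself.
# The DC is authoritative for $DOMAIN, so anything else listed first answers
# NXDOMAIN for the SRV records that clients use to locate it.
resolv_points_at_dc() {
    first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "$DC_IP" ]
}

# $1 = service label, $2 = expected port. Queries live DNS and compares with the DC.
check_srv() {
    answer=$(host -t SRV "$1.$DOMAIN" 2>&1)
    target=$(srv_target "$answer")
    port=$(srv_port "$answer")
    if [ "$target" = "$DC_FQDN" ] && [ "$port" = "$2" ]; then
        echo "ok    $1.$DOMAIN -> $target:$port"
    else
        echo "FAIL  $1.$DOMAIN: $answer"
        return 1
    fi
}

main() {
    rc=0
    echo "== functional level"
    samba-tool domain level show || rc=1

    echo "== A records (must be the LAN address, never loopback)"
    for name in "$DOMAIN" "$DC_FQDN"; do
        addr=$(a_record "$(host -t A "$name" 2>&1)")
        if [ "$addr" = "$DC_IP" ]; then echo "ok    $name -> $addr"
        else echo "FAIL  $name -> ${addr:-no answer}"; rc=1; fi
    done

    echo "== SRV records clients use to find the DC"
    check_srv _kerberos._udp 88   || rc=1
    check_srv _kerberos._tcp 88   || rc=1
    check_srv _kpasswd._udp  464  || rc=1
    check_srv _ldap._tcp     389  || rc=1
    check_srv _gc._tcp       3268 || rc=1   # global catalog

    echo "== local resolver"
    if resolv_points_at_dc "$(cat /etc/resolv.conf)"; then
        echo "ok    /etc/resolv.conf lists $DC_IP first"
    else
        echo "FAIL  /etc/resolv.conf does not list $DC_IP first"; rc=1
    fi

    echo "== directory database and dynamic DNS registrations"
    samba-tool dbcheck --cross-ncs || rc=1
    samba_dnsupdate --verbose      || rc=1

    # Optional: obtain a TGT as a named principal (prompts for the password).
    if [ -n "${KRB_PRINCIPAL:-}" ]; then
        echo "== kerberos"
        kinit "$KRB_PRINCIPAL" && klist || rc=1
    fi
    return $rc
}

# Run the live checks only when invoked as: sh dc-healthcheck.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with sh dc-healthcheck.sh --run, and set KRB_PRINCIPAL=administrator@EXAMPLE.LAN to also test a Kerberos login. samba_dnsupdate re-registers the DC's own records and exits non-zero if any update fails, which catches a bad interface or hostname setup that a single host query against an already-cached answer would miss.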

Testing and SAMBA Configuration

At this point Samba should be fully operational. The domain functional level that provisioning sets by default is Windows Server 2008 R2. It can be verified with the samba-tool utility:

samba-tool domain level show

Test the DNS resolver by issuing queries and pings against the AD DC's essential records, as in the excerpt below. Replace the domain name accordingly.

ping -c3 example.lan           # Domain name
ping -c3 dc01.example.lan      # FQDN
ping -c3 dc01                  # Host

Run the following queries against the Samba Active Directory Domain Controller:

host -t A example.lan
host -t A dc01.example.lan
host -t SRV _kerberos._udp.example.lan   # UDP Kerberos SRV record
host -t SRV _ldap._tcp.example.lan       # TCP LDAP SRV record

Each SRV answer must point at the DC's FQDN (dc01.example.lan.) and each A answer at its LAN address (10.0.2.4), never a loopback address. Verify Kerberos authentication by requesting a ticket for the domain administrator account and listing the cached ticket. Write the domain name portion in uppercase.

kinit administrator@EXAMPLE.LAN
klist

Samba and Kerberos are allowing logins and responding. As the kinit warning shows, though, the Administrator password will expire in 41 days: the provisioned default maximum password age is 42 days, and once it lapses the account cannot authenticate until the password is changed. This guide deals with that by turning off password expiry, and while making changes it also turns off password complexity for new accounts:

samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-length=0
samba-tool user setexpiry Administrator --noexpiry

Note that the five passwordsettings commands change the policy for every account in the domain: with them in place any user may set an empty, trivial or previously used password, and nothing ever forces a change. If the only goal is to stop the Administrator account expiring, the final command alone achieves that, and the domain-wide settings can be left at their provisioned values.
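For comparison with the commands above, here is the policy a practitioner would usually prefer: keep complexity, length and history, add account lockout to slow online guessing, and exempt only Administrator from expiry. This is an added example, not code from the Comprofix page or the Samba project. The thresholds (14 characters, 24 remembered passwords, a 365-day maximum age, lockout after 10 failures for 30 minutes) are assumptions to adjust to your own baseline; setting SAMBA_TOOL=echo prints the commands instead of running them, which is also how the policy can be reviewed before it reaches the domain.

```shell
#!/bin/sh
# dc-password-policy.sh: domain password policy for a Samba AD DC that keeps
# the built-in Administrator usable without removing every control.
# Added example for this guide; not from the Comprofix page or the Samba project.
# Thresholds are assumptions to tune to your own baseline. Set SAMBA_TOOL=echo
# to print the commands instead of running them.
set -eu

samba_tool() {
    "${SAMBA_TOOL:-samba-tool}" "$@"
}

# The guide's policy, for comparison: complexity, history, age and length
# controls all disabled for every account in the domain.
weak_policy() {
    samba_tool domain passwordsettings set --complexity=off --history-length=0 \
        --min-pwd-age=0 --max-pwd-age=0 --min-pwd-length=0
}

# Same outcome for Administrator (never expires), rules kept for everyone else.
# Ages are in days, lockout times in minutes (samba-tool's units).
hardened_policy() {
    samba_tool domain passwordsettings set --complexity=on
    samba_tool domain passwordsettings set --min-pwd-length=14
    samba_tool domain passwordsettings set --history-length=24
    samba_tool domain passwordsettings set --min-pwd-age=1
    samba_tool domain passwordsettings set --max-pwd-age=365
    # Slow down online guessing: lock after 10 failures for 30 minutes and
    # reset the failure counter after 30 minutes of quiet.
    samba_tool domain passwordsettings set --account-lockout-threshold=10
    samba_tool domain passwordsettings set --account-lockout-duration=30
    samba_tool domain passwordsettings set --reset-account-lockout-after=30
    # Exempt only the built-in admin from expiry, not the whole domain.
    samba_tool user setexpiry Administrator --noexpiry
}

# Count the controls a policy run switches off entirely (=0 or =off), so a
# change can be reviewed from its dry-run output before it reaches the domain.
count_disabled() {
    printf '%s\n' "$1" | grep -oE -e '--[a-z-]+=(0|off)( |$)' | wc -l | tr -d ' '
}

# Usage: sh dc-password-policy.sh --apply
if [ "${1:-}" = "--apply" ]; then
    hardened_policy
    samba_tool domain passwordsettings show
fi
```

The domain-wide values can be checked afterwards with samba-tool domain passwordsettings show; the Administrator exemption is per-account and shows up in that user's userAccountControl flags rather than in the domain policy.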