Samba AD
2019-01-31
A guide to using Samba for LDAP, Active Directory, and Dynamic DNS.
Install BIND
First install BIND 9, since Samba's internal DNS does not support wildcard entries.
Follow the Samba BIND Setup guide.
$ sudo apt install bind9 ldap-utils
Modify the named config /etc/bind/named.conf.options to list the networks we allow to query us and the upstream servers we forward to.
allow-query {
127.0.0.1;
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
recursion yes;
forwarders {
172.16.31.1;
};
forward only;
Also uncomment the include line in /etc/bind/named.conf.local to provide reverse lookups.
include "/etc/bind/zones.rfc1918";
Restart named.
clint:~$ sudo systemctl restart bind9
Install Samba
Check the samba version
clint:~$ samba -V
Version 4.7.6-Ubuntu
This Samba version is too old, so build from source following the Build Guide.
Start by installing the dependencies.
clint:~$ sudo apt purge samba
clint:~$ sudo apt remove libwbclient0
clint:~$ sudo apt auto-remove
clint:~$ sudo apt-get install acl attr autoconf bind9utils bison build-essential debhelper \
dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user libacl1-dev libaio-dev \
libarchive-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls28-dev \
libgpgme-dev libjson-perl libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
libpopt-dev libreadline-dev nettle-dev perl perl-modules-5.26 pkg-config python-all-dev \
python-crypto python-dbg python-dev python-dnspython python3-dnspython python-gpg \
python3-gpg python-markdown python3-markdown python3-dev xsltproc zlib1g-dev liblmdb-dev \
lmdb-utils libsystemd-dev
clint:~/code$ wget https://download.samba.org/pub/samba/stable/samba-4.11.2.tar.gz
clint:~/code$ tar -zxf samba-4.11.2.tar.gz
Configure & Compile
Use configure options so that the Samba directory layout more or less matches what we expect on Ubuntu. The list below is modified from Vapour-Apps.
clint:~/code/samba-4.11.2$ # sed -E "/Type=notify|NotifyAccess=all/d" ./bin/default/packaging/systemd/samba.service
clint:~/code/samba-4.11.2$ ./configure \
--prefix=/usr \
--enable-fhs \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=/usr/lib \
--with-privatedir=/var/lib/samba/private \
--with-smbpasswd-file=/etc/samba/smbpasswd \
--with-piddir=/var/run/samba \
--with-pammodulesdir=/lib/x86_64-linux-gnu/security \
--libdir=/usr/lib/x86_64-linux-gnu \
--with-modulesdir=/usr/lib/x86_64-linux-gnu/samba \
--datadir=/usr/share \
--with-lockdir=/var/run/samba \
--with-statedir=/var/lib/samba \
--with-cachedir=/var/cache/samba \
--systemd-install-services
Start the make with one job per CPU.
clint:~/code/samba-4.11.2$ make -j4
Install
If you would like an apt package, use checkinstall. My results were mixed. Specify the version with --pkgversion so that it matches the Ubuntu version format for Samba. This is version 4.11.
clint:~/code/samba-4.11.2$ sudo apt install checkinstall
clint:~/code/samba-4.11.2$ make install
clint:~/code/samba-4.11.2$ sudo checkinstall --requires='acl,attr,bind9utils,bison,debhelper,dnsutils,docbook-xml,docbook-xsl,flex,gdb,krb5-user,libacl1-dev,libattr1-dev,libcups2-dev,libgnutls28-dev,libgpgme11-dev,libjson-perl,libldap2-dev,libncurses5-dev,libpam0g-dev,libparse-yapp-perl,perl,perl-modules,python-crypto,python-dbg,python-dnspython,python3-dnspython,python-gpg,python3-gpg,python-markdown,python3-markdown,xsltproc,lmdb-utils' -y --pkgversion=2:4.11.2
**********************************************************************
Done. The new package has been installed and saved to
/home/clint/code/samba-4.11.2/samba_4.11.2-1_amd64.deb
You can remove it from your system anytime using:
dpkg -r samba
**********************************************************************
Create systemd Service Files
Modified from https://wiki.samba.org/index.php/Managing_the_Samba_AD_DC_Service_Using_Systemd
Ubuntu is still using /lib/systemd instead of /usr/lib/systemd. Quote the heredoc delimiter so the shell leaves $MAINPID for systemd to expand, and write the file through sudo tee since /lib/systemd/system is root-owned.
$ cat <<'EOF' | sudo tee /lib/systemd/system/samba-ad-dc.service
[Unit]
Description=Samba Active Directory Domain Controller
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
ExecStart=/usr/sbin/samba -D
PIDFile=/var/run/samba/samba.pid
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
EOF
$ sudo systemctl daemon-reload
$ sudo systemctl enable samba-ad-dc
Created symlink /etc/systemd/system/multi-user.target.wants/samba-ad-dc.service → /lib/systemd/system/samba-ad-dc.service.
$ sudo systemctl start samba-ad-dc
Get the status
$ systemctl status samba-ad-dc
● samba-ad-dc.service - Samba Active Directory Domain Controller
Samba Configuration
Set up a few variables for use in the installation. These need to be customized to your domain name, etc.
clint:~$ sudo rm /etc/samba/smb.conf
clint:~$ export DOMAIN=lab
clint:~$ export REALM=LAB.EXAMPLE.com
clint:~$ export PASSWD=********
Follow the Samba as AD Controller guide.
clint:~$ sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=BIND9_DLZ --realm=$REALM --domain=$DOMAIN --adminpass=$PASSWD
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Setting up fake yp server settings
Once the above files are installed, your Samba AD server will be ready to use
Server Role: active directory domain controller
Hostname: jump
NetBIOS Domain: LAB
DNS Domain: lab.example.com
DOMAIN SID: S-1-5-21-111679553-2008934376-681026361
clint:~$ sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
Things you do only in a lab: turn off password aging and complexity.
clint:~$ sudo samba-tool domain passwordsettings set --complexity=off
clint:~$ sudo samba-tool domain passwordsettings set --history-length=0
clint:~$ sudo samba-tool domain passwordsettings set --min-pwd-age=0
clint:~$ sudo samba-tool domain passwordsettings set --max-pwd-age=0
Follow the Samba Bind DLZ Guide
Add Samba’s DNS configuration to named by editing /etc/bind/named.conf
and adding this line:
include "/var/lib/samba/bind-dns/named.conf";
Enable dynamic DNS updates in the named configuration by adding this line inside the options { } block of /etc/bind/named.conf.options
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
Restart bind.
clint:~$ sudo systemctl restart bind9
Fix AppArmor
Fix AppArmor so that bind can read the configuration file in the Samba directory, following this guide.
Add local AppArmor rules for bind by editing /etc/apparmor.d/local/usr.sbin.named
# Samba DLZ and Active Directory Zones --cbm
/var/lib/samba/bind-dns/named.conf rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/bind-dns/** rwk,
/etc/samba/smb.conf r,
/usr/lib/x86_64-linux-gnu/samba/** rm,
/usr/lib/x86_64-linux-gnu/** rm,
/dev/urandom rw,
clint:~$ sudo systemctl reload apparmor.service
clint:~$ sudo systemctl restart bind9
Use journalctl to check the logs.
Test DNS Records
Test the DNS records.
clint:~$ host -t SRV _ldap._tcp.lab.example.com. 127.0.0.1
clint:~$ host -t SRV _kerberos._udp.lab.example.com. 127.0.0.1
clint:~$ host -t A jump.lab.example.com.
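The two SRV lookups above are spot checks. The script below is an added example, not part of the original guide, that checks the whole set of SRV records an AD client looks for (LDAP, Kerberos, kpasswd, global catalog and the _msdcs entries) and reports any that are missing. It assumes the host command from bind9utils/dnsutils is installed; the DNS domain and the resolver to query are passed as arguments, and with no arguments it only exercises the output parser on a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify the SRV records a
# provisioned Samba AD DC must publish, instead of the two spot checks above.
# Assumes `host` (bind9utils/dnsutils) is installed. Usage:
#   sh check_ad_srv.sh lab.example.com 127.0.0.1

# SRV names, relative to the AD DNS domain, that every DC publishes.
AD_SRV_NAMES="_ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp _kpasswd._udp _gc._tcp _ldap._tcp.dc._msdcs _ldap._tcp.pdc._msdcs"

# Constructed samples of `host -t SRV` output, used for the offline run below.
SAMPLE_SRV_OUTPUT='Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

_ldap._tcp.lab.example.com has SRV record 0 100 389 jump.lab.example.com.'
SAMPLE_NXDOMAIN='Host _gc._tcp.lab.example.com not found: 3(NXDOMAIN)'

# Number of SRV answers in a chunk of `host -t SRV` output (0 on NXDOMAIN).
count_srv_answers() {
    printf '%s\n' "$1" | grep -c 'has SRV record' || true
}

# One "port target" pair per SRV answer in the output.
srv_port_targets() {
    printf '%s\n' "$1" | awk '/has SRV record/ { print $(NF-1), $NF }'
}

# Query every expected SRV name against the resolver; print a line per record
# and fail if any record is missing.
check_ad_srv() {
    domain=$1
    resolver=${2:-127.0.0.1}
    missing=0
    for name in $AD_SRV_NAMES; do
        out=$(host -t SRV "$name.$domain." "$resolver" 2>&1) || true
        if [ "$(count_srv_answers "$out")" -eq 0 ]; then
            echo "MISSING $name.$domain"
            missing=$((missing + 1))
        else
            echo "ok      $name.$domain -> $(srv_port_targets "$out" | tr '\n' ' ')"
        fi
    done
    [ "$missing" -eq 0 ]
}

if [ $# -ge 1 ]; then
    check_ad_srv "$1" "$2"
else
    # No arguments: show the parser on the constructed samples only.
    echo "sample answers:   $(count_srv_answers "$SAMPLE_SRV_OUTPUT")"
    echo "sample target:    $(srv_port_targets "$SAMPLE_SRV_OUTPUT")"
    echo "nxdomain answers: $(count_srv_answers "$SAMPLE_NXDOMAIN")"
fi
```

Run it against 127.0.0.1 first (the DC's own BIND) and then against whatever resolver the clients use; a record that is present locally but missing from the client's view usually means the forwarding or the allow-query list in named.conf.options is wrong, not the Samba zone.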
Configure LDAPS
The default setup creates a self-signed certificate in /var/lib/samba/private/tls. Follow the Samba LDAP Guide if you would like to specify your own cert.
Skip TLS verification by adding a "tls verify peer" line to /etc/samba/smb.conf.
# Skip TLS check
tls verify peer = no_check
This server also runs Docker, since it is a test server, so we also need to limit the interfaces Samba binds to by adding these lines to /etc/samba/smb.conf.
# Don't use Docker interfaces
bind interfaces only = yes
interfaces = lo en* eth*
Restart Samba
clint:~$ sudo systemctl restart samba
Allow anonymous binds and searches
Follow Firstyear's blog post for adding anonymous binds and searches.
clint:~$ samba-tool forest directory_service dsheuristics 0000002 -H ldaps://localhost --simple-bind-dn="$ADMIN"
clint:~$ samba-tool dsacl set --objectdn=$BASEDN --sddl='(A;;RPLCLORC;;;AN)' --simple-bind-dn="$ADMIN" --password=$PASSWD
clint:~$ samba-tool dsacl set --objectdn=$BASEDN --sddl='(A;CI;RPLCLORC;;;AN)' --simple-bind-dn="$ADMIN" --password=$PASSWD
clint:~$ samba-tool dsacl set --objectdn=$BASEDN --sddl='(A;CI;RPLCLORC;;;AN)' --simple-bind-dn="$ADMIN" --password=$PASSWD
LDAPS is on port 636; plain LDAP is on 389. Check that Samba is listening on the LDAP ports.
$ sudo lsof -i -P -n | grep -E '636|389'
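The grep above matches any line containing 636 or 389, so a listener on 3389 or a process with 636 in its PID also shows up. The script below is an added example, not from the original guide: it matches the port column of ss -ltn exactly, prints the certificate Samba presents on 636 (the self-signed one from /var/lib/samba/private/tls unless you replaced it), and performs the anonymous base search that the dsheuristics and dsacl changes above are meant to allow, over LDAPS. It assumes iproute2's ss, openssl and ldap-utils are installed; the DC host name and base DN are passed as arguments, and with no arguments it only runs the port parser on a constructed ss sample.

```shell
#!/bin/sh
# Added example, not from the original guide. Usage:
#   sh check_ldaps.sh jump.lab.example.com DC=lab,DC=example,DC=com

# Constructed `ss -ltn` output for the offline run. The 3389 line is there
# because a loose grep for 389 would report it as the LDAP listener.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      10     0.0.0.0:389        0.0.0.0:*
LISTEN 0      10     [::]:636           [::]:*
LISTEN 0      128    0.0.0.0:3389       0.0.0.0:*'

# Succeed if the `ss -ltn` output in $2 has a TCP listener on exactly port $1.
port_listening() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")   # last element is the port for 0.0.0.0:389 and [::]:636
            if (a[n] == p) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Check the live system for both LDAP ports.
check_listeners() {
    out=$(ss -ltn)
    rc=0
    for p in 389 636; do
        if port_listening "$p" "$out"; then
            echo "ok   tcp/$p listening"
        else
            echo "FAIL tcp/$p not listening"
            rc=1
        fi
    done
    return $rc
}

# Subject, issuer and validity window of the certificate served on 636.
show_ldaps_cert() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Anonymous (-x, no -D) base search over LDAPS, which is what the
# (A;;RPLCLORC;;;AN) ACE on the base DN permits. LDAPTLS_REQCERT=never is
# only for the self-signed default; with a real certificate point
# LDAPTLS_CACERT at the CA instead.
anon_base_search() {
    LDAPTLS_REQCERT=never ldapsearch -LLL -H "ldaps://$1" -x -s base -b "$2" dn objectClass
}

if [ $# -ge 2 ]; then
    check_listeners && show_ldaps_cert "$1" && anon_base_search "$1" "$2"
else
    # No arguments: show the exact port match on the constructed sample.
    for p in 389 636 3389 4389; do
        if port_listening "$p" "$SAMPLE_SS"; then
            echo "sample: tcp/$p listening"
        else
            echo "sample: tcp/$p not listening"
        fi
    done
fi
```

If the anonymous search returns "Operations error" or no entry, the dsheuristics value did not take effect; if it fails with a TLS error, the certificate check in the middle step tells you whether the problem is the self-signed cert or a name mismatch.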
Add Sample Data
Following Samba Adding Users Guide, add a user.
clint:~$ sudo samba-tool user create user --given-name User --surname Masters \
--nis-domain $DOMAIN \
--uid-number 2005 \
--login-shell /bin/bash \
--unix-home /home/user \
--gid-number 2005 \
--gecos 'Test User,,,'
Create groups
clint:~$ samba-tool group add pks-users \
-H $SERVER -U $USER%$PASSWD
clint:~$ samba-tool group addmembers pks-users clint \
-H $SERVER -U $USER%$PASSWD
Test the Sample Data
clint:~$ export ADMIN=administrator@lab.example.com
clint:~$ export BASEDN=DC=lab,DC=cbmasters,DC=com
clint:~$ ldapsearch -b $BASEDN -H ldap://localhost -x
clint:~$ samba-tool user show --URL=ldap://localhost clint
Setup an App to Search
In the application that is going to search LDAP, set the following parameters:
| Parameter | Value |
| --- | --- |
| User Search Base | cn=Users,dc=labs,dc=example,dc=com |
| User Search Filter | sAMAccountName={0} |
| Group Search Base | cn=Users,dc=labs,dc=example,dc=com |
| Group Search Filter | member={0} |
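To see what those four parameters do, and to check them from the command line before wiring up the application, here is an added example that is not part of the original guide. It runs the user search and then the group search exactly as the app does, with {0} filled in. The one thing the app must get right is that the substituted value is escaped per RFC 4515: a login name like a)(objectClass=* must end up as a literal string, not as extra filter terms. It assumes ldap-utils and the search bases from the table; the host, login name and the bind DN and password (a service account the app would use) are hypothetical arguments, and with no arguments it only prints the filters it would build.

```shell
#!/bin/sh
# Added example, not from the original guide. Usage:
#   sh app_search.sh jump.lab.example.com clint 'CN=svc,CN=Users,DC=labs,DC=example,DC=com' 'password'

# Search bases from the table above.
USER_SEARCH_BASE='cn=Users,dc=labs,dc=example,dc=com'
GROUP_SEARCH_BASE='cn=Users,dc=labs,dc=example,dc=c' # placeholder? no: see below
GROUP_SEARCH_BASE='cn=Users,dc=labs,dc=example,dc=com'

# RFC 4515 escaping for a value substituted into a filter: backslash first,
# then the characters that have meaning inside a filter. (NUL cannot appear
# in a shell string, so it needs no handling here.)
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# "sAMAccountName={0}" from the table, with {0} = the login name.
user_filter() {
    printf '(sAMAccountName=%s)' "$(ldap_filter_escape "$1")"
}

# "member={0}" from the table, with {0} = the DN found by the user search.
group_filter() {
    printf '(member=%s)' "$(ldap_filter_escape "$1")"
}

# DN of the user; $1 host, $2 login name, $3 bind DN, $4 bind password.
# -o ldif-wrap=no keeps long DNs on one line so the sed extraction works.
user_dn() {
    ldapsearch -LLL -o ldif-wrap=no -H "ldap://$1" -x -D "$3" -w "$4" \
        -b "$USER_SEARCH_BASE" "$(user_filter "$2")" dn |
        sed -n 's/^dn: //p'
}

# Names of the groups whose member attribute holds that DN.
groups_of_dn() {
    ldapsearch -LLL -o ldif-wrap=no -H "ldap://$1" -x -D "$3" -w "$4" \
        -b "$GROUP_SEARCH_BASE" "$(group_filter "$2")" cn |
        sed -n 's/^cn: //p'
}

if [ $# -ge 4 ]; then
    dn=$(user_dn "$1" "$2" "$3" "$4")
    echo "user DN: $dn"
    groups_of_dn "$1" "$dn" "$3" "$4"
else
    # No arguments: show the filters built for a normal name, a name that
    # tries to smuggle in filter syntax, and a DN for the group search.
    user_filter 'clint'; echo
    user_filter 'a)(objectClass=*'; echo
    group_filter 'CN=clint,CN=Users,DC=labs,DC=example,DC=com'; echo
fi
```

Most LDAP client libraries do this escaping for you when you use their parameterised filter API; the point of writing it out is that if the application builds the filter by string concatenation, the second sample name turns a login lookup into a match on every object under the search base.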
Password
Authored By Masters
This article is licensed under a Creative Commons Attribution 4.0 International License.