Samba 4 - domain controller

From Skytech

Revision as of 17:36, 19 February 2014


Prereq

Install

apt-get install build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl samba

Verify correct filesystem support

Install/setup ntpd

# Associate to the public NTP pool servers
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

# Location of drift file
driftfile /var/lib/ntp/ntp.drift

# Location of the log file
logfile /var/log/ntp

# Location of the update directory
# Directory of the socket Samba uses to sign NTP replies for Windows clients (MS-SNTP)
ntpsigndsocket /var/lib/samba/ntp_signd/

# Restrictions
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Copy kerberos conf

( Default configs should have been created by now ... )

mv /etc/krb5.conf{,.default}
cp /var/lib/samba/private/krb5.conf /etc

Setup as domain controller

samba-tool domain provision --use-rfc2307 --interactive --use-xattrs=yes

Argument Explanations

--use-rfc2307
    this argument adds POSIX attributes (UID/GID) to the AD Schema. This will be necessary if you intend to authenticate Linux, BSD, or OS X clients (including the local machine) in addition to Microsoft Windows. 

--use-xattrs=yes
    this argument enables the use of Unix extended attributes (ACLs) for files hosted on this server. If you do not intend to have file shares on the domain controller, you can omit this switch (but this is not recommended). You should also ensure that any filesystems that will host Samba shares are mounted with support for ACLs.

--interactive
    this parameter forces the provision script to run interactively. Alternatively, you can review the help for the provision step by running samba-tool domain provision --help
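The --use-xattrs=yes note above only holds if the underlying filesystem actually supports ACLs and user xattrs. Here is an added check script (my own, not from the page or the Samba project) that reads the mount options for a directory from /proc/mounts and, where they are not listed, probes the directory with setfattr/setfacl; the script name check_fs.sh and the directory argument are assumptions:

```shell
#!/bin/sh
# Added example, not from the original page: check that a directory that will
# hold Samba's private data or a share is on a filesystem with POSIX ACL and
# user xattr support, which "provision --use-xattrs=yes" relies on.

# mount_opts_ok OPTS: 0 if a /proc/mounts options field (comma separated)
# explicitly lists both "acl" and "user_xattr", else 1. Caveat: ext4 enables
# both by default and then does NOT list them, so probe_dir is authoritative.
mount_opts_ok() {
    case ",$1," in *,acl,*) ;; *) return 1 ;; esac
    case ",$1," in *,user_xattr,*) return 0 ;; *) return 1 ;; esac
}

# mount_opts_for PATH [MOUNTS_FILE]: print the options field of the longest
# mount point that is a prefix of PATH; later entries win ties, as the kernel
# does. MOUNTS_FILE defaults to /proc/mounts.
mount_opts_for() {
    awk -v p="$1" '
        $2 == "/" || index(p "/", $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }' "${2:-/proc/mounts}"
}

# probe_dir DIR: set and read back a user xattr and a POSIX ACL on a temp
# file in DIR (needs the attr and acl packages from the install step).
probe_dir() {
    f=$(mktemp "$1/.samba-probe.XXXXXX") || return 1
    rc=1
    if setfattr -n user.samba_probe -v 1 "$f" 2>/dev/null &&
       getfattr -n user.samba_probe "$f" >/dev/null 2>&1 &&
       setfacl -m u:nobody:r "$f" 2>/dev/null; then
        rc=0
    fi
    rm -f "$f"
    return $rc
}

# Usage: sh check_fs.sh /var/lib/samba
if [ $# -gt 0 ]; then
    opts=$(mount_opts_for "$1")
    if mount_opts_ok "$opts"; then echo "$1: acl,user_xattr listed ($opts)"
    elif probe_dir "$1"; then echo "$1: not listed, but live xattr/ACL probe OK"
    else echo "$1: no ACL/xattr support ($opts); remount with acl,user_xattr" >&2; exit 1
    fi
fi
```

Run it against both /var/lib/samba and every share root before provisioning; a failure means fixing /etc/fstab first.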

Setup replicator/secondary domain controller

Install and set up a server with the above, but stop short of running the samba-tool domain provision ... command.

Make sure the new server uses the same nameserver as the existing DC (i.e. point its nameserver at whatever the existing one is using).

Start replication:

samba-tool domain join HQ.SKYTECH.DK DC -Uadministrator --realm=HQ.SKYTECH.DK

I had to manually create both DNS entries on the PDC -

Basically, follow the checklist here: https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Check_required_DNS_entries_of_the_new_host

Since I was setting up a new DC paired with another Samba setup I could skip the part about "repadm ..."

Check replication status:

samba-tool drs showrepl

Switching to 'backup' DC if PDC dies horribly

The extra DC will take over if the primary goes down, but if you want to promote the 'backup' one you can do the Windows equivalent of dcpromo with:

samba-tool fsmo seize --role=all

Be sure to understand all the FSMO roles before doing this! Also, if they are distributed across several zones/machines/DCs, make sure to account for them all.

Docs/guides/troubleshooting

Found inspiration at various sites:

Also I had some issues with DNS - make sure it is pointing to the IP of the machine running Samba.

Administering DC via windows 7 / Win XP

To administer it from a Windows machine, download RSAT ( http://www.microsoft.com/en-us/download/details.aspx?id=7887 ).

After installation, enable the Active Directory MMC pages from "Windows default programs".

Make sure you're logged into the domain as administrator (or put your user in the Domain Admins group) on the Windows machine, then fire up mmc. Now you can control everything from here.

Group Policy

Everything except setting password complexity seems to work

Setting password complexity

I couldn't get password complexity to work with the samba server and it is currently not working.

Also keep in mind that Samba functions like a Windows 2003 server, so you can't do any fine-grained control of password policy per group/OU - it is defined globally.

It has to be done from the command line:

~# samba-tool domain passwordsettings set --complexity=off
Password complexity deactivated!
All changes applied successfully!

~# samba-tool domain passwordsettings show
Password informations for domain 'DC=hq,DC=skytech,DC=dk'

Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42

(run samba-tool domain passwordsettings --help for more info about the options)
  • Read more here: https://wiki.samba.org/index.php/Samba_AD_management_from_windows#Notes

Join domain with a linux machine

Install software and join domain

Using likewise-open it is very, very easy to join a domain.

First install it (I chose the -gui version, but otherwise feel free to use the CLI version):

GUI:
~# sudo aptitude install likewise-open5-gui

## Run it (remember to run with sudo or you'll just get weird errors!) and enter domain + username. You'll be prompted for a domain admin user+pass.
~# sudo domainjoin-gui

## CLI:
~# sudo domainjoin-cli join DOMAIN_NAME USER


After a successful join you should be able to browse network shares etc.

Login as domain user with ssh

If you want to log in over ssh as a domain user, you need to use

user: <DOMAIN>\<DOMAIN_USER>

pass: <DOMAIN_USER_PASS>

and you'll be logged in as the domain user (with a home directory like /home/likewise-open/<DOMAIN_USER>)

Getting sudo rights

You'll probably find you don't have any sudo rights now (exactly as you have to add yourself to the local administrators group to do the equivalent on a Windows machine) - you can fix that by adding the right domain group to sudoers.

## Add to sudoers (visudo, edit the file directly etc) .. then add the domain group you're in
%<DOMAIN>\<DOMAIN_GROUP> ALL=(ALL) ALL

## Example
"%HQ\domain^users" ALL=(ALL) ALL


I had to use "" to get it to work. To find your group simply run id "<DOMAIN>\<DOMAIN_USER>"
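As an added example (not from the page or the likewise-open project), here is a small script that builds a sudoers line in the likewise-open form above and only installs it after visudo accepts it; it deliberately uses the narrower group "Domain Admins" rather than domain users, and the script name lw-sudoers.sh and the drop-in path /etc/sudoers.d/likewise-open are assumptions:

```shell
#!/bin/sh
# Added example, not from the original page: build a sudoers entry for an AD
# group in the form likewise-open presents it (DOMAIN\group, spaces as "^",
# lower-cased, double-quoted as the page found necessary) and install it only
# after visudo accepts it. "Domain Admins" is an assumed, deliberately narrow
# group; the page's own "domain^users" line gives every domain user root.

# lw_sudoers_line SHORTDOMAIN "GROUP NAME": print the sudoers line.
lw_sudoers_line() {
    grp=$(printf '%s' "$2" | tr 'A-Z ' 'a-z^')
    printf '"%%%s\\%s" ALL=(ALL) ALL\n' "$1" "$grp"
}

# lw_sudoers_install SHORTDOMAIN "GROUP NAME" [FILE]: write the line to an
# /etc/sudoers.d drop-in (mode 0440, as sudo requires) only if "visudo -c"
# parses it; a syntax error in sudoers locks everyone out of sudo. Needs root.
lw_sudoers_install() {
    target=${3:-/etc/sudoers.d/likewise-open}
    tmp=$(mktemp) || return 1
    lw_sudoers_line "$1" "$2" > "$tmp"
    if visudo -c -q -f "$tmp"; then
        install -m 0440 -o root -g root "$tmp" "$target"; rc=$?
    else
        echo "rejected by visudo, not installed: $(cat "$tmp")" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: sudo sh lw-sudoers.sh HQ "Domain Admins"
if [ $# -ge 2 ]; then
    lw_sudoers_line "$1" "$2"
    lw_sudoers_install "$1" "$2"
fi
```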

To look up users, groups etc. just act as on a normal LDAP network - i.e. all of getent will work:

~# getent group
    

Login with normal GUI desktop as domain user

You've probably figured this out already - just like with SSH, change your username to:

<DOMAIN>\<DOMAIN_USER>

and then use your domain password.

XFCE on Linux Mint 16 (Petra)

I went through some trouble finding out how to do this. Eventually I switched away from the default mdm -> lightdm.

Then I changed my /etc/lightdm/lightdm.conf to look like:

[SeatDefaults]
user-session=cinnamon
greeter-hide-users=true
greeter-show-manual-login=true
greeter-session=lightdm-gtk-greeter


To actually switch I did:

~# sudo apt-get install lightdm-gtk-greeter

## It should prompt for which display manager you want, otherwise issue:
~# sudo dpkg-reconfigure lightdm