Gentoo // Samba 4.5 as AD DC

… still fighting – meaning: trial and error, and under construction.

Sources:
https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End

https://wiki.gentoo.org/wiki/Samba/Active_Directory_Guide

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting

https://wiki.samba.org/index.php/Adding_users_with_samba_tool

https://wiki.samba.org/index.php?title=User_and_Group_management

https://wiki.samba.org/index.php/User_Home_Folders

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Configure NTP

 emerge ntp
 rc-update add ntp-client default

Check /etc/hosts

# CHECK #
10.81.100.150	dc.test.local dc

Strategy
Use Samba's own Heimdal Kerberos.
Use Samba's own internal DNS backend with a DNS forwarder.
This machine is a dedicated AD DC. Files will be stored on a separate Samba domain member file server.
The AD DC's IP is 10.81.100.150, its host name is DC.

Select Samba's USE flags (in /etc/portage/package.use) and build it

 net-fs/samba addc addns -system-mitkrb5 gnutls winbind gssapi quota fam ldap cups
 emerge samba

Create /etc/krb5.conf

 [libdefaults]
	default_realm = SAMDOM.TEST.LOCAL
	dns_lookup_realm = false
	dns_lookup_kdc = true

Provisioning

Delete an existing /etc/samba/smb.conf – provisioning creates a brand new smb.conf

 samba-tool domain provision --use-rfc2307 --interactive

REALM: SAMDOM.TEST.LOCAL

Domain: SAMDOM

Server role: dc

Use SAMBA_INTERNAL as DNS backend.

Select your company's internal (or external :] ) DNS resolver as DNS forwarder.

The resulting /etc/samba/smb.conf should be similar to:

 # Global parameters
 [global]
	netbios name = DC
	realm = SAMDOM.TEST.LOCAL
	workgroup = SAMDOM
	dns forwarder = [YOUR_COMPANYS_DNS_RESOLVER]
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes

 [netlogon]
	path = /var/lib/samba/sysvol/samdom.test.local/scripts
	read only = No

 [sysvol]
	path = /var/lib/samba/sysvol
	read only = No

Your Active Directory Domain Controller machine should resolve all names against Samba's internal DNS.
Edit /etc/resolv.conf:

 domain samdom.test.local
 nameserver 10.81.100.150
 nameserver 8.8.8.8
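The smb.conf written by provisioning and the resolv.conf edited above have to agree with each other: the netlogon share lives below the lower-cased realm, the forwarder must be a real resolver rather than the placeholder, and the first nameserver must be the DC itself. The following is an added Python check, not part of this guide or of Samba; the function names, the dc_ip parameter and both sample files are constructed here (the smb.conf sample deliberately keeps the placeholder and a netlogon path from a different realm so that the check has something to report). It can be fed the real files with open('/etc/samba/smb.conf').read() and open('/etc/resolv.conf').read().

```python
"""Consistency check for a freshly provisioned AD DC: smb.conf and resolv.conf."""
import re

# Constructed sample modelled on the smb.conf above, with two deliberate mistakes:
# the dns forwarder placeholder was never replaced, and the netlogon path
# belongs to a different realm than the one provisioned.
SMB_CONF = """\
# Global parameters
[global]
    netbios name = DC
    realm = SAMDOM.TEST.LOCAL
    workgroup = SAMDOM
    dns forwarder = [YOUR_COMPANYS_DNS_RESOLVER]
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/samdom.test.irmedia/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
"""

# Constructed sample: the resolv.conf above, with a public resolver as fallback.
RESOLV_CONF = """\
domain samdom.test.local
nameserver 10.81.100.150
nameserver 8.8.8.8
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}.

    Samba compares parameter names case- and whitespace-insensitively, so keys
    are lower-cased with internal whitespace removed ('server role' -> 'serverrole').
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def parse_resolv_conf(text):
    """Return (domain, [nameservers]) from resolv.conf text."""
    domain, nameservers = "", []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "nameserver":
            nameservers.append(parts[1])
        elif parts[0] in ("domain", "search") and not domain:
            domain = parts[1]
    return domain, nameservers


def check_dc_config(smb_conf, resolv_conf, dc_ip):
    """Return a list of findings; an empty list means the two files agree with each other."""
    findings = []
    conf = parse_smb_conf(smb_conf)
    g = conf.get("global", {})
    realm = g.get("realm", "")

    if g.get("serverrole", "").lower() != "active directory domain controller":
        findings.append("server role is not 'active directory domain controller'")
    if not realm:
        findings.append("realm is not set")

    forwarder = g.get("dnsforwarder", "")
    if not forwarder or forwarder.startswith("["):
        findings.append("dns forwarder is unset or still a placeholder: %r" % forwarder)
    elif forwarder == dc_ip:
        findings.append("dns forwarder points at the DC itself (forwarding loop)")

    # Provisioning creates the netlogon share below the lower-cased realm.
    expected = "/var/lib/samba/sysvol/%s/scripts" % realm.lower()
    netlogon = conf.get("netlogon", {}).get("path", "")
    if realm and netlogon != expected:
        findings.append("netlogon path %r does not match realm (expected %r)" % (netlogon, expected))

    domain, nameservers = parse_resolv_conf(resolv_conf)
    if not nameservers or nameservers[0] != dc_ip:
        findings.append("first nameserver must be the DC itself (%s), got %r" % (dc_ip, nameservers[:1]))
    for ns in nameservers[1:]:
        if ns != dc_ip:
            findings.append("nameserver %s is not the DC; AD lookups that fall through to it will fail" % ns)
    if realm and domain.lower() != realm.lower():
        findings.append("resolv.conf domain %r does not match realm %r" % (domain, realm))
    return findings


if __name__ == "__main__":
    for finding in check_dc_config(SMB_CONF, RESOLV_CONF, "10.81.100.150"):
        print("FINDING:", finding)
```

Run against the samples it reports the placeholder forwarder, the foreign netlogon path and the non-DC fallback resolver; once those are corrected the list is empty. The fallback-resolver warning reflects the fact that 8.8.8.8 knows nothing about samdom.test.local, so any lookup that fails over to it cannot find the domain's SRV records.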

ATTENTION: Do not use /etc/init.d/samba start; it will fail.

Create a Samba start script in /etc/local.d (the file name must end in .start, e.g. samba.start) and make it executable:

 #!/bin/sh
 # DANCING SAMBA - /etc/local.d/samba.start
 # The AD DC binary expects its run and log directories to exist.
 test -d /run/samba || mkdir -p /run/samba
 test -d /var/log/samba || mkdir -p /var/log/samba
 # samba daemonises itself; a non-zero exit status means it did not start.
 if /usr/sbin/samba; then
    echo "SAMBA started."
 else
    echo "SAMBA failed."
 fi
 # END

Create a Samba stop script in /etc/local.d (the file name must end in .stop, e.g. samba.stop) and make it executable:

 #!/bin/sh
 # THE LAST DANCE - /etc/local.d/samba.stop
 # -x matches the process name exactly, so "samba.stop" itself is not a match.
 if pkill -x samba; then
    echo "SAMBA stopped."
 else
    echo "Stopping SAMBA failed."
 fi
 # END

####################################

Maintenance under Windows
Check this (!!!): https://wiki.samba.org/index.php/Installing_RSAT

Install RSAT-Tools (for Windows 7: https://www.microsoft.com/en-us/download/details.aspx?id=7887) on a Windows machine.

Start “Windows Programs and Features” and enable the required tools.

Run gpmc.msc, dsa.msc, etc.

Maintenance under Linux
Check this (!!!): https://www.tecmint.com/manage-samba4-active-directory-linux-command-line/

List users and machines:

 pdbedit -L -w

Delete users and machines:

 pdbedit -x COMPUTER$
 pdbedit -x USER

Additional Info:

I had to add the pid directory parameter to the newly created smb.conf.

I had to create the /var/run/samba directory.

Tune the password policy (show prints the current settings; the set commands below relax the defaults: complexity off, no history, no minimum age, no expiry, no minimum length)

 samba-tool domain passwordsettings show
 samba-tool domain passwordsettings set --complexity=off 
 samba-tool domain passwordsettings set --history-length=0
 samba-tool domain passwordsettings set --min-pwd-age=0
 samba-tool domain passwordsettings set --max-pwd-age=0
 samba-tool user setexpiry Administrator --noexpiry
 samba-tool domain passwordsettings set --min-pwd-length=0
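Because the set commands above switch off every password control at once, it is useful to be able to compare what samba-tool domain passwordsettings show reports against a baseline and get back the exact set command that restores each setting. The following Python audit is an added example, not part of this guide or of Samba: the sample output is constructed in the layout samba-tool prints, the baseline is assumed to be Samba's provisioning defaults (adjust it to your own policy), and the function names are made up here. In practice the text would come from subprocess.run(["samba-tool", "domain", "passwordsettings", "show"], capture_output=True, text=True).stdout.

```python
"""Audit the domain password policy as printed by `samba-tool domain passwordsettings show`."""

# Constructed sample in the layout samba-tool prints, reflecting the relaxed
# policy that the set commands above leave behind.
RELAXED_POLICY = """\
Password informations for domain 'DC=samdom,DC=test,DC=local'

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 0
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

# Assumed baseline: Samba's provisioning defaults. Each entry carries the
# `samba-tool domain passwordsettings set` option that restores it.
BASELINE = {
    "Password complexity": ("on", "--complexity=on"),
    "Password history length": (24, "--history-length=24"),
    "Minimum password length": (7, "--min-pwd-length=7"),
    "Minimum password age (days)": (1, "--min-pwd-age=1"),
    "Maximum password age (days)": (42, "--max-pwd-age=42"),
}


def parse_passwordsettings(text):
    """Turn the 'Name: value' lines into a dict; numeric values become ints."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:  # the header and blank lines carry no colon
            continue
        value = value.strip()
        settings[name.strip()] = int(value) if value.isdigit() else value
    return settings


def is_weaker(name, have, want):
    """True when the current value is laxer than the baseline for this setting."""
    if have is None:
        return True
    if isinstance(want, str):  # on/off switches
        return have != want
    if name.startswith("Maximum password age"):
        return have == 0 or have > want  # 0 means passwords never expire
    return have < want  # lengths, counts and the minimum age


def audit_password_policy(text, baseline=BASELINE):
    """Return (finding, remediation) pairs for every setting laxer than the baseline."""
    current = parse_passwordsettings(text)
    findings = []
    for name, (want, option) in baseline.items():
        have = current.get(name)
        if is_weaker(name, have, want):
            findings.append(("%s: %s (baseline %s)" % (name, have, want),
                             "samba-tool domain passwordsettings set %s" % option))
    # A lockout threshold of 0 disables lockout; reported without a remediation command.
    if current.get("Account lockout threshold (attempts)", 0) == 0:
        findings.append(("Account lockout threshold (attempts): 0 (lockout disabled)", None))
    return findings


if __name__ == "__main__":
    for finding, fix in audit_password_policy(RELAXED_POLICY):
        print(finding, "->", fix or "review manually")
```

On the relaxed sample it lists all five settings with their restoring command plus the disabled lockout; on a freshly provisioned domain only the lockout line remains, since Samba provisions with the threshold at 0.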

HINTS:
xidNumber is the UNIX user ID (root -> 0).

Show and edit a user's properties (on Gentoo the database lives under /var/lib/samba/private, matching the sysvol path above; /usr/local/samba/private is the location of a source build):

 ldbedit -e mcedit -H /usr/local/samba/private/sam.ldb 'sAMAccountName=zuppiuser'

ATTENTION: When adding a user with samba-tool:

home-directory should be double quoted (the UNC path contains backslashes).
home-drive needs a trailing ‘:’ (like U:) – otherwise Z: will be used.

HINT:
If you create corresponding local UNIX users in addition to the Samba users and give them a shell such as /sbin/noshell, do not forget to add that shell to /etc/shells.

TESTING
…coming soon.

MAINTENANCE
…coming soon.

One thought on “Gentoo // Samba 4.5 as AD DC”

  1. Nice Guide!
    Got me going, but for some odd reason I can’t check smb share file/folder security permissions in windows 10.
    Doing so crashes explorer/COM Surrogate, no idea what’s up.
