.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Installing and configuring Samba-AD on RHEL8 / RHEL9 and derivatives
   :keywords: install, Redhat8, RHEL8, AlmaLinux8, CentOS8, CloudOS8, Samba, Samba-AD, configure, documentation

.. _server_install_samba_redhat:

############################################################
Installing and configuring Samba-AD on RHEL and derivatives
############################################################

.. note::

   EnterpriseLinux8 distributions and derivatives do not ship Samba-AD packages. Samba-AD relies on Heimdal Kerberos for Active Directory support, while RedHat only distributes and supports products based on MIT Kerberos.

.. note::

   Tranquil IT RPMs are currently validated for Redhat7, Redhat8 and Redhat9 (and derivatives like CentOS, AlmaLinux, OracleLinux, etc.). If you want to stick to a community supported derivative of Redhat, we recommend AlmaLinux8.4, which we are currently using for building and testing.

.. include:: server_prepare_redhat.rst.inc

.. include:: server_install_samba_redhat_repo.rst.inc

***********************************************
Instantiating the Active Directory Samba domain
***********************************************

.. _configure_kerberos_redhat:

Configuring Kerberos
====================

* Modify the file :file:`/etc/krb5.conf` and **replace all its contents by the following lines**, specifying the Active Directory domain of your organization (here *MYDOMAIN.LAN*):

  .. attention::

     The ``default_realm`` must absolutely be written in **UPPERCASE LETTERS**!!

  .. code-block:: ini

     [libdefaults]
        default_realm = MYDOMAIN.LAN
        dns_lookup_kdc = false
        dns_lookup_realm = false

     [realms]
        MYDOMAIN.LAN = {
           kdc = 127.0.0.1
        }

Configuring Samba
=================

* Delete the file :file:`/etc/samba/smb.conf` if it has already been generated (it will be regenerated by the provisioning command):

  .. code-block:: bash

     rm -f /etc/samba/smb.conf

* Configure Samba with the role of domain controller. In the following line, remember to change both the name of the *Kerberos realm* and the short name of the domain (NetBIOS name):

  .. code-block:: bash

     samba-tool domain provision --realm=MYDOMAIN.LAN --domain MYDOMAIN --server-role=dc

* Reset the *administrator* password:

  .. code-block:: bash

     samba-tool user setpassword administrator

* Check the line ``dns forwarder = xxx.xxx.xxx`` in your :file:`/etc/samba/smb.conf`. It must point to a valid DNS server, e.g.:

  .. code-block:: ini

     dns forwarder = 1.1.1.1

* Reconfigure the DNS resolution for the local machine. In the :file:`/etc/sysconfig/network-scripts/ifcfg-xxxx` file of the network interface, set the DNS entry so that the machine uses the Samba-AD DNS server itself:

  .. code-block:: ini

     DNS1=127.0.0.1

* Restart :program:`NetworkManager` to apply the changes and check that the *resolver* has been written to :file:`/etc/resolv.conf`:

  .. code-block:: bash

     systemctl restart NetworkManager

* The Samba domain provisioning creates an unnecessary :file:`/var/lib/samba/private/krb5.conf` file. It must be removed and replaced by a symbolic link to the :file:`/etc/krb5.conf` file:

  .. code-block:: bash

     rm -f /var/lib/samba/private/krb5.conf
     ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf

* Enable Samba so that it starts automatically at the next reboot, and start it now:

  .. code-block:: bash

     systemctl enable samba
     systemctl start samba

* Reboot the machine with :command:`reboot` to verify that Samba comes back up after a restart:

  .. code-block:: bash

     reboot

* After rebooting, check that Kerberos is properly configured and that you obtain a :abbr:`TGT (Ticket Granting Ticket)`. Type the password for the *administrator* account you defined above with :command:`samba-tool user setpassword`. If the command does not return anything, or you get a message about password expiration, it is fine:

  .. code-block:: bash

     kinit administrator
     klist

  .. attention::

     Samba-AD made the wise choice not to translate system account names. The default Administrator is therefore **administrator**, in English.

* Test the DNS:

  .. code-block:: bash

     dig @localhost google.fr
     dig @localhost srvads.mydomain.lan
     dig -t SRV @localhost _ldap._tcp.mydomain.lan

Validating the new installation with a Windows client
=====================================================

You can now join a Windows client to your new domain.

To manage your new domain, the management interfaces must be installed on a Windows workstation. The Samba command line is efficient for many administrative tasks, and the :abbr:`RSAT (Remote Server Administration Tools)` graphical interfaces are a good complement to the command line.

To install the RSAT tools, follow the page on :ref:`installing RSAT on your management machine `.

Once RSAT is installed:

* Create and delete a DNS record from the :guilabel:`DNS Active Directory` console.

* Create and delete a user account or a machine account from the :guilabel:`Users and Computers Active Directory` console.

* Create a new GPO.

Great, if you have made it this far, then everything is going well and you have a new Samba Active Directory domain up and running.

Now we will :ref:`configure the DNS service in BindDLZ mode ` to improve the performance of your Samba-AD.
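Before moving on, the Kerberos, Samba and resolver settings from the "Configuring Kerberos" and "Configuring Samba" sections can be double-checked with the following added verification script (it is not part of the Tranquil IT documentation). It reads the files edited above and reports the misconfigurations those steps warn about: a ``default_realm`` that is not uppercase or differs from the expected realm, a ``dns forwarder`` that is missing or points back at the DC itself, a private ``krb5.conf`` that is a copy instead of a symlink, and a resolver that does not use the local DC. The file paths default to the ones used above; the function names and the argument order are this example's own.

```shell
#!/bin/sh
# Added sanity checks for a freshly provisioned Samba-AD DC (not part of the
# Tranquil IT documentation). Every check prints a reason and returns 1 on failure.

# check_krb5 KRB5_CONF REALM: default_realm must be present, uppercase, and equal to REALM.
check_krb5() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$realm" ] || { echo "krb5: default_realm missing in $1"; return 1; }
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "krb5: default_realm '$realm' is not uppercase"; return 1; }
    [ "$realm" = "$2" ] || { echo "krb5: default_realm '$realm' does not match '$2'"; return 1; }
}

# check_forwarder SMB_CONF: 'dns forwarder' must be set and must not be the loopback
# address, otherwise the Samba DNS would forward unknown names back to itself.
check_forwarder() {
    fwd=$(sed -n 's/^[[:space:]]*dns forwarder[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$fwd" ] || { echo "smb: dns forwarder not set in $1"; return 1; }
    case "$fwd" in
        127.*|::1) echo "smb: dns forwarder '$fwd' points back at this DC"; return 1 ;;
    esac
}

# check_krb5_link PRIVATE_KRB5 ETC_KRB5: Samba's private krb5.conf must be a symlink to ETC_KRB5.
check_krb5_link() {
    [ -L "$1" ] || { echo "samba: $1 is not a symlink"; return 1; }
    [ "$(readlink "$1")" = "$2" ] || { echo "samba: $1 does not link to $2"; return 1; }
}

# check_resolver RESOLV_CONF: the first nameserver must be the local DC (127.0.0.1).
check_resolver() {
    ns=$(sed -n 's/^nameserver[[:space:]]*//p' "$1" | head -n 1)
    [ "$ns" = "127.0.0.1" ] || { echo "resolv: first nameserver is '$ns', expected 127.0.0.1"; return 1; }
}

# run_all REALM [KRB5_CONF SMB_CONF PRIVATE_KRB5 RESOLV_CONF]: run every check and
# return the number of failed checks (0 means the host matches the procedure above).
run_all() {
    want=$1; krb5=${2:-/etc/krb5.conf}; smb=${3:-/etc/samba/smb.conf}
    priv=${4:-/var/lib/samba/private/krb5.conf}; resolv=${5:-/etc/resolv.conf}
    fails=0
    check_krb5 "$krb5" "$want" || fails=$((fails + 1))
    check_forwarder "$smb" || fails=$((fails + 1))
    check_krb5_link "$priv" "$krb5" || fails=$((fails + 1))
    check_resolver "$resolv" || fails=$((fails + 1))
    echo "$fails check(s) failed"
    return "$fails"
}
```

On the DC itself, source the script and call ``run_all MYDOMAIN.LAN`` with your realm; a non-zero exit status lists the step to revisit.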