Installing and configuring a secondary Samba-AD on Redhat and derivatives

Note

In this documentation, it is assumed:

  • That the main domain controller is called srvads1.

  • That the secondary domain controller is called srvads2.

  • That the domain is called mydomain.lan.

In the instructions below, you will replace mydomain.lan with your own domain name and srvads1 and srvads2 with the machine names of your choice.

  • On a 64-bit RedHat10 (or derivative) base, prepare a clean network configuration by following this documentation.

Packages of the latest version 4.22 validated by the Tranquil IT team can be downloaded from the url redhat-samba-4.22.

When it becomes necessary to upgrade to Samba-4.23, just change the repository url to redhat-samba-4.23 and follow the notes on the upgrade page.

  • Retrieve the RPM signature key and configure a YUM repository (note: CentOS7 support ends with Samba 4.20):

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-10 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-10
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-10
echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat10/samba-4.22/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-10" > /etc/yum.repos.d/tissamba.repo

  • Check the SHA-256 checksum of the downloaded key file against the expected value:

    # For RHEL9 / RHEL10:
    sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9 || sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-10
        05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-{[9-10]}
    
    # For RHEL8:
    sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
        b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11 /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
    
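The step above only prints the checksum for you to compare by eye. As an added example (not Tranquil IT's code), the POSIX shell helper below compares the downloaded key file against the published checksum and only runs rpm --import when they match; the function names verify_sha256 and import_verified_key are my own.

```sh
#!/bin/sh
# Added example (not from the Tranquil IT page): refuse to import a repository
# signing key unless its SHA-256 matches the value published for that key.

# Checksum published on this page for RPM-GPG-KEY-TISSAMBA-10 (RHEL9/RHEL10 key).
TISSAMBA10_SHA256=05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a

# Print the SHA-256 of a file, using whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print $1 }'
}

# verify_sha256 FILE EXPECTED: return 0 on match, 1 (with a message on stderr)
# on mismatch; the comparison is case-insensitive on the hex digits.
verify_sha256() {
    actual=$(file_sha256 "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  got      %s\n' \
        "$1" "$expected" "$actual" >&2
    return 1
}

# import_verified_key FILE EXPECTED: hand the key to rpm only once it checks out.
import_verified_key() {
    verify_sha256 "$1" "$2" && rpm --import "$1"
}

# Usage on the controller, after the wget step above (not run here):
#   import_verified_key /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-10 "$TISSAMBA10_SHA256"
```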
  • Install the Samba-AD packages for RedHat and derivative distributions:

    yum --enablerepo=crb install -y samba samba-dc samba-winbind samba-winbind-clients krb5-workstation ldb-tools bind chrony bind-utils samba-client python3-markdown
    

    Warning

    --enablerepo=crb will only work with derivative distros. If you are using a RedHat distro, use the following command to enable the CRB repository (adjust the release number, 9 here, to your RHEL version):

    subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
    

Finalizing your basic configuration

  • Change /etc/hostname to contain the FQDN name of the machine:

    srvads2.mydomain.lan
    
  • Modify /etc/hosts so that it contains the DNS resolution of the machine’s FQDN on its IP (i.e. not 127.0.0.1), with the long name then the short name:

    127.0.0.1      localhost
    192.168.1.12   srvads2.mydomain.lan srvads2
    
  • Reboot the machine so that it takes its new name into account.

    Note

    Running hostname -F /etc/hostname does not seem to be enough: the samba script still picks up the old name.

Joining the secondary controller to the domain

  • Configure the DNS to point to a Windows or Samba domain controller in /etc/resolv.conf:

    search mydomain.lan
    nameserver 192.168.1.11
    

Configuring Kerberos

  • Open /etc/krb5.conf, remove its contents and add:

    [libdefaults]
      default_realm = MYDOMAIN.LAN
      dns_lookup_kdc = false
      dns_lookup_realm = false
    [realms]
      MYDOMAIN.LAN = {
        kdc = 127.0.0.1
        kdc = 192.168.1.12
      }
    

    Attention

    Respect the CAPITAL LETTERS and replace the two IPs by:

    • The IP of this host first; localhost 127.0.0.1 can be used.

    • The IP of srvads as the second IP (e.g. 192.168.1.12).

  • Reboot the host:

    reboot
    
  • After rebooting, ensure that Kerberos is properly configured and that you obtain a TGT:

    Attention

    On an English-language domain the default administrator account is called administrator. Type that account's password; if the command returns nothing, or you get a message about password expiration, it is OK.

    kinit administrator
    klist
    

Configuring Samba as a Secondary Domain Controller

  • Remove the configuration file /etc/samba/smb.conf which was automatically generated during package installation:

    rm -f /etc/samba/smb.conf
    
  • Join srvads2 as a member of the domain:

    samba-tool domain join mydomain.lan DC -U administrator --realm=MYDOMAIN.LAN -W MYDOMAIN
    
  • Modify the DNS to point to itself in /etc/resolv.conf:

    nameserver 127.0.0.1
    
  • In /etc/samba/smb.conf, add the DNS forwarder:

    [global]
       ...
       dns forwarder = 8.8.8.8
       ...
    
  • Activate the automatic start of the AD service:

    systemctl enable samba
    systemctl disable winbind nmb smb
    systemctl mask winbind nmb smb
    
  • Point your Kerberos to the correct configuration file:

    Hint

    By default Samba-AD provisioning creates an example file krb5.conf in the directory /var/lib/samba/private.

    This file is used by default by some Samba calls.

    It is best to replace it with a symbolic link to /etc/krb5.conf to avoid some side effects.

    rm /var/lib/samba/private/krb5.conf
    ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
    
  • Restart Samba:

    systemctl restart samba
    
  • Check that the DNS entries are correct:

    samba_dnsupdate --verbose
    
  • If some updates still fail, use this method, which bypasses Kerberos:

    samba_dnsupdate --use-samba-tool
    

Configuring SYSVOL

  • Graphically, you can retrieve the content of \\srvads1\sysvol from srvads1 and copy it to srvads2 from a Windows workstation as Domain Administrator. Or, from the command line, run on srvads2:

    rsync -aP root@srvads1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/
    
  • Then reset the ACL on SYSVOL, and check the ACLs (it should return nothing if OK):

    samba-tool ntacl sysvolreset
    samba-tool ntacl sysvolcheck
    

Hint

While waiting for a DFS-R implementation officially supported by the Samba team, Tranquil IT offers the tis-sysvolsync tool to synchronize SYSVOL shares between Samba domain controllers.

Validating the new installation

  • Test the DNS connection from the Active Directory DNS console.

  • Test the connection from the Active Directory Users and Computers console.

  • Check the status of the replications:

    samba-tool drs showrepl
    
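Reading the showrepl output by eye is easy to get wrong on a controller with many partitions. As an added example (not part of the Tranquil IT documentation), the POSIX shell filter below parses samba-tool drs showrepl output and reports every replication partner whose failure counter is non-zero; the sample output embedded in it is constructed, with one deliberately failing partition, and the function names repl_failures and failing_neighbours are my own.

```sh
#!/bin/sh
# Added example (not from the Tranquil IT page): flag replication partners that
# `samba-tool drs showrepl` reports as failing, instead of eyeballing the output.

# Constructed sample of showrepl output (not captured from a real controller):
# the domain partition replicates fine, ForestDnsZones has three outbound failures.
SAMPLE_SHOWREPL='Default-First-Site-Name\SRVADS2
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=mydomain,DC=lan
    Default-First-Site-Name\SRVADS1 via RPC
        Last attempt @ Mon Jan  6 10:00:00 2025 CET was successful
        0 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=mydomain,DC=lan
    Default-First-Site-Name\SRVADS1 via RPC
        Last attempt @ Mon Jan  6 10:00:00 2025 CET failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        3 consecutive failure(s).
'

# repl_failures: read showrepl output on stdin, print one line per partner with
# a non-zero failure counter ("<partition> <partner> <count>"), and return 1 if
# any were found so the call can serve as a health check.
repl_failures() {
    awk '
        /^(DC|CN)=/                { partition = $1 }
        / via (RPC|SMTP)$/         { partner = $1 }
        /consecutive failure\(s\)/ { if ($1 + 0 > 0) { bad++; print partition, partner, $1 } }
        END                        { exit (bad > 0) }
    '
}

# failing_neighbours OUTPUT: number of failing partners in the given text.
failing_neighbours() {
    printf '%s' "$1" | repl_failures | awk 'END { print NR }'
}

# Real usage on srvads2 once the join is done (not run here):
#   samba-tool drs showrepl | repl_failures || echo "replication needs attention"
```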

Configuring signed NTP

Configuring DNS hybrid

Before going into production, the internal Samba DNS must be replaced by the DNS hybrid. To do this, follow the documentation to integrate Samba with Bind9 on Redhat.

Great, if you have made it this far, then everything went well and you have a new operational secondary domain controller.