Hint

This documentation is valid for Samba-AD from version 4.8 onwards.

Installing and Configuring Samba-AD RODC on Debian

Attention

For RODC support, it is recommended to use a recent version of Samba. RODC support is generally functional and its robustness continues to improve!

Installing the operating system

Install a basic Debian 10 machine with only SSH enabled.

You may follow this installation documentation for Debian 10 64-bit.

Preparing the RODC

In this documentation, it is assumed:

  • That the existing RWDC server is called srvads and that the forest and domain functional level is 2008R2. To check this, run the following command on the RWDC:

    samba-tool domain level show
    
  • That the new server you just installed is called srvrodc.

  • That the domain is called mydomain.lan.

  • That a test user is called myuser.

In the instructions below, you will replace mydomain.lan with your own domain name and srvrodc with the machine name of your choice.

Retrieving the necessary packages

Tranquil IT’s DEBs are currently validated for Debian 11 & 12.

The packages of the latest version validated by the engineering team at Tranquil IT can be downloaded from the url https://samba.tranquil.it/debian/samba-4.19/.

When it becomes necessary to migrate to the next version of Samba, you will only have to update the repository URL, for example https://samba.tranquil.it/debian/samba-4.19/.

For convenience, you can define an apt repository and add our GPG public key:

wget -qO-  https://samba.tranquil.it/tissamba-pubkey.gpg | tee /usr/share/keyrings/tissamba.gpg > /dev/null
sha256sum /usr/share/keyrings/tissamba.gpg
  bd0f7140edd098031fcb36106b24a6837b067f1c847f72cf262fa012f14ce2dd  /usr/share/keyrings/tissamba.gpg
echo "deb [signed-by=/usr/share/keyrings/tissamba.gpg] https://samba.tranquil.it/debian/samba-4.19/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/tissamba.list
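The three commands above print the checksum but leave it to the reader to compare it. The script below is an added example, not part of the Tranquil IT documentation: it makes the step fail-closed, writing the apt source only when the downloaded keyring hashes to the value published on the page and deleting the keyring otherwise. The hash constant is the one shown above; the self-check uses a constructed file, not a real keyring, so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the Tranquil IT documentation: make the keyring
# checksum step fail-closed. The apt source is only written when the
# downloaded keyring hashes to the value the page publishes; otherwise the
# keyring is deleted so a later apt run cannot trust it by accident.
# EXPECTED_TISSAMBA_SHA256 is the hash shown on the page for tissamba.gpg.
EXPECTED_TISSAMBA_SHA256="bd0f7140edd098031fcb36106b24a6837b067f1c847f72cf262fa012f14ce2dd"
TISSAMBA_KEYRING="/usr/share/keyrings/tissamba.gpg"
TISSAMBA_REPO="https://samba.tranquil.it/debian/samba-4.19/"

# verify_keyring FILE EXPECTED_SHA256
# Returns 0 when FILE exists and its SHA-256 equals EXPECTED_SHA256.
verify_keyring() {
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_repo KEYRING EXPECTED_SHA256 CODENAME [LISTFILE]
# Writes the signed-by apt source only after the keyring verifies;
# removes an unverified keyring and returns 1 otherwise.
install_repo() {
    keyring="$1"; expected="$2"; codename="$3"
    listfile="${4:-/etc/apt/sources.list.d/tissamba.list}"
    if verify_keyring "$keyring" "$expected"; then
        echo "deb [signed-by=$keyring] $TISSAMBA_REPO $codename main" > "$listfile"
        return 0
    fi
    rm -f "$keyring"
    echo "keyring $keyring did not match the expected SHA-256; repository not added" >&2
    return 1
}

# fetch_and_install: the page's commands with the check enforced.
# Needs network access, so it is not called automatically below.
fetch_and_install() {
    wget -qO- https://samba.tranquil.it/tissamba-pubkey.gpg > "$TISSAMBA_KEYRING" || return 1
    install_repo "$TISSAMBA_KEYRING" "$EXPECTED_TISSAMBA_SHA256" "$(lsb_release -c -s)"
}

# self_check: offline exercise on a constructed file (not a real keyring).
# A file hashed on the fly must pass; a tampered copy must be rejected and removed.
self_check() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample keyring bytes\n' > "$dir/sample.gpg"
    good=$(sha256sum "$dir/sample.gpg" | cut -d' ' -f1)
    install_repo "$dir/sample.gpg" "$good" bookworm "$dir/good.list" || return 1
    grep -q "signed-by=$dir/sample.gpg" "$dir/good.list" || return 1
    printf 'tampered\n' >> "$dir/sample.gpg"
    if install_repo "$dir/sample.gpg" "$good" bookworm "$dir/bad.list" 2>/dev/null; then return 1; fi
    [ ! -f "$dir/sample.gpg" ] || return 1
    [ ! -f "$dir/bad.list" ] || return 1
    rm -rf "$dir"
}

if self_check; then
    echo "keyring verification self-check: OK"
else
    echo "keyring verification self-check: FAILED" >&2
fi
```

On the real host, call fetch_and_install as root; if the published hash ever changes with a key rotation, update EXPECTED_TISSAMBA_SHA256 from the page rather than disabling the check.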

Installing the packages

export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install samba winbind libnss-winbind krb5-user smbclient ldb-tools python3-cryptography
unset DEBIAN_FRONTEND

Configuring network settings carefully

  • Change /etc/hostname to contain the FQDN:

    srvrodc.mydomain.lan
    
  • Modify the /etc/hosts file so that it contains the DNS resolution of the machine’s FQDN on its IP, with the long name then the short name:

    127.0.0.1      localhost
    192.168.3.11   srvrodc.mydomain.lan srvrodc
    

Configuring the DNS

In the file /etc/resolv.conf carefully enter the IP address of your DNS server.

search mydomain.lan
nameserver 192.168.1.11

Configuring Kerberos

  • Open /etc/krb5.conf, remove its contents and add:

    [libdefaults]
      default_realm = MYDOMAIN.LAN
      dns_lookup_kdc = false
      dns_lookup_realm = false
    [realms]
      MYDOMAIN.LAN = {
        kdc = 127.0.0.1
        kdc = 192.168.1.12
      }
    

    Attention

    It is necessary to respect the CAPITAL LETTERS and to replace the two IPs with:

    • First, the IP of your srvrodc; localhost (127.0.0.1) can be used here.

    • Second, the IP of srvads (e.g. 192.168.1.12).

  • Reboot the host:

    reboot
    
  • After rebooting, ensure that Kerberos is properly configured and that you can obtain a TGT:

    Attention

    The default administrator account is administrator (in English). Type the password of the administrator account; if the command returns nothing, or only a message about password expiration, it is OK.

    kinit administrator
    klist
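The hostname, /etc/hosts and krb5.conf settings above are easy to get subtly wrong (short name before the long one, realm in lower case, KDCs in the wrong order), and the join fails late when they are. The script below is an added example, not part of the Tranquil IT documentation: each check takes a file path so it can be run against copies, preflight() runs them on the live files, and the self-check uses constructed copies of the page's sample files.

```shell
#!/bin/sh
# Added example, not part of the Tranquil IT documentation: checks that the
# hostname, /etc/hosts and krb5.conf settings are in the shape the page
# requires before the RODC join is attempted. Every check takes a file path
# so it can be run against copies; preflight() uses the live files.

# escape_re STRING : escape the dots so an IP or FQDN can be used in a regex
escape_re() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# conf_value FILE KEY : print the value(s) of "KEY = value" lines in a
# krb5.conf-style file, one per line, tolerating missing spaces around "="
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//'
}

# check_hostname FILE FQDN : /etc/hostname must contain the FQDN, nothing else
check_hostname() {
    [ "$(head -n 1 "$1" | tr -d '[:space:]')" = "$2" ]
}

# check_hosts FILE IP FQDN SHORT : a line "IP FQDN SHORT" with the long name
# before the short one, as the page insists
check_hosts() {
    grep -Eq "^[[:space:]]*$(escape_re "$2")[[:space:]]+$(escape_re "$3")[[:space:]]+$4([[:space:]]|$)" "$1"
}

# check_krb5 FILE REALM RODC_IP RWDC_IP : realm in capitals and set as
# default_realm, DNS lookups disabled, and the kdc entries listing the RODC
# first and the RWDC second
check_krb5() {
    upper=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ "$2" = "$upper" ] || return 1
    [ "$(conf_value "$1" default_realm)" = "$2" ] || return 1
    [ "$(conf_value "$1" dns_lookup_kdc)" = "false" ] || return 1
    [ "$(conf_value "$1" dns_lookup_realm)" = "false" ] || return 1
    [ "$(conf_value "$1" kdc | tr '\n' ' ')" = "$3 $4 " ]
}

# preflight IP FQDN SHORT REALM RWDC_IP : run all checks on the live files
preflight() {
    check_hostname /etc/hostname "$2" || { echo "/etc/hostname: expected $2" >&2; return 1; }
    check_hosts /etc/hosts "$1" "$2" "$3" || { echo "/etc/hosts: expected '$1 $2 $3'" >&2; return 1; }
    check_krb5 /etc/krb5.conf "$4" 127.0.0.1 "$5" || { echo "/etc/krb5.conf: realm, lookups or kdc order wrong" >&2; return 1; }
    echo "preflight OK"
}

# self_check : constructed copies of the page's sample files (not live config)
self_check() {
    dir=$(mktemp -d) || return 1
    printf 'srvrodc.mydomain.lan\n' > "$dir/hostname"
    printf '127.0.0.1      localhost\n192.168.3.11   srvrodc.mydomain.lan srvrodc\n' > "$dir/hosts"
    printf '[libdefaults]\n  default_realm = MYDOMAIN.LAN\n  dns_lookup_kdc = false\n  dns_lookup_realm=false\n[realms]\n  MYDOMAIN.LAN = {\n    kdc = 127.0.0.1\n    kdc = 192.168.1.12\n  }\n' > "$dir/krb5.conf"
    check_hostname "$dir/hostname" srvrodc.mydomain.lan || return 1
    check_hosts "$dir/hosts" 192.168.3.11 srvrodc.mydomain.lan srvrodc || return 1
    check_krb5 "$dir/krb5.conf" MYDOMAIN.LAN 127.0.0.1 192.168.1.12 || return 1
    # the mistakes the page warns about must be caught
    if check_krb5 "$dir/krb5.conf" mydomain.lan 127.0.0.1 192.168.1.12; then return 1; fi
    if check_krb5 "$dir/krb5.conf" MYDOMAIN.LAN 192.168.1.12 127.0.0.1; then return 1; fi
    printf '192.168.3.11   srvrodc srvrodc.mydomain.lan\n' > "$dir/hosts"
    if check_hosts "$dir/hosts" 192.168.3.11 srvrodc.mydomain.lan srvrodc; then return 1; fi
    rm -rf "$dir"
}

if self_check; then echo "preflight self-check: OK"; else echo "preflight self-check: FAILED" >&2; fi
```

On the new host, run `preflight 192.168.3.11 srvrodc.mydomain.lan srvrodc MYDOMAIN.LAN 192.168.1.12` with your own values before the reboot; a failing check names the file to fix.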
    

Setting up the RODC service

  • Join the machine to the domain:

    samba-tool domain join mydomain.lan RODC -U MYDOMAIN\\Administrator
    
  • In the file /usr/local/samba/etc/smb.conf, add the DNS forwarder:

    dns forwarder = 8.8.8.8
    
  • Launch the Samba service with /usr/local/samba/sbin/samba:

    /usr/local/samba/sbin/samba
    
  • Edit /etc/resolv.conf to make it point to itself:

    search mydomain.lan
    nameserver 127.0.0.1
    

Testing user password replication on the RODC server

  • On srvads, add the test user (myuser) as a member of the Allowed RODC Password Replication Group.

  • On srvrodc:

    samba-tool rodc preload myuser --server=srvads.mydomain.lan
    
  • If all went well, the output looks like this:

    Replicating DN CN=myuser,CN=Users,DC=mondomaine,DC=lan
    Exop on[CN=myuser,CN=Users,DC=mondomaine,DC=lan] objects[1] linked_values[0]
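Reading the preload output by eye does not scale once several accounts are preloaded. The script below is an added example, not part of the Tranquil IT documentation: it derives the user's DN from the domain name, judges a captured `samba-tool rodc preload` output as pass or fail (the DN must be reported as replicated with a non-zero object count, as in the sample above), and wraps the page's command so it can be used in a loop. preload_and_check only works on srvrodc; the sample output is constructed in the page's shape with the mydomain.lan naming, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the Tranquil IT documentation: turns the
# "if all went well" reading of the preload output into a pass/fail test.
# preload_and_check calls samba-tool exactly as the page does and is only
# useful on srvrodc; the other functions work offline on captured output.

# domain_to_dn DOMAIN : mydomain.lan -> DC=mydomain,DC=lan
domain_to_dn() {
    printf 'DC=%s' "$1" | sed 's/\./,DC=/g'
}

# user_dn USER DOMAIN : DN of a user created in the default Users container
user_dn() {
    printf 'CN=%s,CN=Users,%s' "$1" "$(domain_to_dn "$2")"
}

# preload_succeeded OUTPUT USER DOMAIN : 0 only if OUTPUT reports the user's
# DN being replicated and the Exop line for that DN carries a non-zero
# object count, as in the page's sample output
preload_succeeded() {
    dn=$(user_dn "$2" "$3")
    dn_re=$(printf '%s' "$dn" | sed 's/[.]/\\./g')
    printf '%s\n' "$1" | grep -Fq "Replicating DN $dn" || return 1
    printf '%s\n' "$1" | grep -Eq "Exop on\[$dn_re\] objects\[[1-9][0-9]*\]"
}

# preload_and_check USER SERVER DOMAIN : run the page's command and judge it
preload_and_check() {
    out=$(samba-tool rodc preload "$1" --server="$2" 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    preload_succeeded "$out" "$1" "$3"
}

# Constructed sample output in the shape shown on the page (not captured
# from a real server), using the page's mydomain.lan naming.
SAMPLE_OUTPUT='Replicating DN CN=myuser,CN=Users,DC=mydomain,DC=lan
Exop on[CN=myuser,CN=Users,DC=mydomain,DC=lan] objects[1] linked_values[0]'

if preload_succeeded "$SAMPLE_OUTPUT" myuser mydomain.lan; then
    echo "sample preload output: password replicated"
else
    echo "sample preload output: replication NOT confirmed" >&2
fi
```

On srvrodc, `preload_and_check myuser srvads.mydomain.lan mydomain.lan` returns 0 only when the secret was actually replicated; run it for each account you expect the RODC to cache and treat any non-zero exit as a group-membership or replication problem to investigate on srvads.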