Hint
This documentation is valid for Samba-AD from version 4.8 onwards.
Installing and Configuring Samba-AD RODC on Debian
Attention
For RODC support, it is recommended to use a recent version of Samba. RODC support is generally functional and its robustness continues to improve!
Installing the operating system
Install a basic Debian machine with only ssh activated.
You may follow this installation documentation for Debian 64 bits.
Preparing the RODC
In this documentation, it is assumed:
That the existing RWDC server is called srvads and that the forest and domain functional level is 2008R2. To check this, run the following command on the RWDC:
samba-tool domain level show
That the new server you just installed is called srvrodc.
That the domain is called mydomain.lan.
That a test user is called myuser.
In the instructions below, you will replace mydomain.lan with your own domain name and srvrodc with the machine name of your choice.
Retrieving the necessary packages
Tranquil IT’s DEBs are currently validated for Debian 11 & 12.
The packages of the latest version validated by the engineering team at Tranquil IT can be downloaded from the URL https://samba.tranquil.it/debian/samba-4.20/.
When you need to migrate to the next version of Samba, you will only have to update the repository URL, which has the form https://samba.tranquil.it/debian/samba-4.20/.
For more comfort, you can define an apt repository and add our GPG public key:
wget -qO- https://samba.tranquil.it/tissamba-pubkey.gpg | tee /usr/share/keyrings/tissamba.gpg > /dev/null
sha256sum /usr/share/keyrings/tissamba.gpg
bd0f7140edd098031fcb36106b24a6837b067f1c847f72cf262fa012f14ce2dd /usr/share/keyrings/tissamba.gpg
echo "deb [signed-by=/usr/share/keyrings/tissamba.gpg] https://samba.tranquil.it/debian/samba-4.20/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/tissamba.list
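The three commands above download the key, print its SHA-256 and register the repository; the published hash is the only thing that ties the downloaded key to what Tranquil IT actually published, so a practitioner wants the comparison done by the script rather than by eye. The following is an added example, not Tranquil IT's own tooling: it fetches the key to a temporary file, refuses to install it unless the digest equals the pinned value from this page, and only then writes an apt source that is bound to that keyring with signed-by. The function names and the EXAMPLE_* variable names are this example's own; the URLs and hash are the ones printed on the page.

```shell
#!/bin/sh
# Added example, not Tranquil IT's own code: fetch the repository signing key,
# refuse to install it unless its SHA-256 matches the value pinned from the
# documentation, and only then write an apt source bound to that keyring.
# Function names and the EXAMPLE_* values below are this example's own.

# verify_sha256 FILE EXPECTED_HEX -> 0 when the digest matches, 1 otherwise
verify_sha256() {
    file="$1"
    expected="$2"
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# install_pinned_keyring URL EXPECTED_HEX DEST -> download to a temporary
# file, verify it, then move it into place; DEST is untouched on any failure
install_pinned_keyring() {
    url="$1"
    expected="$2"
    dest="$3"
    tmp="$(mktemp)" || return 1
    if ! wget -qO "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    install -m 0644 "$tmp" "$dest" && rm -f "$tmp"
}

# apt_source_line KEYRING URL CODENAME -> the sources.list entry; signed-by
# restricts this repository to the pinned key instead of the global trust store
apt_source_line() {
    printf 'deb [signed-by=%s] %s %s main\n' "$1" "$2" "$3"
}

# Values taken from the page: key URL, its published SHA-256, repository URL
EXAMPLE_KEY_URL="https://samba.tranquil.it/tissamba-pubkey.gpg"
EXAMPLE_KEY_SHA256="bd0f7140edd098031fcb36106b24a6837b067f1c847f72cf262fa012f14ce2dd"
EXAMPLE_REPO_URL="https://samba.tranquil.it/debian/samba-4.20/"
EXAMPLE_KEYRING="/usr/share/keyrings/tissamba.gpg"

# The real installation runs only when asked for explicitly (needs root and network):
#   sh this_script.sh install
if [ "${1:-}" = "install" ]; then
    install_pinned_keyring "$EXAMPLE_KEY_URL" "$EXAMPLE_KEY_SHA256" "$EXAMPLE_KEYRING" || exit 1
    apt_source_line "$EXAMPLE_KEYRING" "$EXAMPLE_REPO_URL" "$(lsb_release -c -s)" \
        > /etc/apt/sources.list.d/tissamba.list
fi
```

Because the key is written to a temporary file and moved with install only after the digest check passes, a tampered or truncated download never lands in /usr/share/keyrings, and apt never sees a sources entry that references a key which was not verified.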
Installing the packages
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install samba winbind libnss-winbind krb5-user smbclient ldb-tools python3-cryptography
unset DEBIAN_FRONTEND
Variant of the same command with the older python3-crypto package name in place of python3-cryptography:
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install samba winbind libnss-winbind krb5-user smbclient ldb-tools python3-crypto
unset DEBIAN_FRONTEND
Configuring network settings carefully
Change /etc/hostname to contain the FQDN:
srvrodc.mydomain.lan
Modify the /etc/hosts file so that it contains the DNS resolution of the machine’s FQDN on its IP, with the long name then the short name:
127.0.0.1 localhost
192.168.3.11 srvrodc.mydomain.lan srvrodc
Configuring the DNS
In the file /etc/resolv.conf, carefully enter the IP address of your DNS server:
search mydomain.lan
nameserver 192.168.1.11
Configuring Kerberos
Open /etc/krb5.conf, remove its contents and add:
[libdefaults]
    default_realm = MYDOMAIN.LAN
    dns_lookup_kdc = false
    dns_lookup_realm = false
[realms]
    MYDOMAIN.LAN = {
        kdc = 127.0.0.1
        kdc = 192.168.1.12
    }
Attention
The realm must be written in CAPITAL LETTERS, and the 2 IPs must be replaced with:
The IP of your srvrodc first; localhost (127.0.0.1) can be used.
The IP of srvads as the second IP (e.g. 192.168.1.12).
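The hostname, hosts, resolver and Kerberos settings above are the points where an RODC join most often goes wrong (short name instead of FQDN, the FQDN mapped to 127.0.1.1 by the Debian installer, a lowercase realm), and the failure only shows up later as a cryptic join or kinit error. The following is an added example, not part of the Tranquil IT documentation: a set of pre-flight checks to run before the reboot. Each check takes the file to inspect as its first argument so it can be exercised on copies; preflight() runs them against the live system files. The host, domain and IP values are the page's examples and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Tranquil IT's own code: pre-flight checks for the name and
# Kerberos settings an RODC join depends on. Each check takes the file to
# inspect as its first argument so it can be run against copies; preflight()
# runs them against the live system files. Host, domain and IP values are the
# page's examples; the function names are this example's own.

# re_escape STRING -> STRING with dots (in names and IPs) escaped for grep -E
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# check_hostname FILE FQDN -> 0 if FILE holds exactly the FQDN (not the short name)
check_hostname() {
    [ "$(head -n 1 "$1" | tr -d '[:space:]')" = "$2" ]
}

# check_hosts FILE FQDN SHORT -> 0 if an uncommented line maps a non-loopback
# address to the FQDN first and the short name second. The Debian installer
# puts the hostname on 127.0.1.1, which this rejects: Samba must see the real IP.
check_hosts() {
    awk -v f="$2" -v s="$3" '
        /^[[:space:]]*#/ { next }
        $2 == f && $3 == s && $1 !~ /^127\./ { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# check_resolv FILE NAMESERVER DOMAIN -> 0 if the resolver points at NAMESERVER
# and searches DOMAIN
check_resolv() {
    grep -Eq "^nameserver[[:space:]]+$(re_escape "$2")[[:space:]]*$" "$1" &&
    grep -Eq "^search[[:space:]]+$(re_escape "$3")([[:space:]]|$)" "$1"
}

# check_krb5 FILE REALM KDC... -> 0 if REALM is upper case and is the default
# realm, DNS KDC lookup is off, and every listed KDC address is configured
check_krb5() {
    file="$1"
    realm="$2"
    shift 2
    upper="$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')"
    if [ "$realm" != "$upper" ]; then
        echo "realm must be upper case: $realm" >&2
        return 1
    fi
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$(re_escape "$realm")[[:space:]]*$" "$file" || return 1
    grep -Eq "^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*false[[:space:]]*$" "$file" || return 1
    for kdc in "$@"; do
        grep -Eq "^[[:space:]]*kdc[[:space:]]*=[[:space:]]*$(re_escape "$kdc")[[:space:]]*$" "$file" || {
            echo "kdc $kdc not configured in $file" >&2
            return 1
        }
    done
}

# preflight FQDN SHORT DNS_IP RWDC_IP DOMAIN -> run every check against the live
# files, report each failure and return non-zero if any check failed
preflight() {
    realm="$(printf '%s' "$5" | tr '[:lower:]' '[:upper:]')"
    rc=0
    check_hostname /etc/hostname "$1" || { echo "FAIL /etc/hostname: expected $1"; rc=1; }
    check_hosts /etc/hosts "$1" "$2" || { echo "FAIL /etc/hosts: need '<ip> $1 $2' on a non-loopback IP"; rc=1; }
    check_resolv /etc/resolv.conf "$3" "$5" || { echo "FAIL /etc/resolv.conf: expected nameserver $3, search $5"; rc=1; }
    check_krb5 /etc/krb5.conf "$realm" 127.0.0.1 "$4" || { echo "FAIL /etc/krb5.conf"; rc=1; }
    return $rc
}

# Usage with the page's values, before the reboot:
#   preflight srvrodc.mydomain.lan srvrodc 192.168.1.11 192.168.1.12 mydomain.lan
```

The checks deliberately test the order of names in /etc/hosts (FQDN before short name) and reject loopback addresses for the FQDN, because that is what determines the name Samba registers and the address the RWDC and clients will be told to use.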
Reboot the host:
reboot
After rebooting, ensure that Kerberos is properly configured and that you obtain a TGT:
Attention
The default administrator account is administrator (English name). Type the administrator account’s password; if the command returns nothing, or you get a message about password expiration, that is fine.
kinit administrator
klist
Setting up the RODC service
Join the machine to the domain:
samba-tool domain join mydomain.lan RODC -U MYDOMAIN\\Administrator
In the file /usr/local/samba/etc/smb.conf, add the DNS forwarder:
dns forwarder = 8.8.8.8
Launch the Samba service:
/usr/local/samba/sbin/samba
Edit /etc/resolv.conf to make it point to itself:
search mydomain.lan
nameserver 127.0.0.1
Testing user password replication on the RODC server
On srvads, add the test user (myuser) as a member of the Allowed RODC Password Replication Group.
On srvrodc:
samba-tool rodc preload myuser --server=srvads.mydomain.lan
If all went well, the output looks like this:
Replicating DN CN=myuser,CN=Users,DC=mondomaine,DC=lan
Exop on[CN=myuser,CN=Users,DC=mondomaine,DC=lan] objects[1] linked_values[0]