Installing and configuring a secondary Samba-AD on Debian
Note
In this documentation, it is assumed:
That the main domain controller is called srvads1.
That the secondary domain controller is called srvads2.
That the domain is called mydomain.lan.
In the instructions below, you will replace mydomain.lan with your own domain name and srvads1 and srvads2 with the machine names of your choice.
Preparing the Virtual machine
On a 64-bit Debian, prepare the network configuration of the machine following the same documentation as for a new domain controller.
Modify /etc/hosts so that it resolves the machine's FQDN to its real IP address (i.e. not on the localhost 127.0.0.1 line), specifying the long name and then the short name:
127.0.0.1 localhost
192.168.1.12 srvads2.mydomain.lan srvads2
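The loopback mapping is the mistake this step warns about: Debian installs typically ship a `127.0.1.1 hostname.domain hostname` line, and a DC whose FQDN resolves to loopback will register bad DNS and Kerberos records. The following check is an added example, not part of the Tranquil IT documentation; the two sample /etc/hosts contents are constructed, and the file path and FQDN are parameters.

```shell
#!/bin/sh
# Added example (not from the Tranquil IT documentation): check that an
# /etc/hosts-style file maps the host's FQDN to a non-loopback address and
# lists the long name before the short name, as the text requires.

# check_hosts_entry FILE FQDN   ("-" reads the file from stdin)
# Returns 0 when FILE has a line "<non-loopback IP> <FQDN> <shortname>"
# and no line maps the FQDN to a loopback address; returns 1 otherwise.
check_hosts_entry() {
    file=$1
    fqdn=$2
    short=${fqdn%%.*}
    awk -v fqdn="$fqdn" -v short="$short" '
        /^#/ || NF == 0 { next }                 # skip comments and blank lines
        {
            for (i = 2; i <= NF; i++) {
                if ($i != fqdn) continue
                # FQDN on a 127.x or ::1 line: the Debian default we must avoid
                if ($1 ~ /^127\./ || $1 == "::1") { bad = 1; next }
                # long name first, short name second, on a real address
                if (i == 2 && $3 == short) ok = 1
            }
        }
        END { exit (ok && !bad) ? 0 : 1 }
    ' "$file"
}

# Constructed sample contents used for demonstration.
sample_hosts_good() {
    printf '127.0.0.1 localhost\n192.168.1.12 srvads2.mydomain.lan srvads2\n'
}
sample_hosts_bad() {
    # Debian installer default: FQDN mapped to 127.0.1.1
    printf '127.0.0.1 localhost\n127.0.1.1 srvads2.mydomain.lan srvads2\n'
}

case "${1:-}" in
    # sh check_hosts.sh check   -> checks the live /etc/hosts for this host
    check) check_hosts_entry /etc/hosts "$(hostname -f)" && echo "hosts entry OK" ;;
    demo)  sample_hosts_good | check_hosts_entry - srvads2.mydomain.lan && echo "sample OK" ;;
esac
```

Run it with `sh check_hosts.sh check` on the freshly prepared machine; a non-zero exit means the FQDN is either missing, on a loopback line, or listed after the short name.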
Retrieving the necessary packages
Tranquil IT’s DEBs are currently validated for Debian 11 & 12.
The packages of the latest version validated by the engineering team at Tranquil IT can be downloaded from the URL https://samba.tranquil.it/debian/samba-4.20/.
When it becomes necessary to migrate to the next version of Samba, you will only need to update the repository URL, for example https://samba.tranquil.it/debian/samba-4.20/.
For convenience, you can define an apt repository and add our GPG public key:
wget -qO- https://samba.tranquil.it/tissamba-pubkey.gpg | tee /usr/share/keyrings/tissamba.gpg > /dev/null
sha256sum /usr/share/keyrings/tissamba.gpg
bd0f7140edd098031fcb36106b24a6837b067f1c847f72cf262fa012f14ce2dd /usr/share/keyrings/tissamba.gpg
echo "deb [signed-by=/usr/share/keyrings/tissamba.gpg] https://samba.tranquil.it/debian/samba-4.20/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/tissamba.list
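The sha256sum line above prints the digest but does nothing if it differs; a keyring that was tampered with in transit would still be installed as a trusted signer for the repository. The helper below is an added example, not part of the Tranquil IT documentation: it pins the digest the documentation gives for tissamba.gpg and writes the apt source only after the keyring matches, removing the file otherwise. Paths and the codename are parameters so it can be exercised on a scratch directory; the download itself is left to wget exactly as on the page.

```shell
#!/bin/sh
# Added example (not from the Tranquil IT documentation): verify the repository
# signing key against a pinned sha256 before trusting it in apt.

# Digest printed by the documentation for /usr/share/keyrings/tissamba.gpg
EXPECTED_TISSAMBA_SHA256=bd0f7140edd098031fcb36106b24a6837b067f1c847f72cf262fa012f14ce2dd
TISSAMBA_URL=https://samba.tranquil.it/debian/samba-4.20/

# verify_keyring KEYRING [EXPECTED_SHA256] -> 0 if the digest matches, 1 otherwise
verify_keyring() {
    expected=${2:-$EXPECTED_TISSAMBA_SHA256}
    actual=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$expected" ]
}

# add_tissamba_repo KEYRING SOURCES_LIST CODENAME [EXPECTED_SHA256]
# Writes the signed-by apt source line only after the keyring digest has been
# verified; on mismatch it deletes the unverified keyring and returns 1.
add_tissamba_repo() {
    keyring=$1; sources=$2; codename=$3; expected=${4:-$EXPECTED_TISSAMBA_SHA256}
    if ! verify_keyring "$keyring" "$expected"; then
        echo "keyring digest mismatch for $keyring, refusing to add repository" >&2
        rm -f "$keyring"
        return 1
    fi
    printf 'deb [signed-by=%s] %s %s main\n' "$keyring" "$TISSAMBA_URL" "$codename" > "$sources"
}

# install_tissamba_repo: the documented steps, with the digest check enforced
install_tissamba_repo() {
    keyring=/usr/share/keyrings/tissamba.gpg
    wget -qO- https://samba.tranquil.it/tissamba-pubkey.gpg > "$keyring" || return 1
    add_tissamba_repo "$keyring" /etc/apt/sources.list.d/tissamba.list "$(lsb_release -c -s)"
}

case "${1:-}" in
    install) install_tissamba_repo && echo "repository added" ;;   # run as root
esac
```

If Tranquil IT rotates the key, the documented digest changes and the function will refuse the new key until the pinned value is updated, which is the intended behaviour: an unexpected key change should be a deliberate decision, not a silent one.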
Installing the packages
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install samba winbind libnss-winbind krb5-user smbclient ldb-tools python3-cryptography
unset DEBIAN_FRONTEND
Variant of the same installation commands with the python3-crypto package instead of python3-cryptography:
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install samba winbind libnss-winbind krb5-user smbclient ldb-tools python3-crypto
unset DEBIAN_FRONTEND
Configuring Kerberos
Open /etc/krb5.conf, remove its contents and add:
[libdefaults]
    default_realm = MYDOMAIN.LAN
    dns_lookup_kdc = false
    dns_lookup_realm = false
[realms]
    MYDOMAIN.LAN = {
        kdc = 127.0.0.1
        kdc = 192.168.1.12
    }
Attention
It is necessary to respect the CAPITAL LETTERS and to replace the 2 IPs by:
The IP of your srvrodc first; localhost 127.0.0.1 can be used.
The IP of srvads as the second IP (e.g. 192.168.1.12).
Reboot the host:
reboot
After rebooting, ensure that Kerberos is properly configured and that you obtain a TGT:
Attention
The default administrator account is administrator (the English name). Type the password of the administrator account; if kinit returns nothing, or only a message about password expiration, that is fine.
kinit administrator
klist
Configuring Samba as a Secondary Domain Controller
Remove the configuration file /etc/samba/smb.conf which was automatically generated during package installation:
rm -f /etc/samba/smb.conf
Join the Domain Controller as a member of the domain. Replace the values mydomain.lan, MYDOMAIN.LAN and MYDOMAIN with the values of your domain:
samba-tool domain join mydomain.lan DC -U administrator --realm=MYDOMAIN.LAN -W MYDOMAIN
Modify /etc/resolv.conf so that DNS resolution points to the host itself:
nameserver 127.0.0.1
In /etc/samba/smb.conf, add the DNS forwarder:
[global]
    ...
    dns forwarder = 8.8.8.8
    ...
Activate the automatic start of the AD service:
systemctl disable winbind nmbd smbd
systemctl mask winbind nmbd smbd
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
Point your Kerberos to the correct configuration file:
Hint
By default, Samba-AD provisioning creates an example krb5.conf file in the directory /var/lib/samba/private. This file is used by default by some Samba calls. It is best to replace it with a symbolic link to /etc/krb5.conf to avoid some side effects:
rm /var/lib/samba/private/krb5.conf
ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
Restart Samba:
pkill -9 smbd
pkill -9 nmbd
pkill -9 winbindd
systemctl restart samba-ad-dc
Check that the DNS entries have been created:
samba_dnsupdate --verbose --use-samba-tool
Configuring SYSVOL
Graphically, you can retrieve the content of \\srvads\sysvol from srvads1 and copy it to srvads2 from a Windows workstation as Domain Administrator. Or, with command lines, on srvads2 run:
rsync -aP root@srvads1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/
Then reset the ACL on SYSVOL, and check the ACLs (it should return nothing if OK):
samba-tool ntacl sysvolreset
samba-tool ntacl sysvolcheck
Hint
While waiting for the development of a DFS-R officially supported by Samba-team, Tranquil IT proposes the tis-sysvolsync tool to synchronize SYSVOL shares between Samba domain controllers.
Validating the new installation
Check the status of the replications with samba-tool drs showrepl. The replicas may take a few minutes to set up. Once the replicas are correct (5 Inbound replications and 5 Outbound replications), you can proceed to the following checks.
Test the DNS connection from the DNS Active Directory console.
Test the connection with the Users and Computers Active Directory console.
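Counting the five inbound and five outbound entries by eye is error-prone, and a partner with a non-zero consecutive failure count still shows up as an entry. The script below is an added example, not part of the Tranquil IT documentation: it reads a samba-tool drs showrepl transcript from stdin and exits non-zero unless both sections list exactly 5 partitions with zero consecutive failures. The transcript generated by sample_showrepl is constructed for the test; its section headers and the "via RPC" and "consecutive failure(s)" lines follow the layout showrepl prints, which is an assumption you should confirm against your own output.

```shell
#!/bin/sh
# Added example (not from the Tranquil IT documentation): parse the output of
# `samba-tool drs showrepl` and check for 5 inbound + 5 outbound healthy
# replication partners, as the documentation asks for before going further.

EXPECTED_PARTITIONS=5   # domain, Configuration, Schema, DomainDnsZones, ForestDnsZones

# summarize_showrepl < transcript  ->  "inbound=N outbound=N failures=N"
summarize_showrepl() {
    awk '
        /==== INBOUND NEIGHBORS ====/      { section = "in";  next }
        /==== OUTBOUND NEIGHBORS ====/     { section = "out"; next }
        /==== KCC CONNECTION OBJECTS ====/ { section = "kcc"; next }
        / via RPC/ {                       # one line per partition per partner
            if (section == "in")  inbound++
            if (section == "out") outbound++
        }
        /consecutive failure\(s\)/ {       # line reads "<n> consecutive failure(s)."
            if ($1 + 0 > 0) failures++
        }
        END { printf "inbound=%d outbound=%d failures=%d\n", inbound + 0, outbound + 0, failures + 0 }
    '
}

# check_showrepl < transcript  ->  0 when replication is healthy, 1 otherwise
check_showrepl() {
    summary=$(summarize_showrepl)
    inbound=${summary#inbound=};    inbound=${inbound%% *}
    outbound=${summary#*outbound=}; outbound=${outbound%% *}
    failures=${summary#*failures=}
    [ "$inbound" -eq "$EXPECTED_PARTITIONS" ] &&
    [ "$outbound" -eq "$EXPECTED_PARTITIONS" ] &&
    [ "$failures" -eq 0 ]
}

# sample_showrepl FAILURES: constructed transcript of srvads2 replicating with srvads1,
# reporting FAILURES consecutive failures for every partition.
sample_showrepl() {
    fails=$1
    for section in INBOUND OUTBOUND; do
        printf '==== %s NEIGHBORS ====\n\n' "$section"
        for nc in 'DC=mydomain,DC=lan' 'CN=Configuration,DC=mydomain,DC=lan' \
                  'CN=Schema,CN=Configuration,DC=mydomain,DC=lan' \
                  'DC=DomainDnsZones,DC=mydomain,DC=lan' 'DC=ForestDnsZones,DC=mydomain,DC=lan'; do
            printf '%s\n\tDefault-First-Site-Name\\SRVADS1 via RPC\n' "$nc"
            printf '\t\t%s consecutive failure(s).\n\n' "$fails"
        done
    done
    printf '==== KCC CONNECTION OBJECTS ====\n\nConnection --\n\tConnection name: constructed\n'
}

case "${1:-}" in
    check) check_showrepl && echo "replication healthy" ;;   # samba-tool drs showrepl | sh check_showrepl.sh check
    demo)  sample_showrepl "${2:-0}" | check_showrepl && echo "sample transcript healthy" ;;
esac
```

On the new DC run `samba-tool drs showrepl | sh check_showrepl.sh check`; rerun it a few times while the replicas are still being set up, and treat a persistent non-zero exit as a reason to inspect the full showrepl output rather than continuing with the console checks.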
Configuring signed NTP
Configure the NTP by following the NTP service configuration documentation with Samba.
Configuring Bind-DLZ
Before going into production, the internal Samba DNS must be replaced by the Bind-DLZ module. To do this, follow the documentation to integrate Samba with Bind9.
Great, if you have made it this far, then everything went well and you have a new operational secondary domain controller.