Installing and configuring Samba-AD on RHEL and derivatives
Note
Enterprise Linux 8 distributions and their derivatives do not ship Samba-AD (domain controller) packages: Samba-AD relies on Heimdal Kerberos for Active Directory support, while Red Hat only distributes and supports products built on MIT Kerberos. This is why the packages used below come from Tranquil IT's own repository.
Note
Tranquil IT RPMs are currently validated for RHEL 7, RHEL 8 and RHEL 9 (and derivatives such as CentOS, AlmaLinux, Oracle Linux, etc.).
If you want a community-supported Red Hat derivative, we recommend AlmaLinux 8.4, which we currently use for building and testing.
Choosing the DNS suffix for the domain
For the choice of the domain name, there are two options:
- Use a DNS suffix ending in .lan, for example mydomain.lan.
- Use a sub-domain of a public domain you own, for example ad.mycompany.com.
Attention
In any case, it is absolutely necessary to avoid the .local suffix: it is reserved for multicast DNS (RFC 6762) and used by Apple's Bonjour / mDNS, so clients may try to resolve .local names over mDNS instead of asking your domain controller.
In the instructions below, the domain name will be mydomain.lan, which you will replace with the domain name of your choice.
Installing the RedHat8 or derivative server
To install a new RHEL 8 server (physical or virtual machine) without a GUI and with only the SSH service (minimal installation), use the standard Red Hat installation procedure.
This documentation is also valid for a RHEL 7 host.
Note
We recommend installing Samba-AD on Linux (Debian, or RHEL 8 or a derivative), configured according to the ANSSI recommendations for configuring a GNU/Linux system.
Note
Make sure the server has no dependency on SSSD: a Samba-AD domain controller relies on winbind, and running SSSD on a Samba AD DC is not supported, so the sssd packages must not be installed or enabled on it.
Configuring the network functions of your server
Configuring the DNS name
Hint
The short name of your new Samba-AD server must not exceed 15 characters (the NetBIOS computer name limit, which Active Directory also enforces on the sAMAccountName of the computer account).
In this documentation we will use the name srvads.
The server name must be an FQDN, i.e. the concatenation of the machine name and the DNS suffix.
Modify the file /etc/hostname and fill in the FQDN of the server:
srvads.mydomain.lan
Edit /etc/hosts and fill in the FQDN and the short name of the server.
Hint
On the line corresponding to the IP address of the Samba-AD server, put the FQDN first, then the short name. Do not modify the line(s) containing the term localhost:
# /etc/hosts of the Samba-AD server
10.0.0.10 srvads.mydomain.lan srvads
Configuring the IP address of your server
Modify the file /etc/sysconfig/network-scripts/ifcfg-eth0 and set a static IP address. The file to modify may be named differently, for example ifcfg-ens0:
# /etc/sysconfig/network-scripts/ifcfg-eth0 of the Samba-AD server
TYPE="Ethernet"
BOOTPROTO="static"
NAME="eth0"
ONBOOT="yes"
IPADDR=10.0.0.10
NETMASK=255.255.255.0
GATEWAY=10.0.0.254
DNS1=10.0.0.1
For now DNS1 points at your existing DNS server; the domain provisioning step later copies this resolver into the dns forwarder setting of smb.conf, after which DNS1 is switched to 127.0.0.1.
Apply the network configuration by rebooting the machine.
Hint
If you have a corporate proxy:
To use the proxy when installing Yum packages, add the following lines at the end of /etc/yum.conf, adapting them to your context:
proxy=http://proxy.mydomain.lan:3128
#proxy_username=
#proxy_password=
If you have to set proxy_username and proxy_password, restrict the permissions of /etc/yum.conf, which is world-readable by default.
To configure the proxy for the commands of the root user, add the following lines at the end of /root/.bashrc:
export http_proxy=http://proxy.mydomain.lan:3128
export https_proxy=http://proxy.mydomain.lan:3128
export ftp_proxy=http://proxy.mydomain.lan:3128
#export no_proxy=.lan,.local
To apply this change immediately, run source /root/.bashrc.
Configuring the security of your server
After the reboot, set the system language to English to make it easier to find problems in the logs:
localectl set-locale LANG=en_US.utf8
localectl status
Ensure that SELinux is deactivated:
vi /etc/selinux/config
Then in the file, replace the current value with the following (beware, you have to modify the SELINUX= line and not the SELINUXTYPE= line!):
SELINUX=disabled
After reboot, check that SELinux is disabled; the sestatus command should return:
SELinux status: disabled
Note
Disabling SELinux removes a mandatory access control layer from the domain controller. If you only need to rule it out while troubleshooting, SELINUX=permissive keeps logging denials to /var/log/audit/audit.log without enforcing them. On RHEL 9, disabling SELinux through /etc/selinux/config alone is deprecated; Red Hat recommends the kernel parameter instead (grubby --update-kernel ALL --args selinux=0, then reboot).
Configure firewall rules to open the ports necessary for Samba-AD to work (53: DNS, 88: Kerberos, 135: RPC endpoint mapper, 389/636: LDAP/LDAPS, 445: SMB, 464: Kerberos password change, 3268/3269: global catalog, the two remaining ranges: dynamic RPC ports):
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --zone=public --add-port=53/tcp --add-port=53/udp --permanent
firewall-cmd --zone=public --add-port=88/tcp --add-port=88/udp --permanent
firewall-cmd --zone=public --add-port=135/tcp --permanent
firewall-cmd --zone=public --add-port=389/tcp --add-port=389/udp --permanent
firewall-cmd --zone=public --add-port=445/tcp --permanent
firewall-cmd --zone=public --add-port=464/tcp --add-port=464/udp --permanent
firewall-cmd --zone=public --add-port=636/tcp --permanent
firewall-cmd --zone=public --add-port=3268/tcp --permanent
firewall-cmd --zone=public --add-port=3269/tcp --permanent
firewall-cmd --zone=public --add-port=50000-51000/tcp --permanent
firewall-cmd --zone=public --add-port=49152-65535/tcp --permanent
systemctl restart firewalld
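After running the rules above, it is worth confirming that nothing was skipped. The following script is an added example, not part of the Tranquil IT documentation: it takes the space-separated list printed by firewall-cmd --zone=public --list-ports and reports which of the Samba-AD ports are still closed. The required list is the one from this page; the "open" list used below is a constructed sample standing in for a half-configured host, so the script runs without firewalld present.

```bash
#!/bin/bash
# Added example (not from the Tranquil IT page): compare the ports firewalld
# exposes in the public zone with the list a Samba-AD DC needs.
set -u

# Ports required by the page (the 50000-51000 range is a legacy extra, not checked here).
SAMBA_AD_PORTS="53/tcp 53/udp 88/tcp 88/udp 135/tcp 389/tcp 389/udp 445/tcp 464/tcp 464/udp 636/tcp 3268/tcp 3269/tcp 49152-65535/tcp"

# missing_ports "<required list>" "<open list>":
# prints every required entry absent from the open list, one per line,
# and returns 0 only when nothing is missing.
missing_ports() {
    local required="$1" port missing=""
    local open=" $(printf '%s ' $2)"       # normalise whitespace, pad with spaces
    for port in $required; do
        case "$open" in
            *" $port "*) ;;                # exact entry present
            *) missing="$missing $port" ;;
        esac
    done
    missing="${missing# }"
    [ -n "$missing" ] && printf '%s\n' $missing
    [ -z "$missing" ]
}

# Constructed sample: what --list-ports might print before all rules were added.
SAMPLE_OPEN="53/tcp 53/udp 88/tcp 88/udp 389/tcp 389/udp 445/tcp 636/tcp"

if missing_ports "$SAMBA_AD_PORTS" "$SAMPLE_OPEN"; then
    echo "all Samba-AD ports are open"
else
    echo "add each port listed above with: firewall-cmd --zone=public --add-port=<port> --permanent"
fi

# On the real DC:
# missing_ports "$SAMBA_AD_PORTS" "$(firewall-cmd --zone=public --list-ports)"
```

The check is an exact match on firewalld entries, so a port covered only by a wider range is reported as missing; that is deliberate, since the page adds each port explicitly. Note also that --zone=public opens these ports to every source: if the DC only serves one LAN, restrict the zone's sources or use rich rules instead of leaving Kerberos, LDAP and SMB reachable from everywhere.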
Disable avahi-daemon (mDNS / Bonjour protocol):
systemctl stop avahi-daemon.service avahi-daemon.socket
systemctl disable avahi-daemon.service avahi-daemon.socket
Adding useful tools for your server
Update the distribution, install the EPEL repository and a few essential tools. On a Red Hat derivative (CentOS, AlmaLinux, Oracle Linux, etc.), EPEL is available as a package:
yum update -y
yum install -y epel-release
yum install -y wget sudo screen nmap telnet tcpdump rsync net-tools bind-utils htop
On Red Hat itself (subscription-manager commands only exist on RHEL, not on derivatives), enable the CodeReady Builder repository and install EPEL from its release RPM (replace 9 with 8 on RHEL 8):
subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
yum install -y wget sudo screen nmap telnet tcpdump rsync net-tools bind-utils htop
You can now go to the next step and install Samba-AD on your Red Hat or derivative distribution.
Packages of the latest version, 4.20, validated by the Tranquil IT team can be downloaded from https://samba.tranquil.it/redhat9/samba-4.20/ (replace redhat9 with redhat7 or redhat8 to match your release).
When it becomes necessary to upgrade to Samba 4.21, change the repository URL to https://samba.tranquil.it/redhat9/samba-4.21/ and follow the upgrade notes on the upgrade page.
Retrieve the RPM signature key, verify its checksum (see below) before importing it, and configure a YUM repository. Use only the block matching your release; each one writes /etc/yum.repos.d/tissamba.repo with gpgcheck=1 so that every package is checked against the key.
On RHEL 7 and derivatives:
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-7
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7
echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat7/samba-4.20/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7" > /etc/yum.repos.d/tissamba.repo
On RHEL 8 and derivatives:
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-8
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat8/samba-4.20/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8" > /etc/yum.repos.d/tissamba.repo
On RHEL 9 and derivatives:
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-9
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat9/samba-4.20/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9" > /etc/yum.repos.d/tissamba.repo
Verify the checksum of the downloaded key with sha256sum. The digest must match the value below; a mismatch means the file was altered or truncated in transit and it must not be imported:
# For RHEL 8:
sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11 /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
# For RHEL 9:
sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
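The order of the commands above matters: the key should be verified before rpm --import trusts it, not after. The script below is an added example, not part of the Tranquil IT documentation. It wraps the download, the sha256sum comparison, the import and the repo file creation into functions so the import only happens when the digest matches, and the repository file is always written with gpgcheck=1. The wget and rpm calls are left for the real host; the demonstration at the bottom exercises the helpers on a constructed file whose digest is known.

```bash
#!/bin/bash
# Added example (not from the Tranquil IT page): verify-before-import helpers
# for the repository signing key and the tis-samba repo file.
set -u

sha256_of() {   # print the hex SHA-256 digest of a file
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 <file> <expected-hex>: 0 if the digest matches, 1 otherwise.
verify_sha256() {
    local actual
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# write_repo <repo-file> <baseurl> <keyfile>: repo definition that enforces
# package signature checks with the given key.
write_repo() {
    cat > "$1" <<EOF
[tis-samba]
name=tis-samba
baseurl=$2
gpgcheck=1
gpgkey=file://$3
EOF
}

# repo_enforces_gpgcheck <repo-file>: 0 only if gpgcheck=1 is set.
repo_enforces_gpgcheck() {
    grep -Eq '^gpgcheck=1$' "$1"
}

# install_key <url> <keyfile> <expected-sha256>: download, verify, then import.
# Only for the real host; the demo below never calls wget or rpm.
install_key() {
    wget -O "$2" "$1" || return 1
    if ! verify_sha256 "$2" "$3"; then
        echo "checksum mismatch for $2: key NOT imported" >&2
        rm -f "$2"
        return 1
    fi
    rpm --import "$2"
}

# Demo on a constructed file (contents "hello\n", digest known) so the helpers
# can be exercised offline.
DEMO_DIR=$(mktemp -d)
printf 'hello\n' > "$DEMO_DIR/fake.key"
DEMO_SHA=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
verify_sha256 "$DEMO_DIR/fake.key" "$DEMO_SHA" && echo "demo digest matches"
write_repo "$DEMO_DIR/tissamba.repo" https://samba.tranquil.it/redhat9/samba-4.20/ /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
repo_enforces_gpgcheck "$DEMO_DIR/tissamba.repo" && echo "repo enforces gpgcheck"

# Real use on RHEL 9 (digest taken from the page):
# install_key https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-9 \
#     /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9 \
#     05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a
# write_repo /etc/yum.repos.d/tissamba.repo https://samba.tranquil.it/redhat9/samba-4.20/ /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
```

A digest published on the same site as the key only protects against corruption and against a substituted download, not against a compromise of that site; if you need stronger assurance, compare the key's GPG fingerprint (rpm -q gpg-pubkey --qf '%{SUMMARY}\n' after import) with one obtained out of band from Tranquil IT.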
Install the Samba-AD packages for RHEL 9 and derivative distributions:
yum --enablerepo=crb install -y samba samba-dc samba-winbind samba-winbind-clients krb5-workstation ldb-tools bind chrony bind-utils samba-client python3-markdown
Warning
--enablerepo=crb only works on derivative distributions. On Red Hat itself, enable the CodeReady Builder repository first with:
subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
On RHEL 8 derivatives the equivalent repository is named powertools (--enablerepo=powertools).
Instantiating the Active Directory Samba domain
Configuring Kerberos
Modify the file /etc/krb5.conf and replace all its contents with the following lines, specifying the Active Directory realm of your organization (here MYDOMAIN.LAN):
Attention
The default_realm must absolutely be written in UPPERCASE LETTERS!
[libdefaults]
default_realm = MYDOMAIN.LAN
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
MYDOMAIN.LAN = {
kdc = 127.0.0.1
}
Configuring Samba
Delete the file /etc/samba/smb.conf if it has already been generated (it will be regenerated by the provisioning command):
rm -f /etc/samba/smb.conf
Provision Samba with the domain controller role. In the following line, remember to change both the Kerberos realm and the short name of the domain (NetBIOS name). The command prompts for the Administrator password:
samba-tool domain provision --realm=MYDOMAIN.LAN --domain MYDOMAIN --server-role=dc
Reset the administrator password:
samba-tool user setpassword administrator
Check the line dns forwarder = xxx.xxx.xxx in your /etc/samba/smb.conf (provisioning fills it from the nameserver found in /etc/resolv.conf). It must point to a valid DNS server, e.g.:
dns forwarder = 1.1.1.1
Reconfigure DNS resolution for the local machine. In the /etc/sysconfig/network-scripts/ifcfg-xxxx file of the network interface, replace the DNS1 line with:
DNS1=127.0.0.1
Restart NetworkManager to apply the change and check that the resolver now appears in /etc/resolv.conf:
systemctl restart NetworkManager
The domain provisioning creates an unnecessary /var/lib/samba/private/krb5.conf file. Remove it and replace it with a symbolic link to /etc/krb5.conf:
rm -f /var/lib/samba/private/krb5.conf
ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
Enable Samba so that it starts automatically at the next reboot, and start it:
systemctl enable samba
systemctl start samba
Reboot the machine to verify that Samba starts on its own:
reboot
After rebooting, test that Kerberos is properly configured and that you obtain a TGT. Type the password of the administrator account you set above with samba-tool user setpassword. If kinit returns nothing, or only a message about password expiration, it is fine; klist must then show a krbtgt/MYDOMAIN.LAN@MYDOMAIN.LAN ticket:
kinit administrator
klist
Attention
Samba-AD made the wise choice not to implement the localization of built-in accounts. The default Administrator account is therefore administrator, in English.
Test the DNS: an external name through the forwarder, the DC's own A record, and the _ldap SRV record that clients use to locate the domain controller:
dig @localhost google.fr
dig @localhost srvads.mydomain.lan
dig -t SRV @localhost _ldap._tcp.mydomain.lan
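Most failures at this stage come from one of the files edited in the previous sections: a hostname that is not an FQDN or exceeds 15 characters, a short name placed before the FQDN in /etc/hosts, a lowercase default_realm, a dns forwarder that loops back to 127.0.0.1, or a resolver still pointing at the old DNS server. The script below is an added example, not part of the Tranquil IT documentation: it turns the hostname, /etc/hosts, /etc/krb5.conf, smb.conf and /etc/resolv.conf requirements from the sections above into checks that can be run against the real files on the DC. The file contents used here are constructed samples for srvads.mydomain.lan / 10.0.0.10, so the script runs on any machine without Samba installed.

```bash
#!/bin/bash
# Added example (not from the Tranquil IT page): offline sanity checks for the
# files written while preparing and provisioning the Samba-AD DC.
set -u

# Short name at most 15 characters, name must be an FQDN, suffix must not be .local.
check_hostname() {   # $1 = FQDN, e.g. srvads.mydomain.lan
    local short="${1%%.*}"
    [ "$short" != "$1" ] || return 1        # no dot at all: not an FQDN
    [ "${#short}" -le 15 ] || return 1
    case "$1" in *.local) return 1 ;; esac
    return 0
}

# The DC's own line in /etc/hosts must read "<ip> <fqdn> <short>", FQDN first.
check_hosts() {      # $1 = hosts file, $2 = IP, $3 = FQDN
    local short="${3%%.*}" ip_re fqdn_re
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')      # escape dots for grep -E
    fqdn_re=$(printf '%s' "$3" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*${ip_re}[[:space:]]+${fqdn_re}[[:space:]]+${short}([[:space:]]|\$)" "$1"
}

# default_realm must be present, uppercase, and equal to the provisioned realm.
check_realm() {      # $1 = krb5.conf, $2 = expected realm (UPPERCASE)
    local realm
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$realm" ] || return 1
    case "$realm" in *[[:lower:]]*) return 1 ;; esac
    [ "$realm" = "$2" ]
}

# "dns forwarder" must be an IPv4 address and must not be the DC itself,
# otherwise every non-AD query loops back into Samba's internal DNS.
check_forwarder() {  # $1 = smb.conf
    local fwd
    fwd=$(sed -n 's/^[[:space:]]*dns forwarder[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    case "$fwd" in ""|127.*|localhost) return 1 ;; esac
    printf '%s' "$fwd" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# After the DNS1=127.0.0.1 change, resolv.conf must point at the DC itself.
check_resolver() {   # $1 = resolv.conf
    grep -Eq '^nameserver[[:space:]]+127\.0\.0\.1[[:space:]]*$' "$1"
}

# run_checks <fqdn> <ip> <hosts> <krb5.conf> <smb.conf> <resolv.conf> <realm>
# Reports every failing check and returns non-zero if any failed.
run_checks() {
    local failed=0
    check_hostname "$1"        || { echo "hostname: $1 is not a valid DC name";        failed=1; }
    check_hosts "$3" "$2" "$1" || { echo "$3: missing '$2 $1 ${1%%.*}' line";          failed=1; }
    check_realm "$4" "$7"      || { echo "$4: default_realm is not $7";               failed=1; }
    check_forwarder "$5"       || { echo "$5: dns forwarder missing or loops back";   failed=1; }
    check_resolver "$6"        || { echo "$6: nameserver is not 127.0.0.1";           failed=1; }
    return "$failed"
}

# Constructed samples standing in for the real files on srvads.
SAMPLES=$(mktemp -d)
printf '127.0.0.1 localhost\n10.0.0.10 srvads.mydomain.lan srvads\n' > "$SAMPLES/hosts"
printf '[libdefaults]\n\tdefault_realm = MYDOMAIN.LAN\n\tdns_lookup_kdc = false\n' > "$SAMPLES/krb5.conf"
printf '[global]\n\tdns forwarder = 1.1.1.1\n\tserver role = active directory domain controller\n' > "$SAMPLES/smb.conf"
printf 'search mydomain.lan\nnameserver 127.0.0.1\n' > "$SAMPLES/resolv.conf"

run_checks srvads.mydomain.lan 10.0.0.10 "$SAMPLES/hosts" "$SAMPLES/krb5.conf" \
    "$SAMPLES/smb.conf" "$SAMPLES/resolv.conf" MYDOMAIN.LAN && echo "all checks passed"

# On the DC itself:
# run_checks "$(hostname -f)" 10.0.0.10 /etc/hosts /etc/krb5.conf /etc/samba/smb.conf /etc/resolv.conf MYDOMAIN.LAN
```

The checks are deliberately strict about the things the page warns about rather than exhaustive: a .local suffix, a mixed-case realm or a forwarder of 127.0.0.1 each fail on their own, so a failing line names exactly which earlier step to revisit before rerunning kinit and dig.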
Validating the new installation with a Windows client
You can now join a Windows client in your new domain.
To manage your new domain, the management interfaces must be installed on a Windows workstation. The Samba command line is efficient for many administrative tasks, and the RSAT graphical interfaces are a good complement to the command line.
To install the RSAT tools, follow the page on installing RSAT on your management machine.
Once RSAT is installed:
Create and delete a DNS record from the DNS Active Directory console.
Create and delete a user account or a machine account from the Users and Computers Active Directory console.
Create a new GPO.
Great, if you have made it this far, then everything is going well and you have a new Samba Active Directory domain up and running.
Now we will configure the DNS service in BIND_DLZ mode to improve the performance of your Samba-AD.