Installing and configuring Samba-AD on RHEL and derivatives

Note

EnterpriseLinux8 distribution and derivatives do not embed Samba-AD packages. Indeed Samba-AD relies on Heimdal Kerberos for Active Directory support while RedHat only distributes and supports products based on Kerberos-MIT.

Note

Tranquil IT RPMs are currently validated for Redhat7, Redhat8 and Redhat9 (and derivatives like CentOS, AlmaLinux, OracleLinux, etc.).

If you want to stick to a community supported derivative of Redhat, we recommand to use AlmaLinux8.4 which we are currently using for building and testing.

Choosing the DNS suffix for the domain

For the choice of the domain name, there are two options:

Use a DNS suffix ending in .lan, for example mydomain.lan.
Use a sub-domain of a public domain you own, for example ad.mycompany.com.

Attention

In any case it is absolutely necessary to avoid suffixes in .local because this suffix has been appropriated by Apple for its Bonjour protocol / mDNS.

In the instructions below, the domain name will be mydomain.lan which you will replace with the domain name of your choice.

Installing the RedHat8 or derivative server

To install a new Redhat8 (physical or virtual machine) without a GUI and only with the SSH service installed (minimal type installation), use this procedure for Redhat.

This documentation is also valid for a RedHat7 host.

Note

We recommend the installation of Samba-AD on Linux (Debian or RedHat8 or derivative), configured according to the ANSSI Recommendations for configuring a GNU / Linux system.

Note

Make sure you don’t have dependencies to SSSD.

Configuring the network functions of your server

Configuring the DNS name

Hint

The name of your new Samba-AD server must not exceed 15 characters (limit linked to sAMAccountName in Active Directory). In this documentation we will use the name srvads.

The server name must be a FQDN name, i.e. the concatenation of the machine name and the DNS suffix.

Modify the file /etc/hostname and fill in the FQDN name of the server:
```
srvads.mydomain.lan
```
Edit /etc/hosts, fill in the name FQDN and the short name of the server.

Hint

On the line corresponding to the IP address of the Samba-AD server put first the FQDN name, then the short name.
Do not modify the line(s) containing the term localhost:

# /etc/hosts of the Samba-AD server
10.0.0.10 srvads.mydomain.lan srvads

Configuring the IP address of your server

Modify the file /etc/sysconfig/network-scripts/ifcfg-eth0 and set a static IP address. The file to modify can be different, for example ifcfg-ens0:

# /etc/sysconfig/network-scripts/ifcfg-eth0 du serveur Samba-AD
TYPE="Ethernet"
BOOTPROTO="static"
NAME="eth0"
ONBOOT="yes"
IPADDR=10.0.0.10
NETMASK=255.255.255.0
GATEWAY=10.0.0.254
DNS1=10.0.0.1

Apply the network configuration by rebooting the machine with a reboot.

Hint

If you have a corporate proxy.

To add the proxy to install Yum packages, add the following lines at the end of /etc/yum.conf adapting them to your context:

proxy=http://proxy.mydomain.lan:3128
#proxy_username=
#proxy_password=

To configure the proxy for the different commands of the root user, add the following lines at the end of /root/.bashrc:

export http_proxy=http://proxy.mydomain.lan:3128
export https_proxy=http://proxy.mydomain.lan:3128
export ftp_proxy=http://proxy.mydomain.lan:3128
#export no_proxy=.lan,.local

To take this change into account immediately, do source /root/.bashrc.

Configuring the security of your server

After the reboot, set the system language to English to make it easier to find problems in the logs:
```
localectl set-locale LANG=en_US.utf8
localectl status
```
Ensure that SELinux is deactivated:
```
vi /etc/selinux/config
```
Then in the file, replace the current value by (beware, you have to modify the line SELINUX= and not the line SELINUXTYPE=!):
```
SELINUX=disabled
```
After reboot, check that SELinux is disabled, the sestatus command should return:
```
SELinux status: disabled
```

Configure firewall rules to open the ports necessary for Samba-AD to work:

systemctl start firewalld
systemctl enable firewalld
firewall-cmd --zone=public --add-port=53/tcp --add-port=53/udp --permanent
firewall-cmd --zone=public --add-port=88/tcp --add-port=88/udp --permanent
firewall-cmd --zone=public --add-port=135/tcp --permanent
firewall-cmd --zone=public --add-port=389/tcp --add-port=389/udp --permanent
firewall-cmd --zone=public --add-port=445/tcp --permanent
firewall-cmd --zone=public --add-port=464/tcp --add-port=464/udp --permanent
firewall-cmd --zone=public --add-port=636/tcp --permanent
firewall-cmd --zone=public --add-port=3268/tcp --permanent
firewall-cmd --zone=public --add-port=3269/tcp --permanent
firewall-cmd --zone=public --add-port=50000-51000/tcp --permanent
firewall-cmd --zone=public --add-port=49152-65535/tcp --permanent
systemctl restart firewalld

Disable avahi-daemon (mDNS protocol / bonjour):

systemctl stop avahi-daemon.service avahi-daemon.socket
systemctl disable avahi-daemon.service avahi-daemon.socket

Adding useful tools for your server

Update the distribution and install the EPEL repository and some essential tools:

yum update -y
yum install -y epel-release
yum install -y wget sudo screen nmap telnet tcpdump rsync net-tools bind-utils htop

subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
yum install -y wget sudo screen nmap telnet tcpdump rsync net-tools bind-utils htop

You can now go to the next step and install Samba-AD on your RedHat8 or derivative distribution.

Packages of the latest version 4.19 validated by the Tranquil IT team can be downloaded from the url https://samba.tranquil.it/redhat8/samba-4.19/. When it will be necessary to upgrade to Samba-4.19, just change the repository url to https://samba.tranquil.it/redhat8/samba-4.19/ and follow the upgrade notes on the upgrade page.

Retrieve the RPM signature key and configure a YUM repository:

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-7
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7

echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat7/samba-4.19/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8" > /etc/yum.repos.d/tissamba.repo

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-8
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8

echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat8/samba-4.19/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8" > /etc/yum.repos.d/tissamba.repo

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-9
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9

echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat9/samba-4.19/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9" > /etc/yum.repos.d/tissamba.repo

Verify the key fingerprint with sha256sum:

# For RHEL7 / RHEL8 :
sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
    b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11 /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8

# For RHEL9 :
sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
    05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8

Install the Samba-AD packages for RedHat8 and derivative distributions:

yum install -y samba samba-dc samba-winbind samba-winbind-clients krb5-workstation ldb-tools bind chrony bind-utils samba-client

Instantiating the Active Directory Samba domain

Configuring Kerberos

Modify the file /etc/krb5.conf and replace all its contents by the 4 following lines by specifying the Active Directory domain of your organization (here MYDOMAIN.LAN):

Attention

The default_realm must absolutely be written in UPPERCASE LETTERS!!

[libdefaults]
  default_realm = MYDOMAIN.LAN
  dns_lookup_kdc = false
  dns_lookup_realm = false

[realms]
  MYDOMAIN.LAN = {
  kdc = 127.0.0.1
  }

Configuring Samba

Delete the file /etc/samba/smb.conf if it has already been generated (it will be regenerated by the instantiation command):
```
rm -f /etc/samba/smb.conf
```
Configure Samba with the role of domain controller. In the following line, you will think about changing both the name of the kerberos kingdom, and the short name of the domain (netbios name):
```
samba-tool domain provision --realm=MYDOMAIN.LAN --domain MYDOMAIN --server-role=dc
```

Reset the administrator password:

samba-tool user setpassword administrator

Check the line dns forwarder = xxx.xxx.xxx in your /etc/samba/smb.conf. It must point to a valid DNS server, e.g.:
```
dns forwarder = 1.1.1.1
```
Reconfigure the DNS resolution for the local machine. In the /etc/sysconfig/network-scripts/ifcfg-xxxx file of the network interface, replace the following line:
```
DNS1=127.0.0.1
```
Restart NetworkManager to take into account the changes and check that the resolver has been reported in /etc/resolv.conf:
```
systemctl restart NetworkManager
```
The Samba domain creation script creates an unnecessary /var/lib/samba/private/krb5.conf file. It must be removed and replaced by a symbolic link to the /etc/krb5.conf file:
```
rm -f /var/lib/samba/private/krb5.conf
ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
```
Activate Samba so that it starts automatically at the next reboot:
```
systemctl enable samba
systemctl start samba
```
Reboot the machine with a reboot to verify that Samba reboots:
```
reboot
```
After rebooting, test that the kerberos is properly configured and that you get a TGT. Type the password for the administrator account you defined above with the command samba-tool setpassword. If it does not return anything or you get a message about the password expiration, it is fine).
```
kinit administrator
klist
```
Attention

Samba-AD made the wise choice not to implement the translation of system accounts. The default Administrator is therefore administrator in English.

Test the DNS:

dig @localhost google.fr
dig @localhost srvads.mydomain.lan
dig -t SRV @localhost _ldap._tcp.mydomain.lan

Validating the new installation with a Windows client

You can now join a Windows client in your new domain.

To manage your new domain, the management interfaces must be installed on a Windows workstation. The Samba command line is efficient for many administrative tasks, and the RSAT graphical interfaces are a good complement to the command line.

To install the RSAT tools, follow the page on installing RSAT on your management machine.

Once RSAT is installed:

Create and delete a DNS record from the DNS Active Directory console.
Create and delete a user account or a machine account from the Users and Computers Active Directory console.
Create a new GPO.

Great, if you have made it this far, then everything is going well and you have a new Samba Active Directory domain up and running.

Now we will configure the DNS service in BindDLZ mode to improve the performance of your Samba-AD.