Installing and configuring Samba-AD on RHEL and derivatives

Note

EnterpriseLinux8 distributions and derivatives do not ship Samba-AD packages: Samba-AD relies on Heimdal Kerberos for Active Directory support, while RedHat only distributes and supports products based on Kerberos-MIT.

Note

Tranquil IT RPMs are currently validated for Redhat7, Redhat8 and Redhat9 (and derivatives like CentOS, AlmaLinux, OracleLinux, etc.).

If you want to stick to a community-supported derivative of Redhat, we recommend using AlmaLinux8.4, which we currently use for building and testing.

Choosing the DNS suffix for the domain

For the choice of the domain name, there are two options:

  • Use a DNS suffix ending in .lan, for example mydomain.lan.

  • Use a sub-domain of a public domain you own, for example ad.mycompany.com.

Attention

In any case it is absolutely necessary to avoid suffixes in .local because this suffix has been appropriated by Apple for its Bonjour protocol / mDNS.

In the instructions below, the domain name will be mydomain.lan which you will replace with the domain name of your choice.

Installing the RedHat8 or derivative server

To install a new Redhat8 (physical or virtual machine) without a GUI and only with the SSH service installed (minimal type installation), use this procedure for Redhat.

This documentation is also valid for a RedHat7 host.

Note

We recommend the installation of Samba-AD on Linux (Debian or RedHat8 or derivative), configured according to the ANSSI Recommendations for configuring a GNU / Linux system.

Note

Make sure you don’t have dependencies on SSSD.

Configuring the network functions of your server

Configuring the DNS name

Hint

The name of your new Samba-AD server must not exceed 15 characters (limit linked to sAMAccountName in Active Directory). In this documentation we will use the name srvads.

The server name must be a FQDN name, i.e. the concatenation of the machine name and the DNS suffix.

  • Modify the file /etc/hostname and fill in the FQDN name of the server:

    srvads.mydomain.lan
    
  • Edit /etc/hosts and fill in the FQDN and the short name of the server.

Hint

  • On the line corresponding to the IP address of the Samba-AD server put first the FQDN name, then the short name.

  • Do not modify the line(s) containing the term localhost:

# /etc/hosts of the Samba-AD server
10.0.0.10 srvads.mydomain.lan srvads
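
The naming rules above (machine name of at most 15 characters, no .local suffix, FQDN before the short name in /etc/hosts) can be checked before provisioning. The script below is an added example, not part of the original procedure; check_fqdn and check_hosts are hypothetical helper names, and the sample hosts file is constructed from the values used in this documentation.

```shell
#!/bin/sh
# Added example: pre-flight check of this page's naming rules.
# check_fqdn and check_hosts are hypothetical helper names.

# check_fqdn FQDN -> prints "ok" or the first rule that is broken
check_fqdn() {
    short=${1%%.*}
    suffix=$(printf '%s' "${1#*.}" | tr 'A-Z' 'a-z')
    # A name without a dot (or with an empty part) is not an FQDN.
    case "$1" in
        *.*) [ -n "$short" ] && [ -n "$suffix" ] || { echo "not-fqdn"; return 1; } ;;
        *)   echo "not-fqdn"; return 1 ;;
    esac
    # Machine name limit linked to sAMAccountName.
    [ "${#short}" -le 15 ] || { echo "name-too-long"; return 1; }
    # .local is used by mDNS / Bonjour.
    case "$suffix" in
        local|*.local) echo "local-suffix"; return 1 ;;
    esac
    echo "ok"
}

# check_hosts FILE IP FQDN -> "ok" when the line for IP lists the FQDN
# first and the short name second; "bad-order" or "missing" otherwise.
check_hosts() {
    awk -v ip="$2" -v fqdn="$3" '
        /^[[:space:]]*#/ { next }
        $1 == ip {
            split(fqdn, part, ".")
            print (($2 == fqdn && $3 == part[1]) ? "ok" : "bad-order")
            found = 1
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample input matching the example values of this page.
demo_hosts=$(mktemp)
printf '127.0.0.1 localhost\n10.0.0.10 srvads.mydomain.lan srvads\n' > "$demo_hosts"
echo "fqdn:  $(check_fqdn srvads.mydomain.lan)"
echo "hosts: $(check_hosts "$demo_hosts" 10.0.0.10 srvads.mydomain.lan)"
rm -f "$demo_hosts"
```

On the real server, point check_hosts at /etc/hosts with the server's own IP address and FQDN.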

Configuring the IP address of your server

  • Modify the file /etc/sysconfig/network-scripts/ifcfg-eth0 and set a static IP address. The file to modify can be different, for example ifcfg-ens0:

    # /etc/sysconfig/network-scripts/ifcfg-eth0 of the Samba-AD server
    TYPE="Ethernet"
    BOOTPROTO="static"
    NAME="eth0"
    ONBOOT="yes"
    IPADDR=10.0.0.10
    NETMASK=255.255.255.0
    GATEWAY=10.0.0.254
    DNS1=10.0.0.1
    
  • Apply the network configuration by rebooting the machine with the reboot command.

Hint

If you have a corporate proxy:

To use the proxy when installing Yum packages, add the following lines at the end of /etc/yum.conf, adapting them to your context:

proxy=http://proxy.mydomain.lan:3128
#proxy_username=
#proxy_password=

To configure the proxy for the different commands of the root user, add the following lines at the end of /root/.bashrc:

export http_proxy=http://proxy.mydomain.lan:3128
export https_proxy=http://proxy.mydomain.lan:3128
export ftp_proxy=http://proxy.mydomain.lan:3128
#export no_proxy=.lan,.local

To take this change into account immediately, run source /root/.bashrc.

Configuring the security of your server

  • After the reboot, set the system language to English to make it easier to find problems in the logs:

    localectl set-locale LANG=en_US.utf8
    localectl status
    
  • Ensure that SELinux is deactivated:

    vi /etc/selinux/config
    

    Then, in the file, replace the current value with the following (beware: the line to modify is SELINUX=, not SELINUXTYPE=):

    SELINUX=disabled
    

    After a reboot, check that SELinux is disabled; the sestatus command should return:

    SELinux status: disabled
    
  • Configure firewall rules to open the ports necessary for Samba-AD to work:

    systemctl start firewalld
    systemctl enable firewalld
    firewall-cmd --zone=public --add-port=53/tcp --add-port=53/udp --permanent
    firewall-cmd --zone=public --add-port=88/tcp --add-port=88/udp --permanent
    firewall-cmd --zone=public --add-port=135/tcp --permanent
    firewall-cmd --zone=public --add-port=389/tcp --add-port=389/udp --permanent
    firewall-cmd --zone=public --add-port=445/tcp --permanent
    firewall-cmd --zone=public --add-port=464/tcp --add-port=464/udp --permanent
    firewall-cmd --zone=public --add-port=636/tcp --permanent
    firewall-cmd --zone=public --add-port=3268/tcp --permanent
    firewall-cmd --zone=public --add-port=3269/tcp --permanent
    firewall-cmd --zone=public --add-port=50000-51000/tcp --permanent
    firewall-cmd --zone=public --add-port=49152-65535/tcp --permanent
    systemctl restart firewalld
    
  • Disable avahi-daemon (mDNS protocol / bonjour):

    systemctl stop avahi-daemon.service avahi-daemon.socket
    systemctl disable avahi-daemon.service avahi-daemon.socket
    

Adding useful tools for your server

  • Update the distribution and install the EPEL repository and some essential tools (subscription-manager commands are only available on RedHat distros, not on derivatives):

yum update -y
yum install -y epel-release
yum install -y wget sudo screen nmap telnet tcpdump rsync net-tools bind-utils htop

You can now go to the next step and install Samba-AD on your RedHat8 or derivative distribution.

Packages of the latest version 4.20 validated by the Tranquil IT team can be downloaded from the url https://samba.tranquil.it/redhat9/samba-4.20/.

When you need to upgrade to Samba-4.21, just change the repository url to https://samba.tranquil.it/redhat9/samba-4.21/ and follow the upgrade notes on the upgrade page.

  • Retrieve the RPM signature key and configure a YUM repository:

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-7
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7

echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat7/samba-4.20/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8" > /etc/yum.repos.d/tissamba.repo

  • Verify the key fingerprint with sha256sum:

    # For RHEL7 / RHEL8:
    sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
        b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11 /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
    
    # For RHEL9:
    sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
        05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
    
  • Install the Samba-AD packages for RedHat9 and derivative distributions:

    yum --enablerepo=crb install -y samba samba-dc samba-winbind samba-winbind-clients krb5-workstation ldb-tools bind chrony bind-utils samba-client python3-markdown
    

    Warning

    --enablerepo=crb will only work with derivative distros. If you are using a RedHat distro, please use the following command to enable crb repo:

    subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
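
The key retrieval and sha256sum check from the steps above can be combined so that a key file is imported only when its digest matches the value published on this page. This is an added example, not part of the original procedure; the function names are hypothetical, the digests are the two values printed above, and the download URL is passed as an argument rather than assumed.

```shell
#!/bin/sh
# Added example: check a downloaded key file against the SHA-256 published on
# this page before handing it to rpm --import. Function names are hypothetical.

# SHA-256 values copied from this page, keyed by the key file's suffix
# (the page lists key 8 for RHEL7 / RHEL8 and key 9 for RHEL9).
pinned_sha256() {
    case "$1" in
        8) echo b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11 ;;
        9) echo 05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a ;;
        *) return 1 ;;
    esac
}

# key_matches FILE EXPECTED_SHA256 -> exit 0 only on an exact digest match
key_matches() {
    [ -r "$1" ] || return 2
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# import_verified_key N URL: download to a temporary file, compare digests,
# and only then install the key file and import it into the RPM database.
import_verified_key() {
    n=$1
    want=$(pinned_sha256 "$n") || { echo "no pinned digest for key $n" >&2; return 1; }
    tmp=$(mktemp) || return 1
    wget -q -O "$tmp" "$2" || { rm -f "$tmp"; return 1; }
    if key_matches "$tmp" "$want"; then
        install -m 0644 "$tmp" "/etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-$n" &&
        rpm --import "/etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-$n"
        rc=$?
    else
        echo "digest mismatch for key $n, not importing" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage on the server (needs root and network access):
#   import_verified_key 9 <URL of RPM-GPG-KEY-TISSAMBA-9>
```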
    

Instantiating the Active Directory Samba domain

Configuring Kerberos

  • Modify the file /etc/krb5.conf and replace all its contents with the 4 following lines, specifying the Active Directory domain of your organization (here MYDOMAIN.LAN):

Attention

The default_realm must absolutely be written in UPPERCASE LETTERS!!

[libdefaults]
  default_realm = MYDOMAIN.LAN
  dns_lookup_kdc = false
  dns_lookup_realm = false

[realms]
  MYDOMAIN.LAN = {
    kdc = 127.0.0.1
  }

Configuring Samba

  • Delete the file /etc/samba/smb.conf if it has already been generated (it will be regenerated by the instantiation command):

    rm -f /etc/samba/smb.conf
    
  • Configure Samba with the role of domain controller. In the following line, remember to change both the name of the Kerberos realm and the short name of the domain (NetBIOS name):

    samba-tool domain provision --realm=MYDOMAIN.LAN --domain MYDOMAIN --server-role=dc
    
  • Reset the administrator password:

    samba-tool user setpassword administrator
    
  • Check the line dns forwarder = xxx.xxx.xxx in your /etc/samba/smb.conf. It must point to a valid DNS server, e.g.:

    dns forwarder = 1.1.1.1
    
  • Reconfigure the DNS resolution for the local machine. In the /etc/sysconfig/network-scripts/ifcfg-xxxx file of the network interface, replace the DNS1 line with the following:

    DNS1=127.0.0.1
    
  • Restart NetworkManager to take the changes into account and check that the new resolver appears in /etc/resolv.conf:

    systemctl restart NetworkManager
    
  • The Samba domain creation script creates an unnecessary /var/lib/samba/private/krb5.conf file. It must be removed and replaced by a symbolic link to the /etc/krb5.conf file:

    rm -f /var/lib/samba/private/krb5.conf
    ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
    
  • Activate Samba so that it starts automatically at the next reboot:

    systemctl enable samba
    systemctl start samba
    
  • Reboot the machine to verify that Samba starts again automatically:

    reboot
    
  • After rebooting, test that Kerberos is properly configured and that you get a TGT. Type the password for the administrator account you defined above with the command samba-tool user setpassword. If kinit does not return anything, or you get a message about the password expiration, it is fine.

    kinit administrator
    klist
    

    Attention

    Samba-AD made the wise choice not to implement the translation of system accounts. The default Administrator is therefore administrator in English.

  • Test the DNS:

    dig @localhost google.fr
    dig @localhost srvads.mydomain.lan
    dig -t SRV @localhost _ldap._tcp.mydomain.lan
    

Validating the new installation with a Windows client

You can now join a Windows client in your new domain.

To manage your new domain, the management interfaces must be installed on a Windows workstation. The Samba command line is efficient for many administrative tasks, and the RSAT graphical interfaces are a good complement to the command line.

To install the RSAT tools, follow the page on installing RSAT on your management machine.

Once RSAT is installed:

  • Create and delete a DNS record from the DNS Active Directory console.

  • Create and delete a user account or a machine account from the Users and Computers Active Directory console.

  • Create a new GPO.

Great, if you have made it this far, then everything is going well and you have a new Samba Active Directory domain up and running.

Now we will configure the DNS service in BindDLZ mode to improve the performance of your Samba-AD.