Installing and configuring a Samba-AD RODC on Redhat or derivatives

Note

Enterprise Linux 8 distributions and their derivatives do not yet ship usable Samba-AD (domain controller) packages: Samba-AD relies on Heimdal Kerberos for its Active Directory support, while Red Hat only distributes and supports products built on MIT Kerberos.

Choosing the DNS suffix for the domain

For the choice of the domain name, there are two options:

  • Use a DNS suffix ending in .lan, for example mydomain.lan.

  • Use a sub-domain of a public domain you own, for example ad.mycompany.com.

Attention

In any case, never use a suffix in .local: that suffix is reserved for multicast DNS (RFC 6762) and is used by Apple's Bonjour protocol, so hosts with mDNS enabled resolve such names over multicast instead of asking your DNS servers.

In the instructions below, the domain name will be mydomain.lan which you will replace with the domain name of your choice.

Installing the RedHat8 or derivative server

To install a new Red Hat 8 machine (physical or virtual) without a GUI and with only the SSH service (minimal installation), follow the Red Hat installation procedure.

This documentation is also valid for a RedHat7 host.

Note

We recommend installing Samba-AD on Linux (Debian, or Red Hat 8 or a derivative) hardened according to the ANSSI recommendations for configuring a GNU/Linux system.

Note

Make sure nothing on the host depends on SSSD: the Samba-AD packages provide identity resolution through winbind, and the two should not coexist on a domain controller.

Configuring the network functions of your server

Configuring the DNS name

Hint

The name of your new Samba-AD server must not exceed 15 characters: this is the NetBIOS name length limit, and it is the name stored (with a trailing $) in the sAMAccountName of the computer account in Active Directory. In this documentation the RODC will be named srvrodc; srvads is the existing read-write domain controller it joins.

The server name must be a FQDN, i.e. the machine name followed by the DNS suffix.

  • Modify the file /etc/hostname and fill in the FQDN of the server:

    srvrodc.mydomain.lan
    
  • Edit /etc/hosts and fill in the FQDN and the short name of the server.

Hint

  • On the line corresponding to the IP address of the Samba-AD server put the FQDN first, then the short name.

  • Do not modify the line(s) containing the term localhost:

# /etc/hosts of the Samba-AD server
10.0.0.10 srvrodc.mydomain.lan srvrodc
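
The naming rules above (FQDN, short name of at most 15 characters, no .local suffix) are easy to get wrong and painful to fix after the join. The following pre-flight script is an added example written for this guide, not part of the Tranquil IT documentation or packages; it assumes the RODC is named srvrodc.mydomain.lan at 10.0.0.10 and only uses hostname and getent, which are present on a minimal install.

```shell
#!/bin/sh
# Pre-flight checks for the Samba-AD host name (added example, not
# Tranquil IT's code). Assumed names: srvrodc.mydomain.lan / 10.0.0.10.
# Run before editing /etc/hostname and /etc/hosts, then verify_host after.

# check_dc_fqdn NAME -> 0 if NAME is usable as a Samba-AD DC name, 1 otherwise.
# Rules: must be a FQDN (host.suffix), short name at most 15 characters
# (NetBIOS / sAMAccountName limit), no ".local" suffix, hostname characters only.
check_dc_fqdn() {
    fqdn=$1
    case "$fqdn" in
        *.*) ;;                                   # contains a DNS suffix
        *) echo "not a FQDN: $fqdn" >&2; return 1 ;;
    esac
    short=${fqdn%%.*}                             # part before the first dot
    if [ ${#short} -gt 15 ]; then
        echo "short name '$short' longer than 15 characters" >&2; return 1
    fi
    case "$fqdn" in
        *.local) echo ".local is reserved for mDNS: $fqdn" >&2; return 1 ;;
    esac
    case "$short" in
        *[!A-Za-z0-9-]*|-*|*-)
            echo "invalid hostname characters in '$short'" >&2; return 1 ;;
    esac
    return 0
}

# hosts_line IP FQDN -> the /etc/hosts line: IP, FQDN first, then short name.
hosts_line() {
    printf '%s %s %s\n' "$1" "$2" "${2%%.*}"
}

# verify_host -> 0 when the running system reports a valid FQDN and that
# FQDN resolves locally (from /etc/hosts, before any DNS is in place).
verify_host() {
    f=$(hostname -f) && check_dc_fqdn "$f" || return 1
    getent hosts "$f" | grep -qw "$f"
}

# Usage:
#   check_dc_fqdn srvrodc.mydomain.lan && hosts_line 10.0.0.10 srvrodc.mydomain.lan
#   verify_host   (after the reboot)
```

check_dc_fqdn rejects the three mistakes the text warns about and reports which one it hit on stderr; hosts_line produces exactly the line the hint above describes, so it can be appended to /etc/hosts with a redirection.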

Configuring the IP address of your server

  • Modify the file /etc/sysconfig/network-scripts/ifcfg-eth0 and set a static IP address. The file name depends on the interface name, for example ifcfg-ens0:

    # /etc/sysconfig/network-scripts/ifcfg-eth0 of the Samba-AD server
    TYPE="Ethernet"
    BOOTPROTO="static"
    NAME="eth0"
    ONBOOT="yes"
    IPADDR=10.0.0.10
    NETMASK=255.255.255.0
    GATEWAY=10.0.0.254
    DNS1=10.0.0.1
    
  • Apply the network configuration by rebooting the machine (reboot).

Hint

If you have a corporate proxy:

To add the proxy to install Yum packages, add the following lines at the end of /etc/yum.conf adapting them to your context:

proxy=http://proxy.mydomain.lan:3128
#proxy_username=
#proxy_password=

To configure the proxy for the different commands of the root user, add the following lines at the end of /root/.bashrc:

export http_proxy=http://proxy.mydomain.lan:3128
export https_proxy=http://proxy.mydomain.lan:3128
export ftp_proxy=http://proxy.mydomain.lan:3128
#export no_proxy=.lan,.local

To take this change into account immediately, do source /root/.bashrc.

Configuring the security of your server

  • After the reboot, set the system language to English to make it easier to find problems in the logs:

    localectl set-locale LANG=en_US.utf8
    localectl status
    
  • Ensure that SELinux is deactivated. Disabling SELinux removes a hardening layer from the host; if your security policy does not allow that, SELINUX=permissive is the less drastic alternative: Samba is not blocked, and AVC denials are still written to the audit log for review.

    vi /etc/selinux/config
    

    Then in the file, replace the current value (beware, you must modify the SELINUX= line and not the SELINUXTYPE= line!):

    SELINUX=disabled
    

    After the reboot, check that SELinux is disabled; the sestatus command should return:

    SELinux status: disabled
    
  • Configure firewall rules to open the ports necessary for Samba-AD to work. The 49152-65535/tcp range is Samba's default dynamic RPC port range (the 50000-51000 range sometimes listed separately is already inside it). Rules added with --permanent only become active after a reload, and --list-ports lets you verify the result:

    systemctl enable --now firewalld
    firewall-cmd --zone=public --add-port=53/tcp --add-port=53/udp --permanent
    firewall-cmd --zone=public --add-port=88/tcp --add-port=88/udp --permanent
    firewall-cmd --zone=public --add-port=135/tcp --permanent
    firewall-cmd --zone=public --add-port=389/tcp --add-port=389/udp --permanent
    firewall-cmd --zone=public --add-port=445/tcp --permanent
    firewall-cmd --zone=public --add-port=464/tcp --add-port=464/udp --permanent
    firewall-cmd --zone=public --add-port=636/tcp --permanent
    firewall-cmd --zone=public --add-port=3268/tcp --permanent
    firewall-cmd --zone=public --add-port=3269/tcp --permanent
    firewall-cmd --zone=public --add-port=49152-65535/tcp --permanent
    firewall-cmd --reload
    firewall-cmd --zone=public --list-ports
    
    
  • Disable avahi-daemon (mDNS protocol / bonjour):

    systemctl stop avahi-daemon.service avahi-daemon.socket
    systemctl disable avahi-daemon.service avahi-daemon.socket
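
Typing the firewall-cmd lines one by one is error-prone, and re-running them on an already configured host produces warnings rather than a clear answer. The script below is an added example for this guide, not Tranquil IT's code: it keeps the port list above in one place, opens only what is missing, reloads, and then fails loudly if anything is still closed. It assumes firewalld with the public zone; newer firewalld releases also ship a predefined samba-dc service (check with firewall-cmd --info-service=samba-dc), which can replace the port list if it is available on your version.

```shell
#!/bin/sh
# Idempotent firewalld setup for a Samba-AD DC (added example, not Tranquil
# IT's script). Port list as in the guide above; 49152-65535/tcp is Samba's
# default "rpc server dynamic port range" and already covers 50000-51000.

samba_dc_ports() {
    echo "53/tcp 53/udp 88/tcp 88/udp 135/tcp 389/tcp 389/udp 445/tcp 464/tcp 464/udp 636/tcp 3268/tcp 3269/tcp 49152-65535/tcp"
}

# missing_ports "<output of firewall-cmd --list-ports>" -> prints the ports
# from samba_dc_ports that are not in the given list (nothing if all present).
missing_ports() {
    open=" $1 "
    for p in $(samba_dc_ports); do
        case "$open" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# apply_samba_dc_ports [ZONE] -> opens the missing ports permanently in ZONE
# (default: public), reloads, and returns 1 if any port is still closed.
apply_samba_dc_ports() {
    zone=${1:-public}
    # Compare against the permanent configuration: a port open only at
    # runtime would be lost at the next reload.
    for p in $(missing_ports "$(firewall-cmd --zone="$zone" --permanent --list-ports)"); do
        firewall-cmd --zone="$zone" --permanent --add-port="$p"
    done
    firewall-cmd --reload
    # Final check against the live (runtime) rules.
    left=$(missing_ports "$(firewall-cmd --zone="$zone" --list-ports)")
    [ -z "$left" ] || { echo "still closed in zone $zone: $left" >&2; return 1; }
}

# Usage (as root): apply_samba_dc_ports public
```

Because missing_ports is a pure function of its input, the same helper doubles as an audit: feed it the output of firewall-cmd --list-ports from any DC and an empty result means the rule set matches this guide.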
    

Adding useful tools for your server

  • Update the distribution, then install the EPEL repository and some essential tools. CentOS, Rocky and Alma ship epel-release in their extras repository; on RHEL itself it is not in the base repositories and must be installed from https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm:

yum update -y
yum install -y epel-release
yum install -y wget sudo screen nmap telnet tcpdump rsync net-tools bind-utils htop

You can now go to the next step and install Samba-AD on your RedHat8 or derivative distribution.

Packages of the latest version validated by the Tranquil IT team, currently Samba 4.19, can be downloaded from https://samba.tranquil.it/redhat8/samba-4.19/. When you later need to upgrade to a newer validated version, change the repository URL to that version's directory and follow the upgrade notes on the upgrade page.

  • Retrieve the RPM signing key for your release (key files are named after the EL major version) and check its SHA-256 digest before importing it. The digests below are the ones published for each key file; if the digest of the file you downloaded differs, do not import it:

    # For RHEL7 / RHEL8 :
    wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-8
    sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
        b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11 /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
    
    # For RHEL9 :
    wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-9
    sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
        05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
    
  • Import the verified key and configure the YUM repository. The baseurl below is the RedHat8 one; on RHEL7 or RHEL9 use the redhat7 or redhat9 directory and the matching key file. Keep gpgcheck=1 so that yum refuses packages not signed by that key:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8

echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat8/samba-4.19/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8" > /etc/yum.repos.d/tissamba.repo

  • Install the Samba-AD packages for RedHat8 and derivative distributions:

    yum install -y samba samba-dc samba-winbind samba-winbind-clients krb5-workstation ldb-tools bind chrony bind-utils samba-client
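
gpgcheck=1 protects the install, but it says nothing about packages already present or pulled from another repository later. The script below is an added example for this guide, not Tranquil IT's code: it reads the Signature line of rpm -qi for every installed samba* package and checks that each one is signed, optionally by one specific key. It assumes the key was imported with rpm --import, which registers it as a gpg-pubkey-XXXXXXXX-... pseudo-package whose XXXXXXXX is the low 32 bits of the key ID; the sample Signature line and key IDs in the comments are constructed.

```shell
#!/bin/sh
# Supply-chain check after "yum install" (added example, not Tranquil IT's
# code): verify that installed samba* packages carry an RPM signature and,
# optionally, that it comes from the expected key.

# rpm_key_id "<Signature line value>" -> 16-hex-digit key ID in lower case,
# or nothing for "(none)". rpm -qi prints the value as, for example
# (constructed): "RSA/SHA256, Mon 01 Jan 2024 10:00:00 AM UTC, Key ID 0123456789abcdef"
rpm_key_id() {
    printf '%s\n' "$1" | sed -n 's/.*Key ID \([0-9A-Fa-f]\{16\}\).*/\1/p' | tr 'A-F' 'a-f'
}

# signed_by KEYID16 EXPECTED8 -> 0 when the last 8 hex digits of KEYID16 equal
# EXPECTED8, the form shown by:  rpm -q gpg-pubkey   (gpg-pubkey-EXPECTED8-...)
signed_by() {
    [ "${1#????????}" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# check_samba_signatures [EXPECTED8] -> 0 if every samba* package is signed
# (by EXPECTED8 when given); offending packages are listed on stderr.
check_samba_signatures() {
    rc=0
    for pkg in $(rpm -qa 'samba*'); do
        sig=$(rpm -qi "$pkg" | sed -n 's/^Signature *: //p')
        kid=$(rpm_key_id "$sig")
        if [ -z "$kid" ]; then
            echo "UNSIGNED: $pkg" >&2; rc=1
        elif [ -n "$1" ] && ! signed_by "$kid" "$1"; then
            echo "WRONG KEY $kid: $pkg" >&2; rc=1
        fi
    done
    return $rc
}

# Usage:
#   rpm -q gpg-pubkey                # note the 8 hex digits after gpg-pubkey-
#   check_samba_signatures           # any key is accepted
#   check_samba_signatures 0123abcd  # only packages signed by that key pass
```

Run it again after every upgrade; a package that shows up as UNSIGNED or WRONG KEY was not installed from the verified repository and should be investigated before the domain controller is put back in service.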
    

Attention

For RODC support, you must use a version of Samba newer than 4.9. RODC support is broadly functional but not complete: it lacks NTLM authentication forwarding, so an NTLM logon by a user whose password hash has not been replicated to the RODC is not forwarded to a writable domain controller.

Setting up the RODC service

  • Configure /etc/resolv.conf so that it points to your read-write domain controller (nameserver = the IP address of srvads, with search mydomain.lan): the join needs to resolve the domain's SRV records.

  • Check that the clock is synchronised with the RW domain controller (chronyc tracking): Kerberos, and therefore the join, fails when the skew exceeds five minutes.

  • Join the machine to the domain as a read-only domain controller (you will be prompted for the Administrator password):

    samba-tool domain join mydomain.lan RODC -U MYDOMAIN\\Administrator
    
  • In /etc/samba/smb.conf, add the DNS forwarder that Samba's internal DNS server uses for names outside the domain. Prefer your site's resolver to the public one shown here:

    dns forwarder = 8.8.8.8
    
  • Start the Samba service and enable it at boot:

    systemctl enable --now samba
    
  • Edit /etc/resolv.conf so that the RODC now uses its own DNS server:

    search mydomain.lan
    nameserver 127.0.0.1
    
    

Testing user password replication on the RODC server

  • On srvads (the read-write domain controller), add a user to the Allowed RODC Password Replication Group. Only members of this group, and not of Denied RODC Password Replication Group (which takes precedence), have their password hashes cached on the RODC.

  • On srvrodc, preload the user's secrets from the RW domain controller:

    samba-tool rodc preload myuser --server=srvads.mydomain.lan
    
  • If all went well, the output looks like this:

    Replicating DN CN=myuser,CN=Users,DC=mydomain,DC=lan
    Exop on[CN=myuser,CN=Users,DC=mydomain,DC=lan] objects[1] linked_values[0]
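
A successful preload message only proves that one replication request went through. The checks below, an added example for this guide and not Tranquil IT's code, cover the RODC setup and the password-replication test together: they assume the names used above (RODC srvrodc, RW DC srvads.mydomain.lan, user myuser) and the samba-tool, ldbsearch and host binaries installed earlier. The msDS-RevealedUsers attribute read from the RW DC is the list Active Directory keeps of accounts whose secrets the RODC holds; the showrepl output in the comments is constructed for illustration.

```shell
#!/bin/sh
# Post-join checks for a Samba RODC (added example, not Tranquil IT's code).
# Assumed: RODC srvrodc, RW DC srvads.mydomain.lan, domain MYDOMAIN, user myuser.

# showrepl_failures "<samba-tool drs showrepl output>" -> prints one line per
# failed attempt or non-zero failure counter, prefixed with the partner, and
# returns 1 if any was found. Constructed sample of the lines it looks at:
#     Default-First-Site-Name\SRVADS via RPC
#         Last attempt @ Mon Jan  1 00:00:00 2024 UTC was successful
#         0 consecutive failure(s).
showrepl_failures() {
    printf '%s\n' "$1" | awk '
        /via RPC$/ { partner = $0; sub(/^[ \t]+/, "", partner) }
        /Last attempt/ && !/was successful/ { print partner ": " $0; bad = 1 }
        /consecutive failure/ && $1 != "0"  { print partner ": " $0; bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# verify_rodc -> 0 when the RODC serves the domain's DNS, replication from
# the RW DC is healthy, and myuser is recorded as revealed to this RODC.
verify_rodc() {
    # 1. The RODC must answer SRV queries for its own domain.
    host -t SRV _ldap._tcp.mydomain.lan 127.0.0.1 >/dev/null || return 1
    # 2. No failed or failing replication links.
    showrepl_failures "$(samba-tool drs showrepl)" || return 1
    # 3. The RW DC lists myuser in the RODC computer account's msDS-RevealedUsers
    #    (DN-with-binary values, so we only match the DN part); prompts for the
    #    Administrator password.
    ldbsearch -H ldap://srvads.mydomain.lan -U 'MYDOMAIN\Administrator' \
        '(sAMAccountName=SRVRODC$)' msDS-RevealedUsers | grep -qi 'CN=myuser,'
}

# Usage (on srvrodc, after the preload): verify_rodc && echo "RODC OK"
```

If step 3 fails while the preload reported success, check the group memberships on srvads first: a user who is also in Denied RODC Password Replication Group is never revealed, whatever the preload output says.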