Installing and configuring a Samba-AD RODC on Redhat or derivatives
Note
Enterprise Linux 8 distributions and derivatives do not yet ship Samba-AD packages: Samba-AD relies on Heimdal Kerberos for Active Directory support, while RedHat only distributes and supports products based on MIT Kerberos.
Choosing the DNS suffix for the domain
For the choice of the domain name, there are two options:
- Use a DNS suffix ending in .lan, for example mydomain.lan.
- Use a sub-domain of a public domain you own, for example ad.mycompany.com.
Attention
In any case, suffixes in .local must absolutely be avoided, because this suffix has been appropriated by Apple for its Bonjour protocol (mDNS).
In the instructions below, the domain name will be mydomain.lan, which you will replace with the domain name of your choice.
Installing the RedHat8 or derivative server
To install a new RedHat8 (physical or virtual machine) without a GUI and with only the SSH service installed (minimal installation), use this procedure for RedHat.
This documentation is also valid for a RedHat7 host.
Note
We recommend the installation of Samba-AD on Linux (Debian or RedHat8 or derivative), configured according to the ANSSI Recommendations for configuring a GNU / Linux system.
Note
Make sure you have no dependencies on SSSD.
Configuring the network functions of your server
Configuring the DNS name
Hint
The name of your new Samba-AD server must not exceed 15 characters (limit linked to sAMAccountName in Active Directory).
In this documentation we will use the name srvads.
The server name must be a FQDN name, i.e. the concatenation of the machine name and the DNS suffix.
Modify the file /etc/hostname and fill in the FQDN name of the server:
srvads.mydomain.lan
Edit /etc/hosts and fill in the FQDN name and the short name of the server.
Hint
On the line corresponding to the IP address of the Samba-AD server, put the FQDN name first, then the short name.
Do not modify the line(s) containing the term localhost:
# /etc/hosts of the Samba-AD server
10.0.0.10 srvads.mydomain.lan srvads
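The naming rules above (no .local suffix, a short name of at most 15 characters, a real FQDN, and FQDN before short name on the /etc/hosts line) as a small pre-flight check. This is an added example, not code from the original page; the function names check_ad_fqdn and check_hosts_line are my own.

```shell
#!/bin/sh
# Pre-flight checks for the Samba-AD host name rules given above
# (added example, not code from the original page):
#   - the DNS suffix must not be .local (taken by Apple Bonjour / mDNS)
#   - the short host name must not exceed 15 characters (sAMAccountName limit)
#   - the name must be a FQDN, i.e. host name plus DNS suffix
#   - in /etc/hosts the FQDN comes first, then the short name

# check_ad_fqdn FQDN -> returns 0 if acceptable, 1 otherwise (reason on stderr)
check_ad_fqdn() {
    fqdn=$1
    short=${fqdn%%.*}
    case "$fqdn" in
        *.*) ;;                       # has at least one dot: host + suffix
        *) echo "not a FQDN: $fqdn" >&2; return 1 ;;
    esac
    case "$fqdn" in
        *.local) echo "suffix .local is reserved for mDNS/Bonjour: $fqdn" >&2; return 1 ;;
    esac
    if [ "${#short}" -gt 15 ]; then
        echo "host name '$short' exceeds 15 characters" >&2
        return 1
    fi
    return 0
}

# check_hosts_line "IP FQDN SHORT" -> returns 0 if the Samba-AD server line
# of /etc/hosts lists the FQDN first and the matching short name second
check_hosts_line() {
    set -- $1                         # split the line into fields
    if [ "$#" -lt 3 ]; then
        echo "expected: IP FQDN SHORT" >&2
        return 1
    fi
    check_ad_fqdn "$2" || return 1
    if [ "$3" != "${2%%.*}" ]; then
        echo "short name '$3' must follow the FQDN '$2'" >&2
        return 1
    fi
    return 0
}
```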
Configuring the IP address of your server
Modify the file /etc/sysconfig/network-scripts/ifcfg-eth0 and set a static IP address. The file to modify can be different, for example ifcfg-ens0:
# /etc/sysconfig/network-scripts/ifcfg-eth0 of the Samba-AD server
TYPE="Ethernet"
BOOTPROTO="static"
NAME="eth0"
ONBOOT="yes"
IPADDR=10.0.0.10
NETMASK=255.255.255.0
GATEWAY=10.0.0.254
DNS1=10.0.0.1
Apply the network configuration by rebooting the machine (reboot).
Hint
If you have a corporate proxy, add the following lines at the end of /etc/yum.conf so that Yum can install packages, adapting them to your context:
proxy=http://proxy.mydomain.lan:3128
#proxy_username=
#proxy_password=
To configure the proxy for the various commands run by the root user, add the following lines at the end of /root/.bashrc:
export http_proxy=http://proxy.mydomain.lan:3128
export https_proxy=http://proxy.mydomain.lan:3128
export ftp_proxy=http://proxy.mydomain.lan:3128
#export no_proxy=.lan,.local
To take this change into account immediately, run source /root/.bashrc.
Configuring the security of your server
After the reboot, set the system language to English to make it easier to find problems in the logs:
localectl set-locale LANG=en_US.utf8
localectl status
Ensure that SELinux is deactivated:
vi /etc/selinux/config
Then, in the file, replace the current value with the one below (beware: modify the SELINUX= line, not the SELINUXTYPE= line):
SELINUX=disabled
After the reboot, check that SELinux is disabled; the sestatus command should return:
SELinux status: disabled
Configure firewall rules to open the ports necessary for Samba-AD to work:
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --zone=public --add-port=53/tcp --add-port=53/udp --permanent
firewall-cmd --zone=public --add-port=88/tcp --add-port=88/udp --permanent
firewall-cmd --zone=public --add-port=135/tcp --permanent
firewall-cmd --zone=public --add-port=389/tcp --add-port=389/udp --permanent
firewall-cmd --zone=public --add-port=445/tcp --permanent
firewall-cmd --zone=public --add-port=464/tcp --add-port=464/udp --permanent
firewall-cmd --zone=public --add-port=636/tcp --permanent
firewall-cmd --zone=public --add-port=3268/tcp --permanent
firewall-cmd --zone=public --add-port=3269/tcp --permanent
firewall-cmd --zone=public --add-port=50000-51000/tcp --permanent
firewall-cmd --zone=public --add-port=49152-65535/tcp --permanent
systemctl restart firewalld
Disable avahi-daemon (mDNS protocol / bonjour):
systemctl stop avahi-daemon.service avahi-daemon.socket
systemctl disable avahi-daemon.service avahi-daemon.socket
Adding useful tools for your server
Update the distribution, install the EPEL repository and some essential tools (the subscription-manager command is only available on RedHat itself, not on derivatives):
# RedHat8 / derivative
yum update -y
yum install -y epel-release
yum install -y wget sudo screen nmap telnet tcpdump rsync net-tools bind-utils htop
# RedHat9 / derivative
subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
yum install -y wget sudo screen nmap telnet tcpdump rsync net-tools bind-utils htop
You can now go to the next step and install Samba-AD on your RedHat8 or derivative distribution.
Packages of the latest version 4.20 validated by the Tranquil IT team can be downloaded from the url https://samba.tranquil.it/redhat9/samba-4.20/.
When it becomes necessary to upgrade to Samba-4.21, just change the repository url to https://samba.tranquil.it/redhat9/samba-4.21/ and follow the upgrade notes on the upgrade page.
Retrieve the RPM signing key and configure a YUM repository for your version (the repository file must reference the key file that was downloaded for that version):
# RedHat7 / derivative
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-7
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7
echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat7/samba-4.20/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7" > /etc/yum.repos.d/tissamba.repo
# RedHat8 / derivative
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-8
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat8/samba-4.20/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8" > /etc/yum.repos.d/tissamba.repo
# RedHat9 / derivative
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-9
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat9/samba-4.20/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9" > /etc/yum.repos.d/tissamba.repo
Verify the checksum of the downloaded key file with sha256sum; the expected values are:
# For RHEL7 / RHEL8 :
sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11  /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
# For RHEL9 :
sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a  /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
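The three steps above (download the key, check its sha256 against the value documented on this page, import it and write the repository file) wrapped in a script that refuses to import a key whose checksum does not match. This is an added example, not the page's or Tranquil IT's own script; the function names and the optional Samba version argument are my own, and EL7 is left out because the page gives no checksum for its key.

```shell
#!/bin/sh
# Added example (not from the original page): set up the Tranquil IT Samba
# repository for EL8 or EL9 and only import the signing key if its sha256
# matches the value documented on the page.

# sha_for_key ELVER -> prints the expected sha256 of the key file (copied from the page)
sha_for_key() {
    case "$1" in
        8) echo b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11 ;;
        9) echo 05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a ;;
        *) return 1 ;;                 # no documented checksum for this version
    esac
}

# verify_sha256 FILE EXPECTED -> returns 0 if the file's sha256 matches
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# tis_repo_content ELVER SAMBA_VERSION -> prints the .repo file for that EL major version
tis_repo_content() {
    cat <<EOF
[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat$1/samba-$2/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-$1
EOF
}

# setup_tis_repo ELVER [SAMBA_VERSION]: download, verify, import, write repo (run as root)
setup_tis_repo() {
    elver=$1; ver=${2:-4.20}
    key=/etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-$elver
    expected=$(sha_for_key "$elver") || { echo "no checksum known for EL$elver" >&2; return 1; }
    wget -O "$key" "https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-$elver" || return 1
    if ! verify_sha256 "$key" "$expected"; then
        echo "checksum mismatch for $key, not importing" >&2
        rm -f "$key"
        return 1
    fi
    rpm --import "$key" || return 1
    tis_repo_content "$elver" "$ver" > /etc/yum.repos.d/tissamba.repo
}
```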
Install the Samba-AD packages for RedHat9 and derivative distributions :
yum --enablerepo=crb install -y samba samba-dc samba-winbind samba-winbind-clients krb5-workstation ldb-tools bind chrony bind-utils samba-client python3-markdown
Warning
--enablerepo=crb will only work with derivative distros. If you are using a RedHat distro, use the following command to enable the crb repo instead:
subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
Attention
For RODC support, it is imperative to use a version of Samba higher than 4.9. RODC support works overall but is not complete: it lacks NTLM authentication forwarding when the password hash has not been synchronized.
Setting up the RODC service
Configure the /etc/resolv.conf file so that it points to your RW domain controller, then join the machine to the domain:
samba-tool domain join mydomain.lan RODC -U MYDOMAIN\\Administrator
In /etc/samba/smb.conf, add the DNS forwarder:
dns forwarder = 8.8.8.8
Start the Samba service with systemctl start samba.
Edit /etc/resolv.conf to make it point to itself:
search mydomain.lan
nameserver 127.0.0.1
Testing user password replication on the RODC server
On srvads, add a user as a member of the Allowed RODC Password Replication Group.
On srvrodc:
samba-tool rodc preload myuser --server=srvads.mydomain.lan
If all went well, the output looks like this:
Replicating DN CN=myuser,CN=Users,DC=mondomaine,DC=lan Exop on[CN=myuser,CN=Users,DC=mondomaine,DC=lan] objects[1] linked_values[0]