Installing and configuring a secondary Samba-AD on Redhat and derivatives

Note

In this documentation, it is assumed:

  • That the main domain controller is called srvads1.

  • That the secondary domain controller is called srvads2.

  • That the domain is called mydomain.lan.

In the instructions below, you will replace mydomain.lan with your own domain name and srvads1 and srvads2 with the machine names of your choice.

  • On a 64-bit Redhat8 (or derivative) base, prepare a clean network configuration by following this documentation.

Packages of the latest version 4.20 validated by the Tranquil IT team can be downloaded from the url https://samba.tranquil.it/redhat9/samba-4.20/.

When it will be necessary to upgrade to Samba-4.21, just change the repository url to https://samba.tranquil.it/redhat9/samba-4.21/ and follow the upgrade notes on the upgrade page.

  • Retrieve the RPM signature key and configure a YUM repository:

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-7
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7

echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat7/samba-4.20/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8" > /etc/yum.repos.d/tissamba.repo
  • Verify the key fingerprint with sha256sum:

    # For RHEL7 / RHEL8 :
    sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
        b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11 /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
    
    # For RHEL9 :
    sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
        05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
    
  • Install the Samba-AD packages for RedHat9 and derivative distributions :

    yum --enablerepo=crb install -y samba samba-dc samba-winbind samba-winbind-clients krb5-workstation ldb-tools bind chrony bind-utils samba-client python3-markdown
    

    Warning

    –enablerepo=crb will only work with derivative distros. If you are using a RedHat distro, please use the following command to enable crb repo:

    subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
    

Finalizing your basic configuration

  • Change /etc/hostname to contain the FQDN name of the machine:

    srvads2.mydomain.lan
    
  • Modify /etc/hosts so that it contains the DNS resolution of the machine’s FQDN on its IP (i.e. not 127.0.0.1), with the long name then the short name:

    127.0.0.1      localhost
    192.168.1.12   srvads2.mydomain.lan srvads2
    
  • Reboot the machine so that it takes its new name into account by doing a reboot.

    Note

    a hostname -F /etc/hostname does not seem to be enough for the samba script which still gets the old name …

Joining the secondary controller to the domain

  • Configure the DNS to point to a Windows or Samba domain controller in /etc/resolv.conf:

    search mydomain.lan
    nameserver 192.168.1.11
    

Configuring Kerberos

  • Open /etc/krb5.conf, remove its contents and add:

    [libdefaults]
      default_realm = MYDOMAIN.LAN
      dns_lookup_kdc = false
      dns_lookup_realm=false
    [realms]
      MYDOMAIN.LAN = {
      kdc = 127.0.0.1
      kdc = 192.168.1.12
      }
    

    Attention

    It is necessary to respect the CAPITAL LETTERS and replace the 2 IPs by:

    • The IP of your srvrodc first, we can use localhost 127.0.0.1.

    • The IP of srvads as the second IP (ex 192.168.1.12).

  • Reboot the host:

    reboot
    
  • After rebooting, ensure that kerberos is properly configured and that you get a TGT:

    Attention

    The default administrator is administrator in English (type the account password administrator, if it doesn’t return anything or you get a message about the password expiration, it’s ok).

    kinit administrator
    klist
    

Configuring Samba as a Secondary Domain Controller

  • Remove the configuration file /etc/samba/smb.conf which was automatically generated during package installation:

    rm -f /etc/samba/smb.conf
    
  • Join srvads2 as a member of the domain:

    samba-tool domain join mydomain.lan DC -U administrator --realm=MYDOMAIN.LAN -W MYDOMAIN
    
  • Modify the DNS to point to itself in /etc/resolv.conf:

    nameserver 127.0.0.1
    
  • In /etc/samba/smb.conf, add the DNS forwarder:

    [global]
       ...
       dns forwarder = 8.8.8.8
       ...
    
  • Activate the automatic start of the AD service:

    systemctl enable samba
    systemctl disable winbind nmb smb
    systemctl mask winbind nmb smb
    
  • Point your Kerberos to the correct configuration file:

    Hint

    By default Samba-AD provisioning creates an example file krb5.conf in the directory /var/lib/samba/private.

    This file is used by default by some Samba calls.

    It is best to replace it with a symbolic link to /etc/kbr5.conf to avoid some side effects.

    rm /var/lib/samba/private/krb5.conf
    ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
    
  • Restart Samba:

    systemctl restart samba
    
  • Check that the DNS entries are correct:

    samba_dnsupdate --verbose
    
  • If there are still some fails, use this method which allows to bypass kerberos:

    samba_dnsupdate --use-samba-tool
    

Configuring SYSVOL

  • Graphically, you can retrieve the content of \srvads\sysvol from srvads1 and copy it to srvads2 from a Windows workstation as Domain Administrator. Or with command lines, on srvads2, run:

    rsync -aP root@srvads1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/
    
  • Then reset the ACL on SYSVOL, and check the ACLs (it should return nothing if OK):

    samba-tool ntacl sysvolreset
    samba-tool ntacl sysvolcheck
    

Hint

While waiting for the development of a DFS-R officially supported by the Samba-team, Tranquil IT proposes the tis-sysvolsync tool to synchronize SYSVOL shares between Samba domain controllers.

Validating the new installation

  • Test the DNS connection from the DNS Active Directory console from the DNS Active Directory.

  • Test the connection from the Users and Computers Active Directory.

  • Check the status of the replications:

    samba-tool drs showrepl
    

Configuring signed NTP

Configuring Bind-DLZ

Before going into production, the internal Samba DNS must be replaced by the Bind-DLZ module. To do this, follow the documentation to integrate Samba with Bind9.

Great, if you have made it this far, then everything went well and you have a new operational secondary domain controller.