Installing and configuring a secondary Samba-AD on Redhat and derivatives
Note
In this documentation, it is assumed:
That the main domain controller is called srvads1.
That the secondary domain controller is called srvads2.
That the domain is called mydomain.lan.
In the instructions below, you will replace mydomain.lan with your own domain name and srvads1 and srvads2 with the machine names of your choice.
On a 64-bit Redhat8 (or derivative) base, prepare a clean network configuration by following this documentation.
Packages of the latest version 4.20 validated by the Tranquil IT team can be downloaded from the url https://samba.tranquil.it/redhat9/samba-4.20/.
When it will be necessary to upgrade to Samba-4.21, just change the repository url to https://samba.tranquil.it/redhat9/samba-4.21/ and follow the upgrade notes on the upgrade page.
Retrieve the RPM signature key and configure a YUM repository:
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-7
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-7
echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat7/samba-4.20/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8" > /etc/yum.repos.d/tissamba.repo
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-8
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat8/samba-4.20/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8" > /etc/yum.repos.d/tissamba.repo
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-9
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat9/samba-4.20/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9" > /etc/yum.repos.d/tissamba.repo
Verify the key fingerprint with sha256sum:
# For RHEL7 / RHEL8 : sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8 b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11 /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8 # For RHEL9 : sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9 05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
Install the Samba-AD packages for RedHat9 and derivative distributions:
yum --enablerepo=crb install -y samba samba-dc samba-winbind samba-winbind-clients krb5-workstation ldb-tools bind chrony bind-utils samba-client python3-markdown
Finalizing your basic configuration
Change
/etc/hostname
to contain the FQDN name of the machine:srvads2.mydomain.lan
Modify
/etc/hosts
so that it contains the DNS resolution of the machine’s FQDN on its IP (i.e. not 127.0.0.1), with the long name then the short name:127.0.0.1 localhost 192.168.1.12 srvads2.mydomain.lan srvads2
Reboot the machine so that it takes its new name into account by doing a reboot.
Note
a hostname -F /etc/hostname does not seem to be enough for the samba script which still gets the old name …
Joining the secondary controller to the domain
Configure the DNS to point to a Windows or Samba domain controller in
/etc/resolv.conf
:search mydomain.lan nameserver 192.168.1.11
Configuring Kerberos
Open
/etc/krb5.conf
, remove its contents and add:[libdefaults] default_realm = MYDOMAIN.LAN dns_lookup_kdc = false dns_lookup_realm=false [realms] MYDOMAIN.LAN = { kdc = 127.0.0.1 kdc = 192.168.1.12 }
Attention
It is necessary to respect the CAPITAL LETTERS and replace the 2 IPs by:
The IP of your srvrodc first, we can use localhost 127.0.0.1.
The IP of srvads as the second IP (ex 192.168.1.12).
Reboot the host:
reboot
After rebooting, ensure that kerberos is properly configured and that you get a TGT:
Attention
The default administrator is administrator in English (type the account password administrator, if it doesn’t return anything or you get a message about the password expiration, it’s ok).
kinit administrator klist
Configuring Samba as a Secondary Domain Controller
Remove the configuration file
/etc/samba/smb.conf
which was automatically generated during package installation:rm -f /etc/samba/smb.conf
Join srvads2 as a member of the domain:
samba-tool domain join mydomain.lan DC -U administrator --realm=MYDOMAIN.LAN -W MYDOMAIN
Modify the DNS to point to itself in
/etc/resolv.conf
:nameserver 127.0.0.1
In
/etc/samba/smb.conf
, add the DNS forwarder:[global] ... dns forwarder = 8.8.8.8 ...
Activate the automatic start of the AD service:
systemctl enable samba systemctl disable winbind nmb smb systemctl mask winbind nmb smb
Point your Kerberos to the correct configuration file:
Hint
By default Samba-AD provisioning creates an example file
krb5.conf
in the directory/var/lib/samba/private
.This file is used by default by some Samba calls.
It is best to replace it with a symbolic link to
/etc/kbr5.conf
to avoid some side effects.rm /var/lib/samba/private/krb5.conf ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
Restart Samba:
systemctl restart samba
Check that the DNS entries are correct:
samba_dnsupdate --verbose
If there are still some fails, use this method which allows to bypass kerberos:
samba_dnsupdate --use-samba-tool
Configuring SYSVOL
Graphically, you can retrieve the content of
\srvads\sysvol
from srvads1 and copy it to srvads2 from a Windows workstation as Domain Administrator. Or with command lines, on srvads2, run:rsync -aP root@srvads1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/
Then reset the ACL on SYSVOL, and check the ACLs (it should return nothing if OK):
samba-tool ntacl sysvolreset samba-tool ntacl sysvolcheck
Hint
While waiting for the development of a DFS-R officially supported by the Samba-team, Tranquil IT proposes the tis-sysvolsync tool to synchronize SYSVOL shares between Samba domain controllers.
Validating the new installation
Test the DNS connection from the DNS Active Directory console from the DNS Active Directory.
Test the connection from the Users and Computers Active Directory.
Check the status of the replications:
samba-tool drs showrepl
Configuring signed NTP
Configure the NTP by following the NTP service configuration documentation with Samba.
Configuring Bind-DLZ
Before going into production, the internal Samba DNS must be replaced by the Bind-DLZ module. To do this, follow the documentation to integrate Samba with Bind9.
Great, if you have made it this far, then everything went well and you have a new operational secondary domain controller.