Installing and configuring a secondary Samba-AD on Redhat and derivatives

Note

In this documentation, it is assumed:

  • That the main domain controller is called srvads1.

  • That the secondary domain controller is called srvads2.

  • That the domain is called mydomain.lan.

In the instructions below, you will replace mydomain.lan with your own domain name and srvads1 and srvads2 with the machine names of your choice.

  • On a 64-bit Redhat8 (or derivative) base, prepare a clean network configuration by following this documentation.

Packages of the latest version 4.19 validated by the Tranquil IT team can be downloaded from https://samba.tranquil.it/redhat8/samba-4.19/. When it becomes necessary to upgrade to Samba-4.19, change the repository url to https://samba.tranquil.it/redhat8/samba-4.19/ and follow the upgrade notes on the upgrade page.

  • Retrieve the RPM signature key and configure a YUM repository (on RedHat8 the key file is RPM-GPG-KEY-TISSAMBA-8 and the repository path is redhat8, matching the gpgkey line and the checksum check below):

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-8
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8

echo "[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat8/samba-4.19/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8" > /etc/yum.repos.d/tissamba.repo

  • Verify the SHA-256 checksum of the key file with sha256sum before importing it; the value must match exactly:

    # For RHEL7 / RHEL8 :
    sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
        b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11 /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
    
    # For RHEL9 :
    sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
        05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
    
  • Install the Samba-AD packages for RedHat8 and derivative distributions:

    yum install -y samba samba-dc samba-winbind samba-winbind-clients krb5-workstation ldb-tools bind chrony bind-utils samba-client
    

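The manual sha256sum comparison above is easy to skip or eyeball wrongly; the following added example (not part of the Tranquil IT documentation) pins the two checksums quoted on this page per RHEL major version and only runs rpm --import when the downloaded key file matches. Key file paths follow the page's naming; the hypothetical helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: refuse to import the TIS RPM
# signing key unless its SHA-256 matches the value pinned for this release.
# The two checksums are the ones quoted on this page; the key file paths are
# the /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-<N> names the page uses.

# expected_key_hash MAJOR -> prints the pinned checksum for that RHEL major
expected_key_hash() {
    case "$1" in
        7|8) echo "b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11" ;;
        9)   echo "05f21f368bdeb01453e37c3af2b8fcabba8986e2ce2b0d0298df6456a0bef60a" ;;
        *)   echo "no pinned checksum for RHEL major '$1'" >&2; return 1 ;;
    esac
}

# key_file_for MAJOR -> path the key is stored under (RHEL7 and RHEL8 share key 8)
key_file_for() {
    case "$1" in
        7|8) echo /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8 ;;
        9)   echo /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9 ;;
        *)   return 1 ;;
    esac
}

# verify_key_checksum FILE EXPECTED -> 0 if sha256(FILE) equals EXPECTED, else 1
verify_key_checksum() {
    actual=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: got $actual, expected $2" >&2
        return 1
    fi
}

# import_key_if_valid MAJOR -> imports the key into rpm only when the pin matches
import_key_if_valid() {
    file=$(key_file_for "$1") || return 1
    expected=$(expected_key_hash "$1") || return 1
    verify_key_checksum "$file" "$expected" && rpm --import "$file"
}
```

Run `import_key_if_valid 8` after the wget step; a mismatch leaves the rpm keyring untouched and prints the differing digests.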
Finalizing your basic configuration

  • Change /etc/hostname to contain the FQDN name of the machine:

    srvads2.mydomain.lan
    
  • Modify /etc/hosts so that it contains the DNS resolution of the machine’s FQDN on its IP (i.e. not 127.0.0.1), with the long name then the short name:

    127.0.0.1      localhost
    192.168.1.12   srvads2.mydomain.lan srvads2
    
  • Reboot the machine so that it takes its new name into account.

    Note

    Running hostname -F /etc/hostname does not seem to be enough for the Samba script, which still picks up the old name.

Joining the secondary controller to the domain

  • Configure the DNS to point to a Windows or Samba domain controller in /etc/resolv.conf:

    search mydomain.lan
    nameserver 192.168.1.11
    

Configuring Kerberos

  • Open /etc/krb5.conf, remove its contents and add:

    [libdefaults]
      default_realm = MYDOMAIN.LAN
      dns_lookup_kdc = false
      dns_lookup_realm = false
    [realms]
      MYDOMAIN.LAN = {
        kdc = 127.0.0.1
        kdc = 192.168.1.11
      }
    

    Attention

    It is necessary to respect the CAPITAL LETTERS and to replace the 2 IPs by:

    • The IP of srvads2 (this host) first; localhost 127.0.0.1 can be used.

    • The IP of the existing domain controller srvads1 as the second IP (ex 192.168.1.11, the nameserver configured above).

  • Reboot the host:

    reboot
    
  • After rebooting, ensure that Kerberos is properly configured and that you obtain a TGT:

    Attention

    The default administrator account is administrator in English. Type the password of the administrator account; if the command returns nothing, or only a message about password expiration, it is ok.

    kinit administrator
    klist
    

Configuring Samba as a Secondary Domain Controller

  • Remove the configuration file /etc/samba/smb.conf which was automatically generated during package installation:

    rm -f /etc/samba/smb.conf
    
  • Join srvads2 as a member of the domain:

    samba-tool domain join mydomain.lan DC -U administrator --realm=MYDOMAIN.LAN -W MYDOMAIN
    
  • Modify the DNS to point to itself in /etc/resolv.conf:

    nameserver 127.0.0.1
    
  • In /etc/samba/smb.conf, add the DNS forwarder:

    [global]
       ...
       dns forwarder = 8.8.8.8
       ...
    
  • Activate the automatic start of the AD service:

    systemctl enable samba
    systemctl disable winbind nmb smb
    systemctl mask winbind nmb smb
    
  • Point your Kerberos to the correct configuration file:

    Hint

    By default, Samba-AD provisioning creates an example krb5.conf file in the directory /var/lib/samba/private.

    This file is used by default by some Samba calls.

    It is best to replace it with a symbolic link to /etc/krb5.conf to avoid side effects from two diverging Kerberos configurations.

    rm /var/lib/samba/private/krb5.conf
    ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
    
  • Restart Samba:

    systemctl restart samba
    
  • Check that the DNS entries are correct:

    samba_dnsupdate --verbose
    
  • If some updates still fail, use this method, which bypasses Kerberos:

    samba_dnsupdate --use-samba-tool
    

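The steps from "Finalizing your basic configuration" through the Samba configuration above leave several hand-edited files on srvads2, and a typo in any of them (short hostname, loopback-only /etc/hosts, resolv.conf still pointing at srvads1, a plain-file krb5.conf in the private directory) only shows up later as failed DNS updates or Kerberos errors. This added example (not part of the original page) checks those files; the root-prefix parameter and the helper names are this example's own, all file paths are the ones the page uses.

```shell
#!/bin/sh
# Added example, not from the original page: verify the files this procedure
# edits on srvads2. Every check takes a root prefix ("" for the live system,
# or a staging tree) followed by the expected FQDN where one is needed.

# check_hostname ROOT FQDN -> /etc/hostname must hold the FQDN, not the short name
check_hostname() {
    [ "$(cat "$1/etc/hostname" 2>/dev/null)" = "$2" ]
}

# check_hosts ROOT FQDN -> FQDN maps to a non-loopback address, long name first
check_hosts() {
    grep -Ev '^[[:space:]]*(#|$)' "$1/etc/hosts" 2>/dev/null |
        awk -v fqdn="$2" '$1 !~ /^127\./ && $2 == fqdn { found = 1 } END { exit !found }'
}

# check_resolv_self ROOT -> after the join, the DC must resolve DNS via itself
check_resolv_self() {
    grep -Eq '^nameserver[[:space:]]+127\.0\.0\.1([[:space:]]|$)' "$1/etc/resolv.conf" 2>/dev/null
}

# check_krb5_link ROOT -> Samba's private krb5.conf must be a symlink to /etc/krb5.conf
check_krb5_link() {
    [ "$(readlink "$1/var/lib/samba/private/krb5.conf" 2>/dev/null)" = "/etc/krb5.conf" ]
}

# check_forwarder ROOT -> smb.conf carries a "dns forwarder" setting
check_forwarder() {
    grep -Eq '^[[:space:]]*dns forwarder[[:space:]]*=' "$1/etc/samba/smb.conf" 2>/dev/null
}

# run_checks ROOT FQDN -> prints PASS/FAIL per check, returns the number of failures
run_checks() {
    fails=0
    for c in check_hostname check_hosts check_resolv_self check_krb5_link check_forwarder; do
        if "$c" "$1" "$2"; then
            echo "PASS $c"
        else
            echo "FAIL $c"
            fails=$((fails + 1))
        fi
    done
    return $fails
}
```

On the finished host, `run_checks "" srvads2.mydomain.lan` should print five PASS lines before you move on to SYSVOL and the replication check.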
Configuring SYSVOL

  • Retrieve the contents of the \\srvads1\sysvol share from srvads1 and copy it to srvads2 (this can be done from a Windows workstation as Domain Administrator). Alternatively, on srvads2, run the command:

    rsync -aP root@srvads1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/
    
  • Then check the ACL on SYSVOL, and if necessary reset the ACLs:

    samba-tool ntacl sysvolreset
    samba-tool ntacl sysvolcheck
    

Hint

While waiting for the development of a DFS-R officially supported by the Samba-team, Tranquil IT proposes the tis-sysvolsync tool to synchronize SYSVOL shares between Samba domain controllers.

Validating the new installation

  • Test the DNS connection from the Active Directory DNS console.

  • Test the connection from the Active Directory Users and Computers console.

  • Check the status of the replications:

    samba-tool drs showrepl
    

Configuring signed NTP

Configuring Bind-DLZ

Before going into production, the internal Samba DNS must be replaced by the Bind-DLZ module. To do this, follow the documentation to integrate Samba with Bind9.

Great, if you have made it this far, then everything went well and you have a new operational secondary domain controller.