With the recent stable release of Samba 4,
it is possible to create a compatible Active Directory Domain
Controller that runs on the Linux platform. Samba 4 has been in beta for
years now, but with the stable release as of December 11, 2012 you
should now have a compelling argument for implementing Samba into your
enterprise IT network. Samba 4 is a complete re-working of the Samba
code, and the Samba 4 website sums it up best:
“Samba 4 is available for download via the Samba Website or from the Git repository.
In short, you can join a Windows (all recent releases should be
supported) machine to a Samba 4 domain, and it will behave much as it
does in AD, including Kerberos domain logins where applicable. The
official press release can be found on the Samba website.”
The Setup
For detailed information on configuring and setting up Samba 4, refer to the Samba4 HOWTO.
The following is how to set up and
configure a basic Samba 4 domain controller running on CentOS 6.3 or
6.4. Once configured and installed, you can then administer Active
Directory using Microsoft's Remote Server Administration Tools from a Windows XP, Vista, or 7 client that supports Active Directory. Note: your Windows client must be a Professional, Business or Ultimate edition.
This howto assumes you have the following:
- a functioning basic server running CentOS 6.3 or 6.4 x86_64 with root access
- your CentOS server is using an IP address of 192.168.0.2 (change to your liking)
- FQDN of 'samba.mydomain.com' (change to your liking)
- default gateway IP address: 192.168.0.1 (change to your network gateway)
- a Windows XP, Vista or 7 client that supports Active Directory
- disabled SELinux (disabled to reduce complications)
- DNS forwarding IP address using OpenDNS: 208.67.222.222 (change to your liking)
Download and Installation
NOTE:
All commands here are run as the 'root' user. You do not need to be root
for every command (and using an unprivileged user where possible is recommended), but for
simplicity's sake root is used here to eliminate confusion.
1. Login as root and update your server
# yum update
2. Install the following packages required for installing and building Samba 4:
# yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5
3. Query your rpm database to find any instances of older samba packages:
# rpm -qa | grep samba
4. If there are any older samba packages remove them with YUM:
# yum remove samba-winbind-client samba-common samba-client
5. Install git to download the latest Samba 4 version:
# yum install git-core
6. Use a directory of your choice and download the latest version of samba from git:
# git clone git://git.samba.org/samba.git samba-master
7. Reboot the server as a precaution so that all packages or kernel updates will be applied:
# shutdown -r now
8. Login again as root and then build samba:
# cd samba-master
# ./configure --enable-debug --enable-selftest
# make
9. If everything reports okay you can then install samba:
# make install
You should now have samba installed to '/usr/local/samba'.
Provision Samba 4
The provision step sets up a basic user database, and is used when you are setting up your Samba4 server in its own domain.
As root issue this command:
# /usr/local/samba/bin/samba-tool domain provision
The 'domain provision' tool should pick defaults for you automatically. Change to your configurations if necessary:
Realm [MYDOMAIN.COM]:
Domain [MYDOMAIN]: (press Enter)
Server Role (dc, member, standalone) [dc]: (press Enter)
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (press Enter)
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.0.1]: 208.67.222.222
Administrator password: <your_secret_admin_password>
Retype password:
If the above was successful, stdout should look similar to this:
Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              samba
NetBIOS Domain:        MYDOMAIN
DNS Domain:            mydomain.com
DOMAIN SID:            S-1-5-xx-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx
NOTE:
You may need to remove the '/usr/local/samba/etc/smb.conf' file if you
are re-running the provision command. If you encounter any errors when
running the provision command, you may need to install the necessary
missing packages or fix errors and then run './configure', 'make' and
'make install' commands again as stated above. Remember to do a 'make
clean' in the root of your 'samba-master' directory before running
'make' again.
If the provision setup was successful reboot the server:
# shutdown -r now
Start Samba 4 AD DC
Start the samba daemon:
# /usr/local/samba/sbin/samba
If you would like Samba to start at boot, append the following to your '/etc/rc.d/rc.local' file:
/usr/local/samba/sbin/samba
Testing Samba as an Active Directory DC
Verify you are indeed running the correct
version of Samba. Your version should start with version 4 (note: the samba
daemon must be running):
# /usr/local/samba/sbin/samba -V
Version 4.1.0pre1-GIT-c1fb37d
Verify you are running the correct samba-client version:
# /usr/local/samba/bin/smbclient --version
Version 4.1.0pre1-GIT-c1fb37d
Now run this command to list the shares on your Samba4 server:
# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-c1fb37d]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-c1fb37d)
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-c1fb37d]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
Configure DNS
You will need to edit your
'/etc/resolv.conf' and '/etc/sysconfig/network-scripts/ifcfg-eth0' files
so that Samba will use its internal DNS correctly. If you specified a
forwarding DNS server when you provisioned earlier, DNS should work
correctly (you can verify this in /usr/local/samba/etc/smb.conf). Here
is an example of my current '/usr/local/samba/etc/smb.conf' file:
# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
	workgroup = MYDOMAIN
	realm = MYDOMAIN.COM
	netbios name = SAMBA
	server role = active directory domain controller
	dns forwarder = 208.67.222.222

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/mydomain.com/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
Edit your '/etc/resolv.conf' file to look like this:
# Generated by NetworkManager
domain mydomain.com
nameserver 192.168.0.2
Next you need
to edit '/etc/sysconfig/network-scripts/ifcfg-eth0' so DNS is changed
here also. It should look something like this:
DEVICE="eth0"
BOOTPROTO="none"
DEFROUTE="yes"
DNS1="192.168.0.2"   # MUST CHANGE THIS TO YOUR HOST IP ADDRESS!!
GATEWAY="192.168.0.1"
HWADDR="86:C4:C1:0D:29:AD"
IPADDR="192.168.0.2"
IPV4_FAILURE_FATAL="yes"
IPV6INIT="no"
NAME="System eth0"
NM_CONTROLLED="yes"
ONBOOT="yes"
PREFIX="24"
TYPE="Ethernet"
Reboot the server for all network changes and DNS to take effect.
Testing DNS
Make sure that samba is running and then
test to make sure that DNS is working properly. Run the following
commands and compare the output to what is shown:
# host -t SRV _ldap._tcp.mydomain.com.
_ldap._tcp.mydomain.com has SRV record 0 100 389 samba.mydomain.com.
# host -t SRV _kerberos._udp.mydomain.com.
_kerberos._udp.mydomain.com has SRV record 0 100 88 samba.mydomain.com.
# host -t A samba.mydomain.com.
samba.mydomain.com has address 192.168.0.2
The
answers you get should be similar to the ones above (adjusted for your
DNS domain name and hostname). If you get any errors, carefully check
your system logs and your '/etc/resolv.conf' and
'/etc/sysconfig/network-scripts/ifcfg-eth0' files.
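The same DNS checks as a script, added here as an example (not part of the original howto). DOMAIN, DC_HOST and DC_IP are assumptions defaulting to the howto's sample values and HOST_BIN to the 'host' command; beyond the two SRV records shown above it also queries the _kerberos._tcp and _msdcs LDAP records that domain members look up when locating a DC.

```shell
#!/bin/sh
# Added example, not part of the original howto: the DNS checks above as a script.
# DOMAIN, DC_HOST and DC_IP default to the howto's sample values and HOST_BIN to the
# 'host' command; all four are assumptions that can be overridden in the environment.
DOMAIN="${DOMAIN:-mydomain.com}"
DC_HOST="${DC_HOST:-samba.mydomain.com}"
DC_IP="${DC_IP:-192.168.0.2}"
HOST_BIN="${HOST_BIN:-host}"

# expect_srv NAME PORT: the SRV record NAME must point at DC_HOST on PORT.
# Matches the exact answer format 'host -t SRV' prints; returns 1 on any other answer.
expect_srv() {
    answer=$($HOST_BIN -t SRV "$1." 2>&1 || true)
    case "$answer" in
        *"$1 has SRV record "*" $2 $DC_HOST."*) echo "ok    $1 -> $DC_HOST:$2" ;;
        *) echo "FAIL  $1: $answer"; return 1 ;;
    esac
}

# expect_a NAME IP: the A record NAME must resolve to exactly IP (no trailing wildcard,
# so 192.168.0.2 does not accept 192.168.0.20).
expect_a() {
    answer=$($HOST_BIN -t A "$1." 2>&1 || true)
    case "$answer" in
        *"$1 has address $2") echo "ok    $1 -> $2" ;;
        *) echo "FAIL  $1: $answer"; return 1 ;;
    esac
}

# check_dc_dns: query the records a domain member uses to find its DC. Besides the two
# SRV records shown in the howto it checks _kerberos._tcp and the _msdcs LDAP record,
# which AD clients also query. Returns 0 only if every record is correct.
check_dc_dns() {
    failures=0
    expect_srv "_ldap._tcp.$DOMAIN" 389            || failures=$((failures + 1))
    expect_srv "_ldap._tcp.dc._msdcs.$DOMAIN" 389  || failures=$((failures + 1))
    expect_srv "_kerberos._tcp.$DOMAIN" 88         || failures=$((failures + 1))
    expect_srv "_kerberos._udp.$DOMAIN" 88         || failures=$((failures + 1))
    expect_a "$DC_HOST" "$DC_IP"                   || failures=$((failures + 1))
    echo "$failures record(s) wrong"
    [ "$failures" -eq 0 ]
}

# Run the checks when invoked directly with 'run'; the functions can also be sourced.
if [ "${1:-}" = run ]; then
    check_dc_dns
fi
```

Run it on the DC itself after the reboot, where a non-zero exit means resolv.conf or ifcfg-eth0 still points at a resolver other than the Samba server.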
Disable Firewall (Optional)
To reduce the chances of problems you can
completely disable the firewall on the Samba 4 server. Once you have
successfully joined a Windows client to the domain you could then
re-enable the firewall and configure IP Tables correctly.
To use the menu-based firewall utility, install this package:
# yum install system-config-firewall
Then issue this command for the menu-based firewall configuration:
# /usr/bin/system-config-firewall-tui
Disable the firewall and then reboot the server.
Configure Kerberos
In CentOS 6.3 or 6.4, Kerberos is configured
by the '/etc/krb5.conf' file. Make a backup copy of this original file,
and then replace the existing file, if any, with the sample from
/usr/local/samba/share/setup/krb5.conf.
# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
Edit
the file and replace ${REALM} with the value you chose for the
'--realm' parameter of the provision command earlier, making sure to enter
the realm in uppercase letters. It should look something like this:
# cat /etc/krb5.conf
[libdefaults]
	default_realm = MYDOMAIN.COM
	dns_lookup_realm = false
	dns_lookup_kdc = true
Testing Kerberos
The simplest test is to use the 'kinit' command as follows:
# kinit administrator@MYDOMAIN.COM
Password for administrator@MYDOMAIN.COM:
Warning: Your password will expire in 41 days on Sun Feb  3 14:21:51 2013
NOTE: You must specify your domain realm MYDOMAIN.COM in uppercase letters!!
'kinit' will not give you any output beyond a possible password-expiry warning. To verify that Kerberos is working, and that you received a ticket, run the following:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting     Expires            Service principal
12/23/12 15:39:28  12/24/12 01:39:28  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
	renew until 12/24/12 15:39:19
NTP (Network Time Protocol)
Make sure that 'ntpd' is installed and running. If 'ntpd' is not installed you can install it with YUM:
# yum install ntp
Enable ntpd:
# /etc/init.d/ntpd start
Also, use the 'chkconfig' command to have ntpd run at boot:
# chkconfig ntpd on
NOTE:
CORRECT TIME IS IMPORTANT FOR KERBEROS TO FUNCTION CORRECTLY. MAKE SURE
NTPD IS RUNNING ON THE SAMBA SERVER AND THAT YOU SET THE WINDOWS CLIENT
TO THE MOST ACCURATE TIME POSSIBLE! THE WINDOWS CLIENT TIME SHOULD BE
SET TO THE EXACT TIME OF THE SAMBA 4 SERVER WITHIN A FEW SECONDS IF
POSSIBLE.
Configure Windows Client to Join Domain
The following describes how to add a
Windows 7 client to the Samba DC. For other versions of Windows the same
principle applies.
To simplify and to limit errors with DHCP,
we will assign a static IP address to our Windows 7 client NIC.
Configure your network device as follows:
Click 'OK' to save the changes.
Now bring up a command prompt in windows and ping the Samba DC:
ping 192.168.0.2
Verify that DNS is working correctly by pinging the FQDN:
ping samba.mydomain.com
If you get replies from both then
this is a good sign and should mean that your Samba DC is functional.
Also, you may need to reboot Windows for network settings to take
effect.
Configure Date, Time and Time Zone on Windows Client
Active Directory uses Kerberos as the
backend for authentication. Kerberos requires that the system clocks on
the client and server be synchronized to within a few seconds of each
other. If they are not synchronized, then authentication will fail for
apparently no reason. Adjust your date, time and time zone accordingly
on your Windows client to match your Samba 4 server.
Join Windows 7 Client to the Domain
1. Right-click 'My Computer' icon and choose 'Properties'
2. From the left-side pane click 'Advanced system settings'
3. Choose the 'Computer Name' tab and click 'Change...'
4. Select option 'Domain', and insert MYDOMAIN.COM. If this fails just try MYDOMAIN.
5. When it requests a username and
password, type 'Administrator' as the username and then enter your
password. (password = the password you used when you ran the 'samba-tool
domain provision' command)
6. You should get a message box stating 'Welcome to the MYDOMAIN.COM domain'
7. Click OK on this message box and the Properties window, and you will then be instructed to restart your computer.
8. After restarting you should be presented with the normal login dialog. Click on 'Switch User' button.
9. Choose 'Other user' and then enter in the following:
Press 'Enter' or the arrow button.
10. You should then authenticate and then login to Windows.
Install Windows Remote Administration Tools
To install the GUI tools to manage the
domain you must install the Remote Server Administration Tools. This
will allow you to easily manage the domain using Active Directory.
Windows 7
1. Download the Windows Remote Server Administration Tools
2. Follow the 'Install RSAT' instructions
3. Enable the necessary components in
'Control Panel -> Programs -> Turn Windows features on or off
-> Remote Server Administration Tools'
4. You may need to add the Administrative
Tools to your start menu. Right-click 'Start button' and select
'Properties -> Start Menu tab - Customize... -> System
administrative tools - Display on the All Programs menu'
Managing Samba 4 AD DC from Windows 7 Client
This is beyond the scope of this article. For further information please refer to the Samba4 HOWTO.
Configure the Firewall
Once your Windows clients have successfully
joined your Samba 4 DC, it is prudent to
re-enable the firewall on your CentOS 6.3 Samba 4 DC. Simply run the
firewall command again:
# /usr/bin/system-config-firewall-tui
Configure the firewall to have AT LEAST these ports open:
53, TCP & UDP (DNS)
88, TCP & UDP (Kerberos authentication)
135, TCP (MS RPC)
137, UDP (NetBIOS name service)
138, UDP (NetBIOS datagram service)
139, TCP (NetBIOS session service)
389, TCP & UDP (LDAP)
445, TCP (MS-DS AD)
464, TCP & UDP (Kerberos change/set password)
1024, TCP (AD?)
For RSAT tools and extras other ports may need to be opened. Microsoft has a list of the ports required, which you can find here: http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx
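As an alternative to the menu tool, the same port list can be written directly as iptables rules. The script below is an added example, not part of the original howto: it prints an iptables-save style filter table that opens exactly the ports listed above to the LAN only. LAN (192.168.0.0/24, matching the howto's addressing) and the SSH rule on port 22 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto: an iptables rule set (iptables-save
# format) opening exactly the AD ports listed in the howto to hosts on the LAN.
# LAN is an assumption matching the howto's addressing; SSH on 22 is added so the
# root login used throughout keeps working. Rules go to stdout for review first.
LAN="${LAN:-192.168.0.0/24}"

# samba_dc_rules: print a complete filter table for the DC, restricted to LAN sources.
samba_dc_rules() {
    cat <<HDR
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s $LAN -p tcp -m tcp --dport 22 -m comment --comment "SSH (assumption)" -j ACCEPT
HDR
    # One rule per port and protocol. The table is the howto's list verbatim,
    # including 1024/tcp, which the howto itself marks as uncertain.
    while read -r port protos comment; do
        for proto in $(printf '%s' "$protos" | tr ',' ' '); do
            echo "-A INPUT -s $LAN -p $proto -m $proto --dport $port -m comment --comment \"$comment\" -j ACCEPT"
        done
    done <<'PORTS'
53 tcp,udp DNS
88 tcp,udp Kerberos authentication
135 tcp MS RPC
137 udp NetBIOS name service
138 udp NetBIOS datagram service
139 tcp NetBIOS session service
389 tcp,udp LDAP
445 tcp MS-DS AD
464 tcp,udp Kerberos change/set password
1024 tcp AD (as listed in the howto)
PORTS
    echo "COMMIT"
}

# On CentOS 6 the iptables service loads /etc/sysconfig/iptables with iptables-restore,
# so after reviewing the output install it with (not run here):
#   samba_dc_rules > /etc/sysconfig/iptables && service iptables restart
if [ "${1:-}" = print ]; then
    samba_dc_rules
fi
```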