Creating a Domain Controller with Centos 7

Issues related to configuring your network
barry905
Posts: 89
Joined: 2014/07/18 02:11:38

Creating a Domain Controller with Centos 7

Post by barry905 » 2015/09/04 02:10:32

Way back in the dim and distant past – well, 2008 to be exact – I finally replaced my Windows 2003 domain controller with one built using Linux (initially Fedora and then Centos), samba, Fedora Directory Server and the BIND packages. The good thing about it was that it worked and gave me the file services that I was looking for and centralized authorization, but the downside was that administration of it was a pig. I ended up developing scripts to semi-automate as much of the tedium as I could. And then Centos 7 came out, and samba 4. Such excitement.

So to start the upgrade I looked at the different internet articles written about the setup procedure. I then tried a number, but none worked. Or at least, not for me. So I thought I would document exactly what I did in the hope that others might benefit.

Acknowledgments:

This document is a continuation, if you will, of the Setup a Samba Active Directory Domain Controller document that can be found on the samba.org wiki, here: https://wiki.samba.org/index.php/Setup_ ... Controller. To the author(s) of that document I offer my heartfelt thanks, but found that the document did not cover all the steps required to implement a Domain Controller using samba 4. This is my attempt to continue that document to include all necessary steps.

Needless to say, any errors and omissions in this document are mine and mine alone, and I would appreciate it if you would let me know of any that you find.


Background:

Over a number of years I have developed a home network that I use to test my wilder flights of fancy. Typically I use this setup to evaluate operating systems, software packages and hardware components. I use it both for functional tests and performance testing, so all the hardware is available to be re-used and re-configured at any time. The only exceptions to this are three disks that are reserved as data disks; they contain either the original or backup copies of all data that I do not want to lose. For this reason, I tend to use separate disks for the operating system in all my machines, and keep the data on other disks.

So my testbed comprises three servers and three workstations. The whole is physically wired together and shares a single IP addressing scheme. This table describes their functions.

Hostname     Function            Operating System
seagoon      Domain Controller   Centos 7.1
minnie       Mail Server         Centos 7.1
bloodnock    Web Server          Centos 7.1
eccles       Workstation         Windows 7
bluebottle   Workstation         Windows XP
moriarty     Workstation         Fedora 22

Prerequisites for the domain controller:

I installed the latest version of Centos for this, and added all the updates so that I had the latest versions of all the software packages. I installed the KDE workstation with the optional extras. No development kit.

So on to selecting a version of samba. The implementation of samba 4 in the Centos repositories uses MIT Kerberos, which does not support the Active Directory Domain Controller (Kerberos issues). The sernet implementation uses Heimdal Kerberos, which does. Effectively my existing dc doesn't use Kerberos at all, and acts as an NT style dc. So I could either go with that again or see if I could get a real one working. I made the decision to use the Sernet version, which provides the functionality up to AD 2008 R2.

This leads to more choices. I now had to decide whether to use a free-standing DNS package (BIND) and integrate that, or to use the internal DNS server. I decided that I did not need the extra functionality offered by bind as my network is not that complex and unlikely to get so (unless I win multi-millions), so I went with the internal DNS server.

To save a huge complication I shut down selinux and the firewall. After I get this up and running I will look more closely at these two and configure them. I tried installing with both of these running and, to put it mildly, the number of failures I experienced was frightening. So I shut them down. I also added test procedures during the installation process, as incremental checks to make sure everything was good so far.

These are the settings I decided to use:

AD DC Hostname: seagoon
AD DNS Domain Name: home
Kerberos Realm: HOME.LOCAL
NT4 Domain Name/NetBIOS Name: HOME
IP Address: 192.168.1.2
Server Role: Domain Controller (DC)
Forwarder DNS Server: 64.71.205.178


Now we can begin configuring.

Firstly, add the necessary repositories so that we can get the latest version of samba. Create the repository file to look like this:

[sernet-samba-4.2]
name=SerNet Samba 4.2 Packages (centos-7)
type=rpm-md
baseurl=https://sernet-samba-public:Noo1oxe4zo@download.sernet.de/packages/samba/4.2/centos/7/
gpgcheck=1
gpgkey=https://sernet-samba-public:Noo1oxe4zo@download.sernet.de/packages/samba/4.2/centos/7/repodata/repomd.xml.key
enabled=1

Next shut down selinux and the firewall

$ kwrite /etc/sysconfig/selinux
$ systemctl stop firewalld
$ systemctl disable firewalld

Now we need to install the sernet version. This is now simple.

$ yum install 'sernet-samba*' -y
$ samba -V
$ smbclient -V

These last two commands will give the version of samba installed, showing that it is working. Next to configure the domain. Initially get rid of any smb.conf file that you have installed. If you don’t then you lose the configuration information.

$ rm /etc/samba/smb.conf
$ samba-tool domain provision --use-rfc2307 --interactive

We now have a domain controller set up. The output from this will look something like:

$ samba-tool domain provision --use-rfc2307 --interactive
Realm: HOME.LOCAL
Domain [HOME]: home
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.2]: 64.71.255.198
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=home,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=home,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: seagoon
NetBIOS Domain: HOME
DNS Domain: home.local
DOMAIN SID: S-1-5-21-4099758469-585074862-2330530104



It also creates the Kerberos configuration file, which then needs to be copied into /etc.

$ cp /var/lib/samba/private/krb5.conf /etc

Now edit the samba start file so that it starts as AD

$ kwrite /etc/default/sernet-samba

And edit the SAMBA_START_MODE line to be “ad”

Now configure Centos so that samba starts up when you reboot.

$ systemctl start sernet-samba-ad
$ chkconfig sernet-samba-ad on
$ chkconfig sernet-samba-smbd off
$ chkconfig sernet-samba-nmbd off
$ chkconfig sernet-samba-winbindd off

So now it is test time. First check that AD is up and running at the correct level and that we can access the data store.

$ samba-tool domain level show
$ smbclient -L localhost -U%
$ smbclient //localhost/netlogon -UAdministrator -c 'ls'

Next test the DNS component to make sure it has the appropriate entries for AD.

$ host -t SRV _ldap._tcp.home.local
$ host -t SRV _kerberos._udp.home.local
$ host -t A seagoon.home.local

Now test the Kerberos implementation to ensure that it is set up correctly.

$ kinit administrator@HOME.LOCAL
$ klist

Finally add a user to AD

$ samba-tool user list
$ samba-tool user add barry
$ samba-tool group list

All that remains now is to go to your Windows boxes and join them to the domain.

**EDIT** Most of the commands listed here were the result of cutting and pasting the history of my installation. Unfortunately I did not completely clean up the errors I made - so I have just done that.
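The whole build above, collected into one script as an added example. This is not barry905's code: it takes the repo file, paths, settings block and check commands from the post, but makes two changes a practitioner would want before putting a DC on a network. SELinux is put in permissive mode (denials are logged, nothing is blocked, so you can still write the policy later) instead of being disabled, and firewalld is left running with only the ports an AD DC needs opened instead of being turned off. The port list is the standard AD DC set (DNS, Kerberos, RPC endpoint mapper, NetBIOS, LDAP/LDAPS, SMB, kpasswd, global catalog, dynamic RPC range); the non-interactive provision flags, the `ADMIN_PASS` environment variable and the `apply` argument are assumptions. Nothing is changed on the host unless the script is run as `sh dc.sh apply`.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a Samba AD DC with the
# SerNet 4.2 packages, keeping SELinux (permissive) and firewalld (DC ports only).
set -eu

DC_HOST=seagoon
DNS_DOMAIN=home.local
REALM=HOME.LOCAL
NETBIOS=HOME
DC_IP=192.168.1.2
DNS_FWD=64.71.205.178

# 1. SerNet repository file, contents as posted (one username on both URLs).
write_sernet_repo() {                      # $1 = destination file
    cat > "$1" <<'EOF'
[sernet-samba-4.2]
name=SerNet Samba 4.2 Packages (centos-7)
type=rpm-md
baseurl=https://sernet-samba-public:Noo1oxe4zo@download.sernet.de/packages/samba/4.2/centos/7/
gpgcheck=1
gpgkey=https://sernet-samba-public:Noo1oxe4zo@download.sernet.de/packages/samba/4.2/centos/7/repodata/repomd.xml.key
enabled=1
EOF
}

# 2. Idempotent KEY=value edit; replaces the two kwrite sessions in the post
#    (/etc/sysconfig/selinux and /etc/default/sernet-samba).
set_kv() {                                 # $1 = file, $2 = key, $3 = value
    if grep -q "^$2=" "$1" 2>/dev/null; then
        sed "s|^$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}
get_kv() { sed -n "s|^$2=||p" "$1" | tail -n 1; }   # $1 = file, $2 = key

# 3. Ports an AD DC must accept: DNS, Kerberos, RPC endpoint mapper, NetBIOS,
#    LDAP/LDAPS, SMB, kpasswd, global catalog and the dynamic RPC range.
DC_PORTS='53/tcp 53/udp 88/tcp 88/udp 135/tcp 137/udp 138/udp 139/tcp
389/tcp 389/udp 445/tcp 464/tcp 464/udp 636/tcp 3268/tcp 3269/tcp 49152-65535/tcp'

dc_firewall_cmds() {                       # prints the commands; pipe to sh to apply
    for p in $DC_PORTS; do
        printf 'firewall-cmd --permanent --add-port=%s\n' "$p"
    done
    printf 'firewall-cmd --reload\n'
}

# 4. The incremental checks from the post, in the order they were run.
dc_checks() {
    samba-tool domain level show
    smbclient -L localhost -U%
    smbclient //localhost/netlogon -UAdministrator -c 'ls'
    host -t SRV "_ldap._tcp.$DNS_DOMAIN"
    host -t SRV "_kerberos._udp.$DNS_DOMAIN"
    host -t A "$DC_HOST.$DNS_DOMAIN"
    kinit "administrator@$REALM" && klist
}

build_dc() {                               # run as root: sh dc.sh apply
    write_sernet_repo /etc/yum.repos.d/sernet-samba-4.2.repo
    set_kv /etc/sysconfig/selinux SELINUX permissive   # takes effect at boot; setenforce 0 applies it now
    dc_firewall_cmds | sh
    yum install -y 'sernet-samba*'
    rm -f /etc/samba/smb.conf                 # as in the post: start from no smb.conf
    samba-tool domain provision --use-rfc2307 --realm="$REALM" --domain="$NETBIOS" \
        --server-role=dc --dns-backend=SAMBA_INTERNAL --host-ip="$DC_IP" \
        --dns-forwarder="$DNS_FWD" --adminpass="${ADMIN_PASS:?export ADMIN_PASS first}"
    cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
    set_kv /etc/default/sernet-samba SAMBA_START_MODE ad
    systemctl enable sernet-samba-ad          # systemd form of the chkconfig lines
    systemctl disable sernet-samba-smbd sernet-samba-nmbd sernet-samba-winbindd
    systemctl start sernet-samba-ad
    dc_checks
}

if [ "${1:-}" = apply ]; then build_dc; fi
```

Passing `--host-ip` explicitly matters on any box with more than one address (a libvirt bridge, a second NIC), because otherwise provision picks one for you and that address is what ends up in the AD DNS records. If a later step still fails with the firewall up, `firewall-cmd --list-ports` and the SELinux audit log tell you which of the two is in the way, which is the information you lose by switching both off.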

rjwren79
Posts: 1
Joined: 2017/01/11 19:11:32

Re: Creating a Domain Controller with Centos 7

Post by rjwren79 » 2017/01/11 19:22:35

barry905,
How did you create the repository file for samba?

Thanks,
RJ

lem2405
Posts: 2
Joined: 2007/05/02 20:38:01
Contact:

Re: Creating a Domain Controller with Centos 7

Post by lem2405 » 2017/02/01 03:02:50

This is the error I'm getting:


[root@dc1 ~]# samba-tool domain provision --use-rfc2307 --interactive
Realm [CENTOS.COM]: 
 Domain [CENTOS]: 
 Server Role (dc, member, standalone) [dc]: 
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: 
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.10.1]: 
Administrator password: 
Retype password: 
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.122.1
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=centos,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2237
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 434, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2169, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1792, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1450, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "/usr/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 224, in add_ldif
    self.add(msg, controls)

Any ideas?

Regards,

Lester Espinosa

charlweed
Posts: 14
Joined: 2016/01/22 16:54:25

Re: Creating a Domain Controller with Centos 7

Post by charlweed » 2017/02/16 20:30:29

I had that error as well. To get around it, I renamed /etc/krb5.conf to /etc/krb5.conf.orig, then re-ran the provision command. Seems to work past the error. I could provision, and join an existing AD domain as a DC. Replication worked.

But after I joined the domain, kinit fails with "unexpected response" errors. So there is more to do...
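Two pre-provision checks that lem2405's output and charlweed's workaround point at, as an added example that is not code from either poster. The line "More than one IPv4 address found. Using 192.168.122.1" in lem2405's transcript means provision chose an address itself, and 192.168.122.1 is the default address of libvirt's virbr0 bridge, not the LAN; the script below refuses to provision until an interface is named and passes the result with `--host-ip`. It also moves an existing /etc/krb5.conf aside, as charlweed did, but keeps a dated copy. The `ip -4 -o addr show` sample lines are constructed for the test; the interface name and the `apply` argument are assumptions.

```shell
#!/bin/sh
# Added example, not from any post in this thread: pick the DC address
# explicitly and stash the old Kerberos config before samba-tool provision.
set -eu

# Constructed sample in the shape of `ip -4 -o addr show` (three addresses,
# one of them a libvirt bridge), used only for the self-test below.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth0
3: virbr0    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0'

# Non-loopback IPv4 addresses (prefix length stripped) from ip(8) output.
global_ipv4() {                            # $1 = ip -4 -o addr show output
    printf '%s\n' "$1" | awk '$3 == "inet" && $4 !~ /^127\./ { sub("/.*", "", $4); print $4 }'
}

# Address to hand to --host-ip. One candidate: use it. Several: the caller
# must name the interface, otherwise refuse rather than let provision guess.
choose_host_ip() {                         # $1 = ip output, $2 = interface or ""
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$1" | awk -v dev="$2" \
            '$2 == dev && $3 == "inet" { sub("/.*", "", $4); print $4; exit }'
    else
        n=$(global_ipv4 "$1" | wc -l)
        if [ "$n" -ne 1 ]; then
            echo "choose_host_ip: $n candidate addresses, name the interface" >&2
            return 1
        fi
        global_ipv4 "$1"
    fi
}

# Move an existing Kerberos config out of the way, keeping a dated copy
# (charlweed renamed it to .orig; this does the same without overwriting).
stash_krb5_conf() {                        # $1 = path, normally /etc/krb5.conf
    [ -e "$1" ] || return 0
    mv "$1" "$1.$(date +%Y%m%d%H%M%S).orig"
}

provision_dc() {                           # $1 = interface the DC should answer on
    host_ip=$(choose_host_ip "$(ip -4 -o addr show)" "$1")
    [ -n "$host_ip" ] || { echo "no IPv4 address on $1" >&2; return 1; }
    stash_krb5_conf /etc/krb5.conf
    rm -f /etc/samba/smb.conf
    samba-tool domain provision --use-rfc2307 --interactive --host-ip="$host_ip"
    cp /var/lib/samba/private/krb5.conf /etc/krb5.conf   # the generated one, as in the post
}

if [ "${1:-}" = apply ]; then provision_dc "${2:-eth0}"; fi
```

Run as `sh preprovision.sh apply eth0` on the DC. The stash step is what charlweed's fix does by hand; keeping the dated copy means the original CentOS krb5.conf is still there to compare against when, as charlweed found, kinit misbehaves after the join.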

mmontefl
Posts: 1
Joined: 2017/05/27 21:39:15

Re: Creating a Domain Controller with Centos 7

Post by mmontefl » 2017/05/27 21:42:35

Any update to this? I installed 2 IPA servers before I realized it's not exactly what I need. I would like to have better support for Windows.
