[Samba] RE : debian wheezy, sernet samba 4.1.3 join Windows 2008R2 AD as DC. Success ( basic Howto included )

Hubert, Laurent Laurent.Hubert at USherbrooke.ca
Fri Dec 27 09:38:49 MST 2013


Thanks for your How To Louis.
Looks like a Christmas gift!

Here is one question and one comment.

Q: What will be your modifications for a member server instead of an AD DC?
I suppose we have to remove the bind section, install sernet-samba instead of sernet-samba-ad,
and use SAMBA_START_MODE="classic" in /etc/default/sernet-samba. Do you agree? Do you see other changes?


C: My comment is about the line
   chmod 755 /var/lib/samba/private/
that you set in order to allow bind to access its files in /var/lib/samba/private/.
I think that, when the setup is validated, it is more appropriate, with security in mind,
to set the group owner of /var/lib/samba/private/ to the bind group.

drwxr-x---  2 root bind           4096 déc  5 15:33 private

As you have done for  /var/lib/samba/private/dns.keytab  and /var/lib/samba/private/dns/


Anyway thanks for this contribution.

Laurent


________________________________________
From: samba-bounces at lists.samba.org [samba-bounces at lists.samba.org] on behalf of L.P.H. van Belle [belle at bazuin.nl]
Sent: 23 December 2013 02:48
To: samba at lists.samba.org
Subject: [Samba] debian wheezy, sernet samba 4.1.3 join Windows 2008R2 AD as DC. Success ( basic Howto included )

Hai,

After several setups and tests I completed a successful install of sernet samba 4.1.3 which joined a windows 2008R2 AD domain.
You can use this also on ubuntu 12.04.

This is the "HowTo" of how I did my setup.
Questions and improvements, please add them and share them.

# ( date 23-12-2013 )
# Sernet samba 4.1.3 on debian Wheezy
# Windows 2008R2 AD DC , with dhcp and dns.
# SETUP : Samba 4 AD DC with bind9 DLZOPEN , joined as DC.
#
# info found on these site links:
#
# https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
# http://wiki.samba.org/index.php/Dns-backend_bind
# https://wiki.samba.org/index.php/Configure_NTP
# https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
#
# and lots of info for the mailing list users, thank you guys and girls.
#
#
# PRE SETUP !
# I'm adding the linux hostname and IP address in the dns server of windows before installing debian.
#
# Install a minimal debian wheezy with only ssh-server installed from the installer menu.
# use hostname AND domainname, and keep the same as windows server dns.
#
# remove the cdrom line ( or put # in front ) of /etc/apt/sources.list if needed.
apt-get update
apt-get install apt-transport-https mc zip bzip2 arj
update-alternatives --config editor
# ( I'm choosing mcedit as default, use whatever you prefer. )
#
# setup apt : create file :
mcedit /etc/apt/sources.list.d/sernet-samba-4.1.list
#
# add the sernet lines to it, you need to register at sernet for this, it's free.
# go to http://www.enterprisesamba.com/samba/
#
# install the sernet keys for authenticity:
wget http://ftp.sernet.de/pub/sernet-samba-keyring_1.4_all.deb
dpkg -i sernet-samba-keyring_1.4_all.deb
rm sernet-samba-keyring_1.4_all.deb
#
apt-get update
apt-get upgrade
# if ok, nothing to do, if not update before proceeding.
#
#
# check the hostname and domainname of the server.
hostname -f
# ( gives hostname.mainoffice.domain.tld )
hostname -s
# ( gives hostname )
hostname -d
# ( gives mainoffice.domain.tld )
#
# check : /etc/hosts file.
cat /etc/hosts
# you should not have 127.0.1.1 servername.domain.tld
# change the 127.0.1.1 to the correct ip ( as in DNS exists )
# check : /etc/resolv.conf
cat /etc/resolv.conf
# this is minimal
# domain subdomain.domain.tld
# search subdomain.domain.tld
# nameserver IP_OF_AD_SERVER ( or another server which can resolve the windows dns and AD )
# ( you can have 3 nameserver ips! )
# also I'm using domain and search, because I have multiple domains in my dns server.
# with search and domain I always have the main domain to search in first.
#
reboot
# ( just to be sure.  )
#
# Setup samba as DC in windows domain.
apt-get install sernet-samba-ad bind9 acl attr quota fam libnet-ldap-perl krb5-user ntp
#
# After install, rights to watch out for.
ls -al /var/lib/samba/
# drwxr-x---  2 root root 4096 Dec  7 20:46 private
# i.m.o. this should be drwxr-xr-x  ( 755 )
# now bind cannot access the private folder and we need to access it.
# ( we will do this AFTER the join, because the join will reset rights also )
ls -al /var/lib/samba/private
# ( at this point empty )
#
# stop some services before we change them.
/etc/init.d/bind9 stop
/etc/init.d/ntp stop
#
# so at this point almost nothing is running, only ssh-server  ( syslog fam )
#
#
# ---- SETUP Time: service NTP
# http://wiki.samba.org/index.php/Configure_NTP
# setup time server for the samba server.
# edit  /etc/ntp.conf
mcedit /etc/ntp.conf
# add at least:
server IP_OF_AD_server
# If you're using a windows server as time source, do not add external or other time servers in the config.
# 1 server has external source, all other connect to the internal server ( the windows AD server )
#
# and i added
server my_time_ad_windows_server_IP_address
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
# start ntp
/etc/init.d/ntp start
#
# time will sync, if you have more than 5 min difference, set the time manually the first time.
# reboot the server if you did set the time manually.
# on my server the bios time is set to UTC.
# on the os the time is set to UTC +1 hours ( for me, depends on your time zone )
# ( set time:  date -s "2 OCT 2006 18:00:00" )
# ( set clock to hardware bios:  hwclock --systohc --utc )
#
# reboot and check again if you changed your time. !
#
#
# ---- SETUP bind9: service DNS
# http://wiki.samba.org/index.php/Dns-backend_bind
# change in /etc/bind/named.conf.options
mcedit /etc/bind/named.conf.options
# change auth-nxdomain yes
# add     allow-transfer { none; };
#         notify no;
#         empty-zones-enable no;
#
#         allow-query {
#         127.0.0.1/32;
#         192.168.1.0/24;        <=change to your ip range
#         };
#
#         allow-recursion {
#         127.0.0.1/32;
#         192.168.1.0/24;       <=change to your ip range
#         };
#
#  // DNS dynamic updates via Kerberos (optional, but recommended)
#  // added before we need it, therefore the // in the next line.
#     //    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
#
# ##
#
# change /etc/bind/named.conf.local
mcedit /etc/bind/named.conf.local
# So now just add in named.conf.local these lines: ( keep the // , we remove it later )
# // adding the dlopen ( Bind DLZ ) module for samba
# //include "/var/lib/samba/private/named.conf";
#
# ok, bind setup is ready, test it.
# start bind :
/etc/init.d/bind9 start
#
# test bind :
host 127.0.0.1 127.0.0.1
host localhost. 127.0.0.1
#
# ----- SETUP / CHECK krb5.conf
# the debian default works out of the box, IF you set the domainname correct at install of the server.
# test kerberos:
type: kinit administrator
type: klist
#
# -------------------------------------------------------
#
# ---- SETUP SAMBA: service ad / smb /nmbd
# enable ad in /etc/default/sernet-samba for the AD server.
mcedit /etc/default/sernet-samba
# change this to : SAMBA_START_MODE="ad"
# change      : SAMBA_RESTART_ON_UPDATE="yes"
#
# Do not start samba yet.
#
#
# Join the domain.
samba-tool domain join SUBDOMAIN.DOMAIN.TLD DC -Uadministrator --realm=SUBDOMAIN.DOMAIN.TLD --dns-backend=BIND9_DLZ
# and at the end you see:
# Joined domain ROTTERDAM (SID S-1-5-21-3130855540-2228390408-1497266713) as a DC
#
# Now we recheck the rights of folders and files in /var/lib/samba/private/
#
ls -al /var/lib/samba     # ( about the same as before joining )
# The important folder :
ls -al /var/lib/samba/private/
# drwxrwx--- 3 root bind    4096 Dec 20 11:36 dns
# -rw------- 1 root root     947 Dec 20 11:36 dns.keytab
# -rw-r--r-- 1 root root    2270 Dec 20 11:36 dns_update_list
# -rw------- 1 root root 1286144 Dec 20 11:36 hklm.ldb
# -rw------- 1 root root 1286144 Dec 20 11:36 idmap.ldb
# -rw-r--r-- 1 root root     100 Dec 20 11:36 krb5.conf
# -rw-r--r-- 1 root root     575 Dec 20 11:36 named.conf
# -rw-r--r-- 1 root root    2204 Dec 20 11:36 named.txt
# -rw------- 1 root root 1286144 Dec 20 11:36 privilege.ldb
# -rw------- 1 root root 4251648 Dec 20 11:36 sam.ldb
# drwxr-x--- 2 root bind    4096 Dec 20 11:36 sam.ldb.d
# -rw------- 1 root root    1367 Dec 20 11:36 secrets.keytab
# -rw------- 1 root root 1286144 Dec 20 11:36 secrets.ldb
# -rw------- 1 root root  430080 Dec 20 11:36 secrets.tdb
# -rw------- 1 root root 1286144 Dec 20 11:36 share.ldb
# -rw-r--r-- 1 root root     955 Dec 20 11:36 spn_update_list
# drwx------ 2 root root    4096 Dec 20 11:36 tls
#
#
# The files generated are in /var/lib/samba/private/
# I changed the rights on the private folder so it's accessible for bind.
# chmod 755 /var/lib/samba/private
#
# read /var/lib/samba/private/named.txt and for debian/ubuntu we change the group from named to bind
chgrp bind /var/lib/samba/private/dns.keytab
chmod g+r /var/lib/samba/private/dns.keytab
#
# compare the sam database folders
# root at mysamba4servername:/var/lib/samba/private# ls -al dns/sam.ldb.d/
# total 27932
# drwxrwx--- 2 root bind    4096 Dec 20 11:36 .
# drwxrwx--- 3 root bind    4096 Dec 20 11:36 ..
# -rw-rw---- 1 root bind 8183808 Dec 20 11:36 CN=CONFIGURATION,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 1 root bind 8986624 Dec 20 11:36 CN=SCHEMA,CN=CONFIGURATION,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind 5398528 Dec 20 11:36 DC=DOMAINDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind 4317184 Dec 20 11:36 DC=FORESTDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 1 root bind 1286144 Dec 20 11:36 DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind  421888 Dec 20 11:36 metadata.tdb
#
# root at mysamba4servername:/var/lib/samba/private# ls -al sam.ldb.d/
# total 34724
# drwxr-x--- 2 root bind     4096 Dec 20 11:36 .
# drwxr-x--- 5 root root     4096 Dec 20 11:36 ..
# -rw------- 1 root root 10547200 Dec 20 11:36 CN=CONFIGURATION,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw------- 1 root root 10547200 Dec 20 11:36 CN=SCHEMA,CN=CONFIGURATION,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind  5398528 Dec 20 11:36 DC=DOMAINDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind  4317184 Dec 20 11:36 DC=FORESTDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw------- 1 root root  4317184 Dec 20 11:36 DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind   421888 Dec 20 11:36 metadata.tdb
#
# 3 should be the same, these are hardlinked. ( info see wiki.samba.org )
# -rw-rw---- 2 root bind   421888 Dec 20 11:36 metadata.tdb
# -rw-rw---- 2 root bind  5398528 Dec 20 11:36 DC=DOMAINDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind  4317184 Dec 20 11:36 DC=FORESTDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
#
#
#
# stop bind:
/etc/init.d/bind9 stop
# enable the keytab line :         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
# remove the //  in front .
# enable the  include "/var/lib/samba/private/named.conf";
#
#
# start bind:
/etc/init.d/bind9 start
# check logs :
grep named /var/log/daemon.log
# look for ( something like ) :
# Dec 20 12:56:36 mysamba4servername named[12362]: Loading 'AD DNS Zone' using driver dlopen
# Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: started for DN DC=SUBDOMAIN,DC=DOMAIN,DC=TLD
# Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: starting configure
# Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: configured writeable zone '249.168.192.in-addr.arpa'
# Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: configured writeable zone 'SUBDOMAIN.DOMAIN.TLD'
# Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: configured writeable zone '_msdcs.SUBDOMAIN.DOMAIN.TLD'
# and
# Dec 20 12:56:36 mysamba4servername named[12362]: running
#
# start samba
/etc/init.d/sernet-samba-ad start
# check logs.
cat /var/log/daemon.log
# Dec 20 12:58:34 mysamba4servername smbd[12520]: [2013/12/20 12:58:34.159605,  0] ../source3/printing/print_cups.c:151(cups_connect)
# Dec 20 12:58:34 mysamba4servername smbd[12520]:   Unable to connect to CUPS server localhost:631 - Connection refused
# Dec 20 12:58:34 mysamba4servername smbd[12519]: [2013/12/20 12:58:34.160474,  0] ../source3/printing/print_cups.c:528(cups_async_callback)
# Dec 20 12:58:34 mysamba4servername smbd[12519]:   failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
#
# to disable these printing messages.
# add in smb.conf ( global )
# ---- disable printing completely
#        load printers = no
#        printing = bsd
#        printcap name = /dev/null
#        disable spoolss = yes
#
# I prefer a separate server which is only a print server.
#
# samba created the ntp_signd folder in /var/lib/samba
# now correct the rights so ntp can access it.
#
chgrp ntp /var/lib/samba/ntp_signd
#
/etc/init.d/sernet-samba-ad restart
#
# test
samba-tool drs showrepl                        # ( will resolve the windows server )
samba-tool drs showrepl mysamba4servername     # ( will resolve over the samba server )
#
# you can ignore:
# Warning: No NC replicated for Connection!
# ( see faq, below on wiki https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC )
#
# This done, you now have a basic samba4 setup running without errors.
# this server will be DC only, only going to use the netlogon ( and sysvol ) for this setup.
# users will login on the server, only connect to sysvol/netlogon
# so no need for getent wbinfo ( etc etc )
#
# for your info : getent passwd gives only my linux users back.
#      : wbinfo -u ( -g )  gives only my windows AD users.
#   for users, config your nsswitch.conf in /etc/  but you better do this on the "file/member" server.
#
#
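Added here as an example, not code from the HOWTO above nor from the Samba project: a small POSIX sh script that applies the reply's suggestion (group bind on the private directory with mode 750, instead of chmod 755) to the post-join layout listed above, and then checks that the root-only databases and secrets.keytab stayed closed. The directory path, the group name and the list of files checked are assumptions taken from the listings in the HOWTO.

```shell
#!/bin/sh
# Assumptions: $1 = Samba private directory (/var/lib/samba/private on Debian),
# $2 = group of the DNS daemon (bind on Debian/Ubuntu, named elsewhere).

mode_of() {
    # symbolic mode string, e.g. drwxr-x---, without needing GNU stat
    ls -ld "$1" | cut -c1-10
}

harden_samba_private() {
    priv="$1"; grp="$2"
    # named only has to traverse the directory: group r-x, nothing for "other"
    chgrp "$grp" "$priv" || return 1
    chmod 750 "$priv" || return 1
    # dns.keytab (GSS-TSIG updates): the HOWTO's chgrp bind + g+r, i.e. 640
    if [ -f "$priv/dns.keytab" ]; then
        chgrp "$grp" "$priv/dns.keytab" && chmod 640 "$priv/dns.keytab" || return 1
    fi
    # dns/ holds the DLZ zone databases that named writes, hence group rw there
    if [ -d "$priv/dns" ]; then
        chgrp -R "$grp" "$priv/dns" && chmod 770 "$priv/dns" || return 1
    fi
}

check_samba_private() {
    # returns 0 when the directory is 750, dns.keytab is 640 and the databases
    # named never touches are still root-only (0600); prints each offender
    priv="$1"; rc=0
    [ "$(mode_of "$priv")" = "drwxr-x---" ] || { echo "not 750: $priv"; rc=1; }
    if [ -f "$priv/dns.keytab" ] && [ "$(mode_of "$priv/dns.keytab")" != "-rw-r-----" ]; then
        echo "dns.keytab not 640: $(mode_of "$priv/dns.keytab")"; rc=1
    fi
    for f in sam.ldb secrets.ldb secrets.keytab secrets.tdb; do
        [ -f "$priv/$f" ] || continue
        [ "$(mode_of "$priv/$f")" = "-rw-------" ] || { echo "too open: $priv/$f"; rc=1; }
    done
    return $rc
}
```

Run it as root after the join and after every Samba package upgrade, since the HOWTO notes the join resets these rights.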

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

