Install Samba Active Directory: Difference between revisions

Server Prep

• apt-get install build-essential libattr1-dev libblkid-dev libgnutls-dev libreadline-gplv2-dev python-dev autoconf python-dnspython gdb pkg-config bind9utils libpopt-dev krb5-config krb5-user libkrb5-dev python-dev libacl1-dev xsltproc docbook apache2-mpm-itk docbook-xsl
• edit /etc/fstab, make sure root mountpoint has acl enabled (ext4 relatime,acl,errors=remount-ro 0 1)

Obtain and Install

• Download latest copy of samba from http://ftp.samba.org/pub/samba/
• cd /usr/src/
• wget http://ftp.samba.org/pub/samba/samba-4.0.7.tar.gz
• tar zxf samba-4.0.7.tar.gz
• cd samba-4.0.7/
• ./configure
• make
• make install
• samba-tool domain provision --realm=computerisms.com --domain=computerisms --host-name=houselian --host-ip=192.168.26.10 --adminpass='The1TrueB0b' --server-role='domain controller' --dns-backend=BIND9_DLZ
• mv /etc/krb5.conf /etc/krb5.conf.orig
• cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
• sed -i '1,/^MANDATORY_MANPATH/ {/^MANDATORY_MANPATH/i\
  MANDATORY_MANPATH /usr/local/samba/share/man
  }' /etc/manpath.config

Start Samba

• ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
• ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so.2
• mkdir -p -m 1755 /var/service/samba
• mkdir -p -m 0755 /var/service/samba/log
• vi /var/service/samba/run
• ln -s /var/service/multilog.run /var/service/samba/log/run
• chmod 755 /var/service/samba/run
• cd /service/
• ln -s /var/service/samba/
• sv <= make sure samba is running

Configure Samba and Related Services

• vi /usr/local/samba/etc/smb.conf
• vi /etc/nsswitch.conf
• vi /etc/hosts
• vi /etc/resolv.conf
• echo "include \"/usr/local/samba/private/named.conf\";" >> /etc/bind/named.conf
• /etc/init.d/bind9 restart
• kinit administrator@COMPUTERISMS.COM
• svc -t /service/samba
• vi /etc/bind/named.conf.options
• echo "restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer" >> /etc/ntp.conf
• /etc/init.d/bind9 restart
• /etc/init.d/ntp restart

Configure Shares

• chgrp -R users /home/data/{people,Departments,Common}
• chmod 2770 /home/data/{people,Departments,Common}

Redirect Domain to External Web Server

• rm /etc/apache2/sites-enabled/000-default
• rm /etc/apache2/sites-available/default*
• rm /Computerisms/sites/index.html
• vi /etc/apache2/ports.conf
• vi /etc/apache2/sites-available/computerisms.com.conf
• a2ensite computerisms.com
• /etc/init.d/apache2 reload
• samba-tool dns add houselian computerisms.com www A 64.251.25.76
• ensure the external webserver is configured with ServerAlias www.computerisms.com

Configure Bind to Allow Samba to Start After Reboot

• vi /root/scripts/bindwait.sh
• crontab -e
  • @reboot sleep 20; nohup bash /root/scripts/bindwait.sh &

Test Everything

• smbclient --version
  Version 4.0.7 <= Confirm output is correct
• smbclient -L localhost -U% <= Confirm shares show up as follows:

Domain=[COMPUTERISMS] OS=[Unix] Server=[Samba 4.0.7]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      
	sysvol          Disk      
	Departments     Disk      Departmental Storage
	IPC$            IPC       IPC Service (Samba 4.0.7)
Domain=[COMPUTERISMS] OS=[Unix] Server=[Samba 4.0.7]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

• smbclient //localhost/netlogon -U'administrator%The1TrueB0b'
  smb: \> quit <= Confirm this brings you to an smb: prompt
• host -t SRV _ldap._tcp.computerisms.com.
  _ldap._tcp.computerisms.com has SRV record 0 100 389 houselian.computerisms.com. <= Confirm output matches this record
• host -t SRV _kerberos._udp.computerisms.com.
  _kerberos._udp.computerisms.com has SRV record 0 100 88 houselian.computerisms.com. <= Confirm output matches this record
• host -t A houselian.computerisms.com.
  houselian.computerisms.com has address 192.168.26.10 <= Confirm output matches this record
• klist <= Confirm spelling and dates are correct:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@COMPUTERISMS.COM

Valid starting    Expires           Service principal
22/07/2013 16:29  23/07/2013 02:29  krbtgt/COMPUTERISMS.COM@COMPUTERISMS.COM
	renew until 23/07/2013 16:29

• ntpq -c "rv 0 clock" 192.168.26.10
  clock=d5984c91.369e0a26 Mon, Jul 22 2013 17:28:01.213 <= Confirm output is correct
• dig computerisms.ca @192.168.26.10 <= Confirm you can resolve non-local domains

Configure Administrative and Authentication Accounts

• samba-tool user setexpiry --noexpiry Administrator
• samba-tool user add bob.miller --given-name=Bob --surname=Miller
• samba-tool group addmembers 'Domain Admins' 'bob.miller'
• samba-tool user setexpiry --noexpiry bob.miller
• samba-tool user add authenticator
• samba-tool user setexpiry --noexpiry authenticator

Join Adminlian to the Domain

• start=>right-click Computer=>properties=>change settings link=>change button=>set domain to COMPUTERISMS.COM=>ok=>Authenticate with account bob.miller=>ok=>close=>restart now
• at logon screen=>switch users=>enter username COMPUTERISMS\bob.miller and correct password
• download and install rsat from http://www.microsoft.com/en-us/download/details.aspx?id=7887
• After RSAT is installed, go into control panel=>programs=>windows features, and enabled RSAT tools.
  • At the very least you will need most of the stuff under role administration tools

Testing and Setup

• Open ADUC=>Create Group listarchive=>Add user bob.miller to it

Write Logon Scripts

• vi /usr/local/samba/var/locks/sysvol/computerisms.com/scripts/logon.bat <= Do this in Notepad at \\houselian\netlogon
• enable script logon.bat for bob.miller

Install the CA by GPO

• This works for IE (most of the time), but not outlook (yet), and each browser has its own cert store
• use winscp to obtain the Computerisms.Certificate.Authority.p12, put it on adminlian's desktop
• open group policy management=>Forest=>Domains=>Computerisms.com=>right-click Default Domain Policy=>Edit
• Computer Configuration=>Policies=>Windows Settings=>Security Settings=>Public Key Policies=>right-click Trusted Root Certification Authorities=>Import
• Next=>Browse to Desktop=>Show all Files=>Select Computerisms.Certificate.Authority.p12=>next=>Enter Password=>Next=>Place in Trusted Root Certifcation Authorities=>Next=>Finish
• click ok. Log out and back in. open IE and browse to anywhere.computerisms.com
  • If cert warning is still presented, check event viewer
    • Windows unable to read the gpt.ini file => run samba-tool ntacl sysvolreset

Notes and Examples

• Syntax example: ldbsearch -H ldap://192.168.26.10:389 -b "CN=Users,DC=computerisms,DC=com" -U administrator@COMPUTERISMS.COM cn=*