How to Install Samba as DC on Ubuntu Server 18.04

[LHammonds]

RESEARCH ON HOLD

Do not attempt to follow any notes typed up so far

GOALS:
* Create an Active Directory Domain Controller
* Allow Windows PCs to authenticate against the domain
* Allow Windows PCs to join the domain
* Share files on Linux to Windows PCs

Outline

1. DONE - Install Ubuntu Server
2. DONE - Prerequisites
3. DONE - Samba DC Install (Primary)
4. NOT STARTED - Samba DC Install (Secondary)
5. DONE - Domain user management
6. DONE - Setup file shares
7. NOT STARTED - Backup / Restore domain
8. NOT STARTED - DNS
9. NOT STARTED - DHCP
10. NOT STARTED - ?

Might need to break it out into phases:

1. Phase 1 = DC1
2. Phase 2 = DNS
3. Phase 3 = DHCP
4. Phase 4 = File Shares
5. Phase 5 = DC2
6. Phase 6 = Backups

BeyondTrust direct download (Likewise-Open) - GitHub

Windows AD Note: Guide on how to join to MS AD

Old Outline when I "thought" I would be doing OpenLDAP and Samba Active Directory:

1. IN PROGRESS - Directory Design
2. DONE - Install Ubuntu Server
3. DONE - Prerequisites
   • DONE - Hostname / Domain name resolution
   • DONE - Install Apache web server
   • NOT STARTED - Create self-signed SSL certificate
   • NOT STARTED - Apply SSL to Apache
4. DONE - Install OpenLDAP
5. IN PROGRESS - Configure OpenLDAP
6. NOT STARTED - Configure organizational units via command-line
7. NOT STARTED - Configure organizational units via web-interface
8. NOT STARTED - Configure users via command-line
9. NOT STARTED - Configure users via web-interface
10. NOT STARTED - Join Windows computers to the domain
11. NOT STARTED - Join Linux computers to the domain
12. NOT STARTED - Backup / Restore
13. NOT STARTED - Redundant server

--------------------------------------------------------------------------------------------------------------

Greetings and salutations,

I hope this thread will be helpful to those who follow in my foot steps as well as getting any advice based on what I have done / documented.

To discuss this thread, please participate here: Ubuntu Forums >>need to create thread<<

High-level overview

This thread will cover installation of a dedicated Ubuntu server as an Active Directory server. Samba will be used as the authentication and file-sharing service (separately). The server will be installed inside a virtual machine in vSphere running on ESXi servers. Notes will also be supplied for doing the same thing for VirtualBox on a Windows 7/8/10 PC. Although there are some VMware-specific and VirtualBox-specific steps, they are very few and the majority of this documentation will work for other Virtual Machines or even directly installed onto a physical machine (e.g. bare-metal install). If you have any advice on doing things better, please let me know by replying to >>this thread on the Ubuntu forums<< (need to create).

Tools utilized in this process

• Ubuntu Server 18.04.3 LTS, 64-bit
• Samba 4.3.11
• Portable PuTTY 0.72
• VMware vSphere 6.0.0
• VirtualBox 6.0.12

Helpful links

The list below are sources of information that was helpful in the creation of this document.

• Single Sign-On
• Ubuntu Documentation
• Ubuntu Firewall Basics
• Samba Documentation
• Setting up Samba as an active domain controller
• Avorix DC Install script (only for useful snippets)

Assumptions

This documentation will need to make use of some very-specific information that will most-likely be different for each person / location. And as such, this information will be noted in this section. They will be highlighted in red throughout the document as a reminder that you should plug-in your own value rather than actually using these "place-holder" values.

Under no circumstance should you use the actual values listed below. They are place-holders for the real thing. This is just a checklist template you need to have answered before you start the install process.

Wherever you see RED in this document, you need to substitute it for you will use in your environment.

• Domain Name: mydomain.local
• Ubuntu Server name: dc1
• Server FQDN: dc1.mydomain.local
• Domain Admin Password: MyDomainAdminPass
• Internet domain: mydomain.local
• Ubuntu Server IP address: 192.168.107.99
• Ubuntu Server IP subnet mask: 255.255.255.0
• Ubuntu Server IP gateway: 192.168.107.1
• Internal DNS Server 1: 192.168.107.212
• Internal DNS Server 2: 192.168.107.213
• External DNS Server 1: 8.8.8.8
• Ubuntu Admin ID: administrator
• Ubuntu Admin Password: myadminpass
• Email Server (remote): 192.168.107.25

It is also assumed the reader knows how to use the VI editor. If not, you will need to beef up your skill set or use a different editor in place of it.

[LHammonds]

Install Ubuntu Server

The Ubuntu Server Long-Term Support (LTS) is free but we have the option of buy support and that is the main reason this server was selected.

The steps for setting up the base server are covered in this article: How to install and configure Ubuntu Server

It is assumed that the server was configured according to that article with the exceptions that the assumptions in red (variables above) are used instead of the assumptions in that document since we are building a Samba server.

[LHammonds]

Prerequisites

Code: Select all

vi /etc/hosts

127.0.0.1 localhost localhost.localdomain 192.168.107.99 dc1.mydomain.local dc1

NOTE: The hostname and domain name must not resolve to the loopback IP (127.0.0.1 or 127.0.1.1)

Code: Select all

vi /etc/hostname

dc1

Make sure to add "acl" to the options for each partition in /etc/fstab

Code: Select all

vi /etc/fstab

Code: Select all

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/dc1--vg-root /               ext4    errors=remount-ro,acl 0       1

NOTE: If you made any changes to fstab, reboot for it to take effect.

[LHammonds]

Install Samba

Install the following packages and answer the questions below when prompted:

Code: Select all

apt install samba smbclient winbind libnss-winbind libpam-winbind krb5-user krb5-config krb5-locales

Make sure the Kerberos realm is in all CAPS:

MYDOMAIN.LOCAL

Make sure the hostname for the Kerberos server is lowercase and the suffix matches your domain name:

dc1.mydomain.local

Make sure the hostname for administrative server is lowercase and same as your hostname:

dc1.mydomain.local

[LHammonds]

NOTE: Samba will need to be wiped to a clean state...otherwise it will fail upon initial provisioning when it tries to create a new smb.conf file.

Shutdown all Samba-related services

Code: Select all

systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

Verify that no Samba processes are running:

Code: Select all

ps ax | egrep "samba|smbd|nmbd|winbindd"

Find the current Samba the configuration file:

Code: Select all

smbd -b | grep "CONFIGFILE"

If the above output was "/etc/samba/smb.conf" then issue the below command to rename the configuration file:

Code: Select all

mv /etc/samba/smb.conf /etc/samba/smb.bak

Find all Samba database files:

Code: Select all

smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"

Remove the .tdb and .ldb database files based on the above output.

Code: Select all

rm /var/run/samba/*.[t,l]db
rm /var/lib/samba/*.[t,l]db
rm /var/cache/samba/*.[t,l]db
rm /var/lib/samba/private/*.[t,l]db

Provision the domain with the following command and answer the questions as noted below:

Code: Select all

samba-tool domain provision --use-rfc2307 --interactive

Realm: MYDOMAIN.LOCAL
Domain: MYDOMAIN
Server Role: dc
DNS backend: SAMBA_INTERNAL
DNS forwarder IP address: 192.168.107.1
Administrator password: MyDomainAdminPass

Rename the existing Kerberos configuration file.

Code: Select all

mv /etc/krb5.conf /etc/krb5.bak

Symlink the Kerberos main configuration file to the Samba Kerberos file.

Code: Select all

ln --symbolic /var/lib/samba/private/krb5.conf /etc/
ls -l /etc/krb*

Start and enable Samba Active Directory Domain Controller daemons:

Code: Select all

systemctl unmask samba-ad-dc.service
systemctl start samba-ad-dc.service
systemctl enable samba-ad-dc.service

Check on the status of the service...make sure it shows "active (running)"

Code: Select all

systemctl status samba-ad-dc.service

Example output:

Code: Select all

samba-ad-dc.service - LSB: start Samba daemons for the AD DC
   Loaded: loaded (/etc/init.d/samba-ad-dc; bad; vendor preset: enabled)
   Active: active (running) since Fri 2017-12-15 15:56:04 CST; 2min 28s ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/samba-ad-dc.service
           ├─2795 /usr/sbin/samba -D
           ├─2796 /usr/sbin/samba -D
           ├─2797 /usr/sbin/samba -D
           ├─2798 /usr/sbin/samba -D
           ├─2799 /usr/sbin/samba -D
           ├─2800 /usr/sbin/samba -D
           ├─2801 /usr/sbin/samba -D
           ├─2802 /usr/sbin/samba -D
           ├─2803 /usr/sbin/smbd -D --option=server role check:inhibit=yes --for
           ├─2804 /usr/sbin/samba -D
           ├─2805 /usr/sbin/samba -D
           ├─2806 /usr/sbin/samba -D
           ├─2807 /usr/sbin/samba -D
           ├─2808 /usr/sbin/samba -D
           ├─2809 /usr/sbin/samba -D
           ├─2810 /usr/sbin/winbindd -D --option=server role check:inhibit=yes -
           ├─2814 /usr/sbin/smbd -D --option=server role check:inhibit=yes --for
           ├─2815 /usr/sbin/winbindd -D --option=server role check:inhibit=yes -
lines 1-23

If you do not have a long list like the above, it is entirely possible your password was not "complex" enough. Scroll up and see if you notice that kind of message when provisioning the domain. If the password is the issue, start this section over and wipe out all the Samba settings and then use an appropriately complex password.

Verify the list of all services required by an Active Directory to run properly.

Code: Select all

netstat –tulpn| egrep 'smbd|samba'

Example output:

Code: Select all

unix  2      [ ]         DGRAM                    20120    /var/lib/samba/private/msg.sock/2806
unix  2      [ ]         DGRAM                    20122    /var/lib/samba/private/msg.sock/2807
unix  2      [ ]         DGRAM                    20124    /var/lib/samba/private/msg.sock/2808
unix  2      [ ]         DGRAM                    20128    /var/lib/samba/private/msg.sock/2809
unix  2      [ ]         DGRAM                    20166    /var/lib/samba/private/msg.sock/2803
unix  2      [ ]         DGRAM                    20172    /var/lib/samba/private/msg.sock/2810
unix  2      [ ]         DGRAM                    20187    /var/lib/samba/private/msg.sock/2814
unix  2      [ ]         DGRAM                    20190    /var/lib/samba/private/msg.sock/2815
unix  2      [ ]         DGRAM                    20225    /var/lib/samba/private/msg.sock/2818
unix  2      [ ]         DGRAM                    20235    /var/lib/samba/private/msg.sock/2819
unix  2      [ ]         DGRAM                    20248    /var/lib/samba/private/msg.sock/2820
unix  2      [ ]         DGRAM                    20051    /var/lib/samba/private/msg.sock/2795
unix  2      [ ]         DGRAM                    20069    /var/lib/samba/private/msg.sock/2797
unix  2      [ ]         DGRAM                    20070    /var/lib/samba/private/msg.sock/2796
unix  2      [ ]         DGRAM                    20074    /var/lib/samba/private/msg.sock/2799
unix  2      [ ]         DGRAM                    20075    /var/lib/samba/private/msg.sock/2798
unix  2      [ ]         DGRAM                    20083    /var/lib/samba/private/msg.sock/2801
unix  2      [ ]         DGRAM                    20088    /var/lib/samba/private/msg.sock/2802
unix  2      [ ]         DGRAM                    20090    /var/lib/samba/private/msg.sock/2800
unix  2      [ ]         DGRAM                    20115    /var/lib/samba/private/msg.sock/2805
unix  2      [ ]         DGRAM                    20119    /var/lib/samba/private/msg.sock/2804
unix  3      [ ]         STREAM     CONNECTED     20204    /var/lib/samba/winbindd_privileged/pipe

[LHammonds]

Samba local Linux authentication using AD accounts

Code: Select all

vi /etc/samba/smb.conf

Add the following under the [global] section:

Code: Select all

winbind enum users = yes
winbind enum groups = yes

Modify PAM to allow AD authentication and open sessions

Run the PAM configuration utility:

Code: Select all

pam-auth-update

Set the following and press ENTER

Code: Select all

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login
[*] Inheritable Capabilities Management
    <Ok>    <Cancel>

Code: Select all

vi /etc/nsswitch.conf

change:

Code: Select all

passwd:         compat
group:          compat

to:

Code: Select all

passwd:         compat winbind
group:          compat winbind

Code: Select all

vi /etc/pam.d/common-password

change:

Code: Select all

password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass

to:

Code: Select all

password        [success=1 default=ignore]      pam_winbind.so try_first_pass

Repeat the above removal of "use_authtok" each time PAM updates are installed and each time you execute "pam-auth-update"

Edit the Samba configuration and make it look like the following:

Code: Select all

vi /etc/samba/smb.conf

# Global parameters [global] workgroup = MYDOMAIN realm = MYDOMAIN.LOCAL netbios name = DC1 server role = active directory domain controller dns forwarder = 192.168.107.1 idmap_ldb:use rfc2307 = yes winbind enum users = yes winbind enum groups = yes winbind use default domain = true winbind offline logon = false winbind nss info = rfc2307 winbind use default domain = yes template shell = /bin/bash template homedir = /home/%D/%U restrict anonymous = 2 idmap config *:range = 5000-9999 idmap config CB:backend = ad idmap config CB:schema_mode = rfc2307 idmap config CB:range = 10000-29999 ## To disable Roaming profiles, comment out "logon path" and "logon home" ## logon path places Windows profile into their home directory # logon path = \\%N\%U\profile ## logon home specifies the home directory location # logon home = \\%N\%U ## domain logons provides netlogon causing Samba to act as a DC domain logons = yes logon drive = H: ## logon script are the commands that run once user is logged in logon script = logon.cmd ## add machine script automatically creates the Machine Trust Account ## needed for a workstation to join the domain add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u [netlogon] path = /var/lib/samba/sysvol/mydomain.local/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No [share] path = /srv/samba/share read only = no writeable = yes directory mask = 777 create mask = 777 comment = "Shared data directory"

Make sure the config file is valid:

Code: Select all

testparm /etc/samba/smb.conf

After verifying smb.conf, restart the necessary services for the changes to take effect:

Code: Select all

systemctl restart samba-ad-dc

[LHammonds]

Common command line usage

Show Groups

Code: Select all

samba-tool group list
wbinfo -g
getent group | grep MYDOMAIN

Show Users

Code: Select all

samba-tool user list
wbinfo -u
getent passwd | grep MYDOMAIN

Show user profile info

Code: Select all

wbinfo -i JohnDoe

Show members in a group

Code: Select all

samba-tool group listmembers "Domain Users"

Create/delete a domain user

Code: Select all

samba-tool user add JohnDoe --given-name=John --surname=Doe --mail-address=John.Doe@gmail.com --login-shell=/bin/false
samba-tool user delete JohnDoe

Reset password

Code: Select all

samba-tool user setpassword JohnDoe

Disable/Enable domain user

Code: Select all

samba-tool user disable JohnDoe
samba-tool user enable JohnDoe

Create/Delete a domain group

Code: Select all

samba-tool group add MyGroup
samba-tool group delete MyGroup

Add/Remove domain user to a group

Code: Select all

samba-tool group addmembers MyGroup JohnDoe
samba-tool group removemembers MyGroup JohnDoe

Show domain password settings

Code: Select all

samba-tool domain passwordsettings show

Modify password settings

Code: Select all

samba-tool domain passwordsettings set --complexity=on
samba-tool domain passwordsettings set --history-length=3
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=90
samba-tool domain passwordsettings set --min-pwd-length=7

Add a domain user to the sudo group for root privileges

Code: Select all

usermod -aG sudo 'MYDOMAIN\JohnDoe'

[LHammonds]

Firewall Settings

Modify the firewall script in the Samba section so it looks like this:

Code: Select all

vi /var/scripts/prod/en-firewall.sh

Code: Select all

echo "Allowing Samba file sharing connections"
ufw allow proto tcp to any port 135,139,445 comment 'Samba Share' 1>/dev/null 2>&1
ufw allow proto udp to any port 137,138 comment 'Samba Share' 1>/dev/null 2>&1
ufw allow proto tcp to any port 464,389,53,88,636 comment 'Samba AD' 1>/dev/null 2>&1
ufw allow proto udp to any port 464,389,53,88 comment 'Samba AD' 1>/dev/null 2>&1
ufw allow proto tcp to any port 3268,3269,49152:65535 comment 'Samba AD' 1>/dev/null 2>&1

Reference Link: Samba AD DC Port Usage

Join Windows 10 PC to Domain

NOT STARTED

Command to get current policy information on Windows 10:

Code: Select all

gpresult /H GPResult.htm