Setup Process
Clean Installation of samba & dependencies
The domain controller dc0.v.ucc.asn.au is based on a clone of samurai, cleaned up and configured using the steps below. dc1.v.ucc.asn.au was set up as a fresh install based on Debian 9.5.0 (netinst).
A fresh domain controller can probably be set up using the same steps. Note: these instructions are valid for Samba 4.7 and 4.8.5; older versions of Samba may be missing important configuration options, and newer ones may behave slightly differently.
- Configure name resolution
Edit /etc/hosts:
127.0.0.1 localhost
192.168.9.2 dc0.v.ucc.asn.au dc0
192.168.9.3 dc1.v.ucc.asn.au dc1
Edit /etc/resolv.conf (note that the resolver only honours the last search line, so all search domains go on one line):
search ad.v.ucc.asn.au v.ucc.asn.au ucc.asn.au
# This is configured to forward ad.* queries back to us and also deals with other DNS magic,
# so use it instead of ourselves as primary nameserver
nameserver 192.168.9.35
Purge existing configs and packages:
apt-get -y purge samba* libpam-sss libnss-sss libgpgme11 krb5-* sssd-* libsss-* winbind
rm -rf /etc/samba /etc/krb5.conf /etc/krb5.keytab /var/run/samba/ /var/lib/samba/ /var/cache/samba/ /var/lib/sss
- Configure the apt repositories and preferences
Edit /etc/apt/preferences.d/80-ucc-samba, add the following:
Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release a=stable-backports
Pin-Priority: 800

Package: *
Pin: release a=testing
Pin-Priority: 99

Package: *
Pin: release a=unstable
Pin-Priority: 98
Edit /etc/apt/sources.list.d/debian-unstable.list:
# Testing repository - main, contrib and non-free branches
deb http://mirror.waia.asn.au/debian testing main non-free contrib
deb-src http://mirror.waia.asn.au/debian testing main non-free contrib

# Testing security updates repository
deb http://security.debian.org/ testing/updates main contrib non-free
deb-src http://security.debian.org/ testing/updates main contrib non-free

# Unstable repo main, contrib and non-free branches, no security updates here
deb http://mirror.waia.asn.au/debian unstable main non-free contrib
deb-src http://mirror.waia.asn.au/debian unstable main non-free contrib
Install packages:
apt-get update && apt-get -y upgrade
apt-get -y -t testing install samba sssd-ad sssd-tools sssd-krb5 krb5-user libpam-krb5 libpam-sss libnss-sss libgpgme11 smbclient winbind
apt-get -y install net-tools vim less molly-guard chrony rsync csync2 nfs-common finger sudo zsh git dnsutils mlocate
The rest of these instructions are based on the official Samba AD setup guide.
Disable the systemd units for the non-DC setup & default configuration:
systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
Remove all Samba database and config files, such as *.tdb and *.ldb files, so we can start with a clean installation. (Note: when installing the packages, some of these files may have been recreated since the purge step above, so don't skip this step.)
rm -fv /etc/samba/smb.conf /etc/krb5.conf /etc/krb5.keytab
find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ | grep -e tdb -e ldb | xargs rm -f
Provisioning a new AD Domain
Make sure you start with a clean installation. Note: Don't do this unless you want to set up a fresh domain, in which case you will need to change all the settings below to appropriate values.
Provision the new domain:
samba-tool domain provision --use-rfc2307 --realm=ad.v.ucc.asn.au --domain=VUCC --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=$PASSWORD
Copy /var/lib/samba/private/krb5.conf to /etc/krb5.conf:
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
Make sure /etc/krb5.conf looks something like this, adding lines where necessary:
[libdefaults]
    default_realm = AD.V.UCC.ASN.AU
    dns_lookup_realm = false
    dns_lookup_kdc = true
    rdns = false
    forwardable = yes
Export the domain's keytab:
samba-tool domain exportkeytab /etc/krb5.keytab
Edit /etc/nsswitch.conf:
# /etc/nsswitch.conf
# See http://wiki.ucc.asn.au/ActiveDirectoryNew

passwd:         files sss
group:          files sss
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files
and /etc/sssd/sssd.conf:
[sssd]
config_file_version = 2
domains = ad.v.ucc.asn.au
services = nss, pam, pac

[domain/AD.V.UCC.ASN.AU]
enumerate = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_id_mapping = false
Fix the sssd.conf permissions (sssd refuses to start if the file is readable by other users):
chmod 600 /etc/sssd/sssd.conf
Enable sssd authentication in PAM via pam-auth-update.
Start the samba service:
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc
systemctl enable sssd
systemctl restart sssd
DO NOT use winbind for NSS on a domain controller; it sucks for multiple reasons. Note that winbindd will still run for internal use by Samba; it just isn't used for NSS lookups.
Make it restart automatically if something crashes:
systemctl edit samba-ad-dc
# this will end up in /etc/systemd/system/samba-ad-dc.service.d/override.conf when it gets saved
[Service]
Restart=on-failure
Joining a new DC to an existing AD domain
Make sure you start with a clean installation.
Copy /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf from an existing domain controller.
Verify Kerberos with:
kinit <username>
Join the domain with:
samba-tool domain join ad.v.ucc.asn.au DC -U"VUCC\Administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
- You may see an error saying something about DNS not being configured; you can probably ignore it.
Replicate the SYSVOL directory to the new DC (see Sysvol replication below), then fix the permissions with: samba-tool ntacl sysvolreset
- Start the samba service; the service may have a different name depending on the Samba version used.
samba-tool domain exportkeytab /etc/krb5.keytab
chmod 600 /etc/sssd/sssd.conf
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc
systemctl enable sssd
systemctl restart sssd
Enable sssd authentication in PAM via pam-auth-update.
Sysvol replication
Samba doesn't support sysvol replication and probably never will, but they have some (old) suggested workarounds. At the most basic level, the directory /var/lib/samba/sysvol must be synchronised between DCs to keep things working smoothly. Unfortunately the filesystem needs to support xattr and POSIX ACLs so using a simple NFS share isn't possible, and rsync is painful when it comes to two-way synchronisation.
Fortunately csync2 does exactly what we want (minus ACLs/xattr, but those can be fixed using samba-tool ntacl sysvolreset). Here's how you can set it up.
Put the following into /etc/csync2.cfg (updating the domain controller hostnames as needed); see the csync2 documentation for the directives:
#### csync2 configuration
# disable nossl dc[01] dc[01];

group vucc-domain-controllers {
    host dc0 dc1;
    key /etc/csync2.key-vucc;
    include /var/lib/samba/sysvol;

    # reload samba-ad-dc if changes to the configuration file /etc/samba/smb.conf are synced
    action {
        pattern /etc/samba/smb.conf;
        exec "/bin/systemctl reload samba-ad-dc";
        do-local;
    }

    # fix xattrs on files when they are updated
    action {
        pattern /var/lib/samba/sysvol;
        exec "/usr/bin/samba-tool ntacl sysvolreset";
        do-local;
    }

    # Store backups (with logical names) somewhere reasonable
    backup-directory /var/lib/samba/sysvol-backups;
    backup-generations 3;

    # automatically resolve conflicts by overwriting older files with newer ones
    auto younger;
}
Edit the crontab on one node:
dc0# crontab -e
# sync every minute
* * * * * /usr/sbin/csync2 -x
csync2 is run as an inetd service, so check that the following line is present in /etc/inetd.conf on all servers in the cluster:
csync2 stream tcp nowait root /usr/sbin/csync2 csync2 -i -l
Generate a csync2 pre-shared key (PSK) and copy it and /etc/csync2.cfg to all the DCs in the cluster:
csync2 -k /etc/csync2.key-vucc
scp /etc/csync2.key-vucc /etc/csync2.cfg dc1:/etc dc2:/etc dc3:/etc ...
Make sure the directory /var/lib/samba/sysvol-backups exists on all nodes of the cluster.
Done! It should work now.
To manually replicate the sysvol directory between DCs (scp has no -a option; -p preserves timestamps and modes, and the target is the parent directory so that the copy does not nest as sysvol/sysvol):
dc0# scp -pr /var/lib/samba/sysvol dc1:/var/lib/samba/
dc1# samba-tool ntacl sysvolreset
Diagnostics
Sometimes group memberships don't seem to be updated; this can often be fixed by clearing the cache:
sss_cache -E      (if using sssd)
net cache flush   (if using winbind)
- Or, if the above has no effect, try rejoining the domain using the instructions below.
Sometimes everything may break rather catastrophically. This may be due to the keytabs at /etc/krb5.keytab and /var/lib/samba/private/secrets.keytab becoming out of sync.
The current solution (on samson) is to symlink /etc/krb5.keytab to the keytab Samba maintains, as follows (move the existing /etc/krb5.keytab out of the way first):
# ln -s /var/lib/samba/private/secrets.keytab /etc/krb5.keytab
# ls -l /etc/krb5.keytab
lrwxrwxrwx 1 root root 37 Nov 26 16:51 /etc/krb5.keytab -> /var/lib/samba/private/secrets.keytab
Verify that the host principal is present in the keytab:
# klist -k | grep -i $(hostname)
3 [email protected]
- The same principal, and variations including the same hostname, may appear multiple times. This is normal (and maybe necessary?).
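As an added example (not from this wiki or from Samba), a small shell diagnostic for the keytab drift described above: it lists each keytab's principals with their highest KVNO and reports principals that are missing from, or at a different KVNO in, the other keytab, which is the state that "out of sync" keytabs are in before authentication fails. It assumes MIT Kerberos klist output (krb5-user); the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the UCC wiki page or the Samba project:
# report drift between two keytabs (e.g. /etc/krb5.keytab and
# /var/lib/samba/private/secrets.keytab) before it breaks authentication.
# Assumes MIT Kerberos klist (krb5-user), whose `klist -k FILE` output has
# three header lines followed by "KVNO Principal" rows.

# klist_entries: read `klist -k` output on stdin and print one
# "principal highest_kvno" line per principal, sorted. Duplicate rows for the
# same principal (normal, as the page notes) collapse to the highest KVNO.
klist_entries() {
    awk 'NR > 3 && NF >= 2 { if ($1 + 0 >= max[$2] + 0) max[$2] = $1 + 0 }
         END { for (p in max) print p, max[p] }' | LC_ALL=C sort
}

# keytab_entries FILE: the same listing for a keytab on disk.
keytab_entries() {
    klist -k "$1" | klist_entries
}

# keytab_drift LISTING_A LISTING_B: compare two klist_entries listings.
# Prints one line per principal whose highest KVNO differs or which is
# missing on one side; returns 0 when the keytabs agree, 1 otherwise.
keytab_drift() {
    a=$(mktemp) && b=$(mktemp) || return 2
    printf '%s\n' "$1" > "$a"
    printf '%s\n' "$2" > "$b"
    # join on the principal; -a keeps unpaired lines, -e fills the missing side
    LC_ALL=C join -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$a" "$b" |
        awk '$2 != $3 { print $1 ": first=" $2 " second=" $3; drift = 1 }
             END { exit drift ? 1 : 0 }'
    rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# Usage on a DC (as root): compare the system keytab with Samba's own copy.
#   keytab_drift "$(keytab_entries /etc/krb5.keytab)" \
#                "$(keytab_entries /var/lib/samba/private/secrets.keytab)"
```

A non-zero exit with no output means a keytab could not be read rather than a content difference, so check the klist error on stderr in that case.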