Setup Process

Clean Installation of samba & dependencies

The domain controller dc0.v.ucc.asn.au is based off a clone of samurai, cleaned up and configured using the steps below. dc1.v.ucc.asn.au was set up as a fresh install based on Debian 9.5.0 (netinst).

A fresh domain controller can probably be set up using the same steps; Note: These instructions are valid for Samba 4.7 and 4.8.5, older versions of Samba may be missing important configuration options and newer ones may behave slightly differently.

• Configure name resolution

  • Edit /etc/hosts

    127.0.0.1       localhost
    192.168.9.2     dc0.v.ucc.asn.au        dc0
    192.168.9.3     dc1.v.ucc.asn.au        dc1

  • Edit /etc/resolv.conf

    search ad.v.ucc.asn.au
    search v.ucc.asn.au
    search ucc.asn.au
    # This is configured to forward ad.* queries back to us and also deals with other DNS magic, so use it instead of ourselves as primary nameserver
    nameserver 192.168.9.35

• Purge existing configs and packages:

  apt-get -y purge samba* libpam-sss libnss-sss libgpgme11 krb5-* sssd-* libsss-* winbind
  rm -rf /etc/samba /etc/krb5.conf /etc/krb5.keytab /var/run/samba/ /var/lib/samba/ /var/cache/samba/ /var/lib/sss

• Configure the apt repositories and preferences

  • Edit /etc/apt/preferences.d/80-ucc-samba, add the following:

    Package: *
    Pin: release a=stable
    Pin-Priority: 900
    
    Package: *
    Pin: release a=stable-backports
    Pin-Priority: 800
    
    Package: *
    Pin: release a=testing
    Pin-Priority: 99
    
    Package: *
    Pin: release a=unstable
    Pin-Priority: 98

  • Edit /etc/apt/sources.list.d/debian-unstable.list:

    # Testing repository - main, contrib and non-free branches
    deb http://mirror.waia.asn.au/debian testing main non-free contrib
    deb-src http://mirror.waia.asn.au/debian testing main non-free contrib
    
    # Testing security updates repository
    deb http://security.debian.org/ testing/updates main contrib non-free
    deb-src http://security.debian.org/ testing/updates main contrib non-free
    
    # Unstable repo main, contrib and non-free branches, no security updates here
    deb http://mirror.waia.asn.au/debian unstable main non-free contrib
    deb-src http://mirror.waia.asn.au/debian unstable main non-free contrib

• Install packages:

  apt-get update && apt-get -y upgrade
  apt-get -y -t testing install samba sssd-ad sssd-tools sssd-krb5 krb5-user libpam-krb5 libpam-sss libnss-sss libgpgme11 smbclient winbind
  apt-get -y install net-tools vim less molly-guard chrony rsync csync2 nfs-common finger sudo zsh git dnsutils mlocate

The rest of these instructions are based off the official Samba AD setup guide.

• Disable the systemd units for the non-DC setup & default configuration:

  systemctl stop smbd
  systemctl stop nmbd
  systemctl stop winbind
  systemctl disable smbd
  systemctl disable nmbd
  systemctl disable winbind

• Remove all Samba database and config files, such as *.tdb and *.ldb files, so we can start with a clean installation. (note: when installing the packages, some of these files may have been recreated since the purge step above, so don't skip this step.

  rm -fv /etc/samba/smb.conf /etc/krb5.conf /etc/krb5.keytab
  find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ | grep -e tdb -e ldb | xargs rm -f

Provisioning a new AD Domain

Make sure you start with a clean installation. Note: Don't do this unless you want to set up a fresh domain, in which case you will need to change all the settings below to appropriate values.

• Provision the new domain:

  samba-tool domain provision --use-rfc2307 --realm=ad.v.ucc.asn.au --domain=VUCC --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=$PASSWORD

• Copy /var/lib/samba/private/krb5.conf to /etc/krb5.conf:

  cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

  • Make sure /etc/krb5.conf looks something like this, add lines where necessary.

    [libdefaults]
            default_realm = AD.V.UCC.ASN.AU
            dns_lookup_realm = false
            dns_lookup_kdc = true
            rdns = false
            forwardable = yes

• Export the domain's keytab

  samba-tool domain exportkeytab /etc/krb5.keytab

• Edit /etc/nsswitch.conf

  # /etc/nsswitch.conf
  # See http://wiki.ucc.asn.au/ActiveDirectoryNew
  
  passwd:         files sss
  group:          files sss
  shadow:         files
  gshadow:        files
  
  hosts:          files dns
  networks:       files
  
  protocols:      db files
  services:       db files sss
  ethers:         db files
  rpc:            db files
  
  netgroup:       nis sss
  sudoers:        files

• and /etc/sssd/sssd.conf

  [sssd]
  config_file_version = 2
  domains = ad.v.ucc.asn.au
  services = nss, pam, pac
  
  [domain/AD.V.UCC.ASN.AU]
  enumerate = true
  id_provider = ad
  auth_provider = ad
  chpass_provider = ad
  access_provider = ad
  ldap_id_mapping = false

• fix sssd.conf permissions

  chmod 600 /etc/sssd/sssd.conf

• enable sssd auth in pam via pam-auth-update

• Start the samba service:

  systemctl unmask samba-ad-dc
  systemctl enable samba-ad-dc
  systemctl restart samba-ad-dc
  systemctl enable sssd
  systemctl restart sssd

• DO NOT use winbind on a domain controller, it sucks for multiple reasons. Note that winbindd will still run for internal use by samba - it just isn't being used for nss.

• Make it restart automatically if something crashes: systemctl edit samba-ad-dc

  # this will end up in /etc/systemd/system/samba-ad-dc.service.d/override.conf when it gets saved
  [Service]
  Restart=on-failure

Joining a new DC to an existing AD domain

Make sure you start with a clean installation.

• Copy /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf from an existing domain controller.

• verify kerberos with: kinit <username>

• join the domain with: samba-tool domain join ad.v.ucc.asn.au DC -U"VUCC\Administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'

  • You may see an error saying something about DNS not being configured, you can probably ignore it.

• replicate the SYSVOL directory to the new DC, then fix the permissions with: samba-tool ntacl sysvolreset

• start the samba service, the service may have a different name depending on the samba version used.

• samba-tool domain exportkeytab /etc/krb5.keytab
  chmod 600 /etc/sssd/sssd.conf
  systemctl unmask samba-ad-dc
  systemctl enable samba-ad-dc
  systemctl restart samba-ad-dc
  systemctl enable sssd
  systemctl restart sssd

• enable sssd auth in pam via pam-auth-update

Sysvol replication

Samba doesn't support sysvol replication and probably never will, but they have some (old) suggested workarounds. At the most basic level, the directory /var/lib/samba/sysvol must be synchronised between DCs to keep things working smoothly. Unfortunately the filesystem needs to support xattr and POSIX ACLs so using a simple NFS share isn't possible, and rsync is painful when it comes to two-way synchronisation.

Fortunately csync2 does exactly what we want (minus ACLs/xattr, but those can be fixed using samba-tool ntacl sysvolreset). Here's how you can set it up.

• put the following into /etc/csync2.cfg (and update with the correct domain controller hostnames): see the documentation

  #### csync2 configuration
  # disable 
  nossl dc[01] dc[01];
  group vucc-domain-controllers
  {
          host dc0 dc1;
          key /etc/csync2.key-vucc;
          include /var/lib/samba/sysvol;
  
          # restart samba-ad-dc if changes to the configuration file /etc/samba/smb.conf are synced
          action
          {
                  pattern /etc/samba/smb.conf;
                  exec "/bin/systemctl samba-ad-dc reload";
                  do-local;
          }
  
          # fix xattrs on files when they are updated
          action
          {
                  pattern /var/lib/samba/sysvol;
                  exec "/usr/bin/samba-tool ntacl sysvolreset";
                  do-local;
          }
  
          # Store backups (with logical names) somewhere reasonable
          backup-directory /var/lib/samba/sysvol-backups;
          backup-generations 3;
  
          # automatically resolve conflicts by overwriting older files with newer ones
          auto younger;
  }

• edit the crontab on one node:

  dc0# crontab -e
  # sync every minute
  * * * * * /usr/sbin/csync2 -x

• csync2 is run as an inetd service, so you can check that the following line is present in /etc/inetd.conf on all servers in the cluster

  csync2          stream  tcp     nowait  root    /usr/sbin/csync2        csync2 -i -l

• generate a csync2 pre-shared key (PSK) and copy it and /etc/csync2.cfg to all the DCs in the cluster:

  csync2 -k /etc/csync2.key-vucc
  scp /etc/csync2.key-vucc /etc/csync2.cfg dc1:/etc dc2:/etc dc3:/etc ...

• make sure the directory /var/lib/samba/sysvol-backups exists on all nodes of the cluster

• Done! It should work now.

To manually replicate the sysvol directories between DCs:

dc0# scp -ar /var/lib/samba/sysvol dc1:/var/lib/samba/sysvol
dc1# samba-tool ntacl sysvolreset

Diagnostics

Sometimes group memberships don't seem to be updated, this can often be fixed by clearing the cache:

• sss_cache -E if using sssd

• net cache flush if using winbind

• Or if the above fails to have an effect, try rejoining to the domain using the instructions below.

Sometimes, everything may break rather catastrophically. This may be due to the keytabs at /etc/krb5.keytab and /var/lib/samba/private/secrets.keytab becoming out of sync.

• The current solution (on samson) is to symlink the keytabs as follows:

  # ln -s /etc/krb5.keytab /var/lib/samba/private/secrets.keytab
  # ls -l /etc/krb5.keytab
  lrwxrwxrwx 1 root root 37 Nov 26 16:51 /etc/krb5.keytab -> /var/lib/samba/private/secrets.keytab

• Verify that the host principal is present in the keytab:

  # klist -k | grep -i $(hostname)
     3 [email protected]

• The same principal and variations including the same hostname may appear multiple times. This is normal (and maybe necessary?).