{"id":5924,"date":"2018-10-18T23:19:51","date_gmt":"2018-10-18T21:19:51","guid":{"rendered":"https:\/\/michlstechblog.info\/blog\/?p=5924"},"modified":"2018-10-19T14:27:31","modified_gmt":"2018-10-19T12:27:31","slug":"samba-setup-an-active-directory","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/samba-setup-an-active-directory\/","title":{"rendered":"Samba: Setup an Active Directory"},"content":{"rendered":"<p>Hi,<\/p>\n<p>Unfortunately Microsoft has decided to discontinue its Small Business Server, and for small environments you do not really want to buy a Windows Server and install it as an Active Directory Domain Controller. When Microsoft&#8217;s cloud isn&#8217;t an option either, you can use Samba :-).<\/p>\n<p>These steps describe how to install an Active Directory from scratch. First ensure you have a time server running in your network; Kerberos depends on synchronized clocks. If not, I described how to install and configure ntp for Linux in this <a href=\"https:\/\/michlstechblog.info\/blog\/linux-setup-ntp-server\/\">post<\/a>. ntpd can run on the same machine as Samba.<\/p>\n<p>Also configure a <a href=\"https:\/\/michlstechblog.info\/blog\/systemd-setup-a-static-ip-address\/\" rel=\"noopener\" target=\"_blank\">static IP address<\/a>. In this example it is 192.168.254.6.<\/p>\n<p>The base system is Linux Debian 9 stretch.<\/p>\n<p>Active Directory domain: franken.local<\/p>\n<p>Install packages. 
The Kerberos REALM is FRANKEN.LOCAL (the domain name in uppercase).<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev: ~ # apt-get update &amp;&amp; apt-get upgrade &amp;&amp; apt-get -y install samba attr dnsutils net-tools smbclient krb5-user krb5-config winbind libpam-winbind libnss-winbind libpam-krb5\r\n<\/pre>\n<p>Set your hostname and reboot<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev: ~ # hostnamectl set-hostname frankendc1\r\nroot@debdev: ~ # reboot\r\n<\/pre>\n<p>Move or delete the default smb.conf file<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1: ~ # mv \/etc\/samba\/smb.conf \/etc\/samba\/smb.conf.org\r\n<\/pre>\n<p>Start the Active Directory provisioning. The internal DNS backend is used, the Kerberos REALM is FRANKEN.LOCAL and the NetBIOS domain name is FRANKEN. --use-rfc2307 is only necessary when you want to use the <a href=\"https:\/\/wiki.samba.org\/index.php\/Setting_up_RFC2307_in_AD\" rel=\"noopener\" target=\"_blank\">NIS extensions<\/a> for authenticating UNIX users against your AD.<\/p>\n<p>Note: This command line uses your hostname as the DC hostname and adds the DNS servers configured in \/etc\/resolv.conf as forwarders to the Samba integrated DNS server. A random Administrator password is set. You can set your own password with the --adminpass= parameter, but you have to quote special characters like &#038;!. 
Best practice is to let it be set randomly and change it after the installation has finished.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1: ~ # samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=FRANKEN.LOCAL --domain=FRANKEN\r\nAdmin password:        ~zl3=Q7nNHYHA+)!#_NeUKZv9.d\r\nServer Role:           active directory domain controller\r\nHostname:              frankendc1\r\nNetBIOS Domain:        FRANKEN\r\nDNS Domain:            franken.local\r\nDOMAIN SID:            S-1-5-21-2606902105-126693256-2254647617\r\n<\/pre>\n<p>Disable the legacy Samba daemons, then enable and start the Active Directory service<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1: ~ # systemctl stop smbd nmbd winbind\r\nroot@frankendc1: ~ # systemctl disable smbd nmbd winbind\r\nroot@frankendc1: ~ # systemctl unmask samba-ad-dc\r\nroot@frankendc1: ~ # systemctl start samba-ad-dc\r\nroot@frankendc1: ~ # systemctl enable samba-ad-dc\r\n<\/pre>\n<p>Change \/etc\/resolv.conf to use the Samba integrated DNS server. Remove the existing link (created when the static IP was configured)<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1: ~ # rm \/etc\/resolv.conf\r\n<\/pre>\n<p>and create a new <strong>\/etc\/resolv.conf<\/strong> with your domain in the search list and your static IP as DNS server<br \/>\n<code><br \/>\nsearch franken.local<br \/>\nnameserver 192.168.254.6<br \/>\n<\/code><\/p>\n<p>Check that DNS works. Your new AD domain and your DC should both resolve to the address of the DC<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1:~# nslookup franken.local\r\nServer:         192.168.254.6\r\nAddress:        192.168.254.6#53\r\n\r\nName:   franken.local\r\nAddress: 192.168.254.6\r\nroot@frankendc1:~# nslookup frankendc1.franken.local\r\nServer:         192.168.254.6\r\nAddress:        192.168.254.6#53\r\n\r\nName:   frankendc1.franken.local\r\nAddress: 192.168.254.6\r\n<\/pre>\n<p>Set up Kerberos. Samba also generates a krb5.conf file, \/var\/lib\/samba\/private\/krb5.conf. If you generate it yourself instead, use these values:<br \/>\nREALM:                  FRANKEN.LOCAL<br \/>\nKerberos server:        frankendc1.franken.local<br \/>\nAdministration server:  frankendc1.franken.local<\/p>\n<p>Samba builds a valid krb5.conf for your directory for you. Copy it to \/etc<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1:~# cp \/var\/lib\/samba\/private\/krb5.conf \/etc\/\r\n<\/pre>\n<p>Add <strong>&#8220;default_ccache_name = \/tmp\/krb5cc_%{uid}&#8221;<\/strong> to the section <strong>[libdefaults]<\/strong>, like this:<br \/>\n<code><br \/>\n[libdefaults]<br \/>\n        default_ccache_name = \/tmp\/krb5cc_%{uid}<br \/>\n        default_realm = FRANKEN.LOCAL<br \/>\n        dns_lookup_realm = false<br \/>\n        dns_lookup_kdc = true<br \/>\n<\/code><\/p>\n<p>Initiate a final reboot<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1:~# reboot\r\n<\/pre>\n<p>First connect. 
Try to get a Kerberos ticket for the administrator (note: the REALM FRANKEN.LOCAL is case sensitive)<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1:~# kinit administrator@FRANKEN.LOCAL\r\nPasswort for administrator@FRANKEN.LOCAL:\r\nWarning: Your password will expire in 41 days on Fri Nov 29 21:19:41 2018\r\n<\/pre>\n<p>And show the ticket(s)<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1:~# klist\r\nTicket cache: FILE:\/tmp\/krb5cc_0\r\nDefault principal: administrator@FRANKEN.LOCAL\r\n\r\nValid starting     Expires            Service principal\r\n10\/18\/18 21:58:20  10\/19\/18 07:58:20  krbtgt\/FRANKEN.LOCAL@FRANKEN.LOCAL\r\n        renew until 10\/19\/18 21:58:11\r\n<\/pre>\n<p>If you have a Kerberos ticket, samba-tool can use it to authenticate against your new Active Directory, so you do not have to enter your password each time you call samba-tool.<\/p>\n<p>Important: samba-tool uses the existing Kerberos ticket only if the server parameter is given the DNS name of the Domain Controller, not its IP address! Otherwise samba-tool asks for a user\/password.<\/p>\n<p>If your integrated DNS should also be authoritative for the reverse DNS zone (which resolves IP addresses to hostnames) of the subnet 192.168.254.0\/24, create the zone.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1:~# samba-tool dns zonecreate frankendc1.franken.local 254.168.192.in-addr.arpa\r\nZone 254.168.192.in-addr.arpa created successfully\r\n<\/pre>\n<p>Your Active Directory is now up and running. You can now join computers to your domain. Install the Microsoft RSAT tools to manage it.<\/p>\n<p>Here is a set of helpful command line examples for samba-tool.
<\/p>\n<p>Show the domain functional level<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1:~# samba-tool domain level show\r\nDomain and forest function level for domain 'DC=franken,DC=local'\r\n\r\nForest function level: (Windows) 2008 R2\r\nDomain function level: (Windows) 2008 R2\r\nLowest function level of a DC: (Windows) 2008 R2\r\n<\/pre>\n<p>(Re)set a user's password, here the password of the Administrator<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1:~# samba-tool user setpassword --filter=samaccountname=Administrator\r\n<\/pre>\n<p>Get a user's password hash<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1:~# samba-tool user getpassword --filter=samaccountname=Administrator --attributes=msDS-KeyVersionNumber,unicodePwd,virtualClearTextUTF16\r\n<\/pre>\n<p>List all DNS zones<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1:~# samba-tool dns zonelist\r\n<\/pre>\n<p>Query the DNS<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@frankendc1:~# samba-tool dns query frankendc1.franken.local franken.local frankendc1.franken.local A\r\n  Name=, Records=2, Children=0\r\n    A: 192.168.2.6 (flags=f0, serial=110, ttl=900)\r\n<\/pre>\n<p>Show local shares<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nsmbclient -L localhost -U% -k\r\n<\/pre>\n<p>Group Policies<br \/>\nTo configure Group Policy Administrative Templates, copy the content of the C:\\windows\\PolicyDefinition folder of your Windows 10 machine to the sysvol folder of every Domain Controller. Samba does currently <a href=\"https:\/\/wiki.samba.org\/index.php\/SysVol_replication_(DFS-R)\" rel=\"noopener\" target=\"_blank\">not support<\/a> the replication of the sysvol folder. 
You must implement your own replication via <a href=\"https:\/\/wiki.samba.org\/index.php\/Rsync_based_SysVol_replication_workaround\" rel=\"noopener\" target=\"_blank\">rsync<\/a> or robocopy<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nC:\\&gt; mkdir \\\\frankendc1.franken.local\\sysvol\\Policies\\PolicyDefinition\r\nC:\\&gt; mkdir \\\\frankendc2.franken.local\\sysvol\\Policies\\PolicyDefinition\r\nC:\\&gt; robocopy \/s C:\\Windows\\PolicyDefinition \\\\frankendc1.franken.local\\sysvol\\Policies\\PolicyDefinition\r\nC:\\&gt; robocopy \/s C:\\Windows\\PolicyDefinition \\\\frankendc2.franken.local\\sysvol\\Policies\\PolicyDefinition\r\n<\/pre>\n<p>Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, unfortunately Microsoft has decided to discontinue its Small Business Server, and for small environments you do not really want to buy a Windows Server and install it as an Active Directory Domain Controller. When Microsoft&#8217;s cloud isn&#8217;t an option either, you can use Samba 
:-).<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1265,3,1256],"tags":[95,635,143,404,119,415,368,1122,1266,1039],"class_list":["post-5924","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-linux","category-samba","tag-active-directory","tag-build","tag-create","tag-dns","tag-install","tag-kerberos","tag-ntp","tag-samba","tag-samba-tool","tag-setup"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/5924","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=5924"}],"version-history":[{"count":55,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/5924\/revisions"}],"predecessor-version":[{"id":6019,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/5924\/revisions\/6019"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=5924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=5924"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=5924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}