
Installing and configuring a secondary Samba-AD on Debian 12 (bookworm)


In this documentation, it is assumed:

  • That the main domain controller is called srvads1.
  • That the secondary domain controller is called srvads2.
  • That the domain is called mydomain.lan.

In the instructions below, replace mydomain.lan with your own domain name, and srvads1 and srvads2 with the machine names of your choice.

Preparing the Virtual machine

1. Modify the file /etc/hosts so that it resolves the machine's FQDN to its real IP address (i.e. not on the localhost 127.0.0.1 line), giving the long name first and then the short name:

127.0.0.1      localhost
10.0.0.10      srvads1.mydomain.lan srvads1
192.168.1.12   srvads2.mydomain.lan srvads2

2. Define an apt repository and add our GPG public key, checking that its SHA-256 checksum matches the value shown:

wget -qO- https://samba.tranquil.it/tissamba-pubkey.gpg | tee /usr/share/keyrings/tissamba.gpg > /dev/null
sha256sum /usr/share/keyrings/tissamba.gpg
bd0f7140edd098031fcb36106b24a6837b067f1c847f72cf262fa012f14ce2dd  /usr/share/keyrings/tissamba.gpg

echo "deb [signed-by=/usr/share/keyrings/tissamba.gpg] https://samba.tranquil.it/debian/samba-4.20/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/tissamba.list

Installing the packages

export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install samba winbind libnss-winbind krb5-user smbclient ldb-tools python3-cryptography
unset DEBIAN_FRONTEND

Configuring Kerberos

1. Open /etc/krb5.conf, remove its contents and add:

[libdefaults]
    default_realm = MYDOMAIN.LAN
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    MYDOMAIN.LAN = {
        kdc = 127.0.0.1
        kdc = 192.168.1.12
    }

Attention !!!

Respect the CAPITAL LETTERS and replace the two IPs with:
  • the IP of your srvrodc first; localhost 127.0.0.1 can be used.
  • the IP of srvads as the second IP (e.g. 192.168.1.12).

2. Reboot the host:

reboot

3. After rebooting, ensure that Kerberos is properly configured and that you obtain a TGT:

kinit administrator
klist

Configuring Samba as a Secondary Domain Controller

1. Remove the configuration file /etc/samba/smb.conf which was automatically generated during package installation:

rm -f /etc/samba/smb.conf

2. Join the domain as a Domain Controller. Replace the values mydomain.lan, MYDOMAIN.LAN and MYDOMAIN with those of your domain:

samba-tool domain join mydomain.lan DC -U administrator --realm=MYDOMAIN.LAN -W MYDOMAIN

3. Modify the DNS to point to itself in /etc/resolv.conf:

nameserver 127.0.0.1

4. In /etc/samba/smb.conf, add the DNS forwarder:

[global]
   ...
   dns forwarder = 8.8.8.8
   ...

5. Disable the stand-alone Samba services and enable the automatic start of the AD DC service:

systemctl disable winbind nmbd smbd
systemctl mask winbind nmbd smbd
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc

6. Point your Kerberos to the correct configuration file:

Hint !!!

By default, Samba-AD provisioning creates an example krb5.conf file in the directory /var/lib/samba/private. This file is used by default by some Samba calls. It is best to replace it with a symbolic link to /etc/krb5.conf to avoid side effects.

rm /var/lib/samba/private/krb5.conf
ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf

7. Restart Samba:

pkill -9 smbd
pkill -9 nmbd
pkill -9 winbindd
systemctl restart samba-ad-dc

8. Check that the DNS entries have been created:

samba_dnsupdate --verbose --use-samba-tool

Configuring SYSVOL

1. Graphically, you can retrieve the content of \\srvads\sysvol from srvads1 and copy it to srvads2 from a Windows workstation as Domain Administrator. Or, from the command line on srvads2, run:

rsync -aP root@srvads1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/

2. Then reset the ACLs on SYSVOL and check them (the check should return nothing if everything is OK):

samba-tool ntacl sysvolreset
samba-tool ntacl sysvolcheck

Validating the new installation

  • Check the status of replication with samba-tool drs showrepl. The replicas may take a few minutes to establish. Once they are correct (5 inbound replications and 5 outbound replications), proceed to the following checks.
  • Test the DNS connection from the DNS Active Directory console.
  • Test the connection with the Users and Computers Active Directory console.

Check replication:

samba-tool drs showrepl
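As an added example (not part of this documentation), the following POSIX shell script parses the output of samba-tool drs showrepl and reports whether the secondary DC has reached the healthy state described above (5 inbound and 5 outbound replications, no failing neighbour). The sample output it generates is constructed; the partition names of mydomain.lan and the neighbour SRVADS1 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Tranquil IT documentation: parse the output of
# samba-tool drs showrepl and decide whether the secondary DC is healthy, i.e.
# 5 inbound and 5 outbound replications with no failing neighbour.

# Count "via RPC" neighbour lines in one section; $1 = INBOUND or OUTBOUND.
count_neighbours() {
    awk -v want="$1" '
        /^==== /           { insec = ($0 ~ ("==== " want " NEIGHBORS ====")) }
        insec && /via RPC/ { n++ }
        END                { print n + 0 }'
}

# Count neighbours (both directions) whose failure counter is non-zero.
count_failures() {
    awk '
        /^==== /                                  { insec = ($0 ~ /NEIGHBORS/) }
        insec && /consecutive failure/ && $1 != 0 { n++ }
        END                                       { print n + 0 }'
}

# Read showrepl output on stdin; return 0 only when it matches the expected state.
repl_healthy() {
    data=$(cat)
    inb=$(printf '%s\n' "$data" | count_neighbours INBOUND)
    outb=$(printf '%s\n' "$data" | count_neighbours OUTBOUND)
    fail=$(printf '%s\n' "$data" | count_failures)
    echo "inbound=$inb outbound=$outb failing=$fail"
    if [ "$inb" -eq 5 ] && [ "$outb" -eq 5 ] && [ "$fail" -eq 0 ]; then return 0; fi
    return 1
}

# Constructed showrepl-style output for the demo (real output also carries GUIDs
# and timestamps). $1 = failure counter reported on the ForestDnsZones partition.
sample_showrepl() {
    for sec in INBOUND OUTBOUND; do
        printf '==== %s NEIGHBORS ====\n\n' "$sec"
        for part in "DC=mydomain,DC=lan" "CN=Configuration,DC=mydomain,DC=lan" \
                    "CN=Schema,CN=Configuration,DC=mydomain,DC=lan" \
                    "DC=DomainDnsZones,DC=mydomain,DC=lan" \
                    "DC=ForestDnsZones,DC=mydomain,DC=lan"; do
            fails=0
            if [ "$part" = "DC=ForestDnsZones,DC=mydomain,DC=lan" ]; then fails=$1; fi
            printf '%s\n\tDefault-First-Site-Name\\SRVADS1 via RPC\n' "$part"
            printf '\t\t%s consecutive failure(s).\n\n' "$fails"
        done
    done
    printf '==== KCC CONNECTION OBJECTS ====\n'
}
```

On a live DC, run samba-tool drs showrepl | repl_healthy; a non-zero exit or a non-zero failing counter means replication is not yet ready and the remaining checks should wait.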

Check domain level:

samba-tool domain level show

Verify DNS SRV records:

host -t SRV _ldap._tcp.mydomain.lan
host -t SRV _kerberos._tcp.mydomain.lan

Configuring signed NTP

  • Configure the NTP by following the NTP service configuration documentation with Samba.

Configuring Bind-DLZ

Before going into production, the internal Samba DNS must be replaced by the Bind-DLZ module. To do this, follow the documentation to integrate Samba with Bind9.
