# Install Samba 4 ADDC with BIND_DLZ # Install a basic debian jessie (or Ubuntu-Server) with distribution-packages only. # Install packages apt-get install samba libpam-heimdal heimdal-clients ldb-tools winbind libpam-winbind smbclient libnss-winbind bind9 bind9utils # delete /etc/samba/smb.conf from package installation rm /etc/samba/smb.conf # check hostname hostname -f addc1.example.net # Start provisioning with BIND_DLZ samba-tool domain provision # Provision with rfc2307-Schema samba-tool domain provision --use-rfc2307 --domain=EXAMPLE --realm=EXAMPLE.NET --dns-backend=BIND9_DLZ # This will read all parameters from the commandline # list /etc/samba/smb.conf [global] workgroup = EXAMPLE realm = EXAMPLE.NET netbios name = ADDC1 server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate # if provisioned with rfc2307 idmap_ldb:use rfc2307 = yes [netlogon] path = /var/lib/samba/sysvol/example.net/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No # copy or link /var/lib/samba/private/krb5.conf to /etc cp /var/lib/samba/private/krb5.conf /etc # Change DNS-Server to own IP vi /etc/network/interfaces dns-nameservers 192.168.56.81 dns-search example.net # check /etc/resolv.conf cat /etc/resolv.conf # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN nameserver 192.168.56.81 search example.net ## setup bind9 # edit named.conf.options vi /etc/bind/named.conf.options forwarders { 8.8.8.8; }; tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; # edit /etc/bind/named.conf.local vi /etc/bind/named.conf.local include "/var/lib/samba/private/named.conf"; # check if the right bind-version is active in /var/lib/samba/private/named.conf # check permission ls -ld /var/lib/samba/private/ drwxr-xr-x 6 root root 4096 Jun 23 18:39 /var/lib/samba/private/ ls -l 
/var/lib/samba/private/named.conf -rw-r--r-- 1 root root 678 Jun 23 18:39 /var/lib/samba/private/named.conf ls -ld /var/lib/samba/private/dns drwxrwx--- 3 root bind 4096 Jun 23 18:39 /var/lib/samba/private/dns ls -ld /var/lib/samba/private/dns.keytab -rw-r----- 1 root bind 737 Jun 23 18:39 /var/lib/samba/private/dns.keytab ls -l /var/lib/samba/private/dns/ total 2948 -rw-rw---- 1 root bind 3014656 Jun 23 18:39 sam.ldb drwxrwx--- 2 root bind 4096 Jun 23 18:39 sam.ldb.d ls -l /var/lib/samba/private/dns/sam.ldb.d/ total 25184 -rw-rw---- 1 root bind 7884800 Jun 23 18:39 CN=CONFIGURATION,DC=EXAMPLE,DC=NET.ldb -rw-rw---- 1 root bind 7700480 Jun 23 18:39 CN=SCHEMA,CN=CONFIGURATION,DC=EXAMPLE,DC=NET.ldb -rw-rw---- 2 root bind 4247552 Jun 23 18:38 DC=DOMAINDNSZONES,DC=EXAMPLE,DC=NET.ldb -rw-rw---- 1 root bind 1286144 Jun 23 18:39 DC=EXAMPLE,DC=NET.ldb -rw-rw---- 2 root bind 4247552 Jun 23 18:38 DC=FORESTDNSZONES,DC=EXAMPLE,DC=NET.ldb -rw-rw---- 2 root bind 421888 Jun 23 18:39 metadata.tdb # Bind9 is protected by apparmor so you have to change some settings # edit /etc/apparmor.d/usr.sbin.named vi /etc/apparmor.d/usr.sbin.named /etc/bind/** r, /var/lib/bind/** rw, /var/lib/bind/ rw, /var/cache/bind/** lrw, /var/cache/bind/ rw, /var/lib/samba/private/** rw, # otherwise you will get error messages in /var/log/syslog about permission problems # note: this AppArmor rule only widens what named is allowed to touch; the file ownership and the "bind" group permissions listed above still decide what it can actually read and write # Restart apparmor systemctl restart apparmor.service # make sure "bind"-group has read and write permission to all listed files # start bind9 systemctl restart bind9.service # check /var/log/syslog for the following lines tail -200 /var/log/syslog Jun 23 19:02:21 addc1 named[3633]: listening on IPv4 interface eth1, 192.168.56.81#53 Jun 23 19:02:21 addc1 named[3633]: generating session key for dynamic DNS Jun 23 19:02:21 addc1 named[3633]: sizing zone task pool based on 5 zones Jun 23 19:02:21 addc1 named[3633]: Loading 'AD DNS Zone' using driver dlopen Jun 23 19:02:21 addc1 named[3633]: samba_dlz: started for DN DC=example,DC=net Jun 23 
19:02:21 addc1 named[3633]: samba_dlz: starting configure Jun 23 19:02:21 addc1 named[3633]: samba_dlz: configured writeable zone 'example.net' Jun 23 19:02:21 addc1 named[3633]: samba_dlz: configured writeable zone '_msdcs.example.net' # reboot the system reboot # after reboot check for samba-services ps ax | grep samba 798 ? Ss 0:00 /usr/sbin/samba -D 817 ? S 0:00 /usr/sbin/samba -D 818 ? S 0:00 /usr/sbin/samba -D 819 ? S 0:00 /usr/sbin/samba -D 820 ? S 0:00 /usr/sbin/samba -D 821 ? S 0:01 /usr/sbin/samba -D 822 ? S 0:00 /usr/sbin/samba -D 823 ? S 0:00 /usr/sbin/samba -D 824 ? S 0:00 /usr/sbin/samba -D 825 ? S 0:00 /usr/sbin/samba -D 827 ? S 0:00 /usr/sbin/samba -D 828 ? S 0:00 /usr/sbin/samba -D 830 ? S 0:00 /usr/sbin/samba -D # check if bind is running ps ax | grep named 512 ? Ssl 0:00 /usr/sbin/named -f -u bind # update DNS samba_dnsupdate --verbose --all-names # test dns host -t SRV _kerberos._tcp.example.net _kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net. host -t SRV _ldap._tcp.example.net _ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net. host -t SRV _gc._tcp.example.net _gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net. 
host addc1.example.net addc1.example.net has address 192.168.56.81 # setup a ntp-server apt-get install ntp # write new /etc/ntp.conf server 127.127.1.0 fudge 127.127.1.0 stratum 10 server 0.pool.ntp.org iburst prefer server 1.pool.ntp.org iburst prefer driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp ntpsigndsocket /var/lib/samba/ntp_signd/ restrict default kod nomodify notrap nopeer mssntp restrict 127.0.0.1 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery # set permission for the socket chgrp ntp /var/lib/samba/ntp_signd/ # restart ntp systemctl restart ntp ## Setup a second ADDC # Install packages apt-get install samba libpam-heimdal heimdal-clients ldb-tools winbind libpam-winbind smbclient libnss-winbind bind9 bind9utils # remove /etc/samba/smb.conf from package rm /etc/samba/smb.conf # Set nameserver to first DC vi /etc/network/interfaces dns-nameservers 192.168.56.81 dns-search example.net # check /etc/resolv.conf nameserver 192.168.56.81 search example.net # copy /etc/krb5.conf from first DC scp root@addc1:/etc/krb5.conf /etc # test kerberos root@addc2:~# kinit administrator administrator@EXAMPLE.NET's Password: root@addc2:~# klist Credentials cache: FILE:/tmp/krb5cc_0 Principal: administrator@EXAMPLE.NET Issued Expires Principal Jun 24 10:32:52 2016 Jun 24 20:32:49 2016 krbtgt/EXAMPLE.NET@EXAMPLE.NET # Add reverse DNS-zone to first DC root@addc1:~# kinit administrator administrator@EXAMPLE.NET's Password: root@addc1:~# samba-tool dns zonecreate addc1.example.net 56.168.192.in-addr.arpa -k yes Zone 56.168.192.in-addr.arpa created successfully # Create records for ADDCs root@addc1:~# samba-tool dns add addc1.example.net 56.168.192.in-addr.arpa 81 PTR addc1.example.net -k yes Record added successfully root@addc1:~# samba-tool dns add addc1.example.net 56.168.192.in-addr.arpa 82 PTR addc2.example.net -k yes Record added successfully root@addc1:~# 
samba-tool dns add addc1.example.net example.net addc2 A 192.168.56.82 -k yes Record added successfully # Test the resolving of ADDCs root@addc1:~# host 192.168.56.81 81.56.168.192.in-addr.arpa domain name pointer addc1.example.net. root@addc1:~# host 192.168.56.82 82.56.168.192.in-addr.arpa domain name pointer addc2.example.net. root@addc1:~# host addc2 addc2.example.net has address 192.168.56.82 root@addc2:~# host addc2 addc2.example.net has address 192.168.56.82 root@addc2:~# host 192.168.56.82 82.56.168.192.in-addr.arpa domain name pointer addc2.example.net. root@addc2:~# host addc1 addc1.example.net has address 192.168.56.81 root@addc2:~# host 192.168.56.81 81.56.168.192.in-addr.arpa domain name pointer addc1.example.net. # join second DC to domain samba-tool domain join --dns-backend=BIND9_DLZ example.net DC --realm=example.net -Uadministrator ... Setting up secrets database See /var/lib/samba/private/named.conf for an example configuration include file for BIND and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates Joined domain EXAMPLE (SID S-1-5-21-3596913681-218800659-1303836490) as a DC # list /etc/samba/smb.conf [global] workgroup = EXAMPLE realm = example.net netbios name = ADDC2 server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate # if you provisioned addc1 with rfc2307-Schema add the following line to your smb.conf idmap_ldb:use rfc2307 = yes [netlogon] path = /var/lib/samba/sysvol/example.net/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No # setup bind9 # edit named.conf.options vi /etc/bind/named.conf.options forwarders { 8.8.8.8; }; tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; # edit /etc/bind/named.conf.local vi /etc/bind/named.conf.local include "/var/lib/samba/private/named.conf"; # check if the right bind-version is active in /var/lib/samba/private/named.conf # check 
permission ls -ld /var/lib/samba/private/ drwxr-xr-x 6 root root 4096 Jun 23 18:39 /var/lib/samba/private/ ls -l /var/lib/samba/private/named.conf -rw-r--r-- 1 root root 678 Jun 23 18:39 /var/lib/samba/private/named.conf ls -ld /var/lib/samba/private/dns drwxrwx--- 3 root bind 4096 Jun 23 18:39 /var/lib/samba/private/dns ls -l /var/lib/samba/private/dns.keytab -rw-r----- 1 root bind 737 Jun 23 18:39 /var/lib/samba/private/dns.keytab ls -l /var/lib/samba/private/dns/ total 2948 -rw-rw---- 1 root bind 3014656 Jun 23 18:39 sam.ldb drwxrwx--- 2 root bind 4096 Jun 23 18:39 sam.ldb.d ls -l /var/lib/samba/private/dns/sam.ldb.d/ total 25184 -rw-rw---- 1 root bind 7884800 Jun 23 18:39 CN=CONFIGURATION,DC=EXAMPLE,DC=NET.ldb -rw-rw---- 1 root bind 7700480 Jun 23 18:39 CN=SCHEMA,CN=CONFIGURATION,DC=EXAMPLE,DC=NET.ldb -rw-rw---- 2 root bind 4247552 Jun 23 18:38 DC=DOMAINDNSZONES,DC=EXAMPLE,DC=NET.ldb -rw-rw---- 1 root bind 1286144 Jun 23 18:39 DC=EXAMPLE,DC=NET.ldb -rw-rw---- 2 root bind 4247552 Jun 23 18:38 DC=FORESTDNSZONES,DC=EXAMPLE,DC=NET.ldb -rw-rw---- 2 root bind 421888 Jun 23 18:39 metadata.tdb # make sure "bind"-group has read and write permission to all listed files # Bind9 is protected by apparmor so you have to change some settings # edit /etc/apparmor.d/usr.sbin.named vi /etc/apparmor.d/usr.sbin.named /etc/bind/** r, /var/lib/bind/** rw, /var/lib/bind/ rw, /var/cache/bind/** lrw, /var/cache/bind/ rw, /var/lib/samba/private/** rw, # restart apparmor systemctl restart apparmor.service # start bind9 systemctl restart bind9.service # check /var/log/syslog for the following lines tail -200 /var/log/syslog Jun 23 19:02:21 addc1 named[3633]: listening on IPv4 interface eth1, 192.168.56.81#53 Jun 23 19:02:21 addc1 named[3633]: generating session key for dynamic DNS Jun 23 19:02:21 addc1 named[3633]: sizing zone task pool based on 5 zones Jun 23 19:02:21 addc1 named[3633]: Loading 'AD DNS Zone' using driver dlopen Jun 23 19:02:21 addc1 named[3633]: samba_dlz: started for DN 
DC=example,DC=net Jun 23 19:02:21 addc1 named[3633]: samba_dlz: starting configure Jun 23 19:02:21 addc1 named[3633]: samba_dlz: configured writeable zone 'example.net' Jun 23 19:02:21 addc1 named[3633]: samba_dlz: configured writeable zone '_msdcs.example.net' # change DNS-server setting to own IP vi /etc/network/interfaces dns-nameservers 192.168.56.82 dns-search example.net # reboot the second DC reboot # check /etc/resolv.conf nameserver 192.168.56.82 search example.net # After reboot check for Samba-services ps ax | grep samba 676 ? Ss 0:00 /usr/sbin/samba -D 789 ? S 0:00 /usr/sbin/samba -D 790 ? S 0:00 /usr/sbin/samba -D 791 ? S 0:00 /usr/sbin/samba -D 792 ? S 0:00 /usr/sbin/samba -D 793 ? S 0:01 /usr/sbin/samba -D 794 ? S 0:00 /usr/sbin/samba -D 795 ? S 0:00 /usr/sbin/samba -D 796 ? S 0:00 /usr/sbin/samba -D 797 ? S 0:00 /usr/sbin/samba -D 798 ? S 0:00 /usr/sbin/samba -D 799 ? S 0:00 /usr/sbin/samba -D 800 ? S 0:00 /usr/sbin/samba -D # check if bind9 is running ps ax | grep named 513 ? Ssl 0:00 /usr/sbin/named -f -u bind # update DNS samba_dnsupdate --verbose --all-names # test dns host -t SRV _kerberos._tcp.example.net _kerberos._tcp.example.net has SRV record 0 100 88 addc2.example.net. _kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net. host -t SRV _ldap._tcp.example.net _ldap._tcp.example.net has SRV record 0 100 389 addc2.example.net. _ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net. host -t SRV _gc._tcp.example.net _gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net. _gc._tcp.example.net has SRV record 0 100 3268 addc2.example.net. # !ATTENTION if you only see one line of SRV records (i.e. one DC is missing), check the objectGUID and add the missing CNAME! 
# setup a ntp-server apt-get install ntp # copy /etc/ntp.conf from first DC scp addc1:/etc/ntp.conf /etc # restart ntp systemctl restart ntp # check database-consistency on both DCs kinit administrator # check for "objectguid" and CNAME root@addc1:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid # record 1 dn: CN=NTDS Settings,CN=ADDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net objectGUID: 9fba93aa-5e34-48fc-826b-dddc24072883 # record 2 dn: CN=NTDS Settings,CN=ADDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net objectGUID: b33e0b61-960c-41de-9271-6dad3f57ece0 host -t CNAME 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net Host 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net not found: 3(NXDOMAIN) host -t CNAME b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net is an alias for addc1.example.net. # If one CNAME does not exist, create it (the CNAME name is the objectGUID of the DC's NTDS Settings object) samba-tool dns add addc1 _msdcs.example.net 9fba93aa-5e34-48fc-826b-dddc24072883 CNAME addc2.example.net -k yes Record added successfully host -t CNAME 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net is an alias for addc2.example.net. # best thing is to do a reboot reboot # after reboot check the replication root@addc2:~# kinit administrator administrator@EXAMPLE.NET's Password: root@addc1:~# kinit administrator administrator@EXAMPLE.NET's Password: # Recheck the SRV-Records if one Record was missing. root@addc2:~# samba-tool drs kcc -k yes Consistency check on addc2.example.net successful. root@addc1:~# samba-tool drs kcc -k yes Consistency check on addc1.example.net successful. # check database-replication on both DCs # make sure all checks are "successful" root@addc1:~# samba-tool drs showrepl ... 
==== INBOUND NEIGHBORS ==== DC=ForestDnsZones,DC=example,DC=net Default-First-Site-Name\ADDC2 via RPC DSA object GUID: 9fba93aa-5e34-48fc-826b-dddc24072883 Last attempt @ Fri Jun 24 15:47:58 2016 CEST was successful 0 consecutive failure(s). Last success @ Fri Jun 24 15:47:58 2016 CEST ... ==== OUTBOUND NEIGHBORS ==== DC=ForestDnsZones,DC=example,DC=net Default-First-Site-Name\ADDC2 via RPC DSA object GUID: 9fba93aa-5e34-48fc-826b-dddc24072883 Last attempt @ NTTIME(0) was successful 0 consecutive failure(s). Last success @ NTTIME(0) ... # test replication by creating a new user root@addc1:~# samba-tool user create u4 New Password: Retype Password: User 'u4' created successfully root@addc1:~# samba-tool user list Administrator dns-addc1 krbtgt Guest u1 u2 u3 u4 root@addc2:~# samba-tool user list Administrator dns-addc1 krbtgt Guest u1 u2 u3 u4 ## Now sysvol-replication must be set up # addc1 should be master (holds all fsmo-roles) # addc2 should be slave # start with addc1 # install xinetd and rsync apt-get install xinetd rsync # create a configuration file /etc/xinetd.d/rsync vi /etc/xinetd.d/rsync service rsync { disable = no only_from = 192.168.56.82 socket_type = stream wait = no user = root server = /usr/bin/rsync server_args = --daemon log_on_failure += USERID } # create a configuration file /etc/rsyncd.conf for rsync-server vi /etc/rsyncd.conf [sysvol] path = /var/lib/samba/sysvol/ comment = Samba sysvol uid = root gid = root read only = yes auth users = sysvol-repl secrets file = /etc/samba/rsync.secret # create password file /etc/samba/rsync.secret vi /etc/samba/rsync.secret sysvol-repl:secret # "secret" is only a placeholder: use a long random password. The rsync daemon protocol carries the sysvol contents unencrypted, so the only_from line in the xinetd config and this secret are what restrict who may pull sysvol (including group policy files). # set permission chmod 600 /etc/samba/rsync.secret # restart xinetd systemctl restart xinetd.service # check /var/log/syslog for errors tail -30 /var/log/syslog Reading included configuration file: /etc/xinetd.d/rsync [file=/etc/xinetd.d/rsync] [line=26] # test replication on addc2 # install rsync apt-get install rsync # best thing is writing a short script vi 
/root/sysvol-repl.bash #!/bin/bash rsync --dry-run -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl@addc1:/sysvol /var/lib/samba/sysvol # make it executable chmod u+x /root/sysvol-repl.bash # create the password file vi /etc/samba/rsync.pass secret #set permission chmod 600 /etc/samba/rsync.pass # now start the script root@addc2:~# ./sysvol-repl.bash receiving file list ... done ./ example.net/ example.net/Policies/ example.net/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/ example.net/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI example.net/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/ example.net/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/ example.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/ example.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI example.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/ example.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/ example.net/scripts/ sent 59 bytes received 1,336 bytes 2,790.00 bytes/sec total size is 40 speedup is 0.03 (DRY RUN) # if everything looks good remove "--dry-run" from script vi /root/sysvol-repl.bash #!/bin/bash rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl@addc1:/sysvol /var/lib/samba/sysvol # rerun the script and list sysvol root@addc2:~# ls -l /var/lib/samba/sysvol/ insgesamt 8 drwxrwx---+ 4 root 3000003 4096 Jun 23 18:38 example.net root@addc2:~# ls -l /var/lib/samba/sysvol/example.net/ insgesamt 16 drwxrwx---+ 4 root 3000003 4096 Jun 23 18:38 Policies drwxrwx---+ 2 root 3000003 4096 Jun 23 18:38 scripts root@addc2:~# ls -l /var/lib/samba/sysvol/example.net/Policies/ insgesamt 16 drwxrwx---+ 4 3000008 3000008 4096 Jun 23 18:38 {31B2F340-016D-11D2-945F-00C04FB984F9} drwxrwx---+ 4 3000008 3000008 4096 Jun 23 18:38 {6AC1786C-016F-11D2-945F-00C04FB984F9} # Change shares in smb.conf of second dc to read only vi /etc/samba/smb.conf [netlogon] path = 
/var/lib/samba/sysvol/example.net/scripts read only = Yes [sysvol] path = /var/lib/samba/sysvol read only = Yes # Check permissions on sysvol # Now you have two DCs with bind9 as nameserver