302SambaAD - amagerard/Freeradius GitHub Wiki
The SambaAD server is a clone of the TemplateVM. See the TemplateVM installation page.
SELinux must be "permissive" and must stay that way; the crontab entry below re-applies it at every boot.
vi /etc/crontab
@reboot root setenforce 0
Important.
You need a Windows 11 Pro computer to administer SambaAD.
This computer must be integrated into the domain.
For this example.
Name AD server: thot.dw.learn.lan
Ip AD server: 192.168.40.47/24
gateway: 192.168.40.254
Domain name: dw.learn.lan
vi /etc/hosts
192.168.40.47 thot.dw.learn.lan thot
vi /etc/hostname
thot.dw.learn.lan
vi /etc/sysconfig/network
# Created by anaconda
networking=yes
HOSTNAME=thot.dw.learn.lan
Change the network configuration.
Example:
IP: 192.168.40.47/24
Gateway: 192.168.40.254
Name Server: 1.1.1.1
Search domain: dw.learn.lan
nmcli con mod eth0 ipv4.method "manual" ipv4.addresses 192.168.40.47/24
nmcli con mod eth0 ipv4.gateway 192.168.40.254
nmcli con mod eth0 ipv4.dns 1.1.1.1
nmcli con mod eth0 ipv4.dns-search dw.learn.lan
Read the new network configuration.
more /etc/NetworkManager/system-connections/eth0.nmconnection
Apply the new network configuration (ifconfig comes from the net-tools package).
ifconfig eth0 0.0.0.0
systemctl restart NetworkManager
ifconfig eth0
Update the system.
Red Hat may ask you to register a new subscription.
subscription-manager register --username <username> --password <password> --auto-attach --force
dnf update
Uninstall msmtp (if installed).
dnf remove msmtp
Restart.
reboot
Add firewall rules.
vi /etc/ufw/applications.d/ufw-custom
[SRVADS]
title=SRVADS
description=Firewall access srvads
ports=88,135,389,445,464,636,3268,3269,50000:51000,49152:65535/tcp|88,389,464/udp
ufw reload
ufw allow IN SRVADS
ufw allow OUT SRVADS
Disable avahi-daemon (mDNS / DNS-SD, Zeroconf).
systemctl stop avahi-daemon.service avahi-daemon.socket
systemctl disable avahi-daemon.service avahi-daemon.socket
After restarting, set the system language to English to make searching for problems in the logs easier.
dnf install glibc-langpack-en
localectl set-locale LANG=en_US.utf8
localectl status
Install the useful packages.
dnf install epel-release wget sudo screen nmap telnet tcpdump rsync net-tools bind-utils htop
The installation uses the packages made by samba.tranquil.it.
It is version 4.21, February 16, 2025.
https://samba.tranquil.it/redhat9/
The documentation is on the site:
https://samba.tranquil.it/doc/en/samba_config_server/redhat8/server_install_samba_redhat.html
Retrieve the RPM signature key and configure a YUM repository (sic):
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9 https://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-9
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
Edit tissamba.repo.
vi /etc/yum.repos.d/tissamba.repo
Add these lines.
[tis-samba]
name=tis-samba
baseurl=https://samba.tranquil.it/redhat9/samba-4.21/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-9
dnf update --allowerasing
dnf install samba samba-dc samba-winbind samba-winbind-clients krb5-workstation ldb-tools bind chrony bind-utils samba-client
Samba Active Directory domain adjustment.
Kerberos settings.
Domain name: dw.learn.lan
Make a backup of krb5.conf.
cp /etc/krb5.conf /etc/krb5.conf_ori
Erase krb5.conf.
> /etc/krb5.conf
Edit krb5.conf.
vi /etc/krb5.conf
[libdefaults]
default_realm = DW.LEARN.LAN
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
DW.LEARN.LAN = {
kdc = 127.0.0.1
}
vi /etc/nsswitch.conf
Change the passwd, shadow and group lines to "files winbind":
passwd: files winbind
shadow: files winbind
group: files winbind
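The nsswitch.conf edit above can be scripted so it is applied the same way on every DC and can be re-run safely. The following is an added example, not part of the wiki: it rewrites the three database lines of a file to "files winbind", verifies the result, and is demonstrated on a constructed sample that resembles a stock RHEL 9 file.

```shell
#!/bin/sh
# Added example (not from the wiki): apply the nsswitch.conf change above to a
# file in an idempotent way and verify it, so the edit can be scripted and
# re-run safely. The sample file content is constructed for this example.

# Rewrite the passwd, shadow and group lines of FILE to "files winbind".
# A temp file plus mv is used instead of sed -i so it works with GNU and BSD sed.
# Running it twice yields the same result. Other databases are untouched.
set_nss_winbind() {
    f="$1"
    sed -E 's/^[[:space:]]*(passwd|shadow|group):.*$/\1:     files winbind/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Return 0 only when all three databases resolve through files, then winbind.
check_nss_winbind() {
    f="$1"
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*${db}:[[:space:]]+files[[:space:]]+winbind"'([[:space:]]|$)' "$f" \
            || return 1
    done
    return 0
}

# Constructed sample resembling a stock RHEL 9 file (sss still listed).
make_sample_nsswitch() {
    cat > "$1" <<'EOF'
# constructed sample, not a real authselect-generated file
passwd:     files sss systemd
group:      files sss systemd
netgroup:   sss files
automount:  sss files
services:   files sss
shadow:     files
hosts:      files dns myhostname
EOF
}

# Demonstration on a temporary copy.
tmp="${TMPDIR:-/tmp}/nsswitch.example.$$"
make_sample_nsswitch "$tmp"
set_nss_winbind "$tmp"
if check_nss_winbind "$tmp"; then
    echo "OK: passwd, shadow and group now use files winbind"
else
    echo "FAILED: nsswitch.conf not updated" >&2
fi
grep -E '^(passwd|shadow|group):' "$tmp"
rm -f "$tmp"
```

To use it on the real file, call set_nss_winbind /etc/nsswitch.conf and then check_nss_winbind /etc/nsswitch.conf. On RHEL 9 the file carries an authselect header; a later authselect profile change would rewrite it, so re-run the check after any authselect operation.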
Make a backup of smb.conf.
cp /etc/samba/smb.conf /etc/samba/smb.conf_ori
Erase smb.conf.
> /etc/samba/smb.conf
Configure Samba with the role of domain controller. In the line that follows,
remember to change both the name of the Kerberos realm and the short
name of the domain (NetBIOS name).
samba-tool needs python3-markdown.
dnf install python3-markdown
samba-tool domain provision --realm=DW.LEARN.LAN --domain DW.LEARN --server-role=dc
Reset the Administrator password.
samba-tool user setpassword administrator
vi /etc/samba/smb.conf
Check the "dns forwarder = xxx.xxx.xxx.xxx" line in your /etc/samba/smb.conf file.
It must point to a valid DNS server.
Example: dns forwarder = 1.1.1.1
Change DNS resolution for the local machine.
nmcli con mod eth0 ipv4.dns 127.0.0.1
nmcli con mod eth0 ipv4.dns-search dw.learn.lan
Read the new network configuration.
more /etc/NetworkManager/system-connections/eth0.nmconnection
Apply the new network configuration.
systemctl restart NetworkManager
cat /etc/resolv.conf
The Samba domain provisioning creates a useless /var/lib/samba/private/krb5.conf file.
It must be deleted and replaced by a symbolic link to /etc/krb5.conf.
rm -f /var/lib/samba/private/krb5.conf
ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
Enable Samba so that it starts automatically at the next reboot.
systemctl enable --now samba
Restart the machine.
reboot
Check samba AD.
kinit Administrator
Password for Administrator@DW.LEARN.LAN:
Warning: Your password will expire in 41 days on Tue 19 Mar 2024 03:15:07 PM CET
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@DW.LEARN.LAN
Valid starting       Expires              Service principal
02/06/2024 15:32:39  02/07/2024 01:32:39  krbtgt/DW.LEARN.LAN@DW.LEARN.LAN
	renew until 02/07/2024 15:32:34
nslookup thot.dw.learn.lan
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: thot.dw.learn.lan
Address: 192.168.40.47
nslookup google.fr
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.fr
Address: 142.250.179.99
Name: google.fr
Address: 2a00:1450:4007:808::2003
wbinfo -u
DW.LEARN\administrator
DW.LEARN\guest
DW.LEARN\krbtgt
Destroy the ticket so that klist is empty.
kdestroy
klist
Be careful: the account name is administrator.
vi /etc/chrony.conf
Add these settings.
# Windows computer synchronization
ntpsigndsocket /var/lib/samba/ntp_signd
By default the chrony daemon also listens on the localhost interface on UDP port 323 (its command port). Disable it.
vi /etc/chrony.conf
Add this line.
# Do not let the daemon listen on the localhost interface on UDP port 323
cmdport 0
Add subnet authorization.
In this example the authorized subnets are:
192.168.80.0/24
192.168.60.0/24
192.168.40.0/24
192.168.90.0/24
vi /etc/chrony.conf
#authorization
allow 192.168.80.0/24
allow 192.168.60.0/24
allow 192.168.40.0/24
allow 192.168.49.0/24
#listen only host
allow 127.0.0.0/8
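A short check that the allow lines really match the subnet list you decided on is useful before restarting chronyd, because a DC with an extra or missing allow line either serves time to the wrong network or leaves a site unsynchronized. The script below is an added example, not from the wiki: it extracts the CIDR allow lines from a chrony.conf and reports drift in both directions. It is run on a constructed copy holding the allow lines from this section, compared against the subnet list above; the 192.168.49.0/24 line is reported as unexpected and 192.168.90.0/24 as missing.

```shell
#!/bin/sh
# Added example (not from the wiki): check that the "allow" lines in a
# chrony.conf match the subnet list you intended to authorize, and report
# drift in both directions. It is run here on a constructed copy containing
# the allow lines shown above. Only CIDR-form allow lines are considered.

# Subnets this page intends to authorize (list above) plus loopback.
INTENDED_SUBNETS='192.168.80.0/24 192.168.60.0/24 192.168.40.0/24 192.168.90.0/24 127.0.0.0/8'

# Print "missing <subnet>" for each intended subnet without an allow line and
# "unexpected <subnet>" for each allow line not in the intended list.
# Returns 1 if anything was reported, 0 when the file matches exactly.
check_chrony_allow() {
    conf="$1"; intended="$2"; rc=0
    actual=$(sed -n -E 's|^[[:space:]]*allow[[:space:]]+([0-9.]+/[0-9]+).*|\1|p' "$conf")
    for s in $intended; do
        printf '%s\n' "$actual" | grep -qxF "$s" || { echo "missing $s"; rc=1; }
    done
    for s in $actual; do
        printf '%s\n' $intended | grep -qxF "$s" || { echo "unexpected $s"; rc=1; }
    done
    return $rc
}

# Constructed chrony.conf fragment with the allow lines from this section.
make_sample_chrony() {
    cat > "$1" <<'EOF'
ntpsigndsocket /var/lib/samba/ntp_signd
cmdport 0
#authorization
allow 192.168.80.0/24
allow 192.168.60.0/24
allow 192.168.40.0/24
allow 192.168.49.0/24
#listen only host
allow 127.0.0.0/8
EOF
}

# Demonstration: 192.168.49.0/24 is flagged and 192.168.90.0/24 is missing.
tmp="${TMPDIR:-/tmp}/chrony.example.$$"
make_sample_chrony "$tmp"
if check_chrony_allow "$tmp" "$INTENDED_SUBNETS"; then
    echo "allow list matches the intended subnets"
else
    echo "allow list drifts from the intended subnets (see lines above)" >&2
fi
rm -f "$tmp"
```

On the real DC, run check_chrony_allow /etc/chrony.conf "$INTENDED_SUBNETS" and only restart chronyd when it prints nothing and returns 0.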
chown root:chrony /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/
systemctl restart chronyd
Add ntp and dns rules on the firewall.
ufw allow IN ntp
ufw allow IN dns
From a computer joined to the domain dw.learn.lan.
Information (Microsoft):
To join a computer to a domain:
- On the Desktop, click the Start button, type Control Panel, and then press ENTER.
- Navigate to System and Security, and then click System.
- Under Computer name, domain, and workgroup settings, click Change settings.
- Under the Computer Name tab, click Change.
- Under Member of, click Domain, type the name of the domain that you wish this computer to join, and then click OK.
- Click OK in the Computer Name/Domain Changes dialog box, and then restart the computer.
On the Windows Administrator computer.
Open administrator console.
w32tm /config /syncfromflags:domhier
w32tm /config /update
w32tm /resync /nowait
All is OK.
To find NTP problems on Windows, enable W32Time logging.
From a computer joined to the domain dw.learn.lan.
On the Windows Administrator computer.
Open regedit .
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"FileLogSize"=dword:10000000 (REG_DWORD --> dword)
"FileLogName"="C:\Windows\Temp\w32time.log" (REG_SZ --> string)
"FileLogEntries"="0-300" (REG_SZ --> string)
Operate W32Time in NTP mode with a named server.
From a computer joined to the domain dw.learn.lan.
On the Windows Administrator computer.
Open regedit.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
...
"Type"="NTP"
"ntpserver"="thot.dw.learn.lan"
Stop and start time service.
From a computer joined to the domain dw.learn.lan.
On the Windows Administrator computer.
Open administrator console.
net stop w32time
net start w32time
Check synchronization.
w32tm /monitor
From a computer joined to the domain dw.learn.lan.
Open a session as administrator.
Go to Settings > Apps (or System) > Optional features > View features, and add:
RSAT: Active Directory Domain Services and Lightweight Directory Services Tools.
RSAT: Group Policy Management Tools.
RSAT: DNS Server Tools.
The RSAT install is very long, maybe more than an hour.
After the install, go to "All apps" and "Windows Tools" (Windows 11).
samba-tool on the SambaAD server provides commands to create users and groups, and other utilities.
It is not very easy to manage users and groups this way.
I recommend using RSAT from a Windows administrator account to create users and groups.
But it is good to know that these commands exist.
https://sleeplessbeastie.eu/2022/05/16/how-to-manage-unix-groups-and-users-in-samba-active-directory/
Example:
group: cats
users: octo, bigcatop
domain: OCTOCAT
Create groups.
samba-tool group add cats --gid-number 8000 --nis-domain OCTOCAT --description "Cats group"
Edit group.
samba-tool group edit cats
Create users.
samba-tool user create \
octo 0ctOpass \
--given-name Octo --surname Cat --home-directory /home/octocat \
--uid octo --uid-number 10000 --gid-number 10000 \
--unix-home /home/octocat \
--gecos 'Octo Cat' \
--nis-domain OCTOCAT \
--login-shell=/bin/bash
samba-tool user create bigcatop vmDev8Pass!
Display user information.
samba-tool user show bigcatop
Get user groups.
samba-tool user getgroups bigcatop
List users.
samba-tool user list
Define password expiration.
samba-tool user setexpiry --days 120 bigcatop
samba-tool user setexpiry --noexpiry bigcatop
Add user to group.
samba-tool group addmembers cats bigcatop,octo
List groups.
samba-tool group list
List group members.
samba-tool group listmembers cats
Remove user from a group.
samba-tool group removemembers cats bigcatop
Delete group.
samba-tool group delete cats
Delete user.
samba-tool user delete bigcatop
Change user password.
samba-tool user password -U bigcatop
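The commands above create one account at a time and pass the password as a command-line argument, where it is visible to other users in the process list and kept in the shell history. The script below is an added example, not from the wiki: it creates several users from a CSV with the same samba-tool options, uses --random-password so no password appears on the command line, and adds each user to its group. The CSV rows, the "cats" group and the OCTOCAT NIS domain are constructed for the example; with DRY_RUN=1 (the default) the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not from the wiki): create several AD users from a CSV with
# the samba-tool commands shown above, without putting passwords on the
# command line. --random-password lets samba-tool generate the initial
# password; the administrator then sets a one-time password interactively
# with "samba-tool user setpassword LOGIN --must-change-at-next-login".
# The CSV rows, the "cats" group and the OCTOCAT NIS domain are constructed
# for this example. DRY_RUN=1 (the default) prints the commands instead of
# running them, so the block runs on a machine without samba-tool.

# CSV columns: login,given,surname,uidNumber,gidNumber,group (constructed)
SAMPLE_CSV='octo,Octo,Cat,10000,10000,cats
bigcatop,Big,Catop,10001,10000,cats'

# Run the command, or with DRY_RUN=1 print it (space-joined, unquoted).
run_or_print() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s ' "$@"; printf '\n'
    else
        "$@"
    fi
}

# Create one user from its CSV fields and add it to its group. Logins are
# restricted to a safe character set before they reach any command.
create_user_record() {
    login="$1"; given="$2"; surname="$3"; uidn="$4"; gidn="$5"; group="$6"
    case "$login" in
        ''|*[!a-zA-Z0-9._-]*) echo "skip: bad login '$login'" >&2; return 1 ;;
    esac
    run_or_print samba-tool user create "$login" --random-password \
        --given-name "$given" --surname "$surname" --gecos "$given $surname" \
        --uid "$login" --uid-number "$uidn" --gid-number "$gidn" \
        --unix-home "/home/$login" --login-shell /bin/bash \
        --nis-domain OCTOCAT
    run_or_print samba-tool group addmembers "$group" "$login"
}

# Process every CSV row. The number of users handled is left in CREATED
# (a here-document is used instead of a pipe so the loop runs in this shell).
bulk_create_users() {
    n=0
    while IFS=, read -r login given surname uidn gidn group; do
        if [ -z "$login" ]; then continue; fi
        if create_user_record "$login" "$given" "$surname" "$uidn" "$gidn" "$group"; then
            n=$((n+1))
        fi
    done <<EOF
$1
EOF
    CREATED=$n
}

# Demonstration (dry run).
bulk_create_users "$SAMPLE_CSV"
echo "users handled: $CREATED"
```

samba-tool does not display the password generated by --random-password, so after the bulk run set each user's initial password with samba-tool user setpassword LOGIN --must-change-at-next-login, which prompts for it; run with DRY_RUN=0 on the DC to execute the commands for real.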
samba-tool is the only way to manage a secondary SambaAD server.
Prior training on Microsoft AD servers is recommended.
View FSMO role owners.
samba-tool fsmo show
Check replication (synchronization) between multiple DCs.
samba-tool drs showrepl
Transfer of FSMO roles.
Execution must be done on the domain controller that takes over the role(s).
samba-tool fsmo transfer --role=all -U administrator
Removing a domain controller.
The execution must be done on the domain controller that is removed from the domain
with a local account (not from the domain).
samba-tool domain demote -U administrator