Fedora enablement
Fedora currently needs a patched Samba package to enable the missing Domain Controller functionality. This guide is written against Samba 4.1.3 and Fedora 19, but later versions will work.
Hopefully this change will make it into official packages when Samba will be built with the system’s MIT Kerberos implementation. You can grab the latest Samba source packages from Koji.
The first patch is for disabling MIT Kerberos integration and enabling Heimdal Kerberos with Domain Controller functionality in the Redhat/Fedora package. This has also been reported upstream:
--- samba.spec 2014-02-10 10:00:52.000000000 +0100
+++ samba.spec.dc 2014-02-11 10:43:35.038262193 +0100
@@ -38,8 +38,8 @@
%endif
%endif
-%global with_mitkrb5 1
-%global with_dc 0
+%global with_mitkrb5 0
+%global with_dc 1
%if %{with testsuite}
# The testsuite only works with a full build right now.
@@ -81,6 +81,7 @@
Source4: smb.conf.default
Source5: pam_winbind.conf
Source6: samba.pamd
+Source7: samba.service
Source200: README.dc
Source201: README.downgrade
@@ -245,6 +246,13 @@
Group: Applications/System
Requires: %{name}-common = %{samba_depver}
Requires: %{name}-libs = %{samba_depver}
+Requires: tdb-tools >= %{libtdb_version}
+
+%if %with_dc
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+%endif
Provides: samba4-dc-libs = %{samba_depver}
Obsoletes: samba4-dc-libs < %{samba_depver}
@@ -631,6 +639,9 @@
%if ! %with_dc
install -m 0644 %{SOURCE200} packaging/README.dc
install -m 0644 %{SOURCE200} packaging/README.dc-libs
+%else
+# Systemd unit files
+install -p -m 644 -D %{SOURCE7} %{buildroot}%{_unitdir}/samba.service
%endif
install -d -m 0755 %{buildroot}%{_unitdir}
@@ -693,6 +704,16 @@
%post dc-libs -p /sbin/ldconfig
%postun dc-libs -p /sbin/ldconfig
+
+%post dc
+%systemd_post samba.service
+
+%preun dc
+%systemd_preun samba.service
+
+%postun dc
+%systemd_postun_with_restart samba.service
+
%endif # with_dc
%post libs -p /sbin/ldconfig
@@ -1054,6 +1075,7 @@
%{_datadir}/samba/setup
%{_mandir}/man8/samba.8*
%{_mandir}/man8/samba-tool.8*
+%{_unitdir}/samba.service
%else # with_dc
%doc packaging/README.dc
%exclude %{_mandir}/man8/samba.8*
The second patch is for BIND, and is used to re-enable the ISC SPN negotiation when enabling GSS authentication, see samba-technical mailing post and CentOS bug 6526 for details. This patch is required only if you don’t have Kerberos 5 packages installed with at least the following versions/revisions:
* krb5-1.12.1-5.fc21
* krb5-1.11.5-4.fc20
* krb5-1.11.3-21.fc19
Note that to enable you actually have to disable the –disable-isc-spnego parameter.
--- bind.spec.old 2014-02-11 11:12:59.762770598 +0100
+++ bind.spec 2014-02-11 11:12:40.219951833 +0100
@@ -394,7 +394,6 @@
%endif
%if %{GSSTSIG}
--with-gssapi=yes \
- --disable-isc-spnego \
%endif
--enable-fixed-rrset \
--with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \
Version change
Do not forget to bump the Epoch in the RPM spec file so packages do not conflict and are not overwritten by official packages with a lower epoch.
After patching, rebuild the packages with your favorite tools, rpmbuild
, mock
or koji
, whatever your preference is.
Software installation
Install BIND server (required also for other optional domains), the NTP server, the Samba suite and some additional tools used by our environment on the selected server. For servers; replace also firewalld with the base iptables service:
rpm -e firewalld
yum install iptables-services bind bind-utils ntp samba-dc samba-client tdb-tools \
krb5-workstation policycoreutils-devel libselinux-utils cups
systemctl enable iptables
systemctl start cups
systemctl enable named
systemctl stop chronyd
systemctl disable chronyd
systemctl enable ntpd
systemctl enable samba
Networking
Disable IPv6
I had to disable IPv6 for my internal network, you might need to have it enabled. Do the following to permanently disable IPv6:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
echo "net.ipv6.conf.all.disable_ipv6=1" > /etc/sysctl.conf
Firewall configuration
The following ports need to be opened on the firewall:
* TCP: 53, 88, 135, 445, 464, 1024-5000, 3268
* UDP: 53, 88, 123, 389, 464
Ports 1024-5000 are for the RPC services used by Samba, while port tcp/53 is used by Bind to receive DNS GSS record updates (they use TCP, not UDP).
Create the file /etc/sysconfig/iptables
and insert the following contents:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 192.168.23.8 --dport 5666 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 192.168.23.8 --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -d 192.168.23.8 --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 192.168.23.8 --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 192.168.23.8 --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -d 192.168.23.8 --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -d 192.168.23.8 --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 192.168.23.8 --dport 135 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 192.168.23.8 --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -d 192.168.23.8 --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 192.168.23.8 --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 192.168.23.8 --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -d 192.168.23.8 --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 192.168.23.8 -m multiport --ports 1024:5000 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 192.168.23.8 --dport 3268 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Then start the firewall:
systemctl start iptables
Provisioning the domain
First setup and provisioning can be executed with SELinux disabled to be later re-enabled. This helps debugging issues that are not otherwise present with DAC permissions. Execute the following commands as root to start the provisioning:
setenforce 0
rm -f /etc/samba/smb.conf
samba-tool domain provision --dns-backend=BIND9_DLZ --realm=EXAMPLE.COM \
--domain=EXAMPLE --server-role=dc --function-level=2008_R2 \
--adminpass=Password01
Alternatively it can be run without parameters and the installation will be interactive. An output like the following will be returned:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: samba
NetBIOS Domain: EXAMPLE
DNS Domain: example.com
DOMAIN SID: S-1-5-21-1504993763-4098306314-3392174306
Disable NetBIOS
Edit the file /etc/samba/smb.conf
and make sure that the [global] section contains the following lines (in addition to the others) to disable NetBIOS support:
[global]
server services = -dns, -nbt
smb ports = 445
Windows 2000 and later systems setup two connections simultaniously to a server one on port 445 and one on port 139. If it gets a response from port 445 it will reset (RST) the port 139 connection. If it only gets a response from port 139, that one is used. If you disable NBT (NetBIOS over TCP/IP) on your client only port 445 is being tried. Pre-Windows 2000 clients only use port 139.
Configure Kerberos
Copy the provision generated Kerberos file to the default system location:
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
Make sure the Kerberos configuration file contains the check-ticket-addresses directive; as it is required for clients connecting through a NAT; which is the case for our IIMs / Remote PCs.
--- /etc/krb5.conf.old 2013-04-08 15:49:33.310944976 +0200
+++ /etc/krb5.conf 2013-04-08 15:49:57.989473099 +0200
@@ -2,3 +2,6 @@
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
+
+[kdc]
+ check-ticket-addresses = false
Configure NTP server
Change the NTP configuration file to enable Microsoft signed time queries:
--- /etc/ntp.conf.default 2013-08-09 10:10:07.362235547 +0200
+++ /etc/ntp.conf 2013-08-19 12:31:44.356572515 +0200
@@ -5,8 +5,8 @@
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
-restrict default kod nomodify notrap nopeer noquery
-restrict -6 default kod nomodify notrap nopeer noquery
+restrict default kod nomodify notrap nopeer noquery mssntp
+restrict -6 default kod nomodify notrap nopeer noquery mssntp
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
@@ -51,3 +51,5 @@
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
+
+ntpsigndsocket /var/lib/samba/ntp_signd/
Change permissions of the NTP folders which should be accessible by the NTP daemon:
chgrp ntp /var/lib/samba/ntp_signd/
Configure DNS server
Look at the hints in the previous output regarding Bind and modify the file /etc/named.conf
and remember to fill appropriately the zone files with the correct records. Replace my addresses with yours, of course.
--- named.conf.rpmnew 2013-10-30 12:35:25.000000000 +0100
+++ named.conf 2014-02-11 10:19:13.361403985 +0100
@@ -8,29 +8,24 @@
//
options {
- listen-on port 53 { 127.0.0.1; };
+ listen-on port 53 { 127.0.0.1; 192.168.1.8; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
+ // forwarders { 192.168.1.54; 192.168.1.55; };
+ allow-query { any; };
- /*
- - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- - If you are building a RECURSIVE (caching) DNS server, you need to enable
- recursion.
- - If your recursive DNS server has a public IP address, you MUST enable access
- control to limit queries to your legitimate users. Failing to do so will
- cause your server to become part of large scale DNS amplification
- attacks. Implementing BCP38 within your network would greatly
- reduce such attack surface
- */
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ /* Allow recursion from Samba server itself and its Windows management system */
+ allow-recursion {
+ 192.168.1.8;
+ 192.168.1.11;
+ };
+
+ dnssec-enable no;
+ dnssec-validation no;
+ // dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
@@ -38,7 +33,8 @@
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
- session-keyfile "/run/named/session.key";
+
+ tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
logging {
@@ -56,3 +52,6 @@
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
+dlz "example.com" {
+ database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
+};
The DNS server can also to be authoritative for additional stub zones hosted in the same BIND instance, as an example:
// Additional zones required for EXAMPLE
zone "swisslos.ch" IN {
type master;
file "/var/named/swisslos.ch.zone";
};
Change permissions to reach the folders containing the dynamic zones which should be accessible by Bind:
chgrp named /var/lib/samba/private /etc/krb5.conf
chmod g+rx /var/lib/samba/private
Disable IPv6 also on Bind, to avoid flooding the logs with unwanted messages. Add the following line to /etc/sysconfig/named
:
OPTIONS="-4"
Starting services
Make the Samba system use its Bind recursive DNS server as primary DNS. This is required for proper Samba 4 operation of the Domain Controller. Any external request made by the server will be forwarded through the POP DNS servers.
Edit /etc/sysconfig/network-scripts/ifcfg-
and change the DNS1 line to read as follows:
DNS1=192.168.1.8
Then delete all other DNS* lines from the file. Afterwards restart the network:
systemctl restart NetworkManager
Finally start Bind, NTP server and Samba:
systemctl start named
systemctl start samba
systemctl start ntpd
Troubleshooting
For debugging, launch Bind, the NTP server and Samba with the following options to start them in the foreground:
named -u named -f -g -d 2
ntpd -u ntp:ntp -g -I 192.168.23.08 -D 3
samba -i -M single -d 3
MS-SNTP troubleshooting
To troubleshoot NTP settings, perform the following command on the Windows clients to check the Windows Time Service settings and status:
w32tm /query /status /verbose
You should obtain an output like the following:
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0458527s
Root Dispersion: 7.9058500s
ReferenceId: 0xC0A81708 (source IP: 192.168.1.8)
Last Successful Sync Time: 8/19/2013 2:33:08 PM
Source: samba.example.com
Poll Interval: 10 (1024s)
Phase Offset: -0.0377036s
ClockRate: 0.0156007s
State Machine: 1 (Hold)
Time Source Flags: 2 (Authenticated )
Server Role: 0 (None)
Last Sync Error: 0 (The command completed successfully.)
Time since Last Good Sync Time: 34.8648825s
It identifies the last succesful sync time; the fact that the client / server communication is using MS-SNTP to communicate (Time Source Flags: 2 (Authenticated )) and that the last command was executed successfully.
In case it doesn’t work; to manually set Windows Time Service configuration to read NTP settings from the domain perform the following commands to reset the configuration and to sync again the client to the server:
w32tm /config /update /syncfromflags:DOMHIER
w32tm /resync
Then check again the status with the previous command.
If the time server specified in the Windows client is a normal NTP server, then the Windows client will not ask for MS-SNTP signed responses. The command to synchronize the clock is as follows:
w32tm /config /update /syncfromflags:MANUAL
w32tm /resync
This is the output of the query:
Leap Indicator: 0(no warning)
Stratum: 5 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0853119s
Root Dispersion: 7.8537712s
ReferenceId: 0xC0A80101 (source IP: 192.168.1.1)
Last Successful Sync Time: 1/28/2014 3:47:02 PM
Source: 192.168.1.1
Poll Interval: 10 (1024s)
Phase Offset: 0.3340008s
ClockRate: 0.0156001s
State Machine: 1 (Hold)
Time Source Flags: 0 (None)
Server Role: 0 (None)
Last Sync Error: 0 (The command completed successfully.)
Time since Last Good Sync Time: 3.3566832s
Please note that the Time Source Flags do not list the sync as Authenticated.
Kerberos authentication
Test the Active Directory Administrator password and check that the Kerberos ticket and password policies are valid:
$ kinit administrator@EXAMPLE.COM
Password for administrator@EXAMPLE.COM:
Warning: Your password will expire in 41 days on Mon 20 May 2013 02:19:04 PM CEST
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@EXAMPLE.COM
Valid starting Expires Service principal
04/08/2013 15:45:14 04/09/2013 01:45:14 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 04/09/2013 15:45:10
SMB/CIFS file sharing
You should now see all your local default shares by browsing:
$ smbclient -L localhost -U%
To test that authentication is working, you should try to connect to the netlogon share using the Administrator password you set earlier:
$ smbclient //localhost/netlogon -UAdministrator%'Password01' -c 'ls'
To see that all the required DNS records are exposed in the DNS, launch the following commands:
$ host -t SRV _ldap._tcp.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 samba.example.com.
$ host -t SRV _kerberos._udp.example.com.
_kerberos._udp.example.com has SRV record 0 100 88 samba.example.com.
$ host -t A samba.example.com.
samba.example.com has address 192.168.1.8
DNS and GSSEC records insertion/deletion
To test DNS dynamic updates perform the following command on the Windows client:
ipconfig /registerdns
This will create a DNS record for the system in the Active Directory DNS zone using a secure Kerberos authenticated update.
If the record does not appear start debugging on the server for DNS records availability and proper functioning of the DLZ zone. To proceed launch the following command with both Samba and Bind running:
samba_dnsupdate --verbose --all-names
samba_dnsupdate --verbose
This will fetch all the minimum required DNS records for Active Directory from the Samba database and try to re-insert them into the zone using a kerberized (GSSEC) DNS update to the Bind server.
In case you obtain the following message while trying to run the above command:
dns_tkey_negotiategss: TKEY is unacceptable
This means you have some problems with your current Bind Kerberos keytab file. Perform the following command to check that the service principals are contained in the file:
# klist -k -K -t /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
If you obtain an empty list like the one above, extra the DNS service principal with the following command.
samba-tool domain exportkeytab --principal=DNS/samba.example.com \
/var/lib/samba/private/dns.keytab
After generation, make sure to check again its contents. If the file is totally corrupt, regenerate it and apply permissions again. You should have some contents like the following:
# klist -k -K -t /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 15/04/2013 14:08:56 DNS/samba.example.com@EXAMPLE.COM (0xd95bd6c789b30d0d)
1 15/04/2013 14:08:56 DNS/samba.example.com@EXAMPLE.COM (0xd95bd6c789b30d0d)
1 15/04/2013 14:08:56 DNS/samba.example.com@EXAMPLE.COM (0x9208e7dd4029fe8bdaa18dee16ffb8fc)
1 15/04/2013 14:08:56 DNS/samba.example.com@EXAMPLE.COM (0x79c8d7df152f3a7d5c42a3fe64248caa4faf854579b66453bea9af7c155286f9)
1 15/04/2013 14:08:56 DNS/samba.example.com@EXAMPLE.COM (0x5ab2a4df523518d47d3b8f6be79faa2f)
In case you’re guessing what are those weird record types (like RT) you see queried in Samba’s DNS by Windows Clients, please look at the following links:
* http://www.iana.org/assignments/dns-parameters/dns-parameters.xml
* http://technet.microsoft.com/en-us/library/cc758321%28v=ws.10%29.aspx
Windows client networking adjustments
Disable NetBios over TCP/IP
To make the necessary tests; make sure that the Windows system has NetBIOS over TCP/IP disabled in the Advanced TCP/IP settings configuration pane.
Windows 2000 and later systems setup two connections simultaniously to a server one on port 445 and one on port 139. If it gets a response from port 445 it will reset (RST) the port 139 connection. If it only gets a response from port 139, that one is used. If you disable NBT (NetBIOS over TCP/IP) on your client only port 445 is being tried. Pre-Windows 2000 clients only use port 139.
Disable Teredo IPv6 Tunneling
To disable Teredo IPv6 Tunnelling execute the following command in an Administrator Windows command prompt:
netsh interface teredo set state disabled
Disable NCSI testing
To disable Network Connectivity Status Indicator checking on Microsoft servers for internet connectivity, start the Group Policy Editor (gpedit.msc); navigate to the correct tree and set “Turn off Windows Network Connectivity Status Indicator active tests” to Enable.
Windows firewall integration
For Windows 7, the following ports need to be enabled in the firewall; all the other rules should be disabled. This is a subset of the ones listed in Microsoft’s Active Directory required ports:
* TCP: 135, 445, 3268, 1024-5000, 49154
* UDP: 123
* TCP/UDP: 53, 88, 389, 464
To make the RPC server listen only on port 49154; the following registry file needs to be applied and the system rebooted:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):34,00,39,00,31,00,35,00,34,00,00,00,00,00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"
Commands to add the Windows Firewall rules from the command line:
netsh advfirewall firewall add rule name="Samba-TCP-In" protocol=TCP localport="88,135,445,49154" action=allow dir=IN remoteip=192.168.1.8
netsh advfirewall firewall add rule name="Samba-UDP-In" protocol=UDP localport="88" action=allow dir=IN remoteip=192.168.1.8
netsh advfirewall firewall add rule name="Samba-TCP-Out" protocol=TCP localport="53,88,135,389,445,464,1024-5000,3268" action=allow dir=OUT remoteip=192.168.1.8
netsh advfirewall firewall add rule name="Samba-UDP-Out" protocol=UDP localport="53,88,389,464" action=allow dir=OUT remoteip=192.168.1.8
To debug connections, use the PortQueryUI command that you can download from the Microsoft website:
* http://www.microsoft.com/en-us/download/details.aspx?id=24009
Like this:
Like Loading...
Recent Comments