Samba-dc
| samba-dc logo | |
|---|---|
| Maintainer | maintainer |
| Url | https://wiki.koozali.org |
| Source: | smeserver-samba-dc |
| Category | |
Maintainer
initial work of Bunkobugsy
Version
Description
This package provides templates for samba Active Directory support. More details found here.
It replaces the upstream samba packages with AD-enabled ones from the SIG/FastTrack repo. More details found here. More up-to-date packages have recently become available on Fedora Copr.
If you are not comfortable with that, you can try Remote ADDC instead, which lets you use the AD DC of your choice: Windows Server, TurnKey Linux DC, RazDC or another Samba DC in a container.
A secondary samba service uses separate samba data directories, set up through a distinct samba configuration.
This ensures that the samba-dc instance does not interfere with the normal file-sharing samba services provided by SME core.
User accounts created in SME are kept in sync with the LDAP service provided by samba Active Directory. More details here.
Users logged in to domain-joined Windows PCs have access to SME's samba shares using the same usernames and matching passwords. https://wiki.koozali.org/Client_Authentication:Windows#Login_to_shared_resources
Kerberos in Active Directory requires accurate time synchronization, so make sure NTP is set up on all client computers.
Active Directory DC location relies on DNS resolution, so make sure all Windows PCs are configured to use only SME's IP for DNS.
Installation
Using the Fedora Copr repository (more up-to-date packages):
/sbin/e-smith/db yum_repositories set fasttrack-updates repository \
    Name 'Fedora Copr Samba-DC' \
    BaseURL 'https://copr-be.cloud.fedoraproject.org/results/bunkobugsy/Samba-DC/epel-8-x86_64/' \
    IncludePkgs samba*,python3-samba*,libnetapi,libsmbclient,libwbclient \
    EnableGroups no \
    GPGCheck no \
    Visible yes \
    Priority 9 \
    status enabled
signal-event dnf-modify
dnf --enablerepo=smecontribs install smeserver-samba-dc
signal-event reboot #just to be sure
Alternatively, using the SIG FastTrack repository:
/sbin/e-smith/db yum_repositories set fasttrack-updates repository \
    Name 'Rocky Linux 8.10 - SIG FastTrack Updates' \
    BaseURL 'http://dl.rockylinux.org/$sigcontentdir/$releasever/fasttrack/$basearch/fasttrack-updates/' \
    IncludePkgs samba*,python3-samba*,libnetapi,libsmbclient,libwbclient,python3-setproctitle \
    EnableGroups no \
    GPGCheck no \
    Visible yes \
    Priority 9 \
    status enabled
signal-event dnf-modify
dnf --enablerepo=smecontribs install smeserver-samba-dc
signal-event reboot #just to be sure
Configuration
You can list the available configuration with the following command:
config show samba
Some of the properties are not shown, but are defaulted in a template or a script. Here is a list with default and expected values:
| property | default | values |
|---|---|---|
| SambaIP | numeric | |
| Password | string | |
| Realm | string | |
| status | disabled | enabled,disabled |
Add samba virtual interface
Samba in AD mode provides services that need a separate virtual interface.
Choose a free static IP address from the same range as SME's local network, outside the DHCP pool.
WARNING: changing this IP address after the domain is provisioned can cause problems and is not supported.
config setprop samba SambaIP a.b.c.d
/etc/e-smith/events/actions/update-ifcfg
systemctl restart network
Confirm that the samba virtual interface is working
ip a | grep a.b.c.d
or check
ifconfig
The virtual interface can be removed at any time, but ONLY while the domain is not operational.
config delprop samba SambaIP
/etc/e-smith/events/actions/update-ifcfg
systemctl restart network
Set domain administrator password
Provisioning will fail unless the chosen password meets the complexity requirements. More details found here.
A Random Strong Password Generator can be used.
WARNING: make sure to keep a copy of this password and do not modify this key after the domain is provisioned.
config setprop samba Password Blu3Onyx!
Provisioning also reserves the administrator user in SME for the domain administrator; make sure that username is not already in use.
Choosing realm
By default, provisioning uses the current Windows workgroup name (default: sme-server) as the realm and appends .INTERNAL to it.
Active Directory DC location relies on DNS resolution; samba's internal DNS handles this via the domain-remote feature.
Make sure the realm does not match SME's primary or additional domains, because additional domains might get overwritten.
Choose the realm carefully by setting the Windows workgroup before provisioning, because domain rename is not supported.
WARNING: domain rename is only possible for now with complete domain reset and loss of all machine accounts.
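The three prerequisites above (a SambaIP that is a free host address inside SME's local network but outside the DHCP pool, a domain administrator password that meets the AD complexity rules, and a realm that does not collide with an SME domain) can be checked before running provision. The script below is an added example, not part of the smeserver-samba-dc contrib. It assumes Samba's default password policy (at least 7 characters and characters from at least three of the four classes upper, lower, digit, other) and takes every value as a command-line argument with constructed sample values so it runs offline; on a real SME box the values would come from config getprop (InternalInterface, dhcpd, samba) and db domains keys.

```bash
#!/bin/bash
# Pre-provisioning sanity checks for the samba-dc contrib.
# Added example, not part of the contrib. Password rules below follow
# Samba's default AD policy (assumption): length >= 7 and three of four
# character classes. All inputs are arguments so the checks run offline.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    local IFS=.
    # intentional word splitting on '.' into $1..$4
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if $1 is a host address in network $2 with netmask $3,
# i.e. inside the subnet and neither the network nor the broadcast address.
ip_in_subnet() {
    local ip mask net bcast
    ip=$(ip2int "$1")
    mask=$(ip2int "$3")
    net=$(( $(ip2int "$2") & mask ))
    bcast=$(( net | (0xFFFFFFFF & ~mask) ))
    [ $(( ip & mask )) -eq "$net" ] && [ "$ip" -ne "$net" ] && [ "$ip" -ne "$bcast" ]
}

# Return 0 if $1 lies outside the DHCP pool $2..$3 (inclusive).
ip_outside_pool() {
    local ip lo hi
    ip=$(ip2int "$1"); lo=$(ip2int "$2"); hi=$(ip2int "$3")
    [ "$ip" -lt "$lo" ] || [ "$ip" -gt "$hi" ]
}

# Return 0 if the password meets the assumed AD default complexity rules.
password_is_complex() {
    local pw=$1 classes=0
    [ "${#pw}" -ge 7 ] || return 1
    case $pw in *[A-Z]*) classes=$((classes + 1));; esac
    case $pw in *[a-z]*) classes=$((classes + 1));; esac
    case $pw in *[0-9]*) classes=$((classes + 1));; esac
    case $pw in *[!A-Za-z0-9]*) classes=$((classes + 1));; esac
    [ "$classes" -ge 3 ]
}

# Return 0 if the realm differs (case-insensitively) from every domain in
# the space-separated list $2 (SME's primary and additional domains).
realm_is_free() {
    local realm d
    realm=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for d in $2; do
        [ "$realm" = "$(printf '%s' "$d" | tr '[:upper:]' '[:lower:]')" ] && return 1
    done
    return 0
}

# Run all checks, print each failure, and return the number of failures.
# Usage: preflight SAMBAIP NETWORK NETMASK DHCP_START DHCP_END PASSWORD REALM "DOMAINS"
preflight() {
    local fails=0
    ip_in_subnet "$1" "$2" "$3"    || { echo "SambaIP $1 is not a host address in $2/$3"; fails=$((fails + 1)); }
    ip_outside_pool "$1" "$4" "$5" || { echo "SambaIP $1 lies inside the DHCP pool $4-$5"; fails=$((fails + 1)); }
    password_is_complex "$6"       || { echo "Password does not meet AD complexity rules"; fails=$((fails + 1)); }
    realm_is_free "$7" "$8"        || { echo "Realm $7 collides with an SME domain"; fails=$((fails + 1)); }
    return "$fails"
}

# Example invocation with constructed values (replace with your own):
# preflight 192.168.1.250 192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.200 'Blu3Onyx!' sme-server.internal 'example.com mail.example.com'
```

A zero exit status from preflight means all four conditions hold; each failing condition is reported on its own line and adds one to the exit status, so the script can gate provision in a wrapper.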
Provisioning
provision
After a successful provisioning DO NOT CHANGE any configuration values.
Testing
To confirm Active Directory functionality:
systemctl status samba
samba-tool domain info a.b.c.d          #SambaIP set above
realm -v discover sme-server.internal   #in this example
kinit -V administrator                  #enter domain administrator password set above
klist
samba-tool user list --configfile=/etc/samba/samba.conf
samba-tool computer list --configfile=/etc/samba/samba.conf
smbstatus --configfile=/etc/samba/samba.conf
samba-tool processes --configfile=/etc/samba/samba.conf
Usual SME network shares are accessible on \\SME-IP\ whereas NETLOGON and SYSVOL are visible at \\SambaIP\
smbclient -L localhost -U admin         #enter SME admin password
smbclient -L a.b.c.d -U administrator   #SambaIP set above, enter domain administrator password set above
If all went well you can proceed to joining Windows PCs to the domain using domain administrator and password.
Before first login all users and admin must have their passwords reset from https://SME-IP/smanager/useraccounts or https://SME-IP/server-manager - Collaboration - Users.
For migrating user profiles from one domain to another ForensiT User Profile Wizard Freeware Edition can be used.
WARNING: disabling samba service is not supported as user accounts and passwords will get out of sync.
Missing user accounts can be restored with the command below; passwords for the recreated users need to be reset.
syncadusers
Password policies
Password changing is only possible from https://SME-IP/smanager/userpassword or https://SME-IP/user-password portals.
For now password changing via Ctrl-Alt-Delete is not supported and will be disabled via password policies.
To prohibit the "Change a password" option from the CTRL+ALT+DEL screen using Group Policy, navigate to User Configuration > Policies > Administrative Templates > System > Ctrl+ALT+DEL Options and enable the "Remove Change Password" policy. You can also achieve this on a local machine by editing the registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System and creating a DWORD value named DisableChangePassword set to 1.
To prevent passwords from getting out of sync, the Password contrib is installed and password aging is activated.
Database backup and check
samba-tool domain backup offline --targetdir=/root --configfile=/etc/samba/samba.conf
samba-tool dbcheck --cross-ncs --configfile=/etc/samba/samba.conf                #report problems only
samba-tool dbcheck --cross-ncs --fix --yes --configfile=/etc/samba/samba.conf    #apply fixes
Uninstall
remove custom repository
/sbin/e-smith/db yum_repositories delete fasttrack-updates
signal-event dnf-modify
remove contrib
dnf remove smeserver-samba-dc
return to upstream samba packages
dnf update
Bugs
Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-samba-dc component, or use this link.
Below is an overview of the current issues for this contrib:
| ID | Product | Version | Status | Summary |
|---|---|---|---|---|
| 12801 | SME Contribs | 11.0 | RESOLVED | Document repo needed to get samba-dc |
| 12800 | SME Contribs | 11.0 | RESOLVED | Remove conflicting /etc/krb5.conf templates |
| 12798 | SME Contribs | 11.0 | RESOLVED | Add samba Active Directory support |
| 12797 | SME Contribs | 11.0 | RESOLVED | Add support for ONPARENT virtual interface (needed for samba-dc and firewall it) |
| 12796 | SME Contribs | 11.0 | RESOLVED | Prevent ldap.service from binding to every interface |
| 12795 | SME Contribs | 11.0 | RESOLVED | Block smbd.service access to winbind |
| 12794 | SME Contribs | 11.0 | RESOLVED | Enable samba.service provided by samba-dc rpm |
Changelog
Only versions released in smecontribs are listed here.
2024/12/13 Vasarhelyi Zsolt
- 11.0.0-01