The latest Samba 4 release brings the Active Directory logon and administration protocols, the usual Active Directory features and full interoperability with Microsoft Active Directory servers. It does this by combining, in one daemon, an LDAP directory, Heimdal Kerberos authentication, a dynamic DNS server and the remote procedure calls (RPC) that Windows clients and management tools expect.
For the complete list of changes see: http://wiki.samba.org/index.php/Samba4


This post covers the initial installation and configuration of Samba 4 as an Active Directory domain controller on CentOS 6, using BIND 9 as the DNS backend and an NTP 4.2.6 server (which can sign its time replies for domain members) for the clients.

– Change the hostname:

# vi /etc/sysconfig/network

HOSTNAME=centos-dc

The new name applies at the next boot. The DC's fully qualified name (here centos-dc.opentodo.net) should resolve to its own LAN address before provisioning, because the AD DNS is not serving yet at that point; the Samba HOWTO recommends an /etc/hosts line such as "192.168.1.10 centos-dc.opentodo.net centos-dc" (address assumed, use the DC's real one).

– Disable selinux:

# vi /etc/sysconfig/selinux

SELINUX=disabled

# setenforce 0

SELINUX=disabled only takes effect at the next boot; setenforce 0 switches the running system to permissive mode right away, so do both (or reboot) before continuing. If SELinux is still enforcing when named starts, it typically cannot map Samba's dlz_bind9.so module from under /usr/local/samba and exits with a "Permission denied" error. Turning SELinux off is a hardening loss accepted here for simplicity: the stock targeted policy knows nothing about a Samba built under /usr/local.

– Install some dependencies:

# yum -y install gcc make wget python-devel gnutls-devel openssl-devel libacl-devel krb5-server krb5-libs krb5-workstation bind bind-libs bind-utils

– Download and compile samba4:

# wget http://ftp.samba.org/pub/samba/samba-latest.tar.gz
# tar -xzvf samba-latest.tar.gz
# cd samba-4.*/
# ./configure --enable-selftest
# make && make install

samba-latest.tar.gz is a link to the current release, so it unpacks into a samba-<version> directory, not samba-latest. Check the download against the detached GPG signature published beside it (samba-latest.tar.asc, made over the uncompressed tar) before building. The default prefix is /usr/local/samba; every path in the rest of this post assumes it.

– Provisioning a new domain:

# /usr/local/samba/bin/samba-tool domain provision --realm=OPENTODO.NET --domain=OPENTODO --server-role=dc --dns-backend=BIND9_DLZ

samba-tool prompts for the Administrator password. Do not pass it with --adminpass: that leaves it in the shell history and shows it to every local user in the process list while the command runs. The realm is the Kerberos realm and is conventionally written in upper case; --domain is the short NetBIOS name. The filesystem holding /usr/local/samba must support POSIX ACLs and user extended attributes (the acl and user_xattr mount options; ext4 as created by the CentOS installer enables both by default, otherwise add them in /etc/fstab), or the provision fails when it sets the ACLs on sysvol.

The BIND9_DLZ backend keeps the DNS zones inside the Samba AD database: named loads them through Samba's dlz_bind9 module instead of from zone files, so records replicate with the directory and domain members can update their own records with Kerberos-authenticated (GSS-TSIG) dynamic updates. The provision writes the named configuration fragment and the DNS keytab used below.

– Edit named configuration:

# rndc-confgen -a -r /dev/urandom

rndc-confgen -a creates /etc/rndc.key so that the named init script can control the daemon.

# vi /etc/named.conf

options {
listen-on port 53 { any; };
forwarders { 192.168.1.8; };
allow-query { any; };
allow-recursion { 127.0.0.1; 192.168.1.0/24; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";

192.168.1.8 stands for an upstream resolver (your ISP's or your network's DNS server) to which named forwards queries for names outside the AD zones; 192.168.1.0/24 stands for the client network and is assumed here. Without allow-recursion, allow-query { any; } plus forwarders turns the DC into an open recursive resolver for anyone who can reach port 53, which is a DNS amplification liability; recursion should be limited to the networks that hold domain members. tkey-gssapi-keytab is what lets domain members and samba_dnsupdate authenticate their dynamic updates with Kerberos. The included file is generated by the provision; open it and check that the database line matching your BIND version (dlz_bind9.so for the 9.8 shipped with CentOS 6) is the one left uncommented.

– Edit resolv.conf:

# vi /etc/resolv.conf

nameserver 127.0.0.1
domain opentodo.net

– Edit kerberos client configuration:

# vi /etc/krb5.conf

[libdefaults]
default_realm = OPENTODO.NET
dns_lookup_realm = false
dns_lookup_kdc = true

This configures the Kerberos libraries and tools (kinit, and Samba's own clients); the KDC itself is built into the samba daemon, so the krb5kdc service from the krb5-server package must stay disabled or it will compete with samba for port 88. The provision writes an identical file to /usr/local/samba/private/krb5.conf. dns_lookup_kdc = true makes clients find the KDC through the _kerberos SRV records, so Kerberos only works once named is serving the AD zone.

– Download and install the latest ntp (4.2.6 adds MS-SNTP signing support, which Windows domain members expect from their DC):

# wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.6p5.tar.gz
# tar -xzvf ntp-4.2.6p5.tar.gz
# cd ntp-4.2.6p5
# ./configure --enable-ntp-signd
# make && make install

--enable-ntp-signd builds in the client for Samba's signing socket (ntp_signd). The default prefix installs the daemon as /usr/local/bin/ntpd, which is the path the init script below uses.

– Configuring NTP:

# vi /etc/ntp.conf

server 127.127.1.0
fudge 127.127.1.0 stratum 10
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer noquery mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

mssntp on the default restriction is what makes ntpd sign replies for domain members, through the socket that the running samba daemon creates under the ntpsigndsocket directory. noquery blocks ntpq/ntpdc control queries from arbitrary hosts, including the monlist request that ntp 4.2.6 still answers and that is abused for amplification attacks (CVE-2013-5211); it does not affect normal time requests. The ntpd started by the init script below runs as root; if you run it as the ntp user instead, give that user access to the socket directory (chgrp ntp and chmod 750 on it).

– Setting up the correct permissions:

# chown root:named /usr/local/samba/private/dns.keytab
# chmod 640 /usr/local/samba/private/dns.keytab
# chown named:named /usr/local/samba/private/dns
# chmod 770 /usr/local/samba/private/dns

named runs as the named user and must read the DNS keytab and open (and write) the database partitions linked under private/dns; nothing else needs either, so group read access on the keytab and no access for "other" are enough. Keeping root as the keytab's owner means a compromised named can use the key but not replace it.

– Configuring samba init script:

# vi /etc/init.d/samba4

#! /bin/bash
#
# samba4 Bring up/down samba4 service
#
# chkconfig: - 90 10
# description: Starts/stops the Samba 4 AD domain controller (samba daemon)
# at boot time.
#
### BEGIN INIT INFO
# Provides: samba4
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO
# Source function library.
. /etc/init.d/functions

if [ -f /etc/sysconfig/samba4 ]; then
. /etc/sysconfig/samba4
fi

SAMBA=/usr/local/samba/sbin/samba
prog="samba4"

running() {
# Match the daemon by its full path so this script is never matched itself.
ps ax | grep -v "grep" | grep -q "$SAMBA"
}

start() {
echo -n $"Starting $prog: "
# samba forks into the background on its own; give it a moment to come up.
$SAMBA
sleep 2
if running; then success $"samba4 startup"; else failure $"samba4 startup"; fi
echo
}
stop() {
echo -n $"Shutting down $prog: "
# This script is named samba4 on purpose: killall samba must only hit the daemon.
killall samba
sleep 2
if running; then failure $"samba4 shutdown"; else success $"samba4 shutdown"; fi
echo
}
status() {
# LSB exit codes as used by /etc/init.d/functions: 0 running, 3 stopped.
if running; then echo $"$prog is running"; return 0; else echo $"$prog is stopped"; return 3; fi
}

# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status
;;
restart|reload)
stop
start
;;
*)
echo $"Usage: $0 {start|stop|restart|status}"
exit 1
esac

exit 0

# chmod 755 /etc/init.d/samba4

– Configuring ntp init script:

# vi /etc/init.d/ntp

#! /bin/bash
#
# ntp Bring up/down ntp service
#
# chkconfig: - 55 10
# description: Bring up/down ntp
#
### BEGIN INIT INFO
# Provides: ntp
# Short-Description: Bring up/down ntp
# Description: Bring up/down ntp
### END INIT INFO
# Source function library.
. /etc/init.d/functions

NTPD=/usr/local/bin/ntpd
PIDFILE=/var/run/ntpd.pid
prog="ntp"

running() {
ps ax | grep -v "grep" | grep -q "$NTPD"
}
start() {
echo -n $"Starting $prog: "
$NTPD -p $PIDFILE
sleep 2
if running; then success $"ntp startup"; else failure $"ntp startup"; fi
echo
}
stop() {
echo -n $"Shutting down $prog: "
# SIGTERM lets ntpd shut down cleanly; SIGKILL would deny it that.
kill `cat $PIDFILE 2>/dev/null` > /dev/null 2>&1
sleep 2
if running; then failure $"ntp shutdown"; else success $"ntp shutdown"; rm -f $PIDFILE; fi
echo
}
status() {
if running; then echo $"$prog is running"; return 0; else echo $"$prog is stopped"; return 3; fi
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status
;;
restart|reload)
stop
start
;;
*)
echo $"Usage: $0 {start|stop|restart|status}"
exit 1
esac
exit 0

# chmod 755 /etc/init.d/ntp

chkconfig only recognises the header when it is written exactly as "# chkconfig:" with the space; without it the script is rejected with "service ntp does not support chkconfig".

– Start services (named first, since samba registers its DNS records through it when it starts):

# /etc/init.d/named start
# /etc/init.d/ntp start
# /etc/init.d/samba4 start

– Initialize services at boot time:

# chkconfig --levels 235 samba4 on
# chkconfig --levels 235 ntp on
# chkconfig --levels 235 named on
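Once the three services are up, it is worth confirming that the DC answers the way a domain member expects before opening the firewall or joining anything. The following script is an added example for this post (it is not part of Samba or of the original article). It runs on the DC itself, assumes the realm OPENTODO.NET, the hostname centos-dc.opentodo.net and the /usr/local/samba prefix used above, and wraps the checks the Samba HOWTO suggests: the SRV records clients use to locate the DC (via host), the netlogon and sysvol shares (via smbclient) and a Kerberos ticket for Administrator (via kinit, which prompts for the password).

```python
#!/usr/bin/env python
"""Post-provision checks for a Samba AD DC.  Added example for this post, not
part of Samba; run it on the DC once named, ntpd and samba are up.

Assumptions (edit to match your provision): REALM, DC_FQDN and the
/usr/local/samba install prefix used throughout the post.
"""
from __future__ import print_function
import re
import subprocess
import sys

REALM = "OPENTODO.NET"                 # assumed: realm provisioned above
DC_FQDN = "centos-dc.opentodo.net"     # assumed: this DC's FQDN
SMBCLIENT = "/usr/local/samba/bin/smbclient"

# SRV records every domain member looks up to find a DC; a missing or wrong
# one breaks joins and logons even though the daemons are running.
SRV_PORTS = {
    "_ldap._tcp.%s": 389,
    "_kerberos._udp.%s": 88,
    "_kerberos._tcp.%s": 88,
    "_kpasswd._udp.%s": 464,
}
# `host -t SRV name` prints: name has SRV record <prio> <weight> <port> <target>.
SRV_RE = re.compile(r"has SRV record\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")
# `smbclient -L` share table rows look like: "\tsysvol   Disk   "
SHARE_RE = re.compile(r"^\s*(\S+)[ \t]+Disk\b", re.M)


def run(cmd):
    """Run cmd, returning (exit status, combined stdout and stderr as text)."""
    p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    out = p.communicate()[0]
    return p.returncode, out.decode("utf-8", "replace")


def parse_srv(output):
    """Parse `host -t SRV` output into [(priority, weight, port, target)]."""
    records = []
    for line in output.splitlines():
        m = SRV_RE.search(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target.lower()))
    return records


def srv_points_at(output, dc_fqdn, port):
    """True if some SRV record in the output names dc_fqdn on the expected port."""
    return any(t == dc_fqdn.lower() and p == port
               for _, _, p, t in parse_srv(output))


def missing_dc_shares(output):
    """Shares a DC must publish that are absent from `smbclient -L` output."""
    found = set(m.group(1).lower() for m in SHARE_RE.finditer(output))
    return set(["netlogon", "sysvol"]) - found


def main():
    ok = True
    for name, port in sorted(SRV_PORTS.items()):
        fqdn = name % REALM.lower()
        rc, out = run(["host", "-t", "SRV", fqdn])
        good = rc == 0 and srv_points_at(out, DC_FQDN, port)
        ok = ok and good
        print("%s SRV %s -> %s:%d" % ("OK  " if good else "FAIL", fqdn, DC_FQDN, port))

    # Anonymous share listing over loopback: the DC must expose netlogon and sysvol.
    rc, out = run([SMBCLIENT, "-L", "localhost", "-U%"])
    missing = missing_dc_shares(out) if rc == 0 else set(["netlogon", "sysvol"])
    ok = ok and not missing
    status = "OK  " if not missing else "FAIL (missing: %s)" % ", ".join(sorted(missing))
    print("%s shares netlogon/sysvol" % status)

    # A TGT for Administrator proves that KDC, DNS and krb5.conf agree.  kinit asks
    # for the password on the terminal; never pass it on the command line.
    rc, out = run(["kinit", "administrator@" + REALM])
    ok = ok and rc == 0
    print("%s kinit administrator@%s" % ("OK  " if rc == 0 else "FAIL", REALM))
    return ok


if __name__ == "__main__":
    sys.exit(0 if main() else 1)
```

Run it as root on the DC with no arguments; each FAIL line names the piece (DNS, shares or KDC) to fix before any client is joined, and the exit status is non-zero on any failure so it can sit in a cron job or a monitoring check.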

– Adding iptables rules:

# vi /etc/sysconfig/iptables

-A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m comment --comment "DNS TCP" -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
-A INPUT -m udp -p udp --dport 88 -m comment --comment "Kerberos UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
-A INPUT -m udp -p udp --dport 464 -m comment --comment "Kerberos Password Management UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 135 -m comment --comment "RPC Endpoint Mapper" -j ACCEPT
-A INPUT -m udp -p udp --dport 137 -m comment --comment "NetBIOS Name Service" -j ACCEPT
-A INPUT -m udp -p udp --dport 138 -m comment --comment "NetBIOS Netlogon and Browsing" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -m comment --comment "NetBIOS Session" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "CLDAP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 49152:65535 -m comment --comment "RPC dynamic ports" -j ACCEPT

# service iptables restart

Put these lines above the final REJECT rule of the CentOS 6 default ruleset (the -m state --state NEW rules also rely on its ESTABLISHED,RELATED rule near the top). The list follows the Samba wiki's AD DC port usage: the RPC endpoint mapper is TCP 135 (Samba does not serve it over UDP); Kerberos and kpasswd must be reachable over UDP as well as TCP because MIT/Heimdal clients and Windows XP and older try UDP first; DNS needs TCP for answers too large for UDP and for zone transfers; UDP 137 carries NetBIOS name lookups; and UDP 389 is CLDAP, which clients use to locate and ping DCs. The RPC services behind the endpoint mapper (replication, netlogon, LSA, SAM, used by joins, Group Policy and RSAT) listen on a dynamic TCP range: 49152-65535 is the default since Samba 4.7 (the rpc server dynamic port range option in smb.conf); builds before that used 1024-1300, so change the last rule to match your version. If the DC is reachable from beyond the client networks, add a -s restriction to these rules rather than exposing every service to any source.
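To check a rule file against that port list without reading it by eye, here is an added example (Python 2.6+/3; not from the original post and not part of Samba) that parses iptables-save style ACCEPT rules and reports the required DC ports no rule covers, single ports opened that the DC does not need, and whether the dynamic RPC range is allowed. The port table follows the Samba wiki's AD DC port usage page; the 49152-65535 dynamic range is the Samba 4.7+ default and is an assumption, as is the constructed sample rule set, which deliberately opens UDP 135 instead of TCP 135 and omits Kerberos and kpasswd over UDP, DNS over TCP, NetBIOS name service and the dynamic range.

```python
#!/usr/bin/env python
"""Audit an iptables rule file against the ports a Samba AD DC must accept.

Added example for this post (not part of Samba).  Python 2.6+/3, no root:
feed it /etc/sysconfig/iptables or the output of iptables-save.
"""
from __future__ import print_function
import re
import sys

# From the Samba wiki "Samba AD DC Port Usage" page (plus NTP for clients).
REQUIRED = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS over TCP (big answers, AXFR)",
    ("udp", 88): "Kerberos", ("tcp", 88): "Kerberos",
    ("udp", 123): "NTP for domain members",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram (netlogon, browsing)",
    ("tcp", 139): "NetBIOS session",
    ("udp", 389): "CLDAP (DC locator)", ("tcp", 389): "LDAP",
    ("tcp", 445): "SMB (sysvol, netlogon)",
    ("udp", 464): "Kerberos password change", ("tcp", 464): "Kerberos password change",
    ("tcp", 636): "LDAPS",
    ("tcp", 3268): "Global Catalog", ("tcp", 3269): "Global Catalog over TLS",
}
# Assumed: the Samba 4.7+ default; builds before 4.7 used 1024-1300.
DYNAMIC_RPC = ("tcp", 49152, 65535)

# One ACCEPT rule on an INPUT chain with a single --dport or a lo:hi range.
RULE_RE = re.compile(r"^-A\s+\S*INPUT\b.*?-p\s+(tcp|udp)\b.*?--dport\s+(\d+)"
                     r"(?::(\d+))?.*?-j\s+ACCEPT\b")


def accepted(rule_text):
    """Return (singles, ranges): a set of (proto, port) and a list of (proto, lo, hi)."""
    singles, ranges = set(), []
    for line in rule_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        proto, lo, hi = m.group(1), int(m.group(2)), m.group(3)
        if hi is None:
            singles.add((proto, lo))
        else:
            ranges.append((proto, lo, int(hi)))
    return singles, ranges


def covers(singles, ranges, proto, port):
    """True if the rule set accepts proto/port directly or through a range."""
    if (proto, port) in singles:
        return True
    return any(p == proto and lo <= port <= hi for p, lo, hi in ranges)


def audit(rule_text):
    """Return (missing, extra, dynamic_ok) for an iptables rule file."""
    singles, ranges = accepted(rule_text)
    missing = sorted(k for k in REQUIRED if not covers(singles, ranges, *k))
    # Single ports the DC does not need; review them rather than leaving them open.
    extra = sorted(k for k in singles if k not in REQUIRED and not
                   (k[0] == DYNAMIC_RPC[0] and DYNAMIC_RPC[1] <= k[1] <= DYNAMIC_RPC[2]))
    dynamic_ok = any(p == DYNAMIC_RPC[0] and lo <= DYNAMIC_RPC[1] and hi >= DYNAMIC_RPC[2]
                     for p, lo, hi in ranges)
    return missing, extra, dynamic_ok


# Constructed sample: opens UDP 135 instead of TCP 135 and forgets Kerberos
# over UDP, DNS over TCP, NetBIOS-NS, kpasswd over UDP and the dynamic range.
SAMPLE_RULES = """\
-A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 138 -m comment --comment "NetBIOS" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""


def report(rule_text):
    """Print one line per finding; return True only if nothing is missing."""
    missing, extra, dynamic_ok = audit(rule_text)
    for proto, port in missing:
        print("MISSING %s %-5d %s" % (proto, port, REQUIRED[(proto, port)]))
    for proto, port in extra:
        print("REVIEW  %s %-5d not needed by the DC" % (proto, port))
    if not dynamic_ok:
        print("MISSING %s %d:%d dynamic RPC ports" % DYNAMIC_RPC)
    return not missing and dynamic_ok


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    sys.exit(0 if report(text) else 1)
```

Saved as, say, audit_dc_ports.py (name assumed), it is run as python audit_dc_ports.py /etc/sysconfig/iptables; with no argument it audits the built-in sample and prints five MISSING lines, one REVIEW line for UDP 135 and a MISSING line for the dynamic range. It deliberately ignores multiport and source-restricted rules, so a rule written with -s or --dports shows up as missing and has to be checked by hand.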

Sources

http://wiki.samba.org/index.php/Samba4/HOWTO

https://fedoraproject.org/w/index.php?title=Features/Samba4

– NTP init script and iptables rules contributed by Marc (see the comments). Thanks!!

Samba4 as AD domain controller on Centos 6

32 thoughts on "Samba4 as AD domain controller on Centos 6"

  • January 8, 2013 at 20:34

    Thanks for your post! I found a few useful items while reading this article.

    When using the above script for NTP, I got the following when attempting `chkconfig --levels 235 ntp on`
    "service ntp does not support chkconfig"

    A little bit of hacking with the samba script allowed me to make a pretty and useful ntp startup script. The part that chkconfig looks for is this line:
    # chkconfig: - 55 10
    (I chose 55 as the start due to some searching on the interwebs)

    The above line allows chkconfig to create the proper symlinks for the start/stop locations in rc#.d.

    Here is the pretty startup script:

    ====START SCRIPT=====
    #! /bin/bash
    #
    # ntp Bring up/down ntp service
    #
    # chkconfig: - 55 10
    # description: Bring up/down ntp
    #
    ### BEGIN INIT INFO
    # Provides:
    # Should-Start:
    # Short-Description: Bring up/down ntp
    # Description: Bring up/down ntp
    ### END INIT INFO
    # Source function library.
    . /etc/init.d/functions

    CWD=$(pwd)
    NTPD=/usr/local/bin/ntpd
    prog="ntp"
    start() {
    # Attach irda device
    echo -n $"Starting $prog: "
    $NTPD -p /var/run/ntpd.pid
    sleep 2
    if ps ax | grep -v "grep" | grep -q $NTPD ; then success $"ntp startup"; else failure $"ntp startup"; fi
    echo
    }
    stop() {
    # Stop service.
    echo -n $"Shutting down $prog: "
    kill -9 `cat /var/run/ntpd.pid` > /dev/null 2>&1
    sleep 2
    if ps ax | grep -v "grep" | grep -q $NTPD ; then failure $"ntp shutdown"; else success $"ntp shutdown"; fi
    echo
    }
    # See how we were called.
    case "$1" in
    start)
    start
    ;;
    stop)
    stop
    ;;
    restart|reload)
    stop
    start
    ;;
    *)
    echo $"Usage: $0 {start|stop|restart}"
    exit 1
    esac
    exit 0
    =====END SCRIPT=====

    As for iptables, I like to have comments for what the ports are:

    =====START IPTABLES=====
    -A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
    -A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
    -A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
    -A INPUT -m udp -p udp --dport 138 -m comment --comment "NetBIOS Netlogon and Browsing" -j ACCEPT
    -A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -m comment --comment "NetBIOS Session" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
    =====END IPTABLES=====

    Good luck to you on this, and I again thank you for the posting, as it got me pointed in the right direction 🙂
  • January 8, 2013 at 23:07

    First of all, many thanks Marc for your correction!! The init script for ntp was incomplete and your script is more solid than mine; I edited the post to include your script. I also included your commented iptables rules, very important to clarify the ports that we have opened! Very useful, the chkconfig documentation in the man page: http://linux.about.com/library/cmd/blcmdl8_chkconfig.htm
    Thanks a lot for your time and for making this post more consistent to help other people!!!
  • January 19, 2013 at 17:17

    Congratulations on the script! I have a doubt, boys!
    In "– Edit named configuration":

    forwarders {192.168.1.8; };
    ..
    Is the IP "192.168.1.8" my GATEWAY??
    Or should it be the IP of my CentOS?

    Sorry for my bad English! I am Brazilian! ;]
    • January 19, 2013 at 21:07

      Hi Mike!! Thanks for your comment! The IP address 192.168.1.8 used in the DNS configuration is the address of a DNS server to which this server sends the requests for domains it can't resolve (a forwarder).
      • February 22, 2013 at 13:47

        Hi Ivan,
        Is the IP 192.168.1.8 a separate DNS server?
        • February 22, 2013 at 20:07

          Hi troy0x,

          Yes, the IP address mentioned is a server that resolves the DNS queries the local server cannot resolve, like other internet domains.
      • February 22, 2013 at 20:35

        So I need to set up a DNS server???
        Do you have a specific page link to set up a DNS server??
        And why do I need to set up the separate DNS server??
  • January 30, 2013 at 15:28

    Very nice and thorough tutorial, but I seem to be having a problem with bind, just wondering if anyone has seen this before. After bind is all sorted out it fails to load with the error message: samba_dlz: Failed to connect to /usr/local/samba/private/dns/sam.ldb. Any help would be much appreciated!
    • January 30, 2013 at 18:32

      Thanks Chris!! Which version of bind are you using? You can see the version by executing named -v
      • January 30, 2013 at 21:47

        I believe I was using 9.8.2, can't get any more detailed than that I am afraid. I did not manage to solve this problem but did find a way around that worked perfectly; not meaning to detract from your tutorial, but for those with the same problem as me, I used the Samba internal DNS server and this tutorial: alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller.

        Regardless of me using a different route, you have written a very easy to follow tutorial that did help me a lot. The only flaw I can think of is that you don't make it clear to ensure SELinux is off before continuing; restarting at that point or using setenforce -permissive (guessing that command from memory) will do the trick.

        Cheers
        Chris
  • February 16, 2013 at 15:09

    You can use this chunk of script (just copy & paste it) to download, build and install ntp RPMs from source. With this there is no need to create an ntp init script as it's included with the RPM.

    # Install NTP 4.2.6
    yum -y remove ntp ntpdate
    yum -y install libcap-devel openssl-devel libedit-devel wget
    mkdir -p ~/install_files/ntp
    cd ~/install_files/ntp
    wget http://vault.centos.org/6.3/os/Source/SPackages/ntp-4.2.4p8-2.el6.centos.src.rpm
    rpm -i ntp-4.2.4p8-2.el6.centos.src.rpm
    cd ~/rpmbuild/SOURCES
    wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.6p5.tar.gz
    cd ~/rpmbuild/SPECS
    cp ntp.spec ntp.spec.bak
    sed -i 's/Version: 4.2.4p8/Version: 4.2.6p5/g' ntp.spec
    sed -i 's/--enable-linuxcaps/--enable-linuxcaps --enable-ntp-signd/g' ntp.spec
    sed -i 's/%patch/#%patch/g' ntp.spec
    # Add sntp to the packaged files, right after tickadj ("|" as the sed delimiter because the paths contain "/")
    sed -i 's|%{_sbindir}/tickadj|%{_sbindir}/tickadj\n%{_sbindir}/sntp|g' ntp.spec
    rpmbuild -ba ntp.spec
    cd ~/rpmbuild/RPMS/$(uname -p)/
    rpm -i ntp-4.2.6p5-2.el6.$(uname -p).rpm ntpdate-4.2.6p5-2.el6.$(uname -p).rpm
  • March 27, 2013 at 03:03

    Hi, I can't start up the named service:

    [root@ad bind9]# service named start
    Starting named: [FAILED]

    Here's my messages log:

    Mar 26 21:56:14 localhost named[3618]: Loading 'AD DNS Zone' using driver dlopen
    Mar 26 21:56:14 localhost named[3618]: dlz_dlopen failed to open library '/usr/local/samba/lib/bind9/dlz_bind9.so' - /usr/local/samba/lib/bind9/dlz_bind9.so: failed to map segment from shared object: Permission denied
    Mar 26 21:56:14 localhost named[3618]: dlz_dlopen of 'AD DNS Zone' failed
    Mar 26 21:56:14 localhost named[3618]: SDLZ driver failed to load.
    Mar 26 21:56:14 localhost named[3618]: DLZ driver failed to load.
    Mar 26 21:56:14 localhost named[3618]: loading configuration: failure
    Mar 26 21:56:14 localhost named[3618]: exiting (due to fatal error)
    [root@ad bind9]#

    I'm using CentOS 6.4. How can I fix this?

    Thanks!
  • April 2, 2013 at 07:26

    Very thankful for your tutorial, it's useful for me. I did it without any problem in CentOS 6,
    and successfully added Windows clients to SAMBA4.

    I am unable to add a Linux SAMBA client to SAMBA4.

    Can you provide a doc for adding domain members for Linux clients? I tried but failed.

    Thanks in advance.. Kapil
    • April 2, 2013 at 19:52

      Thank you Kapil!! You can try likewise-open; I used it to authenticate Linux clients to AD servers.
  • April 2, 2013 at 18:16

    You need to rename /etc/init.d/samba to /etc/init.d/samba4, otherwise the killall samba command in the stop section of the init script will also kill the utility script and give an error when stopping or restarting the samba service.

    A very well written todo, thank you.
    • April 2, 2013 at 19:49

      Changed it!! Thanks for your suggestion!!
  • April 10, 2013 at 14:53

    Please, I am very much in love with Linux and I really need help on this Samba4 domain controller thing. I want to master it; your tutorials really help, but can I get it in PDF form, because I am not always on the internet? I will be very grateful, and if I could get other tutorials on other types of Linux servers I would be even more grateful. Keep up your good work and may God richly bless you. George from Ghana!!!
  • August 19, 2013 at 22:18

    Thank you, it helped me a lot! It works fine.
    Can we import users and machines from old samba versions? I'm updating an old samba version 3.0.26 that uses the file /etc/samba/smbpasswd and I don't want to join the computers to the domain again.
  • December 11, 2013 at 09:39

    Do not forget to add "acl" in fstab:

    # cat /etc/fstab
    /dev/mapper/vg_dc-lv_root / ext4 defaults,acl 1 1
  • July 2, 2014 at 13:04

    Firstly, great tutorial.

    Has anyone else had issues with clients being denied the right to update DNS records?

    DC1 named[1019]: client 10.1.1.145#64455: update 'murrayas.local/IN' denied

    samba_dnsupdate --verbose --all-names works perfectly and all updates are successful. So it looks like it's a configuration that is denying clients only, seeing as the server is allowed.

    Any ideas??
  • August 26, 2014 at 14:15

    Hi
    I've excluded my internal DNS and now I can't put any machine in the domain.
    Is it possible to add the internal DNS without doing a new domain provision with samba-tool?
    My external DNS works properly.
    The dig command just shows my external IP.
    Thanks
  • August 29, 2014 at 02:18

    Check out RazDC. A fully automated samba4 domain controller with a web interface. Yes, it's built on the latest CentOS 6.5 and Samba 4.1.
  • September 15, 2014 at 17:06

    Thanks for your great post, but could you post an article about a backup DC?
