Samba 4 Domain Controller Installation on CentOS 7

Starting from version 4.0, Samba is able to run as an Active Directory (AD) domain controller (DC). In this tutorial, I will show you how to configure Samba 4 as a domain controller with Windows 10, CentOS 7 and CentOS 6 clients.

In this tutorial, I will compile Samba 4 from source. If you are seeking for a Samba 4 RPM based installation and SELinux configuration for Samba 4, please see my new Samba 4 tutorial here.

I will be using 3 Systems, one CentOS 7 server and a Windows 10 client for remote management, a CentOS 7 and CentOS 6 client.

  • 192.168.1.190 Samba4 AD centos7
  • 192.168.1.191 remote management win 10
  • 192.168.1.22 - client Authentication - centos 7
  • 192.168.1.192 - client Authentication - centos 6

Installation of Samba 4

192.168.1.190 Samba4 AD centos 7

Basis is a CentOS 7 with a minimal install and SELinux disabled.

      
[[email protected] ~]# sestatus
SELinux status: disabled
[[email protected] ~]#
      

Make an entry in the /etc/hosts file.

[[email protected] ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.190   samba4.sunil.cc samba4
[[email protected] ~]#
      

Install the epel repo.

[[email protected] ~]# yum install epel-release -y

Install all the packages needed to compile samba4.

[[email protected] ~]# yum install perl gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins\
policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel\
cyrus-sasl-devel cups-devel bind-utils libxslt docbook-style-xsl openldap-devel pam-devel bzip2 vim wget -y

Now download samba4 package . I use samba-4.6.0 which is latest during this setup.

[[email protected] ~]#  wget https://download.samba.org/pub/samba/stable/samba-4.6.0.tar.gz

Now lets install samba4.

  [[email protected] ~]# tar -zxvf samba-4.6.0.tar.gz
  [[email protected] ~]# cd samba-4.6.0
  [[email protected] samba-4.6.0]# ./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
  [[email protected] samba-4.6.0]# make && make install
  

The installation will take about 10 minutes depending on the system speed.

Now we will do the domain provisioning.

[[email protected] samba]# samba-tool domain provision --use-rfc2307 --interactive
Realm [SUNIL.CC]:
 Domain [SUNIL]:
 Server Role (dc, member, standalone) [dc]: dc
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [4.2.2.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=sunil,DC=cc
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2820
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1787, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1447, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)

[[email protected] samba]#

There will be some errors when we do the provisioning of domain.

To fix them, please comment out the below line in /etc/krb5.conf.

  --------
  #includedir /etc/krb5.conf.d/
  --------

Run the domain provisioning again and now the domain will get created without errors.

  [[email protected] etc]# samba-tool domain provision --use-rfc2307 --interactive
Realm [SUNIL.CC]:
 Domain [SUNIL]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [4.2.2.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=sunil,DC=cc
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=sunil,DC=cc
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              samba4
NetBIOS Domain:        SUNIL
DNS Domain:            sunil.cc
DOMAIN SID:            S-1-5-21-2936486394-2075362935-551615353

[[email protected] etc]#
  

Make sure the ports are open in the firewall.

[[email protected] etc]#firewall-cmd --add-port=53/tcp --permanent;firewall-cmd --add-port=53/udp --permanent;firewall-cmd --add-port=88/tcp --permanent;firewall-cmd --add-port=88/udp --permanent; \
firewall-cmd --add-port=135/tcp --permanent;firewall-cmd --add-port=137-138/udp --permanent;firewall-cmd --add-port=139/tcp --permanent; \
firewall-cmd --add-port=389/tcp --permanent;firewall-cmd --add-port=389/udp --permanent;firewall-cmd --add-port=445/tcp --permanent; \
firewall-cmd --add-port=464/tcp --permanent;firewall-cmd --add-port=464/udp --permanent;firewall-cmd --add-port=636/tcp --permanent; \
firewall-cmd --add-port=1024-5000/tcp --permanent;firewall-cmd --add-port=3268-3269/tcp --permanent
[[email protected] ~]# firewall-cmd --reload
  

Create a startup script to autostart the service during reboot.

[[email protected] ~]# cat /etc/systemd/system/samba.service
[Unit]
Description= Samba 4 Active Directory
After=syslog.target
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/samba/var/run/samba.pid
ExecStart=/usr/local/samba/sbin/samba

[Install]
WantedBy=multi-user.target
[[email protected] ~]#

[[email protected] ~]# systemctl enable samba
Created symlink from /etc/systemd/system/multi-user.target.wants/samba.service to /etc/systemd/system/samba.service.
[root[email protected] ~]# systemctl start samba
  

Adding the Windows host to the domain

192.168.1.191 remote management win 10

Make sure the host is added with a static ipaddress.

Windows host with static IP

Adding the host to the domain.

 

  

To manage Samba4 from Windows, we need to have the Microsoft Remote Server Tools (RSAT) installed.

The wiki page has the links https://wiki.samba.org/index.php/Installing_RSAT

Installing RSAT tool in Windows 10

Run the installer.

 

 

 

After reboot go to run and type in dsa.msc

Click on sunil.cc domain and right click new -> Users.

Creating a test user.

Client authentication with Samba 4 on CentOS 7

192.168.1.22 - client Authentication on CentOS 7

Installation of packages:

[[email protected] ~]# yum -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common

Check connectivity with samba4:

   [[email protected] ~]# realm discover SUNIL.CC
sunil.cc
  type: kerberos
  realm-name: SUNIL.CC
  domain-name: sunil.cc
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
[[email protected] ~]#
   

Joining the domain.

[[email protected] ~]#  realm join SUNIL.CC
Password for Administrator:
[[email protected] ~]#

Check whether we are able to get the user from samba4.

[[email protected] ~]# id SUNIL\\testuser
uid=1570001104([email protected]) gid=1570000513(domain [email protected]) groups=1570000513(domain [email protected])
[[email protected] ~]#

Configure sssd.

[[email protected] ~]# cat /etc/sssd/sssd.conf

[sssd]
domains = sunil.cc
config_file_version = 2
services = nss, pam

[domain/sunil.cc]
ad_domain = sunil.cc
krb5_realm = SUNIL.CC
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%[email protected]%d
access_provider = ad
[[email protected] ~]#

Restart sssd.

[[email protected] ~]# systemctl restart sssd
[[email protected] ~]# systemctl enable sssd

Check the user.

[[email protected] ~]# id [email protected]
uid=1570001105([email protected]) gid=1570000513(domain [email protected]) groups=1570000513(domain [email protected]),1570000512(domain [email protected]),1570000572(denied rodc password replication [email protected])
[[email protected] ~]#

To get the user without domain name.

[[email protected] ~]# vim /etc/sssd/sssd.conf
-----------
------------
use_fully_qualified_names = False
-----------
-----------

Restart sssd and check id command.

[[email protected] ~]# systemctl restart sssd
[[email protected] ~]# id sambauser
uid=1570001105(sambauser) gid=1570000513(domain users) groups=1570000513(domain users),1570000512(domain admins),1570000572(denied rodc password replication group)
[[email protected] ~]#

Client authentication with Samba 4 on CentOS 6

192.168.1.192 - client Authentication on CentOS 6.

Installation of packages.

   [[email protected] db]#  yum install pam pam_ldap pam_krb5 sssd sssd-ldap sssd-common authconfig oddjob oddjob-mkhomedir openldap openldap-clients krb5-workstation adcli -y
   

Change the kerberos config file.

   [[email protected] db]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SUNIL.CC
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 SUNIL.CC = {
  kdc = samba4.sunil.cc
  admin_server = samba4.sunil.cc
 }

[domain_realm]
 .sunil.cc = SUNIL.CC
 sunil.cc = SUNIL.CC
[[email protected] db]#

   

We will use adcli command to join the domain.

   [[email protected] db]# adcli info sunil.cc
[domain]
domain-name = sunil.cc
domain-short = SUNIL
domain-forest = sunil.cc
domain-controller = samba4.sunil.cc
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret
domain-controller-usable = yes
domain-controllers = samba4.sunil.cc
[computer]
computer-site = Default-First-Site-Name
[[email protected] db]#
[[email protected] db]# adcli join sunil.cc
Password for [email protected]:
[[email protected] db]#
   

Make sure the kerberos ticket is created.

   [[email protected] db]# klist -ke
   

Configure authentication.

   [[email protected] db]# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
   

Modify the sssd config now to do the authentication.

   [[email protected] db]# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = sunil.cc

[domain/sunil.cc]
id_provider = ad
# Uncomment if service discovery is not working
# ad_server = server.win.example.com
default_shell = /bin/bash
fallback_homedir = /home/%u
[[email protected] db]#
   

Restart sssd service.

   [[email protected] db]# chkconfig sssd on
[[email protected] db]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[[email protected] db]#
   

Validating user.

   [[email protected] db]# id sambauser
uid=1570001105(sambauser) gid=1570000513(domain users) groups=1570000513(domain users),1570000512(domain admins),1570000572(denied rodc password replication group)
[[email protected] db]#
   
Share this page:

Suggested articles

17 Comment(s)

Add comment

Comments

From: Maciej at: 2017-04-06 13:46:33

For the love of everything, people writing tutorials, stop telling users to disable SELinux. It's very bad practise, no excuses!

From: iron_michael86 at: 2017-04-06 15:23:18

Agreed Maciej .Point noted will have it enabled in the next tutorial.

From: Bradipo at: 2017-04-07 03:30:11

Well. Nice on doing a tuturial but I fail to understand why samba is compiled from source since packages are available in cemtos 7.

Further more why does SELinux get disabled if it is very very easy to find the information on how to add rules and change booleans to allow samba to act as a dc.

I strongly suggest the writer of the article actually goes RTFM.

Central authentication and we haphazardly turn of a system that does really well to protect breaches from happening on the main server that does authentication for a whole network.

Makes me wonder where botnets come from.

From: iron_michael86 at: 2017-04-07 07:55:46

Bradipo,

Samba 4 rpm on Fedora/Redhat/CentOS does not support AD-DC mode

Samba 4 for ubuntu doesnt support CTDB (cluster config).

Sernet enterprise supplies rpm for centos 7 but you will need to pay for it.

Hence that is the reason I compiled it from the source. Selinux I agreed that I should have it enforced. When I was preparing this document selinux was disabled on my system , but when you setup the environment , please have it enabled .

Let me know how your setup goes , incase you still face any issue I will help you resolve it 

Cheers

From: django at: 2017-04-07 12:00:23

Do you need Windows pro OR is a Windows home machine able to join The domain as well?

From: iron_michael86 at: 2017-04-08 04:27:06

Win home edition doesn't support domain joining I think

From: joda666 at: 2017-04-09 00:42:12

Yes you need Pro, Enterprise or Education versions of Windows to connect the computer to a domain.

From: Abhay at: 2017-05-04 05:52:48

Hi There,

 

I have installed centos 7 on VM Player and trying to configure Samba4 AD but I am stuck with below.

 

When I ran samba-tool as shown in article, I got below error. Could you please help here?

samba-tool domain provision --use-rfc2307 --interactive[[email protected] bin]# samba-tool domain provision --use-rfc2307 --interactive-bash: samba-tool: command not found[[email protected] bin]# ./samba-tool domain provision --use-rfc2307 --interactiveTraceback (most recent call last): File "./samba-tool", line 33, in <module> from samba.netcmd.main import cmd_sambatoolImportError: No module named samba.netcmd.main

From: pharms at: 2017-05-06 05:27:57

I had the same problem, fixed it by adding the samba path to my path:

# export PATH=$PATH:/usr/local/samba/bin

and, towards the bottom of /etc/profile:

pathmunge /usr/local/samba/bin after

 

From: pharms at: 2017-05-09 08:06:39

Have followed the article step-by-step and have a functioning DC and connected Windows 10 client - thanks for the excellent instructions!

Is there any chance that you could add a section on setting up home and group shares? This is the next step in completing the process, but seems to be more difficult to accomplish than it should be - at least compared with a non-DC samba environment.

From: Hasan at: 2017-07-12 10:52:20

"samba-tool: command not found......"

how to solve it? Please..help me...!

From: OliKaa at: 2017-08-11 13:05:51

Hello Hasan,you can use the samba-tool with full path:/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactiveGreetz!

From: Narsimha at: 2017-07-15 09:44:22

Hi Micael,

Excellent article and it is working fine for single subnet but when i am trying to work on multiple subnets then the windows systems are not able to contact the pdc server.

My testing network is 192.168.1.0/24 and working environment is 192.168.2.0/24 and 192.168.4.0/24.

I am able to connect to the machine in the 192.168.1.0/24 network but i am unable to connect from 192.168.2.0 & 192.168.4.0.

How to resolve this. Can any one help me.

From: baw at: 2017-09-13 08:44:20

Hello I had error when i fill,please help..

ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: guess_names: 'realm=CENTONG7.ID' in /usr/local/samba/etc/smb.conf must match chosen realm 'CENTONG.ID'!  Please remove the smb.conf file and let provision generate it

  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run

    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)

  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2028, in provision

    sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS))

  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 609, in guess_names

    raise ProvisioningError("guess_names: 'realm=%s' in %s must match chosen realm '%s'!  Please remove the smb.conf file and let provision generate it" % (lp.get("realm").upper(), lp.configfile, realm))

 

From: ganesh jat at: 2017-10-05 07:49:31

when i compile my code(make && make install) after we use ( samba-tool domain provision --use-rfc2307 --interactive

bash: samba-tool: command not found...

) this command that time i am face this issue please as soon as possiable reply me...

this command not work proper...

From: vicky at: 2017-10-12 16:49:26

Is this only for windows 10 or i can use it windows7 as well?

From: mark at: 2017-10-24 13:16:24

samba-tool domain provision --use-rfc2307 --interactiveshowing samba-tool: command not found