Samba 4 Domain Controller Installation on CentOS 7

Starting with version 4.0, Samba can run as an Active Directory (AD) domain controller (DC). In this tutorial, I will show you how to configure Samba 4 as a domain controller and join Windows 10, CentOS 7 and CentOS 6 clients to it.

In this tutorial, I will compile Samba 4 from source. If you are looking for an RPM-based Samba 4 installation and an SELinux configuration for Samba 4, please see my newer Samba 4 tutorial here.

I will be using four systems: a CentOS 7 server as the domain controller, a Windows 10 client for remote management, and a CentOS 7 and a CentOS 6 client for authentication.

  • 192.168.1.190 - Samba 4 AD DC - CentOS 7
  • 192.168.1.191 - remote management - Windows 10
  • 192.168.1.22 - client authentication - CentOS 7
  • 192.168.1.192 - client authentication - CentOS 6

Installation of Samba 4

192.168.1.190 Samba4 AD centos 7

The base system is a minimal CentOS 7 install. SELinux was disabled on the machine used to write this tutorial; that is not recommended for a server that authenticates the whole network, and the RPM-based tutorial linked above shows the setup with SELinux kept enforcing.

      
[[email protected] ~]# sestatus
SELinux status: disabled
[[email protected] ~]#
      

Make an entry in the /etc/hosts file.

[[email protected] ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.190   samba4.sunil.cc samba4
[[email protected] ~]#
      

Install the EPEL repository.

[[email protected] ~]# yum install epel-release -y

Install all the packages needed to compile Samba 4. Note the space before each trailing backslash: without it the shell joins the last package name on the line with the first one on the next line and yum reports a non-existent package.

[[email protected] ~]# yum install perl gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins \
policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libsepol-devel libattr-devel keyutils-libs-devel \
cyrus-sasl-devel cups-devel bind-utils libxslt docbook-style-xsl openldap-devel pam-devel bzip2 vim wget -y

Now download the Samba 4 source tarball. I use samba-4.6.0, which was the latest release at the time of writing. Samba publishes a detached GPG signature (samba-4.6.0.tar.asc, made over the uncompressed tarball) next to each release; verify it before building code that will become your domain controller.

[[email protected] ~]#  wget https://download.samba.org/pub/samba/stable/samba-4.6.0.tar.gz

Now let's build and install Samba 4.

  [[email protected] ~]# tar -zxvf samba-4.6.0.tar.gz
  [[email protected] ~]# cd samba-4.6.0
  [[email protected] samba-4.6.0]# ./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
  [[email protected] samba-4.6.0]# make && make install
  

The build and installation take about 10 minutes, depending on the system. Everything is installed under /usr/local/samba (the configure default), which is not on the PATH: either call /usr/local/samba/bin/samba-tool by its full path or add /usr/local/samba/bin and /usr/local/samba/sbin to your PATH before continuing.

Now we will provision the domain.

[[email protected] samba]# samba-tool domain provision --use-rfc2307 --interactive
Realm [SUNIL.CC]:
 Domain [SUNIL]:
 Server Role (dc, member, standalone) [dc]: dc
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [4.2.2.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=sunil,DC=cc
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2820
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1787, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1447, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)

[[email protected] samba]#

Provisioning aborts in password_hash.c with an "operations error". On CentOS 7.3 and later, /etc/krb5.conf contains an includedir directive that the Heimdal Kerberos library bundled with this Samba release does not understand.

To fix it, comment out the line below in /etc/krb5.conf.

  --------
  #includedir /etc/krb5.conf.d/
  --------
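The script below is an added example and not part of the original tutorial. It catches, before samba-tool domain provision is run, the three conditions that derail provisioning on this page: the includedir line in /etc/krb5.conf, a stale /usr/local/samba/etc/smb.conf left behind by an earlier attempt (provision then fails with "realm=... must match chosen realm", see the comments below), and a DC name that /etc/hosts maps to 127.0.0.1 instead of its static address. File paths are parameters so the functions can be tried on copies; the file contents used in the usage comment are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): pre-flight checks to run on
# the DC before "samba-tool domain provision". Paths are parameters so the
# functions can be exercised against copies rather than the live files.

# hosts_check HOSTS_FILE FQDN IP
# Succeeds only if FQDN maps to IP in HOSTS_FILE and to nothing else. A
# 127.0.0.1 mapping would make the DC register loopback in its own DNS zone.
hosts_check() {
    awk -v fqdn="$2" -v ip="$3" '
        $1 ~ /^#/ { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i == fqdn) { if ($1 == ip) ok = 1; else bad = 1 }
        }
        END { exit (ok && !bad) ? 0 : 1 }' "$1"
}

# krb5_fix_includedir KRB5_CONF
# Comments out every active "includedir" line in place (the directive that
# makes provisioning die in password_hash.c) and prints how many it changed,
# so a second run reports 0.
krb5_fix_includedir() {
    n=$(grep -c '^[[:space:]]*includedir' "$1" || true)
    sed -i 's/^\([[:space:]]*\)includedir/\1#includedir/' "$1"
    echo "$n"
}

# stale_smbconf_check SMB_CONF
# Provisioning refuses to run if an smb.conf already exists with a different
# realm. Returns 1 and reports the realm it declares; 0 if the file is absent.
stale_smbconf_check() {
    [ -e "$1" ] || return 0
    realm=$(awk -F= 'tolower($1) ~ /^[ \t]*realm[ \t]*$/ {
                gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }' "$1")
    echo "existing $1 declares realm: $realm"
    return 1
}

# preflight FQDN IP [HOSTS] [KRB5_CONF] [SMB_CONF]
# Runs all three checks, prints a summary and returns non-zero if any failed.
preflight() {
    fqdn=$1 ip=$2
    hosts=${3:-/etc/hosts} krb5=${4:-/etc/krb5.conf} smb=${5:-/usr/local/samba/etc/smb.conf}
    rc=0
    if hosts_check "$hosts" "$fqdn" "$ip"; then
        echo "ok: $fqdn -> $ip in $hosts"
    else
        echo "FAIL: $fqdn must map to $ip (and nothing else) in $hosts"; rc=1
    fi
    echo "krb5: commented out $(krb5_fix_includedir "$krb5") includedir line(s) in $krb5"
    stale_smbconf_check "$smb" || { echo "FAIL: remove $smb and let provision generate it"; rc=1; }
    return $rc
}

# Usage on the DC from this tutorial (live files, default paths):
#   preflight samba4.sunil.cc 192.168.1.190
```

Run it as root before provisioning; a failing preflight means one of the errors shown on this page is about to happen.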

Run the domain provisioning again; this time it completes without errors.

  [[email protected] etc]# samba-tool domain provision --use-rfc2307 --interactive
Realm [SUNIL.CC]:
 Domain [SUNIL]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [4.2.2.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=sunil,DC=cc
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=sunil,DC=cc
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              samba4
NetBIOS Domain:        SUNIL
DNS Domain:            sunil.cc
DOMAIN SID:            S-1-5-21-2936486394-2075362935-551615353

[[email protected] etc]#
  

Copy the generated Kerberos configuration (/usr/local/samba/private/krb5.conf) over /etc/krb5.conf so that kinit and klist on the DC use the new realm, then make sure the ports a domain controller needs are open in the firewall. The 1024-5000/tcp range covers the dynamic RPC ports this Samba release allocates (its default range starts at 1024); Samba 4.7 and later default to 49152-65535, so open that range instead on newer versions.

[[email protected] etc]#firewall-cmd --add-port=53/tcp --permanent;firewall-cmd --add-port=53/udp --permanent;firewall-cmd --add-port=88/tcp --permanent;firewall-cmd --add-port=88/udp --permanent; \
firewall-cmd --add-port=135/tcp --permanent;firewall-cmd --add-port=137-138/udp --permanent;firewall-cmd --add-port=139/tcp --permanent; \
firewall-cmd --add-port=389/tcp --permanent;firewall-cmd --add-port=389/udp --permanent;firewall-cmd --add-port=445/tcp --permanent; \
firewall-cmd --add-port=464/tcp --permanent;firewall-cmd --add-port=464/udp --permanent;firewall-cmd --add-port=636/tcp --permanent; \
firewall-cmd --add-port=1024-5000/tcp --permanent;firewall-cmd --add-port=3268-3269/tcp --permanent
[[email protected] ~]# firewall-cmd --reload
  

Create a systemd unit so that Samba starts at boot. The PID file path below matches the default --prefix of /usr/local/samba.

[[email protected] ~]# cat /etc/systemd/system/samba.service
[Unit]
Description= Samba 4 Active Directory
After=syslog.target
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/samba/var/run/samba.pid
ExecStart=/usr/local/samba/sbin/samba

[Install]
WantedBy=multi-user.target
[[email protected] ~]#

[[email protected] ~]# systemctl enable samba
Created symlink from /etc/systemd/system/multi-user.target.wants/samba.service to /etc/systemd/system/samba.service.
[[email protected] ~]# systemctl start samba
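If systemctl start samba times out, or the journal shows "Failed to bind to 0.0.0.0:53 TCP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED" (both are reported in the comments below), another process already owns a port the DC needs, usually dnsmasq or named on port 53. The script below is an added example, not part of the original tutorial: it reads the output of ss -Hlnptu and reports every listener on a DC port that does not belong to a Samba daemon. The embedded sample output is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): find processes that hold
# ports the Samba AD DC must bind. Feed it `ss -Hlnptu` (listening TCP/UDP
# sockets, numeric, no header, with owning process) on the DC.

# Ports an AD DC listens on: DNS, Kerberos, RPC endpoint mapper, NetBIOS,
# LDAP, SMB, kpasswd, LDAPS, global catalog. Dynamic RPC ports are not
# checked here because their range depends on the Samba version.
DC_PORTS="53 88 135 137 138 139 389 445 464 636 3268 3269"

# dc_port_conflicts: reads ss output on stdin, prints one line per socket on
# a DC port whose owner is not a Samba daemon, returns 1 if any were found.
dc_port_conflicts() {
    awk -v ports="$DC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            # field 5 is Local Address:Port, e.g. 0.0.0.0:53, [::]:445 or *:88
            port = $5
            sub(/.*:/, "", port)
            if (!(port in want)) next
            owner = "unknown"
            # the process name sits in users:(("name",pid=N,fd=M))
            if (match($0, /users:\(\("[^"]+"/))
                owner = substr($0, RSTART + 9, RLENGTH - 10)
            if (owner ~ /^(samba|smbd|nmbd|winbindd)$/) next
            printf "%s/%s is held by %s\n", port, $1, owner
            found = 1
        }
        END { if (found) exit 1; exit 0 }'
}

# Constructed sample of `ss -Hlnptu` output: dnsmasq holds port 53 while
# Samba already listens on 389 and 445.
SAMPLE_SS='tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*   users:(("sshd",pid=901,fd=3))
udp   UNCONN 0      0      127.0.0.1:53    0.0.0.0:*   users:(("dnsmasq",pid=1234,fd=5))
tcp   LISTEN 0      5      127.0.0.1:53    0.0.0.0:*   users:(("dnsmasq",pid=1234,fd=6))
tcp   LISTEN 0      128    0.0.0.0:389     0.0.0.0:*   users:(("samba",pid=2000,fd=40))
tcp   LISTEN 0      128    [::]:445        [::]:*      users:(("smbd",pid=2010,fd=30))'

# On the DC itself:
#   ss -Hlnptu | dc_port_conflicts || echo "stop the listed services before starting samba"
```

Against the sample it reports both dnsmasq sockets on port 53 and nothing else. On a real host, stop or reconfigure the offending service (for dnsmasq started by NetworkManager, disable its dns plugin) before starting samba again.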
  

Adding the Windows host to the domain

192.168.1.191 remote management win 10

Make sure the host has a static IP address and that its DNS server is the Samba DC (192.168.1.190). Domain join and logon locate the DC through the _ldap._tcp.dc._msdcs.sunil.cc SRV record, which only the DC's own DNS serves; a client pointed at any other resolver fails with "The DNS name does not exist" (RCODE_NAME_ERROR), exactly the error reported in the comments below.

Windows host with static IP

Add the host to the domain (System Properties -> Computer Name -> Change, domain sunil.cc, authenticating as Administrator when prompted) and reboot.

To manage Samba 4 from Windows, we need the Microsoft Remote Server Administration Tools (RSAT) installed.

The Samba wiki page has the download links: https://wiki.samba.org/index.php/Installing_RSAT

Installing RSAT tool in Windows 10

Run the installer and reboot.

After the reboot, open Run and type dsa.msc to start Active Directory Users and Computers.

Right-click the sunil.cc domain (or its Users container) and choose New -> User.

Creating a test user.

Client authentication with Samba 4 on CentOS 7

192.168.1.22 - client Authentication on CentOS 7

Installation of packages:

[[email protected] ~]# yum -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common

Check that the client can discover the domain:

   [[email protected] ~]# realm discover SUNIL.CC
sunil.cc
  type: kerberos
  realm-name: SUNIL.CC
  domain-name: sunil.cc
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
[[email protected] ~]#
   

Join the domain. realm join prompts for the Administrator password by default; in a real deployment use -U to join with a dedicated account that has only been delegated the right to create computer objects, so the domain admin password is never typed on clients.

[[email protected] ~]#  realm join SUNIL.CC
Password for Administrator:
[[email protected] ~]#

Check that the test user created on the Windows client can be looked up from Samba 4.

[[email protected] ~]# id SUNIL\\testuser
uid=1570001104(testuser@sunil.cc) gid=1570000513(domain users@sunil.cc) groups=1570000513(domain users@sunil.cc)
[[email protected] ~]#

realm join has written /etc/sssd/sssd.conf; review it.

[[email protected] ~]# cat /etc/sssd/sssd.conf

[sssd]
domains = sunil.cc
config_file_version = 2
services = nss, pam

[domain/sunil.cc]
ad_domain = sunil.cc
krb5_realm = SUNIL.CC
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
[[email protected] ~]#

Restart sssd.

[[email protected] ~]# systemctl restart sssd
[[email protected] ~]# systemctl enable sssd

Check the user.

[[email protected] ~]# id sambauser@sunil.cc
uid=1570001105(sambauser@sunil.cc) gid=1570000513(domain users@sunil.cc) groups=1570000513(domain users@sunil.cc),1570000512(domain admins@sunil.cc),1570000572(denied rodc password replication group@sunil.cc)
[[email protected] ~]#

To resolve domain users without the @sunil.cc suffix, set use_fully_qualified_names to False. Do this only on clients in a single domain and where local account names cannot collide with domain names: nsswitch consults the local passwd file before sssd, so a local "sambauser" would silently shadow the domain one.

[[email protected] ~]# vim /etc/sssd/sssd.conf
-----------
------------
use_fully_qualified_names = False
-----------
-----------

Restart sssd and check the id command.

[[email protected] ~]# systemctl restart sssd
[[email protected] ~]# id sambauser
uid=1570001105(sambauser) gid=1570000513(domain users) groups=1570000513(domain users),1570000512(domain admins),1570000572(denied rodc password replication group)
[[email protected] ~]#

Client authentication with Samba 4 on CentOS 6

192.168.1.192 - client Authentication on CentOS 6.

Installation of packages.

   [[email protected] db]#  yum install pam pam_ldap pam_krb5 sssd sssd-ldap sssd-common authconfig oddjob oddjob-mkhomedir openldap openldap-clients krb5-workstation adcli -y
   

Configure Kerberos to use the Samba DC as KDC.

   [[email protected] db]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SUNIL.CC
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 SUNIL.CC = {
  kdc = samba4.sunil.cc
  admin_server = samba4.sunil.cc
 }

[domain_realm]
 .sunil.cc = SUNIL.CC
 sunil.cc = SUNIL.CC
[[email protected] db]#

   

We will use the adcli command to join the domain. First check that the DC is discoverable.

   [[email protected] db]# adcli info sunil.cc
[domain]
domain-name = sunil.cc
domain-short = SUNIL
domain-forest = sunil.cc
domain-controller = samba4.sunil.cc
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret
domain-controller-usable = yes
domain-controllers = samba4.sunil.cc
[computer]
computer-site = Default-First-Site-Name
[[email protected] db]#
[[email protected] db]# adcli join sunil.cc
Password for Administrator@SUNIL.CC:
[[email protected] db]#
   

adcli join does not obtain a user ticket; it writes the host's Kerberos keys to /etc/krb5.keytab. Check that the keytab was created and lists the computer account's principals (klist -ke reads the keytab, not the ticket cache).

   [[email protected] db]# klist -ke
   

Configure authentication to use sssd and to create home directories on first login.

   [[email protected] db]# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
   

Now modify the sssd configuration. Unlike the CentOS 7 client, this file sets no access_provider, so sssd's default (permit) applies and every enabled domain account may log in to this host; add access_provider = ad (or the simple provider with simple_allow_groups) before exposing it to the domain.

   [[email protected] db]# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = sunil.cc

[domain/sunil.cc]
id_provider = ad
# Uncomment if DNS-based service discovery is not working
# ad_server = samba4.sunil.cc
default_shell = /bin/bash
fallback_homedir = /home/%u
[[email protected] db]#
   

Enable and restart the sssd service.

   [[email protected] db]# chkconfig sssd on
[[email protected] db]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[[email protected] db]#
   

Validate a user lookup.

   [[email protected] db]# id sambauser
uid=1570001105(sambauser) gid=1570000513(domain users) groups=1570000513(domain users),1570000512(domain admins),1570000572(denied rodc password replication group)
[[email protected] db]#
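The two helpers below are an added example, not code from the tutorial, sssd or realmd. They apply to both client configurations above: the CentOS 7 file sets access_provider = ad, the CentOS 6 file sets nothing, and sssd's default access provider is permit, so every enabled domain account can log in to the CentOS 6 host. render_sssd_conf prints a client configuration that additionally limits logins to one AD group through ad_access_filter (the group DN cn=linux-admins,ou=groups,dc=sunil,dc=cc is assumed; create the group in dsa.msc), and sssd_audit flags domain sections that lack access control. The embedded copy of the CentOS 6 configuration is constructed from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial). sssd's access_provider
# defaults to "permit": a [domain/...] section without it lets every enabled
# account in the domain log in to the client. render_sssd_conf emits a client
# configuration that restricts logins to one AD group; sssd_audit reports
# domain sections that lack access control. The group DN is an assumption.

# render_sssd_conf DOMAIN REALM GROUP_DN
# ad_access_filter is an LDAP filter evaluated against the user's object on
# the DC, so group membership is expressed through the group's full DN.
render_sssd_conf() {
    domain=$1 realm=$2 group_dn=$3
    cat <<EOF
[sssd]
domains = ${domain}
config_file_version = 2
services = nss, pam

[domain/${domain}]
id_provider = ad
ad_domain = ${domain}
krb5_realm = ${realm}
ldap_id_mapping = True
cache_credentials = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
access_provider = ad
ad_access_filter = (memberOf=${group_dn})
EOF
}

# sssd_audit: reads an sssd.conf on stdin, prints one line per [domain/...]
# section and returns 1 if any of them has no access_provider.
sssd_audit() {
    awk '
        function flush() {
            if (dom == "") return
            if (ap != "") print dom ": access_provider=" ap
            else { print dom ": NO access_provider (defaults to permit)"; bad = 1 }
        }
        /^\[domain\// { flush(); dom = $0; ap = ""; next }
        /^\[/         { flush(); dom = ""; next }
        dom != "" && /^[ \t]*access_provider[ \t]*=/ { ap = $0; sub(/.*=[ \t]*/, "", ap) }
        END { flush(); if (bad) exit 1; exit 0 }'
}

# Constructed copy of the CentOS 6 client configuration from this page,
# which has no access_provider.
WEAK_CONF='[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = sunil.cc

[domain/sunil.cc]
id_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%u'

# Usage on a client (the DN is assumed; adjust it to the group you created):
#   render_sssd_conf sunil.cc SUNIL.CC "cn=linux-admins,ou=groups,dc=sunil,dc=cc" > /etc/sssd/sssd.conf
#   chmod 600 /etc/sssd/sssd.conf && systemctl restart sssd
#   sssd_audit < /etc/sssd/sssd.conf
```

sssd refuses to start if sssd.conf is readable by others, hence the chmod. With the filter in place, id still resolves every domain user (identity lookups are unaffected) but PAM rejects logins from accounts outside the group.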
   
Comments

By: Maciej

For the love of everything, people writing tutorials, stop telling users to disable SELinux. It's very bad practice, no excuses!

By: iron_michael86

Agreed, Maciej. Point noted, I will have it enabled in the next tutorial.

By: Bishopolis

There are two types of people on the planet.  The first type works at Redhat.  The second type isn't paid to figure out why rsyslog rotation has been failing on a selinux problem because it can't write a temp file.  Don't get me wrong:  I've watched selinux evolve from nothing to the hindrance it is now, and I've been rooting for it every step of the way.  Every new RHL (now RHEL) distro that drops, I install an apache server and try to serve a simple page.  When it can't even start the service because of some bug not caught during testing by RH itself, I know the venn diagram of the two groups above has overlap.  And I uninstall my test server and I disable selinux.

By: Bradipo

Well. Nice job on doing a tutorial, but I fail to understand why Samba is compiled from source since packages are available in CentOS 7.

Furthermore, why does SELinux get disabled if it is very, very easy to find the information on how to add rules and change booleans to allow Samba to act as a DC?

I strongly suggest the writer of the article actually goes and RTFM.

Central authentication, and we haphazardly turn off a system that does really well at protecting against breaches on the main server that does authentication for a whole network.

Makes me wonder where botnets come from.

By: iron_michael86

Bradipo,

The Samba 4 RPMs on Fedora/Red Hat/CentOS do not support AD DC mode.

Samba 4 for Ubuntu doesn't support CTDB (cluster config).

Sernet Enterprise supplies RPMs for CentOS 7, but you will need to pay for them.

Hence that is the reason I compiled it from source. SELinux: I agree that I should have it enforced. When I was preparing this document SELinux was disabled on my system, but when you set up the environment, please have it enabled.

Let me know how your setup goes; in case you still face any issue I will help you resolve it.

Cheers

By: django

Do you need Windows Pro, or is a Windows Home machine able to join the domain as well?

By: iron_michael86

The Windows Home edition doesn't support domain joining, I think.

By: joda666

Yes you need Pro, Enterprise or Education versions of Windows to connect the computer to a domain.

By: Abhay

Hi There,

I have installed CentOS 7 on VM Player and am trying to configure Samba4 AD, but I am stuck with the below.

When I ran samba-tool as shown in the article, I got the error below. Could you please help here?

[[email protected] bin]# samba-tool domain provision --use-rfc2307 --interactive
-bash: samba-tool: command not found
[[email protected] bin]# ./samba-tool domain provision --use-rfc2307 --interactive
Traceback (most recent call last):
  File "./samba-tool", line 33, in <module>
    from samba.netcmd.main import cmd_sambatool
ImportError: No module named samba.netcmd.main

By: pharms

I had the same problem, fixed it by adding the Samba path to my PATH:

# export PATH=$PATH:/usr/local/samba/bin

and, towards the bottom of /etc/profile:

pathmunge /usr/local/samba/bin after

By: pharms

Have followed the article step-by-step and have a functioning DC and connected Windows 10 client - thanks for the excellent instructions!

Is there any chance that you could add a section on setting up home and group shares? This is the next step in completing the process, but seems to be more difficult to accomplish than it should be - at least compared with a non-DC samba environment.

By: Hasan

"samba-tool: command not found......"

How do I solve it? Please help me!

By: OliKaa

Hello Hasan, you can use samba-tool with the full path:

/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive

Greetz!

By: Narsimha

Hi Michael,

Excellent article, and it is working fine for a single subnet, but when I am trying to work on multiple subnets the Windows systems are not able to contact the PDC server.

My testing network is 192.168.1.0/24 and the working environment is 192.168.2.0/24 and 192.168.4.0/24.

I am able to connect to the machine in the 192.168.1.0/24 network, but I am unable to connect from 192.168.2.0 and 192.168.4.0.

How to resolve this? Can anyone help me?

By: baw

Hello, I had an error when I filled in the prompts, please help..

ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: guess_names: 'realm=CENTONG7.ID' in /usr/local/samba/etc/smb.conf must match chosen realm 'CENTONG.ID'!  Please remove the smb.conf file and let provision generate it
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2028, in provision
    sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS))
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 609, in guess_names
    raise ProvisioningError("guess_names: 'realm=%s' in %s must match chosen realm '%s'!  Please remove the smb.conf file and let provision generate it" % (lp.get("realm").upper(), lp.configfile, realm))

By: ganesh jat

When I compile the code (make && make install) and afterwards use this command:

samba-tool domain provision --use-rfc2307 --interactive

bash: samba-tool: command not found...

That is when I face this issue. Please reply as soon as possible...

This command does not work properly...

By: vicky

Is this only for Windows 10, or can I use it with Windows 7 as well?

By: mark

samba-tool domain provision --use-rfc2307 --interactive is showing: samba-tool: command not found

By: fercho

Hello, good tutorial, well explained.

But I get the following error on my Windows PC:

An error occurred when making a query to the DNS for the resource record
Service Location (SRV) used to locate a domain controller
for the her.local domain:

The error was: "The DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The request was for the SRV record for _ldap._tcp.dc._msdcs.her.local

The following are common causes of this error:

- The DNS SRV record is not registered in the DNS.

- One or more of the following zones does not include delegation to their child zones:

her.local
local
. (the root zone)

By: Mikhail

Hello. I had the same problem. What fixed it for me was terminating dnsmasq, which was taking control of the ports needed by Samba. Here is the link to the original post: https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End#Samba_DNS_Server_Does_Not_Start

By: Jorge

For me it was that the server had IPv6 enabled; it seems this Samba sample doesn't support it.

Disabling IPv6 on the server did the trick.

By: lu

No package samba45 available.
No package samba45-winbind-clients available.
No package samba45-winbind available.
No package samba45-clientsamba45-dc available.
No package samba45-pidl available.
No package samba45-python available.
No package samba45-winbind-krb5-locator available.
No package perl-Parse-Yappperl-Test-Base available.
Package python2-crypto-2.6.1-15.el7.x86_64 already installed and latest version
No package samba45-common-tools available.
Nothing to do

Can anyone help me?

Thanks

By: qgar

Hello. Finally I "successfully" run Samba4 AD on CentOS 7. Firstly I was struggling with an unavailable NIC (mobo with nVidia chipset, had to install kernel 4.4).

Why quotation marks around "successfully"? I added Win10 Pro to the domain, but logging in to ANY user account (local or domain) takes ages (5 minutes or so, or sometimes the login process even just breaks). When I shut down the Samba4 server or just disconnect the network cable (server or Win10 client) then the login process is much faster.

I can ping the Samba4 server from the Win10 client successfully with the short name or FQDN. I cannot ping the Win10 client from the Samba4 server. Pings to the direct IP address work fine.

I think the poor performance may be due to a problem with DNS and resolving names. I appended the Win10 IP and name to /etc/hosts and it's much faster now. But is it the way it should be done or is it just a workaround?

By: Arnab

Hi, I am getting the following error and I am unable to connect from the Windows system. One thing I have observed is that "samba-tool" and "samba" are not accessible from any path. I need to use the absolute path to access those tools. Can you shed some light on it?

May 19 14:14:49 server.entranscend samba[22733]: [2018/05/19 14:14:49.780921,  0] ../source4/smbd/service_stream.c:371(stream_setup_socket)
May 19 14:14:49 server.entranscend samba[22733]:   stream_setup_socket: Failed to listen on 0.0.0.0:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
May 19 14:14:49 server.entranscend samba[22733]: [2018/05/19 14:14:49.780980,  0] ../source4/dns_server/dns_server.c:649(dns_add_socket)
May 19 14:14:49 server.entranscend samba[22733]:   Failed to bind to 0.0.0.0:53 TCP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
May 19 14:14:49 server.entranscend winbindd[22736]: [2018/05/19 14:14:49.867996,  0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
May 19 14:14:49 server.entranscend winbindd[22736]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
May 19 14:14:49 server.entranscend winbindd[22736]: [2018/05/19 14:14:49.989064,  0] ../lib/util/become_daemon.c:138(daemon_ready)
May 19 14:14:49 server.entranscend winbindd[22736]:   daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
May 19 14:14:50 server.entranscend smbd[22723]: [2018/05/19 14:14:50.309530,  0] ../lib/util/become_daemon.c:138(daemon_ready)
May 19 14:14:50 server.entranscend smbd[22723]:   daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections

By: Kalyan

Job for samba.service failed because a timeout was exceeded. See "systemctl status samba.service" and "journalctl -xe" for details.

Please reply.

By: Joe Doran

Hi

In the latest versions there seems to be a bug in the configure code. Add the following to the end of the configure options.

--without-ldb-lmdb

i.e. for example: ./configure --enable-debug --with-ads --with-systemd --with-winbind --without-ldb-lmdb

It seems the parameters got a bit messed up when coded. The bug is still in there.

Cheers Joe.

By: Sam

I have followed the article step by step, but when I am trying to create a new user in Windows nothing pops up.

By: Manu

Can't sign in issue in Windows. After login, change domain client. Please help.