Samba4 active directory on centos 7
Samba is an open-source software suite that runs on Unix-based systems. Its main advantage is that it can communicate with Windows clients. Today we will see how to configure a Samba4 Active Directory on CentOS 7. Samba provides many services, mainly using CIFS (Common Internet File System). The services below are provided by Samba:
- File & print services (File Server and Print Server)
- Authentication and Authorization
- DNS (name resolution) etc.
To know more about samba follow this link.
Samba4 Active Directory Setup
This task is performed on CentOS 7, but you can use any RPM-based system.
Update the available repositories,
# yum update -y
Check the SELinux status:
# sestatus
# vi /etc/sysconfig/selinux
SELINUX=disabled
Reboot the system and check the SELinux status again.
# sestatus
Now set the hostname,
# hostnamectl set-hostname samba4ad.example.com
Install the epel repo,
# yum install epel-release -y
Install all the packages needed to compile samba4.
# yum install perl gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils libxslt docbook-style-xsl openldap-devel pam-devel bzip2 vim wget -y
Now download the samba4 package. I have used samba-4.8.9; you can download the latest version from the link.
# cd /
# wget https://download.samba.org/pub/samba/stable/samba-4.8.9.tar.gz
Now let’s install samba4.
# tar -zxvf samba-4.8.9.tar.gz
# cd samba-4.8.9
# ./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
# make && make install
The whole installation process will take time (around 15-20 minutes), depending on the system speed.
Now on the next step, we will do the domain provisioning.
# samba-tool domain provision --use-rfc2307 --interactive
You might get this error:
If you get such an error, try this one instead:
# /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
Output:
# /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
Realm [EXAMPLE.COM]: press enter
Domain [EXAMPLE]: press enter
Server Role (dc, member, standalone) [dc]: press enter
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: press enter
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.42.2]: press enter
Administrator password: enter password
Retype password: Repeat
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2820
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1787, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1447, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
    ldb.add_ldif(data, controls)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)
There will be some errors when we do the provisioning of the domain. To fix them, please comment out the below line in /etc/krb5.conf.
# vi /etc/krb5.conf
#includedir /etc/krb5.conf.d/
Run the domain provisioning again and now the domain will get created without errors.
# /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
Output:
# /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
Realm [EXAMPLE.COM]:
Domain [EXAMPLE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [10.100.1.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: samba4ad
NetBIOS Domain: EXAMPLE
DNS Domain: example.com
DOMAIN SID: S-1-5-21-3654876664-3143232209-2475194421
Make sure the ports are open in the firewall.
# firewall-cmd --add-port=53/tcp --permanent; firewall-cmd --add-port=53/udp --permanent; \
  firewall-cmd --add-port=88/tcp --permanent; firewall-cmd --add-port=88/udp --permanent; \
  firewall-cmd --add-port=135/tcp --permanent; firewall-cmd --add-port=137-138/udp --permanent; \
  firewall-cmd --add-port=139/tcp --permanent; \
  firewall-cmd --add-port=389/tcp --permanent; firewall-cmd --add-port=389/udp --permanent; \
  firewall-cmd --add-port=445/tcp --permanent; \
  firewall-cmd --add-port=464/tcp --permanent; firewall-cmd --add-port=464/udp --permanent; \
  firewall-cmd --add-port=636/tcp --permanent; \
  firewall-cmd --add-port=1024-5000/tcp --permanent; firewall-cmd --add-port=3268-3269/tcp --permanent
Reload the firewall service:
# firewall-cmd --reload
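A check to run after the reload, as an added example that is not part of the original article: it compares a firewalld port list with the ports opened by the commands above and reports every difference. The function name audit_ports and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Ports opened by the firewall-cmd commands in this article.
EXPECTED_PORTS="53/tcp 53/udp 88/tcp 88/udp 135/tcp 137-138/udp 139/tcp \
389/tcp 389/udp 445/tcp 464/tcp 464/udp 636/tcp 1024-5000/tcp 3268-3269/tcp"

# Constructed sample: 464/udp was forgotten and 23/tcp is open by mistake.
SAMPLE_PORTS="53/tcp 53/udp 88/tcp 88/udp 135/tcp 137-138/udp 139/tcp
389/tcp 389/udp 445/tcp 464/tcp 636/tcp 1024-5000/tcp 3268-3269/tcp 23/tcp"

# audit_ports "<port list>"
# Prints "MISSING <port>" for each expected port that is not open and
# "EXTRA <port>" for each open port that the article does not call for.
# Returns 0 when both lists match, 1 otherwise.
audit_ports() {
    # Collapse newlines and repeated blanks into single spaces.
    actual=$(printf '%s ' $1)
    rc=0
    for p in $EXPECTED_PORTS; do
        case " $actual " in
            *" $p "*) ;;
            *) echo "MISSING $p"; rc=1 ;;
        esac
    done
    for p in $actual; do
        case " $EXPECTED_PORTS " in
            *" $p "*) ;;
            *) echo "EXTRA $p"; rc=1 ;;
        esac
    done
    return $rc
}

# On the server, after the reload:
#   audit_ports "$(firewall-cmd --list-ports)"
```

An EXTRA line is the one to look at first on a domain controller, since it is a port reachable from the network that this setup does not need.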
Create a startup script to autostart the service during reboot.
# cat /etc/systemd/system/samba.service
You might get this error:
cat: /etc/systemd/system/samba.service: No such file or directory
Then you may have to add it manually.
# vi /etc/systemd/system/samba.service
[Unit]
Description=Samba 4 Active Directory
After=syslog.target
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/samba/var/run/samba.pid
ExecStart=/usr/local/samba/sbin/samba

[Install]
WantedBy=multi-user.target
Now start and enable samba service,
# systemctl enable samba
# systemctl start samba
Now add the Windows host to the domain
Make sure the host is on the same network and has the DNS IP as the samba4 server’s IP.
Now join the system into the domain,
To manage Samba4 from Windows, we need to have the Microsoft Remote Server Administration Tools (RSAT) installed.
Download link
After the installation is complete, reboot the system. After the reboot, open Run and type dsa.msc.
Now click on the domain tab and create a new user. This way you can manage samba4 active directory from a windows client.
Conclusion:
So, guys, in this article I have used CentOS 7 to configure Active Directory using Samba 4. I have tried my best to simplify the installation part and the client part of joining the domain, so that you can have a better understanding and user experience. Now it’s your turn to pay me back.
Now I am expecting your responses. Whether you like this content or dislike it, just leave a comment. Your responses will motivate me to do better and deliver better. I will try my best to enrich my skills.
So thank you guys, have a good day.
primarytech.com
Excellent post. I used to be searching for different things completely,
but stumbled on your site. I am pleased I did.
Thank you for sharing
useful information. Many thanks and all the best.
Tonny Gidraph
Awesome guide – especially the error issues parts.
To those who come across problems with the packages and dependencies to compile Samba, use the dependencies installation scripts available on Samba website.
Tcm
After installation, when I try to use samba-tool it says bash: samba-tool: command not found. Do you know by any chance why this is happening?