Install Samba 4.7.6 AD DC – Ubuntu 18.04 – Bind 9.11 DNS – Backend AD RFC2307

Prerequisites

  • Samba 4.7.6
  • Ubuntu 18.04
  • Bind 9.11
Set your IP address

# sudo nano /etc/netplan/50-cloud-init.yaml
--start--
network:
    ethernets:
        ens18:
            addresses:
            - 10.10.10.10/24
            dhcp4: false
            gateway4: 10.10.10.254
            nameservers:
                addresses:
                - 8.8.8.8
                search: []
    version: 2
--end--

If you get a locale error such as:
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
locale: Cannot set LC_ALL to default locale: No such file or directory

try this:
# sudo su
# export LANGUAGE="en_US.UTF-8"
# echo 'LANGUAGE="en_US.UTF-8"' >> /etc/default/locale
# echo 'LC_ALL="en_US.UTF-8"' >> /etc/default/locale
# reboot


Refresh the package lists
# sudo apt-get update

Install the latest updates
# sudo apt-get upgrade

Install Bind9

# sudo apt-get install bind9 bind9utils

Optional: download the DNS root servers list
# cd /etc/bind

Download the latest list of the DNS root servers to the /etc/bind/db.root file:
#  sudo wget -q -O /etc/bind/db.root https://www.internic.net/zones/named.root

Enable the BIND user to read the root servers list:
# sudo chown bind:bind /etc/bind/db.root
# sudo chmod 640 /etc/bind/db.root

Optionally, set up a Cron job to automatically update the file.

Install Samba, Kerberos, winbind, smbclient

# sudo apt -y install samba krb5-config winbind smbclient

The krb5-config package prompts for the Kerberos settings during installation. Set the realm (upper case):
Default Kerberos version 5 realm: DC.COM

Specify the hostname of the DC:
Kerberos servers for your realm: addc.dc.com

Specify the hostname of the DC again:
Administrative server for your Kerberos realm: addc.dc.com

Configure Samba AD DC

Rename or remove the default config
# sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial

Setting up RFC2307 and NIS Extensions in a Samba AD
# sudo samba-tool domain provision --use-rfc2307 --interactive
--start--
Realm: DC.COM
Domain [DC]: DC
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ

A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf

Once the above files are installed, your Samba AD server will be ready to use

Server Role:           active directory domain controller
Hostname:              addc
NetBIOS Domain:        DC
DNS Domain:            dc.com
DOMAIN SID:            S-1-5-21-1314142769-2543882361-2372172498
--end--

Copy the generated krb5.conf into place
# sudo cp /var/lib/samba/private/krb5.conf /etc/

Stop and disable the standalone Samba daemons and systemd-resolved (an AD DC runs samba-ad-dc instead of smbd/nmbd/winbind); /etc/resolv.conf is made static below.
# sudo systemctl stop smbd nmbd winbind systemd-resolved
# sudo systemctl disable smbd nmbd winbind systemd-resolved

Unmask the samba-ad-dc unit (the Ubuntu package ships it masked; unmasking removes the /etc/systemd/system/samba-ad-dc.service link to /dev/null).
# sudo systemctl unmask samba-ad-dc

Set Hosts
# sudo nano /etc/hosts
--start--
127.0.0.1       localhost.localdomain localhost
10.10.10.10     addc.dc.com addc
--end--

Remove the resolv.conf symlink and create a new static file
# sudo ls -l /etc/resolv.conf
--start--
lrwxrwxrwx 1 root root 39 Jul 25 22:59 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
--end--
# sudo rm /etc/resolv.conf
# sudo nano /etc/resolv.conf

Replace the domain name with the one used in your own environment
--start--
domain dc.com
nameserver 127.0.0.1
--end--

Start & enable samba-ad-dc
# systemctl start samba-ad-dc
# systemctl enable samba-ad-dc

Configure Samba AD DC and Bind9_DLZ

There are two ways to run the DNS server:
- as a caching DNS server
- as a forwarding DNS server
In my case I will use a caching DNS server: only hundreds of users and a low workload.
BIND9_DLZ must be installed on the same host as the AD DC, not on a separate server, because the DLZ plugin and the AD DC access the directory database directly.

Configure the BIND9_DLZ back end as a Caching DNS Server
# sudo nano /etc/bind/named.conf
Delete all and use these!
--start--
 include "/etc/bind/named.conf.options";
 include "/etc/bind/named.conf.local";
 include "/etc/bind/named.conf.default-zones";
 include "/var/lib/samba/private/named.conf";
--end--

Edit /etc/bind/named.conf.options
# sudo nano /etc/bind/named.conf.options
Delete all and use these!
--start--
options {
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;

        # Adding this Samba-generated keytab allows automatic DDNS updates
        # (dynamic DNS updates authenticated with Kerberos)
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

        # IP addresses and network ranges allowed to query the DNS server
        # (clients from other segments):
        allow-query {
                10.10.20.0/24;
                10.10.30.0/24;
                localhost;
        };

        # IP addresses and network ranges allowed to run recursive queries
        # (for zones not served by this DNS server):
        allow-recursion {
                10.10.20.0/24;
                10.10.30.0/24;
                localhost;
        };

        # Forward queries that cannot be answered from our own zones
        # to these DNS servers:
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        # Disable zone transfers
        allow-transfer {
                none;
        };

        dnssec-validation auto;

        # With auth-nxdomain 'yes' the server answers NXDOMAIN (domain does
        # not exist) authoritatively (AA bit set); with 'no' (the default) it
        # does not. 'no' conforms to RFC 1035.
        auth-nxdomain no;

        listen-on-v6 { any; };
};
--end--
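As an added example (not part of the original guide), a small Python check that parses a named.conf.options file and flags the ACLs that would turn the DC into an open resolver or expose the AD zones to zone transfers. Both embedded option blocks are constructed: one deliberately weak, one matching the ACLs used above.

```python
import re

# Constructed sample: the same options as this guide but with the ACLs
# deliberately left wide open (the "weak" variant).
WEAK_OPTIONS = """
options {
        directory "/var/cache/bind";
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        allow-query { any; };          // anyone may query
        allow-recursion { any; };      // open resolver
        forwarders { 8.8.8.8; 8.8.4.4; };
};
"""

# Constructed sample matching the hardened ACLs used in this guide.
HARDENED_OPTIONS = """
options {
        directory "/var/cache/bind";
        allow-query { 10.10.20.0/24; 10.10.30.0/24; localhost; };
        allow-recursion { 10.10.20.0/24; 10.10.30.0/24; localhost; };
        allow-transfer { none; };      # no AXFR of the AD zones
};
"""

def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def acl(text, name):
    """Return the address-match list of option `name`, or None if it is not set."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), strip_comments(text))
    if m is None:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]

def audit(text):
    """List the ACL weaknesses a DC's named.conf.options should not have."""
    findings = []
    # allow-query defaults to 'any' when unset, so a missing option is also open
    if "any" in (acl(text, "allow-query") or ["any"]):
        findings.append("allow-query: everyone may query; restrict to client subnets")
    if "any" in (acl(text, "allow-recursion") or []):
        findings.append("allow-recursion: 'any' makes the DC an open resolver")
    # allow-transfer defaults to 'any' for authoritative zones when unset
    if acl(text, "allow-transfer") != ["none"]:
        findings.append("allow-transfer: not 'none', so the AD zones can be copied with AXFR")
    return findings
```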

Edit /etc/bind/named.conf.local
Add zone for Samba ADDC
# sudo nano /etc/bind/named.conf.local

Delete all and use these
--start--
// 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
type master;
file "/etc/bind/db.0.0.127";
};
--end--

Check /etc/bind/named.conf.default-zones
It is already the default; no need to change it
# sudo nano /etc/bind/named.conf.default-zones
--start--
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
--end--

Creating the localhost zone files referenced by /etc/bind/named.conf.default-zones and /etc/bind/named.conf.local
# cd /etc/bind

Create the localhost forward zone in the /etc/bind/db.local file:
# sudo nano /etc/bind/db.local
--start--
$TTL 3D
$ORIGIN localhost.
@       1D      IN      SOA     @       root (
                        20190107        ; serial
                        8H              ; refresh
                        2H              ; retry
                        4W              ; expiry
                        1D              ; minimum
                        )
@       IN      NS      @
        IN      A       127.0.0.1
--end--

Enable the BIND user to read the zone file:
# sudo chown bind:bind /etc/bind/db.local
# sudo chmod 640 /etc/bind/db.local

Create the 0.0.127.in-addr.arpa reverse zone in the /etc/bind/db.0.0.127 file:
# sudo nano /etc/bind/db.0.0.127
--start--
$TTL 3D
@       IN      SOA     localhost. root.localhost. (
                        20190107        ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D              ; Minimum TTL
                        )
        IN      NS      localhost.
1       IN      PTR     localhost.
--end--

Enable the BIND user to read the zone file:
# sudo chown bind:bind /etc/bind/db.0.0.127
# sudo chmod 640 /etc/bind/db.0.0.127

Configuring the BIND9_DLZ Module

The BIND9_DLZ module is a BIND9 plugin that accesses the Samba Active Directory (AD) database directly for registered zones. For this reason:
- BIND must be installed on the same machine as the Samba AD domain controller (DC).
- BIND must not run in a changed root environment.
- Zones are stored and replicated within the directory.

Display the BIND version:
# named -v
--start--
 BIND 9.11.3-1ubuntu1.2-Ubuntu (Extended Support Version) 
--end--

Edit /var/lib/samba/private/named.conf
# sudo nano /var/lib/samba/private/named.conf
--start--
dlz "AD DNS Zone" {
    # For BIND 9.11.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
--end--

Change the permissions on the private dns.keytab so that it is readable by the bind group (it holds the Kerberos key BIND uses for DDNS updates, so do not make it world-readable).

# sudo chgrp bind /var/lib/samba/private/dns.keytab
# sudo chmod g+r /var/lib/samba/private/dns.keytab

Add AppArmor rules to the end of /etc/apparmor.d/usr.sbin.named, inside the profile's braces
# sudo nano /etc/apparmor.d/usr.sbin.named
--start--
  /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
  /usr/lib/x86_64-linux-gnu/samba/** rwmk,
  /var/lib/samba/private/dns/** rwmk,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns.keytab r,
  /var/tmp/* rw,
  /dev/urandom rw,
--end--

The local override file carries the rules for a source installation under /usr/local/samba (the first line is a comment and needs the leading #):
# sudo nano /etc/apparmor.d/local/usr.sbin.named
--start--
  # Samba4 DLZ and Active Directory Zones (default source installation)
  /usr/local/samba/lib/** rm,
  /usr/local/samba/private/dns.keytab r,
  /usr/local/samba/private/named.conf r,
  /usr/local/samba/private/dns/** rwk,
--end--

Reboot
# sudo reboot

Testing

# sudo samba-tool domain level show
--start--
Domain and forest function level for domain 'DC=bc,DC=com'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
--end--

# smbclient -L localhost -U%
--start--
Sharename       Type      Comment
---------       ----      -------
netlogon        Disk
sysvol          Disk
IPC$            IPC       IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.

Server               Comment
---------            -------

Workgroup            Master
---------            -------
WORKGROUP            ADDC
--end--

# smbclient //localhost/netlogon -UAdministrator -c 'ls'
--start--
 Enter BC\Administrator's password: 
   .                                   D        0  Fri Oct 26 04:11:28 2018
   ..                                  D        0  Fri Oct 26 04:11:37 2018
         10252564 blocks of size 1024. 5360728 blocks available
--end--

# host -t SRV _ldap._tcp.dc.com.
--start--
 _ldap._tcp.dc.com has SRV record 0 100 389 addc.dc.com.
--end--

# host -t SRV _kerberos._udp.dc.com.
--start--
 _kerberos._udp.dc.com has SRV record 0 100 88 addc.dc.com.
--end--

# host -t A addc.dc.com.
--start--
 addc.bc.com has address 10.10.10.10
--end--

# samba-tool dns query addc dc.com @ ALL -U administrator%#password#
--start--
 Name=, Records=3, Children=0
     SOA: serial=37, refresh=900, retry=600, expire=86400, minttl=3600, ns=addc.dc.com., email=hostmaster.dc.com. (flags=600000f0, serial=37, ttl=3600)
     NS: addc.dc.com. (flags=600000f0, serial=1, ttl=900)
     A: 10.10.10.10 (flags=600000f0, serial=1, ttl=900)
   Name=_msdcs, Records=0, Children=0
   Name=_sites, Records=0, Children=1
   Name=_tcp, Records=0, Children=4
   Name=_udp, Records=0, Children=2
   Name=addc, Records=1, Children=0
     A: 10.10.10.10 (flags=f0, serial=1, ttl=900)
   Name=DomainDnsZones, Records=0, Children=2
   Name=ForestDnsZones, Records=0, Children=2
--end--

Lookup from another PC
# nslookup
--start--
> server 10.10.10.10
Default server: 10.10.10.10
Address: 10.10.10.10#53
> set type=SRV
> _ldap._tcp.dc.com
Server:        10.10.10.10
Address:       10.10.10.10#53
_ldap._tcp.dc.com    service = 0 100 389 addc.dc.com.
>
--end--

Now verify the current Samba settings by running the command below.
# testparm
or, for the full parameter list,
# samba-tool testparm -v

You may see this warning:
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
In order to make the necessary change permanent, I entered the following line in /etc/security/limits.conf:
# sudo nano /etc/security/limits.conf
* - nofile 16384
# sudo reboot

Check again
# testparm
The warning previously given by testparm is now gone.

Check config:
# named-checkconf

Check Bind logs:
# tail -f /var/log/syslog

Start the BIND service
# sudo service bind9 start
# sudo service bind9 status

Start the Samba service
# sudo service samba-ad-dc start

Optional: adding a UPN suffix (for example @anotherdomain.com) to Active Directory

- Select Active Directory Domains and Trusts from the Tools menu 
- In the Active Directory Domains and Trusts management console, right-click Active Directory Domains and Trusts in the left pane and select Properties from the menu.
- In the dialog box on the UPN Suffixes tab, type the name of the suffix that you would like to add to your AD forest in the Alternate UPN suffixes box. Click Add and then OK. 

Error: permission denied on /var/lib/samba/private/named.conf

Check the permissions:
ls -la /var/lib/samba/private/named.conf
-rw-r--r-- 1 root root 780 Oct 22 09:23 /var/lib/samba/private/named.conf
Change the owner to bind:bind
sudo chown bind:bind /var/lib/samba/private/named.conf
sudo chmod 640 /var/lib/samba/private/named.conf

Error: working directory '/' is not writable

Obtaining root key for view _default from '/etc/bind/bind.keys'
loading configuration: permission denied
Make sure the line `directory "/var/cache/bind";` in /etc/bind/named.conf.options is present and not commented out with #.

Basic User Management

# sudo su

Display domain users list
root@smb:~# samba-tool user list

Add a domain user
root@smb:~# samba-tool user create ubuntu

Delete a domain user
root@smb:~# samba-tool user delete ubuntu

Reset password for a user
root@smb:~# samba-tool user setpassword ubuntu

Set expiry for a user
root@smb:~# samba-tool user setexpiry ubuntu --days=7

Disable/Enable user account
root@smb:~# samba-tool user disable ubuntu

Display domain groups list
root@smb:~# samba-tool group list

Display members in a group
root@smb:~# samba-tool group listmembers "Domain Users"

Add a domain group
root@smb:~# samba-tool group add ServerWorld

Delete a domain group
root@smb:~# samba-tool group delete ServerWorld

Add a member to a domain group
root@smb:~# samba-tool group addmembers ServerWorld ubuntu

Remove a member from the group ServerWorld
root@smb:~# samba-tool group removemembers ServerWorld ubuntu

Change Domain User Password
# sudo smbpasswd -a username
[sudo] password for admin:
New SMB password:
Retype new SMB password:

Samba AD DC Port Usage

Service                                       Port          Protocol
DNS *                                         53            tcp/udp
Kerberos                                      88            tcp/udp
ntp **                                        123           udp
End Point Mapper (DCE/RPC Locator Service)    135           tcp
NetBIOS Name Service                          137           udp
NetBIOS Datagram                              138           udp
NetBIOS Session                               139           tcp
LDAP                                          389           tcp/udp
SMB over TCP                                  445           tcp
Kerberos kpasswd                              464           tcp/udp
LDAPS ***                                     636           tcp
Global Catalog                                3268          tcp
Global Catalog SSL ***                        3269          tcp
Dynamic RPC Ports ****                        49152-65535   tcp

About AD Password

To see GPO info on a Windows client:
gpresult /v

A Samba Active Directory domain can usually be fully configured without any issues using RSAT; the password policy seems to be one of the very few things where this does not work, or at least not in its entirety.

--complexity=COMPLEXITY
The password complexity (on | off | default). Default is 'on'.
# sudo samba-tool domain passwordsettings set --complexity=off

--history-length=HISTORY_LENGTH
The password history length (integer | default). Default is 24.
# sudo samba-tool domain passwordsettings set --history-length=0

--min-pwd-length=MIN_PWD_LENGTH
The minimum password length (integer | default). Default is 7.
# sudo samba-tool domain passwordsettings set --min-pwd-length=3

--min-pwd-age=MIN_PWD_AGE
The minimum password age in days (integer | default). Default is 1.
# sudo samba-tool domain passwordsettings set --min-pwd-age=0

--max-pwd-age=MAX_PWD_AGE
The maximum password age in days (integer | default). Default is 43.
# sudo samba-tool domain passwordsettings set --max-pwd-age=0
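As an added example (not part of the original guide), a Python audit that parses the output of `samba-tool domain passwordsettings show` and reports every value weaker than the Samba defaults quoted above; the embedded output is constructed in that command's format to reflect the settings the commands above produce.

```python
# Constructed sample in the format of `samba-tool domain passwordsettings show`,
# reflecting the weakened values set above (not captured from a real DC).
WEAKENED = """\
Password informations for domain 'DC=dc,DC=com'

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 3
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

# Baseline = the Samba defaults quoted in this guide. For the maximum age,
# 0 means "never expires", so anything outside 1..43 days is flagged.
BASELINE = {
    "Password complexity": ("eq", "on"),
    "Password history length": ("min", 24),
    "Minimum password length": ("min", 7),
    "Minimum password age (days)": ("min", 1),
    "Maximum password age (days)": ("range", (1, 43)),
}

def parse_settings(text):
    """Turn the 'Key: value' lines into a dict; numeric values become ints."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        settings[key] = int(value) if value.isdigit() else value
    return settings

def audit(text, baseline=BASELINE):
    """Return (setting, actual, expected) for every value weaker than the baseline."""
    settings = parse_settings(text)
    findings = []
    for key, (kind, want) in baseline.items():
        actual = settings.get(key)
        weak = (actual is None
                or (kind == "eq" and actual != want)
                or (kind == "min" and actual < want)
                or (kind == "range" and not want[0] <= actual <= want[1]))
        if weak:
            findings.append((key, actual, want))
    return findings
```

Feed it the real command output (`samba-tool domain passwordsettings show | python3 -c '...'`) to get an empty list only when the policy is back at the defaults or stronger.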

Restart samba
# sudo /etc/init.d/smbd restart

Or reboot server
# sudo reboot

Windows side
# gpupdate /force

Restarted Samba, did a gpupdate /force on the windows workstation, and it worked. No need to set up a GPO (although that would sometimes be preferable).

See here, https://wiki.samba.org
That’s it, hope it helps.
Terry
