Photo by Zachary Nelson on Unsplash

Samba domain controller in a heterogeneous environment

Shake a Leg

Article from ADMIN 72/2022
The open source Samba service can act as an Active Directory domain controller in a heterogeneous environment.

An Active Directory (AD) domain controller (DC) serves as a central logon server in heterogeneous networks with Windows, Linux, and macOS clients. This task does not necessarily have to be handled by a Windows server. The open source Samba service can also act as a DC.

Heterogeneous networks with servers and clients running both Linux and Windows need a central management server for the user directory and a standardized protocol for network shares. Windows systems naturally prefer Active Directory for this purpose, but the technologies it builds on for authentication and authorization, Kerberos and the Lightweight Directory Access Protocol (LDAP), are open standards with open source implementations. The obvious choice would therefore seem to be the open source FreeIPA directory server. However, FreeIPA mainly targets Linux systems and user and group management.

FreeIPA lacks some features needed to act as a DC that a Windows system provides over the Server Message Block (SMB) and Common Internet File System (CIFS) protocols. Version 4 of the well-known open source Samba file service, on the other hand, provides a complete DC implementation.

The Samba project has been around for some 30 years now. It started life as a free Unix client for DEC Pathworks, which was partly based on the technology of the IBM OS/2 LAN Server and Microsoft LAN Manager. In the 1990s and early 2000s, the open source project repeatedly fell foul of Microsoft. When Microsoft revised its "Linux is a cancer" (Steve Ballmer) stance to "Microsoft loves Linux" (Satya Nadella), the software giant's relationship to the open source project changed. Microsoft employees have been part of the Samba development team since 2011. Additionally, Microsoft has now openly documented the SMB protocol, which helps the Samba developers.

Since Windows Server 2003, a Samba server can become a member of an existing AD forest. However, this setup always required a Windows server as the domain controller. In version 4, Samba itself could assume the domain controller role. The implementation also supports mixed operation of Windows and Linux servers as DCs. Of course, users with an existing Windows server infrastructure will not want to swap their systems for Samba servers. Rather, the solution is recommended for environments that use Windows, macOS, and Linux on the client side but run their server services on Linux systems. In this scenario, a Samba server serves as a central directory service for Windows, macOS, and Linux systems, as well as a file server for all.

Installing Samba 4

A directory server hosts a whole range of services and protocols such as domain name system (DNS), Kerberos, and LDAP. Samba integrates all services to ensure they work together optimally in the Active Directory Service (ADS) DC. Other products such as FreeIPA, for example, are made up of various components such as MIT Kerberos, OpenLDAP, and Bind9. However, complete integration of the libraries into the Samba ADS package causes problems for various distributions.

The Fedora and Enterprise Linux (EL) distributions rely on MIT Kerberos and ship with its packages in place. ("EL" includes all Linux distributions that are clones of Red Hat Enterprise Linux, such as Alma or Rocky Linux and CentOS Stream.) Unfortunately, this approach still does not work correctly in ADS mode. A TechPreview build of the Samba server that includes MIT Kerberos is not currently considered stable. Samba prefers the "Heimdal" implementation of Kerberos for the AD service. A Samba ADS can only be set up on Fedora and EL distributions if you use workarounds that require either third-party repositories or a Samba build from source code.

For this reason, I used two Debian variants in the test setup: the current Debian 11 on a virtual machine and an ARM CubieTruck single-board computer with Armbian 5.9, which is based on Debian 10. In smaller environments, a single-board computer of this class (ARM V7 dual core, 2GB of RAM) is fine as an ADS. In preparation, the machines need a standard Debian (Armbian) minimal setup with a static IP address and the correct configuration of /etc/hostname and /etc/hosts. The first computer with ADS also assumes the role of the DNS server. If you already have a Dynamic Host Configuration Protocol (DHCP) service running on the local area network (LAN), it must point to the IP address of the ADS as the DNS (DHCP option 6) and transmit the domain name (DHCP option 15).

During the install, the primary ADS node must be able to reach your existing DNS server, but you can change the DNS setup after the initial setup (Figure 1). As with all other services that use encryption, the correct system time is essential: Kerberos rejects tickets whose timestamps deviate from the KDC's clock by more than the permitted clock skew (five minutes by default). On an ADS network, the domain controller also acts as a time source for its clients; with Samba this means running ntpd or chrony on the DC and pointing it at Samba's ntp_signd socket (the ntpsigndsocket option), because Windows clients expect signed time replies from a DC. Before the install, make sure that the server's system time and time zone are correct and that the time daemon keeps the clock synchronized with the Internet. This detail is especially important in a setup with an ARM single-board computer because systems like a Raspberry Pi or CubieTruck do not have a battery-backed hardware clock.

Figure 1: Use the standard AD tools on Windows to customize the domain settings of the Linux DC.

If you want your Samba server to manage advanced access authorizations (access control lists, ACLs), the server's filesystem must support extended attributes, including the security namespace, because Samba stores the NT ACL of a file in the security.NTACL attribute. Extended attributes are always enabled on modern Linux installations with XFS or Btrfs, and this is now also the standard for ext4 filesystems. If you are using ext4, you can check /boot/config-<current kernel> to make sure the required settings are in place before you install:

CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
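As an added check that is not part of the article, the following script generalizes the kernel config lookup to an arbitrary list of symbols and, more usefully, tests on the live filesystem whether attributes in the user and security namespaces can actually be written and read back, which is what Samba needs for security.NTACL. The data directory /var/lib/samba and the --check switch are assumptions; setfattr and getfattr come from Debian's attr package.

```shell
#!/bin/sh
# Added example (not from the article): verify kernel config and live xattr
# support for the filesystem that will hold Samba's data. The directory
# argument (/var/lib/samba below) is a placeholder; setfattr/getfattr are
# from the "attr" package.
set -eu

# Print every symbol from $2.. that is not set to "y" in the kernel config $1.
# ext4 needs CONFIG_EXT4_FS_POSIX_ACL and CONFIG_EXT4_FS_SECURITY; the
# equivalents are CONFIG_XFS_POSIX_ACL for XFS and CONFIG_BTRFS_FS_POSIX_ACL
# for Btrfs.
missing_kernel_opts() {
    cfg=$1; shift
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for sym in "$@"; do
        grep -qx "$sym=y" "$cfg" || printf '%s\n' "$sym"
    done
}

# Store and read back an attribute in the user and (as root) the security
# namespace on a temporary file in $1.
# Returns 0 = ok, 1 = a write or read-back failed, 2 = attr tools missing.
xattr_selftest() {
    command -v setfattr >/dev/null 2>&1 && command -v getfattr >/dev/null 2>&1 || return 2
    f=$(mktemp "$1/xattrtest.XXXXXX")
    rc=0
    # user.* needs the user_xattr mount option (default on ext4, XFS, Btrfs)
    setfattr -n user.test -v ok "$f" 2>/dev/null &&
        getfattr -n user.test "$f" 2>/dev/null | grep -q '^user.test="ok"$' || rc=1
    # security.* is where Samba keeps security.NTACL; writing it needs root
    # and CONFIG_<FS>_FS_SECURITY
    if [ "$(id -u)" -eq 0 ]; then
        setfattr -n security.test -v ok "$f" 2>/dev/null &&
            getfattr -n security.test "$f" 2>/dev/null | grep -q '^security.test="ok"$' || rc=1
    fi
    rm -f "$f"
    return $rc
}

if [ "${1:-}" = "--check" ]; then
    missing=$(missing_kernel_opts "/boot/config-$(uname -r)" \
              CONFIG_EXT4_FS_POSIX_ACL CONFIG_EXT4_FS_SECURITY)
    if [ -z "$missing" ]; then echo "kernel config: ok"; else echo "kernel config missing: $missing"; fi
    if xattr_selftest /var/lib/samba; then
        echo "xattr: ok"
    else
        echo "xattr: failed or skipped (rc=$?)"
    fi
fi
```

Run it as root with --check on the DC before provisioning; a failure in the security namespace while the user namespace works points at a kernel built without CONFIG_EXT4_FS_SECURITY or at a filesystem mounted with nosecurity-style restrictions, not at Samba.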

Now set up the required packages on your Debian server:

apt install samba samba-vfs-modules samba-dsdb-modules \
  smbclient winbind libpam-winbind libnss-winbind \
  krb5-kdc libpam-krb5 -y

The basic Samba installation comes with a configuration file as a template. However, the ADS setup creates a new one, so you need to remove the old one by typing

rm /etc/samba/smb.conf

before you proceed with the setup. The Samba tool then guides you through the AD setup with:

samba-tool domain provision --use-rfc2307 --interactive

The --use-rfc2307 switch is optional, but it adds the RFC 2307 schema attributes (Unix UID, GID, home directory, shell) to the directory, which Linux clients using winbind or sssd can later map to local accounts.

Without any further parameters, the Samba tool relies on Samba's internal implementations of all required services (DNS, Kerberos). When prompted, enter the domain and realm name information. Another important item to enter is your existing DNS server as the forwarder (Figure 2). The Administrator password you set must satisfy the default domain password policy (at least seven characters, complexity enabled), otherwise provisioning aborts. Finally, the setup creates the appropriate configuration files and a registry. The smb.conf file is written straight to /etc/samba/. The Kerberos configuration, on the other hand, needs to be copied manually to the correct location by typing

cp /var/lib/samba/private/krb5.conf /etc/

Figure 2: The Windows DNS Manager manages the DNS zones of the forest. The Linux DC servers synchronize their settings.

Samba provides a separate daemon, samba, for AD operation; it starts the smbd and winbindd processes it needs by itself. To prevent the regular Samba services from running or being started accidentally, enter:

systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind

and, instead, use the AD server service:

systemctl unmask samba-ad-dc
systemctl start samba-ad-dc
systemctl enable samba-ad-dc

which integrates all services.
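The steps from apt install through systemctl enable samba-ad-dc can be turned into one script. The following is an added example, not code from the article or from the Samba project; dc1.samdom.example.com, the addresses 192.0.2.10 and 192.0.2.1 and the environment variables SAMBA_PROVISION and ADMIN_PASS are assumptions. It runs samba-tool domain provision non-interactively and performs two checks up front that otherwise make provisioning abort halfway: deriving the realm and NetBIOS domain names from the host name, and checking the Administrator password against the default domain password policy.

```shell
#!/bin/sh
# Added example (not from the article): non-interactive version of the
# provisioning steps, for a Debian host whose FQDN is already set in
# /etc/hostname and /etc/hosts. All names and addresses are placeholders.
set -eu

# Kerberos realm = DNS domain in upper case; NetBIOS domain = its first label
# (upper case, at most 15 characters). Prints "REALM NETBIOS".
derive_names() {
    fqdn=$1
    case $fqdn in
        *.*.*) ;;
        *) echo "need host.domain.tld, got '$fqdn'" >&2; return 1 ;;
    esac
    dnsdomain=${fqdn#*.}
    realm=$(printf '%s' "$dnsdomain" | tr '[:lower:]' '[:upper:]')
    netbios=$(printf '%s' "${dnsdomain%%.*}" | tr '[:lower:]' '[:upper:]' | cut -c1-15)
    printf '%s %s\n' "$realm" "$netbios"
}

# Default AD password policy that provisioning installs: at least 7 characters
# and three of the four ASCII classes (upper, lower, digit, other).
password_ok() {
    pw=$1; n=0
    [ ${#pw} -ge 7 ] || return 1
    printf '%s' "$pw" | grep -q '[[:upper:]]' && n=$((n+1))
    printf '%s' "$pw" | grep -q '[[:lower:]]' && n=$((n+1))
    printf '%s' "$pw" | grep -q '[[:digit:]]' && n=$((n+1))
    printf '%s' "$pw" | grep -q '[^[:alnum:]]' && n=$((n+1))
    [ "$n" -ge 3 ]
}

# $1 = DC FQDN, $2 = DC IP, $3 = DNS forwarder IP, $4 = Administrator password
provision() {
    names=$(derive_names "$1") || return 1
    realm=${names% *}; netbios=${names#* }
    password_ok "$4" || { echo "Administrator password violates the default policy" >&2; return 1; }
    apt-get install -y samba samba-vfs-modules samba-dsdb-modules smbclient winbind \
        libpam-winbind libnss-winbind krb5-kdc libpam-krb5
    rm -f /etc/samba/smb.conf      # an existing smb.conf would be read and can break provisioning
    samba-tool domain provision --use-rfc2307 \
        --realm="$realm" --domain="$netbios" \
        --server-role=dc --dns-backend=SAMBA_INTERNAL \
        --host-ip="$2" \
        --option="dns forwarder = $3" \
        --adminpass="$4"
    cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
    systemctl disable --now smbd nmbd winbind
    systemctl mask smbd nmbd winbind
    systemctl unmask samba-ad-dc
    systemctl enable --now samba-ad-dc
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${SAMBA_PROVISION:-}" = "1" ]; then
    provision dc1.samdom.example.com 192.0.2.10 192.0.2.1 "${ADMIN_PASS:-}"
fi
```

Passing the password through an environment variable keeps it out of the shell history and the process list of other users, which --adminpass on an interactive command line does not.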

Checking the DNS Service

Once the Samba AD server is running, it assumes the DNS role for the network. On the DC system itself, you now need to configure local DNS resolution. The Samba tool has added your existing DNS server to the configuration in /etc/samba/smb.conf:

[global]
   dns forwarder = <DNS IP address>
...

The local resolver on the DC therefore also needs to point to the local system. Many modern distributions use the systemd-resolved service, which detects network changes and dynamically adjusts the DNS configuration by overwriting the /etc/resolv.conf file as needed. That behavior is useful on clients that frequently switch LANs or establish VPN connections. The domain controller in this example, on the other hand, requires a static DNS configuration (and, as noted earlier, a static IP address, because a DHCP client would rewrite resolv.conf as well), which you can achieve by turning off the systemd-resolved service and unlinking the resolv.conf symlink:

systemctl stop systemd-resolved
systemctl disable systemd-resolved
cd /etc
unlink resolv.conf

In an editor of your choice, create a new /etc/resolv.conf with only two entries:

nameserver <IP address of the DC>
search <domain name>

Next, check that both a local and forwarded DNS request work. The command

host -t SRV _ldap._tcp.<Domain Name>

must respond with a line such as _ldap._tcp.<Domain Name> has SRV record <priority> <weight> 389 <FQDN of the DC> (Samba provisions its SRV records with priority 0 and weight 100), whereas a regular DNS request to the Internet must be answered by the forwarder with, for example, www.admin-magazine.com has address <IP-Address> .

Errors in the DNS are some of the most common causes of directory setup problems. Whatever else happens, this service must work correctly in your environment.
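As an added example (not from the article), the following script extends the single lookup above to the full set of SRV records that samba-tool domain provision registers for a DC, plus the forwarder, parsing the output of host so the check can run unattended after every DNS change. samdom.example.com, dc1.samdom.example.com and the use of www.admin-magazine.com as the forwarder probe are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): verify the DNS records a Samba DC
# must serve and that the forwarder answers. Domain and host names are
# placeholders.
set -eu

# Read "host -t SRV" output on stdin; succeed if one record points at the
# expected target ($2) on port $1. host prints lines like
#   _ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.
srv_points_to() {
    awk -v port="$1" -v target="$2." '
        $3 == "SRV" && $4 == "record" && $7 == port && $8 == target { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Read "host <name>" output on stdin; succeed if an address came back.
answered_with_address() { grep -Eq ' has (IPv6 )?address '; }

# Service records provisioning creates for every DC: "<service> <port>".
# _ldap._tcp.dc._msdcs is what Windows clients query to locate a DC.
dc_srv_records() {
    cat <<'EOF'
_ldap._tcp 389
_ldap._tcp.dc._msdcs 389
_kerberos._tcp 88
_kerberos._udp 88
_kpasswd._tcp 464
_kpasswd._udp 464
_gc._tcp 3268
EOF
}

# $1 = DNS domain, $2 = DC FQDN, $3 = external name to probe the forwarder
check_dc_dns() {
    fails=0
    for rec in $(dc_srv_records | tr ' ' ':'); do
        svc=${rec%:*}; port=${rec#*:}
        if host -t SRV "$svc.$1" 2>/dev/null | srv_points_to "$port" "$2"; then
            echo "ok      $svc.$1 -> $2:$port"
        else
            echo "MISSING $svc.$1 (expected $2 port $port)"; fails=$((fails+1))
        fi
    done
    if host "$3" 2>/dev/null | answered_with_address; then
        echo "ok      forwarder resolves $3"
    else
        echo "FAILED  forwarder lookup of $3"; fails=$((fails+1))
    fi
    [ "$fails" -eq 0 ]
}

if [ "${1:-}" = "--run" ]; then
    check_dc_dns samdom.example.com dc1.samdom.example.com www.admin-magazine.com
fi
```

Once every record resolves, kinit Administrator@<REALM> followed by klist is the matching Kerberos check; if kinit reports that it cannot find the KDC for the realm, the cause is almost always one of the records above or a stale /etc/resolv.conf.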

ADS Management at the Command Line

The Samba tool used previously can do more than just guide you interactively through the AD setup. It also acts as a command-line interface (CLI) for AD management that handles users and group memberships easily. Before you can work with the Samba tool against a remote DC, obtain a Kerberos ticket as the administrator; on the DC itself, root can run the commands directly against the local database:

kinit Administrator
samba-tool user create hammer IamAgenius
samba-tool group addmembers ncc1701 hammer

The group (here ncc1701) must already exist, for example created with samba-tool group add, and the new user's password is subject to the same domain password policy as the Administrator password during provisioning.

The practical thing about the CLI method is that standard tasks can be handled by script. A simple Bash script could read the DNS configuration of an existing /etc/hosts file and transfer these hosts to the AD-integrated DNS with samba-tool dns add.
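That script, as an added example that is not part of the article: it parses a hosts file and prints one samba-tool dns add command per entry that belongs to the AD zone, so the result can be reviewed before it is piped into a shell. The zone samdom.example.com, the DNS server dc1.samdom.example.com, the --print and --apply switches and the sample hosts lines in the test are assumptions or constructed data.

```shell
#!/bin/sh
# Added example (not from the article): generate "samba-tool dns add"
# commands from /etc/hosts. Zone and server names are placeholders.
set -eu

# $1 = zone (DNS domain), $2 = DNS server to talk to, stdin = hosts file.
# A records for IPv4, AAAA for IPv6. Comments, loopback, link-local and
# multicast addresses, and names in other zones are skipped; short names
# (no dot) are taken to belong to the zone. Duplicates are emitted once.
hosts_to_dns_cmds() {
    awk -v zone="$1" -v server="$2" '
    function in_zone(n,   l, z) {
        l = length(n); z = length(zone)
        return (l > z + 1 && substr(n, l - z) == "." zone)
    }
    function short(n) {
        return in_zone(n) ? substr(n, 1, length(n) - length(zone) - 1) : n
    }
    {
        sub(/#.*/, "")                                   # drop comments
        if (NF < 2) next
        ip = $1
        if (ip ~ /^(127\.|::1$|fe80:|ff)/) next          # loopback / link-local / multicast
        type = (ip ~ /:/) ? "AAAA" : "A"
        for (i = 2; i <= NF; i++) {
            name = $i
            if (name ~ /\./ && !in_zone(name)) continue  # foreign zone
            key = short(name) ":" ip
            if (seen[key]++) continue
            printf "samba-tool dns add %s %s %s %s %s -U Administrator\n",
                   server, zone, short(name), type, ip
        }
    }'
}

case "${1:-}" in
    --print) hosts_to_dns_cmds samdom.example.com dc1.samdom.example.com < /etc/hosts ;;
    --apply) hosts_to_dns_cmds samdom.example.com dc1.samdom.example.com < /etc/hosts | sh ;;
esac
```

Each generated command prompts for the Administrator password because of -U; for an unattended run, obtain a ticket with kinit first and let samba-tool use Kerberos, rather than putting the password into the generated command lines.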
