SAMBA4

From Stu2

Useful Commands

hostnamectl set-hostname NAME
sudo getent group
wbinfo --ping-dc
chown root:"domain users" /data
sudo net ads testjoin
kinit Administrator
klist
ntpdate -q stu2labs.net
smbclient -L your_domain_controller -U%
smbclient -L adc1 -U%
sudo smbclient //adc/share_name -U domain_user

Intro

I have several samba shares on a unix server, which the users need to access. The standard samba installation is working great. But, I don't have a nice way for users to change their passwords. I'm not interested in writing a web script for this, so I decided to explore SAMBA4 and Active Directory. If this works, users will have the ability to change their password and I'll have the added benefit of Group Policy Objects to add additional security to the workstations.

In this environment, I also have many non-Windows devices, such as Raspberry Pi and Sonos boxes. I really want dynamic DNS, which means I can't simply use the SAMBA internal DNS: automatic updates only work for devices that join the domain. So I have to use BIND. I also wanted SAMBA to run on a VM so I could use the same computer to provide the NAS storage. The authors highly recommend running SAMBA4 and NAS on two different computers. https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

After many, many hours, I settled on the following:

  • SAMBA4 for AD
  • ISC DHCP for IPv4
  • ISC DHCP for IPv6 with Dynamic Updates
  • BIND - Stand alone
  • radvd - IPv6 router advertising

I tried everything to get the ISC service to update the DNS. It works - sort of. Only IPv4 OR IPv6 addresses were registered - not both. I found a mention of this in a post about 7 years old. ISC DHCP 4.3.5 now provides a 'standard' update-style, but still doesn't update both records. So I tried using the DLZ module with Samba, figuring that might solve the problem. Still, no go. My solution is to go with IPv6 only in the dynamic updates. Screw it. Now, all the DHCPv6 computers are registered.


Links I used:

IPv6 DHCP

I set up radvd for DHCPv6. I chose to set up SLAAC and Stateful DHCPv6. The idea is to do both so the devices that can't do DHCPv6 still get an address.

interface enp1s0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    # M Flag - on = dhcp
    AdvManagedFlag on;
    # O Flag - get info from dhcp
    AdvOtherConfigFlag on;

    prefix 2002:4000:FFFF:DEAD::/64
    {
      AdvOnLink on;
      # SLAAC = on
      AdvAutonomous on;
      # Send Interface address
      AdvRouterAddr on;
    };
};

DNS

I set up standard BIND9, then added the Microsoft SRV and other domain-related records. This lets me keep DNS decoupled from AD in case AD fails. Make sure smb.conf on the AD VM sets dns forwarder to this box.

Use allow-update with the rndc key to allow dynamic updates from the ISC DHCP server. Also add an IP address to allow nsupdate from that host. Once the DNS zone file starts to get complicated, it's best to use nsupdate.

allow-update { 192.168.1.2; key "rndc-key"; };

Use nsupdate to update the A and AAAA records.

nsupdate
> update add www.example.com 86400 a 192.168.1.1
> send
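The batch above adds one record at a time and trusts the client's source address. As an added example (not from the original page), this POSIX sh script registers a host's A and AAAA records in a single nsupdate transaction signed with the rndc key, the both-records case that dhcpd could not handle; the zone name, server address and key path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Register both the A and AAAA
# record of one host in a single signed nsupdate transaction.
# Assumed values: zone stu2labs.net, BIND box 192.168.1.2, key /etc/bind/rndc.key.

ZONE="stu2labs.net"
SERVER="192.168.1.2"
KEYFILE="/etc/bind/rndc.key"
TTL=3600

# Emit the nsupdate batch for HOST with IPv4 address A4 and IPv6 address A6
# (either may be empty to skip that record type). Old records are deleted
# first so a re-lease with a new address cannot leave a stale record behind,
# and both adds go in one "send" so the zone never holds half of the host.
build_update() {
    host="$1"; a4="$2"; a6="$3"
    fqdn="$host.$ZONE"
    printf 'server %s\nzone %s\n' "$SERVER" "$ZONE"
    printf 'update delete %s A\nupdate delete %s AAAA\n' "$fqdn" "$fqdn"
    [ -n "$a4" ] && printf 'update add %s %s A %s\n' "$fqdn" "$TTL" "$a4"
    [ -n "$a6" ] && printf 'update add %s %s AAAA %s\n' "$fqdn" "$TTL" "$a6"
    printf 'send\n'
}

# Push the batch to BIND, signed with the TSIG key (-k), so the update is
# accepted because of the key rather than because of the source IP address.
# Requires nsupdate from bind-utils/dnsutils.
apply_update() {
    build_update "$@" | nsupdate -k "$KEYFILE"
}

# Usage: ./ddns-both.sh HOST IPV4 IPV6   (pass "" to skip an address)
if [ "$#" -ge 2 ]; then
    apply_update "$1" "$2" "${3:-}"
fi
```

With key-based updates in place, the bare IP address can be dropped from allow-update so a spoofed source address alone cannot change the zone.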

List the records -

 host -l 'domain'

The records in memory are written to the zone file every 15 minutes. To write them manually:

rndc freeze 'domain'
rndc thaw 'domain'

DHCP

Follow the guides. Turn OFF dynamic updates for the IPv4 instance of dhcpd. Also, set 'deny client-updates' to tell the clients to shut up. Note, it was interesting to see that Windows 10 clients attempt a DNS dynamic update correctly and routinely (observed via Wireshark), whereas Windows 7 and Ubuntu did not. This could be a timing thing, but I never saw the DNS updates from Win7 or Ubuntu. So this is a good reason to have dhcpd handle the updates. This also improves security: the clients themselves never need update rights on the zone.

AD Notes

The whole point of this exercise is to set up standard drive mappings. Under the GPO Domain Default Policy, go to User Configuration, Preferences, Windows Settings, Drive Maps.

Use RSAT to admin the domain.

Join the computer to the domain: Control Panel, System, Change.

Log on as 'Other user', then use DOMAIN\user as the username. To use the computer without logging on to the domain, switch users, choose 'Other user', and use COMPUTERNAME\localuser.