```text
# Generated by NetworkManager
search ad.andrewwippler.com
nameserver 192.168.1.201
```

In my lab, 192.168.1.201 is a Windows 2008 R2 server named DC1.
### Hostname related
If you have not named your CentOS install, it is best to do it now. You will also need to verify that pinging your hostname works and that it returns the IP of the interface you configured, not the loopback address.
```bash
sudo hostname dc2.ad.andrewwippler.com
# Write through tee: in "sudo echo ... > file" the redirect runs as the unprivileged user.
echo 'dc2.ad.andrewwippler.com' | sudo tee /etc/hostname
# Put the FQDN before the short alias so "hostname -f" and reverse lookups return the FQDN.
echo '192.168.1.202 dc2.ad.andrewwippler.com dc2' | sudo tee -a /etc/hosts
```

### Kerberos related
Ensure `/etc/krb5.conf` has the following. The realm (the domain name) needs to be in all caps.

```ini
...
[libdefaults]
 ...
 dns_lookup_realm = false
 dns_lookup_kdc = true
 default_realm = AD.ANDREWWIPPLER.COM
...
```

### Testing
We can now test our DNS and Kerberos settings with two simple commands.
```bash
kinit administrator
```

This should ask you for the domain administrator's password. Once it is entered, you can verify that a ticket was issued with `klist`.

## Joining Active Directory
At this point we have not started Samba, nor do we need to until the very end. We can now issue the join command (with BIND9 support):
```bash
sudo samba-tool domain join ad.andrewwippler.com DC -Uadministrator --realm=AD.ANDREWWIPPLER.COM --dns-backend=BIND9_DLZ
```

Now we will have to configure BIND. For convenience's sake, I have included my `/etc/named.conf`:

```text
//
// named.conf
//

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    //samba
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
//samba
include "/usr/local/samba/private/named.conf";
```

Note that `allow-query { any; };` together with `recursion yes;` makes this an open recursive resolver on every interface; that is fine for a lab, but on a server reachable from untrusted networks restrict recursion to your internal address ranges.

## Allowing access
Now that we have a functioning Samba server (even though it hasn't started yet), we need to allow it through SELinux and the firewall. Below are the commands to do just that:
### Firewall

```bash
sudo firewall-cmd --add-port=389/tcp --permanent
sudo firewall-cmd --add-port=389/udp --permanent
sudo firewall-cmd --add-port=636/tcp --permanent
sudo firewall-cmd --add-port=53/tcp --permanent
sudo firewall-cmd --add-port=53/udp --permanent
sudo firewall-cmd --add-port=88/tcp --permanent
sudo firewall-cmd --add-port=88/udp --permanent
sudo firewall-cmd --add-port=464/tcp --permanent
sudo firewall-cmd --add-port=464/udp --permanent
sudo firewall-cmd --add-port=135/tcp --permanent
sudo firewall-cmd --add-port=137/udp --permanent
sudo firewall-cmd --add-port=139/tcp --permanent
sudo firewall-cmd --add-port=138/udp --permanent
sudo firewall-cmd --add-port=445/tcp --permanent
sudo firewall-cmd --add-port=3268/tcp --permanent
sudo firewall-cmd --reload
```

### SELinux

```bash
sudo chown named:named /usr/local/samba/private/dns
sudo chgrp named /usr/local/samba/private/dns.keytab
sudo chmod g+r /usr/local/samba/private/dns.keytab
sudo chmod 775 /usr/local/samba/private/dns
sudo chown named:named /usr/local/samba/lib/bind9/dlz_bind9_9.so
# chcon relabels the files now; semanage fcontext makes the labels survive a relabel.
sudo chcon -t named_conf_t /usr/local/samba/private/dns.keytab
sudo chcon -t named_conf_t /usr/local/samba/private/named.conf.update
sudo chcon -t named_var_run_t /usr/local/samba/private/dns
sudo chcon -t named_var_run_t /usr/local/samba/lib/bind9/dlz_bind9_9.so
sudo semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab
sudo semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf
sudo semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf.update
sudo semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns
sudo semanage fcontext -a -t named_var_run_t /usr/local/samba/lib/bind9/dlz_bind9_9.so
```

Now we need to run SELinux in permissive mode, let `named` run long enough to log every access it needs, and build a policy module from those denials.

```bash
sudo setenforce 0
sudo systemctl restart named
sleep 60
sudo systemctl stop named
cd ~
# audit2allow -M writes named.te and named.pp itself; redirecting its output into
# named.te would clobber the generated source. Review named.te before loading it.
sudo grep named /var/log/audit/audit.log | audit2allow -M named
sudo semodule -i named.pp
sudo setenforce 1
sudo systemctl start named
```

## Init files
Samba does not ship with an init file, so we will have to create one and enable it to start at boot.
```bash
# Quote the delimiter ('EOF') so $prog, $RETVAL, $1 and friends reach the file unexpanded,
# and write through tee because the redirect in "sudo cat > file" runs without root.
sudo tee /etc/init.d/samba > /dev/null << 'EOF'
#!/bin/bash
#
# samba4 This shell script takes care of starting and stopping
# samba4 daemons.
#
# chkconfig: - 58 74
# description: Samba 4.0 will be the next version of the Samba suite
# and incorporates all the technology found in both the Samba4 alpha
# series and the stable 3.x series. The primary additional features
# over Samba 3.6 are support for the Active Directory logon protocols
# used by Windows 2000 and above.

### BEGIN INIT INFO
# Provides: samba4
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Should-Start: $syslog $named
# Should-Stop: $syslog $named
# Short-Description: start and stop samba4
# Description: Samba 4.0 will be the next version of the Samba suite
# and incorporates all the technology found in both the Samba4 alpha
# series and the stable 3.x series. The primary additional features
# over Samba 3.6 are support for the Active Directory logon protocols
# used by Windows 2000 and above.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

prog=samba
prog_dir=/usr/local/samba/sbin
lockfile=/var/lock/subsys/$prog

start() {
    [ "$NETWORKING" = "no" ] && exit 1
    # Start daemons.
    echo -n $"Starting samba4: "
    daemon $prog_dir/$prog -D
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}

stop() {
    [ "$EUID" != "0" ] && exit 4
    echo -n $"Shutting down samba4: "
    killproc $prog_dir/$prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status $prog
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 2
esac
EOF
sudo chmod +x /etc/init.d/samba
sudo chkconfig samba on
```

## Flipping the switch
You are now ready to either restart the system or start Samba. The next step to fully migrate to a Samba4 AD backend would be to transfer the FSMO roles to this server. Managing this AD instance is done by loading the Remote Server Administration Tools (RSAT) on a Windows client.
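Before starting Samba, it is worth confirming the three things the earlier sections depend on: that the host's FQDN in `/etc/hosts` maps to the interface address rather than loopback, that `krb5.conf` carries the upper-case realm with `dns_lookup_kdc = true`, and that every port from the firewall section is actually open. The script below is an added example, not code from the original post; it takes file paths and a `firewall-cmd --list-ports` style list as arguments, and the sample inputs at the bottom are constructed from the lab values above.

```shell
#!/bin/bash
# Preflight checks for the DC join (added example; not the original post's code).

# Print the address the hosts file gives for an FQDN; fail if it is missing or loopback.
hosts_ip_for_fqdn() {   # $1 = hosts file, $2 = FQDN
    local ip
    ip=$(awk -v h="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$1")
    case "$ip" in
        "")        return 1 ;;   # no entry: resolution would fall back to DNS or loopback
        127.*|::1) return 1 ;;   # loopback: Samba would register the wrong address in AD
        *)         printf '%s\n' "$ip" ;;
    esac
}

# True if [libdefaults] names the expected upper-case realm and looks KDCs up via DNS.
krb5_realm_ok() {       # $1 = krb5.conf, $2 = expected realm (upper case)
    local realm kdc upper
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    kdc=$(sed -n 's/^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ -n "$realm" ] && [ "$realm" = "$2" ] && [ "$realm" = "$upper" ] && [ "$kdc" = "true" ]
}

# Print each port from the firewall section that is absent from a space-separated
# "port/proto" list such as the output of firewall-cmd --list-ports.
missing_dc_ports() {    # $1 = list of open ports
    local p
    for p in 53/tcp 53/udp 88/tcp 88/udp 135/tcp 137/udp 138/udp 139/tcp \
             389/tcp 389/udp 445/tcp 464/tcp 464/udp 636/tcp 3268/tcp; do
        case " $1 " in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
    done
}

# Constructed sample inputs mirroring the lab values from the post.
dir=$(mktemp -d)
printf '127.0.0.1 localhost\n192.168.1.202 dc2.ad.andrewwippler.com dc2\n' > "$dir/hosts"
printf '[libdefaults]\n dns_lookup_kdc = true\n default_realm = AD.ANDREWWIPPLER.COM\n' > "$dir/krb5.conf"
hosts_ip_for_fqdn "$dir/hosts" dc2.ad.andrewwippler.com || echo "hostname does not resolve to the interface address"
krb5_realm_ok "$dir/krb5.conf" AD.ANDREWWIPPLER.COM || echo "krb5.conf realm or KDC lookup settings are wrong"
missing_dc_ports "53/tcp 53/udp 88/tcp 88/udp 389/tcp 389/udp 445/tcp 636/tcp 3268/tcp"
rm -rf "$dir"
```

On the real server, call the functions with `/etc/hosts`, `/etc/krb5.conf` and `"$(sudo firewall-cmd --list-ports)"` instead of the constructed inputs.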
## Sources
Here is the list of sources and references used to compile this tutorial:
- https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory
- https://wiki.samba.org/index.php/Build_Samba_from_source
- https://wiki.samba.org/index.php/Samba4/InitScript
- https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
- https://lists.samba.org/archive/samba/2013-March/172397.html (Thanks Thomas Simmons)