{"id":98,"date":"2015-12-21T06:00:46","date_gmt":"2015-12-21T14:00:46","guid":{"rendered":"http:\/\/andrewwippler.com\/?p=98"},"modified":"2015-12-21T06:30:28","modified_gmt":"2015-12-21T14:30:28","slug":"switching-from-active-directory-to-samba4","status":"publish","type":"post","link":"https:\/\/andrewwippler.com\/2015\/12\/21\/switching-from-active-directory-to-samba4\/","title":{"rendered":"Switching from Active Directory to Samba4"},"content":{"rendered":"<p>Active Directory is solid, secure, and stable platform for user, group, and computer management. I would go as far and say that it is probably the backbone of 99.9% of all organizations world wide. So why would anyone want to switch away from Active Directory? The answer to that question is varied, but the most common reason why are:<\/p>\n<ul>\n<li>Reduce licensing costs (per user\/device cals)<\/li>\n<li>Reduce Windows foot print<\/li>\n<li>Advanced features of AD are not needed<\/li>\n<li>Less than 5,000 users<\/li>\n<li>Because &lt;insert_favorite_software&gt; is greater than &lt;insert_hated_software&gt;<\/li>\n<\/ul>\n<p>Let us get started on switching to a Samba4 backend. <!--more--><\/p>\n<p>This guide assumes the following:<\/p>\n<ul>\n<li>You already have a domain environment<\/li>\n<li>The forest functional level is 2003 or greater<\/li>\n<li>The domain functional level is not greater than 2008 R2<\/li>\n<li>You are running CentOS\/RedHat 7 as your Samba4 host and it is a vanilla minimal install with no added repositories (i.e. you just installed it)<\/li>\n<li>Your domain is: AD.ANDREWWIPPLER.COM and your NETBIOS is AD.<\/li>\n<\/ul>\n<h2>Installing Samba4<\/h2>\n<p>The samba version that ships with CentOS is compiled in legacy NT4 emulation mode. In order to get the AD emulation, we will need to compile Samba4 (Don&#8217;t worry, it is very easy and compiles under 20 minutes with a 2 core processor.)<\/p>\n<pre><code class=\"prettyprint lang-bsh\">cd \/usr\/src\/\r\nwget https:\/\/download.samba.org\/pub\/samba\/stable\/samba-4.3.2.tar.gz\r\nsudo tar xf samba-4.3.2.tar.gz\r\ncd samba-4.3.2\/<\/code><\/pre>\n<p>Now we need to install the build tools. (The most updated list is located <a href=\"https:\/\/wiki.samba.org\/index.php\/Operating_system_requirements\/Dependencies_-_Libraries_and_programs#Red_Hat_Enterprise_Linux_.2F_CentOS_.2F_Scientific_Linux\" target=\"_blank\">here<\/a>)<\/p>\n<pre><code class=\"prettyprint lang-bsh\">sudo yum install perl gcc attr libacl-devel libblkid-devel \\\r\n    gnutls-devel readline-devel python-devel gdb pkgconfig \\\r\n    krb5-workstation zlib-devel setroubleshoot-server libaio-devel \\\r\n    setroubleshoot-plugins policycoreutils-python \\\r\n    libsemanage-python perl-ExtUtils-MakeMaker perl-Parse-Yapp \\\r\n    perl-Test-Base popt-devel libxml2-devel libattr-devel \\\r\n    keyutils-libs-devel cups-devel bind-utils libxslt \\\r\n    docbook-style-xsl openldap-devel autoconf python-crypto<\/code><\/pre>\n<p>The next step is to compile and run:<\/p>\n<pre><code class=\"prettyprint lang-bsh\">.\/configure\r\nmake -j 2\r\n# The number 2 should be relative to the number of cores on your machine\r\nsudo make install<\/code><\/pre>\n<p>This process should take less than 20 minutes. After it is done compiling, it will install to <code class=\"prettyprint lang-bsh\">\/usr\/local\/samba\/<\/code>. To make it easier to run the new commands, let us add the paths to our global path:<\/p>\n<pre><code class=\"prettyprint lang-bsh\">sudo cat &lt;&lt; EOF &gt; \/etc\/profile.d\/samba.sh\r\n##add samba to PATH\r\nexport PATH=\/usr\/local\/samba\/bin\/:\/usr\/local\/samba\/sbin\/:$PATH\r\nEOF\r\nsudo chmod 0644 \/etc\/profile.d\/samba.sh\r\n. \/etc\/profile<\/code><\/pre>\n<h2>Preparing the system to join AD<\/h2>\n<p>Now that Samba is installed, we need to configure our system to interact with Active Directory as well and set up BIND9.<\/p>\n<h3>Network related<\/h3>\n<p>A static IP as well as DNS must be configured properly for this to work. Ensure the appropriate settings are in <code class=\"prettyprint lang-bsh\">\/etc\/sysconfig\/network-scripts\/ifcfg-(iface-name)<\/code>. The DNS servers must be an Active Directory domain controller and you should be able to ping it. If modification is done to this file, you will need to restart NetworkManager for changes to take effect. The desired result is to have <code class=\"prettyprint lang-bsh\">\/etc\/resolv.conf<\/code> appear like the following:<\/p>\n<pre><code class=\"prettyprint lang-bsh\"># Generated by NetworkManager\r\nsearch ad.andrewwippler.com\r\nnameserver 192.168.1.201<\/code><\/pre>\n<p>In my lab, 192.168.1.201 is a Windows 2008 R2 server named DC1.<\/p>\n<h3>Hostname related<\/h3>\n<p>If you have not named your CentOS install, it is best to do it now. You will also need to verify that pinging your hostname works and it returns with the ip of the interface you set and not the loopback interface.<\/p>\n<pre><code class=\"prettyprint lang-bsh\">sudo hostname dc2.ad.andrewwippler.com\r\nsudo echo 'dc2.ad.andrewwippler.com' &gt; \/etc\/hostname\r\necho '192.168.1.202 dc2 dc2.ad.andrewwippler.com' &gt;&gt; \/etc\/hosts<\/code><\/pre>\n<h3>Kerberos related<\/h3>\n<p>Ensure <code class=\"prettyprint lang-bsh\">\/etc\/krb5.conf<\/code> has the following. The domain needs to be in all caps.<\/p>\n<pre><code class=\"prettyprint lang-bsh\">...\r\n[libdefaults]\r\n    ...\r\n    dns_lookup_realm = false\r\n    dns_lookup_kdc = true\r\n    default_realm = AD.ANDREWWIPPLER.COM\r\n...<\/code><\/pre>\n<h3>Testing<\/h3>\n<p>We can now test our DNS and Kerberos settings with two simple commands.<\/p>\n<pre><code class=\"prettyprint lang-bsh\">kinit administrator<\/code><\/pre>\n<p>This should ask you for the domain administrator&#8217;s password. Once entered you can verify everything is working with <code class=\"prettyprint lang-bsh\">klist<\/code>.<\/p>\n<h2>Joining Active Directory<\/h2>\n<p>At this point, we have not started Samba, nor do we need to until the very end. We can now issue the join command (with BIND9 support)<\/p>\n<pre><code class=\"prettyprint lang-bsh\">sudo samba-tool domain join ad.andrewwippler.com DC -Uadministrator --realm=AD.ANDREWWIPPLER.COM --dns-backend=BIND9_DLZ<\/code><\/pre>\n<p>Now we will have to configure bind. For convenience sake, I have included my <code class=\"prettyprint lang-bsh\">\/etc\/named.conf<\/code><\/p>\n<pre><code class=\"prettyprint lang-bsh\">\/\/\r\n\/\/ named.conf\r\n\/\/\r\n\r\noptions {\r\n\tlisten-on port 53 { any; };\r\n\tlisten-on-v6 port 53 { any; };\r\n\tdirectory \t\"\/var\/named\";\r\n\tdump-file \t\"\/var\/named\/data\/cache_dump.db\";\r\n\tstatistics-file \"\/var\/named\/data\/named_stats.txt\";\r\n\tmemstatistics-file \"\/var\/named\/data\/named_mem_stats.txt\";\r\n\tallow-query     { any; };\r\n\trecursion yes;\r\n\tdnssec-enable yes;\r\n\tdnssec-validation yes;\r\n\tdnssec-lookaside auto;\r\n\t\/* Path to ISC DLV key *\/\r\n\tbindkeys-file \"\/etc\/named.iscdlv.key\";\r\n\tmanaged-keys-directory \"\/var\/named\/dynamic\";\r\n\tpid-file \"\/run\/named\/named.pid\";\r\n\tsession-keyfile \"\/run\/named\/session.key\";\r\n\r\n        \/\/samba\r\n        tkey-gssapi-keytab \"\/usr\/local\/samba\/private\/dns.keytab\";\r\n};\r\n\r\nlogging {\r\n        channel default_debug {\r\n                file \"data\/named.run\";\r\n                severity dynamic;\r\n        };\r\n};\r\n\r\nzone \".\" IN {\r\n\ttype hint;\r\n\tfile \"named.ca\";\r\n};\r\n\r\ninclude \"\/etc\/named.rfc1912.zones\";\r\ninclude \"\/etc\/named.root.key\";\r\n\/\/samba\r\ninclude \"\/usr\/local\/samba\/private\/named.conf\";<\/code><\/pre>\n<h2>Allowing access<\/h2>\n<p>Now that we have a functioning samba server (even though it hasn&#8217;t started yet), we need to allow it through SELinux and the firewall. Below are the commands to do just that:<\/p>\n<h3>Firewall<\/h3>\n<pre><code class=\"prettyprint lang-bsh\">sudo firewall-cmd --add-port=389\/tcp --permanent\r\nsudo firewall-cmd --add-port=389\/udp --permanent\r\nsudo firewall-cmd --add-port=636\/tcp --permanent\r\nsudo firewall-cmd --add-port=53\/tcp --permanent\r\nsudo firewall-cmd --add-port=53\/udp --permanent\r\nsudo firewall-cmd --add-port=88\/tcp --permanent\r\nsudo firewall-cmd --add-port=88\/udp --permanent\r\nsudo firewall-cmd --add-port=464\/tcp --permanent\r\nsudo firewall-cmd --add-port=464\/udp --permanent\r\nsudo firewall-cmd --add-port=135\/tcp --permanent\r\nsudo firewall-cmd --add-port=137\/udp --permanent\r\nsudo firewall-cmd --add-port=139\/tcp --permanent\r\nsudo firewall-cmd --add-port=138\/udp --permanent\r\nsudo firewall-cmd --add-port=445\/tcp --permanent\r\nsudo firewall-cmd --add-port=3268\/tcp --permanent\r\nsudo firewall-cmd --reload<\/code><\/pre>\n<h3>SELinux<\/h3>\n<pre><code class=\"prettyprint lang-bsh\">sudo chown named:named \/usr\/local\/samba\/private\/dns\r\nsudo chgrp named \/usr\/local\/samba\/private\/dns.keytab\r\nsudo chmod g+r \/usr\/local\/samba\/private\/dns.keytab\r\nsudo chmod 775 \/usr\/local\/samba\/private\/dns\r\nsudo chown named:named \/usr\/local\/samba\/lib\/bind9\/dlz_bind9_9.so\r\nsudo chcon -t named_conf_t \/usr\/local\/samba\/private\/dns.keytab\r\nsudo chcon -t named_conf_t \/usr\/local\/samba\/private\/named.conf.update\r\nsudo chcon -t named_var_run_t \/usr\/local\/samba\/private\/dns\r\nsudo chcon -t named_var_run_t \/usr\/local\/samba\/lib\/bind9\/dlz_bind9_9.so\r\nsudo semanage fcontext -a -t named_conf_t \/usr\/local\/samba\/private\/dns.keytab\r\nsudo semanage fcontext -a -t named_conf_t \/usr\/local\/samba\/private\/named.conf\r\nsudo semanage fcontext -a -t named_conf_t \/usr\/local\/samba\/private\/named.conf.update\r\nsudo semanage fcontext -a -t named_var_run_t \/usr\/local\/samba\/private\/dns\r\nsudo semanage fcontext -a -t named_var_run_t \/usr\/local\/samba\/lib\/bind9\/dlz_bind9_9.so\r\n<\/code><\/pre>\n<p>Now we need to run SELinux in permissive mode and add the policy.<\/p>\n<pre><code class=\"prettyprint lang-bsh\">sudo setenforce 0\r\nsudo systemctl restart named\r\nsleep 60\r\nsudo systemctl stop named\r\ncd ~\r\nsudo grep named \/var\/log\/audit\/audit.log | audit2allow -M named &gt; named.te\r\nsudo semodule -i named.pp \r\nsudo setenforce 1\r\nsudo systemctl start named<\/code><\/pre>\n<h2>Init files<\/h2>\n<p>Samba does not ship with an init file so we will have to create one and enable it to start at boot.<\/p>\n<pre><code class=\"prettyprint lang-bsh\">sudo cat &lt;&lt; EOF &gt; \/etc\/init.d\/samba\r\n#!\/bin\/bash\r\n#\r\n# samba4        This shell script takes care of starting and stopping\r\n#               samba4 daemons.\r\n#\r\n# chkconfig: - 58 74\r\n# description: Samba 4.0 will be the next version of the Samba suite\r\n# and incorporates all the technology found in both the Samba4 alpha\r\n# series and the stable 3.x series. The primary additional features\r\n# over Samba 3.6 are support for the Active Directory logon protocols\r\n# used by Windows 2000 and above.\r\n\r\n### BEGIN INIT INFO\r\n# Provides: samba4\r\n# Required-Start: $network $local_fs $remote_fs\r\n# Required-Stop: $network $local_fs $remote_fs\r\n# Should-Start: $syslog $named\r\n# Should-Stop: $syslog $named\r\n# Short-Description: start and stop samba4\r\n# Description: Samba 4.0 will be the next version of the Samba suite\r\n# and incorporates all the technology found in both the Samba4 alpha\r\n# series and the stable 3.x series. The primary additional features\r\n# over Samba 3.6 are support for the Active Directory logon protocols\r\n# used by Windows 2000 and above.\r\n### END INIT INFO\r\n\r\n# Source function library.\r\n. \/etc\/init.d\/functions\r\n\r\n# Source networking configuration.\r\n. \/etc\/sysconfig\/network\r\n\r\nprog=samba\r\nprog_dir=\/usr\/local\/samba\/sbin\/\r\nlockfile=\/var\/lock\/subsys\/$prog\r\n\r\nstart() {\r\n        [ \"$NETWORKING\" = \"no\" ] &amp;&amp; exit 1\r\n#       [ -x \/usr\/sbin\/ntpd ] || exit 5\r\n                # Start daemons.\r\n                echo -n $\"Starting samba4: \"\r\n                daemon $prog_dir\/$prog -D\r\n        RETVAL=$?\r\n                echo\r\n        [ $RETVAL -eq 0 ] &amp;&amp; touch $lockfile\r\n        return $RETVAL\r\n}\r\n\r\nstop() {\r\n        [ \"$EUID\" != \"0\" ] &amp;&amp; exit 4\r\n                echo -n $\"Shutting down samba4: \"\r\n        killproc $prog_dir\/$prog\r\n        RETVAL=$?\r\n                echo\r\n        [ $RETVAL -eq 0 ] &amp;&amp; rm -f $lockfile\r\n        return $RETVAL\r\n}\r\n\r\n# See how we were called.\r\ncase \"$1\" in\r\nstart)\r\n        start\r\n        ;;\r\nstop)\r\n        stop\r\n        ;;\r\nstatus)\r\n        status $prog\r\n        ;;\r\nrestart)\r\n        stop\r\n        start\r\n        ;;\r\n*)\r\n        echo $\"Usage: $0 {start|stop|status|restart}\"\r\n        exit 2\r\nesac\r\nEOF\r\nsudo chmod +x \/etc\/init.d\/samba\r\nsudo chkconfig samba on<\/code><\/pre>\n<h2>Flipping the switch<\/h2>\n<p>You are now ready to either restart the system or start samba. The next steps to fully migrate to a Samba4 AD backend would be to migrate the FSMO roles to this server. Managing this AD instance is done by loading the Remote Server Administration Tools (RSAT) on a windows client.<\/p>\n<h2>Sources<\/h2>\n<p>Here are the list of sources and references to compile this tutorial:<\/p>\n<ul>\n<li>https:\/\/wiki.samba.org\/index.php\/Join_an_additional_Samba_DC_to_an_existing_Active_Directory<\/li>\n<li>https:\/\/wiki.samba.org\/index.php\/Build_Samba_from_source<\/li>\n<li>https:\/\/wiki.samba.org\/index.php\/Samba4\/InitScript<\/li>\n<li>https:\/\/wiki.samba.org\/index.php\/Configure_BIND_as_backend_for_Samba_AD<\/li>\n<li>https:\/\/lists.samba.org\/archive\/samba\/2013-March\/172397.html (Thanks <b>Thomas Simmons<\/b>)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Active Directory is solid, secure, and stable platform for user, group, and computer management. I would go as far and say that it is probably the backbone of 99.9% of all organizations world wide. So why would anyone want to switch away from Active Directory? The answer to that question is varied, but the most [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[6,36],"tags":[37,5,29,28],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/posts\/98"}],"collection":[{"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/comments?post=98"}],"version-history":[{"count":6,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/posts\/98\/revisions"}],"predecessor-version":[{"id":104,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/posts\/98\/revisions\/104"}],"wp:attachment":[{"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/media?parent=98"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/categories?post=98"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/tags?post=98"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}