
[Samba] Samba4 on Ubuntu 18.04 Howto setup ADDC with bind9_DLZ


Yes yes, you did say you hate systemd.  :-) 
I had a hard(er) time on this one also but I got past it. ;-) 

But you and everybody else on the list, please review this setup.
And a very big thank you Rowland for the start of it. 

This should be a good base to start with as a howto for Ubuntu 18.04 systemd based. 

Any suggestions or additions, please add them; below is also the order in which I configured and installed the server.
Normally I don't do Ubuntu, apparmor etc. but it's all in here. 
Note, apparmor may have too many rights now but it works; someone with good apparmor knowledge please correct it.

The setup below is tested and works, I did not look at firewalling. 
Try it and tell us the result. 

Installing Ubuntu for a Dedicated Active Directory Domain Controller server.
- boot from CD
- Choose the base language, and press F6, choose EXPERT. 

-----Ubuntu Installer Menu  ---- 
choose your language and keyboard
( go through the other options, keep the defaults )
load the preconfiguration

configure the network. 
- Auto-configure networking   (NO)
 and enter your ip. 
	IP   ( choose your own ip )
	GW       ( choose your own gateway)
	NS           ( any internet ip for DNS )

	( my test hostname/domain )
	set the hostname,	( ubuntu1804 )
	set the domainname, ( internal.example.com )

Set up users and passwords.
The first two questions, the defaults are ok. 

The user, full name, what you want but NO username Administrator.
I prefer nixadmin 
( this is a user for maintaining the system. )

encrypt homedir, No.
configure clock.
	set the clock using NTP. (yes)
	You can keep the defaults ( for now )

Configure the disk.
what you want, an AD-DC only server, 10G is more than sufficient. ( for me ) 
My current Debian 9 shows : 
Size  Used Avail Use% Mounted on
6.0G  1.8G  3.9G  31% /

This ubuntu setup used ( finished ) 
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       7.3G  1.8G  5.2G  26% /

So about the same.

The "use entire disk" option does not include the swap partition.
with a 10GB partition I set 2GB swap, the rest is for the system. 
(tip, a separate log partition helps with less fragmentation )

--- Install the system
initrd, DON'T select targeted, choose generic.
- package manager, use a mirror yes.

- DON'T select backported software.
- DON'T select partner repository, only if you need to.
- Don't select sources, it's not needed.
keep other defaults.

- Select and install software.
	I prefer "Install security updates automatically", but you might not.

Now, an important part, 
Choose software to install. 
Select ONLY OpenSSH server.

- install grub. 
(keep the defaults)
Note, sometimes Ubuntu detects your disk wrong if you install from USB.
use ALT-F2 to go to a console, type df and check what your disk is.
/dev/sda or /dev/xvda, something like that. ( look for the /target disk )
ALT-F1 to go back to the installer.
Finish the install

first check if your ip is up.
type: ip a
and see what your "interface name" is, for me it's eth0.
All below is based on ETH0 so change this !! 

Now, you might find out that your network isn't working. 
Let's configure a systemd static ip.

AGAIN: Please don't forget to change the ip and interface name below!!

cat << EOF >> /etc/systemd/network/50-static.network
# /etc/systemd/network/50-static.network
EOF

systemctl enable systemd-networkd
systemctl start systemd-networkd
systemctl status systemd-networkd

Edit the systemd resolver.

nano /etc/systemd/resolved.conf
configure DNS and FallbackDNS ( for now, and google dns. )
NOTE: set DNSSEC=no also, because google does not support DNSSEC.

systemctl daemon-reload
systemctl restart systemd-resolved

and check if it works
nslookup www.google.com

-- Some cleanup I did first.  ( optional, but the less on the server the better imo )
First, get rid of the "howto make your system slower..." command-not-found packages,
but wait a bit because you might miss some packages... 
( remove if you don't use these. )
apt remove --purge lxd-client
apt remove --purge lxd lxd-client
apt remove --purge lxcfs 
apt remove --purge command-not-found command-not-found-data python3-commandnotfound
apt remove --purge snapd
apt remove --purge laptop-detect 
So, now this Ubuntu server performs almost like a Debian server. ;-) 

Optional, as I don't use LVM.  ( I snapshot my virtuals )
apt remove --purge lvm2 liblvm2app2.2 liblvm2cmd2.02 dmeventd

Optional, I don't like the check at every login for security/load etc. 
It just slows down the server imo. 

Optional, remove cpu info at login.
rm /etc/update-motd.d/50-landscape-sysinfo
run the command : landscape-sysinfo  to get the info or remove it (the package that ships landscape-sysinfo): 
apt remove --purge landscape-common

Optional, disable the annoying motd messages. 
sudo systemctl disable motd
sudo systemctl mask motd
sudo chmod -R 0644 /etc/update-motd.d/ 
if you want you can enable some, just add the execute bit (755) back on a file.

#Optional(2) if you don't want any of the above.
#apt remove --purge update-notifier-common
Advised: just chmod it. 

Results in a server with internet access and ssh. 


Login with ssh, and prepare for the real work for samba. 

Preparing for samba.  
# the AD DC, with ntp and bind, one liner :  
apt install samba winbind libnss-winbind libpam-winbind ntp bind9 binutils ldb-tools krb5-user
# Note, I use the defaults for krb5-user ( Kerberos configuration )

#The separated parts. 
#apt install samba winbind krb5-user
#(optional but often used, so install it. )
#apt install libnss-winbind  libpam-winbind

for the time sync in samba we need ntp or chrony. 
#Prepare time ( I prefer ntp.) 
#apt install ntp
#Prepare DNS ( I prefer bind9 )
#apt install bind9

# and add some tools you might need.
#apt install binutils ldb-tools smbclient 
#apt install libpam-krb5

systemctl disable nmbd smbd winbind 
systemctl stop nmbd smbd winbind 
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc

Setup NTP
cp /etc/ntp.conf{,.backup}
mkdir -p /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd
chown root:ntp /var/lib/samba/ntp_signd

cat << EOF >> /etc/ntp.conf
######  Needed for Samba 4  ######
# extra info, in the restrict -4 or -6 added mssntp.
# Location of the samba ntp_signd directory
ntpsigndsocket /var/lib/samba/ntp_signd
EOF

# add the mssntp part.
sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery limited/restrict -4 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
sed -i 's/restrict -6 default kod notrap nomodify nopeer noquery limited/restrict -6 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf

systemctl restart ntp
systemctl status ntp
run : ntpq -p
and check the output, if ok, ntp is up now and syncing. 

Setup Kerberos.
Backup the original version 
cp /etc/krb5.conf{,.backup}
head -n2 /etc/krb5.conf > /etc/krb5.conf.new

echo "
; for Windows 2008 with AES
        default_tgs_enctypes =  aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
" >> /etc/krb5.conf.new
rm /etc/krb5.conf
mv /etc/krb5.conf.new /etc/krb5.conf

# Setup Samba 
Prepare for provisioning. 
rm /var/lib/samba/*.tdb
rm /var/cache/samba/*.tdb
rm /var/cache/samba/browse.dat

mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

samba-tool domain provision --use-rfc2307 --realm=INTERNAL.EXAMPLE.COM --domain=INTERNAL --dns-backend=BIND9_DLZ
Admin password:        uP9B=H?H#%Mg@R6[H
Server Role:           active directory domain controller
Hostname:              ubuntu1804
NetBIOS Domain:        INTERNAL
DNS Domain:            internal.example.com
DOMAIN SID:            S-1-5-21-851884449-3694958272-1707027855

# Setup BIND
cp -r /etc/bind{,.backup}
# enable the forwarders. 
sed -i 's|// forwarders|forwarders|g' /etc/bind/named.conf.options
sed -i "s|// \t0.0.0.0;|;;|g" /etc/bind/named.conf.options
sed -i "s|// };|};|g" /etc/bind/named.conf.options
sed -i "/listen-on-v6/a \        tkey-gssapi-keytab \"/var/lib/samba/private/dns.keytab\";" /etc/bind/named.conf.options
sed -i "/tkey-gssapi-keytab/i \        // DNS dynamic updates via Kerberos \"/var/lib/samba/private/dns.keytab\";" /etc/bind/named.conf.options
sed -i "/listen-on-v6/a \        notify no;" /etc/bind/named.conf.options
sed -i "/notify no/a \        empty-zones-enable no;" /etc/bind/named.conf.options

echo "// adding the Samba dlopen ( Bind DLZ ) module
include \"/var/lib/samba/private/named.conf\";" >> /etc/bind/named.conf.local

As for this part, apparmor, this might need more optimizing but this works.
echo "# Samba4 DLZ and Active Directory Zones (default source installation)
/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns/** rwmk,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/usr/lib/**/samba/bind9/** rmk,
/usr/lib/**/samba/gensec/* rmk,
/usr/lib/**/samba/ldb/** rmk,
/usr/lib/**/ldb/modules/ldb/** rmk,
/var/tmp/** rwmk," >> /etc/apparmor.d/local/usr.sbin.named

# add the ntp part to apparmor
echo "# samba4 ntp signing socket
/var/lib/samba/ntp_signd/socket rw," >> /etc/apparmor.d/local/usr.sbin.ntpd

Correct the resolving. 

Now we link the lan interface to the systemd resolver. 
echo "

Domains=lan" >> /etc/systemd/network/eth0.network

and we change systemd-resolved and point it to the IP ( NOT localhost ) of the server.
now change the systemd-resolved DNS.
sed -i "s/^#\?DNS=.*/DNS=$(hostname -i)/" /etc/systemd/resolved.conf 
# Note, the DNS=$(hostname -i)  that is the ip of the server. NOT 

systemctl daemon-reload
systemctl reload apparmor
systemctl restart systemd-networkd
systemctl restart systemd-resolved
systemctl restart bind9
systemctl restart ntp

and reboot.

now go testing.  ;-) 
So far I see no problems.. And .. 

I did not touch resolv.conf  ;-) 
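Added example, not part of the post above: the content of the 50-static.network heredoc is missing from the archived message, so this renders that unit from a few variables and reuses the same address for the resolved.conf DNS= step (the post takes it from `hostname -i`, which on Debian-style /etc/hosts can return 127.0.1.1). The interface name, addresses and domain are constructed placeholders; change them as the post says.

```shell
#!/bin/sh
# Added example (not from the original post).  Placeholder values below are
# constructed; IFACE comes from `ip a`, ADDR/GW from your own network.
IFACE="eth0"
ADDR="192.0.2.10/24"          # the DC's static address, CIDR notation
GW="192.0.2.1"
DOMAIN="internal.example.com"

# Pure function: print the systemd-networkd unit for the given values.
# DNS= points at the DC's own address, not 127.0.0.1: the AD DC must resolve
# its own zones through the BIND9_DLZ module it just provisioned.
render_network_unit() {
  iface="$1"; addr="$2"; gw="$3"; domain="$4"
  dns="${addr%/*}"
  printf '[Match]\nName=%s\n\n[Network]\nAddress=%s\nGateway=%s\nDNS=%s\nDomains=%s\n' \
    "$iface" "$addr" "$gw" "$dns" "$domain"
}

# Pure function: the resolved.conf line that points the global resolver at
# the DC itself (derived from the static address, so no `hostname -i`).
render_resolved_dns() {
  printf 'DNS=%s\n' "${1%/*}"
}

# Write both files, but only if the interface really exists on this host,
# so a wrong interface name fails loudly instead of leaving the box offline.
install_static_network() {
  ip link show "$IFACE" >/dev/null 2>&1 || { echo "no such interface: $IFACE" >&2; return 1; }
  render_network_unit "$IFACE" "$ADDR" "$GW" "$DOMAIN" > /etc/systemd/network/50-static.network
  # replace the (commented-out) DNS= line in resolved.conf with the DC address
  sed -i "s|^#\?DNS=.*|$(render_resolved_dns "$ADDR")|" /etc/systemd/resolved.conf
}
```

Run `install_static_network` as root, then the `systemctl enable/start systemd-networkd` and `systemctl restart systemd-resolved` steps from the post.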
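Added example, not part of the post above, for the "now go testing" step: the checks to run after the reboot to confirm BIND9_DLZ, the dns.keytab update path, signed NTP and the apparmor rules are actually working. REALM and the hostname follow the post's test values; DC_IP is a constructed placeholder for the DC's own static address; it assumes `host(1)` and `smbclient` (listed as optional in the post) are installed.

```shell
#!/bin/sh
# Added example (not from the original post).  DC_IP is a constructed
# placeholder; REALM and DC_HOST are the post's test values.
REALM="internal.example.com"
DC_HOST="ubuntu1804"
DC_IP="192.0.2.10"

# Pure function: the DNS names an AD client needs to locate this DC.
# Output: one "<type> <name>" pair per line.
dc_record_names() {
  realm="$1"; host="$2"
  printf 'SRV _ldap._tcp.%s\n'     "$realm"
  printf 'SRV _kerberos._udp.%s\n' "$realm"
  printf 'SRV _kerberos._tcp.%s\n' "$realm"
  printf 'A %s.%s\n'               "$host" "$realm"
}

# Ask the DC's own BIND directly (not the resolver cache) for each record and
# print the ones that fail.  Any failure means the DLZ zones are not being
# served; on this setup that is usually an apparmor denial under
# /var/lib/samba/private or BIND not loading the Samba module.
check_dc_dns() {
  dc_record_names "$1" "$2" | while read -r type name; do
    host -t "$type" "$name" "$3" >/dev/null 2>&1 || echo "MISSING: $type $name"
  done
}

verify_dc() {
  check_dc_dns "$REALM" "$DC_HOST" "$DC_IP"
  # Secure dynamic update through dns.keytab (the tkey-gssapi-keytab path).
  samba_dnsupdate --verbose
  # Anonymous share listing from the DC; netlogon and sysvol must appear.
  smbclient -L localhost -U%
  # Signed NTP: peers should show reach > 0 once sync is established.
  ntpq -p
  # Anything the apparmor rules for named/ntpd still block shows up here.
  journalctl -k | grep 'apparmor="DENIED"' || echo "no apparmor denials logged"
}
```

Call `verify_dc` on the DC; an empty check_dc_dns output plus a clean denial grep is the result you want before joining clients.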


