Samba 4.17 Active Domain Provision

  • Posted on: 29 January 2023
  • By: tomww

Hey, want an Active Directory Domain Controller on OmniOS?

Useful hints:
1) Have a DNS server that can resolve names on the internet (this may be your Internet router). Samba will later forward internet queries to this DNS. For your Windows stations see 2).
2) Let your Windows stations use the DNS built into Samba itself and *not* the DNS on your Internet router: the router's DNS does not know the records a Windows station needs to find the Domain Controller (e.g. the SRV records), and it is most likely not a dynamic DNS either, whereas Windows stations joined to the domain (and thus authenticated) can update their own records in the Samba DNS.

What is the default DNS domain on your local LAN?
With provisioning you'll add an Active Directory "realm" name (with dots) and a NetBIOS "domain" (no dots).

In the example I use "ad.myhome.de" as the realm and "ad" as the domain. So the Windows domain you know from the Active Directory login screen will be "AD" (AD\loginusername).
This keeps your old DNS domain separate from the DNS domain of the Active Directory.

beadm list | grep NR -> shows your currently booted BE; make a safety snapshot of it!
Example: omnios-151038-lts
Create the snapshot:
beadm create omnios-151038-lts@20230128-1922-00-pre-samba-domain-provision

pkg install samba417
Do not start the Samba services now!
Do *not* create an smb.conf file now! (Remove it if one exists.)
(Later on, in case you want Roaming Profiles and Group Policies, you may have to put proper ACL handling on ZFS into smb.conf. Instructions will follow in a later article.)

Make sure the Samba binaries supplied by SFE are in the PATH:
export PATH=/usr/gnu/sbin:/usr/gnu/bin:$PATH

Provision the domain:

root@omnios:~# samba-tool domain provision --use-rfc2307 --interactive
Realm [myhome]: ad.myhome.de
Domain [ad]: ad
Server Role (dc, member, standalone) [dc]: (enter)
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (enter)
DNS forwarder IP address (write 'none' to disable forwarding) [ip_read_in_from_resolv.conf]: (enter)
Administrator password: ********** #choose something with at least one each of: a number, a capital letter, a lower-case letter, and an extra character like # or !, and use at least 6 or 7 characters. _Write_ it down beforehand!
Retype password: **********
INFO 2023-01-28 18:49:27,447 pid:4352 /usr/gnu/lib/amd64/python3.9/site-packages/samba/samba/provision/__init__.py #2097: Looking up IPv4 addresses
INFO 2023-01-28 18:49:27,447 pid:4352 /usr/gnu/lib/amd64/python3.9/site-packages/samba/samba/provision/__init__.py #2114: Looking up IPv6 addresses
(some more messages, watch for errors!)
INFO 2023-01-28 18:49:43,836 pid:4352 /usr/gnu/lib/amd64/python3.9/site-packages/samba/samba/provision/__init__.py #2337: A Kerberos configuration suitable for Samba AD has been generated at /etc/samba/private/krb5.conf
INFO 2023-01-28 18:49:43,837 pid:4352 /usr/gnu/lib/amd64/python3.9/site-packages/samba/samba/provision/__init__.py #2339: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2023-01-28 18:49:44,121 pid:4352 /usr/gnu/lib/amd64/python3.9/site-packages/samba/samba/provision/__init__.py #2071: Setting up fake yp server settings
INFO 2023-01-28 18:49:44,328 pid:4352 /usr/gnu/lib/amd64/python3.9/site-packages/samba/samba/provision/__init__.py #487: Once the above files are installed, your Samba AD server will be ready to use
INFO 2023-01-28 18:49:44,329 pid:4352 /usr/gnu/lib/amd64/python3.9/site-packages/samba/samba/provision/__init__.py #492: Server Role: active directory domain controller
INFO 2023-01-28 18:49:44,329 pid:4352 /usr/gnu/lib/amd64/python3.9/site-packages/samba/samba/provision/__init__.py #493: Hostname: omnios
INFO 2023-01-28 18:49:44,330 pid:4352 /usr/gnu/lib/amd64/python3.9/site-packages/samba/samba/provision/__init__.py #494: NetBIOS Domain: AD
INFO 2023-01-28 18:49:44,330 pid:4352 /usr/gnu/lib/amd64/python3.9/site-packages/samba/samba/provision/__init__.py #495: DNS Domain: ad.myhome.de
INFO 2023-01-28 18:49:44,330 pid:4352 /usr/gnu/lib/amd64/python3.9/site-packages/samba/samba/provision/__init__.py #496: DOMAIN SID: S-1-5-21-12345678-1011121314-1234567890
root@omnios:~/root-home-shared-directory# echo $?
0

Is the exit-code "0"? If yes, then continue.

Did you see the krb5.conf file that *NEEDS* to be merged with your existing krb5.conf?
Use vimdiff or a tool of your choice to merge the two files (in vimdiff, Ctrl-W Ctrl-W in command mode switches between the two screen halves).
If you ignore Kerberos, you might not get a properly working Domain Controller and will run into all sorts of trouble.

After the merge, the example krb5.conf looks like this:
egrep -v "^#|^$" /etc/krb5/krb5.conf

[libdefaults]
default_realm = AD.MYHOME.DE
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
[domain_realm]
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
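The merge step above is easy to get wrong by hand (a stale default_realm left in place, or a duplicated [libdefaults] section). The following is an added example, not part of the guide and not Samba's own tooling: it parses both files section by section, overwrites only the top-level keys the generated file carries, leaves nested { } blocks such as kdc_rotate untouched, and writes the result to a new file next to the system one so you can review it before copying it over (no symlink, as the provisioning output says). The paths are the ones the guide names; both sample files embedded below are constructed.

```python
"""Merge the keys of Samba's generated krb5.conf into the system krb5.conf.
Added example, not Samba's tooling; the two sample files below are constructed."""
import re
from pathlib import Path

SECTION_RE = re.compile(r"^\s*\[([A-Za-z_]+)\]\s*$")
KEYVAL_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")

# Constructed sample of a stock OmniOS /etc/krb5/krb5.conf before provisioning
SYSTEM_KRB5 = """[libdefaults]
\tdefault_realm = ___default_realm___

[logging]
\tdefault = FILE:/var/krb5/kdc.log
\tkdc = FILE:/var/krb5/kdc.log
\tkdc_rotate = {
\t\tperiod = 1d
\t\tversions = 10
\t}

[appdefaults]
\tkinit = {
\t\trenewable = true
\t\tforwardable= true
\t}
"""

# Constructed, with the keys the provisioning step writes to /etc/samba/private/krb5.conf
GENERATED_KRB5 = """[libdefaults]
\tdefault_realm = AD.MYHOME.DE
\tdns_lookup_realm = false
\tdns_lookup_kdc = true
"""


def split_sections(text):
    """Split into (preamble lines, {section: lines}, section order); brace blocks stay as raw lines."""
    preamble, sections, order, current = [], {}, [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            if current not in sections:
                sections[current] = []
                order.append(current)
        elif current is None:
            preamble.append(line)
        else:
            sections[current].append(line)
    return preamble, sections, order


def _top_level(lines):
    """key -> value for 'key = value' lines at brace depth 0 (lines inside { } blocks are skipped)."""
    keys, depth = {}, 0
    for line in lines:
        m = KEYVAL_RE.match(line)
        if depth == 0 and m and not m.group(2).startswith("{"):
            keys[m.group(1)] = m.group(2)
        depth += line.count("{") - line.count("}")
    return keys


def top_level_keys(text, section):
    """For checking a merged file: the top-level keys of one section."""
    return _top_level(split_sections(text)[1].get(section, []))


def merge_section(existing, new):
    """Overwrite top-level keys present in 'new', keep everything else, append keys still missing."""
    new_keys = _top_level(new)
    out, depth, seen = [], 0, set()
    for line in existing:
        m = KEYVAL_RE.match(line)
        if depth == 0 and m and m.group(1) in new_keys and not m.group(2).startswith("{"):
            out.append(f"\t{m.group(1)} = {new_keys[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
        depth += line.count("{") - line.count("}")
    end = len(out)  # insert missing keys before the section's trailing blank lines
    while end > 0 and out[end - 1].strip() == "":
        end -= 1
    out[end:end] = [f"\t{k} = {v}" for k, v in new_keys.items() if k not in seen]
    return out


def merge_krb5(system_text, generated_text):
    """Return the system file text with the generated file's sections merged in."""
    preamble, sections, order = split_sections(system_text)
    _, gen_sections, gen_order = split_sections(generated_text)
    for name in gen_order:
        if name in sections:
            sections[name] = merge_section(sections[name], gen_sections[name])
        else:  # section only in the generated file: take it whole
            sections[name] = gen_sections[name]
            order.append(name)
    lines = list(preamble)
    for name in order:
        lines += [f"[{name}]"] + sections[name]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    system, generated = Path("/etc/krb5/krb5.conf"), Path("/etc/samba/private/krb5.conf")
    target = system.with_suffix(".conf.merged")  # /etc/krb5/krb5.conf.merged, reviewed by you
    target.write_text(merge_krb5(system.read_text(), generated.read_text()))
    print(f"wrote {target}; check it, then copy it over {system} (do not symlink)")
```

Run it as root after provisioning, diff /etc/krb5/krb5.conf.merged against the original, and only then replace the system file. The brace-depth tracking is what keeps it from touching "period = 1d" inside kdc_rotate when a top-level key of the same name ever appears.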

Later on I'll post an update on how to test Kerberos.
(kinit username@AD.MYHOME.DE asks for your password on that domain;
klist lists the Kerberos ticket created by the kinit above.)

Now enable the Samba service. Do *not* enable the SMF services "smbd", "nmbd" and "winbindd" - they are integrated into the new samba daemon!
svcadm enable samba417

Check the DNS records created by the Samba service!
dig @ip_of_your_samba _ldap._tcp.dc._msdcs.ad.myhome.de SRV
_ldap._tcp.dc._msdcs.ad.myhome.de. 900 IN SRV 0 100 389 omnios.ad.myhome.de.

_msdcs.ad.myhome.de. 3600 IN SOA omnios.ad.myhome.de. hostmaster.ad.myhome.de. 67 900 600 86400 3600

You can query _kerberos as well:

dig @ip_of_your_samba _kerberos._tcp.dc._msdcs.ad.myhome.de SRV
_kerberos._tcp.dc._msdcs.ad.myhome.de. 900 IN SRV 0 100 88 omnios.ad.myhome.de.
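A Windows station locates the DC purely through these SRV records, so a single wrong target (pointing outside the AD zone, as the router's DNS would) or a missing record is enough to make the join fail. As an added example (not from the guide or from Samba), this script parses dig's answer lines and verifies that each record a DC must publish exists, uses the right port and points at the DC host; it goes slightly beyond the two names the guide queries by also checking the standard _ldap._tcp, _kerberos._tcp/_udp and _kpasswd._tcp records of the realm. It assumes a single DC, realm ad.myhome.de and host omnios.ad.myhome.de; the sample dig output embedded below is constructed.

```python
"""Verify the SRV records a Samba AD DC must publish, by parsing dig output.
Added example, not Samba's tooling; sample dig output below is constructed."""
import re
import subprocess
import sys

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

# Records an AD client asks for when locating a DC: (owner name relative to the realm, port).
# The two _msdcs names are the ones the guide queries; the others are the standard AD set.
REQUIRED = [
    ("_ldap._tcp.dc._msdcs", 389),
    ("_kerberos._tcp.dc._msdcs", 88),
    ("_ldap._tcp", 389),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kpasswd._tcp", 464),
]

# Constructed: what "dig +noall +answer" returns from a healthy single-DC setup
GOOD_ANSWER = """_ldap._tcp.dc._msdcs.ad.myhome.de. 900 IN SRV 0 100 389 omnios.ad.myhome.de.
_kerberos._tcp.dc._msdcs.ad.myhome.de. 900 IN SRV 0 100 88 omnios.ad.myhome.de.
_ldap._tcp.ad.myhome.de. 900 IN SRV 0 100 389 omnios.ad.myhome.de.
_kerberos._tcp.ad.myhome.de. 900 IN SRV 0 100 88 omnios.ad.myhome.de.
_kerberos._udp.ad.myhome.de. 900 IN SRV 0 100 88 omnios.ad.myhome.de.
_kpasswd._tcp.ad.myhome.de. 900 IN SRV 0 100 464 omnios.ad.myhome.de.
"""
# Constructed failure: only one record, and it points at the host outside the AD zone
BAD_ANSWER = """; one answer, five records missing
_ldap._tcp.dc._msdcs.ad.myhome.de. 900 IN SRV 0 100 389 omnios.myhome.de.
"""


def parse_srv(dig_output):
    """Return {owner: [(prio, weight, port, target), ...]}; non-SRV lines (SOA, comments) are ignored."""
    records = {}
    for line in dig_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            d = m.groupdict()
            records.setdefault(d["name"].lower().rstrip("."), []).append(
                (int(d["prio"]), int(d["weight"]), int(d["port"]), d["target"].lower().rstrip("."))
            )
    return records


def check_dc_records(records, realm, dc_host):
    """List of problems; empty means every required record exists with the right port and target."""
    realm, dc_host = realm.lower().rstrip("."), dc_host.lower().rstrip(".")
    problems = []
    for rel, port in REQUIRED:
        owner = f"{rel}.{realm}"
        rrs = records.get(owner)
        if not rrs:
            problems.append(f"missing: {owner}")
            continue
        for _, _, rr_port, target in rrs:
            if target != dc_host:  # single-DC assumption: the only valid target is our DC
                problems.append(f"{owner}: target {target} is not {dc_host}")
            if rr_port != port:
                problems.append(f"{owner}: port {rr_port}, expected {port}")
    return problems


def query_srv(server, owner):
    """Ask the Samba DNS directly (needs dig on PATH) and return the answer section text."""
    proc = subprocess.run(["dig", f"@{server}", owner, "SRV", "+noall", "+answer"],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Usage: python check_dc_srv.py <ip_of_your_samba> [realm] [dc_host]
    server = sys.argv[1]
    realm = sys.argv[2] if len(sys.argv) > 2 else "ad.myhome.de"
    dc_host = sys.argv[3] if len(sys.argv) > 3 else "omnios.ad.myhome.de"
    answers = "".join(query_srv(server, f"{rel}.{realm}") for rel, _ in REQUIRED)
    problems = check_dc_records(parse_srv(answers), realm, dc_host)
    print("all required SRV records OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it against the Samba server's IP right after "svcadm enable samba417"; a non-zero exit with "missing:" lines usually means the station is being pointed at the router's DNS instead of Samba's, which is exactly the hint 2) case above.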

On Windows, before joining the Active Directory domain (Networking: DNS is your_samba_ip and the DNS search suffix is ad.myhome.de), run CMD.exe:

nslookup
> set type=SRV
> _ldap._tcp.dc._msdcs.ad.myhome.de
Server: omnios.myhome.de
Address: your_samba_ip_here

_ldap._tcp.dc._msdcs.ad.myhome.de SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = omnios.ad.myhome.de
_msdcs.ad.myhome.de
primary name server = omnios.ad.myhome.de
responsible mail addr = hostmaster.ad.myhome.de
...

Your Windows station, using the Samba server's IP as its DNS, should now be able to see the Domain Controller.
Try in Windows File Explorer in the address line at the top: \\omnios.ad.myhome.de
It may ask for user/password; then enter the domain credentials: AD\Administrator and the password from the domain provision.

You can install the RSAT tools from the Windows Apps Store / Extra Features:
I use Active Directory Domain Services, the DNS Server Tools and Group Policy Management - not all of them work with Samba.
https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#remote-server-administration-tools-rsat

Editor's note: This guide surely has errors and typos or is incomplete at this early stage. If so, and you can provide help/input/corrections or better language, then please get in contact at sfepackages at g mail dot com. Thank you!

Regards
Thomas

PS: current struggles: 1) I can't get a Kerberos ticket with "kinit" right now. Will see if that is a problem.