oO.o's Fedora 30 Samba AD DC Guide

Wikis & How-to Guides
,
1

This was originally for Fedora 31, but there are too many issues with it, so I’m falling back to 30 for now. In general, it’s probably a good idea to stay one version behind for this.

Working in 31 now.

Prerequisites

It is assumed that:

  1. The server was configured according to my CentOS 8 guide. Despite the guide being for CentOS 8, it works for Fedora with a couple minor caveats I list in the comments.

  2. The FQDN of the server is resolving to the IP address that will be used for domain services.

Prepare for DC Provisioning

# install and enable samba ad dc
sudo dnf -yq install samba samba-dc samba-dc-bind-dlz krb5-workstation
sudo systemctl enable samba
sudo systemctl enable named

### FEDORA 31
#  update samba to testing branch
# this will not be necessary after this bug fix is merged to stable
# https://bugzilla.redhat.com/show_bug.cgi?id=1757071#c25
# sudo dnf -yq update samba samba-dc samba-dc-bind-dlz --enablerepo updates-testing

# update selinux policy for use of `samba-tool`
sudo setsebool -P domain_can_mmap_files 1

# configure network
AD_IF="$(nmcli -g GENERAL.DEVICE,IP4.ADDRESS d show | grep -B 1 "$(host -4 -t A "$(hostname -f)" | awk '{ print $NF }')" | head -n 1)" #assumes dns is resolving for this machine

# convert dhcp to static (if necessary)
sudo nmcli con mod "${AD_IF}" \
  ip4 "$(host "$(hostname -f)" | awk '{ printf $NF }')"/24 \
  gw4 "$(ip r | grep default | awk '{ printf $3 }')" \
  ipv4.method "manual"

# change dns entries for this machine to become a dc
# provision will fail if the fqdn is already resolving
sudo nmcli con mod "${AD_IF}" \
  ipv4.dns "$(nmcli -g IP4.ADDRESS d show "${AD_IF}" | cut -d '/' -f 1)"

# restart interface
sudo nmcli con down ${AD_IF} ; sudo nmcli con up ${AD_IF}

# archive smb.conf
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.default~

Provision the DC

# generate random password for Administrator
ADMIN_PW="$(openssl rand -base64 $(($(($RANDOM%17))+23)))"

# provision
sudo samba-tool domain provision \
  --realm="$(hostname -d | tr [a-z] [A-Z])" \
  --domain="$(hostname -d | cut -d '.' -f 1 | tr [a-z] [A-Z])" \
  --server-role=dc \
  --dns-backend=BIND9_DLZ \
  --site="$(hostname -d | cut -d '.' -f 2 | tr [a-z] [A-Z])" \
  --use-rfc2307 \
  --adminpass="${ADMIN_PW}" #\
#  --option="interfaces=lo ${AD_IF}" \
#  --option="bind interfaces only=yes" \
# https://bugzilla.redhat.com/show_bug.cgi?id=1768656

# print admin password
echo "Administrator's password is: ${ADMIN_PW}"
unset ADMIN_PW

# install kerberos config
sudo install -m 644 /var/lib/samba/private/krb5.conf /etc/

Configure DNS

# configure `bind`
sudo cp -a /etc/named.conf /etc/named.conf.default~

# fix permissions
sudo chmod 644 /etc/samba/smb.conf
sudo chgrp named /var/lib/samba/
sudo chgrp named /var/lib/samba/bind-dns/named.conf

sudo sed -i -E "s/(listen-on ).*/\1port 53 \{ 127.0.0.1; $(nmcli -g IP4.ADDRESS c s "${AD_IF}" | sed 's/\//\\\//'); \};/" /etc/named.conf
sudo sed -i -E "s/([[:space:]]*)(allow-query[[:space:]]*).*/\1\2\{ 127.0.0.1; 10.0.0.0\/8; 172.16.0.0\/12; 192.168.0.0\/16; \};\
%%%\1forwarders      \{ $(nmcli -g IP4.GATEWAY c s "${AD_IF}"); \};\
%%%\1tkey-gssapi-keytab \"\/var\/lib\/samba\/bind-dns\/dns.keytab\";/" /etc/named.conf
sudo sed -i 's/%%%/\
/g' /etc/named.conf
echo 'include "/var/lib/samba/bind-dns/named.conf";' | sudo tee -a /etc/named.conf >/dev/null

Start and Configure Samba

# start samba
sudo systemctl start samba
sudo systemctl start named

# authenticate
kinit Administrator
# enter password

# add missing service records
samba-tool dns add 127.0.0.1 _msdcs."$(hostname -d)" _kerberos._udp.dc SRV "$(hostname -f) 88 0 100"
samba-tool dns add 127.0.0.1 _msdcs."$(hostname -d)" _kerberos._udp."$(hostname -d | cut -d '.' -f 2 | tr [a-z] [A-Z])"._sites.dc SRV "$(hostname -f) 88 0 100"

# configure password policy
sudo samba-tool domain passwordsettings set \
  --min-pwd-age=0 \
  --max-pwd-age=0 \
  --min-pwd-length=10

# configure firewall
ZONE="$(sudo firewall-cmd --get-active-zones | grep -B 1 "${AD_IF}" | head -n 1)"

# https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
sudo firewall-cmd --zone="${ZONE}" --add-service={dns,kerberos,kpasswd,ldap,ldaps,samba} --permanent
sudo firewall-cmd --zone="${ZONE}" --add-port={135/tcp,137-138/udp,139/tcp,3268-3269/tcp,49152-65535/tcp} --permanent
sudo firewall-cmd --reload

### FEDORA 31
# `/etc/issue` gets messed up at some point in this process, so we need to reset it
# echo "
# WARNING: Unauthorized access to this information system will be prosecuted to the fullest extent of the law.
# " | sudo tee /etc/issue >/dev/null

# clean up
unset AD_IF ZONE
history -c

Make Yourself a Domain Admin

DOMADM= #your.name
sudo samba-tool user create "${DOMADM}"
# type your password
sudo samba-tool group addmembers "Domain Admins"
14 Likes