oO.o's Fedora 30 Samba AD DC Guide

This was originally for Fedora 31, but there are too many issues with it, so I’m falling back to 30 for now. In general, it’s probably a good idea to stay one version behind for this.

Update: this now works on Fedora 31 as well; the steps that differ are marked `### FEDORA 31` below.


It is assumed that:

  1. The server was configured according to my CentOS 8 guide. Although that guide targets CentOS 8, it works for Fedora with a couple of minor caveats, which I note in the comments below.

  2. The server's FQDN (`hostname -f`) already resolves to the IP address that will be used for domain services; several commands below look that address up and will misbehave if it does not.

Prepare for DC Provisioning

# install samba with the AD DC role, the BIND9 DLZ plugin and the kerberos client tools
sudo dnf -yq install samba samba-dc samba-dc-bind-dlz krb5-workstation

# enable both services now; they are started only after provisioning (see below)
sudo systemctl enable samba named

### FEDORA 31
# update samba to the testing branch
# this will not be necessary after this bug fix is merged to stable
# https://bugzilla.redhat.com/show_bug.cgi?id=1757071#c25
# sudo dnf -yq update samba samba-dc samba-dc-bind-dlz --enablerepo updates-testing

# update selinux policy for use of `samba-tool`
# NOTE(review): this boolean is system-wide, not scoped to samba -- it lets every
# confined domain mmap files. Check whether your samba/selinux-policy version
# still needs it before flipping it (provision once without it and look for AVC
# denials with `ausearch -m avc -ts recent`).
sudo setsebool -P domain_can_mmap_files 1

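# configure network
# pick the device whose IPv4 address is what the FQDN resolves to
# (assumes DNS already resolves this machine's name -- see assumption 2 above;
# `-F` and the trailing `/` keep 10.0.0.1 from matching 10.0.0.10)
AD_IP="$(host -4 -t A "$(hostname -f)" | awk '{ print $NF }' | head -n 1)"
AD_IF="$(nmcli -g GENERAL.DEVICE,IP4.ADDRESS d show | grep -B 1 -F -- "${AD_IP}/" | head -n 1)"
: "${AD_IF:?no device holds ${AD_IP}; check that $(hostname -f) resolves to this machine}"

# `nmcli con mod` wants a connection name, not a device name; look it up instead
# of assuming the two are the same
AD_CON="$(nmcli -g GENERAL.CONNECTION d show "${AD_IF}")"

# convert dhcp to static (if necessary): reuse the address/prefix and gateway the
# device has right now rather than hard-coding a /24
AD_CIDR="$(nmcli -g IP4.ADDRESS d show "${AD_IF}" | tr '|' '\n' | tr -d ' ' | grep -F -m 1 -- "${AD_IP}/")"
AD_GW="$(nmcli -g IP4.GATEWAY d show "${AD_IF}")"
sudo nmcli con mod "${AD_CON}" \
  ipv4.addresses "${AD_CIDR}" \
  ipv4.gateway "${AD_GW}" \
  ipv4.method manual

# change dns entries for this machine to become a dc: point it at itself, since
# after provisioning it is the authoritative server for its own domain
# provision will fail if the fqdn is already resolving
sudo nmcli con mod "${AD_CON}" ipv4.dns "${AD_IP}"

# restart interface so the static config takes effect
# NOTE: over SSH the session may drop while the interface cycles; the `;` keeps
# `up` running even if `down` reports an error
sudo nmcli con down "${AD_CON}" ; sudo nmcli con up "${AD_CON}"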

# archive the packaged smb.conf: provisioning writes its own, so keep the
# original around for reference
sudo mv -- /etc/samba/smb.conf /etc/samba/smb.conf.default~

Provision the DC

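# generate a random password for Administrator (23-39 random bytes, base64-encoded)
ADMIN_PW="$(openssl rand -base64 $(( RANDOM % 17 + 23 )))"

# realm and NetBIOS domain are derived from the host's DNS domain; the site name
# is taken from the domain's second label (e.g. ad.example.com -> site EXAMPLE).
# the character classes are quoted so the shell cannot glob-expand them
AD_DOMAIN="$(hostname -d)"
AD_REALM="$(printf '%s' "${AD_DOMAIN}" | tr '[:lower:]' '[:upper:]')"
AD_NETBIOS="$(printf '%s' "${AD_DOMAIN}" | cut -d '.' -f 1 | tr '[:lower:]' '[:upper:]')"
AD_SITE="$(printf '%s' "${AD_DOMAIN}" | cut -d '.' -f 2 | tr '[:lower:]' '[:upper:]')"

# provision
# NOTE(review): --adminpass puts the password on the command line, where it is
# visible in `ps`/`/proc` while provision runs, and sudo logs the full command
# line (password included) to the system log by default. If that matters on
# your host, drop --adminpass and type the password at samba-tool's prompt.
sudo samba-tool domain provision \
  --realm="${AD_REALM}" \
  --domain="${AD_NETBIOS}" \
  --server-role=dc \
  --dns-backend=BIND9_DLZ \
  --site="${AD_SITE}" \
  --use-rfc2307 \
  --adminpass="${ADMIN_PW}"
# binding samba to the AD interface only is the tighter default, but is left off
# until https://bugzilla.redhat.com/show_bug.cgi?id=1768656 is fixed:
#  --option="interfaces=lo ${AD_IF}" \
#  --option="bind interfaces only=yes" \

# print admin password -- this is the only time it is shown, so store it safely
printf "Administrator's password is: %s\n" "${ADMIN_PW}"
unset ADMIN_PW

# install the kerberos config generated by provision, keeping the distro one
sudo cp -a /etc/krb5.conf /etc/krb5.conf.default~
sudo install -m 644 /var/lib/samba/private/krb5.conf /etc/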

Configure DNS

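# configure `bind`
sudo cp -a /etc/named.conf /etc/named.conf.default~

# fix permissions: named needs to read the DLZ config and keytab under
# /var/lib/samba/bind-dns
sudo chmod 644 /etc/samba/smb.conf
sudo chgrp named /var/lib/samba/
sudo chgrp named /var/lib/samba/bind-dns/named.conf

# listen only on loopback and the AD interface's own address (a bare address
# rather than the whole prefix, so no other interface in that subnet is picked
# up); named's IPv6 listen-on is left at its default
AD_IP="$(nmcli -g IP4.ADDRESS d show "${AD_IF}" | cut -d '/' -f 1)"
AD_GW="$(nmcli -g IP4.GATEWAY d show "${AD_IF}")"
: "${AD_IP:?no IPv4 address on ${AD_IF}}"
: "${AD_GW:?no IPv4 gateway on ${AD_IF}; forwarders would be empty}"
sudo sed -i -E "s#^([[:space:]]*)listen-on .*#\1listen-on port 53 { 127.0.0.1; ${AD_IP}; };#" /etc/named.conf

# NOTE(review): the allow-query address list was mangled in the original page
# (only the prefix lengths /8, /12 and /16 survived); it is reconstructed here as
# loopback plus the RFC 1918 ranges -- narrow it to the networks that should
# actually query this DC. With named's default `recursion yes;` this list is
# what keeps the server from being an open resolver. The `\n` in the
# replacement is a GNU sed extension.
sudo sed -i -E \
  "s#^([[:space:]]*)allow-query[[:space:]].*#\1allow-query     { 127.0.0.1; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };\n\1forwarders      { ${AD_GW}; };\n\1tkey-gssapi-keytab \"/var/lib/samba/bind-dns/dns.keytab\";#" \
  /etc/named.conf

# hand the AD zones to samba's DLZ module
echo 'include "/var/lib/samba/bind-dns/named.conf";' | sudo tee -a /etc/named.conf >/dev/null

# sanity-check the edited config before named is started
sudo named-checkconf /etc/named.conf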

Start and Configure Samba

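# start samba first, then named (named loads the AD zones from samba's DLZ module)
sudo systemctl start samba
sudo systemctl start named

# authenticate as the domain Administrator; the samba-tool calls below run
# unprivileged and use this ticket
kinit Administrator
# enter password

# add missing service records
# `samba-tool dns add` takes the DNS server to talk to as its first argument
# (it was missing from the original commands, so they could not have run)
AD_FQDN="$(hostname -f)"
AD_DOMAIN="$(hostname -d)"
AD_SITE="$(printf '%s' "${AD_DOMAIN}" | cut -d '.' -f 2 | tr '[:lower:]' '[:upper:]')"
# SRV data is "target port priority weight"
samba-tool dns add "${AD_FQDN}" "_msdcs.${AD_DOMAIN}" _kerberos._udp.dc SRV "${AD_FQDN} 88 0 100"
samba-tool dns add "${AD_FQDN}" "_msdcs.${AD_DOMAIN}" "_kerberos._udp.${AD_SITE}._sites.dc" SRV "${AD_FQDN} 88 0 100"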

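# configure password policy
# NOTE(review): --max-pwd-age=0 disables password expiry and --min-pwd-age=0
# lets a user change a password repeatedly in a row (which defeats password
# history). That is this guide's deliberate choice for a lab domain; for
# anything else keep a max age and review --complexity, --history-length,
# --min-pwd-length and the account-lockout settings
# (`samba-tool domain passwordsettings show` lists the current values).
sudo samba-tool domain passwordsettings set \
  --min-pwd-age=0 \
  --max-pwd-age=0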

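# configure firewall: find the zone the AD interface belongs to
# (`--get-active-zones` prints the zone name on the line before its interfaces;
# `-F -w` keeps e.g. eth1 from matching eth10)
ZONE="$(sudo firewall-cmd --get-active-zones | grep -B 1 -F -w -- "${AD_IF}" | head -n 1)"
: "${ZONE:?could not find a firewalld zone for ${AD_IF}}"

# https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
# the firewalld `ldap` service is TCP-only, but the port-usage page lists LDAP
# as tcp/udp (389/udp is CLDAP, used by clients to locate the DC), so it is
# added explicitly. The high TCP range is samba's default dynamic RPC port range.
# Newer firewalld releases ship a `samba-dc` service bundling these ports; check
# `firewall-cmd --info-service=samba-dc` and prefer it if yours has it.
sudo firewall-cmd --zone="${ZONE}" --add-service={dns,kerberos,kpasswd,ldap,ldaps,samba} --permanent
sudo firewall-cmd --zone="${ZONE}" --add-port={135/tcp,137-138/udp,139/tcp,389/udp,3268-3269/tcp,49152-65535/tcp} --permanent
sudo firewall-cmd --reload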

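### FEDORA 31
# `/etc/issue` gets messed up at some point in this process, so we need to reset it
# echo "
# WARNING: Unauthorized access to this information system will be prosecuted to the fullest extent of the law.
# " | sudo tee /etc/issue >/dev/null

# clean up: drop every AD_* helper variable set above, plus ZONE
unset "${!AD_@}" ZONE
# `history -c` only clears this shell's in-memory history. Commands run through
# sudo -- the provision line with its `--adminpass=...` value included -- were
# also logged by sudo to the system log, and this does not touch that.
history -c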

Make Yourself a Domain Admin

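DOMADM= #your.name
: "${DOMADM:?set DOMADM to the account name to create}"

# `user create` prompts for the new password twice
sudo samba-tool user create "${DOMADM}"
# type your password

# add the new account to Domain Admins; `group addmembers <group> <members>`
# needs the member name, which was missing from the original command
sudo samba-tool group addmembers "Domain Admins" "${DOMADM}"
# NOTE(review): keep this a dedicated admin account -- do day-to-day work with
# a separate unprivileged user rather than a Domain Admins member.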