This was originally written for Fedora 31, but there were too many issues with it, so I fell back to 30 for a while. In general, it's probably a good idea to stay one version behind for this.
Update: it is working in 31 now.
Prerequisites
It is assumed that:
- The server was configured according to my CentOS 8 guide. Although that guide is for CentOS 8, it works for Fedora with a couple of minor caveats, which I list in the comments.
- The FQDN of the server resolves to the IP address that will be used for domain services.
Prepare for DC Provisioning
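# install and enable samba ad dc
sudo dnf -yq install samba samba-dc samba-dc-bind-dlz krb5-workstation
sudo systemctl enable samba
sudo systemctl enable named
### FEDORA 31
# update samba to testing branch
# this will not be necessary after this bug fix is merged to stable
# https://bugzilla.redhat.com/show_bug.cgi?id=1757071#c25
# sudo dnf -yq update samba samba-dc samba-dc-bind-dlz --enablerepo updates-testing
# update selinux policy for use of `samba-tool`
sudo setsebool -P domain_can_mmap_files 1
# configure network
# resolve this machine's IPv4 address from DNS (assumes the FQDN already resolves);
# only the "has address" line is used so an error message from `host` cannot
# end up in the variable
AD_IP="$(host -4 -t A "$(hostname -f)" | awk '/has address/ { print $NF; exit }')"
: "${AD_IP:?FQDN does not resolve to an IPv4 address}"
# pick the device that carries that address. -F keeps the dots in the address
# from acting as regex wildcards, and the trailing "/" stops 10.0.0.1 from
# matching 10.0.0.10
AD_IF="$(nmcli -g GENERAL.DEVICE,IP4.ADDRESS d show | grep -F -B 1 -- "${AD_IP}/" | head -n 1)"
: "${AD_IF:?no device holds ${AD_IP}}"
# keep the prefix length the interface already has (first address only);
# falls back to /24 if it cannot be read
AD_PREFIX="$(nmcli -g IP4.ADDRESS d show "${AD_IF}" | awk -F '[/ ]' 'NR == 1 { print $2 }')"
# convert dhcp to static (if necessary); the gateway is read per device rather
# than from the routing table so a second default route cannot confuse it
sudo nmcli con mod "${AD_IF}" \
  ip4 "${AD_IP}/${AD_PREFIX:-24}" \
  gw4 "$(nmcli -g IP4.GATEWAY d show "${AD_IF}")" \
  ipv4.method "manual"
# change dns entries for this machine to become a dc
# provision will fail if the fqdn is already resolving
sudo nmcli con mod "${AD_IF}" ipv4.dns "${AD_IP}"
# restart interface (an SSH session over this interface may drop briefly)
sudo nmcli con down "${AD_IF}" ; sudo nmcli con up "${AD_IF}"
unset AD_IP AD_PREFIX
# archive smb.conf
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.default~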
Provision the DC
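# generate a random password for Administrator: 23-39 random bytes, base64-encoded
ADMIN_PW="$(openssl rand -base64 $(( RANDOM % 17 + 23 )))"
# provision
# realm, domain and site are derived from the host's DNS domain. The tr classes
# are quoted so the shell cannot expand [a-z]/[A-Z] as globs against files in
# the current directory.
# NOTE: --adminpass puts the password on samba-tool's argv, so it is visible to
# other local users via `ps` while provisioning runs.
sudo samba-tool domain provision \
  --realm="$(hostname -d | tr '[:lower:]' '[:upper:]')" \
  --domain="$(hostname -d | cut -d '.' -f 1 | tr '[:lower:]' '[:upper:]')" \
  --server-role=dc \
  --dns-backend=BIND9_DLZ \
  --site="$(hostname -d | cut -d '.' -f 2 | tr '[:lower:]' '[:upper:]')" \
  --use-rfc2307 \
  --adminpass="${ADMIN_PW}" #\
# --option="interfaces=lo ${AD_IF}" \
# --option="bind interfaces only=yes" \
# https://bugzilla.redhat.com/show_bug.cgi?id=1768656
# print admin password
printf '%s\n' "Administrator's password is: ${ADMIN_PW}"
unset ADMIN_PW
# install kerberos config
sudo install -m 644 /var/lib/samba/private/krb5.conf /etc/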
Configure DNS
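# configure `bind`
sudo cp -a /etc/named.conf /etc/named.conf.default~
# fix permissions
sudo chmod 644 /etc/samba/smb.conf
sudo chgrp named /var/lib/samba/
sudo chgrp named /var/lib/samba/bind-dns/named.conf
# the DC's address (with prefix length) and gateway, read from the connection;
# only the first address is used if the connection has several
AD_LISTEN="$(nmcli -g IP4.ADDRESS c s "${AD_IF}" | awk 'NR == 1 { print $1 }')"
AD_GW="$(nmcli -g IP4.GATEWAY c s "${AD_IF}")"
# listen on loopback and the DC's address. "|" is used as the sed delimiter so
# the "/" in the prefix needs no escaping. "listen-on " (with the space) does
# not match the listen-on-v6 line.
sudo sed -i -E "s|^([[:space:]]*listen-on ).*|\1port 53 { 127.0.0.1; ${AD_LISTEN}; };|" /etc/named.conf
# answer queries from loopback and the RFC 1918 ranges only, forward everything
# else to the gateway, and point bind at the keytab Samba uses for signed
# dynamic updates. GNU sed turns "\n" in the replacement into the line breaks
# between the three directives; \1 keeps the original indentation on each.
sudo sed -i -E "s|^([[:space:]]*)(allow-query[[:space:]]*).*|\1\2{ 127.0.0.1; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };\n\1forwarders { ${AD_GW}; };\n\1tkey-gssapi-keytab \"/var/lib/samba/bind-dns/dns.keytab\";|" /etc/named.conf
unset AD_LISTEN AD_GW
# include Samba's zone config, but only once so re-running this block does not
# duplicate the line (named refuses to start on a duplicate include)
if ! sudo grep -qF -- '/var/lib/samba/bind-dns/named.conf' /etc/named.conf; then
  echo 'include "/var/lib/samba/bind-dns/named.conf";' | sudo tee -a /etc/named.conf >/dev/null
fi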
Start and Configure Samba
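# start samba
sudo systemctl start samba
sudo systemctl start named
# authenticate (kinit prompts for the Administrator password from the provision step)
kinit Administrator
# add missing service records
# the site name is the second label of the domain, upper-cased, matching the
# --site given at provision time; tr classes are quoted so they are not globbed
AD_SITE="$(hostname -d | cut -d '.' -f 2 | tr '[:lower:]' '[:upper:]')"
samba-tool dns add 127.0.0.1 "_msdcs.$(hostname -d)" _kerberos._udp.dc SRV "$(hostname -f) 88 0 100"
samba-tool dns add 127.0.0.1 "_msdcs.$(hostname -d)" "_kerberos._udp.${AD_SITE}._sites.dc" SRV "$(hostname -f) 88 0 100"
# configure password policy
# max-pwd-age=0 means passwords never expire; min-pwd-age=0 allows an
# immediate change after a reset
sudo samba-tool domain passwordsettings set \
  --min-pwd-age=0 \
  --max-pwd-age=0 \
  --min-pwd-length=10
# configure firewall
# ask firewalld directly for the interface's zone instead of grepping the zone
# listing, where the interface name could also match a longer name
ZONE="$(sudo firewall-cmd --get-zone-of-interface="${AD_IF}")"
# https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
sudo firewall-cmd --zone="${ZONE}" --add-service={dns,kerberos,kpasswd,ldap,ldaps,samba} --permanent
sudo firewall-cmd --zone="${ZONE}" --add-port={135/tcp,137-138/udp,139/tcp,3268-3269/tcp,49152-65535/tcp} --permanent
sudo firewall-cmd --reload
### FEDORA 31
# `/etc/issue` gets messed up at some point in this process, so we need to reset it
# echo "
# WARNING: Unauthorized access to this information system will be prosecuted to the fullest extent of the law.
# " | sudo tee /etc/issue >/dev/null
# clean up
unset AD_IF AD_SITE ZONE
history -c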
Make Yourself a Domain Admin
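# the account to create; fill this in before running the rest of the block
DOMADM= #your.name
# refuse to continue with an empty name rather than creating a user called ""
: "${DOMADM:?set DOMADM to the account name first}"
sudo samba-tool user create "${DOMADM}"
# type your password
# addmembers takes the group and then the member(s) to add
sudo samba-tool group addmembers "Domain Admins" "${DOMADM}"
unset DOMADM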