We will be setting up a CentOS Server as Domain Controller using Samba4 and then using a Windows client to authenticate against it.

This is an alternative to Microsoft's Active Directory.

In the following setup I will refer to the Domain Controller we will be setting up as the DC. Below is the rest of the referenced information:

Host: dc

IP: 192.168.1.2

Domain: lan.bekkers.co.za

DNS Forwarder: 192.168.1.1

Dependencies:

$ yum update -y
$ rpm -Uvh ftp://195.220.108.108/linux/dag/redhat/el6/en/x86_64/dag/RPMS/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
$ yum install glibc glibc-devel gcc libacl-devel krb5-workstation krb5-libs pam_krb5 python-devel gnutls gnutls-devel -y
$ rpm -qa | grep -i samba
$ yum install git-core -y
$ cd /opt/; git clone git://git.samba.org/samba.git samba-master
$ reboot

Setup Samba4:

$ cd /opt/samba-master/
$ ./configure --enable-debug --enable-selftest
$ make
$ make install

Provision the domain:

$ /usr/local/samba/bin/samba-tool domain provision

Output:

Realm [LAN.BEKKERS.CO.ZA]:
Domain [LAN]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=lan,DC=bekkers,DC=co,DC=za
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=lan,DC=bekkers,DC=co,DC=za
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              dc
NetBIOS Domain:        LAN
DNS Domain:            lan.bekkers.co.za
DOMAIN SID:            S-1-5-21-172256615-2240083043-11205357

Reboot the server:

$ reboot

Start Samba and add to startup:

Start the DC:

$ /usr/local/samba/sbin/samba

Start it automatically on boot by appending it to rc.local:

$ echo '/usr/local/samba/sbin/samba' >> /etc/rc.d/rc.local

Verify versions:

$ /usr/local/samba/sbin/samba -V
Version 4.5.0pre1-GIT-937d60f
$ /usr/local/samba/bin/smbclient --version
Version 4.5.0pre1-GIT-937d60f

List shares:

$ /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[LAN] OS=[Windows 6.1] Server=[Samba 4.5.0pre1-GIT-937d60f]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.5.0pre1-GIT-937d60f)
Domain=[LAN] OS=[Windows 6.1] Server=[Samba 4.5.0pre1-GIT-937d60f]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

Verify smb.conf:

$ cat /usr/local/samba/etc/smb.conf

Output:

# Global parameters
[global]
        netbios name = DC
        realm = LAN.BEKKERS.CO.ZA
        workgroup = LAN
        dns forwarder = 192.168.1.1
        server role = active directory domain controller

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/lan.bekkers.co.za/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
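Eyeballing smb.conf is fine once, but a DC that is rebuilt or edited later deserves a repeatable check. The shell functions below are an added example, not part of the original guide or of Samba itself: smb_get pulls one key out of one [section] of an smb.conf, and audit_smb_conf confirms the settings this guide relies on (the AD DC server role, an upper-case realm, a DNS forwarder, and the netlogon and sysvol shares). The sample file it writes is constructed from the config shown above; the function names and the choice of checks are mine.

```shell
# Added example (not from the original guide or from Samba): audit an smb.conf
# for the settings an AD DC needs. Assumes the usual "key = value" layout.

# Print the value of $3 inside section [$2] of smb.conf $1 (case-insensitive keys).
smb_get() {
  awk -v sec="$2" -v key="$3" '
    /^[[:space:]]*[#;]/ { next }                       # skip comment lines
    /^[[:space:]]*\[.*\][[:space:]]*$/ {               # section header
      s = $0
      sub(/^[[:space:]]*\[/, "", s)
      sub(/\][[:space:]]*$/, "", s)
      insec = (tolower(s) == tolower(sec))
      next
    }
    insec && index($0, "=") > 0 {
      n = index($0, "=")
      k = substr($0, 1, n - 1)
      v = substr($0, n + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (tolower(k) == tolower(key)) { print v; exit }
    }' "$1"
}

# Return 0 when the config looks like a provisioned AD DC, 1 otherwise.
audit_smb_conf() {
  conf="$1"; rc=0
  role=$(smb_get "$conf" global "server role")
  case "$role" in
    "active directory domain controller") ;;
    *) echo "FAIL: server role is '$role', expected an AD DC"; rc=1 ;;
  esac
  realm=$(smb_get "$conf" global realm)
  if [ -z "$realm" ] || [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
    echo "FAIL: realm must be set and upper-case (got '$realm')"; rc=1
  fi
  [ -n "$(smb_get "$conf" global "dns forwarder")" ] || \
    echo "WARN: no dns forwarder; names outside the domain will not resolve via the DC"
  for share in netlogon sysvol; do
    [ -n "$(smb_get "$conf" "$share" path)" ] || { echo "FAIL: [$share] share missing"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: $conf has the settings of an AD DC"
  return "$rc"
}

# Constructed sample, copied from the smb.conf shown in this guide.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Global parameters
[global]
        netbios name = DC
        realm = LAN.BEKKERS.CO.ZA
        workgroup = LAN
        dns forwarder = 192.168.1.1
        server role = active directory domain controller

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/lan.bekkers.co.za/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
EOF

audit_smb_conf "$SAMPLE"
# On the real DC: audit_smb_conf /usr/local/samba/etc/smb.conf
```

Because the parser honours sections, the same smb_get call can be reused for any other key you later care about, for example `smb_get /usr/local/samba/etc/smb.conf global "server role"` in a cron-driven health check.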

Network/DNS Configuration

Edit /etc/resolv.conf so that the search domain and nameserver point at our DC:

domain lan.bekkers.co.za
nameserver 192.168.1.2

For a static network configuration, edit /etc/sysconfig/network-scripts/ifcfg-eth0; below is an example:

DEVICE="eth0"
BOOTPROTO="none"
DEFROUTE="yes"
DNS1="192.168.1.2"
GATEWAY="192.168.1.1"
HWADDR="86:C4:C1:0D:29:AD"
IPADDR="192.168.1.2"
IPV4_FAILURE_FATAL="yes"
IPV6INIT="no"
NAME="System eth0"
NM_CONTROLLED="yes"
ONBOOT="yes"
PREFIX="24"
TYPE="Ethernet"

Then reboot:

$ reboot

Testing DNS:

$ host -t SRV _ldap._tcp.lan.bekkers.co.za
_ldap._tcp.lan.bekkers.co.za has SRV record 0 100 389 dc.lan.bekkers.co.za.

$ host -t SRV _kerberos._udp.lan.bekkers.co.za
_kerberos._udp.lan.bekkers.co.za has SRV record 0 100 88 dc.lan.bekkers.co.za.

$ host -t A dc.lan.bekkers.co.za
dc.lan.bekkers.co.za has address 192.168.1.2

Firewall Changes:

For the sake of this guide, I will be disabling the firewall:

$ service iptables stop
$ chkconfig iptables off

Kerberos Configuration:

$ mv /etc/krb5.conf /etc/krb.old
$ cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
$ vi /etc/krb5.conf

[libdefaults]
        default_realm = LAN.BEKKERS.CO.ZA
        dns_lookup_realm = false
        dns_lookup_kdc = true

Test Kerberos:

$ kinit administrator@LAN.BEKKERS.CO.ZA
Password for administrator@LAN.BEKKERS.CO.ZA:
Warning: Your password will expire in 41 days on Sat Apr 16 20:23:38 2016

Verify that a ticket was received:

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LAN.BEKKERS.CO.ZA

Valid starting     Expires            Service principal
03/05/16 20:36:13  03/06/16 06:36:13  krbtgt/LAN.BEKKERS.CO.ZA@LAN.BEKKERS.CO.ZA
        renew until 03/06/16 20:36:10

NTP:

$ yum install ntp -y
$ /etc/init.d/ntpd start
$ chkconfig ntpd on

From the Windows host/client, set the clock to sync with our server and then join the Windows host to the domain.

Samba Domain Controller Usage:

Creating users:

$ cd /usr/local/samba/sbin/
$ ./samba-tool user add john
New Password:
Retype Password:
User 'john' created successfully

Verify Users:

$ ./wbinfo --name-to-sid john
S-1-5-21-172256615-2240083043-11205357-1104 SID_USER (1)
$ ./wbinfo --sid-to-uid S-1-5-21-172256615-2240083043-11205357-1104
3000019

Listing Users:

$ ./wbinfo -u
LAN\administrator
LAN\krbtgt

Listing Groups:

$ ./wbinfo -g
enterprise admins
domain computers

Samba Password Policies:

$ samba-tool domain passwordsettings set --complexity=off
$ samba-tool domain passwordsettings set --min-pwd-age=0
$ samba-tool domain passwordsettings set --max-pwd-age=0
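The three commands above relax the domain policy: no complexity rules, and a minimum and maximum age of 0, so passwords never expire. That is convenient for a lab, but it is worth being able to tell at a glance whether a DC is still running in that state. The functions below are an added example, not part of this guide or of Samba: pw_get reads one setting out of the output of `samba-tool domain passwordsettings show` (saved to a file, since that command only exists on the DC) and audit_pwd_policy compares the result with a baseline. The baseline values (complexity on, length of at least 8, an expiry, a lockout threshold) and the sample output layout are my assumptions, and both sample files are constructed rather than captured.

```shell
# Added example (not from the original guide or from Samba): audit the domain
# password policy. Input is the text printed by
#   samba-tool domain passwordsettings show > /tmp/pwpolicy.txt
# Assumption: that output is "Label: value" lines, as sketched in the samples below.

# Print the value for label $2 from policy file $1.
pw_get() {
  awk -F': ' -v label="$2" 'index($0, label ":") == 1 { print $2; exit }' "$1"
}

# Return 0 when the policy meets the baseline, 1 when any setting falls below it.
audit_pwd_policy() {
  f="$1"; rc=0
  [ "$(pw_get "$f" "Password complexity")" = "on" ] || \
    { echo "FAIL: password complexity is off"; rc=1; }
  minlen=$(pw_get "$f" "Minimum password length")
  [ "${minlen:-0}" -ge 8 ] || \
    { echo "FAIL: minimum password length ${minlen:-unset} is below 8"; rc=1; }
  maxage=$(pw_get "$f" "Maximum password age (days)")
  [ "${maxage:-0}" -gt 0 ] || \
    { echo "FAIL: maximum password age is 0, passwords never expire"; rc=1; }
  thresh=$(pw_get "$f" "Account lockout threshold (attempts)")
  [ "${thresh:-0}" -gt 0 ] || \
    { echo "FAIL: account lockout threshold is 0, no lockout on repeated failures"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: password policy meets the baseline"
  return "$rc"
}

# Constructed sample: what the policy would look like after the three "set" commands above.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
Password informations for domain 'DC=lan,DC=bekkers,DC=co,DC=za'

Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF

# Constructed sample: a policy that clears the baseline.
STRONG=$(mktemp)
cat > "$STRONG" <<'EOF'
Password informations for domain 'DC=lan,DC=bekkers,DC=co,DC=za'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 12
Minimum password age (days): 1
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 5
Reset account lockout after (mins): 30
EOF

echo "== lab policy =="; audit_pwd_policy "$WEAK"
echo "== hardened policy =="; audit_pwd_policy "$STRONG"
```

The settings the audit flags are the same ones samba-tool sets with --complexity, --min-pwd-length, --max-pwd-age and --account-lockout-threshold, so the FAIL lines map directly onto the commands needed to tighten the domain again once the lab phase is over.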

Verify all processes are running:

To verify that all processes are running, try running the following:

$ ps axf | egrep "samba|smbd|nmbd|winbindd"
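The egrep pipeline above shows you the process tree, but it has two weaknesses as a check: its own command line contains "samba", so the grep process matches itself, and it cannot tell you which expected daemon is missing. The function below is an added example, not part of this guide or of Samba: it reads bare command names on stdin, as printed by `ps -eo comm=`, and returns non-zero naming each missing daemon. It assumes that in AD DC mode the samba process spawns smbd and winbindd and that nmbd is not started (so nmbd is not required); the sample process list is constructed, not captured from a real host.

```shell
# Added example (not from the original guide or from Samba): check that the
# daemons an AD DC needs are present. Usage on the DC:
#   ps -eo comm= | check_dc_daemons
# Assumption: the AD DC "samba" process starts smbd and winbindd as children;
# nmbd is not part of AD DC mode, so it is not required here.

check_dc_daemons() {
  procs=$(cat)            # one command name per line, from ps -eo comm=
  missing=""
  for d in samba smbd winbindd; do
    # -x: whole-line match, so "samba" does not match "samba-tool" or a grep argv
    if ! printf '%s\n' "$procs" | grep -qx "$d"; then
      missing="$missing $d"
    fi
  done
  if [ -n "$missing" ]; then
    echo "MISSING:$missing"
    return 1
  fi
  echo "OK: samba, smbd and winbindd are running"
}

# Constructed sample of `ps -eo comm=` output from a healthy DC (the samba
# parent plus its forked task processes, smbd, winbindd and unrelated daemons).
SAMPLE_PS='init
sshd
samba
samba
samba
smbd
winbindd
ntpd'

printf '%s\n' "$SAMPLE_PS" | check_dc_daemons
```

Because it returns an exit status rather than a screen of output, the function drops straight into a cron job or a monitoring probe; a missing winbindd, for example, reports "MISSING: winbindd" and exits 1.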
