Setting up a samba-ad-dc
Revision as of 13:18, 25 October 2017
Notes
Active Directory Naming
In all examples below, replace EXAMPLE with your NetBIOS domain name in caps, example.com with your DNS domain name, HOSTNAME with your system's host name in caps, and hostname with your system's host name.
Refer to the Active Directory naming FAQ before choosing your domain name.
MS-SNTP signing support
AD domain time sync requires MS-SNTP signing support, so check whether the NTP server you choose to deploy supports it.
Some of the NTP server versions available in the Alpine repositories (chrony, openntpd, busybox) do not currently support it. This will cause time sync issues for the domain, so be forewarned.
NTP implementations which do support MS-SNTP signing:
- chrony (version >= 3.2; see the applicable v3.2 commit)
- The ntp.org ntpd server
- Windows
Installation
Install packages:
apk add samba-dc krb5
Edit hosts file
You need to modify your /etc/hosts file to look similar to this.
127.0.0.1 localhost.localdomain localhost
10.1.1.10 hostname.example.com hostname
Create smb.conf
Alpine doesn't ship an example configuration file in the package, so you'll need to create one at /etc/samba/smb.conf.
[global]
    server role = domain controller
    workgroup = EXAMPLE
    realm = example.com
    netbios name = HOSTNAME
    passdb backend = samba4
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/example.com/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
Provision your Samba domain
Answer the questions with your domain information:
samba-tool domain provision --use-rfc2307 --interactive
Use the SAMBA_INTERNAL DNS option. When asked for a forwarder IP, enter your upstream internet DNS server; your ISP's resolver or a public service (like Google) will do.
Configure resolv.conf
Modify your /etc/resolv.conf to include your new domain as a search domain and to list the DC's own IP address as the first nameserver.
search example.com
nameserver 10.1.1.10
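A pre-flight check over the three files written above (hosts, smb.conf and resolv.conf), as an added example that is not part of the wiki page: it verifies that the DC's FQDN is on its LAN address line and not on the loopback line, that the resolver points at the DC first, and that the smb.conf realm matches the DNS domain. The function names and the constructed sample files are the example's own; point the checks at the real /etc paths on the host.

```sh
#!/bin/sh
# Pre-flight checks for the files this how-to has you write (added example,
# not from the Alpine wiki). Each check takes a file path so it can be run
# against /etc/hosts, /etc/resolv.conf and /etc/samba/smb.conf, or samples.

# smb_param FILE NAME: print the lower-cased value of an smb.conf parameter
smb_param() {
    awk -F= -v k="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) }
        tolower($1) == k { print tolower(v); exit }' "$1"
}

# check_hosts FILE FQDN IP: the FQDN must sit on the LAN address line and never
# on a 127.x line, otherwise Samba's own DNS records end up pointing at loopback
check_hosts() {
    awk -v h="$2" -v a="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { if ($1 ~ /^127\./) bad = 1; if ($1 == a) ok = 1 } }
        END { exit !(ok && !bad) }' "$1"
}

# check_resolv FILE DOMAIN IP: first nameserver is the DC itself, search lists the domain
check_resolv() {
    [ "$(awk '$1 == "nameserver" { print $2; exit }' "$1")" = "$3" ] || return 1
    awk -v d="$2" '$1 == "search" { for (i = 2; i <= NF; i++) if ($i == d) ok = 1 } END { exit !ok }' "$1"
}

# check_smbconf FILE DOMAIN: a DC server role, and a realm equal to the DNS domain
check_smbconf() {
    case "$(smb_param "$1" "server role")" in
        "domain controller"|"active directory domain controller"|dc) ;;
        *) return 1 ;;
    esac
    [ "$(smb_param "$1" realm)" = "$(printf %s "$2" | tr 'A-Z' 'a-z')" ]
}

# Constructed sample files mirroring the how-to's values, so this runs offline
SAMPLE=$(mktemp -d)
printf '127.0.0.1 localhost.localdomain localhost\n10.1.1.10 hostname.example.com hostname\n' > "$SAMPLE/hosts"
printf '127.0.0.1 hostname.example.com hostname localhost\n10.1.1.10 hostname.example.com\n' > "$SAMPLE/hosts.bad"
printf 'search example.com\nnameserver 10.1.1.10\n' > "$SAMPLE/resolv.conf"
printf '[global]\n\tserver role = domain controller\n\tworkgroup = EXAMPLE\n\trealm = example.com\n' > "$SAMPLE/smb.conf"

for c in "check_hosts $SAMPLE/hosts hostname.example.com 10.1.1.10" \
         "check_resolv $SAMPLE/resolv.conf example.com 10.1.1.10" \
         "check_smbconf $SAMPLE/smb.conf example.com"; do
    $c && echo "OK   $c" || echo "FAIL $c"
done
```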
Configure Kerberos
Replace /etc/krb5.conf with a symlink to the one Samba generated during provisioning.
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
Install new init script
As of 3/31/2016 and Alpine 3.3.3, the included samba init script doesn't support starting Samba as a domain controller. Replace the contents of your /etc/init.d/samba script with the one below.
#!/sbin/openrc-run

extra_started_commands="reload"

# A symlink named samba.<daemon> runs that single daemon; the plain "samba"
# service picks what to run from the configured server role.
DAEMON=${SVCNAME#samba.}
SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`

if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
	# In AD DC mode the samba binary spawns smbd and winbindd itself
	daemon_list="samba"
elif [ "$DAEMON" != "samba" ]; then
	daemon_list=$DAEMON
fi

depend() {
	need net
	after firewall
}

start_samba() {
	mkdir -p /var/run/samba
	start-stop-daemon --start --quiet --exec /usr/sbin/samba --
}

stop_samba() {
	start-stop-daemon --stop --quiet --pidfile /var/run/samba/samba.pid
}

start_smbd() {
	start-stop-daemon --start --quiet --exec /usr/sbin/smbd -- \
		${smbd_options:-"-D"}
}

stop_smbd() {
	start-stop-daemon --stop --quiet --pidfile /var/run/samba/smbd.pid
}

start_nmbd() {
	start-stop-daemon --start --quiet --exec /usr/sbin/nmbd -- \
		${nmbd_options:-"-D"}
}

stop_nmbd() {
	start-stop-daemon --stop --quiet --pidfile /var/run/samba/nmbd.pid
}

start_winbindd() {
	start-stop-daemon --start --quiet --exec /usr/sbin/winbindd -- \
		$winbindd_options
}

stop_winbindd() {
	start-stop-daemon --stop --quiet --pidfile /var/run/samba/winbindd.pid
}

start() {
	for i in $daemon_list; do
		ebegin "Starting $i"
		start_$i
		eend $?
	done
}

stop() {
	for i in $daemon_list; do
		ebegin "Stopping $i"
		stop_$i
		eend $?
	done
}

reload() {
	for i in $daemon_list; do
		ebegin "Reloading $i"
		killall -HUP $i
		eend $?
	done
}
Configure the Samba service
Run this command to start the service on boot.
rc-update add samba
Run this command to start the service right now.
rc-service samba start