For When You Can't Have The Real Thing
[ start | index | login ]
start > Fedora > Server > 30 > Samba AD Controller Notes

Samba AD Controller Notes

Created by dave. Last edited by dave, 13 days ago. Viewed 31 times. #4
[diff] [history] [edit] [rdf]
labels
attachments
(2019-11-25)

Backplot

At a new customer site, I inherited a Active Domain that was hosted on a Samba. The previous admin made some sketchy choices by picking a CentOS 7 platform for some third-party RPMs (becaues CentOS doesn't ship an AD-capable samba; the samba-dc package is basically a README that says "because of the kerberos choice of Red Hat, samba can't be built as a DC".)

This installation had some problems in that the previous admin could not get replication working properly. Also the version of Samba he'd been stuck with from this 3rd party repository predated working AD backup tools.

And.

For compatibility-with-dhcpd reasons, he'd chosen to use bind as the DNS back-end instead of the built-in Samba. So while all of his dhcp clients could self-register in DNS, AD couldn't add the required records automatically meaning that they all had to be determined and added manually.

For one last kick in the nuts, said 3rd-party repository had vanished by the time I got on the scene, meaning that there was no way to rebuild this thing if it failed.

IN MY, AND ONLY MY, OPINION, there's no way this was ready for a production environment. I presume that using the correct combination of libraries and OS platforms (which seems to mean "anything that isn't Red Hat family") the replication pieces would work properly; but the absence of a working backup tool should have been a deal breaker.

Choices I made

Right now my "master" server is running a version of 4.1.6 from the 3rd-party repository. I tried several times to copy the databases into another samba installation as a disaster recovery proof-of-concept; this never worked. The previous admin hadn't kept the RPMs used to do the installation either. Finally, the installation was running directly on metal, which made the prospect of a restore rather iffy.

To deal with this situation I made the choice to continue in the Red Hat family; however, I used Fedora Server 30 as the OS base. This OS does have a working samba-dc RPM (at install time, it was 2:4.10.10-0.fc30) due to a lot of hairy work by some volunteers. It obviously isn't considered "production" ready since RHEL has not adopted the work; but it will be good enough for our purposes. The downside of this choice is that to keep up to date, the version of Fedora is going to have to churn.

The second choice I made was to run this as a VM on a VMware ESXi server. This would let me prototype more quickly; it would also let me snapshot save points prior to OS upgrades so that I could revert quickly should something terrible happen.

The actual configuration of the DC is straight forward -- I followed >>the wiki instructions, with the following notes:

  • make sure Kerberos is working before you proceed
  • pay attention to the --use-rfc2307 settings; they are important
  • I had to manually add the required DNS entries; fortunately the previous admin had left the nsupdate scripts used on previous attempts, these scripts formed the basis of what you see below. This was an iterative process, especially when it came to the object-GUID CNAME entry.
  • I set up rsync-based sysvol replication, one-way from master to replica
  • After installation, you need to create a new domain user on the new DC (I believe to deal with uninitialized rid values). You can delete this user right away. If you don't do this, backups of this DC won't work.

What follows from here

...is a collection of useful commands which may help you in various scenarios. This is not a how-to.

Some of these commands are destructive -- take preservative actions prior to playing around. VM snapshots are your friend.

Check DRS replication

# samba-tool drs showrepl

Netbios name-to-IP

nmblookup [name]

List shares

smbclient -U name -L ip_address

Kerberos

Many samba-tool commands will accept -k yes or -k as a prompt to use existing kerberos ticket

DC server object GIDs

# export LDB_MODULES_PATH=/usr/lib64/samba/ldb	
# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
  • this gives you the object GID you need for the ?._msdcs.myadzone.net CNAME, below

NS Update

# nsupdate -v -k /etc/rndc.key < update-command-file
(this file shows the required pieces for a new DC:)
update add dc-05.myadzone.net 3600 a 10.25.0.4
update add dc._msdcs.myadzone.net 3600 a 10.25.0.4
update add gc._msdcs.myadzone.net 3600 a 10.25.0.4
update add _kerberos._tcp.dc._msdcs.myadzone.net 3600 srv 0 0 88 dc-05.myadzone.net
update add _ldap._tcp.dc._msdcs.myadzone.net 3600 srv 0 0 389 dc-05.myadzone.net
update add _ldap._tcp.gc._msdcs.myadzone.net 3600 srv 0 100 3268 dc-05.myadzone.net
update add _ldap._tcp.pdc._msdcs.myadzone.net 3600 srv 0 0 389 dc-05.myadzone.net
update add _kerberos._tcp.myadzone.net 3600 srv 0 100 88 dc-05.myadzone.net
update add _kpasswd._tcp.myadzone.net 3600 srv 0 100 464 dc-05.myadzone.net
update add _ldap._tcp.myadzone.net 3600 srv 0 100 389 dc-05.myadzone.net
update add _kerberos._udp.myadzone.net 3600 srv 0 100 88 dc-05.myadzone.net
update add _kpasswd._udp.myadzone.net 3600 srv 0 100 464 dc-05.myadzone.net
update add _ldap._tcp.DomainDnsZones.myadzone.net 3600 srv 0 100 389 dc-05.myadzone.net
update add _gc._tcp.myadzone.net 3600 srv 0 100 3268 dc-05.myadzone.net
update add _gc._tcp.myadzone.net 3600 a 10.25.0.4
update add gc._tcp.myadzone.net 3600 srv 0 100 3268 dc-05.myadzone.net
update add gc._tcp.myadzone.net 3600 a 10.25.0.4
update add edceab27-788f-427b-a169-a27bfbe7f60e._msdcs.myadzone.net 3600 cname dc-05.myadzone.net.
send
quit

Samba logging

  • /var/log/samba/log*
  • look at "log level=" in /etc/samba/smb.conf -- highest is 9 and is extremely verbose

Re-join DC to existing domain (on existing)

# tdbbackup -s .bak /var/lib/samba/private/idmap.ldb	      
	# scp /var/lib/samba/private/idmap.ldb.bak dc-05:
(on new)
# samba-tool domain join MYADZONE.NET DC -U"MYADZONEmyadmin"
	# cp idmap.ldb.bak /var/lib/samba/private/idmap.ldb
	# net cache flush
	# samba-tool ntacl sysvolreset
	# systemctl restart samba

New Kerberos ticket

# kinit myadmin@myadzone.net

Samba config on new DC:

/etc/samba/smb.conf:
# Global parameters
		[global]
		        netbios name = DC-05
		        realm = MYADZONE.NET
		        server role = active directory domain controller
		        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
		        workgroup = MYADZONE
		        idmap_ldb:use rfc2307  = yes
		        log level = 3
		        ntlm auth = yes
		        ldap server require strong auth = No
		        guest account = nobody
		        wins support = yes
		        min protocol = SMB2
		        dns forwarder = 10.25.0.3 10.25.0.2

[sysvol] path = /var/lib/samba/sysvol read only = No

[netlogon] path = /var/lib/samba/sysvol/myadzone.net/scripts read only = No

[gpo_drive] comment = GPO Drive Share path = /home/samba/gpo_drive public = yes writable = yes available = yes browsable = yes guest ok = yes create mask = 0777 directory mask = 0777

List Kerberos Ticket

# klist
		Ticket cache: FILE:/tmp/krb5cc_0
		Default principal: myadmin@MYADZONE.NET

Valid starting Expires Service principal 11/21/2019 13:02:49 11/21/2019 23:02:49 krbtgt/MYADZONE.NET@MYADZONE.NET renew until 11/22/2019 13:02:44 11/21/2019 13:02:52 11/21/2019 23:02:49 cifs/dc-02@MYADZONE.NET renew until 11/22/2019 13:02:44 11/21/2019 13:03:03 11/21/2019 23:02:49 cifs/dc-05@MYADZONE.NET renew until 11/22/2019 13:02:44

samba-tool logging

# samba-tool -d [0-9] ...
Turn up debug to 9 for extreme noise.

domain integrity

# samba-tool dbcheck	
# samba-tool dbcheck --cross-nc
Note:
  • items listed as NOTE: old (due to rename or delete) DN string component for lastKnownParent in object blah blah blah …are listing of objects in the deleted items folder; they don't have to be fixed. They will go away on their own in 180 days.

compare ldap databases

# samba-tool ldapcmp ldap://dc-05 ldap://dc-02 -k yes -d 0

Test ldap login

# ldbsearch -H ldap://dc-02 servicePrincipalName=ldap/DC-05.myadzone.net -Umyadmin
  • connects to dc-02 and demands a password for myadmin
  • you need to have LDB_MODULES_PATH set up -- for Fedora 30, it should be /usr/lib64/samba/ldb
  • this command will accept -k yes if you have a kerberos ticket; but that doesn't test login, it just proves the ticket you have actually works.

LDAP user list

# samba-tool user list -H ldap://dc-02

Domain backup

# samba-tool domain backup online --targetdir=/root/samba-backup/ --server=dc-05.myadzone.net -d 0
  • note: if the target (dc-05, in this case) is a newly-added DC, you need to add a temporary user before the first backup run. The backup run will not succeed until a new user account has been created on this DC. Once the user account is created, you can delete it immediately and backups should continue to work going forward.
  • this command does not appear to accept -k yes. Right now there's no easy way to automate this.
no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt