
kikinovak 11-25-2014 05:28 AM

Experimenting with Samba 4 AD DC
 
Hi,

I'm currently experimenting with Samba 4, to use it for central authentication. I'm using the following documentation:

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

According to that page, Samba has its own LDAP and Kerberos implementation.

Here's what I got so far on a sandbox Slackware server.

Interactively provision a new domain:

Code:

[root@amandine:~] # samba-tool domain provision --use-rfc2307 --interactive
Realm [MICROLINUX.LAN]:
 Domain [MICROLINUX]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.2.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=microlinux,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=microlinux,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /etc/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:          active directory domain controller
Hostname:              amandine
NetBIOS Domain:        MICROLINUX
DNS Domain:            microlinux.lan
DOMAIN SID:            S-1-5-21-1598316374-2034909463-922794607

Start Samba in standard mode:

Code:

[root@amandine:~] # samba

Check if Samba provides the default shares:

Code:

[root@amandine:~] # smbclient -L localhost -U%
Domain=[MICROLINUX] OS=[Unix] Server=[Samba 4.1.11]

        Sharename      Type      Comment
        ---------      ----      -------
        netlogon        Disk     
        sysvol          Disk     
        IPC$            IPC      IPC Service (Samba 4.1.11)
Domain=[MICROLINUX] OS=[Unix] Server=[Samba 4.1.11]

        Server              Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

Test if authentication is working:

Code:

[root@amandine:~] # smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[MICROLINUX] OS=[Unix] Server=[Samba 4.1.11]
  .                                  D        0  Tue Nov 25 10:48:36 2014
  ..                                  D        0  Tue Nov 25 10:48:48 2014

                36475 blocks of size 2097152. 31931 blocks available

Now I'm stuck at testing Kerberos. I created a symlink as suggested:

Code:

[root@amandine:~] # ls -l /etc/krb5.conf
lrwxrwxrwx 1 root root 28 nov.  25 12:12 /etc/krb5.conf -> /etc/samba/private/krb5.conf

Now the documentation suggests to use 'kinit' to obtain a Kerberos ticket. The problem is:

Code:

[root@amandine:~] # which kinit
which: no kinit in (/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/games:/usr/lib64/qt/bin:/usr/share/texmf/bin)

Now what?

Side note: I've been using Samba 3.x in more or less simple setups for quite some time. But the new functionalities of Samba 4 like integrated LDAP and Kerberos are completely new to me, and I discover this while I try to make sense of the documentation.

Cheers,

Niki

55020 11-25-2014 06:06 AM

kinit is in the krb5 package from SBo (/usr/kerberos/bin/kinit) but that's the end of my knowledge :(

ponce 11-25-2014 06:09 AM

I think you don't strictly need a local kerberos client: you can also join the domain with a windows machine (or any linux machine like, for example, debian/ubuntu with kerberos stuff installed) and try to obtain a kerberos ticket from there.

but if you want to build one you can do it: look at krb5 or heimdal (samba4 kerberos implementation is based on this latter one).

P.S. oops, David beat me! ;)
P.P.S. for best results, be sure the time of the server is in sync with the clients.
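A small post-provision sanity check that pulls together the first post's checks (the DC must export netlogon and sysvol, a kinit must be reachable) with the two caveats raised in the replies (kinit may live in /usr/kerberos/bin from the SBo krb5 package, and Kerberos only tolerates a few minutes of clock skew). This is an added example, not code from the thread or the Samba wiki; the smbclient output is a constructed sample copied from the listing above, and any extra kinit directories passed to find_kinit are hypothetical.

```shell
#!/bin/sh
# Sanity checks for a freshly provisioned Samba 4 AD DC (added example).

# Constructed sample of `smbclient -L localhost -U%` output, so the share
# check can run offline; on a real DC pipe the live command output instead.
SAMPLE_SHARES='Domain=[MICROLINUX] OS=[Unix] Server=[Samba 4.1.11]

        Sharename      Type      Comment
        ---------      ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC      IPC Service (Samba 4.1.11)
'

# check_dc_shares: reads smbclient -L output on stdin and succeeds only if
# both shares a domain controller must publish (netlogon, sysvol) are Disk
# shares; a DC missing either will not serve logon scripts or group policy.
check_dc_shares() {
    awk '
        $2 == "Disk" && $1 == "netlogon" { n = 1 }
        $2 == "Disk" && $1 == "sysvol"   { s = 1 }
        END { exit !(n && s) }
    '
}

# find_kinit: prints the path of a usable kinit. Searches $PATH first, then
# the SBo krb5 location named in the thread, then any directories given as
# arguments (hypothetical extras). Returns 1 if no executable is found.
find_kinit() {
    p=$(command -v kinit 2>/dev/null) && { echo "$p"; return 0; }
    for d in /usr/kerberos/bin "$@"; do
        if [ -x "$d/kinit" ]; then echo "$d/kinit"; return 0; fi
    done
    return 1
}

# check_clock_skew KDC_EPOCH CLIENT_EPOCH [LIMIT]: Kerberos rejects requests
# whose timestamp differs from the KDC's by more than the allowed skew
# (300 s by default in both MIT krb5 and Heimdal), so an unsynced client
# fails authentication with a confusing error. Succeeds if within the limit.
check_clock_skew() {
    diff=$(( $1 - $2 )); limit=${3:-300}
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "$limit" ]
}
```

On the live server, replace the sample with `smbclient -L localhost -U% | check_dc_shares` and compare `date +%s` on the DC against a client's value with check_clock_skew.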

55020 11-25-2014 06:22 AM

Ok Matteo, but quality takes more time, and I might need this stuff soon, so thanks to you and Niki for the discussion -- heimdal looks good.

bassplayer69 11-25-2014 06:54 AM

I haven't tried this myself, but would this help?

https://www.archlinux.org/packages/extra/i686/kinit/

You can access the sources and build your own packages for either x86 or x86_64.

kikinovak 11-25-2014 07:43 AM

As far as I can tell, the next logical step would be to do a bit of RTFM on Kerberos, since I know nothing at all about this subject. Any good docs to recommend? Caveats?

ponce 11-25-2014 10:01 AM

http://www.h5l.org/manual/heimdal-1-.../info/heimdal/

also, suggested on the heimdal homepage

http://shop.oreilly.com/product/9780596004033.do

kikinovak 11-26-2014 02:04 AM

The Samba 4 documentation is a bit of a treasure hunt. There's a fairly incomplete wiki on the official Samba site, and then some bits of information scattered all over the Internet. Right now I guess I have two more general questions.

1. At the moment I'm using the NFS/NIS couple for setting up central authentication and roaming user profiles in networks with a Slackware server and 100 % Slackware client desktops. I've been using this solution since around 2010 in several networks here. It's robust and never gives me any trouble, though it's not exactly "industrial grade". Can I do the same thing with Samba 4?

2. The main reason I'm investigating Samba 4 is the possibility of setting up central authentication and roaming user profiles for mixed networks, e. g. networks composed of Slackware desktop clients and Windows 7 clients. Again, I wonder if this is possible (without jumping through burning loops).

Are there any good books (paper) on this subject? I wonder how it comes that such a central piece of software is so poorly documented.

ml4711 11-26-2014 02:34 AM

From Samba Wiki !

Quote:

The easiest way to administrate a Samba Domain and Active Directory is using Microsoft's RSAT
https://wiki.samba.org/index.php/Ins..._AD_Management

Enjoy

ponce 11-26-2014 02:36 AM

Quote:

Originally Posted by kikinovak (Post 5275214)
The Samba 4 documentation is a bit of a treasure hunt. There's a fairly incomplete wiki on the official Samba site, and then some bits of information scattered all over the Internet. Right now I guess I have two more general questions.

1. At the moment I'm using the NFS/NIS couple for setting up central authentication and roaming user profiles in networks with a Slackware server and 100 % Slackware client desktops. I've been using this solution since around 2010 in several networks here. It's robust and never gives me any trouble, though it's not exactly "industrial grade". Can I do the same thing with Samba 4?

2. The main reason I'm investigating Samba 4 is the possibility of setting up central authentication and roaming user profiles for mixed networks, e. g. networks composed of Slackware desktop clients and Windows 7 clients. Again, I wonder if this is possible (without jumping through burning loops).

Samba4 seemed to work fine as an alternative to Active Directory in the tests I had done some time ago (at the time it was still at alpha14, if I remember well), but I gotta say that I never used it in production (but I'm planning to do it in the near future): besides that, I think you should be ok for creating an authentication and roaming profiles infrastructure with it.
The problem you may face, as you probably already know, is that Slackware as provided with its full install is not ready for joining Active Directory domains: you need some stuff that just isn't in it (PAM, ldap, kerberos, etc.) and maintaining it outside of the tree can be done but may also be painful.
IMHO, either you got lot of time to dedicate to it (but from what I read in some of your previous posts, you don't), or the only viable solution is to switch to another kind of linux clients to use with AD.

Quote:

Are there any good books (paper) on this subject? I wonder how it comes that such a central piece of software is so poorly documented.
maybe because it's not widely used yet (it's still young): in the meantime I personally refer to the wiki.

ivandi 11-26-2014 07:29 PM

Quote:

Originally Posted by kikinovak (Post 5275214)
Again, I wonder if this is possible (without jumping through burning loops).

It's a joke, isn't it. ;)

You can't expect an OS that hasn't changed since about 1994 to simply work in a modern environment.

I admire your enthusiasm in deploying Slackware commercially but something tells me that once you have to setup an industrial grade network with several hundred users on several locations you'll face a tough choice: Abandon Slackware or fork it.

The Slackware upstream doesn't seem to care about your user case anyway.

Cheers

ponce 11-26-2014 11:53 PM

Quote:

Originally Posted by ivandi (Post 5275680)
The Slackware upstream doesn't seem to care about your user case anyway.

sorry but a personal consideration comes to mind: why should a single person, dedicated to developing a whole distribution alone, support, along with all the others, enterprise needs free of charge?

Quote:

Originally Posted by ponce (Post 5275231)
IMHO, either you got lot of time to dedicate to it (but from what I read in some of your previous posts, you don't), or the only viable solution is to switch to another kind of linux clients to use with AD.

ah, thinking about above, I forgot an alternative: you pay someone who adds, maintains and supports the needed stuff for you.

kikinovak 11-27-2014 12:41 AM

Quote:

Originally Posted by ivandi (Post 5275680)
You can't expect an OS that hasn't changed since about 1994 to simply work in a modern environment.

I admire your enthusiasm in deploying Slackware commercially but something tells me that once you have to setup an industrial grade network with several hundred users on several locations you'll face a tough choice: Abandon Slackware or fork it.

My appreciation of Slackware comes close to Winston Churchill's definition of democracy. I'd say that Slackware is indeed the worst Linux distribution... except for all the others.

I like the definition the Slackware maintainer himself gives of his distribution, in another thread in this forum: "Slackware is [...] intended to be Linux for anyone that appreciates the traditional UNIX-like ways of doing things, isn't afraid of the command line, wants the supplied packages to be as unmodified as possible, and likes to be able to expand the system through source code without tossing a wrench into the package manager."

As far as I'm concerned, there's only one thing dearly missing: PAM. Currently I'm burying my nose in the LFS/BLFS documentation to learn about this animal. All the other things (Postfix, Dovecot, ...) I can easily add.

So yes, Slackware is some sort of lesser evil to me, which I've actually grown quite fond of, even if some things make me want to pull my hair out.

Edit: let's take a short look at the alternatives.

1. CentOS. Starting with 7.0 it only comes in 64-bit, which is a showstopper, since I have to deal with a lot of existing 32-bit hardware. I loved CentOS 5.x though and used it almost exclusively for a few years.

2. Debian. This would be my second choice, and I know it very well. What I don't like about Debian is its support cycle (too short) and its Taliban-like community here in France.

3. openSUSE. I actually like openSUSE on the desktop. Unfortunately they cut down the support cycle to 18 months, and I don't know what to think of the Evergreen project. Plus, it's not very good on old hardware.

4. Ubuntu. The LTS releases are OK as far as support time is concerned, but I've recently been bitten by Ubuntu. Too many bugs under the hood, too many unexplainable weird dysfunctions. No sense for the fine details.

5. Gentoo. I like Gentoo, I even used it for some time back in 2002 when it was an adventure. But you can only really use it on powerful hardware, otherwise you go insane.

6. FreeBSD. I'd love to use it, but it supports less hardware than Linux, which is a showstopper for me.

Conclusion: Slackware it is.

ivandi 11-27-2014 06:08 AM

Light up the loops :D

Cheers

ivandi 11-27-2014 06:15 AM

Quote:

Originally Posted by ponce (Post 5275753)
sorry but a personal consideration comes to mind: why should a single person, dedicated to developing a whole distribution alone, should support, along with all the others, enterprise needs free of charge?

Why free of charge ?!?

Slackware is a company. The distribution is not community driven.

Cheers
