
Samba Active Directory with Bind DNS Backend on Ubuntu 14.04.

 
 

A Samba 4 Active Directory domain controller using Bind's dynamically loadable zones (DLZ) as its DNS backend, with dynamic DNS updates from Windows clients.

If you have an existing Bind installation and would like to switch to Samba AD, you can't use Samba's internal DNS server: both want port 53 on the same host. This tutorial describes the installation and configuration of a working Samba AD DC with a Bind DNS backend.

Start by installing Ubuntu 14.04LTS

Or have a working installation of Ubuntu 14.04LTS.

There will NOT be an Ubuntu 14.04 LTS installation tutorial...



Assumptions

PLEASE, change to suit your own needs. (These values are used throughout the tutorial; if you change one, change it everywhere it appears below.)

Username:		Administrator
Password:		P@55W0rd		# --adminpass=
Domain:			ubuntu.local
Network:
	Hostname:		adserv01		# --host-name=
	Address:		192.168.0.10
	Mask:
	Default Route:
Samba/Kerberos Parameters:
	Realm:			UBUNTU.LOCAL		# --realm=
	Server:
	Admin Server:
	NetBIOS Name:		UBUNTUDOM		# --domain=
	Server Role:		dc			# --server-role=
	DNS Backend:		BIND9_DLZ		# --dns-backend=
	Function Level:		2008_R2			# --function-level=

Added to ease cutting and pasting. Note that --adminpass leaves the Administrator password in your shell history and, while the command runs, in the process list; if that matters, leave it out and add --interactive, which prompts for the password (and the other settings) instead.

samba-tool domain provision --host-name=adserv01 --realm=UBUNTU.LOCAL --domain=UBUNTUDOM --server-role='dc' --adminpass=P@55W0rd --dns-backend=BIND9_DLZ --function-level=2008_R2 --use-rfc2307

Important

The domain must NOT be the same as a zone Bind already serves. It may be a subdomain of an existing domain (addc.example.com), but if bind has a zone file for the same name, the file-backed zone and the zone the dlz_bind9 module provides collide and named WILL fail to load. I would suggest an ADDC sub-domain (addc.example.com), which is what I use. A .local domain (example.local) will work as well, with one caveat: .local is the multicast DNS domain, and hosts running Avahi or Bonjour will try mDNS for those names first.

Please see Domain Name best practice for more info.

This entire tutorial requires that you be logged on as root, or a healthy use of the sudo command. I prefer the former.

You can get a root shell a number of ways; this is how I normally do it:

sudo su
	password: P@55W0rd

(That is your own account's password. It does not have to be, and should not be, the same as the domain Administrator password set later.)

Then run:

aptitude update && aptitude -y full-upgrade && reboot

This will reboot the computer when done.

Next we have to add some packages:

The krb5-user package will ask some questions about Kerberos (default realm and so on). The krb5.conf it writes will NOT be used, so the answers are not important. (I always answer as I would if I were installing it alone, just in case I actually do.)

aptitude -y install samba smbclient bind9 build-essential libacl1-dev libattr1-dev libblkid-dev \
	libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config \
	libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl \
	python-xattr ncurses-dev libpam-smbpass libssl-dev libssl-doc

Move the samba configuration directory the package installed out of the way, so provisioning starts from a clean /etc/samba rather than the package's default smb.conf:

mv /etc/samba{,.dist}

Run the following:

samba-tool domain provision --host-name=adserv01 --realm=UBUNTU.LOCAL --domain=UBUNTUDOM --server-role='dc' \
 --adminpass=P@55W0rd --dns-backend=BIND9_DLZ  --function-level=2008_R2 --use-rfc2307

If anything goes wrong and you have to restart, run the following first:

rm -rf /etc/samba
rm -rf /var/lib/samba/private/*

If everything goes right you should be greeted with something like:

Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ubuntu,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ubuntu,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:		active directory domain controller
Hostname:		adserv01
NetBIOS Domain:	UBUNTUDOM
DNS Domain:		ubuntu.local
DOMAIN SID:		S-1-5-21-3234291160-432321697-3401650481

The output names three files that the rest of the setup is built on: /var/lib/samba/private/named.conf, /var/lib/samba/private/named.txt and /var/lib/samba/private/krb5.conf. Their contents as generated:

Starting with:

/var/lib/samba/private/named.conf

# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
	# For BIND 9.8.0
	database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

	# For BIND 9.9.0
	# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};

And:

/var/lib/samba/private/named.txt

# If you are running a capable version of BIND and you wish to support
# secure GSS-TSIG updates, you must make the following configuration
# changes:

#
# Steps for BIND 9.8.x and 9.9.x -----------------------------------------
#

# 1. Insert following lines into the options {} section of your named.conf
#	file:
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

#
# Common Steps for BIND 9.x.x --------------------------------------------
#

# 2. Set appropriate ownership and permissions on the dns.keytab file.
#	Note that the most distributions have BIND configured to run under a
#	non-root user account.  For example, Fedora 9 runs BIND as the user
#	"named" once the daemon relinquishes its rights.  Therefore, the file
#	dns.keytab must be readable by the user that BIND run as.  If BIND
#	is running as a non-root user, the "dns.keytab" file must have its
#	permissions altered to allow the daemon to read it.  Under Fedora 9,
#	execute the following commands:
chgrp named /var/lib/samba/private/dns.keytab
chmod g+r /var/lib/samba/private/dns.keytab

# 3. Ensure the BIND zone file(s) that will be dynamically updated are in
#	a directory where the BIND daemon can write.  When BIND performs
#	dynamic updates, it not only needs to update the zone file itself but
#	it must also create a journal (.jnl) file to track the dynamic updates
#	as they occur.  Under Fedora 9, the /var/named directory can not be
#	written to by the "named" user.  However, the directory /var/named/dynamic
#	directory does provide write access.  Therefore the zone files were
#	placed under the /var/named/dynamic directory.  The file directives in
#	both example zone statements at the beginning of this file were changed
#	by prepending the directory "dynamic/".

# 4. If SELinux is enabled, ensure that all files have the appropriate
#	SELinux file contexts.  The dns.keytab file must be accessible by the
#	BIND daemon and should have a SELinux type of named_conf_t.  This can be
#	set with the following command:
chcon -t named_conf_t /var/lib/samba/private/dns.keytab

Finally:

/var/lib/samba/private/krb5.conf

[libdefaults]
	default_realm = UBUNTU.LOCAL
	dns_lookup_realm = false
	dns_lookup_kdc = true

Let's turn off password expiration and complexity. This is a lab convenience: the policy applies to every account, Administrator included, so on a domain people will actually log on to, keep complexity on and set a finite --max-pwd-age.

samba-tool domain passwordsettings set --complexity=off --min-pwd-length=6 --max-pwd-age=0

Next, replace the stock krb5.conf with the one provisioning generated, so Kerberos on the DC uses the AD realm and finds the KDC through DNS:

mv /etc/krb5.conf{,.dist}
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

Next, let's check what version of Bind we are running, since the DLZ module has to match it:

named -V

This should reply with something like:

root@adserv01:~# named -V
BIND 9.9.5-3-Ubuntu (Extended Support Version)  built by make
with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr'
'--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'


compiled by GCC 4.8.2

using OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014

using libxml2 version: 2.9.1

Which means we have to change /var/lib/samba/private/named.conf to match the Bind version, 9.9 here. It should look like:

/var/lib/samba/private/named.conf

# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
	# For BIND 9.8.0
	#database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
	
	# For BIND 9.9.0
	database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};

The only change is where the '#' sits: the 9.8.0 database line is now commented out and the 9.9.0 one is active. Exactly one database line may be active, and the module it names must exist under /usr/lib/x86_64-linux-gnu/samba/bind9/, or named will refuse to load the dlz block.
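Picking the database line by hand is easy to get wrong: leave both lines active, or point at a module this Samba build does not ship, and named dies at startup. The script below is an added example (mine, not from the original tutorial or the Samba project). It reads the first line of named -V, maps it to the module name Samba uses for that BIND minor version, checks that the file exists, and rewrites named.conf so exactly one database line is active. It generalizes the 9.8/9.9 pair above to later minors (dlz_bind9_10.so and so on); MODULE_DIR and NAMED_CONF are the tutorial's paths, and the function names are my own.

```shell
#!/bin/bash
# Added example, not from the original tutorial or the Samba project: choose the
# Samba DLZ module matching the running BIND and make it the single active
# "database" line in the named.conf that provisioning generated.
# MODULE_DIR and NAMED_CONF are the Ubuntu 14.04 amd64 paths used in the
# tutorial (assumptions); override them for another layout.
set -eu

MODULE_DIR="${MODULE_DIR:-/usr/lib/x86_64-linux-gnu/samba/bind9}"
NAMED_CONF="${NAMED_CONF:-/var/lib/samba/private/named.conf}"

# Map the first line of "named -V" (e.g. "BIND 9.9.5-3-Ubuntu ...") to the file
# name Samba uses for that minor version: 9.8 -> dlz_bind9.so, 9.9 ->
# dlz_bind9_9.so, 9.10 -> dlz_bind9_10.so and so on. Whether this Samba build
# actually ships the module is checked separately by dlz_module_path.
dlz_module_name() {
    local major minor
    major=$(printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1/p')
    minor=$(printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2/p')
    if [ "$major" != 9 ] || [ -z "$minor" ] || [ "$minor" -lt 8 ]; then
        echo "no DLZ module for BIND version: $1" >&2
        return 1
    fi
    if [ "$minor" -eq 8 ]; then echo dlz_bind9.so; else echo "dlz_bind9_${minor}.so"; fi
}

# Full path of that module, failing if this Samba build does not ship it (a
# dlopen line pointing at a missing file makes named refuse to start).
dlz_module_path() {
    local name
    name=$(dlz_module_name "$1") || return 1
    if [ ! -f "$MODULE_DIR/$name" ]; then
        echo "$MODULE_DIR/$name not found: no module for that BIND in this Samba build" >&2
        return 1
    fi
    echo "$MODULE_DIR/$name"
}

# Number of uncommented database lines in a named.conf. named accepts the dlz
# block only when this is exactly 1.
active_dlz_databases() {
    grep -c '^[[:space:]]*database "dlopen ' "$1" || true
}

# Comment out every database line in $2 (default NAMED_CONF), then activate the
# one naming module $1, adding it to the dlz block if provisioning did not
# write a (commented) line for it. Keeps a .orig copy of the file.
set_dlz_database() {
    local module="$1" conf="${2:-$NAMED_CONF}" esc
    esc=$(printf '%s' "$module" | sed 's/[.]/\\./g')   # literal dots for the regex
    cp -p "$conf" "$conf.orig"
    sed -i 's|^\([[:space:]]*\)database "dlopen |\1#database "dlopen |' "$conf"
    if grep -q "^[[:space:]]*#[[:space:]]*database \"dlopen $esc\";" "$conf"; then
        sed -i "s|^\([[:space:]]*\)#[[:space:]]*database \"dlopen $esc\";|\1database \"dlopen $module\";|" "$conf"
    else
        sed -i "s|^\(dlz \"AD DNS Zone\" {\)|\1\n\tdatabase \"dlopen $module\";|" "$conf"
    fi
}

# Usage on the DC, as root: ./choose_dlz.sh --apply   (then restart bind9)
if [ "${1:-}" = --apply ]; then
    module=$(dlz_module_path "$(named -V | head -n 1)")
    set_dlz_database "$module"
    echo "$NAMED_CONF: $(active_dlz_databases "$NAMED_CONF") active database line -> $module"
fi
```

Run it as root after provisioning and before restarting bind9; it keeps named.conf.orig so the generated file can be restored. It deliberately refuses to write a dlopen line for a module file that is not present, which is the failure mode that otherwise only shows up as named dying at startup.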

Now let's edit the Bind configuration. First, add the Samba lines to the appropriate files.

First the options file:

/etc/bind/named.conf.options

options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	// forwarders {
	//		0.0.0.0;
	// };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;

	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };

	tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

};

Then run:

chgrp bind /var/lib/samba/private/dns.keytab
chmod g+r /var/lib/samba/private/dns.keytab

This is the first part of letting bind read the file: the keytab stays owned by root, now mode 640, readable by the bind group and by nobody else (it holds the Kerberos key that authenticates DNS updates, so never make it world-readable). The second part is the AppArmor profile below.

Now add the appropriate zone definitions to named.conf.local:

/etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

include "/var/lib/samba/private/named.conf";

That is it for that file.

We also have to add some rules to the AppArmor profile for named, /etc/apparmor.d/usr.sbin.named. On Ubuntu that profile ends with the #include line shown below, which pulls in /etc/apparmor.d/local/usr.sbin.named (in AppArmor syntax #include is a directive, not a comment); putting the additions in that local file is the Ubuntu convention and survives package upgrades of the main profile. Either way the lines must sit inside the profile's braces. The library globs need r as well as m: named opens the module and the ldb modules for reading before mapping them.

...

# Site-specific additions and overrides. See local/README for details.
#include "local/usr.sbin.named"
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns.keytab r,
/usr/lib/x86_64-linux-gnu/samba/** rm,
/var/lib/samba/private/krb5.conf r,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
/var/lib/samba/private/dns/** rwk,

...

Then reload the profiles:

service apparmor restart

Bind has not picked up any of this yet, so restart the bind9 service now and watch /var/log/syslog: named should report the samba_dlz module starting for the domain's DNS partitions, and anything the profile still blocks shows up there as an apparmor DENIED line for /usr/sbin/named, naming the path and the permission to add.

Check your resolv.conf file:

cat /etc/resolv.conf

Which should get you:

root@adserv01:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#	 DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search UBUNTU.LOCAL

The "nameserver" portion must say 127.0.0.1: the DC has to resolve through its own Bind, the only server that knows the AD zones. Update it as necessary.

A domain controller should have a static address. If you nevertheless get the address by DHCP with resolvconf in play, make the following changes to /etc/dhcp/dhclient.conf so a lease cannot overwrite the nameserver and search settings:

/etc/dhcp/dhclient.conf

...
supersede domain-name "UBUNTU.LOCAL";
prepend domain-name-servers 127.0.0.1;

#request subnet-mask, broadcast-address, time-offset, routers,
#		domain-name, domain-name-servers, domain-search, host-name,
#		dhcp6.name-servers, dhcp6.domain-search,
#		netbios-name-servers, netbios-scope, interface-mtu,
#		rfc3442-classless-static-routes, ntp-servers,
#		dhcp6.fqdn, dhcp6.sntp-servers;

##  Add the following after commenting out the above ##
## ----%<----------------------------------------------------##
request subnet-mask, broadcast-address, time-offset, routers,
	netbios-scope, interface-mtu,
	rfc3442-classless-static-routes, ntp-servers;
## ----%<----------------------------------------------------##
...

Otherwise you will get an error like:

/usr/sbin/samba_dnsupdate: RuntimeError: kinit for adserv01$@UBUNTU.LOCAL failed (Cannot contact any KDC for requested realm)

This is because the lease has rewritten resolv.conf with your ISP's domain-name, domain-name-servers, domain-search and host-name, so the resolver no longer points at the DC and Kerberos cannot find the KDC.

Testing

These tests need bind9 and the samba daemon (the AD DC process itself, not a standalone smbd/nmbd) to be running.

Check that the service records are being served by Bind. Run the following:

host -t SRV _ldap._tcp.UBUNTU.LOCAL.
host -t SRV _kerberos._udp.UBUNTU.LOCAL.
host -t A adserv01.UBUNTU.LOCAL.

You should get something like the following:

root@adserv01:~# host -t SRV _ldap._tcp.UBUNTU.LOCAL.
_ldap._tcp.UBUNTU.LOCAL has SRV record # ### ### adserv01.UBUNTU.LOCAL.

root@adserv01:~# host -t SRV _kerberos._udp.UBUNTU.LOCAL.
_kerberos._udp.UBUNTU.LOCAL has SRV record # ### ### adserv01.UBUNTU.LOCAL.

root@adserv01:~# host -t A adserv01.UBUNTU.LOCAL.
adserv01.UBUNTU.LOCAL has address 192.168.0.10

Check that Samba provides the Active Directory Domain Controller default shares "netlogon" and "sysvol".

They are defined in /etc/samba/smb.conf, which provisioning wrote.

On the server run the following:

smbclient -L localhost -U%

Result:

root@adserv01:~# smbclient -L localhost -U%
Domain=[UBUNTUDOM] OS=[Unix] Server=[Samba 4.x.y]

		Sharename		Type		Comment
		---------		----		-------
		netlogon		Disk		
		sysvol			Disk		
		IPC$			IPC		IPC Service (Samba 4.x.y)
Domain=[UBUNTUDOM] OS=[Unix] Server=[Samba 4.x.y]

		Server				Comment
		---------			-------

		Workgroup			Master
		---------			-------

Try to connect to the "netlogon" share, using the Domain Administrator account:

smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password: P@55W0rd

Result

root@adserv01:~# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password: P@55W0rd
Domain=[UBUNTUDOM] OS=[Unix] Server=[Samba 4.x.y]
 .							D		0  Sat Jul  5 08:40:00 2014
 ..							D		0  Sat Jul  5 08:40:00 2014

				49386 blocks of size 524288. 42093 blocks available

If the tests fail, check out the Samba AD DC Troubleshooting page.
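The tests above are run by hand. The script below is an added example (mine, not part of the original tutorial or of Samba) that bundles them with the checks a practitioner would add for this backend: that dns.keytab is readable by the bind group and by nobody else, that named actually loaded the DLZ module, that every SRV record a domain member looks up resolves to the DC, and finally a real GSS-TSIG dynamic update through nsupdate -g, which is what Windows clients do when they register. The realm, host name, keytab path, bind user, the test-dyn record and its address are assumptions taken from this tutorial's values; run it as root on the DC after kinit Administrator.

```shell
#!/bin/bash
# Added example, not from the original tutorial or the Samba project: checks for
# a Samba AD DC that uses the BIND9_DLZ backend. The helpers at the top are pure;
# the live checks need samba, bind9, host and nsupdate on the DC plus a Kerberos
# ticket, so they run only when invoked as "dc-check.sh --run".
# REALM, DC_HOST, KEYTAB and BIND_USER are the tutorial's values (assumptions).
set -eu

REALM="${REALM:-UBUNTU.LOCAL}"
DC_HOST="${DC_HOST:-adserv01.ubuntu.local}"
KEYTAB="${KEYTAB:-/var/lib/samba/private/dns.keytab}"
BIND_USER="${BIND_USER:-bind}"

# dns.keytab holds the Kerberos keys BIND uses to verify GSS-TSIG updates. The
# bind group needs read access (the chgrp/chmod g+r step); "other" must have
# none, or any local user could read the key. Passes for 640 or 440, fails for
# 644 (world-readable) and 600 (bind cannot read it). GNU stat assumed.
keytab_mode_ok() {
    local perm
    perm=$(stat -c %A "$1") || return 1   # e.g. -rw-r-----
    case "$perm" in
        ????r??---) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse one line of "host -t SRV" output, for example
#   _ldap._tcp.UBUNTU.LOCAL has SRV record 0 100 389 adserv01.UBUNTU.LOCAL.
# and print "target port" without the trailing dot. Anything else (NXDOMAIN,
# "has no SRV record", a truncated answer) fails.
srv_target() {
    set -- $1
    [ $# -eq 8 ] && [ "$2$3$4" = hasSRVrecord ] || return 1
    case "$5$6$7" in *[!0-9]*|'') return 1 ;; esac
    printf '%s %s\n' "${8%.}" "$7"
}

# SRV names every domain member looks up; all must point at this DC.
srv_names() {
    printf '%s\n' "_ldap._tcp.$REALM" "_kerberos._udp.$REALM" "_kerberos._tcp.$REALM" \
        "_kpasswd._udp.$REALM" "_ldap._tcp.dc._msdcs.$REALM"
}

check_srv() {
    local name line parsed
    for name in $(srv_names); do
        line=$(host -t SRV "$name." 2>&1 | head -n 1)
        if parsed=$(srv_target "$line"); then
            echo "ok:   $name -> ${parsed% *}:${parsed#* }"
        else
            echo "FAIL: $name -> $line"; return 1
        fi
    done
}

check_keytab() {
    if keytab_mode_ok "$KEYTAB" && [ "$(stat -c %G "$KEYTAB")" = "$BIND_USER" ]; then
        echo "ok:   $KEYTAB is group $BIND_USER, mode $(stat -c %a "$KEYTAB")"
    else
        echo "FAIL: $KEYTAB must be group $BIND_USER, mode 640 (bind can read, nobody else)"; return 1
    fi
}

# named serves the AD zones only if the DLZ module loaded; it logs a
# "samba_dlz: started for DN ..." line per partition when named starts.
check_dlz() {
    named-checkconf || { echo "FAIL: named-checkconf"; return 1; }
    if grep -q 'samba_dlz: started for DN' /var/log/syslog; then
        echo "ok:   samba_dlz loaded"
    else
        echo "FAIL: no 'samba_dlz: started' in syslog; look for apparmor DENIED lines for named"; return 1
    fi
}

# The DC's own records via samba_dnsupdate (signs with dns.keytab), then an
# ad-hoc GSS-TSIG update with nsupdate -g using the caller's ticket (run kinit
# Administrator first); this is what a Windows member does when it registers.
# test-dyn and 192.168.0.250 are placeholders; the record is deleted again.
check_dynamic_update() {
    local zone
    zone=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')
    samba_dnsupdate --verbose >/dev/null 2>&1 || { echo "FAIL: samba_dnsupdate"; return 1; }
    printf 'server %s\nupdate add test-dyn.%s. 300 A 192.168.0.250\nsend\n' "$DC_HOST" "$zone" | nsupdate -g \
        || { echo "FAIL: GSS-TSIG update rejected (tkey-gssapi-keytab, keytab perms, AppArmor?)"; return 1; }
    printf 'server %s\nupdate delete test-dyn.%s. A\nsend\n' "$DC_HOST" "$zone" | nsupdate -g
    echo "ok:   GSS-TSIG dynamic update accepted"
}

if [ "${1:-}" = --run ]; then
    check_keytab && check_dlz && check_srv && check_dynamic_update
fi
```

check_srv and check_dynamic_update talk to the live DC, so run the script on the DC itself; keytab_mode_ok and srv_target are the pieces worth lifting into whatever monitoring you already have, since a keytab that drifts to 644 or an SRV record that stops answering is exactly what goes unnoticed until clients fail to join.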

DONE!!!