Setup Process

Clean Installation of samba & dependencies

The domain controller dc0.v.ucc.asn.au is based on a clone of samurai, cleaned up and configured using the steps below. dc1.v.ucc.asn.au was set up as a fresh install based on Debian 9.5.0 (netinst).

A fresh domain controller can probably be set up using the same steps. Note: these instructions are valid for Samba 4.7 and 4.8.5; older versions of Samba may be missing important configuration options and newer ones may behave slightly differently.

  • Configure name resolution
    • Edit /etc/hosts

      127.0.0.1       localhost
      192.168.9.2     dc0.v.ucc.asn.au        dc0
      192.168.9.3     dc1.v.ucc.asn.au        dc1
    • Edit /etc/resolv.conf (the resolver only honours the last search line, so all three domains go on one line)

      search ad.v.ucc.asn.au v.ucc.asn.au ucc.asn.au
      # This is configured to forward ad.* queries back to us and also deals with other DNS magic, so use it instead of ourselves as primary nameserver
      nameserver 192.168.9.35
  • Purge existing configs and packages (the patterns are quoted so the shell doesn't expand them against files in the current directory):

    apt-get -y purge 'samba*' libpam-sss libnss-sss libgpgme11 'krb5-*' 'sssd-*' 'libsss-*' winbind
    rm -rf /etc/samba /etc/krb5.conf /etc/krb5.keytab /var/run/samba/ /var/lib/samba/ /var/cache/samba/ /var/lib/sss
  • Configure the apt repositories and preferences
    • Edit /etc/apt/preferences.d/80-ucc-samba, add the following:

      Package: *
      Pin: release a=stable
      Pin-Priority: 900
      
      Package: *
      Pin: release a=stable-backports
      Pin-Priority: 800
      
      Package: *
      Pin: release a=testing
      Pin-Priority: 99
      
      Package: *
      Pin: release a=unstable
      Pin-Priority: 98
    • Edit /etc/apt/sources.list.d/debian-unstable.list:

      # Testing repository - main, contrib and non-free branches
      deb http://mirror.waia.asn.au/debian testing main non-free contrib
      deb-src http://mirror.waia.asn.au/debian testing main non-free contrib
      
      # Testing security updates repository
      deb http://security.debian.org/ testing/updates main contrib non-free
      deb-src http://security.debian.org/ testing/updates main contrib non-free
      
      # Unstable repo main, contrib and non-free branches, no security updates here
      deb http://mirror.waia.asn.au/debian unstable main non-free contrib
      deb-src http://mirror.waia.asn.au/debian unstable main non-free contrib
  • Install packages:

    apt-get update && apt-get -y upgrade
    apt-get -y -t testing install samba sssd-ad sssd-tools sssd-krb5 krb5-user libpam-krb5 libpam-sss libnss-sss libgpgme11 smbclient winbind
    apt-get -y install net-tools vim less molly-guard chrony rsync csync2 nfs-common finger sudo zsh git dnsutils mlocate

The rest of these instructions are based on the official Samba AD setup guide.

  • Disable the systemd units for the non-DC setup & default configuration:

    systemctl stop smbd
    systemctl stop nmbd
    systemctl stop winbind
    systemctl disable smbd
    systemctl disable nmbd
    systemctl disable winbind
  • Remove all Samba database and config files, such as *.tdb and *.ldb files, so we can start with a clean installation. (Note: when installing the packages, some of these files may have been recreated since the purge step above, so don't skip this step.)

    rm -fv /etc/samba/smb.conf /etc/krb5.conf /etc/krb5.keytab
    find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ \( -name '*.tdb' -o -name '*.ldb' \) -print -delete

Provisioning a new AD Domain

Make sure you start with a clean installation. Note: Don't do this unless you want to set up a fresh domain, in which case you will need to change all the settings below to appropriate values.

  • Provision the new domain (set PASSWORD to the new domain Administrator password first; note that the password is visible in the process list while the command runs):

    samba-tool domain provision --use-rfc2307 --realm=ad.v.ucc.asn.au --domain=VUCC --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass="$PASSWORD"
  • Copy /var/lib/samba/private/krb5.conf to /etc/krb5.conf:

    cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
    • Make sure /etc/krb5.conf looks something like this, adding lines where necessary.

      [libdefaults]
              default_realm = AD.V.UCC.ASN.AU
              dns_lookup_realm = false
              dns_lookup_kdc = true
              rdns = false
              forwardable = yes
  • Export the domain's keytab

    samba-tool domain exportkeytab /etc/krb5.keytab
  • Edit /etc/nsswitch.conf

    # /etc/nsswitch.conf
    # See http://wiki.ucc.asn.au/ActiveDirectoryNew
    
    passwd:         files sss
    group:          files sss
    shadow:         files
    gshadow:        files
    
    hosts:          files dns
    networks:       files
    
    protocols:      db files
    services:       db files sss
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis sss
    sudoers:        files
  • and /etc/sssd/sssd.conf

    [sssd]
    config_file_version = 2
    domains = ad.v.ucc.asn.au
    services = nss, pam, pac
    
    # the section name must match the "domains" entry above
    [domain/ad.v.ucc.asn.au]
    enumerate = true
    id_provider = ad
    auth_provider = ad
    chpass_provider = ad
    access_provider = ad
    ldap_id_mapping = false
  • Fix sssd.conf permissions (sssd refuses to start if the file is readable by other users):

    chmod 600 /etc/sssd/sssd.conf
  • Enable sssd authentication in PAM by running pam-auth-update and selecting the SSS profile

  • Start the samba service:

    systemctl unmask samba-ad-dc
    systemctl enable samba-ad-dc
    systemctl restart samba-ad-dc
    systemctl enable sssd
    systemctl restart sssd
  • DO NOT use winbind for NSS/PAM on a domain controller; it sucks for multiple reasons. Note that winbindd will still run for internal use by samba; it just isn't being used for nss.

  • Make it restart automatically if something crashes: systemctl edit samba-ad-dc

    # this will end up in /etc/systemd/system/samba-ad-dc.service.d/override.conf when it gets saved
    [Service]
    Restart=on-failure

Joining a new DC to an existing AD domain

Make sure you start with a clean installation.

  • Copy /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf from an existing domain controller.

  • Verify Kerberos with: kinit <username>

  • Join the domain with: samba-tool domain join ad.v.ucc.asn.au DC -U"VUCC\Administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'

    • You may see an error saying something about DNS not being configured; you can probably ignore it.
  • Replicate the SYSVOL directory to the new DC, then fix the permissions with: samba-tool ntacl sysvolreset

  • Export the keytab, fix the sssd.conf permissions and start the services (the samba service may have a different name depending on the samba version used):

    samba-tool domain exportkeytab /etc/krb5.keytab
    chmod 600 /etc/sssd/sssd.conf
    systemctl unmask samba-ad-dc
    systemctl enable samba-ad-dc
    systemctl restart samba-ad-dc
    systemctl enable sssd
    systemctl restart sssd
  • Enable sssd authentication in PAM by running pam-auth-update and selecting the SSS profile

Sysvol replication

Samba doesn't support sysvol replication and probably never will, but the Samba project has some (old) suggested workarounds. At the most basic level, the directory /var/lib/samba/sysvol must be synchronised between DCs to keep things working smoothly. Unfortunately the filesystem needs to support xattr and POSIX ACLs, so using a simple NFS share isn't possible, and rsync is painful when it comes to two-way synchronisation.

Fortunately csync2 does exactly what we want (minus ACLs/xattr, but those can be fixed using samba-tool ntacl sysvolreset). Here's how you can set it up.

  • Put the following into /etc/csync2.cfg (and update it with the correct domain controller hostnames; see the csync2 documentation for the syntax):

    #### csync2 configuration
    # disable SSL for connections between the DCs (the sync traffic then travels in the clear,
    # so only do this on a network you trust)
    nossl dc[01] dc[01];
    group vucc-domain-controllers
    {
            host dc0 dc1;
            key /etc/csync2.key-vucc;
            include /var/lib/samba/sysvol;
    
            # reload samba-ad-dc if changes to the configuration file /etc/samba/smb.conf are synced
            # (actions only fire for files in this group's include list, so this needs
            # "include /etc/samba/smb.conf;" above to have any effect)
            action
            {
                    pattern /etc/samba/smb.conf;
                    exec "/bin/systemctl reload samba-ad-dc";
                    do-local;
            }
    
            # fix xattrs on files when they are updated
            action
            {
                    pattern /var/lib/samba/sysvol;
                    exec "/usr/bin/samba-tool ntacl sysvolreset";
                    do-local;
            }
    
            # Store backups (with logical names) somewhere reasonable
            backup-directory /var/lib/samba/sysvol-backups;
            backup-generations 3;
    
            # automatically resolve conflicts by overwriting older files with newer ones
            auto younger;
    }
  • edit the crontab on one node:

    dc0# crontab -e
    # sync every minute
    * * * * * /usr/sbin/csync2 -x
  • csync2 runs as an inetd service, so check that the following line is present in /etc/inetd.conf on all servers in the cluster:

    csync2          stream  tcp     nowait  root    /usr/sbin/csync2        csync2 -i -l
  • generate a csync2 pre-shared key (PSK) and copy it and /etc/csync2.cfg to all the DCs in the cluster:

    csync2 -k /etc/csync2.key-vucc
    scp /etc/csync2.key-vucc /etc/csync2.cfg dc1:/etc dc2:/etc dc3:/etc ...
  • make sure the directory /var/lib/samba/sysvol-backups exists on all nodes of the cluster

  • Done! It should work now.

To manually replicate the sysvol directory between DCs (rsync -a keeps ownership and timestamps; ACLs and xattrs are rebuilt by sysvolreset on the receiving side):

dc0# rsync -a /var/lib/samba/sysvol/ dc1:/var/lib/samba/sysvol/
dc1# samba-tool ntacl sysvolreset
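Because csync2 resolves conflicts by age and runs unattended from cron, it is useful to be able to tell whether two DCs really hold the same sysvol content. The check below is an added example, not from the UCC wiki and not a csync2 or Samba tool: it builds a per-file SHA-256 manifest on each DC and compares the two. It assumes GNU coreutils (sha256sum, sort, comm) and ssh access from dc0 to dc1; the demo trees at the end are constructed. Hashes cover content only; ACLs and xattrs are left to samba-tool ntacl sysvolreset.

```shell
# Print "sha256  ./relative/path" for every regular file below $1, sorted as whole lines in
# the C locale so that two manifests can be fed straight to comm.
sysvol_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort
}

# $1, $2: manifest files from two DCs. Prints "A <path>" for entries only in the first and
# "B <path>" for entries only in the second, so a file whose content differs shows up under
# both letters. Returns 0 when the trees match and 1 when they diverge.
sysvol_compare() {
    LC_ALL=C comm -3 "$1" "$2" | awk '{
        side = "A"; if (sub(/^\t/, "")) side = "B"   # comm prefixes file-2-only lines with a tab
        print side, substr($0, 67)                   # 64 hex chars + two spaces precede the path
        bad = 1
    } END { exit bad ? 1 : 0 }'
}

# Typical use on dc0 (assumes ssh access to dc1; the /tmp paths are this example's own):
#   sysvol_manifest /var/lib/samba/sysvol > /tmp/dc0.lst
#   ssh dc1 'cd /var/lib/samba/sysvol && find . -type f -exec sha256sum {} + | LC_ALL=C sort' > /tmp/dc1.lst
#   sysvol_compare /tmp/dc0.lst /tmp/dc1.lst && echo "sysvol in sync"

# Constructed demo: two throwaway trees stand in for dc0's and dc1's sysvol; one GPO file
# differs between them and one exists on dc0 only.
demo_sysvol_check() {
    base=$(mktemp -d)
    for dc in a b; do mkdir -p "$base/$dc/Policies/{GUID-1}/Machine"; done
    printf 'Version=1\n' > "$base/a/Policies/{GUID-1}/GPT.INI"
    printf 'Version=2\n' > "$base/b/Policies/{GUID-1}/GPT.INI"
    printf 'PReg\n' > "$base/a/Policies/{GUID-1}/Machine/Registry.pol"
    sysvol_manifest "$base/a" > "$base/a.lst"
    sysvol_manifest "$base/b" > "$base/b.lst"
    sysvol_compare "$base/a.lst" "$base/b.lst"; rc=$?
    rm -rf "$base"; return $rc
}
```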

Diagnostics

Sometimes group memberships don't seem to be updated; this can often be fixed by clearing the cache:

  • sss_cache -E if using sssd

  • net cache flush if using winbind

  • Or, if the above fails to have an effect, try rejoining the domain using the instructions below.

Sometimes, everything may break rather catastrophically. This may be due to the keytabs at /etc/krb5.keytab and /var/lib/samba/private/secrets.keytab becoming out of sync.

  • The current solution (on samson) is to make /etc/krb5.keytab a symlink to Samba's secrets.keytab, so there is only one copy to keep in sync (note that ln -sf replaces the existing /etc/krb5.keytab):

    # ln -sf /var/lib/samba/private/secrets.keytab /etc/krb5.keytab
    # ls -l /etc/krb5.keytab
    lrwxrwxrwx 1 root root 37 Nov 26 16:51 /etc/krb5.keytab -> /var/lib/samba/private/secrets.keytab
  • Verify that the host principal is present in the keytab (it has the form host/<fqdn>@AD.V.UCC.ASN.AU):

    # klist -k | grep -i $(hostname)
       3 host/<fqdn>@AD.V.UCC.ASN.AU
  • The same principal (and variations with the same hostname, such as the short name) may appear multiple times. This is normal: a keytab holds one entry per encryption type and per key version number (KVNO), so klist -k lists the principal once per key.
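A quick way to see whether the two keytabs have drifted apart before resorting to the symlink is to compare the key version number (KVNO) each one holds for every principal. The check below is an added example, not from the UCC wiki: it assumes MIT klist -k output (what krb5-user installs) and uses constructed sample listings in which the host principal has been re-keyed in secrets.keytab only.

```shell
# Compare the key version numbers (KVNO) two keytabs hold for each principal. Input is
# the listing printed by MIT `klist -k` (krb5-user); Heimdal's klist uses another layout.

# stdin: klist -k listing; stdout: "principal highest-kvno", one sorted line per principal
kvno_table() {
    awk '$1 ~ /^[0-9]+$/ { if (!($2 in max) || $1 + 0 > max[$2]) max[$2] = $1 + 0 }
         END { for (p in max) print p, max[p] }' | LC_ALL=C sort -k1,1
}

# $1, $2: files holding klist -k output. Prints "principal kvno1 kvno2" for each principal
# whose KVNO differs or which is missing ("-") on one side; returns 1 if any, else 0.
keytab_kvno_diff() {
    k1=$(mktemp); k2=$(mktemp)
    kvno_table < "$1" > "$k1"
    kvno_table < "$2" > "$k2"
    LC_ALL=C join -a 1 -a 2 -e - -o 0,1.2,2.2 "$k1" "$k2" |
        awk '$2 != $3 { print; bad = 1 } END { exit bad ? 1 : 0 }'
    rc=$?
    rm -f "$k1" "$k2"
    return $rc
}

# On a DC, as root: compare /etc/krb5.keytab with Samba's own secrets.keytab.
check_dc_keytabs() {
    l1=$(mktemp); l2=$(mktemp)
    klist -k /etc/krb5.keytab > "$l1"
    klist -k /var/lib/samba/private/secrets.keytab > "$l2"
    keytab_kvno_diff "$l1" "$l2"; rc=$?
    rm -f "$l1" "$l2"
    return $rc
}

# Constructed sample listings (not captured from the UCC DCs): the host principal was
# re-keyed to KVNO 4 in secrets.keytab while /etc/krb5.keytab still holds KVNO 3.
SAMPLE_ETC='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   3 host/dc0.ad.v.ucc.asn.au@AD.V.UCC.ASN.AU
   3 host/dc0.ad.v.ucc.asn.au@AD.V.UCC.ASN.AU
   2 DC0$@AD.V.UCC.ASN.AU'
SAMPLE_SECRETS='Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
   4 host/dc0.ad.v.ucc.asn.au@AD.V.UCC.ASN.AU
   2 DC0$@AD.V.UCC.ASN.AU'

demo_keytab_check() {
    l1=$(mktemp); l2=$(mktemp)
    printf '%s\n' "$SAMPLE_ETC" > "$l1"; printf '%s\n' "$SAMPLE_SECRETS" > "$l2"
    keytab_kvno_diff "$l1" "$l2"; rc=$?
    rm -f "$l1" "$l2"; return $rc
}
```

A non-zero exit from check_dc_keytabs with the host principal listed means a fresh exportkeytab (or the symlink above) is needed before Kerberos logins will work again.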