{"id":77,"date":"2023-07-13T20:29:03","date_gmt":"2023-07-14T03:29:03","guid":{"rendered":"http:\/\/thejonas.net\/?page_id=77"},"modified":"2023-07-13T20:29:19","modified_gmt":"2023-07-14T03:29:19","slug":"smb4-ad-and-bind","status":"publish","type":"page","link":"https:\/\/www.thejonas.net\/?page_id=77","title":{"rendered":"SMB4 AD and Bind"},"content":{"rendered":"\n<p>SMB4 AD and Bind<\/p>\n\n\n\n<h1 class=\"wp-block-heading\"><strong><em>\u201cUbuntu 14.04<\/em>&nbsp;<em>LTS\u201d<\/em><\/strong><\/h1>\n\n\n\n<p>See DNS\/DHCP page for domain info.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>sudo apt-get update\nsudo apt-get update &amp;&amp; sudo apt-get upgrade<\/strong><\/pre>\n\n\n\n<p>Install the&nbsp;<strong>acl<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>sudo apt-get install acl attr<\/strong><\/pre>\n\n\n\n<p>Configure&nbsp;<strong>acl<\/strong>&nbsp;in the \/etc\/fstab<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>sudo nano \/etc\/fstab<\/strong><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>\/dev\/mapper\/vg0-lv_data   \/   ext4 user_xattr,acl,barrier=1,noatime  0  0\n<\/strong><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>mount -a<\/strong><\/pre>\n\n\n\n<p><strong>Reboot<\/strong><\/p>\n\n\n\n<p>Installing Samba software<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt-get install samba smbclient  build-essential libacl1-dev libattr1-dev \\\n   libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \\\n   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \\\n   dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev ldb-tools<\/pre>\n\n\n\n<p>During the installation process you will be asked some questions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kerberos Authentication:&nbsp;<strong>MYDC.ABC.LAN<\/strong><\/li>\n\n\n\n<li>hostname of Kerberos server:&nbsp;<strong>dcsrv.abc.lan<\/strong><\/li>\n\n\n\n<li>hostname of the 
Administrative:&nbsp;<strong>dcsrv.abc.lan<\/strong><\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">Remove your old smb.conf<strong>\nsudo rm \/etc\/samba\/smb.conf<\/strong><\/pre>\n\n\n\n<p>Provision&nbsp; AD:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>sudo samba-tool domain provision --use-rfc2307 --interactive<\/strong><\/pre>\n\n\n\n<p>Input the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Realm:&nbsp;<strong>MYDC.ABC.LAN<\/strong><\/li>\n\n\n\n<li>DNS Backend:&nbsp;<strong>BIND9_DLZ<\/strong><\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">Realm: <strong>MYDC.ABC.LAN<\/strong>\n Domain [MYDC]: \n Server Role (dc, member, standalone) [dc]: \n DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ\nAdministrator password: \nRetype password: \nLooking up IPv4 addresses\nLooking up IPv6 addresses\nNo IPv6 address will be assigned\nSetting up share.ldb\nSetting up secrets.ldb\nSetting up the registry\nSetting up the privileges database\nSetting up idmap db\nSetting up SAM db\nSetting up sam.ldb partitions and settings\nSetting up sam.ldb rootDSE\nPre-loading the Samba 4 and AD schema\nAdding DomainDN: DC=mydc,DC=abc,DC=lan\nAdding configuration container\nSetting up sam.ldb schema\nSetting up sam.ldb configuration data\nSetting up display specifiers\nModifying display specifiers\nAdding users container\nModifying users container\nAdding computers container\nModifying computers container\nSetting up sam.ldb data\nSetting up well known security principals\nSetting up sam.ldb users and groups\nSetting up self join\nAdding DNS accounts\nCreating CN=MicrosoftDNS,CN=System,DC=mydc,DC=abc,DC=lan\nCreating DomainDnsZones and ForestDnsZones partitions\nPopulating DomainDnsZones and ForestDnsZones partitions\nSee \/var\/lib\/samba\/private\/named.conf for an example configuration include file for BIND\nand \/var\/lib\/samba\/private\/named.txt for further documentation required for secure DNS 
updates\nSetting up sam.ldb rootDSE marking as synchronized\nFixing provision GUIDs\nA Kerberos configuration suitable for Samba 4 has been generated at \/var\/lib\/samba\/private\/krb5.conf\nSetting up fake yp server settings\nOnce the above files are installed, your Samba4 server will be ready to use\nServer Role: active directory domain controller\nHostname: dcsrv\nNetBIOS Domain: MYDC\nDNS Domain: mydc.abc.lan\nDOMAIN SID: S-1-5-21-416587768-2115368124-2463890298\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Disable the Domain Administrator password from expiring.&nbsp;<strong>Note: it's two dashes on noexpiry<\/strong><\/h2>\n\n\n\n<p>sudo samba-tool user setexpiry Administrator --noexpiry<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configuring Samba and Bind.<\/h2>\n\n\n\n<p>Edit the file \/etc\/samba\/smb.conf and add the following lines to the end of the [global] section.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>sudo nano \/etc\/samba\/smb.conf<\/strong><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>       allow dns updates = nonsecure and secure \n       dns forwarder = 10.0.2.99\n       printing = CUPS\n       printcap name = \/dev\/null<\/strong><\/pre>\n\n\n\n<p>Add the following to \/etc\/bind\/named.conf.options at the end of the options. 
You may need to remove any duplicate existing lines.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>sudo nano \/etc\/bind\/named.conf.options<\/strong><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>   auth-nxdomain yes;  \n   empty-zones-enable no;\n   tkey-gssapi-keytab \"\/var\/lib\/samba\/private\/dns.keytab\";<\/strong><\/pre>\n\n\n\n<p>Choose your version of BIND by uncommenting the matching database line (see the example below).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>sudo nano \/var\/lib\/samba\/private\/named.conf<\/strong><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>dlz \"AD DNS Zone\" {\n    # For BIND 9.8.0\n#    database \"dlopen \/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/dlz_bind9.so\";\n\n    # For BIND 9.9.0\n     database \"dlopen \/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/dlz_bind9_9.so\";\n};<\/strong><\/pre>\n\n\n\n<p>Add the following to \/etc\/bind\/named.conf as the second line in the included section.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>sudo nano \/etc\/bind\/named.conf<\/strong><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>include \"\/var\/lib\/samba\/private\/named.conf\";<\/strong><\/pre>\n\n\n\n<p>Add the following AppArmor rules to the end of \/etc\/apparmor.d\/usr.sbin.named, inside the { }.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>sudo nano \/etc\/apparmor.d\/usr.sbin.named<\/strong><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>   \/usr\/lib\/x86_64-linux-gnu\/samba\/** rwmk,\n   \/usr\/lib\/x86_64-linux-gnu\/ldb\/** rwmk,\n   \/var\/lib\/samba\/private\/dns\/** rwmk,\n   \/var\/lib\/samba\/private\/named.conf r,\n   \/var\/lib\/samba\/private\/dns.keytab rk,\n\n   \/dev\/urandom rw,<\/strong><\/pre>\n\n\n\n<p>The static IP should already be set from the DNS\/DHCP tutorial.&nbsp; You will need to change the DNS name server to localhost (127.0.0.1).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">auto eth0\niface eth0 inet static\n   address 
10.1.200.3\n   gateway 10.1.200.1\n   netmask 255.255.255.0\n   <em><strong>dns-nameservers 127.0.0.1<\/strong><\/em>\n   dns-search abc.lan\n\nreboot\n<\/pre>\n\n\n\n<p>Done.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SMB4 AD and Bind \u201cUbuntu 14.04&nbsp;LTS\u201d See DNS\/DHCP page for domain info. sudo apt-get update sudo apt-get update &amp;&amp; sudo apt-get upgrade Install the&nbsp;acl sudo apt-get install acl attr Configure&nbsp;acl&nbsp;in the \/etc\/fstab sudo nano \/etc\/fstab \/dev\/mapper\/vg0-lv_data \/ ext4 user_xattr,acl,barrier=1,noatime 0 &hellip; <a href=\"https:\/\/www.thejonas.net\/?page_id=77\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"parent":37,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-77","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.thejonas.net\/index.php?rest_route=\/wp\/v2\/pages\/77","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thejonas.net\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.thejonas.net\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.thejonas.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thejonas.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=77"}],"version-history":[{"count":1,"href":"https:\/\/www.thejonas.net\/index.php?rest_route=\/wp\/v2\/pages\/77\/revisions"}],"predecessor-version":[{"id":79,"href":"https:\/\/www.thejonas.net\/index.php?rest_route=\/wp\/v2\/pages\/77\/revisions\/79"}],"up":[{"embeddable":true,"href":"https:\/\/www.thejonas.net\/index.php?rest_route=\/wp\/v2\/pages\/37"}],"wp:attachment":[{"href":"https:\/\/www.thejonas.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=77"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}"
,"templated":true}]}}