Samba Active Directory
Samba Active Directory (Samba AD) stands as a compelling open-source alternative to Microsoft’s Active Directory, particularly suitable for small to medium-sized companies aiming to optimize costs and streamline their IT infrastructure. Samba AD facilitates the creation and management of domains, users, groups, and network resources in a manner akin to Microsoft’s Active Directory, all while offering the adaptability and cost-effectiveness inherent in open-source software.
Pros:
- Cost-effectiveness: For small to medium-sized enterprises seeking to trim expenses, Samba AD provides a cost-effective solution compared to proprietary offerings like Microsoft Active Directory. By sidestepping licensing fees, organizations can allocate resources more efficiently.
- Cross-platform compatibility: Samba AD seamlessly integrates with diverse operating systems such as Windows, Linux, and macOS. This ensures smooth interoperability across the organization’s IT ecosystem, promoting productivity and reducing compatibility concerns.
- Feature-rich: Samba AD boasts a robust feature set encompassing user and group management, centralized authentication, DNS services, Group Policy support, and file sharing. This comprehensive suite empowers organizations with versatile tools for effective network administration.
- Scalability: Designed to accommodate deployments of varying sizes, Samba AD scales effortlessly from small to large-scale environments. This scalability makes it an ideal fit for growing businesses, ensuring adaptability to evolving user needs without incurring additional costs.
- Active development community: Benefiting from a vibrant and engaged open-source community, Samba AD enjoys regular updates, bug fixes, and enhancements. This ensures ongoing support and the incorporation of new features, enhancing its reliability and functionality over time.
Cons:
- No native ADCS: Samba AD DC does not implement Active Directory Certificate Services (ADCS), the Windows role that provides certificate authorities (CAs), certificate enrollment and revocation. Certificates therefore have to come from a separate CA, for example a Microsoft ADCS server or a non-Microsoft CA, and wiring that CA into the Samba domain needs additional configuration.
- Limited certificate services: Without ADCS, features such as autoenrollment, certificate templates and certificate revocation lists (CRLs) are not available out of the box. Organizations that depend on them need a separate CA or a third-party certificate-management solution.
- Compatibility challenges: Enrollment protocols, certificate templates and management tools that are built around Microsoft ADCS may not work, or may work only partially, against a third-party CA paired with Samba AD DC.
- Reduced functionality: Environments that rely heavily on ADCS-specific features for secure communication, authentication or encryption may find Samba AD DC less suitable than a Windows domain.
- Configuration complexity: Getting certificate services to work alongside Samba AD DC takes more configuration, compatibility testing and troubleshooting than a native ADCS deployment does.
In summary, Samba AD offers small to medium-sized companies a cost-effective, feature-rich alternative to the proprietary Active Directory solutions, enabling efficient network management and scalability. While it demands careful planning and expertise for successful implementation, its flexibility and compatibility make it a compelling choice for organizations seeking to optimize their IT investments and drive growth.
In the following sections, I will demonstrate a bare-bones configuration and deployment of Samba AD.
Underlying OS Installation
PS C:\Users\tacticalgator\Downloads> iwr -Uri https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.5.0-amd64-netinst.iso -Outfile .\debian-12.5.0-amd64-netinst.iso
First I grab the current Debian netinst ISO image. The underlying OS doesn't have to be Debian, since nearly all of the work is in Samba itself; an RHEL-based distribution such as RHEL or CentOS works just as well. Debian is used here for ease of demonstration.
I am using an older version of VMware Workstation Pro for this lab session.
Going through the VM creation wizard, I assign a small amount of system resources to this instance.
Another good thing about Samba AD is that, generally speaking, it needs significantly fewer system resources than the proprietary Active Directory solutions.
Installation
Once booted up, I can go ahead and start the installation process
Hostname
I will set the hostname to samba-dc01
Domain Name
The installer then prompts for a domain name. It can be set here, but it isn't strictly necessary, because the realm and DNS domain are asked for again when Samba AD is provisioned. I will skip it for now.
One caveat: Samba expects the DC's fully qualified name to resolve locally. If you skip this step, make sure that before provisioning /etc/hosts maps the DC's static address to both names, for example 10.1.1.100 samba-dc01.contoso.com samba-dc01, and that hostname -f returns the FQDN.
Credentials
Best security practice is not to set a root password, which leaves the root account locked.
I will leave it empty and create a regular user that becomes root via sudo.
The regular user is superuser, with a super secure password: qwe123.
Because root was left without a password in the previous step, the Debian installer adds this first user to the sudo group by default, so it can become the root user with sudo while the root account itself stays effectively disabled.
Setting up a time zone
Disk Configuration / Partitioning
Partitioning and configuring the disk.
You may adjust this to suit your needs (bare-metal installation, RAID, other filesystems). For this lab session I will use the entire 20 GB disk with the default ext4 and put everything in a single partition.
I have personally configured the RAID-Z setup with the ZFS filesystem on OpenBSD for a number of clients. That setup is an excellent choice for high-availability and redundancy.
The installer then continues through a number of additional configuration steps (apt setup, proxy, mirror location, etc.).
tasksel
tasksel then runs to select the software to install. This will be a headless installation as there is no need for a GUI; I will just tick the SSH server for ease of management.
Grub
Next, the installer prompts for the GRUB bootloader configuration. The alternatives mostly matter for dual-boot setups or enterprise policies and standards; there is no such requirement in a lab session, so I will install it to the primary drive.
You may adjust this to suit your needs.
After ten seconds or so the installation finishes. I will remove the installation media (ISO image) as advised and reboot into the newly installed Debian instance.
Rebooted.
Now I will click the I Finished Installing button at the bottom to let the Hypervisor know that VMware Tools are ready
SSH
PS C:\Users\tacticalgator> ssh superuser@10.1.1.23
The authenticity of host '10.1.1.23 (10.1.1.23)' can't be established.
ED25519 key fingerprint is SHA256:fLcT/7/BKGF3bzZbB+9CAFIAYWDEW+TLBbOqv8vdMfo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.1.1.23' (ED25519) to the list of known hosts.
superuser@10.1.1.23's password:
Linux samba-dc01 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 9 06:25:23 2024
superuser@samba-dc01:~$ whoami
superuser
superuser@samba-dc01:~$ hostname
samba-dc01
superuser@samba-dc01:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:50:ee:9a brd ff:ff:ff:ff:ff:ff
altname enp2s1
inet 10.1.1.23/24 brd 10.1.1.255 scope global dynamic ens33
valid_lft 1616sec preferred_lft 1616sec
inet6 fe80::20c:29ff:fe50:ee9a/64 scope link
valid_lft forever preferred_lft forever
Now I can just ssh into the newly installed Debian instance
Snapshot
For those utilizing a hypervisor, a helpful practice is to promptly create a snapshot immediately after completing a fresh installation. This precautionary measure can significantly expedite recovery efforts in the event of unforeseen complications or the need to revert to the initial setup.
This concludes installation and configuration of the underlying operating system.
Network Configuration
superuser@samba-dc01:~$ sudo su root
[sudo] password for superuser:
root@samba-dc01:/home/superuser# cd
root@samba-dc01:~# id
uid=0(root) gid=0(root) groups=0(root)
First, we need to become the root user.
Following the configuration made during installation, we use sudo to become root.
Let’s take a look at the current network configuration
root@samba-dc01:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:50:ee:9a brd ff:ff:ff:ff:ff:ff
altname enp2s1
inet 10.1.1.23/24 brd 10.1.1.255 scope global dynamic ens33
valid_lft 1114sec preferred_lft 1114sec
inet6 fe80::20c:29ff:fe50:ee9a/64 scope link
valid_lft forever preferred_lft forever
root@samba-dc01:~# ip route
default via 10.1.1.254 dev ens33
10.1.1.0/24 dev ens33 proto kernel scope link src 10.1.1.23
Aside from lo (the loopback), ens33 is the primary network interface and carries the current network configuration. It sits on the NAT network provided by the underlying hypervisor, VMware Workstation Pro.
Static IP
root@samba-dc01:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug ens33
iface ens33 inet dhcp
The IP address (10.1.1.23) of the ens33 device is assigned through DHCP. This needs to change: a DC must have a static IP address, because clients locate it through DNS records that carry that address.
I have changed the ens33 stanza to a static configuration. The ens33 device now has the static IP address 10.1.1.100/24, with its nameserver pointing to itself and 1.1.1.1 as a fallback.
Two caveats here. The dns-nameservers line in /etc/network/interfaces is only acted on when the resolvconf package is installed; without it, /etc/resolv.conf has to be edited by hand, which is done later in this post. And a public resolver as a fallback is risky on any domain host: a query that falls through to 1.1.1.1 gets an NXDOMAIN for contoso.com names, which is why the final /etc/resolv.conf below lists only the DC itself.
root@samba-dc01:~# systemctl restart networking
Restarting the networking service is required for the change to take effect. Since the address changes, this drops my current SSH session.
PS C:\Users\tacticalgator> ssh superuser@10.1.1.100
The authenticity of host '10.1.1.100 (10.1.1.100)' can't be established.
ED25519 key fingerprint is SHA256:fLcT/7/BKGF3bzZbB+9CAFIAYWDEW+TLBbOqv8vdMfo.
This host key is known by the following other names/addresses:
C:\Users\tacticalgator/.ssh/known_hosts:62: 10.1.1.23
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.1.1.100' (ED25519) to the list of known hosts.
superuser@10.1.1.100's password:
Linux samba-dc01 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 9 06:45:02 2024 from 10.1.1.1
superuser@samba-dc01:~$ ip a | grep -i ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet 10.1.1.100/24 brd 10.1.1.255 scope global ens33
I can then re-establish the SSH connection on the new address. Now that the network configuration is complete, I can start provisioning Samba AD.
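Before moving on to provisioning, it is worth checking the interface state the DC will be provisioned with. The following is an added example, not part of the original post: render_static_stanza prints an ifupdown stanza of the shape the text describes (the 10.1.1.254 gateway is taken from the ip route output above; the DNS list is an assumption matching the text), and check_dc_addr reads the output of ip -4 addr show and accepts only exactly one global IPv4 address that is not a DHCP lease. The sample outputs embedded at the bottom are constructed from the ip a listings on this page. Run check_dc_addr "$(ip -4 addr show dev ens33)" 10.1.1.100 on the DC right before samba-tool domain provision: a lease lingering next to the static address is exactly what makes provisioning warn that more than one IPv4 address was found.

```shell
#!/usr/bin/env bash
# Added example (not from the post): pre-provision addressing checks for a
# Samba AD DC. A DC needs exactly one static IPv4 on its LAN interface; a
# DHCP lease that survives next to the static address makes
# `samba-tool domain provision` pick whichever address it finds first.

# Print an ifupdown stanza for a static address. The gateway/DNS values in
# the usage line at the bottom are assumptions matching this lab's network.
render_static_stanza() {
  local iface=$1 cidr=$2 gw=$3 dns=$4
  printf 'auto %s\niface %s inet static\n' "$iface" "$iface"
  printf '    address %s\n    gateway %s\n' "$cidr" "$gw"
  # dns-nameservers is only honoured when the resolvconf package is present;
  # otherwise edit /etc/resolv.conf by hand.
  printf '    dns-nameservers %s\n' "$dns"
}

# check_dc_addr "<output of: ip -4 addr show dev IFACE>" EXPECTED_IP
# Succeeds only if there is exactly one global IPv4 address, it equals
# EXPECTED_IP and it is not flagged "dynamic" (a DHCP lease).
check_dc_addr() {
  local ip_output=$1 expected=$2 verdict
  verdict=$(printf '%s\n' "$ip_output" | awk -v want="$expected" '
    $1 == "inet" && /scope global/ {
      n++
      split($2, a, "/")
      if (a[1] == want) found = 1
      if (/dynamic/) dyn = 1
    }
    END {
      if (n == 0)      print "no global IPv4 address"
      else if (n > 1)  print "more than one IPv4 address (" n ")"
      else if (!found) print "address is not " want
      else if (dyn)    print "address is a DHCP lease, not static"
      else             print "ok"
    }')
  [ "$verdict" = "ok" ] && return 0
  printf 'check failed: %s\n' "$verdict" >&2
  return 1
}

# Constructed samples modelled on the `ip a` output shown earlier on this page.
SAMPLE_DHCP='2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:50:ee:9a brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.23/24 brd 10.1.1.255 scope global dynamic ens33
       valid_lft 1616sec preferred_lft 1616sec'
SAMPLE_STATIC='2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:50:ee:9a brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.100/24 brd 10.1.1.255 scope global ens33
       valid_lft forever preferred_lft forever'
# The failure mode behind the provision warning: static address plus a stale lease.
SAMPLE_BOTH="$SAMPLE_STATIC
    inet 10.1.1.23/24 brd 10.1.1.255 scope global dynamic ens33
       valid_lft 1616sec preferred_lft 1616sec"

check_dc_addr "$SAMPLE_STATIC" 10.1.1.100 && echo "static sample: ok"
check_dc_addr "$SAMPLE_DHCP" 10.1.1.100 || echo "dhcp sample: rejected"
check_dc_addr "$SAMPLE_BOTH" 10.1.1.100 || echo "static+lease sample: rejected"

# On the DC:
#   render_static_stanza ens33 10.1.1.100/24 10.1.1.254 "10.1.1.100 1.1.1.1"
# goes into /etc/network/interfaces; after `systemctl restart networking`:
#   check_dc_addr "$(ip -4 addr show dev ens33)" 10.1.1.100
```

If check_dc_addr reports a lease next to the static address, flush it (ip addr flush dev ens33 followed by systemctl restart networking, or a reboot) before provisioning rather than letting samba-tool guess.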
Samba AD Provisioning
The following packages are required for provisioning Samba AD:
- samba: the core Samba suite. It provides file and print services, authentication and interoperability with Windows systems, and includes smbd (the SMB daemon), nmbd (the NetBIOS name daemon) and the samba binary that runs the Active Directory domain controller roles.
- smbclient: a command-line client for SMB/CIFS shares on remote servers, similar in feel to a traditional FTP client. Handy for testing shares against the DC.
- winbind: Samba's integration with Windows authentication. It lets a Linux host resolve domain users and groups and authenticate them against the domain, giving single sign-on (SSO) and user/group resolution. The AD DC process starts winbindd from this package, as the service's process tree shows later.
- krb5-config: the Debian package that prompts for and writes the system Kerberos configuration (/etc/krb5.conf): default realm, KDCs and administrative server. Kerberos is the authentication protocol at the heart of Active Directory.
- krb5-user: the MIT Kerberos client utilities such as kinit, klist and kdestroy, used to obtain tickets and to troubleshoot authentication against the DC.
- acl: userspace tools (getfacl, setfacl) for POSIX Access Control Lists, which give finer-grained permissions than the standard Unix mode bits. Samba stores Windows-compatible ACLs on the files it shares, so the filesystem must support them and these tools let you inspect the result.
- net-tools: a collection of legacy networking utilities (ifconfig, route, netstat). Newer distributions use iproute2 (ip, ss) instead, but the old commands remain familiar and useful for checking interfaces and connections.
Installation
root@samba-dc01:~# apt update -y && apt install -y samba smbclient winbind krb5-config krb5-user acl net-tools
Updating the package index and installing the required packages.
Kerberos Configuration
Installing the Kerberos packages krb5-config and krb5-user triggers a configuration prompt for the Kerberos realm. The realm must be entered in uppercase. For this lab session an arbitrary domain, CONTOSO.COM, is used.
Next, the setup asks for the Kerberos servers (KDCs) of the realm, which in an AD domain are the domain controllers. If you already have a domain and want to list all of its DCs, provide them here, as FQDNs.
The third prompt asks for the administrative server of the realm. In MIT Kerberos terms this is the host running the administration and password-change service (kadmind/kpasswd), which is distinct from the KDC proper. The KDC consists of the Authentication Service (AS), which issues ticket-granting tickets, and the Ticket-Granting Service (TGS), which issues service tickets; neither of them changes passwords. On a Samba AD DC the same samba process provides both the KDC and the kpasswd service (TCP/UDP 464), so the KDC and administrative server prompts normally name the same domain controller. In a multi-DC domain you can list several KDCs, while the administrative server is typically a single host.
As multi-DC setups are out of scope for this lab session, I answer both prompts with the Samba AD DC, samba-dc01.contoso.com. These answers matter little in the end: the krb5.conf generated during provisioning, which replaces this one, locates the KDC through DNS rather than static entries.
The installation of required packages is complete
smb.conf
root@samba-dc01:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.original
Setting aside the pre-existing smb.conf by renaming it. The Debian package ships a standalone-server smb.conf, and samba-tool domain provision reads an existing file and refuses to continue when its settings (server role, workgroup, realm) conflict with the answers given, so the shipped file would otherwise interfere with provisioning.
Provisioning
root@samba-dc01:~# samba-tool domain provision --use-rfc2307 --interactive
Realm: CONTOSO.COM
Domain [CONTOSO]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [10.1.1.254]: 1.1.1.1
Administrator password: Qwer1234
Retype password: Qwer1234
INFO 2024-03-09 07:26:56,768 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2108: Looking up IPv4 addresses
WARNING 2024-03-09 07:26:56,769 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2113: More than one IPv4 address found. Using 10.1.1.23
INFO 2024-03-09 07:26:56,769 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2125: Looking up IPv6 addresses
WARNING 2024-03-09 07:26:56,769 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2132: No IPv6 address will be assigned
INFO 2024-03-09 07:26:56,876 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2274: Setting up share.ldb
INFO 2024-03-09 07:26:56,883 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2278: Setting up secrets.ldb
INFO 2024-03-09 07:26:56,887 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2283: Setting up the registry
INFO 2024-03-09 07:26:56,899 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2286: Setting up the privileges database
INFO 2024-03-09 07:26:56,905 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2289: Setting up idmap db
INFO 2024-03-09 07:26:56,909 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2296: Setting up SAM db
INFO 2024-03-09 07:26:56,911 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #880: Setting up sam.ldb partitions and settings
INFO 2024-03-09 07:26:56,911 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #892: Setting up sam.ldb rootDSE
INFO 2024-03-09 07:26:56,912 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1305: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2024-03-09 07:26:56,924 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1383: Adding DomainDN: DC=contoso,DC=com
INFO 2024-03-09 07:26:56,927 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1415: Adding configuration container
INFO 2024-03-09 07:26:56,932 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1430: Setting up sam.ldb schema
INFO 2024-03-09 07:26:58,003 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1448: Setting up sam.ldb configuration data
INFO 2024-03-09 07:26:58,054 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1489: Setting up display specifiers
INFO 2024-03-09 07:26:58,747 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1497: Modifying display specifiers and extended rights
INFO 2024-03-09 07:26:58,760 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1504: Adding users container
INFO 2024-03-09 07:26:58,761 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1510: Modifying users container
INFO 2024-03-09 07:26:58,762 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1513: Adding computers container
INFO 2024-03-09 07:26:58,762 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1519: Modifying computers container
INFO 2024-03-09 07:26:58,763 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1523: Setting up sam.ldb data
INFO 2024-03-09 07:26:58,808 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1553: Setting up well known security principals
INFO 2024-03-09 07:26:58,824 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1567: Setting up sam.ldb users and groups
INFO 2024-03-09 07:26:58,905 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1575: Setting up self join
Repacking database from v1 to v2 format (first record CN=ShadowMin,CN=Schema,CN=Configuration,DC=contoso,DC=com)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=nTFRSSubscriptions-Display,CN=419,CN=DisplaySpecifiers,CN=Configuration,DC=contoso,DC=com)
Repacking database from v1 to v2 format (first record CN=User,CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com)
INFO 2024-03-09 07:26:59,360 pid:3070 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1198: Adding DNS accounts
INFO 2024-03-09 07:26:59,367 pid:3070 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1232: Creating CN=MicrosoftDNS,CN=System,DC=contoso,DC=com
INFO 2024-03-09 07:26:59,373 pid:3070 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1245: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2024-03-09 07:26:59,388 pid:3070 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1250: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com)
Repacking database from v1 to v2 format (first record CN=Infrastructure,DC=ForestDnsZones,DC=contoso,DC=com)
INFO 2024-03-09 07:26:59,463 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2012: Setting up sam.ldb rootDSE marking as synchronized
INFO 2024-03-09 07:26:59,466 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2017: Fixing provision GUIDs
INFO 2024-03-09 07:26:59,831 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
INFO 2024-03-09 07:26:59,831 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2024-03-09 07:26:59,871 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2082: Setting up fake yp server settings
INFO 2024-03-09 07:26:59,903 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #487: Once the above files are installed, your Samba AD server will be ready to use
INFO 2024-03-09 07:26:59,903 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #492: Server Role: active directory domain controller
INFO 2024-03-09 07:26:59,903 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #493: Hostname: samba-dc01
INFO 2024-03-09 07:26:59,903 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #494: NetBIOS Domain: CONTOSO
INFO 2024-03-09 07:26:59,903 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #495: DNS Domain: contoso.com
INFO 2024-03-09 07:26:59,903 pid:3070 /usr/lib/python3/dist-packages/samba/provision/__init__.py #496: DOMAIN SID: S-1-5-21-3380397836-1154231693-3537418295
Using samba-tool with the domain provision subcommand creates the new domain. The --use-rfc2307 flag loads the RFC 2307 schema extensions (uidNumber, gidNumber, loginShell and related attributes) so that Unix user and group information can be stored in the directory alongside the Windows accounts, which is what lets Unix-based hosts consume the same identities. --interactive asks for each parameter in turn: the Kerberos realm, the NetBIOS domain name, the server role, the DNS backend (SAMBA_INTERNAL is Samba's built-in DNS server) and the forwarder the internal DNS uses for names outside the domain, which I set to 1.1.1.1.
The Administrator account is created with the password entered at the prompt, Qwer1234 (shown in clear here only for the transcript; the prompt itself does not echo it).
Note the warning in the output: More than one IPv4 address found. Using 10.1.1.23. A DHCP lease was evidently still present on ens33 alongside the static address, so provisioning picked the old address and used it for the DC's own DNS records. Check ip -4 addr show dev ens33 before provisioning and flush any stale lease, or pass --host-ip=10.1.1.100 to make the choice explicit; once the service is running, confirm with host -t A samba-dc01.contoso.com 10.1.1.100 that the DC resolves to its static address.
Many more options exist for this step (DNS backends, functional levels, site names, and samba-tool domain join for adding a DC to an existing domain); see samba-tool domain provision --help and adjust to suit your needs.
krb5.conf
root@samba-dc01:~# cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
root@samba-dc01:~# cat /etc/krb5.conf
[libdefaults]
default_realm = CONTOSO.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
CONTOSO.COM = {
default_domain = contoso.com
}
[domain_realm]
samba-dc01 = CONTOSO.COM
The provisioning step generated a krb5.conf in the /var/lib/samba/private directory. It replaces the /etc/krb5.conf written from the krb5-config prompts during package installation. Copy it rather than symlinking, as the provisioning output warns. With dns_lookup_kdc = true, clients find the KDC through the _kerberos._tcp SRV records the DC publishes, so no static kdc entries are needed.
DNS Resolution
root@samba-dc01:~# cat /etc/resolv.conf
nameserver 10.1.1.100
options edns0 trust-ad
search contoso.com
The /etc/resolv.conf file must point at the DC's own DNS server. Only 10.1.1.100 is listed: the internal DNS server answers contoso.com authoritatively and forwards everything else to the 1.1.1.1 forwarder chosen during provisioning, so no public resolver belongs here. The search contoso.com line lets short names such as samba-dc01 resolve. If anything else manages this file (dhclient, resolvconf, systemd-resolved), make sure it does not overwrite the change on the next boot.
Disabling unnecessary services
root@samba-dc01:~# systemctl disable --now smbd nmbd winbind
Synchronizing state of smbd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable smbd
Synchronizing state of nmbd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable nmbd
Synchronizing state of winbind.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable winbind
I now disable the services that would interfere with samba-ad-dc.service. On an AD DC the samba binary starts its own smbd and winbindd (visible in the process tree below with --option=server role check:inhibit=yes), so the standalone smbd, nmbd and winbind units must stay disabled or they will compete for the same ports and databases.
samba-ad-dc.service
root@samba-dc01:~# systemctl unmask samba-ad-dc.service
Debian ships samba-ad-dc.service masked so that an unconfigured DC never starts by accident; it has to be unmasked before it can be enabled or started.
root@samba-dc01:~# systemctl status samba-ad-dc.service
○ samba-ad-dc.service - Samba AD Daemon
Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; preset: enabled)
Active: inactive (dead) (Result: exec-condition) since Sat 2024-03-09 07:00:00 EST; 43min ago
Condition: start condition failed at Sat 2024-03-09 07:00:00 EST; 43min ago
Docs: man:samba(8)
man:samba(7)
man:smb.conf(5)
CPU: 59ms
Mar 09 07:00:00 samba-dc01 systemd[1]: Starting samba-ad-dc.service - Samba AD Daemon...
Mar 09 07:00:00 samba-dc01 systemd[1]: samba-ad-dc.service: Skipped due to 'exec-condition'.
Mar 09 07:00:00 samba-dc01 systemd[1]: Condition check resulted in samba-ad-dc.service - Samba AD Daemon being skipped.
The samba-ad-dc.service is enabled but inactive: its ExecCondition (/usr/share/samba/is-configured) ran at package installation, before smb.conf described a DC, so systemd skipped it. A reboot makes systemd evaluate the condition again, which now passes; systemctl start samba-ad-dc would do the same without rebooting.
root@samba-dc01:~# systemctl status samba-ad-dc.service
● samba-ad-dc.service - Samba AD Daemon
Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; preset: enabled)
Active: active (running) since Sat 2024-03-09 07:48:14 EST; 20s ago
Docs: man:samba(8)
man:samba(7)
man:smb.conf(5)
Process: 572 ExecCondition=/usr/share/samba/is-configured samba (code=exited, status=0/SUCCESS)
Main PID: 583 (samba)
Status: "samba: ready to serve connections..."
Tasks: 59 (limit: 2265)
Memory: 236.7M
CPU: 1.677s
CGroup: /system.slice/samba-ad-dc.service
├─583 "samba: root process"
├─588 "samba: tfork waiter process(589)"
├─589 "samba: task[s3fs] pre-fork master"
├─590 "samba: tfork waiter process(592)"
├─591 "samba: tfork waiter process(593)"
├─592 "samba: task[rpc] pre-fork master"
├─593 /usr/sbin/smbd -D "--option=server role check:inhibit=yes" --foreground
├─594 "samba: tfork waiter process(595)"
├─595 "samba: task[nbt] pre-fork master"
├─596 "samba: tfork waiter process(598)"
├─597 "samba: tfork waiter process(602)"
├─598 "samba: task[wrepl] pre-fork master"
├─599 "samba: tfork waiter process(600)"
├─600 "samba: task[ldap] pre-fork master"
├─601 "samba: tfork waiter process(604)"
├─602 "samba: task[rpc] pre-forked worker(0)"
├─603 "samba: tfork waiter process(606)"
├─604 "samba: task[cldap] pre-fork master"
├─605 "samba: tfork waiter process(608)"
├─606 "samba: task[rpc] pre-forked worker(1)"
├─607 "samba: tfork waiter process(610)"
├─608 "samba: task[kdc] pre-fork master"
├─609 "samba: tfork waiter process(611)"
├─610 "samba: task[rpc] pre-forked worker(2)"
├─611 "samba: task[drepl] pre-fork master"
├─612 "samba: tfork waiter process(615)"
├─613 "samba: tfork waiter process(617)"
├─614 "samba: tfork waiter process(616)"
├─615 "samba: task[rpc] pre-forked worker(3)"
├─616 "samba: task[kdc] pre-forked worker(0)"
├─617 "samba: task[winbindd] pre-fork master"
├─618 "samba: tfork waiter process(620)"
├─619 "samba: tfork waiter process(623)"
├─620 "samba: task[kdc] pre-forked worker(1)"
├─621 "samba: tfork waiter process(628)"
├─622 "samba: tfork waiter process(625)"
├─623 "samba: task[ntp_signd] pre-fork master"
├─624 "samba: tfork waiter process(626)"
├─625 /usr/sbin/winbindd -D "--option=server role check:inhibit=yes" --foreground
├─626 "samba: task[kcc] pre-fork master"
├─627 "samba: tfork waiter process(630)"
├─628 "samba: task[kdc] pre-forked worker(2)"
├─629 "samba: tfork waiter process(632)"
├─630 "samba: task[dnsupdate] pre-fork master"
├─631 "samba: tfork waiter process(634)"
├─632 "samba: task[kdc] pre-forked worker(3)"
├─634 "samba: task[dns] pre-fork master"
├─641 "samba: tfork waiter process(642)"
├─642 "samba: task[ldap] pre-forked worker(0)"
├─643 "samba: tfork waiter process(644)"
├─644 "samba: task[ldap] pre-forked worker(1)"
├─645 "samba: tfork waiter process(646)"
├─646 "samba: task[ldap] pre-forked worker(2)"
├─647 "samba: tfork waiter process(648)"
├─648 "samba: task[ldap] pre-forked worker(3)"
├─649 /usr/sbin/smbd -D "--option=server role check:inhibit=yes" --foreground
├─650 /usr/sbin/smbd -D "--option=server role check:inhibit=yes" --foreground
├─651 "winbindd: domain child [CONTOSO]"
└─652 "winbindd: idmap child"
After rebooting, checking the samba-ad-dc.service through systemctl
reveals that the service is up and running.
This concludes the provisioning of Samba ADDC
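Before joining any client, verify what the DC actually registered in DNS, since a domain join starts with exactly these lookups. The following is an added example and not part of the original post. The two parsers read the output of the host command (from Debian's bind9-host or bind9-dnsutils package, an assumption; dig would need a different parser) and check that the DC's A record carries exactly the static address and that the SRV records an AD client uses to find a DC name this host on the right port. verify_live runs those queries against the DC's own DNS when DC_VERIFY_LIVE=1 is set; without it the script only exercises the parsers on constructed sample answers. The A-record check insists on exactly one address because of the More than one IPv4 address found. Using 10.1.1.23 warning seen during provisioning.

```shell
#!/usr/bin/env bash
# Added example (not from the post): post-provision DNS verification for a
# Samba AD DC. Domain join, Kerberos and Group Policy all begin with these
# lookups, so check them on the DC before touching any client.

DC_FQDN=${DC_FQDN:-samba-dc01.contoso.com}
DC_IP=${DC_IP:-10.1.1.100}
DOMAIN=${DOMAIN:-contoso.com}

# SRV records an AD client queries to locate a DC, and the port each must carry.
srv_names() {
  printf '%s\n' _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp \
    _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs
}
srv_port() {
  case $1 in
    _ldap.*)     echo 389 ;;
    _kerberos.*) echo 88 ;;
    _kpasswd.*)  echo 464 ;;
    *)           return 1 ;;
  esac
}

# a_record_ok "<output of: host -t A NAME [server]>" NAME IP
# `host` prints "NAME has address IP". Succeeds only if IP is the one and only
# address listed: a stale lease registered at provision time would show up
# as a second line here.
a_record_ok() {
  local out=$1 name=$2 ip=$3 addrs
  addrs=$(printf '%s\n' "$out" | awk -v n="$name" \
    '$1 == n && $2 == "has" && $3 == "address" { print $4 }')
  [ "$addrs" = "$ip" ]
}

# srv_points_to "<output of: host -t SRV NAME [server]>" TARGET_FQDN PORT
# `host` prints "NAME has SRV record PRIO WEIGHT PORT TARGET." (note the
# trailing dot). Succeeds if some record with PORT names TARGET_FQDN.
srv_points_to() {
  local out=$1 target=$2 port=$3
  printf '%s\n' "$out" | awk -v t="$target" -v p="$port" '
    $2 == "has" && $3 == "SRV" && $4 == "record" {
      tgt = $8; sub(/\.$/, "", tgt)
      if ($7 == p && tgt == t) ok = 1
    }
    END { exit (ok ? 0 : 1) }'
}

# Query the DC's own DNS server and report every record that is wrong.
verify_live() {
  local rc=0 name port
  if a_record_ok "$(host -t A "$DC_FQDN" "$DC_IP")" "$DC_FQDN" "$DC_IP"; then
    echo "A     $DC_FQDN -> $DC_IP"
  else
    echo "FAIL  A record for $DC_FQDN is not exactly $DC_IP" >&2; rc=1
  fi
  for name in $(srv_names); do
    port=$(srv_port "$name")
    if srv_points_to "$(host -t SRV "$name.$DOMAIN" "$DC_IP")" "$DC_FQDN" "$port"; then
      echo "SRV   $name.$DOMAIN -> $DC_FQDN:$port"
    else
      echo "FAIL  $name.$DOMAIN does not point at $DC_FQDN:$port" >&2; rc=1
    fi
  done
  return $rc
}

# Constructed sample answers in `host` output format (not captured from a DC).
SAMPLE_A_GOOD="$DC_FQDN has address $DC_IP"
SAMPLE_A_STALE="$DC_FQDN has address 10.1.1.23
$DC_FQDN has address $DC_IP"
SAMPLE_SRV="_ldap._tcp.$DOMAIN has SRV record 0 100 389 $DC_FQDN."

a_record_ok "$SAMPLE_A_GOOD" "$DC_FQDN" "$DC_IP" && echo "sample A record: ok"
a_record_ok "$SAMPLE_A_STALE" "$DC_FQDN" "$DC_IP" || echo "sample with stale 10.1.1.23: rejected"
srv_points_to "$SAMPLE_SRV" "$DC_FQDN" 389 && echo "sample SRV record: ok"

# On the DC, once samba-ad-dc is running:  DC_VERIFY_LIVE=1 bash verify-dc-dns.sh
if [ "${DC_VERIFY_LIVE:-0}" = 1 ]; then
  verify_live
fi
```

A failed A-record check after provisioning with a stale lease is fixed by removing the wrong record (samba-tool dns delete) and letting samba_dnsupdate re-register the DC; a missing SRV record usually means the DC's DNS is not the one being queried. Rounding this out by hand, kinit administrator@CONTOSO.COM followed by klist confirms the KDC, and smbclient -L localhost -N confirms the netlogon and sysvol shares.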
Joining the domain
Alongside the DC host (samba-dc01), I have already created a Windows VM (win10) to join the newly created CONTOSO.COM domain.
Clicking into the Connect button prompts for a Microsoft account, but we want an alternative action below; Join this device to a local Active Directory domain
DNS issue
This won't work initially, because the win10 host's DNS server is the NAT gateway at 10.1.1.254. The lookups a domain join depends on (such as the _ldap._tcp.dc._msdcs.contoso.com SRV record) therefore go out to the public internet and come back empty, so our domain, CONTOSO, is never found.
Static IP address
The Windows 10 Settings app doesn't let you override the DNS servers while leaving the address on DHCP (the classic adapter properties dialog, or Set-DnsClientServerAddress in PowerShell, does), so for simplicity I switch the whole configuration to static. The win10 host gets the static IP address 10.1.1.101 with its DNS server pointing to the samba-dc01 host at 10.1.1.100. In a real network the DHCP server would hand out the DC's address as the DNS server instead.
Validation
The win10 host can now resolve the samba-dc01 host to the correct IP address, 10.1.1.100.
Joining
Joining the domain now prompts for a credential. I will provide the credential of the Administrator user created during the provisioning step.
I will skip this step.
Restarting the PC now runs the provisioning process for the win10 host to become part of the CONTOSO.COM domain.
Back on the DC host, samba-dc01, we can confirm that the win10 host is now part of the domain.
New Domain User
root@samba-dc01:~# samba-tool user add john.doe Password123 --must-change-at-next-login
User 'john.doe' added successfully
root@samba-dc01:~# samba-tool user list
krbtgt
Guest
john.doe
Administrator
Additionally, I will create a domain user for testing, john.doe. This user account will be used to authenticate to the newly added host, win10.
Authentication
Back on the win10 host, the provisioning is complete and the machine has rebooted. I can attempt to log in with the newly created domain user account, john.doe.
Password Reset
It works! As I provided the --must-change-at-next-login flag during user creation, it prompts me to change the password. I will do just that: Password12
Complete!
Administration / Management
Managing and administering a Samba AD offers a multitude of advantages over conventional solutions. Leveraging the Linux platform, administrators can utilize scripting and automation tools to configure and harden the domain, enhancing security posture and operational efficiency. Additionally, Samba AD’s open-source nature fosters a vibrant community of users and developers, providing access to a wealth of knowledge and resources for ongoing support and collaboration. Organizations benefit from seamless integration with existing Linux infrastructure, customization options, and extensibility, allowing them to tailor the solution to meet specific requirements and scale effortlessly. Moreover, Samba AD provides granular control over security and privacy settings, cross-platform authentication, and high availability features, enabling organizations to achieve greater flexibility, reliability, and performance in managing their IT infrastructure.
root@samba-dc01:~# samba-tool
Usage: samba-tool <subcommand>
Main samba administration tool.
Options:
-h, --help show this help message and exit
Version Options:
-V, --version Display version number
Available subcommands:
computer - Computer management.
contact - Contact management.
dbcheck - Check local AD database for errors.
delegation - Delegation management.
dns - Domain Name Service (DNS) management.
domain - Domain management.
drs - Directory Replication Services (DRS) management.
dsacl - DS ACLs manipulation.
forest - Forest management.
fsmo - Flexible Single Master Operations (FSMO) roles management.
gpo - Group Policy Object (GPO) management.
group - Group management.
ldapcmp - Compare two ldap databases.
ntacl - NT ACLs manipulation.
ou - Organizational Units (OU) management.
processes - List processes (to aid debugging on systems without setproctitle).
rodc - Read-Only Domain Controller (RODC) management.
schema - Schema querying and management.
sites - Sites management.
spn - Service Principal Name (SPN) management.
testparm - Syntax check the configuration file.
time - Retrieve the time on a server.
user - User management.
visualize - Produces graphical representations of Samba network state.
For more help on a specific subcommand, please type: samba-tool <subcommand> (-h|--help)
Much like Microsoft’s ActiveDirectory PowerShell module, samba-tool is the dedicated command-line utility through which all management tasks can be conducted. It supports many features such as delegation, group policies, ACLs, forests, replication, etc.
There are also things that cannot be done with Samba AD, such as ADCS.
root@samba-dc01:~# samba-tool group create testingGroup
Added group testingGroup
root@samba-dc01:~# samba-tool group addmembers testingGroup john.doe
Added members to group testingGroup
For instance, I can create a group object, testingGroup, and add the john.doe user to it.
This can be confirmed.
From Windows
From a Windows host, MMC can be used to “natively” administer the domain as well.
While not all snap-ins are supported, since Samba AD has the domain functional level of Windows Server 2008 R2, the majority of AD features are supported. Additionally, the limited features can still be worked around.
Active Directory Users and Computers
Active Directory Users and Computers works perfectly.
I can add another user, jane.doe.
I can also add the john.doe user to the testingOU OU.
Computer Management
Computer Management is very much limited.
DNS
Administering DNS is supported.
SMB
SMB shares
root@samba-dc01:~# sudo -u superuser mkdir -p /home/superuser/secure
root@samba-dc01:~# echo "Can you see me?" > /home/superuser/secure/gp.txt
I can create an arbitrary directory, /home/superuser/secure, and share it over SMB.
It’s available.
Group Policy Management
Group Policy Management is also well supported.
Creating a GPO, Secure Share, under the CONTOSO.COM domain.
I will then map the //samba-dc01.contoso.com/secure share to the E: drive as secure.
The newly created GPO, Secure Share, is linked to the domain, affecting everyone in the Authenticated Users group.
Updating
The secure share is now mapped and available via GPO.
root@samba-dc01:~# samba-tool gpo listall
GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path : \\contoso.com\sysvol\contoso.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
version : 0
flags : NONE
GPO : {BAF99B8A-97D5-4255-A1C0-F3D7E874F7F0}
display name : Secure Share
path : \\contoso.com\SysVol\contoso.com\Policies\{BAF99B8A-97D5-4255-A1C0-F3D7E874F7F0}
dn : CN={BAF99B8A-97D5-4255-A1C0-F3D7E874F7F0},CN=Policies,CN=System,DC=contoso,DC=com
version : 393216
flags : NONE
GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path : \\contoso.com\sysvol\contoso.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
version : 0
flags : NONE
It can also be queried through samba-tool.
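The version field in this listing is a packed counter: the upper 16 bits hold the user-configuration version and the lower 16 bits the computer-configuration version, so 393216 means the Secure Share GPO has had six user-side edits and no computer-side ones. The following shell script is an added example (not from the original post or from the Samba project) that decodes that field from samba-tool gpo listall output; the input is a constructed sample shaped like the listing above, and tracking these numbers over time is a cheap way to notice unexpected GPO edits.

```shell
#!/bin/sh
# Added example: decode the packed GPO "version" field printed by
# `samba-tool gpo listall`. user version = high 16 bits,
# computer version = low 16 bits (gPCVersionNumber layout).

# Constructed sample, trimmed to the fields this script reads.
SAMPLE_GPO_LIST='GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
version      : 0
flags        : NONE
GPO          : {BAF99B8A-97D5-4255-A1C0-F3D7E874F7F0}
display name : Secure Share
version      : 393216
flags        : NONE
'

# decode_gpo_version VERSION
# Prints "user=<n> computer=<n>" for one packed version number.
decode_gpo_version() {
    v=$1
    user=$(( v / 65536 ))       # high 16 bits
    computer=$(( v % 65536 ))   # low 16 bits
    printf 'user=%d computer=%d\n' "$user" "$computer"
}

# gpo_version_report < listall-output
# Emits one line per GPO: "<display name>|<guid>|user=<n> computer=<n>".
# Diffing this report against a saved baseline shows which GPOs changed.
gpo_version_report() {
    awk -F' *: *' '
        $1 == "GPO"          { guid = $2 }
        $1 == "display name" { name = $2 }
        $1 == "version" {
            v = $2 + 0
            printf "%s|%s|user=%d computer=%d\n",
                   name, guid, int(v / 65536), v % 65536
        }'
}

# Stand-alone run over the constructed sample; on a real DC pipe
# `samba-tool gpo listall | gpo_version_report` instead.
printf '%s' "$SAMPLE_GPO_LIST" | gpo_version_report
```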
Updating again
As the GPO is being enforced, the john.doe user is unable to open the Control Panel.
The same goes for Add or Remove Programs: the user cannot launch Settings.
Trust
Limited support for domain trusts.
Sites and Services
Sites and Services is also supported
Conclusion
Following the thorough exploration and demonstration of Samba AD as a viable alternative to proprietary solutions like Microsoft’s Active Directory, it’s evident that Samba AD offers small to medium-sized enterprises a cost-effective (free) and feature-rich platform for efficient network management and scalability. Through the installation, configuration, and deployment of a Samba AD DC instance, along with the integration of a Windows machine, various AD features were showcased, highlighting its versatility and compatibility across different operating systems.
Despite its numerous advantages, including cost-effectiveness, cross-platform compatibility, and an active development community, it’s important to acknowledge certain limitations of Samba AD, such as the lack of native integration with Active Directory Certificate Services (ADCS), resulting in reduced functionality for advanced certificate management. Additionally, configuration complexity and compatibility challenges with third-party certificate authorities may pose hurdles for organizations with specific security requirements.
Nevertheless, Samba AD remains a compelling choice for organizations seeking to optimize their IT investments, streamline infrastructure management, and drive growth free of charge. By leveraging the flexibility and adaptability of open-source software, businesses can overcome limitations and tailor Samba AD to suit their unique needs, ultimately enhancing network efficiency and productivity.
In conclusion, Samba AD stands as a robust and cost-effective solution for directory services, offering a balance of features, scalability, and compatibility. By understanding its capabilities and limitations, organizations can make informed decisions regarding its deployment and maximize the benefits of open-source technology in their IT environments.