Tyler's Site

Abstract

Running a Windows server to get a domain controller with Active Directory is great, but it means dealing with Windows and activating Windows Server one way or another. A better solution is to run something that is free not only as in beer, but as in speech as well. This blog post explores the trials and tribulations of running a Samba 4 domain controller.

Setting up and getting started

I decided to use Parabola GNU/Linux for this project. There wasn’t really a particular reason for that, other than I just wanted to get a bit more familiar with Parabola; the main concepts in this blog post should stay the same, just replace the distro-specific commands with the equivalent for your distro (for example, pacman -Sy samba on an Arch-based distro would be apt install samba on a Debian-based distro; doas is interchangeable with sudo in this case).

I am not going to cover the installation as it is fairly straightforward from just following the installation guide and getting to the installed system. From there, I just setup a few basic quality of life things (neovim, doas, sshd, etc).

$ doas pacman -Sy python-markdown samba
$ doas samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=GALAXY.FOXIDE.LOCAL --domain=GALAXY --adminpass=S3curePW

Note: the python-markdown package is required (at least when I tried it) to actually get the domain to finish provisioning. If the package is not installed, the provisioning will fail saying that it is missing the required markdown packages.

Passing --adminpass on the command line leaves the Administrator password in the shell history and, briefly, in the process list. Leaving the option out is safer: samba-tool then generates a random Administrator password and prints it once in the provisioning summary, and it can be changed afterwards with samba-tool user setpassword Administrator. Whatever you choose, the password has to meet the default complexity policy (at least seven characters from three of the four character classes) or provisioning aborts.

The next step is getting Kerberos authentication to work. Samba ships a krb5.conf template (located at /usr/share/samba/setup/krb5.conf on my system, but mileage may vary) that can be copied to /etc/krb5.conf and filled in; provisioning also writes a ready-made one for the new realm at /var/lib/samba/private/krb5.conf on distro packages, which saves the editing below:

$ doas cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf
$ doas nvim /etc/krb5.conf

Then edit /etc/krb5.conf to match the provisioned domain. The key under [realms] has to be the full realm name (GALAXY.FOXIDE.LOCAL, not GALAXY), and [domain_realm] maps DNS names onto the realm, not the other way round. No kdc = line is needed: with dns_lookup_kdc = true the KDC is found through the _kerberos._tcp SRV records that Samba's internal DNS serves.

[libdefaults]
    default_realm = GALAXY.FOXIDE.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    GALAXY.FOXIDE.LOCAL = {
        default_domain = galaxy.foxide.local
    }

[domain_realm]
    .galaxy.foxide.local = GALAXY.FOXIDE.LOCAL
    galaxy.foxide.local = GALAXY.FOXIDE.LOCAL

Before starting Samba, point the DC's own resolver at the Samba DNS server (nameserver 127.0.0.1 and search galaxy.foxide.local in /etc/resolv.conf) and make sure nothing else is listening on port 53, because the SRV lookups that Kerberos relies on go through it. Then enable and start Samba as a service, and finally check that authentication is working properly:

$ doas systemctl enable samba
$ doas systemctl start samba
$ kinit Administrator
Password for Administrator@GALAXY.FOXIDE.LOCAL:
Warning: Your password will expire....

If you receive the warning about the password expiring for the account, then authentication has passed and is working on the domain (kinit never echoes the password; the expiry warning comes from the default maximum password age of 42 days). The kinit command can be used to check authentication for other users as well.
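The provisioning, krb5.conf and verification steps above, collected into one script. This is an added example, not code from the original post or from the Samba project; it assumes the Arch/Parabola unit name samba.service, the realm and domain names used in the post (overridable through the environment) and that it is run as root on the DC. Unlike the commands above it leaves --adminpass out so the Administrator password never enters the shell history, and it adds the DNS, SMB and Kerberos checks worth running before any client is joined.

```shell
#!/bin/sh
# provision-dc.sh: provision the Samba AD DC from the post, write a matching
# krb5.conf and check that DNS, SMB and Kerberos agree with each other.
# Added example, not code from the original post. Assumes the Arch/Parabola
# layout (samba.service, /etc/krb5.conf) and the post's realm/domain names;
# override them through the environment. Run as root on the DC.
set -eu

REALM="${REALM:-GALAXY.FOXIDE.LOCAL}"
DOMAIN="${DOMAIN:-GALAXY}"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"

# NetBIOS domain names are 1-15 characters with no dots or spaces.
netbios_ok() {
    n="$1"
    [ -n "$n" ] && [ "${#n}" -le 15 ] || return 1
    case "$n" in
        *.*|*' '*) return 1 ;;
    esac
    return 0
}

# A realm needs at least one dot: single-label realms break DNS-based KDC
# discovery and Windows clients refuse to join single-label domains.
realm_ok() {
    case "$1" in
        *.*) return 0 ;;
    esac
    return 1
}

# The DNS zone is the realm in lower case.
realm_to_zone() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Minimal krb5.conf for the realm. The [realms] key is the full realm name,
# [domain_realm] maps DNS names onto it, and the KDC itself is found through
# the _kerberos._tcp SRV records that Samba's internal DNS serves.
write_krb5_conf() {
    realm="$1"
    out="$2"
    zone=$(realm_to_zone "$realm")
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    $realm = {
        default_domain = $zone
    }

[domain_realm]
    .$zone = $realm
    $zone = $realm
EOF
}

provision() {
    netbios_ok "$DOMAIN" || { echo "bad NetBIOS domain name: $DOMAIN" >&2; exit 1; }
    realm_ok "$REALM"    || { echo "realm needs a dot: $REALM" >&2; exit 1; }
    # No --adminpass: samba-tool then generates a random Administrator password
    # and prints it once in the provisioning summary, so it never lands in the
    # shell history or in ps output. Change it afterwards with
    # samba-tool user setpassword Administrator.
    samba-tool domain provision --server-role=dc --use-rfc2307 \
        --dns-backend=SAMBA_INTERNAL --realm="$REALM" --domain="$DOMAIN"
    write_krb5_conf "$REALM" "$KRB5_CONF"
    # The DC has to resolve names through its own DNS, otherwise dns_lookup_kdc
    # and the SRV checks below fail (a resolver manager may overwrite this file).
    printf 'search %s\nnameserver 127.0.0.1\n' "$(realm_to_zone "$REALM")" > /etc/resolv.conf
    systemctl enable --now samba
}

verify() {
    zone=$(realm_to_zone "$REALM")
    host -t SRV "_ldap._tcp.$zone"          # LDAP service record
    host -t SRV "_kerberos._udp.$zone"      # KDC record used by dns_lookup_kdc
    smbclient -L localhost -N               # netlogon and sysvol must be listed
    kinit Administrator                     # a TGT proves KDC and krb5.conf agree
    klist
}

case "${1:-}" in
    provision) provision ;;
    verify)    verify ;;
    "")        ;;                           # no argument: just define the functions
    *)         echo "usage: $0 provision|verify" >&2; exit 1 ;;
esac
```

Run it as ./provision-dc.sh provision, then ./provision-dc.sh verify; with no argument it only defines its functions, so it can be sourced. The verify step must print SRV records for _ldap._tcp and _kerberos._udp, list the netlogon and sysvol shares and end with a ticket in klist; if the SRV lookups fail, /etc/resolv.conf is not pointing at the DC itself.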

Adding users

While it is not strictly necessary, it is usually a good idea to create a separate admin account that is used only for privilege escalation: the everyday account logs in to workstations, the admin account is used only for management tasks. The idea is that stolen user credentials are less dangerous than stolen admin credentials, so a compromised workstation session does not hand over the domain; though ideally credentials do not get stolen in the first place.

$ doas samba-tool user create tyler
$ doas samba-tool user create tyler.admin
$ doas samba-tool group addmembers "Domain Admins" tyler.admin
$ doas samba-tool group addmembers "Administrators" tyler.admin

I added my admin account to both the Administrators and the Domain Admins group. Domain Admins is the one that matters on workstations: when a computer joins the domain, Domain Admins is added to its local Administrators group, so an account that is not a Domain Admin (or otherwise a local administrator on that machine) cannot get past the User Account Control (UAC) prompt in Windows. The built-in Administrators group, by contrast, grants administrative rights on the domain controller itself.
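The two-account scheme above as a script, with the account-name check and the privileged-group review a practitioner would want to run periodically. This is an added example, not the post's or Samba's own code; it assumes samba-tool on the DC, the tyler / tyler.admin naming convention from above, and that it runs as root.

```shell
#!/bin/sh
# add-tiered-user.sh: create a daily-use account plus a separate ".admin"
# account, put only the latter into the privileged groups, and list who is
# in those groups. Added example, not from the original post; assumes
# samba-tool on the DC and the tyler / tyler.admin naming scheme. Run as root.
set -eu

# sAMAccountName rules: 1-20 characters, none of  " / \ [ ] : ; | = , + * ? < >
# and no spaces (Windows tooling rejects such names long after Samba accepts them).
samaccount_ok() {
    n="$1"
    [ -n "$n" ] && [ "${#n}" -le 20 ] || return 1
    # delete every forbidden character; the name is valid only if nothing was removed
    stripped=$(printf '%s' "$n" | tr -d '"/\\:;|=,+*?<> ][')
    [ "$stripped" = "$n" ]
}

admin_name() {
    printf '%s.admin' "$1"
}

create_tiered_user() {
    user="$1"
    admin=$(admin_name "$user")
    for n in "$user" "$admin"; do
        samaccount_ok "$n" || { echo "invalid account name: $n" >&2; return 1; }
    done
    # With no password argument samba-tool prompts for it (twice), so the
    # initial password never appears in the shell history or in ps output;
    # --must-change-at-next-login forces a fresh one at first logon.
    samba-tool user create "$user"  --must-change-at-next-login
    samba-tool user create "$admin" --must-change-at-next-login
    # Only the admin account becomes a Domain Admin. Domain Admins is nested
    # into the local Administrators group of every domain-joined Windows
    # machine, which is what lets it through UAC there.
    samba-tool group addmembers "Domain Admins" "$admin"
    # The built-in Administrators group governs the DC itself; add the admin
    # account there only if it is also supposed to administer the DC.
    samba-tool group addmembers "Administrators" "$admin"
}

# Periodic review: the daily-use accounts must never show up in these groups.
show_privileged() {
    for g in "Domain Admins" "Administrators" "Enterprise Admins" "Schema Admins"; do
        echo "== $g"
        samba-tool group listmembers "$g"
    done
}

case "${1:-}" in
    create) create_tiered_user "${2:?usage: $0 create <username>}" ;;
    show)   show_privileged ;;
    "")     ;;                          # no argument: just define the functions
    *)      echo "usage: $0 create <username> | show" >&2; exit 1 ;;
esac
```

./add-tiered-user.sh create tyler creates tyler and tyler.admin and prompts for each password; ./add-tiered-user.sh show prints the membership of the four privileged groups, which is the quick way to catch a daily-use account that has crept into Domain Admins.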

Users who log in on Unix machines need some extra attributes set (the RFC 2307 uid/gid data that --use-rfc2307 enabled during provisioning), which the Samba wiki page on adding users with samba-tool documents; this article is mostly focused on Windows clients for the domain, as that is what I am most familiar with currently. I will likely make another post specifically about Unix users and workstations on a Samba domain, as it looks slightly more complex (or possibly just unfamiliar) than a Windows environment.

Joining Windows Computer to Domain

I am only going to be covering how to do this in Windows 11, as that is what I am testing with; and really what you should be using at this point. If you would like a less bloated version of Windows or have problems with the hardware requirements, check out tiny11builder. I also did a previous post about making a smaller, more trimmed down version of Windows 11, if you would like to read that explaining the process.

Settings -> Accounts -> Access work or school -> Connect -> Join this device to a local Active Directory domain. Enter the domain name (galaxy.foxide.local) and, when prompted, the credentials of a domain account allowed to join computers (tyler.admin from above). Two things have to be true for the join to succeed: the client's DNS server must be the DC, because the client locates the domain through the _ldap._tcp.dc._msdcs SRV records that only Samba's DNS serves, and the client must be Windows 11 Pro, Enterprise or Education, since the Home edition cannot join a domain at all. Here is an article with more information and diagrams if you are having trouble.
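A DC-side check that the join actually worked, as an added example that is not part of the original post. It assumes the galaxy.foxide.local zone from the post, Samba's internal DNS answering on localhost, and that samba-tool is run on the DC; the hostname argument (for example ws01) is whatever the client calls itself.

```shell
#!/bin/sh
# verify-join.sh: confirm from the DC that a Windows client joined cleanly
# and registered itself in DNS. Added example, not from the original post;
# assumes the galaxy.foxide.local zone and a Samba DC reachable as localhost.
set -eu

ZONE="${ZONE:-galaxy.foxide.local}"
DNS_SERVER="${DNS_SERVER:-localhost}"
ADMIN_USER="${ADMIN_USER:-Administrator}"

# The computer account is the upper-cased host name with a trailing '$'.
computer_account() {
    printf '%s$' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# The A record the client should have registered via dynamic DNS update.
client_fqdn() {
    printf '%s.%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" "$ZONE"
}

# Read a `samba-tool computer list` dump on stdin and report whether the
# account for host $1 is in it (case-insensitive, whole line, '$' literal).
listed() {
    grep -qixF -- "$(computer_account "$1")"
}

verify_join() {
    client="$1"
    if samba-tool computer list | listed "$client"; then
        echo "computer account $(computer_account "$client"): present"
    else
        echo "computer account $(computer_account "$client"): missing, join failed" >&2
        return 1
    fi
    # Windows registers its own A record against Samba's internal DNS; when
    # this lookup fails the client is almost always using a DNS server other
    # than the DC. -U makes samba-tool prompt for the password.
    echo "expected FQDN: $(client_fqdn "$client")"
    samba-tool dns query "$DNS_SERVER" "$ZONE" "$client" A -U "$ADMIN_USER"
    # The SRV record the client used to locate a DC, as the DC itself sees it.
    host -t SRV "_ldap._tcp.dc._msdcs.$ZONE"
}

case "${1:-}" in
    verify) verify_join "${2:?usage: $0 verify <hostname>}" ;;
    "")     ;;                          # no argument: just define the functions
    *)      echo "usage: $0 verify <hostname>" >&2; exit 1 ;;
esac
```

./verify-join.sh verify ws01 should report the WS01$ account, print an A record for ws01 in the zone and list the DC's SRV record; a present account with no A record is the classic symptom of a client that joined through a cached lookup but is not using the DC for DNS, and it will start failing Group Policy and Kerberos logons.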

Managing Domain with Windows

The Windows Remote Server Administration Tools (RSAT) are the standard tools used to manage an Active Directory domain from a Windows workstation. There is also the option of using Windows Admin Center; however, this post is not about all the different methods of managing a domain, so I am not going to cover that here.

I installed the RSAT tools in PowerShell as installing them under the Windows feature menu didn’t work for me. To do that, open PowerShell as an administrator and run the following command:

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

You can do something a bit more clever than installing all of them, but that took more effort than I thought it was worth; if you only want specific tools, list the available capabilities with the same Get-WindowsCapability command and pass only the names you need to Add-WindowsCapability, or follow this guide.

This gives some familiar tools such as Active Directory Users and Computers and Group Policy Management, which allow managing the different aspects of the domain. From here, most Windows system administrators should see some semblance of familiarity in managing groups, users, and computers. As for shared printers, Samba can do that as well, but I am not covering it in this particular blog post; if that use-case interests you, there is this page that documents the process.

Resources

These are some of the resources that I used to get started with this project. The Samba documentation was great, but Matei Cezar’s blog post really helped filling in the gaps on using the samba-tool utility. Alternatively, just typing in samba-tool on the command line will bring up the various things that can be done with it, and some documentation will be provided from typing in samba-tool followed by the specific area of interest. For example, if I wanted to learn more about the DNS section of samba-tool, I could type samba-tool dns and it would spit out the available commands.

https://www.tecmint.com/manage-samba4-active-directory-linux-command-line/
https://wiki.samba.org/index.php/Adding_users_with_samba_tool
https://wiki.samba.org/index.php/Group_Policy