How to configure a Active Directory domain name

[antoniovalos]

I installed gentoo to make a samba file server to windows workstations as clients. I already installed samba and configured it. The shares are working, and I can access them from windows. I can also define restrictions distributed users. When the server user and the windows users differs, I need to put the server credentials to access the shares, when the server user and the windows user have the same name and passwors, i can access the shares automatically.

I want to be able to login on windows with a server user by adding windows to a domain. How can I configure a domain name on gentoo to be able to add a Active Directory domain?

[hdcg]

Hi antoniovalos,

you are looking for a Samba 4 Active Directory setup:
https://wiki.samba.org/index.php/Settin ... Controller
viewtopic-t-1068402-start-0.html

After successfully setting up Samba as an ADC you can join your Windows box to the Domain and login with your Domain credentials in a SSO style. If Winbind is configured you can also use your Domain credentials as your Linux credentials.

Beware, this is not an easy setup and involves several services (Samba, DNS, Kerberos).

Best Regards,
Holger

[antoniovalos]

I am reading the article, and it tells me to use "samba-tools", but in my samba installation I do not have such application. I installed samba by:

Code: Select all

# emerge --ask --noreplace net-fs/samba

Without any USE flag

What different I need to do to have this application available in my system?

[Hu]

I am reading the article, and it tells me to use "samba-tools"

Where does it say that? Setting up Samba as an Active Directory Domain Controller references bind-tools, but not samba-tools. Setting_up_Samba_as_an_Active_Directory_Domain_Controller only mentions tools as regards to other programs you should disable.

[hdcg]

I am using the following use flags for net-fs/samba:

Code: Select all

# emerge -pv1 net-fs/samba

These are the packages that would be merged, in order:

[ebuild   R    ] net-fs/samba-4.18.0::gentoo  USE="acl addc ads client json ldap pam python regedit syslog winbind zeroconf -ceph -cluster -cups -debug (-fam) -glusterfs -gpg -iprint -llvm-libunwind -profiling-data -quota (-selinux) -snapper -spotlight (-system-heimdal) -system-mitkrb5 -systemd (-test) -unwind" CPU_FLAGS_X86="aes" PYTHON_SINGLE_TARGET="python3_11 -python3_9 -python3_10" 0 KiB

This installed samba-tool as well. The latter is the main tool to setup and maintain a Samba DC.
To provision Samba as a Domain Controller, I used (in 2019) the following samba-tool call:

Code: Select all

samba-tool domain provision \
        --realm=$REALM \
        --domain=$DOMAIN \
        --server-role=dc \
        --dns-backend=BIND9_DLZ \
        --host-ip=$HOSTIP \
        --host-ip6=$HOSTIP6 \
        --function-level=2008_R2 \
        --use-rfc2307

(with all the variables set accordingly).

Especially for the DNS setup there are other options, depending on your overall system setup.

[antoniovalos]

I tried the command:

Code: Select all

# samba-tool domain provision --use-rfc2307 --interactive 

I got this warning during the interactive configuration:

Code: Select all

Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

I tried to restart samba:

Code: Select all

~# eselect rc restart samba
Restarting init script
setterm: terminal xterm does not support --blank
 * samba -> start: smbd ...
 * start-stop-daemon: failed to start `/usr/sbin/smbd'                    [ !! ]
 * samba -> start: nmbd ...
 * start-stop-daemon: failed to start `/usr/sbin/nmbd'                    [ !! ]
 * Error: starting services (see system logs)
 * samba -> stop: smbd ...
 * start-stop-daemon: no matching processes found                         [ ok ]
 * samba -> stop: nmbd ...
 * start-stop-daemon: no matching processes found                         [ ok ]
 * ERROR: samba failed to start

Log messages:

Code: Select all

[2023/04/11 13:37:53.739473,  0] ../../source3/smbd/server.c:1741(main)
  smbd version 4.16.9 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/04/11 13:37:53.745364,  0] ../../source3/smbd/server.c:1798(main)
  main: server role = 'active directory domain controller' not compatible with running smbd standalone.
  You should start 'samba' instead, and it will control starting smbd if required

[hdcg]

Please have a look at "/etc/conf.d/samba". Should look like this.

Code: Select all

# Add "winbind" to the daemon_list if you also want winbind to start.
# Replace "smbd nmbd" by "samba4" if you want the active directory domain controller part or the ntvfs
# file server part or the rpc proxy to start.
# Note that samba4 controls 'smbd' by itself, thus it can't be started manually. You can, however,
# tweak the behaviour of a samba4-controlled smbd by modifying your '/etc/samba/smb.conf' file
# accordingly.
daemon_list="samba4"
...

[antoniovalos]

I made this change, and now samba is working. I tried to join a windows workstation to the domain and I have a trouble.

on smb.conf I add an entry on global:
admin users = adminserv

and added this user and password

I made a typo and the message of inforrect password or invalid user

When I typed it right, the message says that was not possible join to the domain because of the name of the computer, I tried another names, but the error persists [access denied]

[hdcg]

For joining a workstation to the Domain, I suggest to use the vanilla admin account created during DC setup (Administrator). No need to configure additional ones.
Btw. users have to be created in the DC database (samba-tool user ...).

How does your DNS setup look like and how is the workstation resolved?
If DC is dc.dom.mydomain.net a workstation WS should have the name ws.dom.mycomain.net.
Ideally the reverse lookup of the corresponding IPs leads to the same name. My experience is, that mismatches here lead to all kind of obscure errors.

[antoniovalos]

I tried to add the user this way:

Code: Select all

~# samba-tool user add adminserver

And I tried th join the workstation to the domain using the login creted by this way.

To add the domainname, I used a simgle word like "MYSERVER".

When creating the smbconf file on interactive mode I've got this warning:

Code: Select all

Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

[hdcg]

Please post the output of the following commands, executed on the Domain Controller:

Code: Select all

samba-tool group listmembers Administrators

samba-tool user getgroups adminserver

The user used to register the workstation must be in the Administrators group.

Code: Select all

host <name of DC>

host MYSERVER

host <IP address of MYSERVER>

What DNS backend do you use for Samba?

[antoniovalos]

The outputs:

Code: Select all

~# samba-tool group listmembers Administrators
Enterprise Admins
Domain Admins
Administrator

Code: Select all

~# samba-tool user getgroups adminserver
Domain Users

DNS Backend: SAMBA_INTERNAL

[hdcg]

The user adminserver is not part of the Administrators group and therefore cannot be used for joining the Workstation.
Anyway I strongly suggest to use the Administrator account for that to keep it simple.
The steps to join a Windows Workstation to the Samba Domain are described here: https://wiki.samba.org/index.php/Joinin ... o_a_Domain

The important parts are:

• Use a local admin account to login into your Windows Workstation, as joining requires admin privileges for the Workstation.
• As soon as asked for the Domain Account to use for joining the Workstation, enter Administrator and the password you have set during Domain provisioning.

If the join operation succeeds, the Workstation will restart and afterwards you will be able to login into your Workstation using e.g. user name "<Your Domain Name>\adminserver" (or any other user you created via samba-tool user add ...). Please note, that this will be a new user profile on your Workstation. I am not aware of any way to convert a local user profile into a Domain user profile. However there are tools available to copy data and settings from one profile to another.

[antoniovalos]

I used this tutorial to configure the active directory:
https://wiki.samba.org/index.php/Settin ... Controller
and I got this warning message during the interative configuration, but the domain is working fine, and I already joided the PC to the domain:

Code: Select all

Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

I can just ignore this message, or this is something I need to worry about?
How can I determine a custom administrator user?

[hdcg]

Regarding

Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

Yes, you can ignore this message.

Regarding the Admin user. Simply add your user to the Administrators Group. See your previous post regarding the available options:

~# samba-tool group listmembers Administrators
Enterprise Admins
Domain Admins
Administrator

~# samba-tool user getgroups adminserver
Domain Users

So

Code: Select all

samba-tool group addmembers Administrators adminserver

should do the trick.

[antoniovalos]

Is it possible to acess my samba server remotely without the necessity of making a configuration in anywhere else, only configuring the server?
*the server has internet access
I want to acess the samba server from a configured windows workstation remotely.
Is this possible?

[hdcg]

Possible, yes. Simply use google to find the port you have to expose.
From a security point of view this is not advisable.
You would have to harden the Samba configuration to not expose any known design flaws of the protocol. And even then, only a simple password authentication protects your data.

Either use a VPN or a web based file access with proper MFA in front.

[antoniovalos]

I was looking for a solution to acess the samba from home, I saw "IPsec" vpn on the web interface, I become interested on it, and I was looking for a configuration that stands on the server and in the client, but only if here is a safe way to do this.

In the office we have this configuration:

Internet -> router1 -> router2 -> server

I want to connect the clients on the router2, the client must be able to acess internet and the server, the server woult not have network acess and clients connected to the router1 can't be able to acess the server.

How can I do this?