
dc01

First domain controller (PDC emulator) DC01

On the fabric server (the KVM host):

sudo virt-install --virt-type kvm --name dc01 \
  --location \
  https://deb.debian.org/debian/dists/bullseye/main/installer-amd64/ \
  --memory 1024 \
  --vcpus 1 \
  --disk pool=vmdisks,size=25,format=qcow2 \
  --network bridge=br0 \
  --hvm \
  --graphics none \
  --console pty,target_type=serial \
  --extra-args "console=ttyS0"

Configure Debian

Edit the interfaces file (nano /etc/network/interfaces) and set a static IP address:

# /etc/network/interfaces
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
allow-hotplug ens2
iface ens2 inet static
  address 10.115.100.4/24
  gateway 10.115.100.1

For now point /etc/resolv.conf at an external resolver; it is switched to the DC itself once Samba is provisioned:

# /etc/resolv.conf
search yourdomain.com
nameserver 1.1.1.1

Set the system locale to English so that log messages are easier to search for when troubleshooting:

apt install locales-all
localectl set-locale LANG=en_US.utf8
localectl status

Update Debian and install the necessary administration tools:

apt update
apt install wget sudo screen nmap telnet tcpdump rsync net-tools dnsutils htop \
apt-transport-https vim gnupg lsb-release

Create nano /etc/sudoers.d/10-nopasswd and add the line below. The % prefix makes it a group rule (emir is the per-user group Debian created with the account). Passwordless sudo on a domain controller means any hijacked session of that user is root, so keep the file mode 0440, validate it with visudo before logging out, and consider dropping NOPASSWD once the setup is finished:

%emir ALL=(ALL) NOPASSWD: ALL

Configure VIM

Open nano /etc/vim/vimrc and replace all its contents with:

runtime! debian.vim
syntax on
set background=dark
au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif
filetype plugin indent on
set encoding=utf-8
set nobackup
set nowritebackup
set showcmd
set updatetime=300
set showmatch
set ignorecase
set smartcase
set incsearch
set tabstop=2
set softtabstop=2
set shiftwidth=2
set expandtab
if filereadable("/etc/vim/vimrc.local")
  source /etc/vim/vimrc.local
endif

Create the user's vim config file (nano ~/.vimrc) and add:

set mouse=
set nocompatible
set cursorline
set nocursorcolumn
set nowrap
set showmode
set hlsearch
set wildmenu
set wildmode=list:longest
set wildignore=*.docx,*.jpg,*.png,*.gif,*.pdf,*.pyc,*.exe,*.flv,*.img,*.xlsx

Reboot the system and log on as the regular user, in my case emir.

Set same vim user preferences as above for current user.

Samba AD

To make installation and configuration easier, switch to root (sudo su).

If you have Windows 11 22H2 or later clients, the Samba 4.13 shipped in bullseye is too old for them; install the newer version from bullseye-backports. Edit vim /etc/apt/sources.list and add at the bottom of the file:

deb http://deb.debian.org/debian bullseye-backports main

Then install Samba with the Kerberos and LDAP tooling (DEBIAN_FRONTEND=noninteractive skips the krb5-config realm prompts; the realm is written by hand in the next step):

export DEBIAN_FRONTEND=noninteractive
apt update
apt -t bullseye-backports install acl attr samba winbind libnss-winbind krb5-user smbclient \
ldb-tools python3-cryptography ldap-utils samba-dsdb-modules samba-vfs-modules \
libpam-krb5 krb5-config
unset DEBIAN_FRONTEND

Modify /etc/krb5.conf (vim) and replace all its contents with the following four lines, using the Active Directory domain of your organization. Kerberos realm names are case-sensitive and default_realm must be written in UPPER CASE. dns_lookup_kdc = true means clients locate the KDC through the SRV records Samba publishes in DNS:

[libdefaults]
  default_realm = YOURDOMAIN.COM
  dns_lookup_kdc = true
  dns_lookup_realm = false

Delete /etc/samba/smb.conf if the package already generated one (rm -f /etc/samba/smb.conf); the provisioning command writes a fresh one. Provisioning uses the internal DNS backend by default; it is switched to BIND9_DLZ further down:

samba-tool domain provision --realm=YOURDOMAIN.COM --domain YOURDOMAIN --server-role=dc

Reset the Administrator password if needed:

samba-tool user setpassword administrator

Check the line dns forwarder = xxx.xxx.xxx in your file /etc/samba/smb.conf. It must point to a valid DNS server, e.g.:

dns forwarder = 1.1.1.1

Reconfigure DNS resolution for the DC itself: it must resolve the domain through its own DNS server, so in /etc/resolv.conf replace the external nameserver with 127.0.0.1:

# /etc/resolv.conf
search yourdomain.com
nameserver 127.0.0.1

The provisioning script writes a second krb5.conf into /var/lib/samba/private. Remove it and replace it with a symbolic link to /etc/krb5.conf so there is only one copy to maintain:

rm -f /var/lib/samba/private/krb5.conf
ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf

Enable the AD DC service so it starts at boot, and disable and mask the stand-alone/member-server units that would conflict with it:

systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl disable samba winbind nmbd smbd
systemctl mask samba winbind nmbd smbd

Reboot the machine

After rebooting, make sure Kerberos is configured correctly and that you get a TGT (klist should list krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM):

kinit administrator
klist

Test the DNS: external forwarding, the DC's own A record, and the LDAP SRV record clients use to find the DC:

dig @localhost google.fr
dig @localhost dc01.yourdomain.com
dig -t SRV @localhost _ldap._tcp.yourdomain.com

Install and configure NTP for Samba-AD

Kerberos rejects tickets whose timestamps are more than five minutes off, so the DC needs a reliable clock and domain members sync to it. Install chrony, choose upstream time servers, allow the LAN to query it, and point ntpsigndsocket at Samba's ntp_signd socket so chrony can sign replies for Windows clients:

apt install chrony
echo 'server 0.pool.ntp.org iburst' > /etc/chrony/sources.d/org-ntp-server.sources
echo 'server 1.pool.ntp.org iburst' >> /etc/chrony/sources.d/org-ntp-server.sources
echo 'server 2.pool.ntp.org iburst' >> /etc/chrony/sources.d/org-ntp-server.sources
echo 'allow 10.115.100.0/24' > /etc/chrony/conf.d/ad-dc.conf
echo 'ntpsigndsocket  /var/lib/samba/ntp_signd' >> /etc/chrony/conf.d/ad-dc.conf
echo 'hwclockfile /etc/adjtime' >> /etc/chrony/conf.d/ad-dc.conf
chronyc reload sources

Change the group of the directory containing the Samba socket so chrony can open it, then restart chrony (chronyc reload sources only re-reads sources.d; the conf.d changes take effect on restart):

chgrp -R _chrony /var/lib/samba/ntp_signd
systemctl restart chrony

Bind-DLZ

Samba-AD ships its own internal DNS server, which is enough for a small domain. This guide uses BIND9 with Samba's DLZ module instead, because it gives the full BIND feature set: forwarding policy, zone transfers to the secondaries configured below, and the usual BIND logging.

Install bind

For simplicity do sudo su

sudo apt install bind9 bind9utils

Edit /etc/bind/named.conf (sudo vim) and add:

include "/var/lib/samba/bind-dns/named.conf";

Modify the options section of /etc/bind/named.conf.options (vim). The 172.31.1.x addresses are the author's forwarders and secondary servers; replace them with your own. allow-query { any; } combined with forwarders makes this an open resolver for anyone who can reach port 53, so keep it behind the firewall or restrict recursion to your subnets:

options {
  directory "/var/cache/bind";

  forwarders {
    172.31.1.13;
    172.31.1.15;
    172.31.1.44;
  };
  allow-transfer {
    172.31.1.13;
    172.31.1.15;
    172.31.1.44;
  };
  also-notify {
    172.31.1.13;
    172.31.1.15;
    172.31.1.44;
  };

  allow-query { any; };

  dnssec-validation no;

  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };

  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

  minimal-responses yes;
};

Make BIND listen on IPv4 only (the -4 flag overrides the listen-on-v6 line above) and run as the bind user, in vim /etc/default/named:

# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-4 -u bind"

In vim /etc/samba/smb.conf, comment out the dns forwarder line (BIND does the forwarding now) and add the dns zone transfer clients allow line listing the servers that may pull the DLZ zones. The [global] section then looks like this:

# Global parameters
[global]
# dns forwarder = 172.31.1.13
  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
  idmap_ldb:use rfc2307 = yes
  dns zone transfer clients allow = 172.31.1.13, 172.31.1.15, 172.31.1.44
  netbios name = DC01
  realm = YOURDOMAIN.COM
  server role = active directory domain controller
  workgroup = YOURDOMAIN

[sysvol]
  path = /var/lib/samba/sysvol
  read only = No

[netlogon]
  path = /var/lib/samba/sysvol/yourdomain.com/scripts
  read only = No

Create the directory BIND's DLZ module needs in /var/lib/samba and give the bind group write access to it:

sudo mkdir -p /var/lib/samba/bind-dns/dns
sudo chmod 770 /var/lib/samba/bind-dns
sudo chown -R root:bind /var/lib/samba/bind-dns
sudo chmod -R g+w /var/lib/samba/bind-dns

Switch Samba's DNS backend to BIND9_DLZ; this writes /var/lib/samba/bind-dns/named.conf and the dns.keytab that named uses for signed dynamic updates:

samba_upgradedns --dns-backend=BIND9_DLZ

Check the named version (named -v):

BIND 9.16.37-Debian (Extended Support Version)

Edit sudo vim /var/lib/samba/bind-dns/named.conf and uncomment the module matching your BIND version. For 9.16 it is:

database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";

Then restart the Samba and BIND services:

systemctl restart samba-ad-dc
systemctl restart bind9

Ensure that it is BIND (named), not Samba's internal DNS, that is listening on port 53:

netstat -tapn | grep 53
  tcp     0    0 10.115.100.4:53    0.0.0.0:*    LISTEN      5291/named

Test local and recursive queries again (the same checks as before the switch, now answered by BIND):

dig @localhost microsoft.com
dig @localhost dc01.yourdomain.com
dig -t SRV @localhost _ldap._tcp.yourdomain.com

TLS

Move the certificate and key that were generated on the CA server and copied here into place (the private key must not be world-readable):

sudo mv ca.crt dc01.* /etc/samba/tls/
sudo chown root:root /etc/samba/tls/*
sudo cp /etc/samba/tls/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Edit vim /etc/samba/smb.conf and add:

[global]
  ...
  tls enabled  = yes
  tls keyfile  = /etc/samba/tls/dc01.key
  tls certfile = /etc/samba/tls/dc01.crt
  tls cafile   = /etc/samba/tls/ca.crt
  ...

Restart Samba and check TLS. openssl s_client exits 0 even when the chain fails to verify, so look for "Verify return code: 0 (ok)" in its output:

sudo systemctl restart samba-ad-dc.service
sudo openssl s_client -showcerts -connect dc01.yourdomain.com:636 -CAfile /etc/samba/tls/ca.crt
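The three things that most often go wrong at this point are a lower-case realm in krb5.conf, a resolv.conf that still points at the external resolver, and an s_client run that "succeeds" while the chain does not verify. The script below is an added example, not part of the original article: the file checks take a path so they can be run against any copy, dc_check runs them against the live host, and the paths and DC name it uses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): post-provision sanity checks
# for a Samba AD DC. Assumed paths: /etc/krb5.conf, /etc/resolv.conf and
# /etc/samba/tls/ca.crt; the DC's FQDN is passed to dc_check.

# Kerberos realm names are case-sensitive; Samba expects the upper-case form.
krb5_realm_ok() {  # usage: krb5_realm_ok /etc/krb5.conf
  realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" \
          | head -n 1 | tr -d '[:space:]')
  [ -n "$realm" ] || return 1
  [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# A DC must resolve its own domain through itself: the first nameserver in
# resolv.conf has to be 127.0.0.1, otherwise kinit and the SRV lookups are
# sent to the external forwarder, which knows nothing about the AD zone.
resolv_self_ok() {  # usage: resolv_self_ok /etc/resolv.conf
  first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
  [ "$first" = "127.0.0.1" ]
}

# openssl s_client exits 0 even when the chain does not verify, so the exit
# status proves nothing; the "Verify return code" line in its output does.
tls_verify_ok() {  # usage: tls_verify_ok <file with saved s_client output>
  grep -q 'Verify return code: 0 (ok)' "$1"
}

# Live check against this host. Returns non-zero if any check failed.
dc_check() {  # usage: dc_check dc01.yourdomain.com [/etc/samba/tls/ca.crt]
  host=$1; ca=${2:-/etc/samba/tls/ca.crt}; rc=0
  krb5_realm_ok /etc/krb5.conf || { echo "FAIL: default_realm missing or not upper case"; rc=1; }
  resolv_self_ok /etc/resolv.conf || { echo "FAIL: first nameserver is not 127.0.0.1"; rc=1; }
  out=$(mktemp)
  # LDAPS handshake only; </dev/null closes the session right afterwards
  openssl s_client -connect "$host:636" -CAfile "$ca" </dev/null >"$out" 2>&1
  if tls_verify_ok "$out"; then
    rm -f "$out"
  else
    echo "FAIL: LDAPS chain for $host did not verify, output kept in $out"; rc=1
  fi
  return "$rc"
}
```

Run dc_check dc01.yourdomain.com after each restart of samba-ad-dc; a failing TLS check usually means the CA file or the certificate's subject name does not match the FQDN you connect to.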

Create your AD (LDAP) structure

Create a new LDIF file (vim ous.ldif) with the OUs, parents before children:

dn: OU=System Accounts,DC=yourdomain,DC=com
changetype: add
objectClass: top
objectClass: OrganizationalUnit

dn: OU=Corporate,DC=yourdomain,DC=com
changetype: add
objectClass: top
objectClass: OrganizationalUnit

dn: OU=External Users,DC=yourdomain,DC=com
changetype: add
objectClass: top
objectClass: OrganizationalUnit

dn: OU=Users,OU=Corporate,DC=yourdomain,DC=com
changetype: add
objectClass: top
objectClass: OrganizationalUnit

dn: OU=Groups,OU=Corporate,DC=yourdomain,DC=com
changetype: add
objectClass: top
objectClass: OrganizationalUnit

dn: OU=Computers,OU=Corporate,DC=yourdomain,DC=com
changetype: add
objectClass: top
objectClass: OrganizationalUnit

Import ldif to LDAP:

sudo ldbadd -H /var/lib/samba/private/sam.ldb ous.ldif
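Generating the LDIF from a list of OU paths avoids the ordering mistake of adding a child before its parent (the add fails because the parent object does not exist yet). The helper below is an added example, not from the original article; the base DN and OU names are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original article): build the OU LDIF from
# slash-separated paths such as "Corporate/Users". Parent OUs are emitted
# before their children and duplicates are dropped, so "Corporate/Users"
# alone yields entries for both OU=Corporate and OU=Users,OU=Corporate.

# ou_dn "Corporate/Users" "DC=yourdomain,DC=com"
#   -> OU=Users,OU=Corporate,DC=yourdomain,DC=com
ou_dn() {
  dn=$2
  old_ifs=$IFS; IFS=/
  for seg in $1; do dn="OU=$seg,$dn"; done
  IFS=$old_ifs
  printf '%s\n' "$dn"
}

# Print every prefix of each path (Corporate, Corporate/Users, ...) once, in
# first-seen order, so a parent always precedes its children.
ou_paths() {
  for p in "$@"; do
    acc=""
    old_ifs=$IFS; IFS=/
    for seg in $p; do
      acc="${acc:+$acc/}$seg"
      printf '%s\n' "$acc"
    done
    IFS=$old_ifs
  done | awk '!seen[$0]++'
}

# ou_ldif BASE_DN path... -> LDIF on stdout, one add record per OU
ou_ldif() {
  base=$1; shift
  ou_paths "$@" | while IFS= read -r p; do
    printf 'dn: %s\nchangetype: add\nobjectClass: top\nobjectClass: organizationalUnit\n\n' \
      "$(ou_dn "$p" "$base")"
  done
}
```

ou_ldif 'DC=yourdomain,DC=com' 'System Accounts' Corporate 'External Users' Corporate/Users Corporate/Groups Corporate/Computers > ous.ldif reproduces the file above for the ldbadd command. Alternatively feed each ou_dn result to samba-tool ou create, which goes through Samba's own checks instead of writing to sam.ldb directly.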

Administration

Users and Groups

Create the first user in the Corporate OU with RFC 2307 attributes (the uidNumber, gidNumber, shell and home are what Linux members will see through winbind), then the employees group:

sudo samba-tool user create --userou='OU=Users,OU=Corporate' \
  --mail-address=emir@yourdomain.com --given-name=Emir --surname=Tucek \
  --initials=ET --nis-domain=yourdomain.com --uid-number=10000 \
  --login-shell=/bin/bash --unix-home=/home/emir --gid-number=10000 emir
sudo samba-tool group add --groupou='OU=Groups,OU=Corporate' \
  --description="Employees" --mail-address=employees@yourdomain.com employees
sudo samba-tool group addmembers employees emir
sudo samba-tool group addmembers "Domain Admins" emir
sudo samba-tool user setpassword emir
sudo samba-tool user setexpiry emir --noexpiry
sudo samba-tool group listmembers "Domain Admins"

Adding a daily-use account to Domain Admins is convenient in a lab; in production keep a separate administrative account so a compromised workstation session does not hand over the whole domain.

Create an unprivileged service account for the mail server in the System Accounts OU (the command prompts for a password):

sudo samba-tool user create vmail --userou='OU=System Accounts' \
  --description="Unprivileged user for mail server"
sudo samba-tool user setexpiry vmail --noexpiry

Test the vmail account with a simple bind over LDAPS, first by DN against the root DSE, then by UPN with a search of the Corporate OU:

ldapsearch -H ldaps://dc01.yourdomain.com:636 -x -D "cn=vmail,ou=System Accounts,dc=yourdomain,dc=com" -W -s base -b "" supportedSASLMechanisms
ldapsearch -H ldaps://dc01.yourdomain.com:636 -x -D 'vmail@yourdomain.com' -W -b 'ou=Corporate,dc=yourdomain,dc=com'

DNS

Create reverse (PTR) zones for the RFC 1918 ranges you use:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

PTR zones (note that 16.172.in-addr.arpa only covers 172.16.0.0/16; the 172.16.0.0/12 block spans 172.16 to 172.31 and needs one such zone per /16 in use):

samba-tool dns zonecreate dc01.yourdomain.com 168.192.in-addr.arpa
samba-tool dns zonecreate dc01.yourdomain.com 16.172.in-addr.arpa
samba-tool dns zonecreate dc01.yourdomain.com 10.in-addr.arpa

Creating records. In 10.in-addr.arpa the record name is the remaining three octets in reverse order, so 10.115.100.4 is 4.100.115. The sequence below adds a wrong PTR for dc01, deletes it, and then adds the correct records for dc01 and dc02:

samba-tool dns add dc01.yourdomain.com yourdomain.com mail A 10.115.100.6
samba-tool dns add dc01.yourdomain.com 10.in-addr.arpa 5.100.115 PTR dc01.yourdomain.com
samba-tool dns delete dc01.yourdomain.com 10.in-addr.arpa 5.100.115 PTR dc01.yourdomain.com
samba-tool dns add dc01.yourdomain.com 10.in-addr.arpa 4.100.115 PTR dc01.yourdomain.com
samba-tool dns add dc01.yourdomain.com 10.in-addr.arpa 5.100.115 PTR dc02.yourdomain.com

Listing zone

samba-tool dns query dc01.yourdomain.com yourdomain.com @ ALL
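Working out the reverse zone and the relative record name by hand is where the mistaken 5.100.115 entry above came from. The helper below is an added example that is not part of the original article: it validates the address, picks the zone the article created for each RFC 1918 range, and prints the samba-tool command; the DC name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): derive the reverse zone and
# relative record name for an IPv4 address and print the matching samba-tool
# dns command. Zone layout follows the article: 10.in-addr.arpa (/8) and
# per-/16 zones such as 16.172.in-addr.arpa and 168.192.in-addr.arpa.

# Validate a dotted quad and print its four octets separated by spaces.
split_ipv4() {
  case $1 in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  printf '%s %s %s %s\n' "$1" "$2" "$3" "$4"
}

# ptr_name IP PREFIX -> "ZONE RELATIVE_NAME" for a /8, /16 or /24 reverse zone
#   ptr_name 10.115.100.4 8 -> 10.in-addr.arpa 4.100.115
ptr_name() {
  octets=$(split_ipv4 "$1") || return 1
  set -- $octets "$2"
  case $5 in
    8)  printf '%s.in-addr.arpa %s.%s.%s\n' "$1" "$4" "$3" "$2" ;;
    16) printf '%s.%s.in-addr.arpa %s.%s\n' "$2" "$1" "$4" "$3" ;;
    24) printf '%s.%s.%s.in-addr.arpa %s\n' "$3" "$2" "$1" "$4" ;;
    *)  return 1 ;;
  esac
}

# Prefix length of the zone the article uses for each RFC 1918 range; fails
# for any other address. 172.17.x and up need their own NN.172 zone first.
rfc1918_prefix() {  # usage: rfc1918_prefix IP -> 8 or 16
  octets=$(split_ipv4 "$1") || return 1
  set -- $octets
  if [ "$1" -eq 10 ]; then echo 8
  elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo 16
  elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo 16
  else return 1
  fi
}

# ptr_cmd DC IP FQDN -> the samba-tool dns add line for the PTR record
ptr_cmd() {
  prefix=$(rfc1918_prefix "$2") || return 1
  set -- "$1" "$3" $(ptr_name "$2" "$prefix")
  [ $# -eq 4 ] || return 1
  printf 'samba-tool dns add %s %s %s PTR %s\n' "$1" "$3" "$4" "$2"
}

# ptr_bulk DC < hosts.txt, one "IP FQDN" pair per line; unusable lines are
# reported on stderr and skipped rather than turned into wrong records.
ptr_bulk() {
  while read -r ip fqdn; do
    ptr_cmd "$1" "$ip" "$fqdn" || echo "# skipped $ip ($fqdn): not in a supported zone" >&2
  done
}
```

ptr_cmd dc01.yourdomain.com 10.115.100.5 dc02.yourdomain.com prints the corrected dc02 line from above; a file of "IP FQDN" pairs piped through ptr_bulk dc01.yourdomain.com | sh applies them all.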

Samba AD DC tries to start and fails on reboot

With the BIND9_DLZ backend, samba-ad-dc can be started before named and the network are ready and then fail at boot. Add a systemd drop-in that orders it after them; sudo systemctl edit samba-ad-dc creates the directory /etc/systemd/system/samba-ad-dc.service.d and the override file for you:

# /etc/systemd/system/samba-ad-dc.service.d/override.conf
[Unit]
After=network.target network-online.target bind9.service