Installing Samba AD

Come here to talk about your experience with Samba4, your opinion and your wishes.
Dohakor
Messages: 13
Registration: May 9, 2020 - 2:59 p.m.
Location: Nantes

May 14, 2020 - 5:30 PM

Hello everyone :)

I want to install a Samba AD server on a Raspberry Pi. This is to learn more about managing Active Directory.

However, the installation is not working.

Context :

To do this I have a Raspberry Pi 3 B+ running Raspbian Buster Lite.

My network is managed by my Orange box (Router, DNS, etc...)

The Raspberry Pi's OS is clean (new installation).

I connect to the Raspberry Pi via SSH (before: 192.168.1.19 / after: 192.168.1.150).

Setting :

Here is the content of the files:

/etc/hosts :

127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

127.0.1.1               raspberrypi
192.168.1.150           srvads.dohakor.lan      srvads

/etc/hostname :

srvads.dohakor.lan

For the IP address, I used the /etc/dhcpcd.conf file instead:

# A sample configuration for dhcpcd.
# See dhcpcd.conf(5) for details.

# Allow users of this group to interact with dhcpcd via the control socket.
#controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
hostname

# Use the hardware address of the interface for the Client ID.
clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
# Some non-RFC compliant DHCP servers do not reply with this set.
# In this case, comment out duid and enable clientid above.
#duid

# Persist interface configuration when dhcpcd exits.
persistent

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option set
# on the server to actually work.
option rapid_commit

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu

# Most distributions have NTP support.
#option ntp_servers

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate SLAAC address using the Hardware Address of the interface
#slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID
slaac private

# Example static IP configuration:
interface eth0
static ip_address=192.168.1.150/24
#static ip6_address=fd51:42f8:caae:d92e::ff/64
static routers=192.168.1.1
static domain_name_servers=192.168.1.150 8.8.8.8

# It is possible to fall back to a static IP if DHCP fails:
# define static profile
#profile static_eth0
#static ip_address=192.168.1.23/24
#static routers=192.168.1.1
#static domain_name_servers=192.168.1.1

# fallback to static profile on eth0
#interface eth0
#fallback static_eth0

But what I changed is this:

# Example static IP configuration:
interface eth0
static ip_address=192.168.1.150/24
#static ip6_address=fd51:42f8:caae:d92e::ff/64
static routers=192.168.1.1
static domain_name_servers=192.168.1.150 8.8.8.8

/etc/krb5.conf :

[libdefaults]
  default_realm = DOHAKOR.LAN
  dns_lookup_kdc = true
  dns_lookup_realm = false

/etc/samba/smb.conf :

# Global parameters
[global]
        dns forwarder = 192.168.1.150
        netbios name = SRVADS
        realm = DOHAKOR.LAN
        server role = active directory domain controller
        workgroup = DOHAKOR

[netlogon]
        path = /var/lib/samba/sysvol/dohakor.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Regarding the /etc/resolv.conf file, I added the following lines:

search dohakor.lan
nameserver 127.0.0.1

However, after a reboot, my changes are gone :/

Finally, my problem is this: when I run the command kinit administrator or sudo kinit administrator, here's what I get:

kinit: Cannot find KDC for realm "DOHAKOR.LAN" while getting initial credentials

And after a dig @localhost srvads.dohakor.lan :

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> @localhost srvads.dohakor.lan
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

If anyone can help me, that would be really great. I've been working on this problem for several days now and I can't figure out what's causing it.

Thank you in advance :)
vcardon
WAPT Expert
Messages: 278
Registration: Oct 06, 2017 - 10:55 p.m.
Location: Nantes, France

May 14, 2020 - 7:44 PM

Dohakor wrote: May 14, 2020 - 5:30 PM
I want to install a Samba AD server on a Raspberry Pi. This is to learn more about managing Active Directory.

However, the installation isn't working.

I have a Raspberry Pi 3 B+ running Raspbian Buster Lite.

Hello, if this is your first time doing Samba-AD, I advise you to start on a distribution supported in the documentation.

This will eliminate that initial uncertainty from your search scope.

Even an old second-hand PC for less than 50 EUR will allow you to run CentOS or Debian and get some practice.

Your approach is intriguing, and we'd be interested to see you achieve your goal. I'm just afraid you won't have much help beyond implementing this first piece of advice.

Sincerely.

Vincent
Vincent CARDON
Tranquil IT

Dohakor
Messages: 13
Registration: May 9, 2020 - 2:59 p.m.
Location: Nantes

May 14, 2020 - 8:06 PM

Hello :)

Very well. I do indeed have an old PC on which I can install Debian.
I'll try it on that.

I wanted to try it first on a local installation and I thought it would work on a Raspberry Pi.

I also have a server at OVH (Starter plan, 1 vCore - 2 GB of RAM) but I'm a little worried about the security of my server.
vcardon
WAPT Expert
Messages: 278
Registration: Oct 06, 2017 - 10:55 p.m.
Location: Nantes, France

May 14, 2020 - 8:16 PM

Dohakor wrote: May 14, 2020 - 8:06 PM
I also have a server at OVH (Starter offer 1 vCore - 2 GB of RAM) but I am a little worried about the security of my server.

Storing your passwords close to home is a good habit :D

Vincent
Vincent CARDON
Tranquil IT

Dohakor
Messages: 13
Registration: May 9, 2020 - 2:59 p.m.
Location: Nantes

May 14, 2020 - 8:42 PM

I started trying to install it on a Debian 10 VM but I'm already having some problems.

After adding the apt repository, when I run `apt-get update` I get the following:

root@srvads:/home/jbwittner# apt-get update
Hit:1 http://security.debian.org/debian-security buster/updates InRelease
Ign:2 https://samba.tranquil.it/debian/samba-4.10 buster InRelease
Err:3 https://samba.tranquil.it/debian/samba-4.10 buster Release
  404  Not Found [IP: 195.154.18.18 443]
Hit:4 http://deb.debian.org/debian buster InRelease
Hit:5 http://deb.debian.org/debian buster-updates InRelease
Reading package lists... Done
E: The repository 'https://samba.tranquil.it/debian/samba-4.10 buster Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Dohakor
Messages: 13
Registration: May 9, 2020 - 2:59 p.m.
Location: Nantes

May 14, 2020 - 8:50 PM

Initially, I did a small installation on a VM.

I'm still having the problem with the command kinit administrator :

kinit: Cannot find KDC for realm "DOHAKOR.LAN" while getting initial credentials

However, I get better results for the DNS test part:

dig @localhost google.fr :

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @localhost google.fr
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38950
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.fr.                     IN      A

;; ANSWER SECTION:
google.fr.              67      IN      A       172.217.22.131

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu May 14 20:48:09 CEST 2020
;; MSG SIZE  rcvd: 43

dig @localhost srvads.dohakor.lan :

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @localhost srvads.dohakor.lan
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23041
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;srvads.dohakor.lan.            IN      A

;; ANSWER SECTION:
srvads.dohakor.lan.     900     IN      A       192.168.1.150

;; AUTHORITY SECTION:
dohakor.lan.            3600    IN      SOA     srvads.dohakor.lan. hostmaster.dohakor.lan. 1 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu May 14 20:48:21 CEST 2020
;; MSG SIZE  rcvd: 99

dig -t SRV @localhost _ldap._tcp.dohakor.lan :

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> -t SRV @localhost _ldap._tcp.dohakor.lan
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46905
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.dohakor.lan.                IN      SRV

;; ANSWER SECTION:
_ldap._tcp.dohakor.lan. 900     IN      SRV     0 100 389 srvads.dohakor.lan.

;; AUTHORITY SECTION:
dohakor.lan.            3600    IN      SOA     srvads.dohakor.lan. hostmaster.dohakor.lan. 1 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu May 14 20:50:31 CEST 2020
;; MSG SIZE  rcvd: 114

I think the difference is that I haven't changed the DNS and I'm leaving it pointing to my router:

/etc/network/interfaces :

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto enp0s3
iface enp0s3 inet static
    address 192.168.1.150/24
    gateway 192.168.1.1

# This is an autoconfigured IPv6 interface
iface enp0s3 inet6 auto

/etc/samba/smb.conf :

# Global parameters
[global]
        dns forwarder = 192.168.1.1
        netbios name = SRVADS
        realm = DOHAKOR.LAN
        server role = active directory domain controller
        workgroup = DOHAKOR

[netlogon]
        path = /var/lib/samba/sysvol/dohakor.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Dohakor
Messages: 13
Registration: May 9, 2020 - 2:59 p.m.
Location: Nantes

May 14, 2020 - 10:29 PM

After attempting an installation under Debian 9 (VM), I am still encountering the same error.
dcardon
WAPT Expert
Messages: 1929
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire

May 15, 2020 - 11:38

A domain controller should not be configured with DHCP. The TIS documentation clearly states to assign it a static IP address. Your resolv configuration is being overwritten by dhclient. While it's possible to configure dhclient to prevent this, it's strongly discouraged on an Active Directory server.

Regards,

Denis
Denis Cardon - Tranquil IT

Dohakor
Messages: 13
Registration: May 9, 2020 - 2:59 p.m.
Location: Nantes

May 15, 2020 - 12:18

Good morning,

Thank you for your response :).

That's exactly what I did on my VMs; I do have a static IP address:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto enp0s3
iface enp0s3 inet static
    address 192.168.1.150/24
    gateway 192.168.1.1

# This is an autoconfigured IPv6 interface
iface enp0s3 inet6 auto
dcardon
WAPT Expert
Messages: 1929
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire

May 15, 2020 - 2:09 PM

Oddly enough, most of the time it's dhclient that overwrites the /etc/resolv.conf file.

Two other potential culprits are resolvconf (the program with its conf in /etc/resolvconf/resolv.conf.d/) and NetworkManager.

You can try adding something like this to /etc/network/interfaces:

    dns-search example.com
    dns-nameservers 127.0.0.1

Your installation is a clean install, but is it a minimal install? The documentation on https://dev.tranquil.it/samba/fr/index.html is based on a minimal installation with only ssh enabled.

Sincerely,

Denis
Denis Cardon - Tranquil IT
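The three conditions discussed in this thread (resolv.conf must point at the DC itself and not be rewritten by dhclient, krb5.conf must name the provisioned realm, and kinit must be able to find the KDC through a DNS SRV record) as a small pre-flight script. This is an added example, not code from the thread or from Tranquil IT; it assumes the thread's realm DOHAKOR.LAN and DC address 192.168.1.150, and the sample files it writes are constructed.

```shell
#!/bin/sh
# Added pre-flight checks for a Samba AD DC; not from the thread or Tranquil IT.
# Assumes the thread's values: realm DOHAKOR.LAN, DC static IP 192.168.1.150.

# Is the first nameserver the DC itself (loopback or its own static IP)?
resolv_points_to_dc() { # $1 = resolv.conf path, $2 = DC IP
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    case "$first" in
        127.0.0.1|::1|"$2") return 0 ;;
        *) return 1 ;;
    esac
}

# Does krb5.conf's default_realm match the realm Samba was provisioned with?
realms_match() { # $1 = smb.conf path, $2 = krb5.conf path
    smb=$(sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    krb=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$2" | head -n 1)
    [ -n "$smb" ] && [ "$smb" = "$krb" ]
}

# Did a "dig -t SRV" reply (read on stdin) answer with an SRV record?
# With dns_lookup_kdc = true, kinit locates the KDC only through such a record.
srv_answered() {
    awk '/^;; ANSWER SECTION:/ { ans = 1; next }
         /^$/ { ans = 0 }
         ans && $4 == "SRV" { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Constructed sample inputs modelled on the thread (not real captures).
dir=$(mktemp -d)
printf 'search dohakor.lan\nnameserver 192.168.1.1\n' > "$dir/resolv.dhclient"  # as rewritten by dhclient
printf 'search dohakor.lan\nnameserver 127.0.0.1\n'   > "$dir/resolv.intended"  # what the poster wrote
printf '[global]\n\trealm = DOHAKOR.LAN\n' > "$dir/smb.conf"
printf '[libdefaults]\n  default_realm = DOHAKOR.LAN\n' > "$dir/krb5.conf"
srv_reply=';; ANSWER SECTION:
_kerberos._udp.dohakor.lan. 900 IN SRV 0 100 88 srvads.dohakor.lan.
'

for f in resolv.dhclient resolv.intended; do
    if resolv_points_to_dc "$dir/$f" 192.168.1.150; then
        echo "$f: first nameserver is the DC (OK)"
    else
        echo "$f: first nameserver is not the DC; expect 'Cannot find KDC'"
    fi
done
realms_match "$dir/smb.conf" "$dir/krb5.conf" && echo "smb.conf and krb5.conf realms match"
printf '%s' "$srv_reply" | srv_answered && echo "KDC SRV record answered"
rm -rf "$dir"
```

On a real DC, feed the functions the live /etc/resolv.conf, /etc/samba/smb.conf and /etc/krb5.conf, and pipe in the output of dig -t SRV @localhost _kerberos._udp.dohakor.lan.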