Unfortunately RHEL 7 and RHEL 8 do not support running Samba as an Active Directory Domain Controller (AD DC):
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers
Therefore you need to download the samba sources and compile them yourself.
https://download.samba.org/pub/samba/stable
In this example we use the following settings:
- Server names:
  - server1.example.com: 192.168.10.1/24
  - server2.example.com: 192.168.10.2/24
- Domain name: DOM1
- External DNS server: 8.8.8.8
Samba 4 must use its own built-in DNS server for local domain names (e.g. client1.example.com); there is no option to point those at a separate DNS server. You may define a forwarder DNS server for all non-local domain names (e.g. http://www.microsoft.com). In this example we use the public Google DNS server 8.8.8.8 as the forwarder, but any other DNS server that resolves non-local names will do.
1. Install necessary packages

```bash
sudo dnf install gcc libacl-devel libblkid-devel gnutls-devel readline-devel python36-devel gdb \
    krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins \
    python3-policycoreutils python3-libsemanage python3-setools popt-devel libpcap-devel \
    sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel \
    keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils libxslt docbook-style-xsl \
    openldap-devel pam-devel bzip2 lmdb-devel perl-Parse-Yapp jansson-devel libarchive-devel \
    python3-iso8601 python3-pyasn1 python3-markdown python3-dns rpcgen libtirpc-devel
```
2. Download tarball

```bash
curl -O https://download.samba.org/pub/samba/stable/samba-4.14.6.tar.gz
tar -xzvf samba-4.14.6.tar.gz
cd samba-4.14.6
```
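Because the sources are compiled by hand rather than installed from a signed RHEL package, it is worth checking the tarball against the detached GPG signature that the Samba project publishes next to it before building. The script below is an added example, not part of the original page: it assumes the signature file is named like the tarball with `.tar.asc` in place of `.tar.gz`, that the signature covers the uncompressed tar (which is how Samba signs releases), and that the release key is published at the `SAMBA_PUBKEY_URL` given below; confirm the key fingerprint against the Samba download page before trusting it.

```shell
#!/bin/sh
# Added example: verify a Samba release tarball against its detached signature.
# Not part of the original page. Key URL and signature naming are assumptions
# taken from Samba's download page; check the fingerprint there.

SAMBA_BASE_URL="https://download.samba.org/pub/samba/stable"
SAMBA_PUBKEY_URL="https://download.samba.org/pub/samba/samba-pubkey.asc"   # assumed location

# Map a release tarball name to its detached signature name
# (samba-X.tar.gz -> samba-X.tar.asc).
samba_sig_name() {
    printf '%s\n' "$1" | sed 's/\.tar\.gz$/.tar.asc/'
}

# Name of the uncompressed tar that the signature covers (samba-X.tar.gz -> samba-X.tar).
samba_tar_name() {
    printf '%s\n' "$1" | sed 's/\.gz$//'
}

# Download tarball, signature and key, then verify.
#   $1  tarball file name, e.g. samba-4.14.6.tar.gz
#   $2  (optional) expected signing-key fingerprint, 40 hex digits without spaces,
#       taken from the Samba download page. When given, the signature must come
#       from exactly that key; without it, any key in the local keyring is accepted.
# Returns non-zero on any failure, so it can be chained with "&& tar -xvf".
verify_samba_tarball() {
    tgz=$1
    fpr=${2:-}
    sig=$(samba_sig_name "$tgz")
    tar=$(samba_tar_name "$tgz")
    curl -fsSLO "$SAMBA_BASE_URL/$tgz" || return 1
    curl -fsSLO "$SAMBA_BASE_URL/$sig" || return 1
    curl -fsSL "$SAMBA_PUBKEY_URL" | gpg --import || return 1
    gunzip -k "$tgz" || return 1      # keep the .gz, produce the .tar the signature covers
    if [ -n "$fpr" ]; then
        # VALIDSIG carries the full fingerprint of the key that made the signature.
        gpg --status-fd 1 --verify "$sig" "$tar" | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
    else
        gpg --verify "$sig" "$tar"
    fi
}
```

Usage: `verify_samba_tarball samba-4.14.6.tar.gz <FINGERPRINT_FROM_SAMBA_ORG> && tar -xvf samba-4.14.6.tar`. A plain `gpg --verify` exits 0 for a good signature from any imported key, so passing the expected fingerprint is what turns the check into a real trust decision rather than a mere integrity check.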
3. Patch source code

```bash
vim source3/include/includes.h
```

Comment out lines 359-367 so that the code block looks like this:

```c
/*
#ifdef TRUE
#undef TRUE
#endif
#define TRUE __ERROR__XX__DONT_USE_TRUE
#ifdef FALSE
#undef FALSE
#endif
#define FALSE __ERROR__XX__DONT_USE_FALSE
*/
```
4. Run configure, make and make install

```bash
./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind \
    --without-gpgme --with-shared-modules='!vfs_snapper'
make
sudo make install
```
5. Edit system configuration files

/etc/hosts:

```text
192.168.10.1 SERVER1.dom1.example.com SERVER1
192.168.10.2 SERVER2.dom1.example.com SERVER2
```

/etc/profile:

```bash
PATH=$PATH:/usr/local/samba/bin
export PATH
```

/etc/resolv.conf:

```text
options timeout:2
nameserver 192.168.10.1
nameserver 192.168.10.2
```

/etc/logrotate.d/samba:

```text
/usr/local/samba/var/log.samba
/usr/local/samba/var/log.smbd
/usr/local/samba/var/log.wb-BUILTIN
/usr/local/samba/var/log.wb-DOM1
/usr/local/samba/var/log.winbindd
/usr/local/samba/var/log.winbindd-idmap
{
    weekly
    maxsize 200M
    missingok
    notifempty
    sharedscripts
    rotate 4
    compress
    delaycompress
    postrotate
        /bin/kill -HUP `cat /usr/local/samba/var/run/samba.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
```

/etc/init.d/samba:

```bash
#!/bin/bash
#
# samba-ad-dc   This shell script takes care of starting and stopping
#               samba AD daemons.
#
# chkconfig: - 58 74
# description: Samba Active Directory Domain Controller
### BEGIN INIT INFO
# Provides: samba
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Should-Start: $syslog $named
# Should-Stop: $syslog $named
# Short-Description: start and stop samba
# Description: Samba Active Directory Domain Controller
### END INIT INFO

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

prog=samba
prog_dir=/usr/local/samba/sbin/
lockfile=/var/lock/subsys/$prog

start() {
    [ "$NETWORKING" = "no" ] && exit 1
    echo -n $"Starting Samba AD DC: "
    daemon $prog_dir/$prog -D
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}

stop() {
    [ "$EUID" != "0" ] && exit 4
    echo -n $"Shutting down Samba AD DC: "
    killproc $prog_dir/$prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status $prog
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 2
esac
```
6. Open ports on firewall

- Standard ports: samba, ldap, ldaps, kerberos, kpasswd, dns, ntp
- Additional ports: 389/udp, 135/tcp, 1024-65535/tcp
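The following firewalld script is an added example, not part of the original page. It applies the service and port list above as permanent rules and provides a drift check that reports any expected service or port that firewalld is no longer allowing, which is useful after an OS update or a zone change. It assumes firewalld is the firewall on the DC and that the default zone is the one the DC interfaces belong to.

```shell
#!/bin/sh
# Added example (not from the original page): open the AD DC ports with firewalld
# and later check that they are still open. Assumes firewalld and its default zone.

# firewalld service names listed in the page.
DC_SERVICES="samba ldap ldaps kerberos kpasswd dns ntp"
# Additional ports listed in the page: CLDAP, RPC endpoint mapper, dynamic RPC range.
DC_PORTS="389/udp 135/tcp 1024-65535/tcp"

# Print one firewall-cmd invocation per service and port (permanent rules), then a reload.
dc_firewall_cmds() {
    for svc in $DC_SERVICES; do
        echo "firewall-cmd --permanent --add-service=$svc"
    done
    for port in $DC_PORTS; do
        echo "firewall-cmd --permanent --add-port=$port"
    done
    echo "firewall-cmd --reload"
}

# Number of rule commands, excluding the final reload (sanity check for the list above).
dc_firewall_rule_count() {
    dc_firewall_cmds | grep -vc -- '--reload'
}

# Run the commands, or only print them when DRY_RUN=1.
dc_firewall_apply() {
    dc_firewall_cmds | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "+ $cmd"
        else
            $cmd || return 1
        fi
    done
}

# Print every item of the expected list ($1) that is absent from the active list ($2).
# Both lists are whitespace-separated, as firewall-cmd --list-* prints them.
missing_items() {
    for want in $1; do
        found=0
        for have in $2; do
            [ "$want" = "$have" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$want"
    done
    return 0
}

# Drift check: non-zero exit when an expected service or port is not active.
dc_firewall_check() {
    active_services=$(firewall-cmd --list-services) || return 2
    active_ports=$(firewall-cmd --list-ports) || return 2
    missing=$(missing_items "$DC_SERVICES" "$active_services"
              missing_items "$DC_PORTS" "$active_ports")
    if [ -n "$missing" ]; then
        printf 'missing firewall rules:\n%s\n' "$missing" >&2
        return 1
    fi
    echo "firewall rules present"
}
```

Usage: `sudo sh -c '. ./dc-firewall.sh; dc_firewall_apply'` to apply, `dc_firewall_check` from cron or a monitoring agent afterwards. The 1024-65535/tcp entry exists for the dynamic RPC ports; Samba lets you narrow that range with the `rpc server dynamic port range` option in smb.conf, after which only the chosen range needs to be opened.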
7. Edit samba configuration files

/usr/local/samba/etc/samba.conf:

```ini
[global]
    dns forwarder = 8.8.8.8
    netbios name = SERVER1
    realm = DOM1.EXAMPLE.COM
    server role = active directory domain controller
    workgroup = DOM1
    idmap_ldb:use rfc2307 = yes
    logging = syslog@3
    log level = 1 auth_audit:3

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/server1.example.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
```

/etc/krb5.conf:

```ini
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
#   default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
#     admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
```
8. Create domain

```text
sudo samba-tool domain provision --use-rfc2307 --interactive
Realm [DOM1.EXAMPLE.COM]:
Domain [DOM1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password: yourpasswordhere
Retype password: yourpasswordhere
```
9. Set password restrictions (optional)

```bash
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=180
samba-tool domain passwordsettings set --account-lockout-threshold=10
samba-tool domain passwordsettings set --account-lockout-duration=10
samba-tool domain passwordsettings set --history-length=10
samba-tool domain passwordsettings set --min-pwd-length=12
samba-tool domain passwordsettings show
samba-tool domain passwordsettings pso create admin 10 --account-lockout-duration=5 --history-length=5 --min-pwd-length=20
samba-tool domain passwordsettings pso create system 20 --account-lockout-duration=5 --history-length=4 --min-pwd-length=20 --max-pwd-age=365
samba-tool domain passwordsettings pso list
samba-tool domain passwordsettings pso apply system Administrator
```
10. Start samba on server1

```bash
sudo systemctl daemon-reload
sudo systemctl start samba
```

Alternatively you may start samba directly:

```bash
sudo /usr/local/samba/sbin/samba &
```
11. Add the second DC to the domain (run all commands on server2)

/etc/krb5.conf:

```ini
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = DOM1.EXAMPLE.COM
```

/usr/local/samba/etc/samba.conf:

```ini
[global]
    dns forwarder = 8.8.8.8
    netbios name = SERVER2
    realm = DOM1.EXAMPLE.COM
    server role = active directory domain controller
    workgroup = DOM1
    idmap_ldb:use rfc2307 = yes
    logging = syslog@3
    log level = 1 auth_audit:3

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/dom1.example.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
```

Add server2 to the domain:

```text
samba-tool domain join dom1.example.com DC -U"DOM1\administrator" --option='idmap_ldb:use rfc2307 = yes'
...
Password for [DOM1\administrator]: yourpasswordhere
```

Change krb5.conf again to make server2 a fully standalone DC. /etc/krb5.conf:

```ini
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_realm = DOM1.EXAMPLE.COM
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
#   default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
DOM1.EXAMPLE.COM = {
    kdc = SERVER2.example.com
    admin_server = SERVER2.example.com
}
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
#     admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
```

Start samba on server2:

```bash
sudo systemctl daemon-reload
sudo systemctl start samba
```
12. Check replication status (run command on both servers)

```bash
sudo samba-tool drs showrepl
```
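Reading `showrepl` by eye works once, but a DC pair should be watched continuously: a partner that silently stops replicating leaves password changes and lockouts applied on only one DC. The script below is an added example, not part of the original page or of Samba. It parses `samba-tool drs showrepl` output (read from stdin, so it also works on a saved copy) and lists every replication partner whose "consecutive failure(s)" counter is above zero. The sample output embedded in it is constructed for the example; the GUIDs, timestamps and the error code shown are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): flag replication partners that
# "samba-tool drs showrepl" reports with consecutive failures.

# Print "<naming context> <partner> <consecutive failures>" for each failing neighbour.
# Naming-context headers (DC=... / CN=...) start at column 0; the partner line below
# them reads "Site\DC via RPC"; the counter line reads "N consecutive failure(s).".
repl_failures() {
    awk '
        /^(DC|CN)=/                { partition = $1 }   # naming-context header
        / via /                    { partner = $1 }     # "Site\DC via RPC"
        /consecutive failure\(s\)/ { if ($1 + 0 > 0) print partition, partner, $1 }
    '
}

# showrepl output constructed for this example (GUIDs, times and result code are placeholders).
SAMPLE_SHOWREPL='Default-First-Site-Name\SERVER1
DSA Options: 0x00000001
DSA object GUID: 00000000-0000-0000-0000-000000000001
DSA invocationId: 00000000-0000-0000-0000-000000000002

==== INBOUND NEIGHBORS ====

DC=dom1,DC=example,DC=com
	Default-First-Site-Name\SERVER2 via RPC
		DSA object GUID: 00000000-0000-0000-0000-000000000003
		Last attempt @ Mon Aug 16 10:00:00 2021 CEST was successful
		0 consecutive failure(s).
		Last success @ Mon Aug 16 10:00:00 2021 CEST

CN=Configuration,DC=dom1,DC=example,DC=com
	Default-First-Site-Name\SERVER2 via RPC
		DSA object GUID: 00000000-0000-0000-0000-000000000003
		Last attempt @ Mon Aug 16 10:00:00 2021 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
		3 consecutive failure(s).
		Last success @ Mon Aug 16 09:00:00 2021 CEST

==== OUTBOUND NEIGHBORS ====
'

# Failing neighbours in the constructed sample, one per line.
sample_failures() {
    printf '%s\n' "$SAMPLE_SHOWREPL" | repl_failures
}

# Number of failing neighbours in the sample (0 means healthy).
sample_failure_count() {
    sample_failures | awk 'END { print NR }'
}

# Live check for cron or a monitoring agent: exit 1 when any partner is failing,
# exit 2 when samba-tool itself could not be run.
check_live_replication() {
    out=$(samba-tool drs showrepl) || return 2
    failures=$(printf '%s\n' "$out" | repl_failures)
    if [ -n "$failures" ]; then
        printf 'replication failures detected:\n%s\n' "$failures" >&2
        return 1
    fi
    echo "replication healthy"
}
```

Run `check_live_replication` on both DCs; because the parser only looks at the failure counter and not at the partner name, it also covers additional DCs joined later without any change.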