Samba ad dc ( active directory domain controller )

Hi,
Has anyone successfully installed samba ad dc ( active directory domain controller ) in Rocky linux?
If so, what does it take? Red Hat briefly mentions that samba ad dc is not supported.
Thanks for your help

From what I see, samba-ad-dc.service doesn’t exist, so unlike Debian/Ubuntu howtos, it looks like doing a package install from the Rocky repos is not going to allow you to do it. Unless I am mistaken.

Searching for, for example, “centos samba active directory” gives you this: 15 steps to setup Samba Active Directory DC CentOS 8 | GoLinuxCloud, which is doing a lot of stuff from source to get it installed and running.

So unless there is some third-party repository which has the samba packages available, that looks like your only route by doing it from source.

Thank you. I managed using the link you provided.

1 Like

Is this to do with RedHat pushing people to use their IDM alternative?

That’s not the full truth. The issue is MIT vs Heimdal kerberos. Red Hat compiles against MIT kerberos. In Fedora land, it is possible to install samba and get the AD functionality, but it’s experimental, not recommended, and missing general functionality to run a functioning AD forest.

I rebuilt the Samba stack with AD DC enabled for testing purposes:
https://copr.fedorainfracloud.org/coprs/ligenix/enterprise-samba-AD-DC/

It looks like you built Samba with MIT, if so, why?
Did you miss the word ‘experimental’ in the ‘--with-experimental-mit-ad-dc’ configure switch?

As I wrote, this is for testing purposes.

Anyway, there is only a dc bcond for the --without-ad-dc option, which I set to off for EL and tag the release with _?AD, so --with-experimental-mit-ad-dc is activated by default in Fedora/CentOS Stream/RHEL.

This may be relevant: cve-details

The samba package as shipped with Red Hat Enterprise Linux 6, 7, 8 and 9 and Red Hat Gluster is not affected by this issue as Red Hat doesn’t provide the AD domain controller capability with it.

That’s why you need to recompile samba from scratch if you want it to be a DC.

CVE-2023-0225 samba: AD DC “dnsHostname”

Fixed In Version: samba 4.18.1, samba 4.17.7, samba 4.16.10

The rebuild is currently samba 4.18.5 with DC enabled.

Thanks for reporting.

I know this is a little bit of an old post, but I created a script that will build all the requirements for samba, download samba-latest, configure the system and at the end, provide you a fully functional samba AD-DC server. You don’t have to worry about all the building… the script will do it for you… All you have to do is answer a couple of questions (servicing ntp clients, providing your realm, etc.). If anyone is interested, here is the github link: GitHub - fumatchu/RADS: Rocky Active Directory Install Script to build Samba AD Servers. If you look at the EASY INSTALL file, there is a small set of commands to run, then the installer will grab the scripts from github and get you going. This is not a set of compiled RPMS. This is a full script that will get you everything you need and build it. So literally, install Rocky minimal, set your static IP, and set the FQDN (in the Rocky installer) to the domain you want to provision as AD. You don’t need to update or anything. The rest will be done for you. From scratch… Takes about 20 mins. Feedback is also welcome.

First bit of feedback:

  • Why would you change the default NTP pool? The ntp pool provided by chrony is from ntp.org already.
  • I see no evidence of static addressing being detected and warning if it’s not.
  • You are asking the user to disable selinux, an absolutely critical security component of the operating system. Not a good idea.
  • You are disabling the firewall. Not a good idea. firewall-cmd --add-service=samba-dc and then --permanent is sufficient in that regard.

In the end, compiling by hand will always lead to issues for the user down the road. That means the user would have to take care of recompiling, security issues, and dealing with library changes that happen on each point release in Rocky Linux, by hand. This is why in my opinion, the best way will always be building an RPM based on what’s in the current repositories, keeping selinux enabled, and properly managing the firewall. This means the process will always be clean each and every time, including for updates.

# Initial build
% dnf install epel-release createrepo -y
% crb enable
% dnf install mock -y
% dnf download samba --source
% mock -r rocky-9-x86_64 --enablerepo=devel --define 'dist .el9_3.dc' --with dc samba-4.18.6-101.el9_3.src.rpm
% mkdir /root/samba
% cp /var/lib/mock/rocky-9-x86_64/result/*.rpm /root/samba
% createrepo /root/samba
% dnf install samba-dc samba-client krb5-workstation samba \
  --repofrompath=samba,/root/samba \
  --enablerepo=samba

Configure the system.

# Set the hostname
% hostnamectl set-hostname dc01.example.com

# Set selinux contexts
% setsebool -P samba_create_home_dirs=on \
  samba_domain_controller=on \
  samba_enable_home_dirs=on \
  samba_portmapper=on \
  use_samba_home_dirs=on

# Setup the firewall
% firewall-cmd --add-service=samba-dc --permanent
% firewall-cmd --complete-reload

# Backup the original samba configuration just in case
% mv /etc/samba/smb.conf /etc/samba/smb.backup

# Tell your system to have a static address.
% nmcli con mod ens192 ipv4.address 10.100.0.20/24
% nmcli con mod ens192 ipv4.gateway 10.100.0.1
% nmcli con mod ens192 ipv4.method manual
% nmcli con mod ens192 ipv4.dns-search example.com
% nmcli con mod ens192 ipv4.dns 127.0.0.1
% nmcli con up ens192

Provision the domain.

# Begin provisioning the domain
% samba-tool domain provision \
  --server-role=dc \
  --use-rfc2307 \
  --dns-backend=SAMBA_INTERNAL \
  --realm=EXAMPLE.COM \
  --domain=example.com \
  --adminpass=Blu3Onyx!

# Optionally configure DNS forwarders
% vi /etc/samba/smb.conf
[global]
. . .
    dns forwarder = 1.1.1.1

# Verify the contents of /etc/krb5.conf. If this file does not specify your domain
# you will need to change it yourself.
% cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc
% vi /etc/krb5.conf.d/samba-dc
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true

[realms]
EXAMPLE.COM = {
  default_domain = EXAMPLE
}

[domain_realm]
  dc01.example.com = EXAMPLE.COM

% systemctl enable samba --now
# Test functionality as desired.
% smbclient //localhost/netlogon -UAdministrator -c 'ls'
% dig @localhost dc01.example.com A
% kinit administrator

In the event a samba update arrives from Rocky Linux, rebuilding and updating is also easy.

# delete all packages
% rm -rf /root/samba/*.rpm
% dnf download samba --source
% mock -r rocky-9-x86_64 --enablerepo=devel --define 'dist .el9_3.dc' --with dc samba-...src.rpm 
% cp /var/lib/mock/rocky-9-x86_64/result/*.rpm /root/samba
% createrepo /root/samba
% dnf update --repofrompath=samba,/root/samba

With all of that said, I have submitted this as a package request to SIG/FastTrack.

4 Likes

Thank you for the feedback. In no way was I trying to misrepresent. I appreciate your input and the time you took replying, I took it to heart and will further work on my idea. Thank you. So in the meantime, for those of us that do want to use Rocky as an AD server, what are the options? Thank you again

I know you weren’t trying to misrepresent anyone or anything. I’ve just seen over the years some configurations or processes that may be problematic down the road for the user that does them, since they sometimes miss things such as updates and the like. A lot of guides/scripts out there are one-shot and expect the user to be “in the know”.

I think if you want to maintain your scripts, you absolutely should and try to make some important tweaks in there. And I also believe you could probably put in a mechanism that helps a user to perform updates on it, should you continue pulling from samba latest.

As for the users who want a samba AD running on Rocky in some easy way, it’s unfortunately manual as you’ve noticed. It’s either:

  1. Manual compilation (which we recommend against generally)
  2. Rebuilding a source RPM via mock using --define dc and installing the necessary packages (this is semi-automatic)
  3. Getting the compiled RPMs from elsewhere (e.g. copr or perhaps a paid source)

Part of why I put in the ticket for SIG/FastTrack is that this is a fairly common thing I see pop up from time to time. The storage SIG from CentOS that packages up newer versions of samba also does not turn on the dc components. And I don’t think users want to run Fedora just for samba AD, and I completely understand the many reasons why.

I am taking your suggestions and starting to build a different script…I wasn’t aware I could do this with mock. Thank you so much for sharing these examples… This is really helpful.

As you are rewriting your scripts, I thought I should comment on @nazunalika's comments. These are mostly correct, but I would change a few things:

If you give your potential DC a fixed IP (and you should) and its nameserver (before the provision) points to an external nameserver that can resolve the internet, then there should be no need to change the ‘dns forwarder’ after provision, Samba will do it for you (provided you use the default internal Samba dns server and if you don’t, you do not have that parameter in smb.conf).

It was advised to backup the existing smb.conf ‘just in case’, no, you have to move it out of the way, or the provision will fail.

When it comes to the provision command, whilst it is technically correct, you do not actually need the first three parameters, ‘server-role’, ‘use-rfc2307’ and ‘dns-backend’. The first and third are defaults; the second is only required if you are going to use ADUC (along with the Unix Attributes tabs, which no longer exist) and require the use of uidNumber & gidNumber attributes on the DC (these are not defaults, you will have to add them).

It was recommended to copy the krb5.conf from /usr/share/samba/setup/, that is the wrong one. When Samba provisions a domain, it uses that file to create a correct version in /var/lib/samba/private/krb5.conf, that is the file to copy to /etc/.

Finally, can I suggest you read up on bash here documents, rather than all those ‘echo’ lines.

2 Likes

Doesn’t this potentially introduce a vulnerability? The scenario I’m thinking is

  • Red Hat source rpm for package X has a bug
  • Binary for package X is not vulnerable because the functionality is not enabled
  • Red Hat does not update the source because it’s not vulnerable in their builds
  • User rebuilds the package from the Red Hat source rpm with the functionality enabled
  • User has now introduced the vulnerability that wasn’t previously there

So before someone builds from the source rpm with new options, wouldn’t they need to ensure the code has been updated with the fixes?

(Of course, if Red Hat has since updated the source for other reasons and included the patch, then it’s not a problem.)

1 Like

Thank you, Rowland. I did not know this in regards to the provisioning options… Thank you also for the “bash here” recommendation. I will use those examples to clean up the lines and echos…Thank you everyone for providing me a better way to do this. I am listening and will modify appropriately. I do appreciate the community and would love to give back to it.

I wanted to thank you everyone again for their input and suggestions. I think I have a much cleaner, one file install script now. The one thing I am a little stuck on is how to detect a change in the version of samba source rpm (new samba version). I thought maybe having a cron job that runs daily with dnf provides samba, and comparing that to the local repository we built from. if that doesn’t match then put an announcement via motd (so when someone logs in they can see it), and after the (rebuild)script has been run, sed the motd to remove the announcement? that’s the most elegant way I can think of to keep the system up to date… If there are any thoughts I would appreciate it… Thank you…Something like this:
dnf makecache
dnflocal=$(dnf provides samba | grep Provide | sed 's/\.dc//' | sed '1d')
dnfremote=$(dnf provides samba | grep Provide | sed 's/\.dc//' | sed '$d')

if [ "$dnflocal" == "$dnfremote" ]
etc… etc…
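As an added example (it is neither the poster's script nor RADS code, and not from the thread), the following sh script pulls together three points raised above: detecting that Rocky has shipped a newer stock samba than the one the local samba-dc repo was rebuilt from, writing the motd announcement with a here document rather than a run of echo lines (Rowland's suggestion), and checking a DC-enabled rebuild against upstream's "fixed in" versions, since Red Hat's advisory text quoted earlier only declares the stock build unaffected because DC support is off. It assumes the ".dc" dist-tag suffix from the mock rebuild, GNU sed as shipped on Rocky, and, for the live check, `rpm -q` and `dnf repoquery` on the DC instead of the `dnf provides` parsing sketched above; the fixed-in versions passed in the comments are the CVE-2023-0225 ones listed in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the RADS project: staleness check for a
# locally rebuilt samba-dc repo, a here-document motd notice, and a fixed-in
# version check for DC-enabled rebuilds. Assumes GNU sed and the ".dc" dist tag.

# Drop the ".dc" dist-tag suffix so "4.18.6-101.el9_3.dc" compares equal to the
# stock "4.18.6-101.el9_3" it was rebuilt from.
strip_dc_tag() {
    printf '%s\n' "$1" | sed 's/\.dc$//'
}

# Compare two dotted numeric strings field by field; prints lt, eq or gt.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo lt; return; fi
        if [ "$ai" -gt "$bi" ]; then echo gt; return; fi
    done
    echo eq
}

# Compare "version-release" strings as printed by rpm/dnf: the version first,
# then the leading number of the release ("101" in "101.el9_3").
vr_cmp() {
    v1=${1%%-*}; v2=${2%%-*}
    case "$1" in *-*) r1=${1#*-};; *) r1='';; esac
    case "$2" in *-*) r2=${2#*-};; *) r2='';; esac
    c=$(vercmp "$v1" "$v2")
    if [ "$c" != eq ]; then echo "$c"; return; fi
    vercmp "$(printf '%s' "$r1" | sed 's/[^0-9].*//')" \
           "$(printf '%s' "$r2" | sed 's/[^0-9].*//')"
}

# Succeeds when the stock Rocky samba ($2) is newer than the rebuilt samba-dc ($1).
rebuild_needed() {
    [ "$(vr_cmp "$(strip_dc_tag "$1")" "$(strip_dc_tag "$2")")" = lt ]
}

# A "--with dc" rebuild carries the AD DC code the stock package leaves out, so
# its version must be at or past upstream's fix on its own 4.x branch (or newer
# than every fixed branch). $1 = rebuilt version, $2.. = fixed-in versions.
fixed_for() {
    v="$1"; shift
    best=''
    for f in "$@"; do
        if [ "${v%.*}" = "${f%.*}" ]; then
            if [ "$(vercmp "$v" "$f")" != lt ]; then return 0; else return 1; fi
        fi
        if [ -z "$best" ] || [ "$(vercmp "$f" "$best")" = gt ]; then best="$f"; fi
    done
    if [ "$(vercmp "$v" "$best")" = gt ]; then return 0; else return 1; fi
}

MOTD_BEGIN='# --- samba-dc rebuild notice (begin) ---'
MOTD_END='# --- samba-dc rebuild notice (end) ---'

# Remove an earlier notice: the marker lines and everything between them.
clear_motd_notice() {   # $1 = motd file
    [ -f "$1" ] || return 0
    sed -i "/^$MOTD_BEGIN\$/,/^$MOTD_END\$/d" "$1"
}

# Append the notice with a here document instead of a run of echo lines.
announce_motd() {       # $1 = motd file, $2 = rebuilt version-release, $3 = stock version-release
    clear_motd_notice "$1"
    cat >> "$1" <<EOF
$MOTD_BEGIN
Rocky Linux now ships samba $3; the local samba-dc rebuild is $2.
Rebuild with mock, refresh /root/samba with createrepo, then run dnf update.
$MOTD_END
EOF
}

# Live check on the DC (only when invoked with --check): the installed samba-dc
# against the newest stock samba in the enabled Rocky repos.
if [ "${1:-}" = "--check" ]; then
    local_vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' samba-dc)
    stock_vr=$(dnf -q repoquery --latest-limit 1 --qf '%{VERSION}-%{RELEASE}\n' samba | tail -n 1)
    if rebuild_needed "$local_vr" "$stock_vr"; then
        announce_motd /etc/motd "$local_vr" "$stock_vr"
    else
        clear_motd_notice /etc/motd
    fi
fi
```

Run it from a daily cron or systemd timer with `--check`; the rebuild script can call `clear_motd_notice /etc/motd` after a successful `dnf update`. Comparing version-release rather than raw `dnf provides` output means a release-only bump (a rebuilt stock package with the same upstream version) is also caught, and `fixed_for` gives a quick way to confirm that the rebuilt version you are about to install is at or past the upstream fix for an AD DC bug that the stock advisory marks as "not affected".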

Process worked on a test VM running a fresh install of 9.3, but fails on 8.9:

[root@localhost build]# mock -r rocky-8-x86_64 --enablerepo=devel --define 'dist .el8_9.dc' --with dc samba-4.18.6-2.el8_9.src.rpm
(...)
sh: /usr/bin/perl: No such file or directory
sh: /usr/bin/perl: No such file or directory
sh: /usr/bin/perl: No such file or directory
Building target platforms: x86_64
Building for target x86_64
Wrote: /builddir/build/SRPMS/samba-4.18.6-2.el8_9.dc.src.rpm
No matches found for the following disable plugin patterns: local, spacewalk, versionlock
Rocky Linux 8 - BaseOS                                                                   11 kB/s | 4.3 kB     00:00
Rocky Linux 8 - AppStream                                                                14 kB/s | 4.8 kB     00:00
Rocky Linux 8 - PowerTools                                                               20 kB/s | 4.8 kB     00:00
Rocky Linux 8 - Extras                                                                  561  B/s | 3.1 kB     00:05
Rocky Linux 8 - Devel (WARNING: UNSUPPORTED - FOR BUILDROOT USE ONLY!)                   20 kB/s | 3.6 kB     00:00
Package gawk-4.2.1-4.el8.x86_64 is already installed.
Package gcc-8.5.0-20.el8.x86_64 is already installed.
Package glibc-gconv-extra-2.28-236.el8_9.7.x86_64 is already installed.
Package gnupg2-2.2.20-3.el8_6.x86_64 is already installed.
Package make-1:4.2.1-11.el8.x86_64 is already installed.
No matching package to install: 'python3-pyasn1 >= 0.4.8'
No matching package to install: 'python3-setproctitle'
Package sed-4.5-5.el8.x86_64 is already installed.
Package xz-5.2.4-4.el8_6.x86_64 is already installed.
Not all dependencies satisfied
Error: Some packages could not be found.
Finish: build setup for samba-4.18.6-2.el8_9.src.rpm
Finish: build phase for samba-4.18.6-2.el8_9.src.rpm
ERROR: Exception(samba-4.18.6-2.el8_9.src.rpm) Config(rocky-8-x86_64) 0 minutes 22 seconds
INFO: Results and/or logs in: /var/lib/mock/rocky-8-x86_64/result
ERROR: Command failed:
 # /usr/bin/systemd-nspawn -q -M 3b01798a02f645e08c88eb4ecbdf2d31 -D /var/lib/mock/rocky-8-x86_64-bootstrap/root -a --capability=cap_ipc_lock --bind=/tmp/mock-resolv.n4y6kojw:/etc/resolv.conf --setenv=TERM=vt100 --setenv=SHELL=/bin/bash --setenv=HOME=/var/lib/mock/rocky-8-x86_64/root/installation-homedir --setenv=HOSTNAME=mock --setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin '--setenv=PROMPT_COMMAND=printf "\033]0;<mock-chroot>\007"' '--setenv=PS1=<mock-chroot> \s-\v\$ ' --setenv=LANG=C.UTF-8 --setenv=LC_MESSAGES=C.UTF-8 --resolv-conf=off /usr/bin/dnf-3 builddep --installroot /var/lib/mock/rocky-8-x86_64/root/ --releasever 8 --enablerepo devel --setopt=deltarpm=False --setopt=allow_vendor_change=yes --allowerasing --disableplugin=local --disableplugin=spacewalk --disableplugin=versionlock /var/lib/mock/rocky-8-x86_64/root//builddir/build/SRPMS/samba-4.18.6-2.el8_9.dc.src.rpm --setopt=tsflags=nocontexts
No matches found for the following disable plugin patterns: local, spacewalk, versionlock
Rocky Linux 8 - BaseOS                                                                   11 kB/s | 4.3 kB     00:00
Rocky Linux 8 - AppStream                                                                14 kB/s | 4.8 kB     00:00
Rocky Linux 8 - PowerTools                                                               20 kB/s | 4.8 kB     00:00
Rocky Linux 8 - Extras                                                                  561  B/s | 3.1 kB     00:05
Rocky Linux 8 - Devel (WARNING: UNSUPPORTED - FOR BUILDROOT USE ONLY!)                   20 kB/s | 3.6 kB     00:00
Package gawk-4.2.1-4.el8.x86_64 is already installed.
Package gcc-8.5.0-20.el8.x86_64 is already installed.
Package glibc-gconv-extra-2.28-236.el8_9.7.x86_64 is already installed.
Package gnupg2-2.2.20-3.el8_6.x86_64 is already installed.
Package make-1:4.2.1-11.el8.x86_64 is already installed.
No matching package to install: 'python3-pyasn1 >= 0.4.8'
No matching package to install: 'python3-setproctitle'
Package sed-4.5-5.el8.x86_64 is already installed.
Package xz-5.2.4-4.el8_6.x86_64 is already installed.
Not all dependencies satisfied
Error: Some packages could not be found.

Thoughts?