Wednesday, October 16, 2013

Setup Linux as a Microsoft Domain Controller

In this short post I will use three main components to set up a CentOS Linux box as a Microsoft Active Directory Domain Controller. Samba 4 ships with the Active Directory logon and administration protocols (Kerberos KDC, LDAP directory, DNS and the RPC services), so it can act as a domain controller and interoperate with Microsoft Active Directory servers and Windows domain members.

To make this happen we need to set up three services on the CentOS box:
  • Samba 4 (which can also serve file shares)
  • an NTP server (Windows domain members expect signed time replies from their DC, and Kerberos tolerates only a few minutes of clock skew)
  • BIND (to host the AD DNS zone, loaded from the Samba database through the DLZ module)
First set the hostname of the CentOS domain controller. The name must also resolve to the machine's LAN address, not to 127.0.0.1, so add a matching line to /etc/hosts before provisioning:

nano /etc/sysconfig/network
HOSTNAME=centos-dc

To keep this small setup simple the post disables SELinux. Be aware that this removes mandatory access control from the whole host; on a production domain controller keep it enforcing and write policy for the Samba and BIND paths instead. The file edit takes effect at the next boot, setenforce 0 switches to permissive mode immediately:

nano /etc/sysconfig/selinux
SELINUX=disabled
setenforce 0

Next install the compiler and the development headers Samba needs, together with the Kerberos and BIND packages, if they are not already installed:

yum -y install gcc make wget python-devel gnutls-devel openssl-devel libacl-devel krb5-server krb5-libs krb5-workstation bind bind-libs bind-utils

Next download the Samba 4 source, verify it, compile it and install it. The archive unpacks into a versioned directory (samba-4.x.y), not into samba-latest, and make install places everything under /usr/local/samba, which is the prefix used in the rest of this post. Releases are signed: check the detached .asc signature published next to the tarball against the Samba release key before building.

wget http://ftp.samba.org/pub/samba/samba-latest.tar.gz
tar -xzvf samba-latest.tar.gz
cd samba-4.*/
./configure --enable-selftest
make
make install

Samba 4 ships samba-tool, which provisions the new domain (realm, NetBIOS domain name, server role) and, with --dns-backend=BIND9_DLZ, generates the configuration that hooks named into the AD database. Run it without --adminpass so that it prompts for the Administrator password; the original command passed --adminpass 'P@ssw0rd' inline, which leaves the password in the shell history and in the process list while the tool runs. Note also that the .local suffix is claimed by mDNS (Bonjour/Avahi); a subdomain of a name you own, such as ad.example.com, avoids resolver clashes on mixed networks.

/usr/local/samba/bin/samba-tool domain provision --realm=frogman.local --domain=FROGMAN --server-role=dc --dns-backend=BIND9_DLZ


With the BIND9_DLZ backend named loads the zone straight from the Samba AD database through a dynamically loaded module, so there are no zone files to maintain and Windows clients can register their own records with Kerberos-signed (GSS-TSIG) dynamic updates. Generate the rndc key that named expects:

rndc-confgen -a -r /dev/urandom


To let every machine in the LAN query the AD zone, named must listen on port 53 and accept their queries; a forwarder (here the gateway 172.16.1.1) resolves names outside the domain. The options below are what the post uses. Be aware that allow-query { any; } serves the AD zone, which lists every host and service in the domain, to anybody who can reach the server, and that recursion, left unset, falls back to BIND's default of localnets and localhost; restrict both to your LAN if the DC has an interface outside it. The tkey-gssapi-keytab line lets named verify the Kerberos-signed dynamic updates sent by Windows clients, and the include pulls in the DLZ zone definition that samba-tool generated. The options block must be closed, and named-checkconf /etc/named.conf will catch syntax slips before you start the service:

nano /etc/named.conf
options {
        listen-on port 53 { any; };
        forwarders { 172.16.1.1; };
        allow-query { any; };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

include "/usr/local/samba/private/named.conf";
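The following script is an added example; it is not from the original post nor from the Samba or BIND projects. It reproduces the post's options block next to a LAN-restricted version, and lints a named.conf for two findings: an allow-query list that contains any (the AD zone is served to everyone), and a missing or open allow-recursion (recursion falls back to BIND's localnets default). The only assumption beyond the post is that the LAN is 172.16.1.0/24, inferred from the forwarder address; the script name named_audit.sh is made up.

```sh
#!/bin/sh
# Added example, not from the original post: the post's named options
# block, a LAN-restricted alternative, and a lint for the two findings.
# Assumption: the LAN is 172.16.1.0/24 (inferred from forwarder 172.16.1.1).

# The options block as the post writes it. allow-query { any; } serves the
# AD zone to anybody who can reach UDP/53; allow-recursion is unset, so
# recursion falls back to BIND's default of localnets and localhost.
weak_named_options() {
cat <<'EOF'
options {
        listen-on port 53 { any; };
        forwarders { 172.16.1.1; };
        allow-query { any; };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
EOF
}

# Same block with explicit ACLs: only the DC itself and the LAN may query
# it or use it as a recursive resolver. Everything else stays as in the post.
hardened_named_options() {
cat <<'EOF'
acl lan { 127.0.0.1; ::1; 172.16.1.0/24; };
options {
        listen-on port 53 { any; };
        forwarders { 172.16.1.1; };
        allow-query { lan; };
        allow-recursion { lan; };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
EOF
}

# acl_allows_any OPTION CONF_TEXT: true when OPTION's address list holds "any".
# [^}]* stops at the closing brace, so a later block is never matched.
acl_allows_any() {
    printf '%s' "$2" | grep -Eq "$1[^}]*[{[:space:]]any[[:space:]]*;"
}

# audit_named_conf FILE: prints one line per finding, returns 0 when clean.
audit_named_conf() {
    conf=$(tr '\n' ' ' < "$1")   # flatten: BIND statements may span lines
    rc=0
    case "$conf" in
        *allow-query*)
            if acl_allows_any allow-query "$conf"; then
                echo "allow-query permits any host"; rc=1
            fi ;;
        *) echo "allow-query not set (BIND default is any)"; rc=1 ;;
    esac
    case "$conf" in
        *allow-recursion*)
            if acl_allows_any allow-recursion "$conf"; then
                echo "allow-recursion permits any host"; rc=1
            fi ;;
        *) echo "allow-recursion not set (defaults to localnets; localhost)"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh named_audit.sh /etc/named.conf   (lint; exit 1 on findings)
#        sh named_audit.sh --hardened        (print the restricted block)
case "${1:-}" in
    --hardened) hardened_named_options ;;
    ?*) audit_named_conf "$1" ;;
esac
```

The lint deliberately does not call named-checkconf: the included Samba file only exists on the DC, so run named-checkconf /etc/named.conf there after editing the real file.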

Point the DC's own resolver at itself, since named now serves the AD zone, and set the local domain:

nano /etc/resolv.conf
nameserver 127.0.0.1
domain frogman.local

Next enable Kerberos authentication by giving the libraries the default realm and letting them find the KDC through the SRV records in DNS (samba-tool wrote an equivalent file to /usr/local/samba/private/krb5.conf that can be copied instead):

nano /etc/krb5.conf
[libdefaults]
default_realm = FROGMAN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

Then build and install the NTP server. --enable-ntp-signd lets ntpd sign its replies through Samba's ntp_signd socket, which Windows domain members require from their DC; after installing, point ntp.conf at /usr/local/samba/var/lib/ntp_signd/ with the ntpsigndsocket directive and add the mssntp flag to the restrict line for the LAN. 4.2.6p5 was the current release when this was written; take the latest release and verify the download before compiling it.

wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.6p5.tar.gz
tar -xzvf ntp-4.2.6p5.tar.gz
cd ntp-4.2.6p5
./configure --enable-ntp-signd
make
make install

Now set permissions so that the named user can read the DLZ zone directory and the keytab, make the init scripts executable (make install does not provide /etc/init.d/samba4 or /etc/init.d/ntp; you have to supply them), and enable the three services at boot:

chown named:named /usr/local/samba/private/dns
chown named:named /usr/local/samba/private/dns.keytab
chmod 775 /usr/local/samba/private/dns
chmod 755 /etc/init.d/samba4
chmod 755 /etc/init.d/ntp

chkconfig --levels 235 samba4 on
chkconfig --levels 235 ntp on
chkconfig --levels 235 named on

All three services are now set to start at boot. Reboot the server and check that they are all up. I myself had a problem with the named service. This error manifested in /var/log as a BIND loading error:

dlz_dlopen failed to open library /usr/local/samba/modules/bind9/dlz_bind9.so'

I fixed this error by assigning appropriate permissions to the dlz_bind9.so file:

chmod 775 /usr/local/samba/modules/bind9/dlz_bind9.so


After another reboot I chose a Windows box to test with, and joined it to the freshly created domain using the free Linux machine.


And we have a Microsoft box joined to a domain with a Linux domain controller :D
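Before the Windows join, the checks below verify each piece of the DC from the Linux side: the three daemons, that the named user can reach the module and keytab (the dlz_dlopen error above is what you see when it cannot), the A and locator SRV records from named itself, a Kerberos ticket for Administrator, the netlogon/sysvol shares, and ntpd. This is an added example, not code from the post or from Samba; it assumes the /usr/local/samba prefix and the frogman.local realm from the post, the named user created by the bind package, and takes the DC's short name from hostname -s. The script name dc_checks.sh is made up.

```sh
#!/bin/sh
# Added example, not from the original post or from Samba: checks to run on
# the DC after the reboot, before joining a Windows box. Assumptions: the
# /usr/local/samba prefix and the frogman.local realm from the post, the
# 'named' user from the bind package, and the DC's short name from hostname.
SAMBA=/usr/local/samba
fails=0

# realm_of DOMAIN: frogman.local -> FROGMAN.LOCAL (Kerberos realms are upper case)
realm_of() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# srv_names DOMAIN: the SRV records a Windows client queries to locate a DC.
# samba-tool provisioned all of them; the join fails if named drops any.
srv_names() {
    printf '%s\n' "_ldap._tcp.$1" "_kerberos._tcp.$1" \
                  "_kerberos._udp.$1" "_ldap._tcp.dc._msdcs.$1"
}

# check LABEL CMD...: run CMD quietly, print PASS/FAIL, count the failures.
check() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "PASS  $label"
    else echo "FAIL  $label"; fails=$((fails + 1)); fi
}

# has_rr TYPE NAME: named on 127.0.0.1 answers NAME with a TYPE record.
# host can exit 0 on an empty answer, so match its output instead.
has_rr() {
    host -t "$1" "$2" 127.0.0.1 2>/dev/null | grep -Eq "has (address|$1 record)"
}

# named_can PERM PATH: the BIND worker runs as 'named'; the post's dlz_dlopen
# error is what you see when it cannot read the module or traverse private/.
named_can() { su -s /bin/sh -c "test -$1 '$2'" named; }

main() {
    domain=${1:-frogman.local}
    realm=$(realm_of "$domain")
    fqdn="$(hostname -s).$domain"

    for p in samba named ntpd; do check "$p is running" pgrep -x "$p"; done

    check "named can read dlz_bind9.so" named_can r "$SAMBA/modules/bind9/dlz_bind9.so"
    check "named can read dns.keytab"   named_can r "$SAMBA/private/dns.keytab"
    check "named can enter private/dns" named_can x "$SAMBA/private/dns"

    # DNS: the DC's own A record plus the locator SRV records, from named itself
    check "A $fqdn" has_rr A "$fqdn"
    for n in $(srv_names "$domain"); do check "SRV $n" has_rr SRV "$n"; done

    # Kerberos: KDC discovery goes through the SRV records above
    # (dns_lookup_kdc = true); kinit prompts for the Administrator password.
    if kinit "administrator@$realm"; then echo "PASS  kinit administrator@$realm"
    else echo "FAIL  kinit administrator@$realm"; fails=$((fails + 1)); fi

    # Samba: the anonymous share listing must show netlogon and sysvol
    check "smbclient lists sysvol" sh -c "$SAMBA/bin/smbclient -L localhost -U% | grep -q sysvol"
    check "samba-tool domain level show" "$SAMBA/bin/samba-tool" domain level show

    # NTP: Windows members need time within the Kerberos skew (5 minutes)
    check "ntpd answers ntpq" ntpq -p

    echo "$fails check(s) failed"
    [ "$fails" -eq 0 ]
}

# Usage (as root on the DC): sh dc_checks.sh run [domain]
if [ "${1:-}" = run ]; then shift; main "$@"; fi
```

Run it as root on the DC; a FAIL on the named_can lines points at the permission problem described above, and a FAIL on any SRV line means Windows clients will not find the DC even if the A record resolves.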

Feel free to comment.
