Samba as an ADDC on Solaris 11.4
Introduction
When I first installed the Samba package on Solaris, it turned out that the package contains no ADDC role. A long search on the Internet led to answers of this kind: the Samba package on Solaris does not support this role, and some wrote that it is impossible to implement this role on Solaris at all. Further research led me to the conclusion that everything comes down to the absence of POSIX ACL support in ZFS and in the Python that ships with Solaris. To solve these problems you must use a disk with the UFS file system, and build Python (and Samba too) from source.
Preparation
I do everything in VMware ESXi; before installing the system, add one more hard disk to the virtual machine. Next, download the Python and Samba source code (into the root of the file system).
wget https://download.samba.org/pub/samba/stable/samba-4.8.8.tar.gz
wget https://www.python.org/ftp/python/2.7.15/Python-2.7.15.tgz
Extract the archives and rename the folders for convenience.
gzip -d samba-4.8.8.tar.gz
gzip -d Python-2.7.15.tgz
tar -xvf Python-2.7.15.tar
tar -xvf samba-4.8.8.tar
mv Python-2.7.15 python
mv samba-4.8.8 samba
Next, install gcc and some dependencies.
pkg install gcc
pkg install pkgconfig
pkg install automake
pkg install autoconf
Set the environment variables for a 64-bit (x64) build
export CPP="/usr/gcc/7/bin/gcc -E"
export CC="/usr/gcc/7/bin/gcc"
export CFLAGS="-m64 -std=gnu99 -fPIC -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
export LDFLAGS="-m64 -L/usr/lib -R/usr/lib"
export CXXFLAGS="-m64"
Create a UFS file system on the additional hard disk (substitute the device name you use)
newfs /dev/dsk/c1t1d0s2
Next, register this disk in the vfstab file (not a typo, that is what this file is called in Solaris). Add the following line to it.
/dev/dsk/c1t1d0s2 /dev/dsk/c1t1d0s2 /ADDC ufs fsck yes -
Create a mount point and mount the disk on it
mkdir /ADDC
mount /dev/dsk/c1t1d0s2 /ADDC
Build and installation
You can now build Samba and Python. Change into the directory with the unpacked Samba source code and build. Building Samba takes quite a long time.
cd /samba
./configure --prefix=/ADDC
gmake
gmake install
No additional parameters are required to build Python; it will be installed under /usr/local
cd /python
./configure
gmake
gmake install
After building Python, add the path to the freshly compiled Python to the PATH variable
export PATH="/usr/local/bin:/usr/sbin:/usr/bin"
IMPORTANT: for everything to work correctly, set the PATH variable exactly as in this example; /usr/local/bin must come first.
After these steps, using Samba as an ADDC is no longer a problem; to provision the domain, run the samba-tool script
/ADDC/bin/samba-tool domain provision --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=office.virusslayer.su --domain=virusslayer --host-name=ad --host-ip=192.168.1.105 --function-level=2008_R2 --adminpass=Password123456
Specify the realm, domain and host-name you need, and the host-ip used by this host.
The next step is to configure Kerberos; to do this, edit the following files
/etc/krb5/krb5.conf
/etc/krb5/kdc.conf
The krb5.conf file must be changed to
[libdefaults]
default_realm = OFFICE.VIRUSSLAYER.SU
dns_lookup_realm = false
dns_lookup_kdc = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96
[realms]
OFFICE.VIRUSSLAYER.SU = {
kdc = kdc.office.virusslayer.su
admin_server = kdc.office.virusslayer.su
}
and kdc.conf to
[realms]
OFFICE.VIRUSSLAYER.SU = {
profile = /etc/krb5/krb5.conf
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
}
For autostart and shutdown I had to write a simple bash script
#!/usr/bin/bash
# Control script for the Samba ADDC built under /ADDC.
# Usage: sambactl {start|stop|restart|v|config}
case "$1" in
start|-start)
        # samba is the AD DC process; smbd and nmbd serve file shares and NetBIOS
        /ADDC/sbin/samba
        /ADDC/sbin/smbd
        /ADDC/sbin/nmbd
        ;;
stop|-stop)
        # remove stale pid files, then ask the daemons to terminate (SIGTERM)
        rm -f /ADDC/var/run/*.pid
        pkill -15 samba
        pkill -15 smbd
        pkill -15 nmbd
        ;;
v|-v)
        # print the Samba version
        /ADDC/sbin/samba -V
        ;;
config|-config)
        # show the active configuration
        cat /ADDC/etc/smb.conf
        ;;
restart|-restart)
        rm -f /ADDC/var/run/*.pid
        pkill -15 samba
        pkill -15 smbd
        pkill -15 nmbd
        /ADDC/sbin/samba
        /ADDC/sbin/smbd
        /ADDC/sbin/nmbd
        ;;
*)
        echo "Usage: $0 {start|stop|restart|v|config}" >&2
        exit 1
        ;;
esac
Put this script into the file /usr/bin/sambactl (create it first), make it executable and copy it into the rc3.d and rc0.d directories so that Samba is started and stopped automatically
touch /usr/bin/sambactl
chmod +x /usr/bin/sambactl
cp /usr/bin/sambactl /etc/rc3.d/Ssambactl
cp /usr/bin/sambactl /etc/rc0.d/Ksambactl
For everything to keep working correctly, change the system's DNS server (there is no point editing resolv.conf, those changes survive only until the next reboot); to do this, edit the service property and refresh the service (specify the IP address of the current system as the server)
svccfg -s dns/client setprop config/nameserver="192.168.1.105"
svcadm refresh dns/client
After these manipulations you can start Samba and add the DNS entry
/usr/bin/sambactl
/ADDC/bin/samba-tool dns add office.virusslayer.su -U administrator office.virusslayer.su kdc.office.virusslayer.su A 192.168.1.105
Check that Kerberos works
kinit administrator
If everything is correct and the password is entered correctly, the ticket is created in the /tmp/volatile-user/0 directory. The Kerberos configuration is not yet complete: you also need to configure a time synchronization server. To do this, create the file /etc/inet/ntp.conf, start the time service and make the necessary changes in this file.
server 127.127.1.0 prefer
server 0.europe.pool.ntp.org
server 1.europe.pool.ntp.org
server 2.europe.pool.ntp.org
server 3.europe.pool.ntp.org
driftfile /var/ntp/ntp.drift
restrict 192.168.1.0 255.255.255.0 nomodify notrap
In the restrict line, specify the subnet that is allowed to query the time server.
Enable and refresh the service.
svcadm enable ntp
svcadm refresh ntp
You can use the Remote Server Administration Tools (RSAT) to edit group policies; they can be downloaded from here.
Windows 8.1
https://www.microsoft.com/ru-ru/download/details.aspx?id=39296
Windows 10
https://www.microsoft.com/ru-RU/download/details.aspx?id=45520
Windows 7
https://www.microsoft.com/ru-ru/download/details.aspx?id=7887
After installing RSAT on Windows 7, these tools must be enabled in Control Panel (Turn Windows features on or off). After the computer has been joined to the domain, start the Group Policy editor and, in the Default Domain Policy, edit the policy responsible for the time server.
In that section, enable the options "Enable Windows NTP Client" and "Configure Windows NTP Client", set Type to NTP and set NtpServer to office.virusslayer.su
Additionally, you can configure the firewall: edit the file /etc/firewall/pf.conf so that it looks like this.
set skip on lo0
pass quick on lo0 from any to any no state
pass in quick on net0 proto {tcp,udp} from any to any port {22,53,123,135,137,464,389,515,636,631,445,139,88,3268,3269,49152:65535} flags S/SA modulate state
pass out quick on net0 proto tcp from any to any port {80,443,21,20,53} flags S/SA modulate state
pass out quick on net0 proto udp from any to any port=53 keep state
pass out quick on net0 proto icmp from any to any
block from any to any fragment
block from any to any
block all
Enable the service and load the rule file
svcadm enable firewall
pfctl -f /etc/firewall/pf.conf
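As an added example (not part of the original post), the following script audits the inbound "pass in" rule of the pf.conf above against the ports an ADDC actually needs, so that anything beyond that list is noticed and has to be justified on its own (SSH for administration, the printing ports only if the DC also serves printers). The allowed list is my assumption, taken from Samba's published port requirements plus NTP on 123; the rule text is copied from the post.

```shell
#!/bin/sh
# Added example: audit the "pass in" rule from the pf.conf above so that any
# inbound port beyond what the ADDC role needs is noticed and justified.

# Ports a Samba AD DC (internal DNS, NTP on the same host) needs to accept.
# Assumption: taken from Samba's published port list, plus 123 for NTP.
ADDC_PORTS="53 88 123 135 137 138 139 389 445 464 636 3268 3269 49152:65535"

# Copy of the inbound rule from the post's pf.conf, embedded so this runs offline.
PF_RULE='pass in quick on net0 proto {tcp,udp} from any to any port {22,53,123,135,137,464,389,515,636,631,445,139,88,3268,3269,49152:65535} flags S/SA modulate state'

# Print the entries of the rule's "port {...}" list, one per line.
rule_ports() {
    printf '%s\n' "$1" | sed -n 's/.*port *{\([^}]*\)}.*/\1/p' | tr ',' '\n'
}

# Print every port in the rule that is not in ADDC_PORTS, space separated.
# Exit status 0 when the rule opens nothing beyond the ADDC ports, 1 otherwise.
audit_ports() {
    extra=""
    for p in $(rule_ports "$1"); do
        found=0
        for allowed in $ADDC_PORTS; do
            [ "$p" = "$allowed" ] && found=1
        done
        [ "$found" -eq 0 ] && extra="${extra:+$extra }$p"
    done
    printf '%s\n' "$extra"
    [ -z "$extra" ]
}

if audit_ports "$PF_RULE" >/dev/null; then
    echo "inbound rule opens only ADDC ports"
else
    # With the rule from the post this reports 22 (SSH) and 515, 631 (printing).
    echo "inbound rule also opens: $(audit_ports "$PF_RULE" || true)"
fi
```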
Conclusion
As this post shows, it is possible to use Samba as an ADDC on Solaris, although it is much more complicated than on any other operating system.