Samba as an ADDC on Solaris 11.4

    Introduction


    When I first installed the Samba package on Solaris, it turned out that the package has no AD DC role. Long searches on the Internet led to answers of this kind: the Samba package on Solaris does not support this role, and some wrote that the role cannot be implemented on Solaris at all. Further research led me to the conclusion that everything hinges on the lack of POSIX ACL support in ZFS, and also in the Python that ships with Solaris. To solve these problems, you must use a disk with the UFS file system, and build Python (and Samba as well) from source.

    Preparation


    I do all of this in VMware ESXi; before installing the system, add one more hard disk to the virtual machine. Next, download the Python and Samba source code (to the root of the file system).

    wget https://download.samba.org/pub/samba/stable/samba-4.8.8.tar.gz
    wget https://www.python.org/ftp/python/2.7.15/Python-2.7.15.tgz
    

    Extract archives and rename folders for more convenience.

    gzip -d samba-4.8.8.tar.gz
    gzip -d Python-2.7.15.tgz
    tar -xvf Python-2.7.15.tar
    tar -xvf samba-4.8.8.tar
    mv Python-2.7.15 python
    mv samba-4.8.8 samba
    

    Next, you need to install gcc and some dependencies.

    pkg install gcc
    pkg install pkgconfig
    pkg install automake
    pkg install autoconf
    

    Set the variables for a 64-bit build

    export CPP="/usr/gcc/7/bin/gcc -E"
    export CC="/usr/gcc/7/bin/gcc"
    export CFLAGS="-m64 -std=gnu99 -fPIC -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
    export LDFLAGS="-m64 -L/usr/lib -R/usr/lib"
    export CXXFLAGS="-m64"
    

    Create a UFS file system on the additional hard disk (substitute the device name of your disk)

    newfs /dev/dsk/c1t1d0s2
    

    Next, register this disk in the vfstab file (not a typo: in Solaris the file is called that). Add this line to the file (the fields are: block device, raw device for fsck, mount point, file system type, fsck pass, mount at boot, mount options).

    /dev/dsk/c1t1d0s2       /dev/rdsk/c1t1d0s2      /ADDC   ufs     2       yes     -
    

    Create a mount directory and mount the hard disk in it

    mkdir /ADDC
    mount /dev/dsk/c1t1d0s2 /ADDC
    

    Build and installation


    You can now build Samba and Python. Change into the directory with the unpacked Samba source code and build it. Building Samba takes quite a long time.

    cd /samba
    ./configure --prefix=/ADDC
    gmake
    gmake install
    

    No additional parameters are required to build Python; it will be installed under /usr/local

    cd /python
    ./configure
    gmake
    gmake install
    

    After building Python, add the path to this freshly compiled Python to the PATH variable

    export PATH="/usr/local/bin:/usr/sbin:/usr/bin"
    

    IMPORTANT: for everything to work correctly, set the PATH variable exactly as in this example; /usr/local/bin must come first, so that the Python built from source is found before the system one.
    After these steps, using Samba as an AD DC is no longer a problem; to do so, run the samba-tool script

    /ADDC/bin/samba-tool domain provision --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=office.virusslayer.su --domain=virusslayer --host-name=ad --host-ip=192.168.1.105 --function-level=2008_R2 --adminpass=Password123456
    

    Specify the realm, domain, host-name that you need, and also the host-ip used by this host.

    The next step is to configure Kerberos; for this you need to change the following files

    /etc/krb5/krb5.conf
    /etc/krb5/kdc.conf
    

    The krb5.conf file must be changed to

    [libdefaults]
            default_realm = OFFICE.VIRUSSLAYER.SU
            dns_lookup_realm = false
            dns_lookup_kdc = true
            default_tgs_enctypes = aes256-cts-hmac-sha1-96
            default_tkt_enctypes = aes256-cts-hmac-sha1-96
            permitted_enctypes = aes256-cts-hmac-sha1-96
    [realms]
            OFFICE.VIRUSSLAYER.SU = {
                    kdc = kdc.office.virusslayer.su
                    admin_server = kdc.office.virusslayer.su
            }
    

    And kdc.conf to

    [realms]
            OFFICE.VIRUSSLAYER.SU = {
                    profile = /etc/krb5/krb5.conf
                    acl_file = /etc/krb5/kadm5.acl
                    kadmind_port = 749
                    max_life = 8h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    default_principal_flags = +preauth
            }
    

    For autorun and shutdown, I had to write a simple bash script

    #!/usr/bin/bash
    # sambactl: start, stop and inspect the Samba daemons installed under /ADDC
    case $1 in
        start|-start)
            /ADDC/sbin/samba
            /ADDC/sbin/smbd
            /ADDC/sbin/nmbd
            ;;
        stop|-stop)
            # remove stale pid files, then ask the daemons to terminate (SIGTERM)
            rm -f /ADDC/var/run/*.pid
            pkill -15 samba
            pkill -15 smbd
            pkill -15 nmbd
            ;;
        v|-v)
            /ADDC/sbin/samba -V
            ;;
        config|-config)
            cat /ADDC/etc/smb.conf
            ;;
        restart|-restart)
            rm -f /ADDC/var/run/*.pid
            pkill -15 samba
            pkill -15 smbd
            pkill -15 nmbd
            /ADDC/sbin/samba
            /ADDC/sbin/smbd
            /ADDC/sbin/nmbd
            ;;
        *)
            echo "usage: $0 start|stop|restart|v|config" >&2
            exit 1
            ;;
    esac
    

    Put this script into the file /usr/bin/sambactl (create it first), make it executable and copy it into the rc3.d and rc0.d directories so that Samba is started and stopped automatically

    touch /usr/bin/sambactl
    chmod +x /usr/bin/sambactl
    cp /usr/bin/sambactl /etc/rc3.d/Ssambactl
    cp /usr/bin/sambactl /etc/rc0.d/Ksambactl
    

    For the DC to work correctly, the system's DNS server must be changed (editing resolv.conf is not enough, since those changes only survive until the next reboot); to do this, edit the service property and refresh the service, specifying the IP address of this host as the server

    svccfg -s dns/client setprop config/nameserver="192.168.1.105"
    svcadm refresh dns/client
    

    After these manipulations, you can start Samba and add the DNS entry

    /usr/bin/sambactl start
    /ADDC/bin/samba-tool dns add office.virusslayer.su -U administrator office.virusslayer.su kdc.office.virusslayer.su A 192.168.1.105
    

    Check that Kerberos works

    kinit administrator
    

    If everything is correct and the password was entered correctly, the ticket will be created in the /tmp/volatile-user/0 directory. The Kerberos configuration is not complete yet: you also need to configure the time synchronization server, since Kerberos depends on client and server clocks agreeing. To do this, create the /etc/inet/ntp.conf file with the following contents, then start the time service.

    server 127.127.1.0 prefer
    server 0.europe.pool.ntp.org
    server 1.europe.pool.ntp.org
    server 2.europe.pool.ntp.org
    server 3.europe.pool.ntp.org
    driftfile /var/ntp/ntp.drift
    restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
    

    In the restrict line specify the subnet that will be allowed access to the time server.

    Start and update the service.

    svcadm enable ntp
    svcadm refresh ntp
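
    The kinit check above and the NTP setup can be verified together. The script below is an added example and not part of the original article: it parses `klist -e` output to confirm that the tickets use the single enctype permitted in the krb5.conf above, parses `ntpq -p` to confirm the selected peer is within Kerberos' 5-minute skew tolerance, and checks that the SRV records domain members use to locate the KDC and LDAP service exist in the article's zone. The zone name and tool paths come from the article; the MAX_OFFSET_MS threshold and the sample outputs used for the dry run are constructed assumptions.

```bash
#!/usr/bin/bash
# Post-provisioning health check for the Samba AD DC built above.
# Added example, not part of the original article. The zone name is the
# article's; MAX_OFFSET_MS and the constructed sample outputs are assumptions.

DNS_ZONE="office.virusslayer.su"
MAX_OFFSET_MS=300000   # Kerberos rejects tickets when clocks differ by more than 5 minutes

# check_enctypes: read `klist -e` output on stdin. Succeeds only when at least
# one ticket is present and every ticket uses aes256-cts-hmac-sha1-96, the only
# enctype permitted in krb5.conf above; prints any offending line.
check_enctypes() {
    awk '
        /Etype/ { found = 1 }
        /Etype/ && $0 !~ /aes256-cts-hmac-sha1-96/ { print "unexpected enctype: " $0; bad = 1 }
        END { if (!found) { print "no tickets in cache"; exit 1 }; exit bad ? 1 : 0 }
    '
}

# check_time_offset: read `ntpq -p` output on stdin. Succeeds when the peer the
# daemon has selected (line starting with "*") reports an absolute offset
# (column 9, milliseconds) below MAX_OFFSET_MS.
check_time_offset() {
    awk -v max="$MAX_OFFSET_MS" '
        substr($0, 1, 1) == "*" {
            found = 1
            off = $9 + 0; if (off < 0) off = -off
            if (off > max) { print "clock offset " off " ms exceeds " max " ms"; exit 1 }
        }
        END { if (!found) { print "no synchronised NTP peer"; exit 1 } }
    '
}

# check_srv_records: domain members locate the KDC and LDAP service through
# these SRV records, so the DC must publish them (dig ships with Solaris 11).
check_srv_records() {
    for rec in _kerberos._tcp _kerberos._udp _ldap._tcp; do
        dig +short SRV "$rec.$DNS_ZONE" | grep -q . || { echo "missing $rec.$DNS_ZONE"; return 1; }
    done
}

# Constructed sample outputs (not real captures) so the parsers can be
# exercised without a running DC.
SAMPLE_KLIST='Default principal: administrator@OFFICE.VIRUSSLAYER.SU
Valid starting     Expires            Service principal
01/01/19 10:00:00  01/01/19 20:00:00  krbtgt/OFFICE.VIRUSSLAYER.SU@OFFICE.VIRUSSLAYER.SU
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*0.europe.pool.n 192.0.2.10       2 u   43   64  377   12.345   -0.512   0.210
 LOCAL(0)        .LOCL.          10 l   12   64  377    0.000    0.000   0.000'

# dry_run: exercise the parsers on the constructed samples.
dry_run() {
    printf '%s\n' "$SAMPLE_KLIST" | check_enctypes && echo "sample klist: ok"
    printf '%s\n' "$SAMPLE_NTPQ" | check_time_offset && echo "sample ntpq: ok"
}

# live_run: run the checks against the real DC (needs a ticket from kinit).
live_run() {
    klist -e | check_enctypes || return 1
    ntpq -p | check_time_offset || return 1
    check_srv_records || return 1
    echo "all checks passed"
}

case "${1:-}" in
    live) live_run ;;
    *)    dry_run ;;
esac
```

    Run it as `sambacheck live` on the DC after `kinit administrator`; without the argument it only exercises the parsers on the built-in samples. A non-AES enctype in the ticket cache means a client or the DC is negotiating something weaker than krb5.conf permits, and a missing SRV record or a large clock offset is the usual reason a Windows join fails.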
    

    You can use the Remote Server Administration Tools (RSAT) to edit group policies; they can be downloaded from the following links.

    Windows 8.1
    https://www.microsoft.com/ru-ru/download/details.aspx?id=39296
    Windows 10
    https://www.microsoft.com/ru-RU/download/details.aspx?id=45520
    Windows 7
    https://www.microsoft.com/ru-ru/download/details.aspx?id=7887
    

    After installing RSAT on Windows 7, the tools must be enabled in the Control Panel (Turn Windows features on or off). After the computer has been joined to the domain, open the Group Policy Editor and, in the Default Domain Policy, edit the policy responsible for the time server.

    (screenshot: Group Policy Editor, Windows Time Service settings in the Default Domain Policy)

    In this section, enable the options "Enable Windows NTP Client" and "Configure Windows NTP Client", set Type to NTP and NtpServer to office.virusslayer.su

    Additionally, you can configure the firewall: edit the file /etc/firewall/pf.conf so that it looks like this.

    # loopback traffic is not filtered
    set skip on lo0
    pass quick on lo0 from any to any no state
    # inbound: SSH plus the services an AD DC exposes (DNS, Kerberos, LDAP/GC, SMB, NetBIOS, RPC, NTP, printing)
    pass in quick on net0 proto tcp from any to any port {22,53,123,135,137,464,389,515,636,631,445,139,88,3268,3269,49152:65535} flags S/SA modulate state
    pass in quick on net0 proto udp from any to any port {22,53,123,135,137,464,389,515,636,631,445,139,88,3268,3269,49152:65535} keep state
    # outbound: web, FTP, DNS and ICMP
    pass out quick on net0 proto tcp from any to any port {80,443,21,20,53} flags S/SA modulate state
    pass out quick on net0 proto udp from any to any port 53 keep state
    pass out quick on net0 proto icmp from any to any
    # everything else, fragments included, is dropped
    block from any to any fragment
    block all
    

    Enable the service and load the rule file

    svcadm enable firewall
    pfctl -f /etc/firewall/pf.conf
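
    Once the rules are loaded, it is worth confirming that the pass-in list and the services actually bound on the host agree, so that nothing the DC needs is silently blocked and no extra listener is exposed. The script below is an added example, not part of the original article: it extracts the ports from the "pass in" rules of a pf.conf, extracts the listening sockets from Solaris `netstat -an -f inet` output, and reports every listener the rules would not admit. The pf.conf path is the article's; the sample rule and netstat listing embedded for the dry run are constructed.

```bash
#!/usr/bin/bash
# Compare the ports this host listens on with the ports the pf.conf "pass in"
# rules admit. Added example, not part of the original article; the pf.conf
# path is the article's, the sample inputs below are constructed.

PF_CONF=/etc/firewall/pf.conf

# pf_inbound_ports: print every port or low:high range listed in the
# port { ... } clause of each "pass in" rule of a pf.conf read on stdin.
pf_inbound_ports() {
    awk '
        /^pass in/ && match($0, /port[ =]*[{][^}]*[}]/) {
            list = substr($0, RSTART, RLENGTH)
            sub(/^port[ =]*[{]/, "", list); sub(/[}]$/, "", list)
            n = split(list, p, /[ ,]+/)
            for (i = 1; i <= n; i++) if (p[i] != "") print p[i]
        }
    '
}

# listening_ports: from Solaris "netstat -an -f inet" output on stdin, print
# "proto port" for each TCP socket in LISTEN state and each bound UDP socket
# (state Idle). Solaris writes the port after the last dot of the address.
listening_ports() {
    awk '
        /^TCP:/ { proto = "tcp"; next }
        /^UDP:/ { proto = "udp"; next }
        (proto == "tcp" && $NF == "LISTEN") || (proto == "udp" && $NF == "Idle") {
            n = split($1, a, "."); print proto, a[n]
        }
    ' | sort -u
}

# port_allowed PORT SPEC...: succeed if PORT equals a SPEC or lies inside a
# SPEC written as low:high.
port_allowed() {
    port=$1; shift
    for spec in "$@"; do
        case $spec in
            *:*) [ "$port" -ge "${spec%:*}" ] && [ "$port" -le "${spec#*:}" ] && return 0 ;;
            *)   [ "$port" -eq "$spec" ] && return 0 ;;
        esac
    done
    return 1
}

# blocked_listeners PFCONF_TEXT NETSTAT_TEXT: print "proto port" for every
# listening socket the pass-in rules would not admit. Empty output means the
# rule set and the running services agree.
blocked_listeners() {
    allowed=$(printf '%s\n' "$1" | pf_inbound_ports | tr '\n' ' ')
    printf '%s\n' "$2" | listening_ports | while read -r proto port; do
        port_allowed "$port" $allowed || echo "$proto $port"
    done
}

# Constructed sample data: the article's pass-in rule and a netstat listing
# with one extra service (tcp 8080) that the rule would block.
SAMPLE_PF='pass in quick on net0 proto {tcp,udp} from any to any port {22,53,123,135,137,464,389,515,636,631,445,139,88,3268,3269,49152:65535} flags S/SA modulate state'
SAMPLE_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 128000      0 LISTEN
      *.445                *.*                0      0 128000      0 LISTEN
      *.8080               *.*                0      0 128000      0 LISTEN
192.168.1.105.49153        *.*                0      0 128000      0 LISTEN

UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.53                                 Idle
      *.88                                 Idle'

case "${1:-}" in
    live) blocked_listeners "$(cat "$PF_CONF")" "$(netstat -an -f inet)" ;;
    *)    blocked_listeners "$SAMPLE_PF" "$SAMPLE_NETSTAT" ;;
esac
```

    Without arguments the script reports `tcp 8080` from the built-in sample; with `live` it reads the real rule file and socket table. Before loading a changed rule file, `pfctl -nf /etc/firewall/pf.conf` parses it without applying it, which catches syntax errors before they leave the host unfiltered or unreachable.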
    

    Conclusion


    As this article shows, Samba can be used as an AD DC on Solaris, although it is much more complicated than on any other operating system.
