Samba as an ADDC on Solaris 11.4


    When I first installed the Samba package on Solaris, it turned out that the package contains no AD DC role. Long searches on the Internet led to answers of this kind: the Samba package on Solaris does not support this role, and some people wrote that the role cannot be implemented on Solaris at all. Further research led me to the cause: everything comes down to the absence of POSIX ACL support in ZFS (which uses NFSv4-style ACLs instead), and likewise in the Python that ships with Solaris. To get around both problems you need a separate disk with a ufs file system, and you need to build Python (and Samba itself) from source.


    Everything below was done in a VMware ESXi virtual machine; before installing the system, add a second virtual hard disk to it. Then download the Python and Samba source archives (here into the root of the file system).


    Extract the archives and rename the directories for convenience.

    gzip -d samba-4.8.8.tar.gz
    gzip -d Python-2.7.15.tgz
    tar -xvf Python-2.7.15.tar
    tar -xvf samba-4.8.8.tar
    mv Python-2.7.15 python
    mv samba-4.8.8 samba

    Next, you need to install gcc and some dependencies.

    pkg install gcc
    pkg install pkgconfig
    pkg install automake
    pkg install autoconf

    Set environment variables so that 64-bit binaries are built:

    export CPP="/usr/gcc/7/bin/gcc -E"
    export CC="/usr/gcc/7/bin/gcc"
    export CFLAGS="-m64 -std=gnu99 -fPIC -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
    export LDFLAGS="-m64 -L/usr/lib -R/usr/lib"
    export CXXFLAGS="-m64"

    Create a ufs file system on the additional disk (substitute your own device name; slice 2 is the slice that spans the whole disk):

    newfs /dev/dsk/c1t1d0s2

    Next, register this disk in /etc/vfstab (not a typo; that is the file's name on Solaris). Add the line below: the second field is the raw device (/dev/rdsk/...) that fsck operates on, and the fifth field is the fsck pass number.

    /dev/dsk/c1t1d0s2       /dev/rdsk/c1t1d0s2      /ADDC   ufs     2       yes     -

    Create a mount directory and mount the hard disk in it

    mkdir /ADDC
    mount /dev/dsk/c1t1d0s2 /ADDC

    Building and installing

    Now Samba and Python can be built. Change to the directory with the unpacked Samba source code and build it. Building Samba takes quite a long time.

    cd /samba
    ./configure --prefix=/ADDC
    gmake install

    Python needs no extra configure options; its default prefix installs it into /usr/local. Run the configure script first, otherwise there is no Makefile for gmake.

    cd /python
    ./configure
    gmake install

    After building Python, put the path to this freshly built interpreter in front of everything else in PATH:

    export PATH="/usr/local/bin:/usr/sbin:/usr/bin"

    IMPORTANT: for everything to work, PATH must look exactly like this example, with /usr/local/bin in first place, so that "python" resolves to the self-built interpreter rather than the one shipped with Solaris. This export applies only to the current shell, so it must also be set wherever Samba is started from (for example in an init script).
    After these steps, using Samba as an AD DC is no longer a problem; run the samba-tool script to provision the domain:

    /ADDC/bin/samba-tool domain provision --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=OFFICE.VIRUSSLAYER.SU --domain=virusslayer --host-name=ad --host-ip= --function-level=2008_R2 --adminpass=Password123456

    Specify the realm (the upper-case Kerberos realm, which also becomes the DNS zone; --realm is mandatory and the value is the same one used in krb5.conf below), the NetBIOS domain name, the host name and, in --host-ip, the address of this host. Prefer omitting --adminpass so that samba-tool prompts for the password instead of leaving it in the shell history, and choose something stronger than the example.

    The next step is to configure Kerberos, which means editing two files under /etc/krb5. Provisioning also writes a ready-made client configuration to /ADDC/private/krb5.conf that you can compare against. The kdc and admin_server values are left blank below; put this host's name or address there.

    /etc/krb5/krb5.conf must be brought to this form:

    [libdefaults]
            default_realm = OFFICE.VIRUSSLAYER.SU
            dns_lookup_realm = false
            dns_lookup_kdc = true
            default_tgs_enctypes = aes256-cts-hmac-sha1-96
            default_tkt_enctypes = aes256-cts-hmac-sha1-96
            permitted_enctypes = aes256-cts-hmac-sha1-96

    [realms]
            OFFICE.VIRUSSLAYER.SU = {
                  kdc =
                  admin_server =
            }

    and the realm stanza of /etc/krb5/kdc.conf (the Solaris KDC configuration, whose standard keys these are) to:

    [realms]
            OFFICE.VIRUSSLAYER.SU = {
                    profile = /etc/krb5/krb5.conf
                    acl_file = /etc/krb5/kadm5.acl
                    kadmind_port = 749
                    max_life = 8h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    default_principal_flags = +preauth
            }

    For autostart and shutdown I had to write a simple bash script:

    #!/bin/bash
    export PATH=/usr/local/bin:/usr/sbin:/usr/bin   # self-built python first, as above
    case "$1" in                                    # rc3.d S* scripts are called with "start", rc0.d K* scripts with "stop"
    start)
            rm -f /ADDC/var/run/*.pid               # clear stale pid files from an unclean shutdown
            pkill -15 -x samba                      # -x: exact name, so samba-tool and this script are not matched
            pkill -15 -x smbd
            pkill -15 -x nmbd
            /ADDC/sbin/samba -V                     # log the version being started
            cat /ADDC/etc/smb.conf                  # log the configuration in effect
            /ADDC/sbin/samba                        # start the AD DC (assumed; this line is not shown in the original)
            ;;
    stop)
            rm -f /ADDC/var/run/*.pid
            pkill -15 -x samba
            pkill -15 -x smbd
            pkill -15 -x nmbd
            ;;
    esac

    Put this script into /usr/bin/sambactl (create the file first), make it executable and copy it into the rc3.d and rc0.d directories so that Samba is started and stopped automatically. Solaris calls S* scripts in rc3.d with the argument "start" and K* scripts in rc0.d with "stop", which is what the case statement above expects.

    touch /usr/bin/sambactl
    chmod +x /usr/bin/sambactl
    cp /usr/bin/sambactl /etc/rc3.d/Ssambactl
    cp /usr/bin/sambactl /etc/rc0.d/Ksambactl

    For everything to keep working, the system's DNS server must be changed (editing /etc/resolv.conf is not enough; such changes survive only until the next reboot). Set the property on the dns/client SMF service and refresh it, giving the IP address of this system as the server:

    svccfg -s dns/client setprop config/nameserver=""
    svcadm refresh dns/client

    After that you can start Samba and add DNS records (the positional arguments are shown as placeholders):

    /ADDC/bin/samba-tool dns add <server> <zone> <name> A <ip-address> -U administrator

    Check that Kerberos works:

    kinit administrator

    If everything is correct and the password is entered correctly, the ticket is created under /tmp/volatile-user/0 (klist shows it). The
    Kerberos configuration is still not complete: the domain controller also needs to act as a time server, because Kerberos tolerates only a few minutes of clock skew between client and KDC. To do this, create the file /etc/inet/ntp.conf with the content below, then enable the service.

    server prefer
    driftfile /var/ntp/ntp.drift
    restrict nomodify notrap

    Put the address of the upstream time source after "server", and in the restrict line put the subnet that may use this time server between "restrict" and "nomodify" (restrict <network> mask <netmask> nomodify notrap). Without a "restrict default" line ntpd accepts queries and control requests from anyone; add "restrict default kod nomodify notrap nopeer noquery" if the DC is reachable from networks you do not trust.

    Enable the service, and refresh it after any later edit to ntp.conf:

    svcadm enable ntp
    svcadm refresh ntp
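    The checks a practitioner runs at this point, as an added example that is not part of the original article: that the system resolver really points at the DC, that the SRV records Windows clients rely on resolve when the DC itself is asked, that a TGT for administrator can be obtained with the AES enctype the krb5.conf above permits, and that the provisioned directory is consistent. Realm, address, and the samba-tool path are assumptions chosen to match the article's names; the address stands in for the --host-ip value the article leaves blank.

```sh
#!/bin/sh
# Added example, not part of the original article: the checks to run after
# "samba-tool domain provision" and after pointing dns/client at the DC.
# Realm, address and paths are assumptions matching the article's names.
REALM="${REALM:-OFFICE.VIRUSSLAYER.SU}"
DC_IP="${DC_IP:-192.0.2.10}"                 # assumed; the article leaves --host-ip blank
SAMBA_TOOL="${SAMBA_TOOL:-/ADDC/bin/samba-tool}"

# SRV records a Windows client queries to find a DC when joining or logging
# on. Samba's internal DNS creates them at provision time; every one of them
# must resolve when the DC itself is asked.
srv_names() {   # $1 = realm; prints one owner name per line, lower case
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for n in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp _kpasswd._udp \
             _gc._tcp _ldap._tcp.dc._msdcs _ldap._tcp.pdc._msdcs; do
        printf '%s.%s\n' "$n" "$d"
    done
}

# Ask the DC directly (not whatever resolver the shell inherited).
check_srv() {   # non-zero if any record is missing
    rc=0
    for name in $(srv_names "$REALM"); do
        if nslookup -type=SRV "$name" "$DC_IP" 2>/dev/null | grep -q 'service = '; then
            echo "ok      $name"
        else
            echo "MISSING $name"; rc=1
        fi
    done
    return $rc
}

# The resolver the system actually uses must be the DC itself; otherwise
# samba_dnsupdate and the clients' SRV lookups go to a server that has never
# heard of the new zone.
check_resolver() {
    svcprop -p config/nameserver dns/client | grep -q "$DC_IP"
}

# Kerberos: obtain a TGT as administrator and confirm the ticket uses AES,
# as permitted_enctypes in krb5.conf demands.
check_kerberos() {
    kinit "administrator@$REALM" && klist -e | grep -q 'aes256-cts-hmac-sha1-96'
}

# Consistency of the provisioned directory; exits non-zero if objects need repair.
check_database() {
    "$SAMBA_TOOL" dbcheck --cross-ncs
}

# Usage: sh check_dc.sh run   (on the DC, after sambactl start)
if [ "$1" = run ]; then
    check_resolver || echo "dns/client does not point at $DC_IP" >&2
    check_srv && check_kerberos && check_database && echo "all checks passed"
fi
```

    A missing _ldap._tcp.dc._msdcs record is the usual reason a Windows client reports "the domain could not be contacted" even though ping and LDAP work, so the SRV loop is worth running again whenever the host name or address changes.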

    Group policies can be edited with the Remote Server Administration Tools (RSAT) for Windows, available from Microsoft for these versions (the original linked the downloads):

    Windows 8.1
    Windows 10
    Windows 7

    After installing RSAT on Windows 7, the tools must be enabled in Control Panel (Turn Windows features on or off). Once a computer has been joined to the domain, start the Group Policy editor and, in the Default Domain Policy, edit the policy responsible for the time server.


    That policy lives under Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers. Enable "Enable Windows NTP Client" and "Configure Windows NTP Client"; in the latter set Type to NTP and put this server's name or address in NtpServer.

    Additionally, you can configure the firewall by editing /etc/firewall/pf.conf (bring it to the following form). The pass rules are "quick", so they take precedence over the block rules at the end. Ports 515 and 631 are print services from the original list and can be dropped if this host does not share printers.

    set skip on lo0
    pass quick on lo0 from any to any no state
    # TCP and UDP are separate rules: "flags" and "modulate state" are TCP-only options and pfctl refuses them on a UDP rule
    pass in quick on net0 proto tcp from any to any port {22,53,88,135,139,389,445,464,515,631,636,3268,3269,49152:65535} flags S/SA modulate state
    pass in quick on net0 proto udp from any to any port {53,88,123,137,389,464} keep state
    pass out quick on net0 proto tcp from any to any port {20,21,53,80,443} flags S/SA modulate state
    # UDP 123 out lets ntpd reach the upstream "server ... prefer" from ntp.conf
    pass out quick on net0 proto udp from any to any port {53,123} keep state
    pass out quick on net0 proto icmp from any to any
    block from any to any fragment
    block all

    Enable the firewall service and load the rules file:

    svcadm enable firewall
    pfctl -f /etc/firewall/pf.conf
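    The configuration fragments above (the vfstab entry, krb5.conf, ntp.conf and pf.conf) all depend on the same handful of values, several of which the article leaves blank. As an added example that is not code from the article, the script below renders all four from one set of variables; realm, host name, interface, LAN range and upstream NTP server are assumptions chosen to match the article's names, and the output is meant to be reviewed before it is copied into /etc.

```sh
#!/bin/sh
# Added example, not code from the original article: render the DC's config
# files from one set of variables, so the values the article scatters (and
# partly leaves blank) live in one place. Every value below is an assumption
# chosen to match the article's names; override it in the environment.
REALM="${REALM:-OFFICE.VIRUSSLAYER.SU}"          # Kerberos realm, upper case
DC_FQDN="${DC_FQDN:-ad.office.virusslayer.su}"   # host-name.realm from provisioning
NET_IF="${NET_IF:-net0}"
UPSTREAM_NTP="${UPSTREAM_NTP:-ntp.example.net}"  # assumed upstream time source
LAN_NET="${LAN_NET:-192.0.2.0}"                  # assumed LAN, RFC 5737 range
LAN_MASK="${LAN_MASK:-255.255.255.0}"

# vfstab: field 1 is the block device, field 2 the raw device fsck uses,
# field 5 the fsck pass number (not the word "fsck").
vfstab_entry() {   # $1 = /dev/dsk/cXtYdZsN, $2 = mount point
    raw=$(printf '%s' "$1" | sed 's|^/dev/dsk/|/dev/rdsk/|')
    printf '%s\t%s\t%s\tufs\t2\tyes\t-\n' "$1" "$raw" "$2"
}

# krb5.conf with all three sections; AES-only, as in the article. The
# [domain_realm] map is what lets hosts in the DNS zone find their realm.
krb5_conf() {
    lower=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
        default_realm = $REALM
        dns_lookup_realm = false
        dns_lookup_kdc = true
        default_tgs_enctypes = aes256-cts-hmac-sha1-96
        default_tkt_enctypes = aes256-cts-hmac-sha1-96
        permitted_enctypes = aes256-cts-hmac-sha1-96

[realms]
        $REALM = {
                kdc = $DC_FQDN
                admin_server = $DC_FQDN
        }

[domain_realm]
        .$lower = $REALM
        $lower = $REALM
EOF
}

# PF ruleset. TCP and UDP get separate rules because "flags" and
# "modulate state" are TCP-only and pfctl rejects them on a UDP rule.
# "block all" is listed first; the pass rules are "quick" so they win.
pf_conf() {
    cat <<EOF
set skip on lo0
block all
pass in quick on $NET_IF proto tcp from any to any port {22,53,88,135,139,389,445,464,636,3268,3269,49152:65535} flags S/SA modulate state
pass in quick on $NET_IF proto udp from any to any port {53,88,123,137,389,464} keep state
pass out quick on $NET_IF proto tcp from any to any port {20,21,53,80,443} flags S/SA modulate state
pass out quick on $NET_IF proto udp from any to any port {53,123} keep state
pass out quick on $NET_IF proto icmp from any to any
EOF
}

# ntp.conf: the article's three lines plus a default restriction, so the DC
# answers time queries from the LAN but accepts control/modify from nobody.
ntp_conf() {
    cat <<EOF
server $UPSTREAM_NTP prefer
driftfile /var/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict $LAN_NET mask $LAN_MASK nomodify notrap
EOF
}

# Usage: sh render_dc_conf.sh /tmp/dc-conf   (writes the files there for review)
if [ $# -eq 1 ]; then
    mkdir -p "$1"
    vfstab_entry /dev/dsk/c1t1d0s2 /ADDC > "$1/vfstab.line"
    krb5_conf > "$1/krb5.conf"
    pf_conf   > "$1/pf.conf"
    ntp_conf  > "$1/ntp.conf"
fi
```

    Running the rendered pf.conf through "pfctl -nf" before loading it catches syntax errors without touching the live ruleset; the same dry run is what exposes a "flags" option on a UDP rule.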


    As this post shows, Samba can be used as an AD DC on Solaris, although it is much more involved than on any other operating system.
