DNS: with Bind9 / DHCP “Ubuntu 14.04 and *Ubuntu 18.

04 LTS”

 Domain info

 server hostname: dcsrv

 search-domain abc.lan

 Domain Realm mydc“for the next tutorial setting up samba4”

Edit host file: nano /etc/hosts/

127.0.0.1 localhost

127.0.0.1 dcsrv.adc.lan dcsrv

10.0.2.99 ns.abc.lan ns

10.0.2.99 mydc.acb.lan mydc

 Setup static IP:  /etc/network/interfaces

auto eth0

iface eth0 inet static

address 10.1.200.3

gateway 10.1.200.1

netmask 255.255.255.0

dns-nameservers 8.8.8.8

Update your system, then reboot.

sudo apt-get update

sudo apt-get dist-upgrade

sudo reboot

Install Bind9 and DHCP.

sudo apt-get install isc-dhcp-server bind9

 Configuring DNS

sudo nano /etc/bind/named.conf.options

acl internals {

localhost;

localnets;

};

 
options {

directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want

// to talk to, you may need to fix the firewall to allow multiple

// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable

// nameservers, you probably want to use them as forwarders.

// Uncomment the following block, and insert the addresses replacing

// the all-0's placeholder.

forwarders {

// DNS to the internet you could also add the DNS servers from your ISP

8.8.8.8;

};

allow-query {

internals;

};

// restrict recursion

allow-recursion {

internals;

};

allow-transfer {

internals;

};

//========================================================================

// If BIND logs error messages about the root key being expired,

// you will need to update your keys. See https://www.isc.org/bind-keys

//========================================================================

// turn off zone encryption. The auto flag still generates warnings in the log file
 dnssec-enable no;

// dnssec-validation auto;

listen-on-v6 { any; };

auth-nxdomain no; # conform to RFC1035

};

The installation process creates the crypto file needed when the new DHCP server communicates
with the DNS server. The command below creates a file /etc/bind/rndc.key which replaces the file
generated by the install process.

To view current rndc-key file created during the install:

nano /etc/bind/rndc.key

Example of rndc-key below:

key "rndc-key" {

algorithm hmac-md5;

secret "wrhfunsh45k/wodkqtfhsnv==";

};

Recommend to change key using this command:

sudo /usr/sbin/rndc-confgen -a

Set permissions on key to keep it safe.

sudo chown root:bind /etc/bind/rndc.key

sudo chmod 640 /etc/bind/rndc.key

Adding DNS Zones

sudo nano /etc/bind/named.conf.local

//

// Do any local configuration here

//

include "/etc/bind/rndc.key";

zone "abc.lan" {

type master;

file "/var/lib/bind/abc.lan.zone";

allow-update { key rndc-key; };

};

zone "2.0.10.in-addr.arpa" {

type master;

file "/var/lib/bind/abc.lan.rev.zone";

allow-update { key rndc-key; };

};

// Consider adding the 1918 zones here, if they are not used in your

// organization

//include "/etc/bind/zones.rfc1918";

sudo nano /var/lib/bind/abc.lan.zone

$ORIGIN .

$TTL 907200 ; 1 week 3 days 12 hours

abc.lan IN SOA ns.abc.lan. admin.abc.lan. (

2014071403 ; serial

28800 ; refresh (8 hours)

3600 ; retry (1 hour)

604800 ; expire (1 week)

38400 ; minimum (10 hours 40 minutes)

NS ns.abc.lan.

$ORIGIN abc.lan.

router01 A 10.0.2.1

ns A 10.0.2.99

dnsserver CNAME ns

mydc CNAME ns

Reverse lookup zone:

sudo nano /var/lib/bind/abc.lan.rev.zone

$ORIGIN .
$TTL 907200 ; 1 week 3 days 12 hours

2.0.10.in-addr.arpa IN SOA ns.abc.lan. admin.abc.lan. (

2014071402 ; serial

28800 ; refresh (8 hours)

604800 ; retry (1 week)

604800 ; expire (1 week)

86400 ; minimum (1 day)

NS ns.abc.lan.

$ORIGIN 2.0.10.in-addr.arpa.

1 PTR router01.abc.lan.

3 PTR mydc.abc.lan

3 PTR dnsserver.abc.lan

PTR abc.lan

Change the permissions on the two new zone files that were created.

sudo chown root:bind /var/lib/bind/*zone

sudo service bind9 restart

DHCP Configuration

sudo nano /etc/dhcp/dhcpd.conf

Remove your current information in the dhcp.conf and add the

information below; then modify to your needs.

ddns-updates on;

ddns-update-style interim;

update-static-leases on;

authoritative;

include "/etc/dhcp/ddns-keys/rndc.key";

allow unknown-clients;

use-host-decl-names on;

default-lease-time 86400; #24 hours

max-lease-time 86400; #21 hours

log-facility local7;
 

# abd.lan DNS zones

zone abc.lan. {

primary 127.0.0.1; # This server is the primary DNS server for the zone

key rndc-key; # Use the key we defined earlier for dynamic updates

zone 2.0.10.in-addr.arpa. {

primary 127.0.0.1; # This server is the primary reverse DNS server for the zone

key rndc-key; # Use the key we defined earlier for dynamic updates

# abc.lan LAN range

subnet 10.0.2.0 netmask 255.255.255.0 {

range 10.0.2.100 10.0.2.200;

option subnet-mask 255.255.255.0;

option routers 10.0.2.1;

option domain-name-servers 10.0.2.99;

option domain-name "abc.lan";

ddns-domainname "abc.lan.";

ddns-rev-domainname "2.0.10.in-addr.arpa.";

Apply these commands to create some links and set permissions:

sudo ln /etc/bind/rndc.key /etc/dhcp/ddns-keys/rndc.key

sudo ls -l /etc/dhcp/ddns-keys/rndc.key

sudo chown root:bind /etc/dhcp/ddns-keys/rndc.key

 restart services

 sudo service bind9 restart

 sudo service isc-dhcp-server restart

Samba 4 Active Directory Domain
Controller on Ubuntu 18.04 Server
6 minute read

This post will outline how to install an Active Directory(AD) Domain Controller on Ubuntu
Server 18.04. Yes, that’s right…Active Directory on a linux host. Not a backup domain
controller but a functional AD that you can create users with, join computers to, and set up
group policy.

Network configurationPermalink
Hostname Domain IP Address
dc1 ad.ricosharp.com 192.168.122.70

Configure networkingPermalink
Configure system hostname

~]$ sudo hostnamectl set-hostname dc1

Edit the hosts files so the hostname resolves to its IP address

~]$ sudo nano /etc/hosts

# Add this line to /etc/hosts so that dc1 resolves to 192.168.122.70
192.168.122.70 dc1 dc1.ad.ricosharp.com

Note that Ubuntu 18.04 is now using netplan to configure IP addresses on systems. I will
outline a basic configuration in a future post

Update system and install required packagesPermalink

Update and reboot the system

~]$ sudo apt update -y

~]$ sudo apt upgrade -y
~]$ sudo reboot

Install relevant samba, winbind, and kerberos packages. The installation will prompt for
kerberos settings and will give an error at the end of installation. Ignore this for now and
accept the defaults. This will be configured properly later as part of the AD installation.

~]$ sudo apt install samba smbclient winbind libpam-winbind libnss-winbind

krb5-kdc libpam-krb5 -y

Rename samba and kerberos files. You need to start from a clean environment when starting
the samba AD setup.
~]$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
~]$ sudo mv /etc/krb5.conf /etc/krb5.conf.orig

Run the samba AD setupPermalink

All the default settings are fine. The only change I make is to set the DNS forwarder to
8.8.8.8. You can also use a different DNS backend. But this is out of the scope of this post for
a simple setup.

~]$ sudo samba-tool domain provision --use-rfc2307 --interactive

Realm [AD.RICOSHARP.COM]:
Domain [AD]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
[SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding)
[127.0.0.53]: 8.8.8.8
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad,DC=ricosharp,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad,DC=ricosharp,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at
/var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba AD server will be ready to
use
Server Role: active directory domain controller
Hostname: dc1
NetBIOS Domain: AD
DNS Domain: ad.ricosharp.com
DOMAIN SID: S-1-5-21-2060062981-3252955935-809771608

Copy the provisioned kerberos configuration file to the kerberos configuration file location

~]$ sudo cp /var/lib/samba/private/krb5.conf /etc

Test the configurationPermalink

Samba can now be run. But before setting up with systemd, start samba and run some tests
with DNS.

~]$ sudo samba

Test DNS

~]$ host -t SRV _ldap._tcp.ad.ricosharp.com

Host _ldap._tcp.ad.ricosharp.com not found: 3(NXDOMAIN)
~]$ host -t SRV _kerberos._udp.ad.ricosharp.com
Host _kerberos._udp.ad.ricosharp.com not found: 3(NXDOMAIN)
~]$ host -t A dc1.ad.ricosharp.com
dc1.ad.ricosharp.com has address 192.168.122.70

This is not good as without DNS, AD will fail to run properly. If we run netstat to see what
processes are listening on port 53, we can see that systemd-resolve is running in addition to
samba.

~]$ sudo netstat -tulpn | grep :53

tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
688/systemd-resolve
tcp6 0 0 :::53 :::* LISTEN
4368/samba
udp 0 0 127.0.0.53:53 0.0.0.0:*
688/systemd-resolve
udp6 0 0 :::53 :::*
4368/samba

A quick and dirty way to make sure that samba is the only process listening to DNS queries is
to disable the systemd-resolved service.

~]$ sudo systemctl stop systemd-resolved

~]$ sudo systemctl disable systemd-resolved
~]$ sudo unlink /etc/resolv.conf
~]$ sudo nano /etc/resolv.conf
nameserver 192.168.122.70
search ad.ricosharp.com
~]$ sudo reboot

Test DNS again. It looks like everything is now working.

~]$ sudo samba

~]$ host -t SRV _ldap._tcp.ad.ricosharp.com
_ldap._tcp.ad.ricosharp.com has SRV record 0 100 389 dc1.ad.ricosharp.com.
~]$ host -t SRV _kerberos.udp.ad.ricosharp.com
Host _kerberos.udp.ad.ricosharp.com not found: 3(NXDOMAIN)
~]$ host -t A dc1.ad.ricosharp.com
dc1.ad.ricosharp.com has address 192.168.122.70

Let’s also go ahead and test kerberos authentication. Everything here looks in order.

~]$ kinit Administrator

Password for Administrator@AD.RICOSHARP.COM:
Warning: Your password will expire in 41 days on Sat 05 Oct 2019 04:12:28
PM UTC
~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@AD.RICOSHARP.COM

Valid starting Expires Service principal

08/24/2019 16:42:07 08/25/2019 02:42:07
krbtgt/AD.RICOSHARP.COM@AD.RICOSHARP.COM
renew until 08/25/2019 16:42:04

Configure samba AD to start with systemdPermalink

Now that this is running, kill samba again so we can begin the process using systemd

~]$ sudo ps -aux | grep samba

root 1134 0.0 2.1 542992 44676 ? Ss 16:34 0:00 samba
root 1135 0.0 1.2 542992 25568 ? S 16:34 0:00 samba
root 1136 0.0 1.8 547144 37744 ? S 16:34 0:00 samba
root 1137 0.0 1.1 542996 22948 ? S 16:34 0:00 samba
root 1138 0.0 1.4 542992 28740 ? S 16:34 0:00 samba
root 1140 0.0 1.2 542992 25104 ? S 16:34 0:00 samba
root 1141 0.5 1.5 542992 32564 ? S 16:34 0:01 samba
root 1142 0.0 1.2 542992 25708 ? S 16:34 0:00 samba
root 1143 0.0 1.4 542992 29244 ? S 16:34 0:00 samba
root 1144 0.0 1.4 542992 28820 ? S 16:34 0:00 samba
root 1145 0.0 1.2 542992 25568 ? S 16:34 0:00 samba
root 1146 0.0 1.2 542992 25044 ? S 16:34 0:00 samba
root 1147 0.0 1.8 542992 38052 ? S 16:34 0:00 samba
root 1148 0.0 1.3 542992 27584 ? S 16:34 0:00 samba
root 1149 0.0 1.5 543412 31340 ? S 16:34 0:00 samba
root 1150 0.0 1.1 542996 22948 ? S 16:34 0:00 samba
rico 1198 0.0 0.0 13136 1004 pts/0 S+ 16:38 0:00 grep
--color=auto samba

~]$ sudo kill 1134

~]$ sudo ps -aux | grep samba
rico 1203 0.0 0.0 13136 1152 pts/0 S+ 16:38 0:00 grep
--color=auto samba

Mask the smbd, nmbd, winbind services and unmask the samba-ad-dc service

~]$ sudo systemctl mask smbd nmbd winbind

~]$ sudo systemctl disable smbd nmbd winbind
~]$ sudo systemctl stop smbd nmbd winbind
~]$ sudo systemctl unmask samba-ad-dc
~]$ sudo systemctl start samba-ad-dc
~]$ sudo systemctl enable samba-ad-dc

Reboot and test

~]$ sudo reboot
~]$ sudo systemctl status samba-ad-dc

Join a computer to the domainPermalink

To join the domain on a Windows 10 computer, do the following:

Note: Make sure that your DNS is pointing to dc1 (192.168.122.70)

1. Go to Start > Settings

2. Click Accounts
3. Access Work or School
4. Click Connect
5. Click Join this device to a local Active Directory domain
6. Type ad.ricosharp.com and enter the Administrator username/password for the domain
7. Select Skip to Add an account
8. Select Restart Now

An alternative way, and the way that I’m most used to is this:

1. Open the File Explorer

2. Right click This PC > Properties
3. Select Change settings under the Computer name, domain, and workgroup settings
section
4. Click the Change button
5. Select Domain and enter ad.ricosharp.com
6. Click ok, enter an Administrator username/password for the domain and reboot

Create a user accountPermalink

There are two ways you can manage user accounts. Firstly, you can use samba-tool. For
example, to create a new user called user1, issue the following command:

~]$ sudo samba-tool user create user1