Samba4 Read-Only DC howto

Have you ever wanted to set up a Samba4-based Read-Only DC in a remote location? Here's how.

  • Apply preparations from the Linux Domain join howto (but don't actually join the domain just yet).

  • Make sure your firewall allows all traffic between your shiny new Read-Only DC and the primary DCs. (AD uses a whole bunch'a ports and I couldn't be bothered to figure out which ones are actually necessary.)

  • Open "Active Directory Sites and Services" on a Windows machine and create a site for your Read-Only DC. (Or use the default one. Doesn't matter, you just need to know its name in the next step.)

  • Install some stuff:

    apt-get install samba winbind krb5-user ldapscripts \
                    libsasl2-modules-gssapi-mit dnsutils
    
    systemctl stop    smbd nmbd winbind systemd-resolved
    systemctl disable smbd nmbd winbind systemd-resolved
    systemctl mask    smbd nmbd winbind
    
    rm /etc/samba/smb.conf
    

    Now we join the domain:

    samba-tool domain join local.lan RODC \
        -U"LOCALLAN\Administrator"        \
        --dns-backend=SAMBA_INTERNAL      \
        --site=Moon                       \
        [--server=primary-dc.local.lan]
    

    The --server parameter is optional, but it helps when the join fails because samba picks a DC that it can't reach for some reason.

    ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
    
    systemctl unmask samba-ad-dc
    systemctl enable samba-ad-dc
    systemctl start  samba-ad-dc
    
  • Now your Read-Only DC should already be able to serve DNS requests, which you can check with dig @127.0.0.1 something.local.lan.

  • To see if LDAP works, let's get a Kerberos ticket and query something:

    # kinit Svedrin
    Password for Svedrin@local.lan:
    # /usr/bin/ldapsearch -H ldap://read-only-dc.local.lan:3268  -D 'CN=Svedrin,OU=Users,DC=LOCAL,DC=LAN' -b 'dc=local,dc=lan' -Y GSSAPI sAMAccountName=Svedrin
    SASL/GSSAPI authentication started
    SASL username: Svedrin@LOCAL.LAN
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base <dc=local,dc=lan> with scope subtree
    # filter: sAMAccountName=Svedrin
    # requesting: ALL
    #
    
    # svedrin, Users, local.lan
    dn: CN=svedrin,CN=Users,DC=local,DC=lan
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: svedrin
    instanceType: 4
    etc.
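
As an added example (not part of the original howto, and not Samba's own tooling), here is a small POSIX shell health check to run on the RODC once the steps above are done. It checks what the text verifies by hand, namely DNS via dig and a GSSAPI-protected ldapsearch, and additionally that the DC's own computer object carries the PARTIAL_SECRETS_ACCOUNT bit in userAccountControl, which is what distinguishes a read-only DC from a writable one. The hostname read-only-dc.local.lan and the base DN dc=local,dc=lan are the page's own values; the parsers are exercised against constructed sample outputs so the script runs offline, and `--live` runs the same checks against the real services (a Kerberos ticket from kinit is assumed).

```shell
#!/bin/sh
# Added example, not part of the original howto: post-join health checks for the RODC.
# Assumptions (taken from the howto's own values): RODC hostname read-only-dc.local.lan,
# base DN dc=local,dc=lan. The live checks expect dig, ldapsearch and a valid Kerberos
# ticket (kinit) on the RODC itself.

RODC_HOST="read-only-dc.local.lan"
BASE_DN="dc=local,dc=lan"

# PARTIAL_SECRETS_ACCOUNT (0x04000000) in userAccountControl marks a DC as read-only;
# an RODC's computer object carries it, a writable DC's does not.
PARTIAL_SECRETS_ACCOUNT=67108864

# dig_has_a_record TEXT: succeed if the dig output in TEXT contains at least one A record
# (comment lines starting with ';' are skipped).
dig_has_a_record() {
    printf '%s\n' "$1" | awk '$1 !~ /^;/ && $4 == "A" { found = 1 } END { exit found ? 0 : 1 }'
}

# ldap_sasl_secured TEXT: succeed if ldapsearch negotiated a GSSAPI security layer (SSF > 0),
# i.e. the query was integrity/confidentiality protected rather than sent in the clear.
ldap_sasl_secured() {
    ssf=$(printf '%s\n' "$1" | sed -n 's/^SASL SSF: \([0-9][0-9]*\)$/\1/p' | head -n 1)
    [ -n "$ssf" ] && [ "$ssf" -gt 0 ]
}

# is_rodc_account LDIF: succeed if the computer object in LDIF has the PARTIAL_SECRETS_ACCOUNT bit.
is_rodc_account() {
    uac=$(printf '%s\n' "$1" | sed -n 's/^userAccountControl: \([0-9][0-9]*\)$/\1/p' | head -n 1)
    [ -n "$uac" ] && [ $(( $uac & $PARTIAL_SECRETS_ACCOUNT )) -ne 0 ]
}

# Constructed sample outputs (not captured from a real system) so the parsers run offline.
SAMPLE_DIG_OK='; <<>> DiG <<>> @127.0.0.1 something.local.lan
;; ANSWER SECTION:
something.local.lan. 900 IN A 10.0.0.5'
SAMPLE_DIG_NX=';; AUTHORITY SECTION:
local.lan. 3600 IN SOA read-only-dc.local.lan. hostmaster.local.lan. 1 900 600 86400 3600'
SAMPLE_LDAP_SECURED='SASL/GSSAPI authentication started
SASL username: Svedrin@LOCAL.LAN
SASL SSF: 56
SASL data security layer installed.'
SAMPLE_LDAP_PLAIN='dn: CN=svedrin,CN=Users,DC=local,DC=lan'
SAMPLE_RODC_LDIF='dn: CN=READ-ONLY-DC,OU=Domain Controllers,DC=local,DC=lan
userAccountControl: 83890176'
SAMPLE_RWDC_LDIF='dn: CN=PRIMARY-DC,OU=Domain Controllers,DC=local,DC=lan
userAccountControl: 532480'

# self_check: run the parsers over the constructed samples; succeed only if all behave as expected.
self_check() {
    dig_has_a_record "$SAMPLE_DIG_OK"        || return 1
    dig_has_a_record "$SAMPLE_DIG_NX"        && return 1
    ldap_sasl_secured "$SAMPLE_LDAP_SECURED" || return 1
    ldap_sasl_secured "$SAMPLE_LDAP_PLAIN"   && return 1
    is_rodc_account "$SAMPLE_RODC_LDIF"      || return 1
    is_rodc_account "$SAMPLE_RWDC_LDIF"      && return 1
    return 0
}

# run_live_checks: the same checks against the running RODC (needs a Kerberos ticket).
run_live_checks() {
    dig_has_a_record "$(dig @127.0.0.1 "$RODC_HOST" 2>&1)" \
        || { echo "FAIL: DNS on 127.0.0.1 returned no A record for $RODC_HOST"; return 1; }
    # Look up the RODC's own computer object; SASL messages go to stderr, so capture both.
    ldap_out=$(ldapsearch -LLL -H "ldap://$RODC_HOST" -Y GSSAPI \
                          -b "OU=Domain Controllers,$BASE_DN" \
                          "(dNSHostName=$RODC_HOST)" userAccountControl 2>&1)
    ldap_sasl_secured "$ldap_out" \
        || { echo "FAIL: GSSAPI did not install a SASL security layer"; return 1; }
    is_rodc_account "$ldap_out" \
        || { echo "FAIL: $RODC_HOST lacks PARTIAL_SECRETS_ACCOUNT (not an RODC?)"; return 1; }
    echo "OK: DNS answers, LDAP is GSSAPI-protected, and the DC object is read-only"
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
else
    self_check && echo "self-check passed"
fi
```

Run it without arguments to exercise the parsers on the embedded samples, and with `--live` on the RODC after kinit to check the real services. Checking the PARTIAL_SECRETS_ACCOUNT bit is the part worth keeping around: if a join accidentally produced a writable DC, the DNS and LDAP checks alone would still pass.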
    

Hooray!