Samba4 Read-Only DC howto

Have you ever wanted to set up a Samba4-based Read-Only DC in a remote location? Here’s how.

  • Apply preparations from the Linux Domain join howto (but don’t actually join the domain just yet).

  • Make sure your firewall allows all traffic between your shiny new Read-Only DC and the primary DCs. (AD uses a whole bunch’a ports and I couldn’t be bothered to figure out which ones are actually necessary.)

  • Open “Active Directory Sites and Services” on a Windows machine and create a site for your Read-Only DC. (Or use the default one. Doesn’t matter, you just need to know its name in the next step.)

  • Install some stuff:

      apt-get install samba winbind krb5-user ldapscripts \
                      libsasl2-modules-gssapi-mit dnsutils
    
      systemctl stop    smbd nmbd winbind systemd-resolved
      systemctl disable smbd nmbd winbind systemd-resolved
      systemctl mask    smbd nmbd winbind
    
      rm /etc/samba/smb.conf

    Now we join the domain:

      samba-tool domain join local.lan RODC \
          -U"LOCALLAN\Administrator"        \
          --dns-backend=SAMBA_INTERNAL      \
          --site=Moon                       \
          [--server=primary-dc.local.lan]

    The --server parameter is optional, but it lets you pin the join to a specific DC when the join fails because Samba has picked an unsuitable one.

      ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
    
      systemctl unmask samba-ad-dc
      systemctl enable samba-ad-dc
      systemctl start  samba-ad-dc

  • Now your Read-Only DC should be able to serve DNS requests already, which you can check using dig @127.0.0.1 something.local.lan.

  • To see if LDAP works, let’s get a Kerberos ticket and query something:

      # kinit Svedrin
      Password for Svedrin@local.lan:
      # /usr/bin/ldapsearch -H ldap://read-only-dc.local.lan:3268  -D 'CN=Svedrin,OU=Users,DC=LOCAL,DC=LAN' -b 'dc=local,dc=lan' -Y GSSAPI sAMAccountName=Svedrin
      SASL/GSSAPI authentication started
      SASL username: Svedrin@LOCAL.LAN
      SASL SSF: 56
      SASL data security layer installed.
      # extended LDIF
      #
      # LDAPv3
      # base <dc=local,dc=lan> with scope subtree
      # filter: sAMAccountName=Svedrin
      # requesting: ALL
      #
    
      # svedrin, Users, local.lan
      dn: CN=svedrin,CN=Users,DC=local,DC=lan
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: user
      cn: svedrin
      instanceType: 4
      etc.

Hooray!
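The two manual checks above (DNS answers, a GSSAPI-bound LDAP query) can be scripted, and a replication check belongs next to them: an RODC whose inbound links are failing keeps answering with stale data. The script below is an added example, not code from the original post or from the Samba project. It assumes the names used in this howto (domain local.lan, RODC read-only-dc.local.lan, site Moon), that dig, ldapsearch and samba-tool are installed on the RODC, that you ran kinit before the live checks, and the output formats of those tools as shown in the comments; the parsing functions can be exercised offline, the live commands only run with RODC_CHECK_LIVE=1.

```shell
#!/bin/sh
# Added example, not part of the original post: a health check for the freshly
# joined Read-Only DC. It scripts what the howto verifies by hand (DNS answers and
# a GSSAPI-bound LDAP query) and adds a replication check via samba-tool drs showrepl.
# Assumptions (adjust to your environment): domain local.lan, RODC host
# read-only-dc.local.lan, AD site Moon, dig / ldapsearch / samba-tool installed on
# the RODC, and a valid Kerberos ticket (kinit) before running the live checks.

DOMAIN="${DOMAIN:-local.lan}"
RODC="${RODC:-read-only-dc.local.lan}"
SITE="${SITE:-Moon}"
MIN_SSF="${MIN_SSF:-56}"   # 56 is the SSF the session in the howto negotiated

# base_dn DOMAIN: turn a DNS domain into its LDAP base DN (local.lan -> dc=local,dc=lan)
base_dn() {
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# dns_has_answer OUTPUT: true if `dig +short` output contains at least one record
# (dig's ";;" status lines are not records)
dns_has_answer() {
    printf '%s\n' "$1" | grep -v '^;' | grep -q '[^[:space:]]'
}

# ldap_sealed_bind OUTPUT MIN_SSF: true only if SASL/GSSAPI installed a security
# layer with SSF >= MIN_SSF and at least one entry (a "dn:" line) came back.
# A bind that succeeds without a security layer means LDAP traffic is in the clear.
ldap_sealed_bind() {
    ssf=$(printf '%s\n' "$1" | sed -n 's/^SASL SSF: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$ssf" ] && [ "$ssf" -ge "$2" ] && printf '%s\n' "$1" | grep -q '^dn: '
}

# repl_failures OUTPUT: number of replication links in `samba-tool drs showrepl`
# output whose "N consecutive failure(s)." counter is non-zero.
repl_failures() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*\([0-9][0-9]*\) consecutive failure(s)\..*/\1/p' \
        | awk '$1 > 0 { n++ } END { print n + 0 }'
}

# run_live_checks: execute the real commands on the RODC; returns 1 if any check fails
run_live_checks() {
    rc=0
    base=$(base_dn "$DOMAIN")

    # The RODC must have registered its site-specific LDAP SRV record in AD DNS.
    srv=$(dig +short @127.0.0.1 SRV "_ldap._tcp.${SITE}._sites.dc._msdcs.${DOMAIN}")
    if dns_has_answer "$srv"; then
        echo "PASS dns: SRV record for site ${SITE}: ${srv}"
    else
        echo "FAIL dns: no LDAP SRV record for site ${SITE}"; rc=1
    fi

    # ldapsearch prints the SASL negotiation on stderr, hence 2>&1.
    ldap=$(ldapsearch -H "ldap://${RODC}:3268" -Y GSSAPI -b "$base" -s base '(objectClass=*)' dn 2>&1)
    if ldap_sealed_bind "$ldap" "$MIN_SSF"; then
        echo "PASS ldap: GSSAPI bind with security layer, base entry returned"
    else
        echo "FAIL ldap: no sealed GSSAPI bind or no entry returned"; rc=1
    fi

    # An RODC with failing inbound links keeps serving stale data silently.
    repl=$(samba-tool drs showrepl 2>&1)
    n=$(repl_failures "$repl")
    if [ "$n" -eq 0 ]; then
        echo "PASS repl: no replication links with consecutive failures"
    else
        echo "FAIL repl: ${n} replication link(s) report consecutive failures"; rc=1
    fi
    return $rc
}

# Live checks only run on request, so the parsing functions can be tested offline.
if [ "${RODC_CHECK_LIVE:-0}" = "1" ]; then
    run_live_checks
fi
```

Run it on the RODC as RODC_CHECK_LIVE=1 sh rodc-check.sh after a kinit; a non-zero exit code makes it usable from cron or a monitoring agent. The LDAP check deliberately fails when a bind works but no security layer was negotiated, which is the case you want to catch on a DC reachable over a WAN link.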

Update:

If you want to be able to resolve external DNS domains using your RODC as a DNS server, add these two lines to the [global] section of /etc/samba/smb.conf:

      recursive queries = yes
      dns forwarder = 8.8.8.8

Update:

If you want to use Bind as the DNS backend, here’s how.