Have you ever wanted to set up a Samba4-based Read-Only DC in a remote location? Here’s how.
Apply preparations from the Linux Domain join howto (but don’t actually join the domain just yet).
Make sure your firewall allows all traffic between your shiny new Read-Only DC and the primary DCs. (AD uses a whole bunch’a ports and I couldn’t be bothered to figure out which ones are actually necessary.)
Open “Active Directory Sites and Services” on a Windows machine and create a site for your Read-Only DC. (Or use the default one. Doesn’t matter, you just need to know its name in the next step.)
Install some stuff:
apt-get install samba winbind krb5-user ldapscripts \ libsasl2-modules-gssapi-mit dnsutils systemctl stop smbd nmbd winbind systemd-resolved systemctl disable smbd nmbd winbind systemd-resolved systemctl mask smbd nmbd winbind rm /etc/samba/smb.conf
Now we join the domain:
samba-tool domain join local.lan RODC \ -U"LOCALLAN\Administrator" \ --dns-backend=SAMBA_INTERNAL \ --site=Moon \ [--server=primary-dc.local.lan]
--serverparameter is optional, but can be helpful if it doesn’t work when samba picks the wrong one for some reason.
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf systemctl unmask samba-ad-dc systemctl enable samba-ad-dc systemctl start samba-ad-dc
Now your Read-Only DC should be able to serve DNS requests already, which you can check using
dig @127.0.0.1 something.local.lan.
To see if LDAP works, let’s get a Kerberos ticket and query something:
# kinit Svedrin Password for Svedrin@local.lan: # /usr/bin/ldapsearch -H ldap://read-only-dc.local.lan:3268 -D 'CN=Svedrin,OU=Users,DC=LOCAL,DC=LAN' -b 'dc=local,dc=lan' -Y GSSAPI sAMAccountName=Svedrin SASL/GSSAPI authentication started SASL username: Svedrin@LOCAL.LAN SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <dc=local,dc=lan> with scope subtree # filter: sAMAccountName=Svedrin # requesting: ALL # # svedrin, Users, local.lan dn: CN=svedrin,CN=Users,DC=local,DC=lan objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: svedrin instanceType: 4 etc.
If you want to be able to resolve external DNS domains using your RODC as a DNS server, add these two lines to
/etc/samba/smb.conf in the
recursive queries = yes dns forwarder = 126.96.36.199
If you want to use Bind as the DNS backend, here’s how.