SAMBA As AD DC


Hi folks: Is SAMBA on CentOS 7 able to work as an Active Directory Domain Controller? If it’s not, what is the recommended way of doing it? Compiling from sources? Installing packages from SerNet?

Thanks in advance!

23 thoughts on - SAMBA As AD DC

  • Hmmmm, perhaps I didn’t explain myself well enough.

    I already know that Samba is “capable of working as a AD domain controller and more”.

    I’m asking about the official packages of CentOS, I mean from the official repos.

    Thanks in advance

    2014-09-06 18:01 GMT-03:00 Aly Khimji :

  • It would appear the samba4 DC isn’t available for C7 just yet.

    “As Fedora and RHEL are using MIT Kerberos implementation as its Kerberos infrastructure of choice, the Samba Active Directory Domain Controller implementation is not available with MIT Kerberos at the moment.”

    Ref:
    http://community.spiceworks.com/topic/535153-CentOS-7-samba-domain-controller

    HTH

    Aly

  • Aly Khimji wrote:

    IMO there are a _lot_ of Fedora/RHEL/CentOS users (including me) who do not use FreeIPA or other Kerberos-based stuff, but want to use Samba4 with AD enabled. For them it is not important whether they use the MIT or the Heimdal Kerberos implementation. Then the logical question: are (unofficial) Samba4 RPM packages with Heimdal Kerberos available somewhere for these distributions?

    I’m rather skeptical about MIT Kerberos being implemented in Samba4 in the near future, because this work has been going on for many years and still without success (maybe without any clear roadmap for it either).

    Franta Hanzlik

  • James Hogarth wrote:

    Hi James, thanks for the reply. It seems that SerNet’s site has packages for RHEL6/CentOS6 only, not for RHEL7/CentOS7 or any Fedora versions, at least this.

    Regarding Samba4 with MIT in 4.2/4.3 – as far as I know, 4.2 is still not even in rc, thus the final release can perhaps be at the turn of the year. And when the time between releases is approx. 9 months, then we can wait around a year… I’ll keep my fingers crossed that it happens in 4.2.

    Franta Hanzlik

  • On 8 Sep 2014 17:00, “Frantisek Hanzlik” wrote …

    Indeed but fortunately EL6 has many years ahead of it yet.

    The rc is due Sep 15th last I heard.

    Andrew Bartlett has expressed an opinion on the samba technical list that he’d be in favour of a very short 4.2 cycle if it means getting these sort of updates out.

  • Frantisek Hanzlik wrote:
    I am trying to build some – as I want them, too.

    See http://rghost.net/57999078 for a compressed tarball with the mock result (i.e. srpm, rpm and build logs).

    The package is working, but there is one problem I need help to fix:

    Starting samba by “systemctl start samba.service” or “service start samba” seems to start samba, but if you try to join a domain from a Windows client, it will fail, reporting that the rpc server is not available.

    If you start samba by running “/usr/sbin/samba” from a console where root is logged in, samba is working as expected: Windows clients can join the domain.

    Any idea how to fix that issue?

    Thanks + Greetings from Germany

    Markus Steinborn

  • Would this be due to not starting the nmb service? Samba provides two services, smb AND nmb; you want to ensure both are running. HTH

  • Hi Rob,

    Rob Kampen wrote:
    Well, for AD DC mode, starting smbd and/or nmbd issues an error saying you would have to start “samba” instead – in this mode smbd and nmbd are not supposed to be started directly.

    And “ps xa” shows identical process lists for the working variant started by “/usr/sbin/samba” and for the non-working variant “/service samba start”.

    But I also had an idea what to check: Turning selinux off did fix the samba started by systemd. So it is a selinux issue.

    Greetings

    Markus Steinborn

  • There’s no ‘need’ to be on C7 right now …

    If your requirement is “runs sernet samba for AD services” then C7 does not meet that requirement at this time …

    C6 is supported till 2020 … there’s no hurry here.

  • As someone said before, you don’t need to use “the latest and greatest” to run a functional service… On a production environment that is even often undesirable until things settle down…

    Anyway, Sernet also provides a source rpm. Why not build up from that base?

  • +1 However, the init scripts from the built RPMs may not be compatible with C7 (systemd). I believe the OP is having problems with starting the daemons not building the Samba4.

    The Sernet Samba4 packages work like a champ on C6.5.

    — Arun Khan

  • Hi Miguel,

    Miguel Medalha wrote:
    CentOS 7 is using systemd – that would cause problems.

    And anyway, I’ve used the samba package from CentOS-7 as a base. This way, incompatibilities with base samba4 are minimized (same paths etc.).

    I’ve already written in this thread: it has turned out that selinux is the problem – turning off selinux helps. But that is not really what you want to do… And since the problem is selinux, I am not sure if Sernet’s source would have changed anything.

    Anyway, I do not think that my package is broken anymore since selinux configuration is a different thing.

    Greetings

    Markus

  • Hi Daniel,

    Daniel J Walsh wrote:
    Policy has been “enforcing” – and I see the following AVCs at the end of my audit log – but those repeated several times:

    type=AVC msg=audit(1410628837.928:422): avc: denied { connectto } for pid#30 comm="smbd" path="/run/samba/winbindd/pipe" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
    type=AVC msg=audit(1410628852.301:430): avc: denied { connectto } for pid#92 comm="smbd" path="/run/samba/ncalrpc/np/netlogon" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

    Greetings

    Markus

  • This looks like you have something running as init_t that is listening on “/run/samba/winbindd/pipe”

    ps -eZ | grep init_t
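
The triage that the reply above points at, as an added example (not code from any poster in this thread): a Python script that groups AVC denials by source type, target type and class, and lists the sockets whose listener is still running in init_t. The sample log is constructed from the two denials quoted in the thread (pids, timestamps and the last two lines are made up), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: same paths and contexts as the denials quoted above;
# timestamps, pids and the last two lines are made up for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1000000001.100:10): avc:  denied  { connectto } for  pid=1111 comm="smbd" path="/run/samba/winbindd/pipe" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1000000002.200:11): avc:  denied  { connectto } for  pid=1112 comm="smbd" path="/run/samba/ncalrpc/np/netlogon" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1000000003.300:12): avc:  denied  { connectto } for  pid=1111 comm="smbd" path="/run/samba/winbindd/pipe" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1000000004.400:13): avc:  denied  { read } for  pid=1113 comm="smbd" name="example.conf" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1000000004.400:13): arch=c000003e syscall=2 success=no
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def selinux_type(context):
    """user:role:type:level -> type (the part that policy rules are written on)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Map (source type, target type, class) -> set of denied objects, deduplicated."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "scontext" not in rec or "tcontext" not in rec:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec.get("tclass", ""))
        groups[key].add(rec.get("path") or rec.get("name") or "?")
    return dict(groups)

def sockets_with_init_t_listener(groups):
    """Sockets whose listening process is still in systemd's own domain (init_t),
    i.e. no domain transition happened for the daemon behind them."""
    return sorted(obj for (_, ttype, tclass), objs in groups.items()
                  if ttype == "init_t" and tclass == "unix_stream_socket" for obj in objs)

if __name__ == "__main__":
    for sock in sockets_with_init_t_listener(summarize(SAMPLE_LOG)):
        print("listener running as init_t:", sock)
```
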

  • On Fri, 11/09/2015 at 14.25 +0200, Oscar Osta Pueyo wrote:

    Ok, thanks for reply.

    I read from last message of discussion:

    This means that there never will be a samba-ad for redhat/CentOS.

    Then, if I understand the reply, with CentOS7 + Samba 4 in old NT4-DC mode + Kerberos + FreeIPA (I do not know what FreeIPA is) it’s possible to set up a Linux PDC working with all versions of Windows clients, without changing the registry in win7/8 to join the domain?

    I’m not a guru of Linux, can someone point me to the right way?

    Many thanks Dario

  • I have been building a Samba4 AD on CentOS7 (actually C7-armv7 beta) using the sernet rpms.

    https://portal.enterprisesamba.com/

    Though we had to build an armv7 distro from sernet sources:

    http://repo.shivaserv.fr/CentOS/7/

    This is Samba 4.2. It includes their Kerberos, ldap, and internal DNS. You MUST use their Kerberos and strongly recommend their ldap. I am using the Bind 9.9 that comes with C7; not too hard to integrate. I am also using the C7 dhcpd.

    WRT Samba 4.3 and MIT Kerberos. Samba 4.3 has shipped. But MIT Kerberos support did not make it into the initial release. Sernet has not released a 4.3 ver to date.

    There is pretty good help on the Samba list:

    https://lists.samba.org/mailman/options/samba

    The wiki is quite good. Particularly as I have been asking lots of newbie questions and Marc has been busy incorporating the obvious answers into the wiki :)

    https://wiki.samba.org/index.php/User_Documentation