mmck
Aspirant
Jun 24, 2014

Install samba4 on readynasos6 for ad domain controller

Hi

After a unique "opportunity" (ie. multiple disk failure), I upgraded my Ultra 4 to ReadyNAS OS 6 and have built an AD domain controller on it. Instructions follow below to get the software installed. If they're useful for anyone let me know - I plan on making a few other "modifications" to my device which may or may not include:
- setting up an 802.1x authenticator (backend would be samba/AD)
- authenticating proxy (probably squid)
- I might install some kind of log viewer as well - logstash / elasticsearch or splunk free
- And if i'm feeling very excited I might set up the second interface as an IDS listener (eg. BroIDS / Suricata)

Caveats:
- You will definitely make SMB unmanageable from the ReadyOS console.
- You need to watch disk usage once you install the log packages. Use a reasonable logrotate configuration
- User management for your domain will need to be done with samba-tool or ADUC. The ReadyNASOS console manages local users/groups only.
- You are very unlikely to be able to do upgrades normally. I haven't tried doing an upgrade.
- This doesn't configure local authentication (ie. sshd or the readynasos console). I'm not even entirely sure if the console can be configured to use a local AD domain - I haven't looked into it. sshd can be by configuring PAM appropriately; follow the instructions on wiki.samba.org.

DNS
Edit /lib/systemd/system/connman.service and append --nodnsproxy to the ExecStart line
You need to do this so the samba DNS daemon will start.

Install packages from Wheezy:
apt-get install rsyslog logrotate dialog apt-utils krb5-user python sudo

Don’t worry about configuring krb5-user at this stage. You do this as part of the samba config.

Configure Apt
Add to /etc/apt/sources.conf:
deb http://<your-backports-mirror>/debian wheezy-backports main


Pin the samba backports packages by running this as root:
cat <<EOF >/etc/apt/preferences.d/samba-backports
Package: samba* smbclient libsmbclient python-samba libwbclient0
Pin: origin <your-backports-mirror>
Pin-Priority: 1000
EOF


Remove old packages and install new ones:
apt-get remove libdcerpc0 libgensec0 libndr-standard0 libndr0 libsamba-credentials0 libsamba-hostconfig0 libsamba-util0 libsamdb0 libsmbclient-raw0
apt-get install samba samba-common samba-common-bin python-samba samba-dsdb-modules samba-libs smbclient libsmbclient libwbclient0 samba-vfs-modules


Restart connmand:
/etc/init.d/connman restart


Done!
At this point you should be able to create an AD Domain using the procedure at wiki.samba.org.
My domain works reasonably well at this stage. Many components need to be managed from the host rather than using the AD tools - ADUC and DNS being the exception.

If you're unhappy with the outcome, you should be able to unwind the changes above by performing them in reverse.

Happy to answer questions.
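Because the steps above are all manual edits, it helps to confirm they actually took before provisioning the domain. The script below is an added example (not from the post): each check works on file contents so it can be run against samples, and run_checks() reads the real files; the paths and the mirror hostname are the ones named above and are passed in by the caller.

```python
"""Offline sanity checks for the prep steps above (added example, not from the post)."""
import re

def connman_has_nodnsproxy(unit_text):
    """True if the ExecStart= line carries --nodnsproxy, which keeps connmand
    off port 53 so Samba's DNS can bind. A literal em dash (as a web page
    renders '--') does not count, which is a common copy/paste failure."""
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            return "--nodnsproxy" in line.split()
    return False

def backports_pin_ok(prefs_text, mirror):
    """True if some stanza pins the samba packages from `mirror` at priority
    >= 1000, so the wheezy-backports builds beat the stock wheezy ones."""
    for stanza in re.split(r"\n\s*\n", prefs_text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if (fields.get("Package", "").startswith("samba")
                and fields.get("Pin") == "origin " + mirror
                and int(fields.get("Pin-Priority", "0")) >= 1000):
            return True
    return False

def backports_source_present(sources_text):
    """True if an uncommented 'deb ... wheezy-backports main' line exists."""
    for line in sources_text.splitlines():
        parts = line.split()
        if (len(parts) >= 4 and parts[0] == "deb"
                and parts[2] == "wheezy-backports" and "main" in parts[3:]):
            return True
    return False

def run_checks(unit_path, prefs_path, sources_path, mirror):
    """Read the real files (paths supplied by the caller) and return the failed checks."""
    def read(path):
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    failed = []
    if not connman_has_nodnsproxy(read(unit_path)):
        failed.append("connman.service lacks --nodnsproxy")
    if not backports_pin_ok(read(prefs_path), mirror):
        failed.append("samba backports pin missing or too weak")
    if not backports_source_present(read(sources_path)):
        failed.append("wheezy-backports source not enabled")
    return failed
```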

1 Reply

  • A quick howto for getting your Samba domain working.

    Networking
    * You'll need to ensure your interface has a static address.
    * After you've installed the domain you need to repoint your local DNS resolver at the samba instance.
    * Your hosts file needs to be correct.

    Just configure the IP address from the readynas web console as part of the initial config.
    To update hosts file, open it in an editor eg. vi and add the hostname of the NAS after "localhost". In vi you can just do this: "1,$s/localhost/localhost <nasname>/"
    Resolver config we'll leave till after Samba is ready.

    Samba setup
    Mostly you can use the instructions on the Samba wiki but there are a few extra steps you're likely to want to perform if you want to do other things eg. proxy/website auth, etc.

    Make sure your old samba instance is stopped and remove the old config:
    /etc/init.d/samba stop
    rm /etc/samba/smb.conf


    Now run the samba-tool domain provisioning:

    samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --interactive


    You'll be asked for your realm; it's talking about the Kerberos realm, so it's like a domain name. If you own your own, then you can use that, but otherwise use something ending with .local so you don't have resolution issues. It needs to be uppercase.
    Leave "Domain", "Server role", "DNS backend" at defaults. Set DNS forwarder to whatever your external DNS resolver is.
    Next you'll get asked to set the admin password. Record it.


    Realm: <YOUR-DOMAIN>.LOCAL
    Domain [<YOUR-DOMAIN>]:
    Server Role (dc, member, standalone) [dc]:
    DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
    DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]:
    Administrator password:
    Retype password:


    Next update the host kerberos config:


    rm /etc/krb5.conf
    ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf


    Now we'll fix local DNS resolution. Normally you could just update resolv.conf, but since the ReadyNAS uses connman you'll need to configure that instead. Use connmanctl (as root), which gives you an interactive shell to configure it. The DNS domain you set here needs to be the same as the realm, but lowercase (or, if you went with a non-default option, use that).


    # connmanctl
    connmanctl> config --nameservers 127.0.0.1 --domains <your DNS domain name>
    connmanctl> quit
    #


    Now set up reverse DNS resolution and a reverse entry for your NAS. My network is 192.168/16 and the NAS is at 192.168.1.25; I'll just use that in the example. If you have something else then use that instead.

    samba-tool dns zonecreate <yournasname> 168.192.in-addr.arpa
    samba-tool dns add <yournasname> 168.192.in-addr.arpa 25.1 PTR yournas.yourdomain


    At that point you should definitely have no issue joining machines, running services on your domain, etc.
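The reverse-zone step above is written for one network. The helper below is an added example (not from the post) that generalises it to any /8, /16 or /24 and cross-checks the realm, DNS domain and NAS FQDN for the consistency the provisioning and connmanctl steps require; the names yournas / yourdomain.local in the demo are placeholders.

```python
"""Helpers for the post-provision DNS steps (added example, not from the post)."""
import ipaddress

def reverse_zone(ip, prefix_len):
    """Return (zone, record_name) for `ip` in a /8, /16 or /24 network, e.g.
    ("168.192.in-addr.arpa", "25.1") for 192.168.1.25 in 192.168/16. The
    zone is the network octets reversed, the record name the host octets
    reversed, which is what 'samba-tool dns add ... PTR' expects."""
    if prefix_len not in (8, 16, 24):
        raise ValueError("only octet-aligned prefixes are supported")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    n = prefix_len // 8
    zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa"
    name = ".".join(reversed(octets[n:]))
    return zone, name

def validate_names(realm, dns_domain, fqdn):
    """Return the problems with the names chosen at provisioning: the realm
    must be upper-case, the connman DNS domain must be the realm in
    lower-case, and the NAS's FQDN must sit inside that domain."""
    problems = []
    if realm != realm.upper():
        problems.append("realm must be upper-case")
    if dns_domain != realm.lower():
        problems.append("DNS domain must equal the realm in lower-case")
    if not fqdn.lower().endswith("." + dns_domain.lower()):
        problems.append("host FQDN is not inside the DNS domain")
    return problems

def ptr_commands(nas_name, ip, prefix_len, fqdn):
    """Build the two samba-tool invocations from the post for this host."""
    zone, name = reverse_zone(ip, prefix_len)
    return [
        f"samba-tool dns zonecreate {nas_name} {zone}",
        f"samba-tool dns add {nas_name} {zone} {name} PTR {fqdn}",
    ]

if __name__ == "__main__":
    # Placeholder names; the post's own addressing: 192.168/16, NAS at .1.25.
    for problem in validate_names("YOURDOMAIN.LOCAL", "yourdomain.local",
                                  "yournas.yourdomain.local"):
        print("WARNING:", problem)
    print("\n".join(ptr_commands("yournas", "192.168.1.25", 16,
                                 "yournas.yourdomain.local")))
```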
