We use Windows Server 2012/2016/2019 in our environment.
Some of those servers are NOT in Active Directory.
We would like to include them into AD
and install a Linux server playing the role of AD domain controller.
By using IPFire, we try to combine AD domain controller, firewall and VPN server into one server.
IPFire version: 2.27
CPU arch: x86_64
SAMBA
Name: samba
ProgVersion: 4.15.5
Release: 83
Manual: https://wiki.ipfire.org/addons/samba/config/pdc
I install IPFire into a VM having 2 network interfaces.
Network configuration type: GREEN + RED
Address settings
GREEN
IP address: 192.168.110.9
Network mask: 255.255.255.0
RED
Static
Hostname: ipfire
IP address: 10.14.16.9
Network mask: 255.255.255.0
Gateway: 10.14.16.1
DHCP server: Disabled
When I login to the web user interface at https://192.168.110.9:444/
and I go to menu IPFire -> Pakfire
and choose "samba" from "Available Addons"
then the package installs with its dependencies without any problem.
When I check status of SAMBA via menu IPFire -> Samba
then I see the services are running.
When I try to configure SAMBA as PDC by following the manual
and I go to "Security Options -> Security"
then the available options are
- Standalone
- Domain Member
The manual shows a completely different screenshot.
This is the problem.
There is no "Security: User".
Okay, had a search through the IPFire blog and found that in Core Update 152 (July 2020) Samba was updated from Samba 3 to Samba 4 and at the same time some aspects of Samba were removed due to lack of use. Using Samba on IPFire as a Primary Domain Controller for Windows NT domains was one of them.
Samba is a very powerful and versatile beast, and to the best of my knowledge, nobody in the core developer team really uses it (though we do have some users running Samba against their AD), so it was a bit difficult to keep track on all the functionality it provided over time.
Generally, domain controllers are so sensitive that they should not run as an additional service on a firewall, since that greatly increases the attack surface. Please consider running the domain controller on a dedicated machine, and have robust firewall and IPS configurations in place.
Sorry to disappoint, and best regards,
Peter Müller
So you can still have a samba share defined to hold the pxe boot files that are required and you can install a tftpd server to support the booting via pxe. The wiki page describes an example with Suse using an nfs server share. You would need to change this to using a samba share. https://wiki.ipfire.org/addons/tftpd
More details than are in the samba or tftpd wiki pages I can’t help with as I don’t use either of those addons myself.
Yes, I agree with Peter.
Not a good idea and you won't necessarily have all the right bits to do it anyhow.
The active directory function will require Kerberos libs which may not be present.
If you are to build a server best to go with a Debian distribution as this will make the setup a lot easier.
Redhat versions will not include all that is necessary in their packages and you will have to build the samba packages by hand. Not for the faint hearted.
In order to align your SIDs/UIDs you will need to pay close attention to the idmaps.
Something like:-
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
idmap config SAMDOM:unix_nss_info = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
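The comments in the fragment above state the rule that the default (*) idmap range must not overlap any domain range. As an added example (not from this thread and not Samba's own tooling), here is a small checker that parses the `idmap config` lines of an smb.conf and reports missing or overlapping ranges; the sample configs are constructed from the lines quoted above.

```python
import re
from typing import Dict, List, Tuple
# Matches "idmap config <DOMAIN> : <option> = <value>"; Samba accepts spaces around ':'.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(?P<domain>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$", re.I)

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every idmap config line (comments never match)."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["domain"].upper(), {})[m["key"].lower()] = m["value"]
    return domains

def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' and reject inverted ranges."""
    low, high = (int(x) for x in text.split("-", 1))
    if low > high:
        raise ValueError(f"inverted range {text}")
    return low, high

def check_idmap(conf: str) -> List[str]:
    """Return problems found; an empty list means the idmap ranges are consistent."""
    domains, problems, ranges = parse_idmap(conf), [], []
    default = domains.get("*", {})
    if "backend" not in default or "range" not in default:
        problems.append("default '*' domain needs both a backend and a range")
    for name, opts in domains.items():
        try:
            ranges.append((name, *parse_range(opts["range"])))
        except (KeyError, ValueError) as exc:
            problems.append(f"{name}: missing or bad range ({exc})")
    ranges.sort(key=lambda r: r[1])  # sorted by low end, an overlap shows up between neighbours
    for (a, a_lo, a_hi), (b, b_lo, b_hi) in zip(ranges, ranges[1:]):
        if b_lo <= a_hi:
            problems.append(f"ranges overlap: {a} {a_lo}-{a_hi} and {b} {b_lo}-{b_hi}")
    return problems

# Constructed samples: the idmap lines quoted above, and a variant whose '*' range runs into SAMDOM's.
GOOD_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
"""
BAD_CONF = GOOD_CONF.replace("3000-7999", "3000-12000")
if __name__ == "__main__":
    print({label: check_idmap(c) or "OK" for label, c in (("good", GOOD_CONF), ("bad", BAD_CONF))})
```

Run it against a real smb.conf by passing the file's contents to `check_idmap`; the `*` range 3000-7999 and SAMDOM range 10000-999999 from the post pass, while the widened 3000-12000 default range is flagged.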