NethServer Samba Domain Controller (obsolete)

This document is obsolete. The nethserver-dc package performs the configuration steps below automatically from the server-manager UI.

The nethserver-dc package runs a systemd-nspawn container with a vanilla Samba 4.3.4 inside it. It downloads, installs, configures and runs the nsdc “machine”, and it configures and provisions an Active Directory domain controller based on Samba 4.3.4.

Random notes

Install nethserver-dc on a clean NethServer 7 alpha2

yum install --enablerepo=nethserver-testing nethserver-dc nethserver-base nethserver-sssd 

Configure a green bridge, say br0.

When started, the nsdc container is bound to that bridge. Other networking settings are available from the nsdc configuration key.

# config show nsdc
nsdc=service
    IpAddress=192.168.122.55
    IpMask=255.255.255.0
    status=disabled

# config show DomainName
DomainName=dpnet.nethesis.it

In my configuration the default value for Domain is DPNET and the Realm is dpnet.nethesis.it. The default Domain and Realm should be good for most cases. Now I assign an IP address to the nsdc container and start it:

config setprop nsdc status enabled IpAddress 192.168.122.55 IpMask 255.255.255.0
config setprop sssd Provider ad
signal-event nethserver-dc-save

The event expands the container network configuration and spawns a samba-tool domain provision process. Parameters are read from /var/lib/machines/nsdc/etc/sysconfig/samba-provision. The default password for the domain controller administrator account is Nethesis,1234.

After a few minutes the domain controller becomes responsive:

    host -t SRV _ldap._tcp.`config get DomainName` 
_ldap._tcp.dpnet.nethesis.it has SRV record 0 100 389 nsdc-vm8.dpnet.nethesis.it.

Here nsdc-vm8.dpnet.nethesis.it is the container host name. It is derived from the machine host name by adding the nsdc- prefix.

The nethserver-dc package also configures the dnsmasq service to forward DNS requests for the AD realm to the nsdc container.

journalctl -M nsdc

Add -f to follow the journal.

To join the Active Directory domain, install realmd:

> /etc/sssd/sssd.conf
realm join `config get DomainName`
expand-template /etc/sssd/sssd.conf

Provide the DC administrator's password:

Nethesis,1234

If everything goes well:

     getent passwd administrator@`config get DomainName`
administrator@dpnet.nethesis.it:*:261600500:261600513:Administrator:/home/administrator@dpnet.nethesis.it:/bin/bash   

Realmd writes a lot of information to the system journal; see the journalctl command.
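As an added example (not part of the original notes), the script below checks the two results shown above without touching a live system: it parses constructed copies of the host -t SRV and getent passwd output from this page, verifies that the LDAP SRV record points at the nsdc-<hostname> container on port 389, and verifies that the domain account resolves with a uid outside the local system range. The short host name vm8 and the 1000 uid threshold are assumptions.

```shell
#!/bin/sh
# Post-provision checks for the nsdc domain controller (added example).

# Expected container FQDN: machine short host name with the nsdc- prefix,
# qualified with the AD realm (config get DomainName). vm8 is assumed.
expected_dc_fqdn() {
    printf 'nsdc-%s.%s\n' "${1%%.*}" "$2"
}

# Parse one 'host -t SRV _ldap._tcp.<realm>' line and print "<port> <target>".
# Line format: <name> has SRV record <priority> <weight> <port> <target>.
parse_ldap_srv() {
    case "$1" in
        *" has SRV record "*) ;;
        *) return 1 ;;
    esac
    set -- ${1#* has SRV record }
    printf '%s %s\n' "$3" "${4%.}"
}

# True when the SRV record points at the expected container on LDAP port 389.
# Arguments: <srv line> <machine short host name> <realm>
srv_points_to_dc() {
    _want=$(expected_dc_fqdn "$2" "$3") || return 1
    _srv=$(parse_ldap_srv "$1") || return 1
    set -- $_srv
    [ "$1" = 389 ] && [ "$2" = "$_want" ]
}

# Check a 'getent passwd user@realm' line resolved through sssd: the expected
# account name, a numeric uid outside the local range (a domain account must
# never map onto root or a local service account; 1000 is an assumed bound),
# and the /home/user@realm home directory seen on the page.
passwd_entry_ok() {
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    [ "$name" = "$2" ] || return 1
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    [ "$uid" -ge 1000 ] && [ "$home" = "/home/$2" ]
}

# Constructed sample output, copied from the page's example session.
SRV_LINE='_ldap._tcp.dpnet.nethesis.it has SRV record 0 100 389 nsdc-vm8.dpnet.nethesis.it.'
PASSWD_LINE='administrator@dpnet.nethesis.it:*:261600500:261600513:Administrator:/home/administrator@dpnet.nethesis.it:/bin/bash'

srv_points_to_dc "$SRV_LINE" vm8 dpnet.nethesis.it && echo "SRV record ok" || echo "SRV record BAD"
passwd_entry_ok "$PASSWD_LINE" administrator@dpnet.nethesis.it && echo "sssd lookup ok" || echo "sssd lookup BAD"
```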

Manipulate users with the net command:

yum --enablerepo=nethserver-testing install nethserver-samba
config setprop smb ServerRole ADS
expand-template /etc/samba/smb.conf

net ads info
net ads user add giacomo -U Administrator%Nethesis,1234
net ads password giacomo -U Administrator%Nethesis,1234

Enable the user:

systemd-run -M nsdc -t /bin/bash
samba-tool user enable giacomo

Install the latest nethserver-dc package

yum update nethserver-dc

Stop the nsdc container

systemctl stop nsdc

Install RPM updates

yum -y --installroot=/var/lib/machines/nsdc update /usr/lib/nethserver-dc/ns-samba-*.ns7.x86_64.rpm

Start the container

systemctl start nsdc