Joining Linux to Windows Domain and folder redirection to Samba server

Posted: June 12, 2015 in Linux

Today we will join a Linux machine (Fedora 21 Server) to a Windows domain, configure a shared folder on it and configure a folder redirection GPO that points at the Samba server.

I am using a KVM Linux host (Fedora Server 21), IP address 192.168.0.43.

KVM guest server1.example.com (CentOS 7, with DHCP and DNS services installed and configured), IP 192.168.122.200.

KVM guest localhost.example.com (Fedora Server 21), which will be our Samba server, IP 192.168.122.10.

Now I will install a KVM guest running Windows Server 2012, dc.example.com, IP address 192.168.122.100.

Installing the Windows Domain Controller VM:

virt-install --cdrom /disk/Win_2012_64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso --name "dc" --memory=4096 --file=/disk/dc.qcow2 --file-size=25 --vcpus=4 --os-type=windows

The command above, typed in a terminal on the host, creates a virtual machine named dc with 4 GB of RAM, 4 vCPUs and a 25 GB disk; the installation media is the ISO copied into the /disk folder.

After the installation has completed, we can configure Windows Server 2012.

First rename the computer and restart (I used PowerShell commands):

Rename-Computer -NewName dc -Restart

After the reboot, set the primary DNS suffix:

netdom computername dc /add:dc.example.com
netdom computername dc /makeprimary:dc.example.com

Reboot again.

Now we will set the IP address, default gateway and primary DNS server (I will point the DC at the Linux DNS server; the DNS role will not be installed on our Windows server):

New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.122.100 -PrefixLength 24 -DefaultGateway 192.168.122.1

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.122.200

Enable Remote Desktop and open its firewall rule group:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

On the Linux KVM host, open port 3389:

firewall-cmd --add-port=3389/tcp --permanent

firewall-cmd --reload

I want to reach the Windows server VM over Remote Desktop, so I need to redirect all requests received on the KVM host's port 3389 to the Windows server.

Strangely, the firewall-cmd --add-forward-port command simply didn't work; I couldn't get port forwarding working.

I saw on the internet that someone else complained about the same issue; it looks like a bug.

But the iptables commands work, at least until you set another rule or restart the computer, so save them with iptables-save > file_name

and after a reboot reload the rules with iptables-restore < file_name

iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.122.100:3389

iptables -I FORWARD -d 192.168.122.100 -p tcp --dport 3389 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

(The FORWARD rule matches the DC's address only; a /24 mask there would accept new connections to every guest on the bridge.)

I can now reach the Windows domain controller (192.168.122.100), hosted on 192.168.0.43, from my laptop (192.168.0.41):

(screenshot)
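A DNAT rule without a source match makes the guest's RDP reachable from anything that can reach 192.168.0.43, so the rule should at least be limited to the trusted client (firewalld's own forward-port additionally needs masquerading enabled on the zone to reach another host, which is one reason the firewall-cmd attempt above may have failed). The script below is an added example, not code from the original post: it generates the DNAT and FORWARD rules for one client and one guest, applies them through an overridable iptables command (IPT=echo prints them instead of applying them), and persists the live ruleset with iptables-save. The client address 192.168.0.41, the guest 192.168.122.100 and the rules file path /etc/sysconfig/iptables are assumptions taken from this lab.

```shell
#!/bin/bash
# Added example: DNAT RDP (tcp/3389) from the KVM host to a guest, limited to one
# trusted client, then persist with iptables-save.
# Assumptions (not from the post): client 192.168.0.41, guest 192.168.122.100,
# rules file /etc/sysconfig/iptables. Set IPT=echo for a dry run.
set -eu

RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables}

# Print, one per line, the iptables arguments that forward port $3 (default 3389)
# from client $1 to guest $2.
rdp_forward_rules() {
    client=$1; guest=$2; port=${3:-3389}
    # Rewrite the destination only for the trusted client; everyone else still hits the host.
    printf '%s\n' "-t nat -I PREROUTING -s $client -p tcp --dport $port -j DNAT --to-destination $guest:$port"
    # Let the rewritten flow through FORWARD. The match is the guest's host address, not its /24.
    printf '%s\n' "-I FORWARD -s $client -d $guest -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
}

# Apply the rules with $IPT (iptables by default) and make sure the kernel forwards.
apply_rdp_forward() {
    ipt=${IPT:-iptables}
    [ "$ipt" = iptables ] && sysctl -q -w net.ipv4.ip_forward=1
    rdp_forward_rules "$1" "$2" "${3:-3389}" | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $ipt $rule
    done
}

# Save the live ruleset so it survives a reboot (restore with iptables-restore < file).
persist_rules() {
    ipt=${IPT:-iptables}
    if [ "$ipt" = iptables ]; then
        iptables-save > "$RULES_FILE"
    else
        echo "iptables-save > $RULES_FILE"
    fi
}

# Usage: ./rdp-forward.sh 192.168.0.41 192.168.122.100
if [ "$#" -ge 2 ]; then
    apply_rdp_forward "$1" "$2" "${3:-3389}"
    persist_rules
fi
```

Run it once as root on the host; run it with IPT=echo first to review the exact rules it will insert. The return path from the guest is already accepted by the rules libvirt installs for the virbr0 network, so only the inbound direction is added here.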

Now we need to allow the Windows machine to write to the example.com zone on our Linux DNS server (server1.example.com).

I have already described how to install BIND and allow dynamic updates; the changes to /etc/named.conf for this setup (originally marked in bold: the acl, allow-query and allow-recursion, the key, and allow-update on the two zones) are:

acl "allowed" {
192.168.122.0/24;
localhost;
};

options {
listen-on port 53 { 192.168.122.200; 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { allowed; };
forwarders { 8.8.8.8; };

recursion yes;
allow-recursion { allowed; };

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

key dhcp_updater {
algorithm hmac-md5;
secret "kfc1r6C2VwHGnKMi/NHt6w==";
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "122.168.192.in-addr.arpa" IN {
type master;
file "/var/named/chroot/etc/named/reverse.example.com.db";
allow-update { key "dhcp_updater"; 192.168.122.100; };
};

zone "example.com" IN {
type master;
file "/var/named/chroot/etc/named/example.com.db";
allow-update { key "dhcp_updater"; 192.168.122.100; };
};

Now Server 2012 can update the zone. Two caveats: authorizing updates by source address (192.168.122.100) trusts whatever can send packets with that address, which is acceptable on an isolated lab bridge but not elsewhere; the robust option is update-policy with GSS-TSIG (tkey-gssapi-keytab), so the DC signs each update with Kerberos, and hmac-sha256 should be preferred over hmac-md5 for the DHCP key. Also, dnssec-lookaside and the ISC DLV key are obsolete (ISC retired the DLV registry in 2017) and should be dropped on current BIND releases.

Installing the AD DS role:

At a PowerShell prompt type:

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012R2" -DomainName "example.com" -DomainNetbiosName "EXAMPLE" -ForestMode "Win2012R2" -InstallDns:$false -LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false -SysvolPath "C:\Windows\SYSVOL" -Force:$true

(-InstallDns:$false because BIND hosts the zone; the cmdlet prompts for the Directory Services Restore Mode password.)

(screenshot)

During installation the DC writes a lot of records into the zone, as you can see in /var/log/messages:

(screenshot)

After the DC has restarted, check the example.com zone file (example.com.db):

$ORIGIN .
$TTL 10800	; 3 hours
example.com		IN SOA	server1.example.com. root.example.com. (
				2015052644 ; serial
				86400      ; refresh (1 day)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				10800      ; minimum (3 hours)
				)
			NS	server1.example.com.
$TTL 600	; 10 minutes
			A	192.168.122.100
$TTL 10800	; 3 hours
			MX	10 server1.example.com.
$ORIGIN _msdcs.example.com.
$TTL 600	; 10 minutes
5d11ccae-11e0-47ca-a9b0-998885292876 CNAME dc.example.com.
$ORIGIN _tcp.Default-First-Site-Name._sites.dc._msdcs.example.com.
_kerberos		SRV	0 100 88 dc.example.com.
_ldap			SRV	0 100 389 dc.example.com.
$ORIGIN _tcp.dc._msdcs.example.com.
_kerberos		SRV	0 100 88 dc.example.com.
_ldap			SRV	0 100 389 dc.example.com.
$ORIGIN _msdcs.example.com.
_ldap._tcp.18bb2267-243e-4394-821e-5406e4c7e256.domains SRV 0 100 389 dc.example.com.
$ORIGIN gc._msdcs.example.com.
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 3268 dc.example.com.
_ldap._tcp		SRV	0 100 3268 dc.example.com.
$ORIGIN _msdcs.example.com.
_ldap._tcp.pdc		SRV	0 100 389 dc.example.com.
$ORIGIN _tcp.Default-First-Site-Name._sites.example.com.
_gc			SRV	0 100 3268 dc.example.com.
_kerberos		SRV	0 100 88 dc.example.com.
_ldap			SRV	0 100 389 dc.example.com.
$ORIGIN _tcp.example.com.
_gc			SRV	0 100 3268 dc.example.com.
_kerberos		SRV	0 100 88 dc.example.com.
_kpasswd		SRV	0 100 464 dc.example.com.
_ldap			SRV	0 100 389 dc.example.com.
$ORIGIN _udp.example.com.
_kerberos		SRV	0 100 88 dc.example.com.
_kpasswd		SRV	0 100 464 dc.example.com.
$ORIGIN example.com.
$TTL 1200	; 20 minutes
dc			A	192.168.122.100
$TTL 300	; 5 minutes
localhost		A	192.168.122.10
			TXT	"31b3e25f324398b385f0fa3ce3a53b3ccb"
$TTL 10800	; 3 hours
server1			A	192.168.122.200

As you can see, although we are using BIND rather than Microsoft DNS, Active Directory registers everything it needs and works fine.

Check an SRV record:

(screenshot)
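Before joining any client it is worth confirming that the SRV records a domain member looks up are actually answerable from the BIND server, not merely present in the zone file. The check below is an added example, not from the original post; it uses dig (bind-utils) against the names this lab uses (domain example.com, DC dc.example.com, resolver 192.168.122.200, all taken from the post) and flags records that are missing or that advertise the wrong port.

```shell
#!/bin/bash
# Added example (not from the post): verify that the AD SRV records a domain
# member needs are answerable from the BIND server. Requires dig (bind-utils).
# Domain, DC name and resolver address are those of this lab.
set -eu

# "name expected-port" pairs; these are the lookups clients make at join and logon time.
ad_srv_names() {
    domain=$1
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$domain 389" \
        "_kerberos._tcp.dc._msdcs.$domain 88" \
        "_ldap._tcp.pdc._msdcs.$domain 389" \
        "_ldap._tcp.gc._msdcs.$domain 3268" \
        "_ldap._tcp.$domain 389" \
        "_kerberos._tcp.$domain 88" \
        "_kerberos._udp.$domain 88" \
        "_kpasswd._tcp.$domain 464" \
        "_gc._tcp.$domain 3268"
}

# Query every record at resolver $2 for domain $1; print one OK/MISSING/BADPORT
# line per name and return 1 if anything is wrong.
check_ad_srv() {
    domain=$1; server=$2; rc=0
    while read -r name port; do
        # dig +short prints "priority weight port target" for each SRV answer
        answer=$(dig +short "$name" SRV "@$server" +time=2 +tries=1 2>/dev/null || true)
        if [ -z "$answer" ]; then
            echo "MISSING $name"; rc=1
        elif ! printf '%s\n' "$answer" | awk -v p="$port" '$3 == p { ok=1 } END { exit !ok }'; then
            echo "BADPORT $name -> $answer"; rc=1
        else
            echo "OK $name -> $(printf '%s\n' "$answer" | awk 'NR==1 {print $4}')"
        fi
    done <<EOF
$(ad_srv_names "$domain")
EOF
    return $rc
}

# Usage: ./check-ad-srv.sh example.com 192.168.122.200
if [ "$#" -ge 2 ]; then
    check_ad_srv "$1" "$2"
fi
```

Run it from the Samba server before realm join; a MISSING line for the _msdcs names usually means the DC's dynamic update was refused (check allow-update and /var/log/messages on server1), while BADPORT points at a hand-edited record.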

Joining the example.com domain

Now go to localhost.example.com and join it to the example.com domain:

yum install samba* oddjob* ntp* sssd -y

Synchronize time with the DC (Kerberos rejects clients whose clock is more than five minutes off):
systemctl enable ntpd.service
ntpdate dc.example.com
systemctl start ntpd.service

systemctl enable oddjobd
systemctl start oddjobd
systemctl enable winbind
systemctl start winbind
systemctl start sssd

Edit /etc/krb5.conf (one realm block is enough; dns_lookup_kdc = true finds the KDC through the SRV records above, and the explicit kdc line is a fallback):

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = EXAMPLE.COM
dns_lookup_kdc = true

[realms]
EXAMPLE.COM = {
kdc = dc.example.com
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

Edit /etc/samba/smb.conf:

[global]
#--authconfig--start-line--

# Generated by authconfig on 2015/06/10 17:25:07
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = EXAMPLE
password server = DC.EXAMPLE.COM
realm = EXAMPLE.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false

#--authconfig--end-line--

# ----------------------- Network-Related Options -------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description field.
#
# netbios name = used to specify a server name that is not tied to the hostname.
#
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
# max protocol = used to define the supported protocol. The default is NT1
#
; workgroup = MYGROUP
server string = Samba Server Version %v

; netbios name = MYSERVER

# Only this host's interfaces and the lab network; the sample file's
# 192.168.12.x/192.168.13.x addresses do not exist here.
interfaces = lo ens3
hosts allow = 127. 192.168.122.

; max protocol = SMB2

Restart the smb, winbind and oddjob services:

systemctl restart smb
systemctl restart oddjobd
systemctl restart winbind

Open the firewall ports:

firewall-cmd --add-service=samba --permanent
firewall-cmd --reload

Join the domain:

realm join --user=administrator example.com

(With winbind as the client, as configured above, the native join command is net ads join -U administrator, which is also what authconfig's Join Domain button performs.)

You can avoid all this editing by simply running
authconfig-gtk
and populating the fields:
(screenshot)

Click Join Domain, enter the domain admin username and password, and click Apply.
You shouldn't have any problems; if you do, check /var/log/messages and /var/log/samba/log.winbindd.

Type realm list

(screenshot)

If you get this screen, everything is fine.

Switch now to the domain controller and create an OU, a group and a user (PowerShell again; the plain-text password is a lab convenience, use Read-Host -AsSecureString in anything real):

New-ADOrganizationalUnit "test"

New-ADGroup -Name "test group" -GroupScope Global -GroupCategory Security -Path "ou=test,dc=example,dc=com"

New-ADUser -Name "tex willer" -UserPrincipalName "tex.willer@example.com" -AccountPassword (ConvertTo-SecureString "Passw0rd01" -AsPlainText -Force) -ChangePasswordAtLogon $false -Path "ou=test,dc=example,dc=com" -Enabled $true

Add-ADGroupMember -Identity "test group" -Members "tex willer"

Get-ADUser "tex willer" | Format-List

(screenshot)

Now switch to the Samba server and type:

wbinfo -u   # lists AD users

wbinfo -g   # lists AD groups

(screenshot)

We can now see the user tex willer and the group "test group".

Let's create the shared folder now:

mkdir -p /srv/samba/Profiles
chmod -R 770 /srv/samba/Profiles
chgrp "Domain Users" /srv/samba/Profiles

At the bottom of /etc/samba/smb.conf add (smb.conf does not support comments after a value, so they go on their own lines):

[Profiles]
 path = /srv/samba/Profiles/
 read only = no
 # keep DOS hidden/system attributes in xattrs, which Windows expects for redirected folders
 store dos attributes = yes
 browseable = yes
 writable = yes
 # guest access must stay off on a share holding user profile data
 public = no

Edit /etc/pam.d/system-auth. The uid threshold in the account line may differ on your system; the rule followed here is a value larger than your domain users' uids. Note that with the threshold above the idmap range (16777216-33554431 in smb.conf) pam_succeed_if also matches domain users, so the account stack returns success before pam_winbind runs and winbind's account checks (disabled account, expired password, logon hours) are skipped for them; the line authconfig generates uses the local-user boundary (500 or 1000) for exactly that reason.

To find out the id, log the user in on a Linux terminal (su "tex willer"), then type id (see the uid value).

Until I set this, Samba had been rejecting my Windows username/password.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet_success
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 36777216 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

For SELinux to allow writes to the shared folder, label it:

chcon -t samba_share_t /srv/samba/Profiles

chcon is not persistent: the next relabel (restorecon, or a full filesystem relabel) resets the context to the default. For a permanent mapping record it with semanage fcontext and apply it with restorecon.

Edit /etc/nsswitch.conf so the system consults winbind when a user is not found in /etc/passwd:

passwd: files winbind
shadow: files winbind
group: files winbind

Restart smb, winbind, sssd and oddjobd again and try to access the share from Windows Server 2012; you should see the Profiles folder:
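The share root, its SELinux label and the share definition above are the three pieces that tend to drift apart, so it helps to provision them from one script. The one below is an added example, not code from the original post: it creates the share root with the group-setgid bit so folders users create inherit Domain Users, records the samba_share_t context persistently with semanage fcontext when that tool is installed (falling back to a warning otherwise), and prints a share stanza with guest access off. The directory, group and share name are the ones used in this post; the hosts allow value and everything else are assumptions.

```shell
#!/bin/bash
# Added example (not from the post): provision the Samba share root for folder
# redirection with restrictive POSIX permissions and a persistent SELinux label,
# then emit the matching smb.conf stanza. Assumes /srv/samba/Profiles and the
# "Domain Users" group from this post; semanage needs policycoreutils-python-utils.
set -eu

# Create $1 owned by group $2 with mode 2770, label it samba_share_t persistently
# where SELinux tooling exists, and print the resulting mode.
provision_share_root() {
    dir=$1; group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    # rwx for owner and group, nothing for others; setgid so subfolders created by
    # users keep the share's group instead of each creator's primary group.
    chmod 2770 "$dir"
    if command -v semanage >/dev/null 2>&1 && command -v restorecon >/dev/null 2>&1; then
        # chcon alone is lost on relabel; store the mapping in the policy instead.
        semanage fcontext -a -t samba_share_t "${dir}(/.*)?" 2>/dev/null \
            || semanage fcontext -m -t samba_share_t "${dir}(/.*)?" 2>/dev/null \
            || echo "warning: could not record SELinux context for $dir" >&2
        restorecon -R "$dir" 2>/dev/null || true
    fi
    stat -c '%a' "$dir"
}

# Print the [share] stanza: writable, visible, no guest access, DOS attributes kept
# in xattrs so Windows can mark redirected folders hidden/system. Comments in
# smb.conf must be on their own lines, so the stanza carries none.
share_stanza() {
    name=$1; dir=$2
    cat <<EOF
[$name]
 path = $dir
 read only = no
 browseable = yes
 guest ok = no
 store dos attributes = yes
 hosts allow = 127. 192.168.122.
EOF
}

# Usage: ./provision-profiles.sh /srv/samba/Profiles "Domain Users" >> /etc/samba/smb.conf
if [ "$#" -ge 2 ]; then
    provision_share_root "$1" "$2" >&2
    share_stanza Profiles "$1"
fi
```

After appending the stanza, run testparm -s to confirm Samba parses it, then restart smb and winbind as above. The per-user folders that folder redirection creates underneath still get their Windows ACLs from the GPO; the 2770 root only controls who may reach and create them.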

(screenshot)

Now try to create a folder/file.

Give Domain Users Full Control on the Profiles folder (This folder only) together with List Folder/Read Data and Create Folders/Append Data (This folder only). The Domain Admins security group should have Full Control of This folder, subfolders and files.

Create a GPO for folder redirection:
User Configuration -> Policies -> Windows Settings -> Folder Redirection

(screenshot)

Apply the policy, log in as the user and create a file/folder in the Documents folder:

(screenshot)

Then check the Profiles folder:

(screenshot)

Great! On the Samba share the tex willer folder was created automatically and everything in the Documents folder is redirected there.

Comments

1. If someone needs an expert view regarding blogging, afterwards I recommend him/her to go and see this webpage. Keep up the pleasant job.

2. gpo modipla says:

I'm extremely impressed with your writing abilities and also with the format of your weblog. Is this a paid theme or did you modify it yourself? Either way, keep up the excellent quality writing; it's rare to see a great blog like this one today.

3. "Great blog post! Hello Admin! Thanks for this article, very good information, I will be forwarding this to some friends, if you're ok with that. Greetings from Germany!"
