
Samba as an ADDC on Solaris 11.4

Introduction


When I first installed the Samba package on Solaris, it turned out that the package provides no ADDC role. Long searches on the Internet led to answers of this kind: the Samba package on Solaris does not support this role, and some wrote that the role cannot be implemented on Solaris at all. Further research showed that everything comes down to the absence of POSIX ACL support in ZFS and in the Python shipped with Solaris. To solve these problems you must use a hard disk with the UFS file system and build Python (and Samba too) from source.

Preparation


I do all of this in VMware ESXi; before installing the system, add one more hard disk to the virtual machine. Next, download the Python and Samba source code (into the root of the file system).

 wget https://download.samba.org/pub/samba/stable/samba-4.8.8.tar.gz
 wget https://www.python.org/ftp/python/2.7.15/Python-2.7.15.tgz

Extract the archives and rename the folders for convenience.

 gzip -d samba-4.8.8.tar.gz
 gzip -d Python-2.7.15.tgz
 tar -xvf Python-2.7.15.tar
 tar -xvf samba-4.8.8.tar
 mv Python-2.7.15 python
 mv samba-4.8.8 samba

Next, you need to install gcc and some dependencies.

 pkg install gcc
 pkg install pkgconfig
 pkg install automake
 pkg install autoconf

Set the variables for building 64-bit versions

 export CPP="/usr/gcc/7/bin/gcc -E"
 export CC="/usr/gcc/7/bin/gcc"
 export CFLAGS="-m64 -std=gnu99 -fPIC -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
 export LDFLAGS="-m64 -L/usr/lib -R/usr/lib"
 export CXXFLAGS="-m64"

Create a UFS file system on the additional hard disk (specify the device name you use)

 newfs /dev/dsk/c1t1d0s2 

Next, register this hard disk in the vfstab file (not a typo: in Solaris this file is called that way). Add this line to the file.

 /dev/dsk/c1t1d0s2 /dev/dsk/c1t1d0s2 /ADDC ufs fsck yes - 

Create a mount directory and mount the hard disk on it

 mkdir /ADDC
 mount /dev/dsk/c1t1d0s2 /ADDC

Build and installation


You can now build Samba and Python. Navigate to the directory with the unpacked Samba source code and build it. Building Samba takes quite a long time.

 cd /samba
 ./configure --prefix=/ADDC
 gmake
 gmake install

No additional parameters are required to build Python; it will be installed into the /usr/local directory.

 cd /python
 ./configure
 gmake
 gmake install

After building Python, add the path to this freshly compiled Python to the PATH variable.

 export PATH="/usr/local/bin:/usr/sbin:/usr/bin" 

IMPORTANT: For everything to work correctly, set the PATH variable exactly as in this example; /usr/local/bin must come first.
After this, using Samba as an ADDC is no longer a problem. To provision the domain, run the samba-tool script:

 /ADDC/bin/samba-tool domain provision --use-rfc2307 --dns-backend=SAMBA_INTERNAL \
   --realm=office.virusslayer.su --domain=virusslayer --host-name=ad --host-ip=192.168.1.105 \
   --function-level=2008_R2 --adminpass=Password123456

Specify the realm, domain and host-name you need, and the host-ip actually used by this host.

The next step is to configure Kerberos; for this you need to change the following files:

 /etc/krb5/krb5.conf
 /etc/krb5/kdc.conf

Bring the krb5.conf file to this form:

 [libdefaults]
     default_realm = OFFICE.VIRUSSLAYER.SU
     dns_lookup_realm = false
     dns_lookup_kdc = true
     default_tgs_enctypes = aes256-cts-hmac-sha1-96
     default_tkt_enctypes = aes256-cts-hmac-sha1-96
     permitted_enctypes = aes256-cts-hmac-sha1-96

 [realms]
     OFFICE.VIRUSSLAYER.SU = {
         kdc = kdc.office.virusslayer.su
         admin_server = kdc.office.virusslayer.su
     }

kdc.conf

 [realms]
     OFFICE.VIRUSSLAYER.SU = {
         profile = /etc/krb5/krb5.conf
         acl_file = /etc/krb5/kadm5.acl
         kadmind_port = 749
         max_life = 8h 0m 0s
         max_renewable_life = 7d 0h 0m 0s
         default_principal_flags = +preauth
     }

For starting and stopping Samba at boot and shutdown, I had to write a simple bash script

 #!/usr/bin/bash
 # Start, stop, restart or inspect the Samba AD DC installed under /ADDC.
 case $1 in
   start|-start)
     /ADDC/sbin/samba
     /ADDC/sbin/smbd
     /ADDC/sbin/nmbd
     ;;
   stop|-stop)
     # Remove stale pid files, then ask the daemons to terminate (SIGTERM).
     rm /ADDC/var/run/*.pid
     pkill -15 samba
     pkill -15 smbd
     pkill -15 nmbd
     ;;
   v|-v)
     /ADDC/sbin/samba -V
     ;;
   config|-config)
     cat /ADDC/etc/smb.conf
     ;;
   restart|-restart)
     rm /ADDC/var/run/*.pid
     pkill -15 samba
     pkill -15 smbd
     pkill -15 nmbd
     /ADDC/sbin/samba
     /ADDC/sbin/smbd
     /ADDC/sbin/nmbd
     ;;
 esac

Put this script into the file /usr/bin/sambactl (create it first), make it executable and copy it into the rc3.d and rc0.d directories so that Samba is started and stopped automatically

 touch /usr/bin/sambactl
 chmod +x /usr/bin/sambactl
 cp /usr/bin/sambactl /etc/rc3.d/Ssambactl
 cp /usr/bin/sambactl /etc/rc0.d/Ksambactl

For correct operation you also need to change the system's DNS server (there is no point editing the resolv.conf file, as such changes only last until reboot); to do this, edit the service and refresh it (specify the IP address of the current system as the server)

 svccfg -s dns/client setprop config/nameserver="192.168.1.105"
 svcadm refresh dns/client

After these manipulations, you can start Samba and add the DNS entry

 /usr/bin/sambactl
 /ADDC/bin/samba-tool dns add office.virusslayer.su -U administrator office.virusslayer.su kdc.office.virusslayer.su A 192.168.1.105

Check that Kerberos works

 kinit administrator 

If everything is correct and the password is entered correctly, the ticket will be created in the /tmp/volatile-user/0 directory.
This is not the end of the Kerberos setup: you also need to set up a time synchronization server. To do this, create the /etc/inet/ntp.conf file, start the time service and make the necessary changes to this file.

 server 127.127.1.0 prefer
 server 0.europe.pool.ntp.org
 server 1.europe.pool.ntp.org
 server 2.europe.pool.ntp.org
 server 3.europe.pool.ntp.org
 driftfile /var/ntp/ntp.drift
 restrict 192.168.1.0 255.255.255.0 nomodify notrap

In the restrict line, specify the subnet that will be allowed to access the time server

Start and refresh the service

 svcadm enable ntp
 svcadm refresh ntp

You can use the Remote Server Administration Tools (RSAT) to edit group policies; they can be downloaded from here.

 Windows 8.1: https://www.microsoft.com/ru-ru/download/details.aspx?id=39296
 Windows 10: https://www.microsoft.com/ru-RU/download/details.aspx?id=45520
 Windows 7: https://www.microsoft.com/ru-ru/download/details.aspx?id=7887

After installing RSAT on Windows 7, these tools must be enabled in the Control Panel (Turn Windows features on or off). After the computer is joined to the domain, start the Group Policy Editor and, in the Default Domain Policy, edit the policy responsible for the time server

[image: Group Policy Editor, Default Domain Policy, time server policy]

In this section, enable the options "Enable Windows NTP Client" and "Configure Windows NTP Client", set Type to NTP and, for NtpServer, specify office.virusslayer.su

Additionally, you can configure the firewall: edit the file /etc/firewall/pf.conf and bring it to the following form.

 set skip on lo0
 pass quick on lo0 from any to any no state
 pass in quick on net0 proto {tcp,udp} from any to any port {22,53,123,135,137,464,389,515,636,631,445,139,88,3268,3269,49152:65535} flags S/SA modulate state
 pass out quick on net0 proto tcp from any to any port {80,443,21,20,53} flags S/SA modulate state
 pass out quick on net0 proto udp from any to any port=53 keep state
 pass out quick on net0 proto icmp from any to any
 block from any to any fragment
 block from any to any
 block all

Start the service and load the rules file

 svcadm enable firewall
 pfctl -f /etc/firewall/pf.conf
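As an added example (not part of the original post), here is a small POSIX sh audit of the two files written above, /etc/krb5/krb5.conf and /etc/firewall/pf.conf: it reports whether any enctype line still permits a weak type (des, des3, arcfour/rc4) and which AD DC ports are absent from the inbound pass rule. The config contents and the scratch directory are constructed for the demonstration; on a real host pass the actual file paths to the two functions.

```shell
#!/bin/sh
# Added example, not from the original post: audit krb5.conf enctypes and
# the pf.conf inbound rule. Config contents below are constructed samples.

# Print "weak" if an enctype line enables des/des3/arcfour(rc4), else "ok".
krb5_enctype_status() {
    if grep -Ei '^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)' "$1" \
        | sed 's/^[^=]*=//' | grep -Eiq 'des|arcfour|rc4'; then
        echo weak
    else
        echo ok
    fi
}

# Print the ports (given as arguments) absent from every "pass in" rule.
pf_missing_ports() {
    conf=$1; shift
    allowed=$( { grep -E '^pass in' "$conf" || true; } \
        | sed -n 's/.*port[[:space:]]*{\([^}]*\)}.*/\1/p' | tr -d ' ' | tr ',' '\n')
    missing=""
    for p in "$@"; do
        echo "$allowed" | grep -qx "$p" || missing="$missing $p"
    done
    echo "${missing# }"
}

# Ports an AD DC must accept: DNS, Kerberos, RPC, NetBIOS, LDAP(S), SMB,
# kpasswd, global catalog and the dynamic RPC range.
AD_PORTS="53 88 135 139 389 445 464 636 3268 3269 49152:65535"

# Constructed sample configs in a scratch directory.
tmp=${TMPDIR:-/tmp}/addc-audit.$$; mkdir -p "$tmp"
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = OFFICE.VIRUSSLAYER.SU
    permitted_enctypes = aes256-cts-hmac-sha1-96
EOF
cat > "$tmp/krb5-weak.conf" <<'EOF'
[libdefaults]
    permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5
EOF
cat > "$tmp/pf.conf" <<'EOF'
set skip on lo0
pass in quick on net0 proto {tcp,udp} from any to any port {22,53,88,389,445,636} flags S/SA modulate state
block all
EOF

echo "krb5.conf enctypes: $(krb5_enctype_status "$tmp/krb5.conf")"
echo "missing DC ports: $(pf_missing_ports "$tmp/pf.conf" $AD_PORTS)"
```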

Conclusion


As this article shows, it is possible to use Samba as an ADDC on Solaris, although it is much more complicated than on any other operating system.

Source: https://habr.com/ru/post/438910/