Apr 27

AD Test Network

Tag: Ted @ 10:08 am

I am setting up an Active Directory test network with VirtualBox. It will consist of the following components. Links are provided showing configuration information I referenced.

VirtualBox

Use these Network settings for all machines:

  • Adapter 1: Enabled
  • Attached to: NAT Network
  • Name: NatNetwork (10.0.2.0/24 – DHCP & IPv6 disabled)
  • Adapter 2: Enabled
  • Attached to: Host-only Adapter
  • Name: VirtualBox Host-Only Ethernet Adapter (10.0.5.0/24)
  • DHCP Server: Enabled
  • DHCP Lower Address Bound: 10.0.5.20

Active Directory Domain Controller

Download Debian installation image and create the server in VirtualBox:

  • Name: DC1.samdom.example.com
  • Type: Linux
  • Version: Debian (64-bit)
  • RAM: 1024 MB
  • Virtual HD: 8.00 GB
  • HD Type: VDI, dynamically allocated

Change the Network settings to the NAT Network.

Attach the installation image to the server’s Optical Drive and start the server.

  • Hostname: DC1.samdom.example.com
  • Leave the root password blank.
  • Enter the desired user name and password for the admin (sudo) account.
  • Make your disk partition selections and write changes to disk.
  • Software selection: Only “SSH server” and “standard system utilities”.
  • Install the GRUB boot loader on /dev/sda
  • Finish the installation and reboot.

Log in as the admin user and switch to root. Change the machine to a static IP address. A second adapter is enabled on the Linux machines to allow SSH logins from the host machine. Make these changes to /etc/network/interfaces:

# The primary network interface
allow-hotplug enp0s3
iface enp0s3 inet static
address 10.0.2.5
netmask 255.255.255.0
gateway 10.0.2.1
# This is the IPv6 address
#iface enp0s3 inet6 static
#address fe80::a00:27ff:fe35:1624
#netmask 64
#gateway
#
# The secondary network interface
allow-hotplug enp0s8
iface enp0s8 inet static
address 10.0.5.5
netmask 255.255.255.0

Make these changes to /etc/resolv.conf for resolving DNS names:

domain samdom.example.com
search samdom.example.com
nameserver 8.8.8.8

Make these changes to /etc/hosts for resolving the local host name:

127.0.0.1 localhost
10.0.2.5 DC1.samdom.example.com DC1

Reboot the machine to switch to the static IP address.

Install Samba and the packages needed for an AD DC. Use the FQDN of the server when the Kerberos setup prompts for it. Also install some utility programs:

  • apt update
  • apt install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
  • apt install smbclient net-tools dnsutils

Stop and disable all Samba processes, and remove the default smb.conf file:

  • systemctl stop smbd nmbd winbind
  • systemctl disable smbd nmbd winbind
  • rm /etc/samba/smb.conf

Provision the Samba AD:

samba-tool domain provision --use-rfc2307 --interactive
Realm=SAMDOM.EXAMPLE.COM
Domain=SAMDOM
Server Role=dc
DNS backend=SAMBA_INTERNAL
DNS forwarder IP address=8.8.8.8
Administrator password=Passw0rd

Now that the DC provides DNS, make these changes to /etc/resolv.conf so names are resolved by the DC itself:

domain samdom.example.com
search samdom.example.com
nameserver 10.0.2.5

Add these lines to the [global] section of /etc/samba/smb.conf

template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
winbind offline logon = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

Use the Samba-created Kerberos configuration file for your DC, enable the correct Samba services, and reboot to make sure everything works:

  • cp /var/lib/samba/private/krb5.conf /etc/
  • systemctl unmask samba-ad-dc
  • systemctl start samba-ad-dc
  • systemctl enable samba-ad-dc
  • reboot

Verify the File Server shares provided by the DC:

smbclient -L localhost -U%

Verify the DNS configuration works correctly:

  • host -t SRV _ldap._tcp.samdom.example.com.
  • host -t SRV _kerberos._udp.samdom.example.com.
  • host -t A dc1.samdom.example.com.

Verify Kerberos:

  • kinit administrator
  • klist

Install NTP Time Synchronization

apt install ntp

Configure NTP by editing these two lines in /etc/ntp.conf

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 10.0.2.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 10.0.2.255

Restart the NTP service and verify it is syncing with other servers

systemctl restart ntp.service
ntpq -p

Add an AD account for yourself:

samba-tool user create ted

Add it to the “Domain Admins” group:

samba-tool group addmembers "Domain Admins" ted

Verify the domain users are shown by both commands:

wbinfo -u
getent passwd

Verify the domain groups are shown by both commands:

wbinfo -g
getent group

Verify the domain ownership on a test file:

touch /tmp/testfile
chown ted:"Domain Admins" /tmp/testfile
ls -l /tmp/testfile

Install DHCP Service

Install the server:

apt install isc-dhcp-server

Use IPv4 only, on the NatNetwork adapter, with these edits to the /etc/default/isc-dhcp-server configuration file:

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s3"
#INTERFACESv6=""

Edit the /etc/dhcp/dhcpd.conf configuration file:

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
#
# option definitions common to all supported networks...
option domain-name "samdom.example.com";
option domain-name-servers DC1.samdom.example.com;
#
default-lease-time 600;
max-lease-time 7200;
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
#
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
#
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;
#
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#
subnet 10.0.5.0 netmask 255.255.255.0 {
}
#
# This is a very basic subnet declaration.
#
subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.50 10.0.2.100;
option routers 10.0.2.1;
}
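The interfaces, hosts, resolv.conf and dhcpd.conf fragments above all have to agree on one DC address, and a mismatch (the host name resolving to a loopback address, a DHCP range that overlaps the static addresses, clients being handed a DNS server that is not the DC) only shows up after the reboot. The script below is an added example and not part of the original post: it embeds constructed copies of those fragments and cross-checks them offline. The interface name enp0s3, the DC name and the 10.0.2.0/24 network are the values the post uses; `check_plan`, `parse_dhcpd` and the other helper names are assumptions of this example.

```python
"""Cross-check the DC's network fragments before rebooting or provisioning."""
import ipaddress
import re

# Taken from the post; the fragments are constructed copies of its config files.
NAT_NETWORK = ipaddress.ip_network("10.0.2.0/24")
DC_FQDN = "dc1.samdom.example.com"
INTERFACES = """\
allow-hotplug enp0s3
iface enp0s3 inet static
address 10.0.2.5
netmask 255.255.255.0
gateway 10.0.2.1
"""
HOSTS = "127.0.0.1 localhost\n10.0.2.5 DC1.samdom.example.com DC1\n"
RESOLV = "domain samdom.example.com\nsearch samdom.example.com\nnameserver 10.0.2.5\n"
DHCPD = """\
option domain-name "samdom.example.com";
option domain-name-servers DC1.samdom.example.com;
subnet 10.0.5.0 netmask 255.255.255.0 {
}
subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.50 10.0.2.100;
option routers 10.0.2.1;
}
"""

def parse_interfaces(text):
    """Map each static 'iface' stanza to its address/netmask/gateway."""
    stanzas, current = {}, None
    for parts in (l.split() for l in text.splitlines()):
        if parts and parts[0] == "iface":
            current = parts[1] if "static" in parts else None
            if current:
                stanzas[current] = {}
        elif current and len(parts) > 1 and parts[0] in ("address", "netmask", "gateway"):
            stanzas[current][parts[0]] = parts[1]
    return stanzas

def parse_hosts(text):
    """Map every name in /etc/hosts (lower-cased) to its address."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        for name in parts[1:]:
            table[name.lower()] = parts[0]
    return table

def parse_dhcpd(text):
    """Return (global DNS option values, {subnet: {'range': (lo, hi), 'routers': ip}})."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    m = re.search(r"option domain-name-servers\s+([^;]+);", text)
    dns = [s.strip() for s in m.group(1).split(",")] if m else []
    subnets = {}
    for net, mask, body in re.findall(r"subnet (\S+) netmask (\S+)\s*\{(.*?)\}", text, re.S):
        entry = {}
        r = re.search(r"range\s+(\S+)\s+(\S+);", body)
        if r:
            entry["range"] = (r.group(1), r.group(2))
        g = re.search(r"option routers\s+([^;]+);", body)
        if g:
            entry["routers"] = g.group(1).strip()
        subnets[str(ipaddress.ip_network(f"{net}/{mask}"))] = entry
    return dns, subnets

def check_plan(interfaces=INTERFACES, hosts=HOSTS, resolv=RESOLV, dhcpd=DHCPD):
    """Return a list of inconsistencies; an empty list means the plan agrees."""
    problems = []
    nic = parse_interfaces(interfaces).get("enp0s3", {})
    dc_ip = ipaddress.ip_address(nic.get("address", "0.0.0.0"))
    if dc_ip not in NAT_NETWORK:
        problems.append(f"DC address {dc_ip} is outside {NAT_NETWORK}")
    names = parse_hosts(hosts)
    if names.get(DC_FQDN) != str(dc_ip):  # 127.0.1.1 here is the classic Samba DC mistake
        problems.append(f"/etc/hosts maps {DC_FQDN} to {names.get(DC_FQDN)}, expected {dc_ip}")
    servers = [l.split()[1] for l in resolv.splitlines() if l.startswith("nameserver ")]
    if servers != [str(dc_ip)]:
        problems.append(f"resolv.conf nameservers {servers} should be the DC itself once provisioned")
    dns, subnets = parse_dhcpd(dhcpd)
    if [names.get(d.lower(), d) for d in dns] != [str(dc_ip)]:
        problems.append(f"dhcpd hands out DNS servers {dns}, which do not resolve to the DC")
    sub = subnets.get(str(NAT_NETWORK), {})
    if "range" not in sub:
        problems.append("dhcpd.conf has no range for the NAT network")
        return problems
    lo, hi = (ipaddress.ip_address(a) for a in sub["range"])
    if not (lo in NAT_NETWORK and hi in NAT_NETWORK and lo <= hi):
        problems.append(f"DHCP range {lo}-{hi} is not inside {NAT_NETWORK}")
    statics = [dc_ip]  # addresses that must never be leased to a client
    if "gateway" in nic:
        statics.append(ipaddress.ip_address(nic["gateway"]))
        if sub.get("routers") != nic["gateway"]:
            problems.append("dhcpd 'option routers' differs from the DC's gateway")
    for addr in statics:
        if lo <= addr <= hi:
            problems.append(f"static address {addr} lies inside the DHCP range {lo}-{hi}")
    return problems
```

`check_plan()` returns an empty list for the fragments as the post shows them; swap in a real `/etc/hosts` that maps the FQDN to 127.0.1.1, or a range that starts at 10.0.2.1, and it names the exact file and value to fix.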

Desktop Member Server

Download Ubuntu 18.04 LTS Desktop installation image and create the server in VirtualBox:

  • Name: UBUNTU.samdom.example.com
  • Type: Linux
  • Version: Ubuntu (64-bit)
  • RAM: 2048 MB
  • Virtual HD: 10.00 GB
  • HD Type: VDI, dynamically allocated

Change the Network settings for Adapter 1 to the NAT Network and Adapter 2 to the Host-only Adapter.

Attach the installation image to the server’s Optical Drive and start the server.

  • Hostname: UBUNTU.samdom.example.com
  • Leave the root password blank.
  • Enter the desired user name and password for the admin (sudo) account.
  • Make your disk partition selections and write changes to disk.
  • Install the GRUB boot loader on /dev/sda
  • Finish the installation and reboot.

Log in as the admin user. Configure a static IP address on the second adapter to enable SSH logins from the host machine. Make these changes to enp0s8:

address 10.0.5.6
netmask 255.255.255.0

Install the openssh server:

  • apt update
  • apt install openssh-server

Reboot the machine to switch to the static IP address.

Install the ntpdate package, then query and sync time with the AD DC by issuing the commands below as root:

apt install ntpdate
ntpdate -q samdom.example.com
ntpdate samdom.example.com

Install the software required for the Ubuntu machine to be fully integrated into the domain by running the command:

apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

After all packages finish installing, test Kerberos authentication against an AD administrative account and list the ticket by issuing the commands:

kinit administrator
klist

Join Ubuntu to Samba4 AD DC

Back up the default Samba configuration file and create a new one:

mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
nano /etc/samba/smb.conf

Add these lines to the new Samba configuration file and save it:

[global]
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
security = ADS
dns forwarder = 10.0.2.1
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

Stop all Samba daemons, join the domain, and restart the daemons:

systemctl stop smbd nmbd winbind
net ads join -U administrator
systemctl start smbd nmbd winbind

Configure AD Accounts Authentication

Add the winbind value to the passwd and group lines in the /etc/nsswitch.conf configuration file:

passwd: compat winbind systemd
group: compat winbind systemd
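The member's smb.conf and nsswitch.conf above carry the settings that `net ads join` and the later logins depend on: the realm must be the upper-cased AD DNS domain, the workgroup its first label, security must be ADS, the default idmap range must be a sane low-high pair that no local uid or gid falls into, and winbind must be listed after the local source on the passwd and group lines. The script below is an added example, not part of the original post: it lints constructed copies of those two files together with a constructed /etc/passwd excerpt (a local admin account at uid/gid 1000 is assumed); `check_member` and the parser names are assumptions of this example.

```python
"""Lint the member server's domain-join settings before running 'net ads join'."""
import re

# Constructed copies of the post's smb.conf and nsswitch.conf, plus a constructed
# /etc/passwd excerpt (the local admin account is assumed to be uid/gid 1000).
SMB_CONF = """\
[global]
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
security = ADS
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%U
winbind use default domain = true
winbind nss info = rfc2307
"""
NSSWITCH = "passwd: compat winbind systemd\ngroup: compat winbind systemd\nshadow: compat\n"
PASSWD = "root:x:0:0:root:/root:/bin/bash\nlocaladmin:x:1000:1000::/home/localadmin:/bin/bash\n"

def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased and whitespace removed,
    so 'idmap config * : backend' and 'idmap config *:backend' compare equal."""
    conf, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def parse_nsswitch(text):
    """Return {database: [sources in lookup order]}."""
    dbs = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs

def local_ids(passwd_text):
    """Collect every uid and gid used by a local account in /etc/passwd."""
    ids = set()
    for fields in (l.split(":") for l in passwd_text.splitlines()):
        if len(fields) >= 4:
            ids.update((int(fields[2]), int(fields[3])))
    return ids

def check_member(smb=SMB_CONF, nss=NSSWITCH, passwd=PASSWD):
    """Return a list of problems with the join configuration (empty when it is sane)."""
    problems = []
    g = parse_smb_conf(smb).get("global", {})
    realm = g.get("realm", "")
    if "." not in realm or realm != realm.upper():
        problems.append(f"realm '{realm}' should be the upper-cased AD DNS domain")
    if g.get("workgroup", "").upper() != realm.split(".")[0]:
        problems.append("workgroup should be the NetBIOS name, i.e. the first label of the realm")
    if g.get("security", "").upper() != "ADS":
        problems.append("security must be ADS for a domain member")
    if g.get("idmapconfig*:backend") != "tdb":
        problems.append("default idmap backend (idmap config * : backend) is not tdb")
    m = re.fullmatch(r"(\d+)-(\d+)", g.get("idmapconfig*:range", ""))
    if not m or int(m.group(1)) >= int(m.group(2)):
        problems.append("idmap config * : range is missing or not LOW-HIGH")
    else:
        lo, hi = int(m.group(1)), int(m.group(2))
        clash = sorted(i for i in local_ids(passwd) if lo <= i <= hi)
        if clash:  # winbind would hand out ids that local accounts already own
            problems.append(f"local ids {clash} fall inside the idmap range {lo}-{hi}")
    dbs = parse_nsswitch(nss)
    for db in ("passwd", "group"):
        sources = dbs.get(db, [])
        local = next((s for s in ("compat", "files") if s in sources), None)
        if "winbind" not in sources:
            problems.append(f"nsswitch '{db}' line lacks winbind, domain accounts will be invisible")
        elif local and sources.index(local) > sources.index("winbind"):
            problems.append(f"nsswitch '{db}': look up local accounts before winbind")
    return problems
```

`check_member()` is empty for the post's files. Note that on a real Ubuntu install the nobody account (uid 65534) sits inside 50000-1000000, so running `local_ids` over the actual /etc/passwd reports that overlap; decide whether to move the range or accept it knowingly.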

Edit the file /usr/share/pam-configs/mkhomedir

Name: Create home directory on login
Default: yes
Priority: 900
Session-Type: Additional
Session-Interactive-Only: yes
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel

Enable the entries required for the winbind service to automatically create home directories for each domain account at first login:

pam-auth-update