Rebasing home

Last modified by Mitchell on 2022/01/26 02:41

As obliquely referenced previously, I've switched away from using Active Directory to manage my domain to using Samba instead, largely to keep things simpler and also because minimal server is no longer supported. I'm quite used to Linux, so it's not that I object to using a command line - it's more that there's considerably more risk if PowerShell is something I only use occasionally, as I end up needing to essentially relearn things every time I want to make a change. So back to Linux it is, I suppose!

Setting up Samba as a domain controller on Alpine Linux is quite straightforward (I was running on Ubuntu for a few months, and that was probably harder to set up). I won't go into creating the domain in the first place, although Samba provides quite a bit of documentation on that process. What follows, to be done after setting up a standard Alpine Linux system (or during the process, if you prefer), is a remix of Samba's domain controller documentation. First, install the appropriate packages:

$ apk add krb5 samba-dc

Then, set up the Kerberos configuration file:

/etc/krb5.conf
[libdefaults]
        default_realm = <domain>
        dns_lookup_realm = false
        dns_lookup_kdc = true

And then join the domain:

$ kinit administrator
$ rm /etc/samba/smb.conf
$ samba-tool domain join <domain> DC -k yes

After this, the system should be a member of the domain as a domain controller. Next up is some additional configuration. First, the startup configuration:

/etc/conf.d/samba
daemon_list="samba"

The Samba config can look something like this:

/etc/samba/smb.conf
[global]
        dns forwarder = 1.1.1.1
        netbios name = <name>
        realm = <domain>
        server role = active directory domain controller
        workgroup = <domain short name>
        idmap_ldb:use rfc2307 = yes

        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab

        tls enabled = yes
        tls keyfile = /etc/samba/tls/key.pem
        tls certfile = /etc/samba/tls/cert.pem
        tls cafile =

        ntlm auth = mschapv2-and-ntlmv2-only

[sysvol]
...

[netlogon]
...

A few notes on the config:

  • dns forwarder lets Samba's internal DNS server answer queries for external names by forwarding them to the given resolver.
  • The tls entries enable LDAPS. tls keyfile specifies the private key and tls certfile the public certificate chain; both should be generated for the domain controller. With an empty tls cafile, clients have nothing to validate the chain against unless they trust the issuing CA themselves.
  • ntlm auth is set as such to enable MSCHAPv2 authentication for FreeRADIUS. This value refuses plain NTLMv1 but still permits it for clients that promise they are doing MSCHAPv2 (such as ntlm_auth); if FreeRADIUS is not needed, ntlmv2-only is the stricter choice.

And then enabling the daemon:

$ rc-service samba start
$ rc-update add samba

Once Samba is up and running, the new domain controller can point NSLCD at itself for LDAP(S) queries.
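As an added example (not code from the original post), a small POSIX sh audit of the [global] settings described above, run here against two constructed sample configs; smb_global, check_smb_conf and the sample file paths are this example's own names, not Samba's:

```shell
#!/bin/sh
# Added example (not from the original post): audit the [global] section of an
# smb.conf for the settings discussed above (TLS for LDAPS, NTLMv1 refused,
# client signing on). Point check_smb_conf at /etc/samba/smb.conf on a real DC.

# Print the trimmed value of KEY from [global] in CONF; prints nothing if absent.
smb_global() {  # usage: smb_global CONF KEY
    awk -v key="$2" '
        /^[ \t]*\[/ { inglobal = ($0 ~ /^[ \t]*\[global\]/); next }
        inglobal && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Report each weak or missing setting; return the number of findings (0 = clean).
check_smb_conf() {  # usage: check_smb_conf CONF
    n=0
    [ "$(smb_global "$1" 'server role')" = "active directory domain controller" ] \
        || { echo "server role is not 'active directory domain controller'"; n=$((n+1)); }
    if [ "$(smb_global "$1" 'tls enabled')" = "yes" ]; then
        for key in 'tls keyfile' 'tls certfile'; do  # LDAPS needs both
            [ -n "$(smb_global "$1" "$key")" ] || { echo "$key is empty"; n=$((n+1)); }
        done
    else
        echo "tls enabled is not yes: LDAP binds would cross the wire in clear text"; n=$((n+1))
    fi
    case "$(smb_global "$1" 'ntlm auth')" in  # 'yes' / 'ntlmv1-permitted' accept NTLMv1
        ntlmv2-only|no|mschapv2-and-ntlmv2-only|disabled) ;;
        "") echo "ntlm auth not set; relying on the version default"; n=$((n+1)) ;;
        *) echo "ntlm auth permits NTLMv1"; n=$((n+1)) ;;
    esac
    [ "$(smb_global "$1" 'client signing')" = "yes" ] \
        || { echo "client signing is not yes"; n=$((n+1)); }
    return $n
}

# Constructed samples: one matching the post's settings, one with weak ones.
GOOD_CONF="${TMPDIR:-/tmp}/smb_good.conf"; WEAK_CONF="${TMPDIR:-/tmp}/smb_weak.conf"
printf '%s\n' '[global]' '  server role = active directory domain controller' \
    '  client signing = yes' '  tls enabled = yes' '  tls keyfile = /etc/samba/tls/key.pem' \
    '  tls certfile = /etc/samba/tls/cert.pem' '  ntlm auth = mschapv2-and-ntlmv2-only' > "$GOOD_CONF"
printf '%s\n' '[global]' '  server role = active directory domain controller' \
    '  tls enabled = yes' '  tls keyfile =' '  ntlm auth = yes' > "$WEAK_CONF"
```

On a live DC, feeding it the output of `testparm -sv` instead of the raw file checks the effective values, defaults included.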