Howto install NethServer as Samba AD domain controller v0.2

Installation guide NethServer
Samba 4 AD server role

V 0.1 - initial version
V 0.2 - automated NSDC container cert renewal
V 0.21- added note about installing nano instead of vi

This manual explains how to boot the NethServer installation ISO and install NethServer with the Samba4 AD role. No special attention will be given to disk-layout or backup strategies. A vitual environment is assumed. If you will install NethServer on bare metal, you will need to rethink partitioning and backup strategies. A few common pitfalls will be discussed where applicable and feedback is welcome. After following this document, you should have an Active Directory compatible domain which can replace a native Microsoft AD for most pratical purposes.

Getting started

Prerequirements

  1. Download the latest .ISO from
    http://www.nethserver.org/getting-started-with-nethserver/
  2. Prepare a virtual machine with the (absolute) minimum following specs:
    Number of cores: 1
    Memory: 4Gb
    Diskspace: 8Gb
    1 NIC
    (optional) Internet access
    mount the downloaded .ISO as CD and make sure the VM is set to boot from it

Basic installation

After power-on you should be greeted by the following screen, from where you can start the interactive installation. The other installation methods will not be discussed in this document.

afbeelding

After pressing enter and waiting a bit, you will get to the installation summary page, where a couple of defaults will be automatically selected for you. Things you will have to set are date & time and keyboard layout, but we will also make sure our networking settings will be ok, as well as the domain we will use later for our AD.
Below is a screenshot of the Installation Summary page, and we will work through the items listed there in the order provided by the red numbers.
Note: I had mixed results when using just any order to set these values, so my advice is to adhere to the order listed.

Set the correct date and time or, as per this example, use NTP for that, as is the default. You do need to set the Region and City. Click Done in the upper left corner once ready and continue to the Keyboard layout. Set it to whatever you prefer and again, click Done.
We can now continue to the networking settings and the hostname.


We will assume the following settings for network and domain:

Domain: mydomain.com
Servername: adserver
IP address: 10.0.2.5/24
Gateway: 10.0.2.2
DNS: 8.8.8.8

First enter the FQDN of the server as shown below, and apply it. Next configure the IP settings. We will only be configuring IPv4 and use google’s DNS server for now. To this end, set IPv4 settings to Manual, enter the IP settings and click Save. See below illustrations, and finally, click Done.


Now we can continue with the installtion. Please note that this setup is ONLY adviced in a cirtual environment, where it doesnt matter on which drive stuff resides. Depending on your needs, you could mount another virtual drive on /var/lib/nethserver to make sure all things important get saved on that drive which could then easily be moved between servers when needed. This could be handy when you want the data stored independant of the server OS. I see no real benefit for that in a virtual environment and thus skipped this otherwise best-practice recommendation. Click Begin installation in the lower right corner, and wait.

Once we clicked the Begin installation option, the next screen will show the progress, as well as provide an option to change the root password (and add users). We will only set the root password here, and then wait for the installation to finish. The server should reboot automatically and from then you can configure the server with the webinterface on https://10.0.2.5:980
You will need to accept the self-signed certificate to access the servermanager.
My screenshots will show https://192.168.50.34:980 as serveraddress, this is due to a NAT-config for the creation of this document.

Configuring the AD account provider

After the reboot, and entering the provided link in your browser, you should get a certificate warning. After accepting the exception, you should be greeted by the login screen as shown below. Enter your just configured root account, and login.

You will then be greeted by the final setup, which is mainly a next next next continue at this point. I will provide screenshots of every step below, but really, you can accept the defaults here.


Starting screen, nothing to do here. Click Next.

If you are migrating a server, this is interesting, for now, click Next.

Nothing to do here but check it is indeed as we specified earlier. Click Next.

As above.

Alter the default port for added security and click Next.

Leave the box unchecked and click Next.

Choose what to do here, and … next

Apply the settings and we’re done.

After a little bit you will be presented with the servermanager:

Most configuration tasks are worked into pages that can be accessed from the servermanager, depending on the packages installed. In order to make sure that we will not be building on bugs, or reinventing the wheel, we will first update the installation to the latest and greatest version.


Click the ‘Updates’ tab and click Download and Install, and wait a bit.


Reload the page, and finally reboot the server from the Shutdown menu.

Once the server has rebooted, we can continue with installing the AD role.

Open the account provider menu and click the Active Directory option.

Select the option to create a new domain and fill out the required fields as listed below:
DNS Domain name: mydomain.com (NOTE: I ommit the subdomain AD here)
NetBIOS domain name: mydomain
Domain Controller IP: 10.0.2.6


It should look like this. Click Create Domain, wait a bit and you should be looking at this:


Note: I have had multiple times that the previous step resulted in an error about sssd.conf … just re-press Create Domain in that case, it should pass.

The final step is setting passwords on the local admin and domain admin users, which can be done by going to the Users and Groups page. Please note that users will be created in the AD. Most AD fields will NOT be populated. You WILL need MSADUC to properly configure users and fields.

For now, click the Enable admin user link on top of the page, and edit the password of both listed users.


Note the key icons being gone afterwards:

We now have a working Active Directory and can connect to it with the usual tools on the IP 10.0.2.6

The DNS server we will be distributing to the clients NEEDS to be the AD container on 10.0.2.6. This also means that the DNS page of the NethServer server manager, WILL NOT BE USED!
This page will feed the local DNS server on 10.0.2.5, and this will create issues for AD users.

The next step will make sure that java and other more strict apps can connect to the AD and use it:
Connect with SSH to your server, and enter the following commands, as root:

If you prefer using nano, install it using:
yum install nano

Commands for vi (always present, my recommendation is to learn it’s basic commands)
pressing ‘i’ will enter insert mode
pressing esc will exit insert mode
pressing ‘:’ will enter command mode
entering ‘wq’ in command mode will save and quit
entering ‘q!’ in command mode will quit, discarding changes

touch /etc/e-smith/events/certificate-update/nsdc-cert
vi /etc/e-smith/events/certificate-update/nsdc-cert

Copy (that is, type) this in:

#!/bin/bash
cp -f /etc/pki/tls/private/localhost.key /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
cp -f /etc/pki/tls/certs/localhost.crt /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem

Save the file and enter the last command:

chmod ug+x /etc/e-smith/events/certificate-update/nsdc-cert

As a final step we will configure a LetsEncrypt certificate on the Nethserver host.

There is a prerequirement for this to work, and that is that Let’s Encrypt requires DNS verification to reach the host. Your PUBLIC DNS needs to be aware of ‘mydomain.com’ and when it tries to connect to adserver.mydomain.com or nsdc-adserver.mydomain.com those names need to resolve to an IP you own, and port 80 needs to be forwarded to the machine you are trying to give a certificate.
When this is done, go to the Server Certificate page, and request a Let’s Encrypt certificate.



There is an error on the next page in the labels used. It talks about domains, it should mention FQDN’s. The FQDN of our NethServer host is adserver.mydomain.com but the AD container has a different name. Since we are going to use this certificate for the AD container as well, we will add it’s FQDN to the ‘Domains’ list as shown below:

There is no way for me to complete this step on mydomain.com, as I do not own it, so the rest of this step will be skipped.

Reboot the server, and you should no longer get security exceptions on the servermanager or when connecting with Java apps to the AD.

From this point on, there is not much to do on the NethServer servermanager, and you should add a Windows workstation to the newly created domain, and install Microsoft AD tools on it to further configure your server as per normal.

This will not be part of the scope of this document, it is presumed you know what you are doing on the AD side of things. Things to configure: reverse DNS, internal DNS records for the services that should be available on the LAN, populate the AD.

This is the first of several how-to’s that together form a pretty basic setup with an AD server, an FTPES and Samba fileserver, a Webserver, and a SOGo mailserver.

Feel free to add to this guide as needed, and please notify me so I can edit this post.

22 Likes

Reserved for future additions

1 Like

Also, I am aware there is already a guide for this. Due to that one being geared toward people that are comfortable on the commandprompt, I think this is not a waste of space, and I will also be building on this howto for the rest of the servers. For reference, I need this :slight_smile:

1 Like

ALERT! This guide contained an error in the step that claimed to copy the LetsEncrypt certs to the Samba container. This has been corrected. Sorry for any inconvenience caused.

2 Likes

@planet_jeroen a little hint: nano is far easier to use than vi . Yes, i know, i’m still a linux n00b, but maybe writing the “nano version” of file editing could be easier to do than the “vi version”. Skilled people will use favorite text editor.
nano should be installed with yum install nano

2 Likes

Could you please tell us a bit more abt this?

Hey @pike, thanks for the feedback. I am aware that nano is easier, but myself prefer to only install the bare minimum, and vi will always be available.

I will add a little note about nano for those that prefer ease of use in this scenario. Thanks!

What exactly would you want me to elaborate on @fausp ?

1 Like

What tools do you mean with - Microsoft AD tools - Is it RSAT?
What can RSAT do for us on/with NethServer?
HowTo’s would be great of course…

1 Like

Agree on that. My routine after installing NethServer:
yum update -y
yum install nano

:wink:

That would be RSAT, yes, but any other tool that operates on AD should work too, as long as the schema is correct. When you choose AD account provider, you should not understand that as a compatability layer to make windows happy … you are quite litteraly running an AD.

How you should configure your AD is something that I can not be expected to cram into a couple of forum posts to amend a server installation document. I will add some basic stuff about groups, configuring DNS, and I still need to add a couple of little things on the windows side anyway. If you have specific questions I will do my best, but I think this is neither the topic nor the place to discuss Microsoft AD architecture and design decisions and/or post howto’s for common windows administration tasks.

1 Like

May I suggest LDAP account manager? :grinning:

2 Likes

You can configure your Nethserver domain in the same way you do it at a windows server.
But you have to use a windows client for it.
For linux-clients have a look at @davidep’s post.

1 Like

Amazing job man :slight_smile: that’s a super guide! 15 likes so far show that people appreciated your effort.
Keep it up!

1 Like

…my collegue will like it as well … this is the first bit of documentation I wrote :open_mouth: :smiley:

4 Likes

Was that error the one discussed on Procedure to join AD domain with NS7 ?

Yes, it was. I havent seen it lately in my last 3 installs. I would be happy to check again, or test a scenario if some testing needs to be done.

Just for the record, that bug was fixed

2 Likes

Heya @MrE

Your scenario is my scenario pretty much. My users are a 15 person software development company with no regards for past 20 years of development in any but our own software.

I have a opted for the following:

1x supermicro server with 2x 10 dualcores = 40 cores for virtualization and 256GB of memory, and a disk to boot from and store the config.
1x TrueNAS (or equivalent) Z20 with raid 10 over 10 disks, giving me 40TB to play with on a ZFS storage layer, exported with NFS to that supermicro proxmox server.

On top of that is running 9x NethServer, 1 as in this guide, a SOGo mailserver that connects to this one, a SAMBA File and VSFTPD FTPES server, various webservices on their own dedicated virtual server, and like 30 Windows 10 clients, mostly for VPN connections. I can virtualize most of our company without running out of resources, and am a verry happy camper.

Netserver can fill all these roles you mention, and even help with transitioning, as it is easy to set up and at no cost but resources on the virtual environment, you get to try a lot without much consequences.

A FreeNAS would be equally good, or the other one people promote lately… just make sure you have at least 10 drives in it, and use RAID10. Nothing worse then slow disk performance on a VM environment.

Use the cache options as well … we have SSD’s for cache, and otherwise just spinning rust, and outperform most VMware solutions we encounter at customers, while those cost a multiple of our environment.

So yeah, Nethserver can help you out, and I am writing the mailserver guide at a slow pace atm, but it will be there, and we run it in production already :slight_smile:

Dragged you here cuz the threat would be derailed by this answer :wink:

From

4 Likes

Also,l read this as: DO NOT use virtualisation WITHOUT investing in these at least 10 disks, to get RAID10. You will pay dearly in speed penalty if you do. If you have users with on average 10GB mailboxes, and they start syncing while you boot a windows client and someone tries to cpy their pictures over, you will get a ringing phone.

1 Like

Agreed on getting as many spindels as possible. It will increase I/O drasticly (and you will need it)