Turnkey linux domain controller

Notes for TurnKey Domain-Controller v15.x/v16.x/v17.x

Note: at the time of writing, v17.0 is still under development so the full feature set is as yet unconfirmed.

Recent versions of TurnKey’s Domain-Controller (DC) appliance uses Samba4 to provide a Microsoft Active Directory domain.

However, it should be noted that the current appliance is a fairly bare-bones AD server. It is provided as a «better starting point» for those that wish to use Samba4 as an AD DC but is far from being feature complete.

Compatibility with Windows Server

Please note that Samba4 is not compatible with the latest Windows Server AD Schema. This should not be a problem if all your Domain Controllers use Samba. However, if you wish to join to an existing AD domain, please check the Windows AD schema to confirm it is compatible with Samba. TurnKey Linux uses the version of Samba packaged by Debian. In v16.x that is 4.9 and in v17.x will be 4.13.

Windows 2008R2 AD schema (or below) should be supported out of the box (although there may be some 2008R2 related edge case bugs still apparent in v16.x). However, you may be able to upgrade to Windows Server 2012 AD schema support (should be possible in TurnKey v17.x — unconfirmed in v16.x) or perhaps even higher (requires specific workaround).

If you try this, please be sure to post feedback (either confirming that it works, or the issues that you hit if it doesn’t) in the TurnKey Forums.

Steps that need to be taken when first launched:

  • Set a static IP on your domain-controller
    • If running on AWS (e.g. TurnKey Hub) then connect an «Elastic IP» (AWS equivalent of a static IP).
    • Otherwise; easiest via confconsole
    • if not using the DHCP assigned IP please re-run the domain provision inithook — copy/paste the following into commandline:
    /usr/lib/inithooks/bin/domain-controller.py
    # Substitute $ADMIN_PASS for the administrator password # the 1.168.192 is from the "network IP" (backwards) i.e. this example is for 192.168.1.x samba-tool dns zonecreate dc1 1.168.192.in-addr.arpa \ --username=administrator --password="$ADMIN_PASS" # as above but 50 is from the IP i.e. 192.168.1.50 samba-tool dns add dom-controller 1.168.192.in-addr.arpa 192.168.1.50 PTR dc1.domain.lan \ --username=administrator --password="$ADMIN_PASS"
    • currently hardcoded to Google DNS (8.8.8.8)
      edit /etc/samba/smb.conf and adjust the field that is currently «dns forwarder = 8.8.8.8»

    To join a Windows Desktop to a Samba AD domain see the Samba Wiki: https://wiki.samba.org/index.php/Joining_a_Windows_client_to_a_domain

    Administer your AD: install RSAT

    To administer your AD please install Microsoft RSAT (Remote Server Administration Tools) onto a Windows member of your Domain. Note RSAT should already be pre-installed in the latest versions of Windows 10.

    Some simple administration tasks, such as adding new AD/Samba users; can be completed via samba-tool from your TurnKey Domain-Controller commandline. For more info please see the Samba Wiki — Add Users to Samba AD.

    Features to be added in the future:

    • Option to provision a fileserver AD member server
      • not yet sure on how this will be implemented.
      • see «Best Practice» notes below
      • will require AD member fileserver
      • strictly speaking they’re not required but would be good

      Backups

      Currently TKLBAM won’t properly backup a domain. If you wish to use TKLBAM hooks to script it there is info on the Samba Wiki: https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC

      Note: if you have multiple AD DCs then rather than restore from backup; just rejoin the server to the domain. Restoring a backup to a server that is already a member of a domain will likely cause DB corruption and/or multiple identical domain objects.

      General best practice recommendations

      Running AD DC in a container

      For best experience it is recommended that TurnKey Domain Controller is run within a «proper» VM (or bare metal; rather than within a LXC or Docker container). However, Samba4 should generally function ok within a «privileged» container (although no guarantees that there will be no issues). Some functionality may work within a «unprivileged» container, but strange unexpected issues will likely occur, including (but not limited to) failures when running ‘samba-tool’.

      General DC Notes

      In production it is recommended that you have a minimum of 2 domain controllers in an AD domain.

      File storage/fileserver

      Samba advise against using a (Samba4) domain controller as a fileserver as well. Instead it is recommended that you create a dedicated fileserver (as a domain member server). The current TurnKey fileserver appliance is NOT useful for this with it’s default config. See notes on the Samba wiki on setting up a member server: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

      Please note, that the TurnKey Fileserver appliance includes the same version of Sambas as the DC appliance, but is configured as «stand-alone» by default. You are welcome to reconfigure it to join an existing domain and that should work fine. Please post on the forums if you do that and would like to share your experience and/or need a hand.

      Further domain configuration e.g. DNS

      As noted above, Samba recommend using Microsoft RSAT (from within a Windows workstation) to do additional AD (Samba4) configuration.

      Realm/TLD

      For production usage it is recommended to use a domain name that you have registered with a domain registrar as the realm. If you plan to use a domain that you already own (e.g. «example.com») as your realm then add a unique subdomain to avoid potential problems (e.g. «ad.example.com»)

      Do not use «.local» realms/tlds as they can conflict with Apple (bonjour) and zeroconf type networked devices.

      Integration with LDAP

      Samba4 includes it’s own custom AD user database. As a general rule, you should just use this built-in service. However, there is some limited support for integration with LDAP. For more info, please see these Samba Wiki links:

      Источник

      Domain Controller

      A Samba4-based Active Directory-compatible domain controller that supports printing services and centralized Netlogon authentication for Windows systems, without requiring Windows Server. Since 1992, Samba has provided a secure and stable free software re-implementation of standard Windows services and protocols (SMB/CIFS).

      Run from browser

      V 17.1

      V 16.2

      GitHub

      This appliance includes all the standard features in TurnKey Core, and on top of that:

Оцените статью
Adblock
detector