Modern Samba Provisioning
I have two OPNsense boxes, and I created a jail on each one:
- dc1.ad.entree.com
- dc2.ad.entree.com
(Rule of thumb: give AD its own third-level DNS label, so always "ad.example.com" and never the bare "example.com". The DC becomes authoritative for its AD zone, and an AD zone named after your public domain would shadow the public records, such as your web site, for every domain member.)
DC1 Configuration Attempt One
Starting with DC1, my first configuration attempt looked like this:

```sh
# hostname dc1.ad.entree.com; sysrc hostname=`hostname`
# export domain=entree; export realm=local; export adminpass='PASSWORD'
# samba-tool domain provision --use-rfc2307 \
    --realm=${domain}.$realm --domain=$domain \
    --server-role=dc --adminpass $adminpass \
    --option="ad dc functional level = 2016"
# cp /var/db/samba4/private/krb5.conf /etc/krb5.conf
```
This creates our Kerberos config (which I copied into place) and our smb4.conf. I may have made changes to these. I made some edits and reran the provisioning.

DC1 /etc/krb5.conf

```ini
[libdefaults]
    default_realm = AD.ENTREE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    AD.ENTREE.COM = {
        default_domain = ad.entree.com
    }

[domain_realm]
    dc1 = AD.ENTREE.COM
```
DC1 /usr/local/etc/smb4.conf

```ini
[global]
    ad dc functional level = 2016
    dns forwarder = 9.9.9.9
    netbios name = DC1
    realm = AD.ENTREE.COM
    server role = active directory domain controller
    workgroup = ENTREE
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /var/db/samba4/sysvol
    read only = No

[netlogon]
    path = /var/db/samba4/sysvol/ad.entree.com/scripts
    read only = No
```
DC1 Provisioning
After config cleanup, I reran the provisioning command like this. I think if you configure the two above files correctly, you can jump right to this step:
```sh
# samba-tool domain provision --use-rfc2307 --realm=AD.ENTREE.COM --domain=ENTREE --server-role=dc
# service samba_server enable
# service samba_server start
```
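The reason the re-run works only when the two files above are already consistent is that `samba-tool domain provision` reads an existing smb.conf and refuses to continue if its `realm`, `workgroup` or `server role` disagree with the command-line values; it also defaults `--domain` to the first label of the realm (which would be AD here, not ENTREE), so the NetBIOS domain is worth pinning explicitly. As an added example, not part of the original post or of Samba itself, the POSIX shell script below derives the names from the jail's FQDN (enforcing the post's three-label rule), writes a matching krb5.conf/smb4.conf pair, and checks an existing smb4.conf against the values you are about to pass to provision. The output paths, the `9.9.9.9` forwarder and the function names are assumptions taken from the post's own setup.

```shell
#!/bin/sh
# Added example (not from the original post): derive Samba AD DC naming from
# the host's FQDN, write a consistent krb5.conf/smb4.conf pair, and verify an
# existing smb4.conf before re-running `samba-tool domain provision`.
# Assumptions: FreeBSD samba4 package paths (/var/db/samba4), the post's
# three-label rule, and the post's forwarder 9.9.9.9.

# ad_realm FQDN: Kerberos realm = DNS domain part of the FQDN, upper-cased.
# Fails unless the DNS domain has at least three labels (host.ad.example.com),
# i.e. the AD zone is a subdomain of the public domain, never the apex.
ad_realm() {
    case $1 in
        *.*.*.*) ;;
        *) echo "ad_realm: $1: expected host.ad.example.com style FQDN" >&2; return 1 ;;
    esac
    printf '%s\n' "${1#*.}" | tr '[:lower:]' '[:upper:]'
}

# ad_netbios FQDN: NetBIOS name of this DC = first label, upper-cased.
ad_netbios() {
    printf '%s\n' "${1%%.*}" | tr '[:lower:]' '[:upper:]'
}

# write_krb5_conf REALM FILE: the minimal client config samba-tool generates.
write_krb5_conf() {
    cat > "$2" <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_realm = false
    dns_lookup_kdc = true
EOF
}

# write_smb4_conf REALM WORKGROUP NETBIOS FILE: DC config matching the post.
write_smb4_conf() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cat > "$4" <<EOF
[global]
    netbios name = $3
    realm = $1
    workgroup = $2
    server role = active directory domain controller
    ad dc functional level = 2016
    dns forwarder = 9.9.9.9
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /var/db/samba4/sysvol
    read only = No

[netlogon]
    path = /var/db/samba4/sysvol/$lower/scripts
    read only = No
EOF
}

# smbconf_get FILE KEY: value of KEY in [global]; key match is case- and
# whitespace-insensitive, comments (# or ;) are skipped.
smbconf_get() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr -s ' ')
    awk -v key="$want" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec && index($0, "=") > 0 {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            gsub(/[[:space:]]+/, " ", k)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}

# check_provision_inputs FILE REALM WORKGROUP: report every [global] value that
# would make `samba-tool domain provision --realm=REALM --domain=WORKGROUP
# --server-role=dc` abort because the existing smb4.conf disagrees with it.
check_provision_inputs() {
    rc=0
    for pair in "realm:$2" "workgroup:$3" \
                "server role:active directory domain controller"; do
        key=${pair%%:*}; expect=${pair#*:}
        have=$(smbconf_get "$1" "$key")
        if [ "$(printf '%s' "$have" | tr '[:lower:]' '[:upper:]')" != \
             "$(printf '%s' "$expect" | tr '[:lower:]' '[:upper:]')" ]; then
            echo "$1: '$key = $have' does not match '$expect'" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: . ./ad-names.sh; then, on the jail:
#   realm=$(ad_realm "$(hostname)") && write_smb4_conf "$realm" ENTREE \
#       "$(ad_netbios "$(hostname)")" /usr/local/etc/smb4.conf
#   check_provision_inputs /usr/local/etc/smb4.conf "$realm" ENTREE && \
#       samba-tool domain provision --use-rfc2307 --realm="$realm" --domain=ENTREE --server-role=dc
```

Running `check_provision_inputs` before provisioning turns the "must match chosen realm" failure into a readable diff of which key is wrong; feeding the first attempt's `entree.local` realm against the cleaned-up file above reports the mismatch rather than letting provision abort half-way.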