nethserver-dc
The nethserver-dc package runs a systemd-nspawn container (nsdc) with a vanilla Samba 4 inside it. It downloads, installs, configures and provisions an Active Directory domain controller based on Samba.
The nsdc container needs an IP address in a green network, different from the host machine one. It enslaves its network interface to a host bridge with the green role. If needed, this bridge is created automatically.
This is a typical configuration:
# config show nsdc
nsdc=service
ProvisionType=newdomain
IpAddress=192.168.122.50
bridge=br0
status=enabled
nethserver-dc-save event
- it creates and configures the systemd-nspawn machine (nethserver-dc-install action). The Samba domain is provisioned by the samba-provision.service unit, according to the ProvisionType prop value. Supported values are:
  - newdomain (default): domain and realm are taken from the local system and it won't be possible to change them anymore. For instance, if the system domain is nethserver.org, the domain will be NETHSERVER and the realm nethserver.org.
  - ns6upgrade: connect to the LDAP service running on the host machine and migrate the WS/PDC domain from the ns6 backup to an Active Directory domain. The realm and domain name are set as described in the newdomain provision type.
  - sme8migration: this provision procedure is driven by the nethserver-dc-migrate action. It requires a running NSDC, provisioned as newdomain. It copies Samba 3 files from the migration source directory to the NSDC chroot, then restarts the samba-provision and samba services in the running NSDC container.
- it creates a network bridge if needed, or selects an existing one, and saves it in the nsdc bridge db prop (nethserver-dc-create-bridge action)
- it waits for the machine to come up (nethserver-dc-waitstart)
- it joins the domain of the new machine using default credentials (nethserver-dc-join)
- it sets the password policy (nethserver-dc-password-policy)
Realmd writes a lot of information to the system journal; see the journalctl command.
Running commands in nsdc
To get a shell inside the nsdc container, you can run
# systemd-run -M nsdc -t /bin/bash
As an alternative, run a specific command in the container with the nsdc-run helper:
# nsdc-run cat /etc/hostname
The -- string separates the helper's own options from the argument list of the command to run:
# nsdc-run -- ls --help
For more information:
# nsdc-run --help
Always make sure to close interactive sessions to avoid errors like:
Failed to get machine PTY: No such file or directory
To get a list of sessions, run
loginctl
Manual Join
The nethserver-dc-join action joins the domain automatically. If for any reason the join is invalid, you can attempt a manual join following this procedure.
Check that nsdc is running:
systemctl status nsdc
Check that the DNS is responding:
# host -t SRV _ldap._tcp.$(config getprop sssd Realm)
_ldap._tcp.nethsever.org has SRV record 0 100 389 nsdc-vm8.nethsever.org.
Clean up any previous join state:
config setprop sssd Provider none
signal-event nethserver-sssd-leave
Join the domain:
realm join -v -U admin $(config getprop sssd Realm)
You can replace admin with any other administrative account name. The command above prompts for a password. When the join is successful:
config setprop sssd Provider ad
signal-event nethserver-sssd-save
If everything goes well:
getent passwd administrator@$(hostname -d)
# output: administrator@nethserver.org:*:261600500:261600513:Administrator:/home/administrator@nethserver.org:/bin/bash
/usr/libexec/nethserver/list-users -s administrator
# output: {"administrator": ...
Once the domain is joined, you can manage users from the web interface. From the command line, you can use the net command:
# net ads info
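The DNS check of the manual join procedure, as an added example that is not part of nethserver-dc: parse_ldap_srv validates one answer line of host -t SRV _ldap._tcp.<realm> (LDAP record, port 389, target host inside the realm) before realm join is attempted, and dns_check wraps the page's query on a NethServer host. The sample answer line is constructed for the example.

```shell
#!/bin/sh
# Pre-flight for the manual join above: validate the answer of
# 'host -t SRV _ldap._tcp.<realm>' before running 'realm join'.
# Added example, not part of nethserver-dc; the sample answer is constructed.

# parse_ldap_srv REALM LINE
# Accepts one answer line of the shape
#   _ldap._tcp.REALM has SRV record PRIO WEIGHT PORT TARGET.
# and prints TARGET (without the trailing dot) when it is an LDAP record on
# port 389 whose target host belongs to REALM; returns 1 otherwise.
parse_ldap_srv() {
    realm=$1
    set -- $2                      # split the answer line on whitespace
    [ "$1" = "_ldap._tcp.$realm" ] || return 1
    [ "$2 $3 $4" = "has SRV record" ] || return 1
    [ "$7" = 389 ] || return 1
    target=${8%.}                  # strip the trailing dot of the FQDN
    case "$target" in
        *."$realm") printf '%s\n' "$target" ;;
        *) return 1 ;;
    esac
}

# dns_check: on a NethServer host, run the page's query for the SSSD realm and
# accept the first usable answer line; returns 1 when none is found.
dns_check() {
    realm=$(config getprop sssd Realm)
    answer=$(host -t SRV "_ldap._tcp.$realm") || return 1
    while read -r line; do
        if dc=$(parse_ldap_srv "$realm" "$line"); then
            echo "ok: LDAP SRV record for $realm points at $dc"
            return 0
        fi
    done <<EOF
$answer
EOF
    echo "no usable LDAP SRV record for $realm" >&2
    return 1
}

# Constructed sample answer in the format shown above.
SAMPLE_ANSWER='_ldap._tcp.nethserver.org has SRV record 0 100 389 nsdc-vm8.nethserver.org.'
parse_ldap_srv nethserver.org "$SAMPLE_ANSWER"   # prints nsdc-vm8.nethserver.org
```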
Factory reset
The "Start DC" procedure from the "Accounts provider" page is designed for a single run. If it fails, re-installing the whole server can be avoided by running the following command:
signal-event nethserver-dc-factory-reset
The command cleans up the DC state and prepares it for a new provisioning run. Any existing user and group account is erased.
If a full DC re-install is desired, after the factory reset event also run
rm -rf /var/lib/machines/nsdc
Upgrade the container
The upgrade procedure will:
- stop the container
- upgrade the chroot base system
- upgrade samba
- restart the container
To upgrade, execute:
signal-event nethserver-dc-upgrade
Changing the IP address of DC
Warning
Before applying this procedure, carefully read the official Samba wiki page.
The IP address of the nsdc container must be in the same network as the bridged green interface. If needed, first change the address of the green interface, then proceed with the following.
Example, change the network address:
- current host IP: 192.168.101.7
- current nsdc container IP: 192.168.122.77
- new nsdc container IP: 192.168.101.77
Execute the nethserver-dc-change-ip event with the new IP address:
signal-event nethserver-dc-change-ip <new_ip_address>
Example:
signal-event nethserver-dc-change-ip 192.168.101.77
Note that the event fails if the new nsdc IP address is not in the same network as the green interface.
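A pre-check for the condition stated above, as an added example that is not part of nethserver-dc: same_network compares the network prefix of the green address and the candidate nsdc address under the green netmask, and check_new_dc_ip applies it on a host, reading the bridge name from the nsdc prop shown at the top of the page; the lookup of the bridge address and netmask through db networks getprop with the keys ipaddr and netmask is an assumption. The worked calls use the page's example addresses with a constructed /24 netmask.

```shell
#!/bin/sh
# Pre-check for nethserver-dc-change-ip: confirm the new nsdc address lies in
# the network of the bridged green interface, the condition the event enforces.
# Added example, not part of nethserver-dc; the 'db networks' lookup of the
# bridge address and netmask (keys ipaddr, netmask) is an assumption.

# ip2int DOTTED-QUAD: print the address as an unsigned 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# same_network GREEN_IP CANDIDATE_IP NETMASK
# Returns 0 when both addresses share the network prefix selected by NETMASK.
same_network() {
    green=$(ip2int "$1"); cand=$(ip2int "$2"); mask=$(ip2int "$3")
    [ $(( green & mask )) -eq $(( cand & mask )) ]
}

# check_new_dc_ip NEW_IP: on a NethServer host, read the bridge name from the
# nsdc prop and its address/netmask from the networks db, then compare.
check_new_dc_ip() {
    bridge=$(config getprop nsdc bridge)
    green_ip=$(db networks getprop "$bridge" ipaddr)
    green_mask=$(db networks getprop "$bridge" netmask)
    if same_network "$green_ip" "$1" "$green_mask"; then
        echo "ok: $1 is in the network of $bridge ($green_ip/$green_mask)"
    else
        echo "refusing: $1 is outside the network of $bridge ($green_ip/$green_mask)" >&2
        return 1
    fi
}

# Worked example with the page's addresses and a constructed /24 netmask.
same_network 192.168.101.7 192.168.101.77 255.255.255.0 && echo "192.168.101.77: ok"
same_network 192.168.101.7 192.168.122.77 255.255.255.0 || echo "192.168.122.77: outside"
```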
Alternate UPN suffix
The default UPN (User Principal Name) suffix for a user account is the SSSD realm, but the nsdc container is also configured with an extra UPN suffix, set to the FQDN of the host machine.
Example:
- Host FQDN: nethserver.org
- SSSD realm: ad.nethserver.org
- Default UPN: ad.nethserver.org
- Extra UPN: nethserver.org
If required, the administrator can use the RSAT tools to select the extra UPN for a specific user.
Enable check password script
This manual fix is only needed for old installations.
Edit /var/lib/machines/nsdc/etc/samba/smb.conf and add
check password script = /usr/local/sbin/checkpassword.pl
to the global section. Restart samba in the NSDC container:
systemctl -M nsdc restart samba
Apply the current system password policy to the Samba DC:
signal-event password-policy-update
ns-samba binary build
- Clone the git repo at https://github.com/NethServer/ns-samba and enter its directory
- Download the pristine sources from the Samba project
wget https://download.samba.org/pub/samba/stable/samba-4.8.6.tar.gz https://download.samba.org/pub/samba/stable/samba-4.8.6.tar.asc
- Check the sources signature
gunzip -c samba-4.8.6.tar.gz | gpg --verify samba-4.8.6.tar.asc -
- Bump the source hash sum
sha1sum samba-4.8.6.tar.gz > SHA1SUM
- Edit ns-samba.spec to fix the version references and the %changelog section
- Commit the changes and add a (signed) tag (i.e. 4.8.6)
- Push the commit and tag to the remote git repository to start the automated x86_64 build
- Once the automated build has finished successfully, fill in the new release page here: https://github.com/NethServer/ns-samba/releases
- Copy the RPM URL to the local nethserver-dc.spec file
- Update SHA1SUM with the new RPM hash sum