Using ClearOS as an Active Directory Domain Controller

It is now possible to run ClearOS as an Active Directory Domain Controller by running a version of Samba in a docker container.

If you want to try this out you will need a Business version of ClearOS or you will have to purchase the Active Directory Connector, but it is ClearCenter's intention to release the AD Connector for free soon.

If you follow this guide you should end up with a fully functioning Active Directory Domain Controller running in ClearOS. On a new installation of ClearOS you should be able to use the Active Directory Connector instead of OpenLDAP for your directory server. Dave Loper is working on a migration path for existing installations.

Decide on a LAN IP for your Docker/Samba installation

This should be a fixed IP on your LAN, so outside the DHCP scope. My ClearOS LAN interface is 172.17.2.1/24 and I am going to use 172.17.2.2 for my Docker/Samba installation. Wherever you see 172.17.2.2 in this guide, substitute your chosen LAN IP, and substitute your ClearOS LAN interface IP for 172.17.2.1.

In Webconfig > Network > Settings > IP Settings > Add Virtual button, set up your Docker LAN IP as a virtual IP attached to your LAN interface, with the same netmask as your LAN. Note the name of the interface it creates.

Install the AD Connector

yum install app-active-directory

If you're doing a fresh install with Community, do not install Windows Networking before you activate the AD Connector.

Change the ClearOS Samba port bindings so that Samba does not bind to the virtual interface. Edit /etc/samba/smb.conf and set:

bind interfaces only = yes
interfaces = lo enp2s0f1
nmbd bind explicit broadcast = yes 
socket address = 172.22.22.1

In the “interfaces” setting, list all your normal LAN interfaces and possibly the tun interfaces and the docker0 interface. If you run “ifconfig” you'll see a full list from which to make your choice. Do not add the virtual interface. For the “socket address”, just set it to one of your LAN interface IPs; this is a bit of a kludge.

If you are running Gateway Management/DNSThingy

Note that the Gateway Management/DNSThingy manager, dnsthingymgr, must not be running before you start the docker samba container as that also binds to udp:137 and will stop the docker samba container from starting. To stop dnsthingymgr, disable Gateway Manager/DNSThingy. If it is already disabled, enable it and disable it again. Gateway Manager/DNSThingy can be started after docker/samba starts. For a permanent fix you can either:

echo "disable-neighbour-discovery" > /etc/dnsthingy/dnsthingymgr.conf

or change the netbios ports in dnsthingymgr to something silly. In /etc/dnsthingy/dnsthingymgr.conf:

netbios-listen-port=54321
netbios-reply-port=54322

Stop ClearOS from restarting Winbind when looking at Users

Now we have to adjust a ClearOS routine which kills Winbind each time you visit the Users or Groups screen a while after you join the domain. The edits need to be made to /usr/clearos/apps/samba_common/libraries/Winbind.php. In the "// Classes" section, add the lines:

use \clearos\apps\base\Shell as Shell;
clearos_load_library('base/Shell');

and near the end of the file, change:

            $this->set_running_state(TRUE);

to

            $shell = new Shell();
            $shell->Execute('/usr/bin/systemctl', 'restart winbind', TRUE);

Add a guest user or Samba won't start

useradd -r guest -u 353

Then start smb, nmb and winbind.

systemctl start smb nmb winbind

If smb won't start you may need to add a /var/samba/drivers folder manually:

mkdir /var/samba/drivers -p

Sort dnsmasq port bindings

Change the port bindings in dnsmasq so that it does not bind on the virtual interface and, jumping ahead of ourselves, set up split DNS. Create a file /etc/dnsmasq.d/docker-samba (you can call it what you want as long as it is in this folder) and add the lines:

bind-dynamic
except-interface=enp2s0f1:0
server=/howitts.local/172.22.22.2

enp2s0f1:0 is my virtual interface and howitts.local is my domain. Instead of “except-interface=” you can use “interface=” and list all your interfaces, including docker0. Restart dnsmasq with:

systemctl restart dnsmasq.service

Install app-docker

Set it to start on boot and start it, then restart the firewall and dnsmasq:

yum install app-docker
systemctl enable docker.service
systemctl start docker.service
systemctl restart firewall.service
systemctl restart dnsmasq.service

Note that if you already had docker installed and running, you'll need to restart it after creating your virtual interface.

Also note that Docker tries to choose a free /16 network for its docker0 interface. It may be worth at this point running “ifconfig” and checking that it has chosen a subnet which does not clash with any of yours. It does not seem to spot VLAN subnets in use and can have other issues (mine, obscurely, is a VM running with NATed interfaces on my desktop, which has a local IP in the 172.17.2.0/24 subnet). If this is the case, see the “Configure the default bridge network” section of the Docker documentation and add a line between the braces:

"bip": "your_manual_subnet"

in /etc/docker/daemon.json and restart the docker service and dnsmasq. Note that the IP address you use should be the IP address you want to give the docker0 interface, so 172.16.0.1/16 would give the docker interface an address of 172.16.0.1, and assign a /16 subnet to the interface. If you use 172.16.0.0/16, docker will not start as 172.16.0.0 is not a valid NIC IP. A /24 subnet should be big enough for just a domain controller docker container.
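Before starting the container it is worth confirming that the Samba, dnsthingymgr and dnsmasq rebinding steps above actually took effect. The following pre-flight check is an added example, not part of the ClearOS guide: it scans a socket listing in the format of `ss -Hlnptu` and reports any host process still bound to one of the container's ports on the virtual IP or on all addresses. The DC IP and port list are the ones used in this guide and are assumptions you should adjust to your setup.

```shell
#!/bin/sh
# Added pre-flight check (not part of the ClearOS guide): report host sockets that
# would stop the samba container from binding on the virtual IP. Assumes the DC IP
# and port list used in the guide; override DC_IP in the environment if yours differ.
DC_IP="${DC_IP:-172.22.22.2}"
# Well-known ports from the docker run command (the 1024-1044 range is omitted).
DC_PORTS="53 88 135 137 138 139 389 445 464 636 3268 3269"

# Scan a listing in the format of 'ss -Hlnptu' (Netid State Recv-Q Send-Q
# Local:Port Peer:Port Process) and print each entry bound to one of DC_PORTS on
# the DC IP or on a wildcard address. Binds to other host IPs are fine: that is
# exactly what the smb.conf "interfaces" and dnsmasq "except-interface" edits do.
find_port_conflicts() {
    listing="$1"
    printf '%s\n' "$listing" | while read -r netid state rq sq laddr peer proc; do
        [ -n "$laddr" ] || continue
        addr="${laddr%:*}"
        port="${laddr##*:}"
        case " $DC_PORTS " in
            *" $port "*)
                if [ "$addr" = "$DC_IP" ] || [ "$addr" = "0.0.0.0" ] || [ "$addr" = "*" ]; then
                    printf '%s %s %s\n' "$netid" "$laddr" "$proc"
                fi
                ;;
        esac
    done
}

# Constructed sample listing: dnsthingymgr still on udp/137 everywhere and a stray
# LDAP listener on the DC IP must be flagged; smbd and dnsmasq bound only to the
# ClearOS LAN IP, and sshd on port 22, must not.
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:137 0.0.0.0:* users:(("dnsthingymgr",pid=812,fd=7))
tcp LISTEN 0 50 172.22.22.1:445 0.0.0.0:* users:(("smbd",pid=901,fd=33))
udp UNCONN 0 0 172.22.22.1:53 0.0.0.0:* users:(("dnsmasq",pid=650,fd=4))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=400,fd=3))
tcp LISTEN 0 50 172.22.22.2:389 0.0.0.0:* users:(("slapd",pid=777,fd=9))'

# Live use on the ClearOS host: find_port_conflicts "$(ss -Hlnptu)"
# An empty result means nothing on the host will block the container's ports.
find_port_conflicts "$SAMPLE_SS"
```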

Install the AD DC docker container

Now install the docker container from https://github.com/Fmstrat/samba-domain:

docker pull nowsci/samba-domain

Prep your data folders:

mkdir -p /var/clearos/samba/data
mkdir -p /var/clearos/samba/config

Start your Docker/Samba container which will be called “samba”:

docker run -t -i -d \
	-e "DOMAIN=HOWITTS.LOCAL" \
	-e "DOMAINPASS=SomeC0mplexPassword" \
	-e "DNSFORWARDER=172.22.22.1" \
	-e "HOSTIP=172.22.22.2" \
	-e "NOCOMPLEXITY=true" \
	-p 172.22.22.2:53:53 \
	-p 172.22.22.2:53:53/udp \
	-p 172.22.22.2:88:88 \
	-p 172.22.22.2:88:88/udp \
	-p 172.22.22.2:135:135 \
	-p 172.22.22.2:137-138:137-138/udp \
	-p 172.22.22.2:139:139 \
	-p 172.22.22.2:389:389 \
	-p 172.22.22.2:389:389/udp \
	-p 172.22.22.2:445:445 \
	-p 172.22.22.2:464:464 \
	-p 172.22.22.2:464:464/udp \
	-p 172.22.22.2:636:636 \
	-p 172.22.22.2:1024-1044:1024-1044 \
	-p 172.22.22.2:3268-3269:3268-3269 \
	-v /etc/localtime:/etc/localtime:ro \
	-v /var/clearos/samba/data:/var/lib/samba \
	-v /var/clearos/samba/config:/etc/samba/external \
	--dns-search howitts.local \
	--dns 172.22.22.2 \
	--dns 172.22.22.1 \
	--add-host localdc.howitts.local:172.22.22.2 \
	-h localdc \
	--name samba \
	--privileged \
	--restart unless-stopped \
	nowsci/samba-domain

Notes: DOMAIN is the name of your domain. https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ says to use a subdomain of your proper external domain which does not resolve externally. As an example, my proper domain is howitts.co.uk, so a best-practice AD domain would be ad.howitts.co.uk rather than howitts.local as in my example. This domain name should also be the one you put into your /etc/dnsmasq.d/docker-samba file.

Change all occurrences of howitts.local to your domain name.

I have set password complexity off, but the start script only changes the settings after the administrator password is set, so you must use a complex administrator password. You can leave complexity on by removing the “NOCOMPLEXITY” line. You can also change the administrator password to something else (non-complex) later on. I am not sure what the restrictions are for complexity, but I had to have at least one upper case character, one lower case character and a number. 16 mixed lower case and number characters did not work.

localdc is the name given to the domain controller (not very imaginative; I've just used their example for now). Compared to the example, I've added “--restart unless-stopped \” to enable the container to start automatically when docker starts.

It may be worth leaving out:

	-e "DNSFORWARDER=172.22.22.1" \

from the start up command. This will remove the ability of samba to resolve IPs externally, but it should not have to, as the normal ClearOS dnsmasq DNS server looks after everything except domain lookups, which must be handled by Docker/Samba. The container itself can still resolve externally because of the “--dns” lines. I have noticed high loads at times and it may be because of DNS lookups going round and round between ClearOS/dnsmasq and Docker/Samba.

Check the container is running

After a few seconds check the container is running with a:

docker ps

If you see just a number of capitalised headers wrapped over a couple of lines, it is not running. When it is running you should see output in which you can match a lot of the fields to the start up command. If it fails (for me it was due to lack of password complexity) you'll see the error in /var/log/messages. If that is the case, the best thing to do is:

docker rm samba

Then remove everything in /var/clearos/samba/data and /var/clearos/samba/config and try again with a different password.

Sort the firewall

You now need to add some rules to the firewall. Create a file /etc/clearos/firewall.d/11-docker-samba (the name is unimportant but must begin with a number greater than 10) and in it put:

if [ "$FW_PROTO" == "ipv4" ]; then true
    DOCKER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "samba" 2>/dev/null)
    if [ -z "$DOCKER_IP" ]; then
        return
    fi

    $IPTABLES -I DOCKER ! -i docker0 -o docker0 -d $DOCKER_IP -j ACCEPT
    $IPTABLES -A POSTROUTING -t nat -s $DOCKER_IP -d $DOCKER_IP -j MASQUERADE
    $IPTABLES -A DOCKER -t nat ! -i docker0 -d 172.22.22.2 -j DNAT --to-destination $DOCKER_IP
fi

Then restart the firewall with a:

service firewall restart

Test Connectivity to container

Check that you can get the domain controller's IP address from ClearOS:

host localdc.howitts.local

This must resolve to the IP correctly (172.22.22.2 in my case) before you proceed to the next step as it checks if the DC is resolving names correctly.

Edit the hosts file

Add an entry to the /etc/hosts file for the DC or you will fail to join the domain:

172.22.22.2 localdc.howitts.local localdc

Then, just to make sure the addition is used:

service dnsmasq restart
service nscd restart

End of Installation

At this point you should have a fully functioning AD Domain controller which will start every time ClearOS starts. You should be able to use the ClearOS Active Directory Connector to connect to it from a new ClearOS installation (instead of using the OpenLDAP Directory Server).

Troubleshooting the Active Directory Connector

When joining ClearOS to the AD domain, I kept getting errors such as Accounts System is Offline, even though the join appeared to have worked. There is a troubleshooter here.

Administering the domain

You can administer the domain using Microsoft's publicly available RSAT tool or the Samba utility samba-tool.

To use samba-tool you have to get to a command line within docker. To do this, you can issue the command:

docker exec -it samba /bin/bash

Type “exit” to quit.

Adding default groups

I suggest you use the docker command line to set up all the default groups you may need from the Active Directory Connector User Guide by doing:

samba-tool group add ftp_plugin
samba-tool group add imap_plugin
samba-tool group add openfire_plugin
samba-tool group add openvpn_plugin
samba-tool group add pptpd_plugin
samba-tool group add print_server_plugin
samba-tool group add smtp_plugin
samba-tool group add user_certificates_plugin
samba-tool group add web_proxy_plugin

Note: the groups will show in RSAT but only show in the Webconfig when the relevant app is installed.

Password Policies

You can check password policies with:

samba-tool domain passwordsettings show

and change them with commands like:

samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-length=4

You were forced into setting a complex administrator password when initialising the docker container. You can change it here with:

samba-tool user setpassword administrator

and so on. RSAT may be the better tool to add users and add them to groups but that is down to you.

Starting Again

Note that if you mess up you can blow everything away by doing a:

docker stop samba
docker rm samba

Then remove everything in /var/clearos/samba/data and /var/clearos/samba/config.
Start again from “Prep your data folders” or “Start your Docker/Samba container”.

You can change some startup settings (I added “--restart unless-stopped \” much later), but only those related to the docker container and not to samba, just by doing:

docker stop samba
docker rm samba

and then changing your “docker run” command, but only container-level settings can be changed that way. Anything which has already been written to the samba databases will not change (password complexity, the administrator password and so on).

If you run this on a production system it is very strongly recommended to regularly back up the contents of the two folders:

/var/clearos/samba/data
/var/clearos/samba/config

content/en_us/kb_active_directory_domain_controller.txt · Last modified: 2019/07/29 11:48 by nickh
