.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Installing and configuring Samba-AD on RHEL8 / RHEL9 and derivatives
  :keywords: install, RedHat10, RHEL8, AlmaLinux8, CentOS8, CloudOS8, Samba, Samba-AD, configure, documentation

.. _server_install_samba_redhat:

############################################################
Installing and configuring Samba-AD on RHEL and derivatives
############################################################

.. note::

  Enterprise Linux distributions and their derivatives do not ship Samba-AD packages.
  Samba-AD relies on Heimdal Kerberos for its Active Directory domain controller role, while RedHat only distributes and supports products built on MIT Kerberos.

.. note::

  Tranquil IT RPMs are currently validated for RedHat7, RedHat8, RedHat9 and RedHat10 (and derivatives like CentOS, AlmaLinux, OracleLinux, etc.).

  If you want to stick to a community supported derivative of RedHat, we recommend AlmaLinux8.4, which we currently use for building and testing.

.. include:: samba_config_server-server_prepare_redhat.rst.inc

.. include:: samba_config_server-samba_config_server-server_install_samba_redhat_repo.rst.inc

***********************************************
Instantiating the Active Directory Samba domain
***********************************************

.. _configure_kerberos_redhat:

Configuring Kerberos
====================

* Modify the file :file:`/etc/krb5.conf` and **replace all its contents** with the following lines, specifying the Active Directory realm of your organization (here *MYDOMAIN.LAN*):

.. attention::

  The ``default_realm`` must be written in **UPPERCASE LETTERS**: Kerberos realm names are case-sensitive, and Samba provisions the realm in uppercase.

.. code-block:: ini

  [libdefaults]
    default_realm = MYDOMAIN.LAN
    dns_lookup_kdc = false
    dns_lookup_realm = false

  [realms]
    MYDOMAIN.LAN = {
    kdc = 127.0.0.1
    }

Configuring Samba
=================

* Delete the file :file:`/etc/samba/smb.conf` if it has already been generated (it will be regenerated by the instantiation command):

  .. code-block:: bash

    rm -f /etc/samba/smb.conf

* Configure Samba with the domain controller role. In the following command, change both the *Kerberos realm* and the short name of the domain (NetBIOS name) to match your organization:

  .. code-block:: bash

    samba-tool domain provision --realm=MYDOMAIN.LAN --domain MYDOMAIN --server-role=dc

* Reset the *administrator* password:

  .. code-block:: bash

    samba-tool user setpassword administrator

* Check the ``dns forwarder`` line in your :file:`/etc/samba/smb.conf`. Samba's internal DNS server forwards every query it is not authoritative for to this address, so it must point to a valid DNS server reachable from the DC, e.g.:

  .. code-block:: ini

    dns forwarder = 1.1.1.1

* Reconfigure the DNS resolution of the local machine so that it uses the DC's own DNS server. Use the :command:`nmcli` command, or :command:`nmtui` for a semi-graphical interface
  (click `here <https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/networking_guide/sec-configuring_ip_networking_with_nmtui#sec-Configuring_IP_Networking_with_nmtui>`_ for more information about the nmtui command);
  on older releases that still use :file:`/etc/sysconfig/network-scripts/ifcfg-xxxx` files, the DNS server is set in the file of the network interface instead.
  The interface name may differ on your machine, for example :code:`enp0s17` or :code:`eth0`.

  .. code-block:: bash

    nmcli con mod ens18 ipv4.dns 127.0.0.1

* Restart :program:`NetworkManager` to apply the change, and check that the resolver now appears in :file:`/etc/resolv.conf` as ``nameserver 127.0.0.1``:

  .. code-block:: bash

    systemctl restart NetworkManager

* The domain provisioning creates a separate :file:`/var/lib/samba/private/krb5.conf` file that duplicates the system one.
  Remove it and replace it with a symbolic link to :file:`/etc/krb5.conf`, so that Samba and the system Kerberos tools share a single configuration:

  .. code-block:: bash

    rm -f /var/lib/samba/private/krb5.conf
    ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf

* Enable Samba so that it starts automatically at boot, and start it now:

  .. code-block:: bash

    systemctl enable samba
    systemctl start samba

* Reboot the machine to verify that Samba comes back up on its own:

  .. code-block:: bash

    reboot

* After rebooting, check that Kerberos is properly configured and that you obtain a :abbr:`TGT (Ticket Granting Ticket)`.
  Type the password of the *administrator* account that you set above with :command:`samba-tool user setpassword`.
  If :command:`kinit` returns nothing, or only a warning about password expiration, it worked; :command:`klist` then lists the ``krbtgt/MYDOMAIN.LAN@MYDOMAIN.LAN`` ticket.

  .. code-block:: bash

    kinit administrator
    klist

  .. attention::

    Samba-AD made the sensible choice of not translating the names of built-in accounts.
    The default administrator account is therefore always **administrator**, in English, whatever the locale.

* Test the DNS: the first query is answered through the forwarder, the second resolves a host of your domain (here *srvads.mydomain.lan*), and the third returns the SRV record that Windows clients use to locate a domain controller:

  .. code-block:: bash

    dig @localhost google.fr
    dig @localhost srvads.mydomain.lan
    dig -t SRV @localhost _ldap._tcp.mydomain.lan
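The whole procedure above, from the :file:`krb5.conf` through the post-reboot checks, gathered into one POSIX shell script as an added example (this is not code from the original page nor from the Samba project). It assumes the placeholder values used above, the realm *MYDOMAIN.LAN*, the NetworkManager connection *ens18* and the forwarder *1.1.1.1*, and that it is run as root on the future DC. Beyond the page's steps it forces the realm to uppercase, derives the NetBIOS name from the realm, refuses a ``dns forwarder`` that is not an IPv4 address (a forgotten ``xxx.xxx.xxx`` placeholder is a classic), and turns the manual ``kinit``/``dig`` checks into a pass/fail function usable from automation:

```shell
#!/bin/sh
# Added example, not part of the original page or of Samba: the provisioning
# steps gathered into one script with a few checks. The realm MYDOMAIN.LAN,
# the NetworkManager connection ens18 and the forwarder 1.1.1.1 are the
# page's placeholders; replace them with your own values.
set -eu

# Kerberos realm names are case-sensitive and Samba provisions the realm in
# uppercase, so normalise whatever the operator typed instead of trusting it.
realm_upper() {
  printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Short (NetBIOS) domain name: first DNS label of the realm, uppercase,
# cut to the 15-character NetBIOS limit.
netbios_from_realm() {
  realm_upper "${1%%.*}" | cut -c1-15
}

# Render the /etc/krb5.conf prescribed above on stdout: no DNS discovery of
# the KDC or realm, KDC pinned to the local DC.
render_krb5_conf() {
  realm=$(realm_upper "$1")
  printf '[libdefaults]\n  default_realm = %s\n  dns_lookup_kdc = false\n  dns_lookup_realm = false\n\n[realms]\n  %s = {\n    kdc = 127.0.0.1\n  }\n' "$realm" "$realm"
}

# First "dns forwarder" value in the smb.conf given as argument
# (empty string if the line is missing).
smb_dns_forwarder() {
  sed -n 's/^[[:space:]]*dns forwarder[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# True when the argument is a dotted-quad IPv4 address with every octet in
# 0-255; rejects placeholders such as "xxx.xxx.xxx" left in smb.conf.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  [ "$(printf '%s' "$1" | tr -cd '.' | wc -c)" -eq 3 ] || return 1
  saved_ifs=$IFS; IFS='.'
  set -- $1
  IFS=$saved_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Post-reboot health check, run on the DC itself: one shared krb5.conf, the
# resolver pointed at the local DNS server, a sane forwarder, a TGT for
# administrator (kinit prompts for the password), the _ldap._tcp SRV record
# and a name resolved through the forwarder. Stops at the first failure.
dc_health_check() {
  realm=$(realm_upper "$1")
  domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
  [ -L /var/lib/samba/private/krb5.conf ] \
    || { echo "FAIL: /var/lib/samba/private/krb5.conf is not a symlink"; return 1; }
  grep -q '^nameserver 127.0.0.1$' /etc/resolv.conf \
    || { echo "FAIL: /etc/resolv.conf does not point at 127.0.0.1"; return 1; }
  fwd=$(smb_dns_forwarder /etc/samba/smb.conf)
  is_ipv4 "$fwd" \
    || { echo "FAIL: dns forwarder '$fwd' in smb.conf is not an IPv4 address"; return 1; }
  kinit "administrator@$realm" && klist -s \
    || { echo "FAIL: no TGT obtained for administrator@$realm"; return 1; }
  [ -n "$(dig +short -t SRV "@127.0.0.1" "_ldap._tcp.$domain")" ] \
    || { echo "FAIL: no _ldap._tcp SRV record for $domain"; return 1; }
  [ -n "$(dig +short "@127.0.0.1" google.fr)" ] \
    || { echo "FAIL: forwarder $fwd does not resolve external names"; return 1; }
  echo "OK: $realm domain controller looks healthy"
}

# Usage: sh samba-dc.sh provision MYDOMAIN.LAN [ens18]   (as root, once)
#        sh samba-dc.sh check MYDOMAIN.LAN                 (after the reboot)
case "${1:-}" in
  provision)
    realm=$(realm_upper "$2")
    render_krb5_conf "$realm" > /etc/krb5.conf
    rm -f /etc/samba/smb.conf
    samba-tool domain provision --realm="$realm" --domain "$(netbios_from_realm "$realm")" --server-role=dc
    samba-tool user setpassword administrator
    rm -f /var/lib/samba/private/krb5.conf
    ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
    nmcli con mod "${3:-ens18}" ipv4.dns 127.0.0.1
    systemctl restart NetworkManager
    systemctl enable samba
    systemctl start samba
    echo "Provisioned $realm: verify the dns forwarder in /etc/samba/smb.conf, reboot, then run: $0 check $realm"
    ;;
  check)
    dc_health_check "$2"
    ;;
esac
```

The provisioning branch is deliberately kept interactive, as on the page: ``samba-tool domain provision`` and ``samba-tool user setpassword`` prompt for the administrator password rather than taking it from the command line, where it would end up in the shell history and in ``ps`` output. The ``check`` branch is the part worth keeping around: rerun it after any change to the network configuration or to :file:`smb.conf`.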

Validating the new installation with a Windows client
=====================================================

You can now join a Windows client in your new domain.

To manage your new domain, the management interfaces must be installed on a Windows workstation. The Samba command line is efficient for many administrative tasks, and the :abbr:`RSAT (Remote Server Administration Tools)` graphical interfaces are a good complement to the command line.

To install the RSAT tools, follow the page on :ref:`installing RSAT on your management machine <samba_install_RSAT>`.

Once RSAT is installed:

* Create and delete a DNS record from the :guilabel:`DNS` console.

* Create and delete a user account or a machine account from the :guilabel:`Active Directory Users and Computers` console.

* Create a new GPO from the :guilabel:`Group Policy Management` console.

Great, if you have made it this far, everything is working and you have a new Samba Active Directory domain up and running.

Now we will :ref:`configure the DNS service in hybrid mode <server_install_hybrid_dns_redhat>` to improve the performance of your Samba-AD.
