Raspberry Pi Domain Controller – Part 1
I started this project largely as a proof of concept for myself – can you build a fully functioning domain controller on a Raspberry Pi? I’ve written this guide so hopefully most admins and homw computer hobbyists can use it, though it does assume some basic understanding of networking, Linux, etc. I’ve included all the commands you need to run but glossed over some of the build aspects. First the shopping list for this project. You can start with a Raspberry Pi kit or you can buy the gear I used for mine, either works just fine.
- Element14 Raspberry Pi 3 B+ Motherboard
- CanaKit 5V 2.5A Raspberry Pi 3 B+ Power Supply
- Flirc Raspberry Pi Case Gen2
- SanDisk Extreme PRO 32GB
I’m a fan of the Flirc case instead of the plastic cases as it has a built-in heat sink that contacts the CPU which aids some of the overheating you can run into with the Raspberry Pi. I also recommend you pick up some silver thermal paste as it’s cheap and really does make a difference.
Next you’re going to need an OS. You have a ton of options, I went with CentOS for this one for the stability. There’s a trade-off there though as CentOS is always consistently behind other operating systems in terms of both kernel and packages. Head over to the ARM CentOS Mirror and grab the ISO called CentOS-Userland-7-armv7hl-RaspberryPI-Minimal-xxxx-sda.raw.xz (at the time I wrote this it’s CentOS-Userland-7-armv7hl-RaspberryPI-Minimal-1810-sda.raw.xz). Next you’ll need to get the image onto the SD card which means you’ll need a card-reader. Most laptops have one you can use, but if you don’t have one handy you’ll need to snag one to use for this. You can grab one on the cheap from Amazon.I recommend using Etcher as it’s available for Linux, macos, and Windows (and it’s free). Flashing the image to the card is pretty straightforward, just select the SD as the target and the downloaded CentOS image and you’re on your way, just make sure to let it finish the install before you pull the card from the slot or you’re going to have to do this all over again. Plug the SD card into the Pi, connect the wired NIC to your router/switch, and power it up.
You’ve done the the physical build out and install of the OS, last steps for this part is to connect, get the OS updated, and the base packages installed. You’ve got a few options for getting into the OS once you’ve powered up the Pi. If you can easily query the devices on your network, you’ll see a new one without a hostname and you can SSH into it. If not then you’ll need an HDMI cable, monitor, keyboard, and mouse (just steal these off your main system, you’re not going to need them once you have an IP address). Either way your username for login is ‘root’ and password is ‘centos.’ Before you do anything else, expand the root OS to fill up the SD card (by default it’s only using around 1.4 GB and doesn’t give you much room to do anything).
No need to reboot, the new space is added and available immediately. Next you’ll need to set your hostname.
hostnamectl set-hostname dc01.example.com
Obviously replace the hostname with what you wish to use for your network, and the domain set to what you wish to utilize for your Windows domain. For the examples in this setup I’m sticking with dc01.example.com. Next you need to set a static IP for the device. My assumption here is you’re working with a basic home network so we’ll work with 192.168.0.0/24 for this setup, adjust as needed
cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF DEVICE=eth0 BOOTPROTO=static ONBOOT=yes HWADDR=aa:bb:cc:dd:ee:ff IPADDR=192.168.0.2 NETMASK=255.255.255.0 GATEWAY=192.168.0.1 DNS1=188.8.131.52 DNS2=184.108.40.206 EOF
You can get the mac address for your device by running ifconfig, it’ll be the third line for eth0 o you’ll see “ether aa:bb:cc:dd:ee:ff txqueuelen 1000 (Ethernet)”
I don’t have the security constraints of a production environment so I’ve disabled selinux in this guide. You can certainly keep it on but you’ll need to adjust your policies to allow everything to work. I may cover that in a future guide but for now it’s outside the scope of what I want to cover here.
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/sysconfig/selinux
Before I install anything else I install two packages – deltarpm and yum-plugin-protectbase. Installing deltarpm allows your yum updates to only pull down the deltas instead of the full package. It’ll save you time and space in the long run. Adding yum-plugin-protectbase is going to keep you from falling into dependency hell as it will protect your base packages from being overwritten (as you’ll be adding the epel repo).
yum install -y deltarpm yum-plugin-protectbase
Now you need to enable the yum protect plugin…
sed -i "s/enabled=1/enabled=1\nprotect=1/" /etc/yum.repos.d/CentOS-armhfp-kernel.repo sed -i "s/CentOS-$releasever - Base/CentOS-$releasever - Base\nprotect=1/" /etc/yum.repos.d/CentOS-Base.repo sed -i "s/CentOS-$releasever - Updates/CentOS-$releasever - Updates\nprotect=1/" /etc/yum.repos.d/CentOS-Base.repo sed -i "s/CentOS-$releasever - Extras/CentOS-$releasever - Extras\nprotect=1/" /etc/yum.repos.d/CentOS-Base.repo
… before finally adding in the epel repository
cat > /etc/yum.repos.d/epel.repo << EOF [epel] name=Epel rebuild for armhfp baseurl=https://armv7.dev.centos.org/repodir/epel-pass-1/ enabled=1 gpgcheck=0 EOF
You’re finally ready to start pulling down packages! Let’s start with a quick yum update and a reboot and we’ll get started with that and that will wrap up this part of the guide.
yum update -y && reboot
Once the system comes back up you can install all the base packages. This is going to take a bit as there are a lot of them; go grab a drink and a snack. You’ll find installing packages is slower on the Pi than it is on standard server hardware or even in a VM. The Pi only has 1 GB of RAM so I think it does pretty well with those limited resources.
yum -y groupinstall "Development Tools" && yum -y install python36 python36-virtualenv python36-pip python36-cryptography-vectors python-cffi libffi-devel openssl openssl-devel wget screen perl-ExtUtils* asciidoc xmlto docbook-dtds texinfo texinfo-tex texi2html docbook-utils docbook5-schemas publican bind-sdb bind-utils ntpdate attr gnutls-devel gpgme-devel jansson-devel krb5-workstation libacl-devel libaio-devel libarchive-devel libattr-devel libblkid-devel libxml2-devel openldap-devel pam-devel perl-Parse-Yapp perl-Test-Base popt-devel python-devel python2-crypto readline-devel systemd-devel ansible dos2unix
If you happen to be watching the install, you’ll notice an error get thrown as it reaches the bind install. This is to be expected as we disabled selinux earlier.
OSError: No such file or directory ValueError: SELinux policy is not managed or store cannot be accessed. warning: %posttrans(bind-32:9.9.4-74.el7_6.1.armv7hl) scriptlet failed, exit status 1 Non-fatal POSTTRANS scriptlet failure in rpm package 32:bind-9.9.4-74.el7_6.1.armv7hl
That’s it, you’re all done with getting the OS loaded, updated, and all the base packages you need installed. Now let’s get all the pieces in place for the domain, which I’ll pick up in Part Two.