Thread: How to install samba 4 as an active directory domain controller

    In this tutorial, we will setup samba 4 from source as an Active Directory domain controller on Ubuntu server (12.04.2).


    First, you need to configure your network interface with a static IP (we'll use 192.168.0.100 as the IP for this Domain Controller, DC01 for the name and MYDOMAIN.LAN as FQDN).
    Edit your /etc/network/interfaces file.

    Code:
    sudo nano /etc/network/interfaces
    Change iface eth0 inet dhcp to iface eth0 inet static,

    then add these lines:
    Code:
    address 192.168.0.100
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1
    # our server as primary DNS, Google DNS as secondary
    dns-nameservers 192.168.0.100 8.8.8.8
    dns-search mydomain.lan

    Save and close

    then we need to configure our /etc/hosts file like so:
    Code:
    127.0.0.1       localhost.localdomain   localhost
    192.168.0.100   DC01.mydomain.lan       DC01
    Save and close

    then run

    Code:
    echo DC01.mydomain.lan | sudo tee /etc/hostname
    sudo /etc/init.d/hostname restart
    now restart networking so that the changes take effect

    Code:
    sudo /etc/init.d/networking restart

    now we need to install the prerequisites for samba, kerberos etc.

    Code:
    sudo apt-get update   # I generally add "&& sudo apt-get upgrade -y" so that my server is fully up to date
    sudo apt-get install git build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev ntp -y
    You'll be asked for kerberos information.

    When asked for the default realm etc., enter mydomain.lan, and DC01 as the host.

    when it's done, we need to download the samba4 sources (this line gets the latest stable release):

    Code:
    git clone -b v4-0-stable git://git.samba.org/samba.git samba4
    then go to the samba4 folder:

    Code:
    cd samba4

    run

    Code:
    ./configure --enable-debug --enable-selftest
    make
    make install
    depending on your computer it may take a while (15-20 mins)


    Once it's done, we need to provision our domain (we'll use SAMBA_INTERNAL, but you can also use BIND9):

    Code:
    /usr/local/samba/bin/samba-tool domain provision --realm=mydomain.lan --domain=mydomain --adminpass="your_password" --server-role=dc --dns-backend=SAMBA_INTERNAL
    start samba:
    Code:
    /usr/local/samba/sbin/samba
    check the samba and smbclient versions (they should match)

    Code:
    /usr/local/samba/sbin/samba -V
    /usr/local/samba/bin/smbclient -V
    listing the administrative shares will show you the sysvol and netlogon shares etc.

    Code:
    /usr/local/samba/bin/smbclient -L localhost -U%
    you should see something like this:
    Code:
    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.0.5)
    it means your server is up and running...

    now you need to check authentication

    Code:
    /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%"your_password" -c 'ls'
    you should see this:
    Code:
    Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.5]  
    .                                   D        0  Fri May 17 21:40:08 2013   
    ..                                  D        0  Fri May 17 21:42:36 2013

    Then we need to configure SAMBA_INTERNAL DNS

    Code:
    echo domain MYDOMAIN.LAN >> /etc/resolv.conf
    edit /usr/local/samba/etc/smb.conf

    Code:
    sudo nano  /usr/local/samba/etc/smb.conf
    add

    Code:
    # I use google DNS here again
    dns forwarder = 8.8.8.8
    save and close.

    Now we need to test DNS. Issue the next commands.

    Code:
    host -t SRV _ldap._tcp.mydomain.lan
    _ldap._tcp.mydomain.lan has SRV record 0 100 389 DC01.mydomain.lan.

    host -t SRV _kerberos._udp.mydomain.lan
    _kerberos._udp.mydomain.lan has SRV record 0 100 88 DC01.mydomain.lan

    host -t A DC01.mydomain.lan
    DC01.mydomain.lan has address 192.168.0.100.


    If you received something like "host mydomain.lan not found 3(NXDOMAIN)", your samba probably failed to start for some reason...

    Next, we need to configure and test Kerberos:

    edit the file /usr/local/samba/share/setup/krb5.conf

    and replace $(REALM) by MYDOMAIN.LAN

    Code:
    # realm has to be in capital letters or it will fail; it will ask for your domain administrator password
    kinit administrator@MYDOMAIN.LAN
    # displays information about the kerberos ticket you received
    klist -e



    An AD DC needs functional NTP servers:

    edit /etc/ntp.conf and add your ntp servers there.
    I used French servers from http://www.pool.ntp.org/zone/fr

    now issue the following commands

    Code:
    service ntp restart
    ntpdate 0.fr.pool.ntp.org
    ntpq -p
    and you're done...

    You might want to add users home folders or profile folders etc...

    Code:
    mkdir -m 770 /Users
    chmod g+s /Users
    chown root:users /Users
    then edit /usr/local/samba/etc/smb.conf

    and add the following lines:

    Code:
    [Users]
    directory mode = 0700
    read only = no
    path = /Users
    csc policy = documents


    finally, set the no-expiry flag for your active directory administrator password (or you'll have problems after 42 days)

    Code:
    /usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry

    administration can be done from any windows client with the admin pack (XP, 2003) or RSAT (Vista, Seven, Eight, 2008, 2012)

    for the lazy, you can edit the variables in my script and use it. just be sure to reboot between script 1 and script 2 or it won't work (I don't know why). Attachment: corrected scripts.zip
    Last edited by Toxic64; November 20th, 2013 at 06:33 PM.
    One step further might be one step too far...
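Once the steps above are done, the following POSIX shell script re-runs the checks the tutorial asks you to do by eye. It is an added example, not part of the post, its attached scripts or Samba's own tooling: the LDAP and Kerberos SRV answers and the A answer from `host` (dnsutils, installed above) must point at this DC with ports 389 and 88 and the static IP, the /etc/hosts line must list IP, FQDN and short name in that order, and the realm must be upper case before `kinit`. The DC name, IP and realm default to the tutorial's values; the DC_FQDN, DC_IP and REALM environment variables and the `--live` switch are my own names.

```shell
#!/bin/sh
# Post-provision sanity check for a Samba 4 AD DC. Added example, not part of
# the original post or of Samba. Assumed values (taken from the tutorial) can
# be overridden through the environment: DC_FQDN, DC_IP, REALM.
DC_FQDN="${DC_FQDN:-DC01.mydomain.lan}"
DC_IP="${DC_IP:-192.168.0.100}"
REALM="${REALM:-MYDOMAIN.LAN}"

# lc STRING: lower-case a string (DNS names compare case-insensitively).
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_srv LINE PORT: LINE is one answer line from `host -t SRV`, e.g.
#   _ldap._tcp.mydomain.lan has SRV record 0 100 389 DC01.mydomain.lan.
# Succeeds only when the record's port is PORT and its target is our DC,
# so a record that still points at an old or foreign DC is caught.
check_srv() {
    line=$1; want_port=$2
    case "$line" in
        *"has SRV record"*) ;;
        *) return 1 ;;      # NXDOMAIN / "not found" lines never match
    esac
    set -- $line            # fields: name has SRV record prio weight port target
    port=$7
    target=$(lc "${8%.}")   # drop the trailing dot of the FQDN
    [ "$port" = "$want_port" ] && [ "$target" = "$(lc "$DC_FQDN")" ]
}

# check_a LINE: LINE is one answer line from `host -t A`, e.g.
#   DC01.mydomain.lan has address 192.168.0.100
# Succeeds when the name is our DC and the address is the static IP we set.
check_a() {
    line=$1
    case "$line" in
        *"has address"*) ;;
        *) return 1 ;;
    esac
    set -- $line            # fields: name has address ip
    [ "$(lc "$1")" = "$(lc "$DC_FQDN")" ] && [ "${4%.}" = "$DC_IP" ]
}

# check_hosts_entry LINE: LINE is the /etc/hosts entry for the DC. It must map
# the static IP to the FQDN first and the short name second, in that order,
# otherwise `hostname -f` and Samba's own name resolution disagree.
check_hosts_entry() {
    set -- $1
    short=${DC_FQDN%%.*}
    [ "$1" = "$DC_IP" ] && [ "$(lc "$2")" = "$(lc "$DC_FQDN")" ] \
        && [ "$(lc "$3")" = "$(lc "$short")" ]
}

# check_realm_upper REALM: kinit wants the Kerberos realm in capital letters.
check_realm_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# run_live: query the running DC with `host` (dnsutils) and read /etc/hosts.
# Prints one line per failing check and returns non-zero if any failed.
run_live() {
    domain=$(lc "$REALM"); rc=0
    check_srv "$(host -t SRV "_ldap._tcp.$domain" | head -n 1)" 389 \
        || { echo "FAIL: LDAP SRV record for $domain"; rc=1; }
    check_srv "$(host -t SRV "_kerberos._udp.$domain" | head -n 1)" 88 \
        || { echo "FAIL: Kerberos SRV record for $domain"; rc=1; }
    check_a "$(host -t A "$DC_FQDN" | head -n 1)" \
        || { echo "FAIL: A record for $DC_FQDN"; rc=1; }
    check_hosts_entry "$(grep "^$DC_IP[[:space:]]" /etc/hosts | head -n 1)" \
        || { echo "FAIL: /etc/hosts entry for $DC_IP"; rc=1; }
    check_realm_upper "$REALM" \
        || { echo "FAIL: REALM must be upper case (got $REALM)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

# Only touch the network when asked: sh check_dc.sh --live
if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Run it with `--live` on the DC after `samba` has started; each FAIL line names the step of the tutorial to revisit (DNS backend, /etc/hosts, or the realm spelling), and a clean run is a reasonable precondition before joining the first Windows client.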
