In this tutorial, we will setup samba 4 from source as an Active Directory domain controller on Ubuntu server (12.04.2).
First, you need to configure your network interface for static IP. (we'll use 192.168.0.100 as IP for this Domain Controller, DC01 for the name and MYDOMAIN.LAN as FQDN )
Edit your /etc/network/interfaces file.
change iface eth0 inet dhcp to iface eth0 inet static
sudo nano /etc/network/interfaces
then add these lines:
dns-nameservers 192.168.0.100 184.108.40.206 (we use our server as DNS + google DNS as secondary DNS)
Save and close
then we need to configure our /etc/hosts file like so:
save and close
127.0.0.1 localhost.localdomain localhost
192.168.0.100 DC01.mydomain.lan DC01
now restart networking so that the changes are made
sudo echo DC01.mydomain.lan > /etc/hostname
now we need to install the prerequisites for samba kerberos etc....
You'll be asked for kerberos informations.
sudo apt-get update (I generally add "&& apt-get upgrade -y" so that my server is fully up to date)
sudo apt-get install git build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev ntp -y
When asked for the default realm etc, enter mydomain.lan and DC01 as the host.
when it's done, we need to download the samba4 sources (this line goes for latest stable release):
then go to the samba4 folder:
git clone -b v4-0-stable git://git.samba.org/samba.git samba4
depending on your computer it may take a while ( 15-20 mins)
./configure --enable-debug --enable-selftest
Once it's done, we need to provision our domain: (we'll use SAMBA_INTERNAL but you can use BIND9 also)
/usr/local/samba/bin/samba-tool domain provision --realm=mydomain.lan --domain=mydomain --adminpass="your_password" --server-role=dc --dns-backend=SAMBA_INTERNAL
check samba and smbclient version ( they should match )
listing administrative share will show you sysvol, netlogon shares etc....
you should see somethin like this:
/usr/local/samba/bin/smbclient -L localhost -U%
it means your server is up and running...
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba 4.0.5)
now you need to check authentication
you should see this:
/usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%"your_password" -c 'ls'
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.5]
. D 0 Fri May 17 21:40:08 2013
.. D 0 Fri May 17 21:42:36 2013
Then we need to configure SAMBA_INTERNAL DNS
echo domain MYDOMAIN.LAN >> /etc/resolv.conf
sudo nano /usr/local/samba/etc/smb.conf
save and close.
dns forwarder = 220.127.116.11 (I use google DNS here again)
Now we need to test DNS. Issue the next commands.
host -t SRV _ldap._tcp.mydomain.lan
_ldap._tcp.mydomain.lan has SRV record 0 100 389 DC01.mydomain.lan.
host -t SRV _kerberos._udp.mydomain.lan
_kerberos._udp.mydomain.lan has SRV record 0 100 88 DC01.mydomain.lan
host -t A DC01.mydomain.lan
DC01.mydomain.lan has address 192.168.0.100.
If you recieved something like "host mydomain.lan not found 3(NXDOMAIN)" your samba probabaly failed to start for some reason...
Next, we need to configure and test Kerberos:
edit file /usr/local/samba/share/setup/krb5.conf
and replace $(REALM) by MYDOMAIN.LAN
kinit administrator@MYDOMAIN.LAN (has to be capital letters or will fail / will ask for your domain administrator password )
klist -e (will display informations about the kerberos ticket you received)
AD DC need functional Ntp servers:
edit /etc/ntp.conf and add your ntp servers here.
I used french servers from http://www.pool.ntp.org/zone/fr
now issue the following commands
and you're done...
service ntp restart
You might want to add users home folders or profile folders etc...
then edit /usr/local/samba/etc/smb.conf
mkdir -m 770 /Users
chmod g+s /Users
chown root:users /Users
and add the following lines:
directory_mode: parameter = 0700
read only = no
path = /Users
csc policy = documents
finally set no expiration flag fro your active directory administrator password (or you'll have problems after 42 days)
/usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry
administration can be done from any windows client with admin(XP,2003) pack or RSAT(Vista,Seven,Eight,2008,2012)
for the lazy, you can edit variables in my script and use it. just be sure to reboot between script 1 and script 2 or it won't work (I don't know why)corrected scripts.zip