In this tutorial, we will set up Samba 4 from source as an Active Directory domain controller on Ubuntu Server 12.04.2.
First, configure your network interface with a static IP. (We'll use 192.168.0.100 as the IP of this domain controller, DC01 as its host name and MYDOMAIN.LAN as the domain, i.e. the DNS zone and Kerberos realm.)
Edit your /etc/network/interfaces file.
Code:
sudo nano /etc/network/interfaces
Change iface eth0 inet dhcp to iface eth0 inet static,
then add these lines:
Code:
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 192.168.0.100 8.8.8.8
dns-search mydomain.lan
(We use our own server as primary DNS and Google's 8.8.8.8 as secondary. Keep the server's own address first: only the DC can answer queries for the AD zone.) Save and close.
Then configure the /etc/hosts file like so:
Code:
127.0.0.1 localhost.localdomain localhost
192.168.0.100 DC01.mydomain.lan DC01
Save and close, then run (the redirect has to happen as root, hence tee):
Code:
echo DC01.mydomain.lan | sudo tee /etc/hostname
sudo /etc/init.d/hostname restart
Now restart networking so the changes take effect:
Code:
sudo /etc/init.d/networking restart
Now install the prerequisites for Samba, Kerberos, etc.:
Code:
sudo apt-get update
sudo apt-get install git build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev ntp -y
(I generally run sudo apt-get update && sudo apt-get upgrade -y so that my server is fully up to date.)
You'll be asked for Kerberos information.
When asked for the default realm, enter mydomain.lan, and DC01 as the Kerberos/admin server host.
When it's done, download the Samba 4 sources (this clones the latest stable 4.0 release branch):
Code:
git clone -b v4-0-stable git://git.samba.org/samba.git samba4
Then go into the samba4 folder and build:
Code:
cd samba4
./configure --enable-debug --enable-selftest
make
sudo make install
Depending on your machine this may take a while (15-20 minutes).
Once it's done, provision the domain (we'll use the SAMBA_INTERNAL DNS backend, but BIND9 also works):
Code:
sudo /usr/local/samba/bin/samba-tool domain provision --realm=mydomain.lan --domain=mydomain --adminpass="your_password" --server-role=dc --dns-backend=SAMBA_INTERNAL
Start samba:
Code:
sudo /usr/local/samba/sbin/samba
Check the samba and smbclient versions (they should match):
Code:
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient -V
Listing the shares anonymously (-U% means no user and no password) will show the sysvol and netlogon shares, etc.:
Code:
/usr/local/samba/bin/smbclient -L localhost -U%
You should see something like this:
Code:
        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.0.5)
This means your server is up and running.
Now check authentication:
Code:
/usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%"your_password" -c 'ls'
You should see this:
Code:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.5]
. D 0 Fri May 17 21:40:08 2013
.. D 0 Fri May 17 21:42:36 2013
Then configure the SAMBA_INTERNAL DNS. (On 12.04 resolvconf regenerates /etc/resolv.conf; the dns-search line in /etc/network/interfaces above gives the same result persistently.)
Code:
echo domain MYDOMAIN.LAN | sudo tee -a /etc/resolv.conf
Edit /usr/local/samba/etc/smb.conf:
Code:
sudo nano /usr/local/samba/etc/smb.conf
and add to the [global] section:
Code:
dns forwarder = 8.8.8.8
(I use Google DNS here again.) Save and close.
Now test DNS. Issue the following commands; the expected answer is shown after each one:
Code:
host -t SRV _ldap._tcp.mydomain.lan
_ldap._tcp.mydomain.lan has SRV record 0 100 389 DC01.mydomain.lan.
host -t SRV _kerberos._udp.mydomain.lan
_kerberos._udp.mydomain.lan has SRV record 0 100 88 DC01.mydomain.lan.
host -t A DC01.mydomain.lan
DC01.mydomain.lan has address 192.168.0.100
If you receive something like "Host mydomain.lan not found: 3(NXDOMAIN)", samba probably failed to start for some reason (check that /usr/local/samba/sbin/samba is running and that /etc/resolv.conf points at 192.168.0.100).
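The share listing and the DNS checks above are the tutorial's acceptance tests for the new DC. The following script is an added example (not from the original post): it re-runs them and validates the answers instead of leaving them to the eye. It assumes the tutorial's values (DC01.mydomain.lan, 192.168.0.100, /usr/local/samba) and that host and smbclient are installed.

```shell
#!/bin/sh
# Added post-provision health check; this is not part of the original post.
# It re-runs the tutorial's own checks (smbclient -L and the host SRV/A
# queries) and validates the answers instead of leaving them to the eye.
# Assumed values are the tutorial's: DC01.mydomain.lan / 192.168.0.100.
SAMBA_BIN="/usr/local/samba/bin"
DC_FQDN="DC01.mydomain.lan"
DC_IP="192.168.0.100"
DNS_DOMAIN="mydomain.lan"

# check_srv NAME PORT OUTPUT: succeed if OUTPUT (text from `host -t SRV NAME`)
# contains an SRV record for NAME that points at DC_FQDN on PORT.
check_srv() {
    printf '%s\n' "$3" |
        grep -Eiq "^$1 has SRV record [0-9]+ [0-9]+ $2 $DC_FQDN"'\.?$'
}

# check_a OUTPUT: succeed if OUTPUT (from `host -t A`) maps DC_FQDN to DC_IP.
check_a() {
    printf '%s\n' "$1" | grep -Eiq "^$DC_FQDN has address $DC_IP"'\.?$'
}

# check_shares OUTPUT: succeed if OUTPUT (from `smbclient -L localhost -U%`)
# lists both Disk shares that provisioning creates: netlogon and sysvol.
check_shares() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*netlogon[[:space:]]+Disk' &&
        printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*sysvol[[:space:]]+Disk'
}

# run_live: query the running DC exactly as the tutorial does, print one line
# per check and return non-zero if anything is missing.
run_live() {
    rc=0
    check_srv "_ldap._tcp.$DNS_DOMAIN" 389 "$(host -t SRV "_ldap._tcp.$DNS_DOMAIN" 2>&1)" \
        && echo "ok:   LDAP SRV (389)" || { echo "FAIL: LDAP SRV (is samba running?)"; rc=1; }
    check_srv "_kerberos._udp.$DNS_DOMAIN" 88 "$(host -t SRV "_kerberos._udp.$DNS_DOMAIN" 2>&1)" \
        && echo "ok:   Kerberos SRV (88)" || { echo "FAIL: Kerberos SRV"; rc=1; }
    check_a "$(host -t A "$DC_FQDN" 2>&1)" \
        && echo "ok:   A record -> $DC_IP" || { echo "FAIL: A record"; rc=1; }
    check_shares "$("$SAMBA_BIN/smbclient" -L localhost -U% 2>&1)" \
        && echo "ok:   netlogon/sysvol shares" || { echo "FAIL: shares (anonymous -L)"; rc=1; }
    return $rc
}

# The live queries only run when asked for, so the check functions can be
# sourced and exercised offline against captured output.
if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it as sh dc-check.sh --live on the DC; a non-zero exit means one of the tutorial's expected answers did not come back.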
Next, configure and test Kerberos:
edit the file /usr/local/samba/share/setup/krb5.conf
and replace ${REALM} with MYDOMAIN.LAN.
Code:
kinit administrator@MYDOMAIN.LAN
klist -e
The realm has to be in capital letters or kinit will fail; it will ask for your domain administrator password. klist -e displays information about the Kerberos ticket you received, including its encryption type.
An AD DC needs working NTP servers:
edit /etc/ntp.conf and add your NTP servers there.
I used french servers from http://www.pool.ntp.org/zone/fr
Now issue the following commands (ntpdate refuses to run while ntpd holds the NTP socket, so stop the service first):
Code:
sudo service ntp stop
sudo ntpdate 0.fr.pool.ntp.org
sudo service ntp start
ntpq -p
And you're done.
You might want to add a share for users' home folders or profile folders, etc.:
Code:
sudo mkdir -m 770 /Users
sudo chmod g+s /Users
sudo chown root:users /Users
Then edit /usr/local/samba/etc/smb.conf
and add the following lines:
Code:
[Users]
directory mode = 0700
read only = no
path = /Users
csc policy = documents
Finally, set the no-expiry flag for your Active Directory administrator password (or you'll have problems after 42 days, the default maximum password age):
Code:
sudo /usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry
Administration can be done from any Windows client with the Admin Pack (XP, 2003) or RSAT (Vista, 7, 8, 2008, 2012).
For the lazy, you can edit the variables in my scripts and use them. Just be sure to reboot between script 1 and script 2 or it won't work (I don't know why).
Attachment: corrected scripts.zip