
Thread: How to install samba 4 as an active directory domain controller

  1. #1
    Join Date
    Apr 2013
    Location
    Bordeaux, France
    Beans
    122
    Distro
    Ubuntu 13.04 Raring Ringtail

    How to install samba 4 as an active directory domain controller

    In this tutorial, we will setup samba 4 from source as an Active Directory domain controller on Ubuntu server (12.04.2).


    First, you need to configure your network interface for a static IP (we'll use 192.168.0.100 as the IP for this Domain Controller, DC01 as the name and MYDOMAIN.LAN as the FQDN).
    Edit your /etc/network/interfaces file.

    Code:
    sudo nano /etc/network/interfaces
    change "iface eth0 inet dhcp" to "iface eth0 inet static"

    then add these lines:
    Code:
    address 192.168.0.100
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1
    # we use our server as DNS + google DNS as secondary DNS
    dns-nameservers 192.168.0.100 8.8.8.8
    dns-search mydomain.lan

    Save and close

    then we need to configure our /etc/hosts file like so:
    Code:
    127.0.0.1       localhost.localdomain   localhost
    192.168.0.100   DC01.mydomain.lan       DC01
    save and close

    then run

    Code:
    # "sudo echo ... > /etc/hostname" would fail: the redirection runs as your own user, not as root
    echo DC01.mydomain.lan | sudo tee /etc/hostname
    sudo /etc/init.d/hostname restart
    now restart networking so that the changes are made

    Code:
    sudo /etc/init.d/networking restart

    now we need to install the prerequisites for samba, kerberos etc.

    Code:
    sudo apt-get update   # I generally add "&& sudo apt-get upgrade -y" so that my server is fully up to date
    sudo apt-get install git build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev ntp -y
    You'll be asked for kerberos information.

    When asked for the default realm etc., enter mydomain.lan, and DC01 as the host.

    when it's done, we need to download the samba4 sources (this line fetches the latest stable release):

    Code:
    git clone -b v4-0-stable git://git.samba.org/samba.git samba4
    then go to the samba4 folder:

    Code:
    cd samba4

    run

    Code:
    ./configure --enable-debug --enable-selftest
    make
    make install
    depending on your computer it may take a while (15-20 mins)


    Once it's done, we need to provision our domain (we'll use SAMBA_INTERNAL, but you can also use BIND9):

    Code:
    /usr/local/samba/bin/samba-tool domain provision --realm=mydomain.lan --domain=mydomain --adminpass="your_password" --server-role=dc --dns-backend=SAMBA_INTERNAL
    start samba
    Code:
    /usr/local/samba/sbin/samba
    check the samba and smbclient versions (they should match)

    Code:
    /usr/local/samba/sbin/samba -V
    /usr/local/samba/bin/smbclient -V
    listing the administrative shares will show you the sysvol and netlogon shares etc.

    Code:
    /usr/local/samba/bin/smbclient -L localhost -U%
    you should see something like this:
    Code:
    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.0.5)
    it means your server is up and running...

    now you need to check authentication

    Code:
    /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%"your_password" -c 'ls'
    you should see this:
    Code:
    Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.5]  
    .                                   D        0  Fri May 17 21:40:08 2013   
    ..                                  D        0  Fri May 17 21:42:36 2013

    Then we need to configure the SAMBA_INTERNAL DNS

    Code:
    echo domain MYDOMAIN.LAN >> /etc/resolv.conf
    edit /usr/local/samba/etc/smb.conf

    Code:
    sudo nano /usr/local/samba/etc/smb.conf
    add

    Code:
    # I use google DNS here again
    dns forwarder = 8.8.8.8
    save and close.

    Now we need to test DNS. Issue the next commands.

    Code:
    host -t SRV _ldap._tcp.mydomain.lan
    _ldap._tcp.mydomain.lan has SRV record 0 100 389 DC01.mydomain.lan.

    host -t SRV _kerberos._udp.mydomain.lan
    _kerberos._udp.mydomain.lan has SRV record 0 100 88 DC01.mydomain.lan

    host -t A DC01.mydomain.lan
    DC01.mydomain.lan has address 192.168.0.100.


    If you received something like "host mydomain.lan not found 3(NXDOMAIN)" your samba probably failed to start for some reason...

    Next, we need to configure and test Kerberos:

    edit the file /usr/local/samba/share/setup/krb5.conf

    and replace ${REALM} with MYDOMAIN.LAN

    Code:
    kinit administrator@MYDOMAIN.LAN   # the realm has to be in capital letters or it will fail; you will be asked for your domain administrator password
    klist -e                           # displays information about the kerberos ticket you received



    An AD DC needs functional NTP servers:

    edit /etc/ntp.conf and add your ntp servers there.
    I used French servers from http://www.pool.ntp.org/zone/fr

    now issue the following commands

    Code:
    service ntp restart
    ntpdate 0.fr.pool.ntp.org
    ntpq -p
    and you're done...

    You might want to add users' home folders or profile folders etc...

    Code:
    mkdir -m 770 /Users
    chmod g+s /Users
    chown root:users /Users
    then edit /usr/local/samba/etc/smb.conf

    and add the following lines:

    Code:
    [Users]
    directory mode = 0700
    read only = no
    path = /Users
    csc policy = documents


    finally set the no-expiration flag for your active directory administrator password (or you'll have problems after 42 days)

    Code:
    /usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry

    Administration can be done from any Windows client with the admin pack (XP, 2003) or RSAT (Vista, Seven, Eight, 2008, 2012).

    For the lazy, you can edit the variables in my script and use it. Just be sure to reboot between script 1 and script 2 or it won't work (I don't know why). Attachment: corrected scripts.zip
    Last edited by Toxic64; November 20th, 2013 at 06:33 PM.
    One step further might be one step too far...
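    A small script to automate the DNS checks from the tutorial above, added here as an example (it is not Toxic64's code and not part of Samba). It assumes the tutorial's names (mydomain.lan, DC01.mydomain.lan, 192.168.0.100) and adds the standard _kerberos._tcp record to the two SRV records the post tests; the sample answers in the comments are copied from the post's output.

```sh
#!/bin/sh
# Added example, not from the thread: automates the `host` checks the tutorial
# runs by hand after provisioning. The parser functions work on plain strings so
# they can be exercised on copies of the tutorial's output without a live DC.

# Pull "port target" out of one `host -t SRV` answer, e.g.
# "_ldap._tcp.mydomain.lan has SRV record 0 100 389 DC01.mydomain.lan."
# SRV data is: priority weight port target; the trailing dot is stripped.
# Only the first answer line is used (one DC, as in the tutorial).
parse_srv() {
    printf '%s\n' "$1" | awk '/has SRV record/ {
        t = $NF; sub(/\.$/, "", t); print $(NF-1), t; exit }'
}

# Classify a `host` result: ok, nxdomain (the failure the tutorial mentions, which
# usually means samba is not running or resolv.conf does not point at the DC) or unknown.
lookup_status() {
    case "$1" in
        *NXDOMAIN*)                          echo nxdomain ;;
        *"has SRV record"*|*"has address"*)  echo ok ;;
        *)                                   echo unknown ;;
    esac
}

# Does an SRV answer point at the expected DC on the expected port?
# DNS names are case-insensitive, so the target is compared lower-cased.
srv_points_to() {   # $1 = host output, $2 = expected port, $3 = expected DC FQDN
    set -- "$(parse_srv "$1")" "$2" "$3"
    [ "${1%% *}" = "$2" ] || return 1
    [ "$(printf '%s' "${1#* }" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# Address from a `host -t A` answer ("DC01.mydomain.lan has address 192.168.0.100").
parse_a() {
    printf '%s\n' "$1" | awk '/has address/ { print $NF; exit }'
}

# Live check against the resolver in /etc/resolv.conf; needs the `host` tool
# (package dnsutils, installed by the tutorial). Prints one line per record.
check_dc_dns() {   # $1 = realm, $2 = DC FQDN, $3 = DC IP
    rc=0
    for rec in "_ldap._tcp 389" "_kerberos._udp 88" "_kerberos._tcp 88"; do
        out=$(host -t SRV "${rec% *}.$1" 2>&1)
        if srv_points_to "$out" "${rec#* }" "$2"; then echo "ok   ${rec% *}.$1"
        else echo "FAIL ${rec% *}.$1 ($(lookup_status "$out"))"; rc=1; fi
    done
    out=$(host -t A "$2" 2>&1)
    if [ "$(parse_a "$out")" = "$3" ]; then echo "ok   $2 -> $3"
    else echo "FAIL $2 ($(lookup_status "$out"))"; rc=1; fi
    return $rc
}

# Usage: sh check_dc_dns.sh mydomain.lan DC01.mydomain.lan 192.168.0.100
if [ $# -eq 3 ]; then check_dc_dns "$@"; fi
```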

  2. #2
    Join Date
    Jan 2013
    Location
    Norrkoping, Sweden
    Beans
    144
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: How to install samba 4 as an active directory domain controller

    Excellent tutorial. Thank you Toxic64.
    What ya need my signature for? It's not like it's my last will, or something!

  3. #3
    Join Date
    Feb 2013
    Beans
    61

    Re: How to install samba 4 as an active directory domain controller

    Nice one.
    But I have some criticism about the script.
    First, you don't let the user choose a network adapter (it can be that the user has more than one physical or virtual adapter).
    Second, you do not create a reverse DNS zone, which would be very handy for nslookup.
    Third, where is bind? As far as I know bind is a production-oriented DNS, so it is better than the internal DNS.
    Maybe I missed something. I will add it later.

  4. #4
    Join Date
    Apr 2013
    Location
    Bordeaux, France
    Beans
    122
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: How to install samba 4 as an active directory domain controller

    Hi, thanks for your appreciation and remarks.
    For the interface choice, you are totally right. My mistake. I'll correct the script to set the interface choice as a variable.

    For the reverse zone, I didn't do it from the script because it was easier to do from the dnsmgmt.msc console on a Windows XP client, and I wanted to write a tutorial about administration of S4AD with MS consoles. If you want to create one from the command line, just use this command:
    Code:
    # xxx.xxx.xxx is the first 24 bits of your network address, reversed
    samba-tool dns zonecreate <server> xxx.xxx.xxx.in-addr.arpa --username=administrator

    # ex (network is 192.168.0.x):
    samba-tool dns zonecreate myserver 0.168.192.in-addr.arpa --username=administrator

    # then add the PTR record; xxx is the last 8 bits of your machine's IP address
    samba-tool dns add <server> 0.168.192.in-addr.arpa xxx PTR myserver.mydomain.lan --username=administrator

    # ex (IP is 192.168.0.17):
    samba-tool dns add myserver 0.168.192.in-addr.arpa 17 PTR myserver.mydomain.lan --username=administrator
    As for bind, I know you are absolutely right about it, BUT by default S4 comes with and installs SAMBA_INTERNAL if you don't choose a backend during setup; that's why I chose to stick with it, and the reason is simple: Bind doesn't handle active directory integrated zones, Samba internal DNS does.
    Last edited by Toxic64; September 12th, 2013 at 12:12 PM.
    One step further might be one step too far...
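    For those who'd rather not count octets by hand, an added example (not from Toxic64's post or from Samba) that derives the reverse zone and PTR name from an address and prints the two samba-tool commands from the post above, using the post's own names (myserver, myserver.mydomain.lan, 192.168.0.17). It goes a bit beyond the post by also handling /16 and /8 networks.

```sh
#!/bin/sh
# Added example, not from the thread: works out the in-addr.arpa zone and the
# PTR record name for an address, then prints the samba-tool commands from the
# post so they can be reviewed before being run on the DC.

# Reverse zone for an IPv4 network: the network octets reversed, then in-addr.arpa.
# Prefix lengths 8, 16 and 24 are supported (the octet boundaries in-addr.arpa
# zones line up with); the post's case is a /24.
reverse_zone() {   # $1 = dotted IPv4 address, $2 = prefix length (default 24)
    case ${2:-24} in 8|16|24) ;; *) echo "prefix must be 8, 16 or 24" >&2; return 1 ;; esac
    printf '%s\n' "$1" | awk -F '.' -v n=$(( ${2:-24} / 8 )) '{
        z = ""; for (i = n; i >= 1; i--) z = z $i "."; print z "in-addr.arpa" }'
}

# Record name inside that zone: the host octets reversed, e.g. 17 for 192.168.0.17
# in a /24 and 17.0 for the same address in a /16.
ptr_name() {   # $1 = dotted IPv4 address, $2 = prefix length (default 24)
    printf '%s\n' "$1" | awk -F '.' -v n=$(( ${2:-24} / 8 )) '{
        z = ""; for (i = 4; i > n; i--) z = z (z == "" ? "" : ".") $i; print z }'
}

# Print (do not run) the zonecreate and PTR commands for one host. Both need
# --username=administrator, as the thread points out; in the tutorial's install
# samba-tool lives at /usr/local/samba/bin/samba-tool.
ptr_commands() {   # $1 = DNS server, $2 = host IP, $3 = host FQDN, $4 = prefix (default 24)
    zone=$(reverse_zone "$2" "${4:-24}") || return 1
    echo "samba-tool dns zonecreate $1 $zone --username=administrator"
    echo "samba-tool dns add $1 $zone $(ptr_name "$2" "${4:-24}") PTR $3 --username=administrator"
}

# Verify afterwards with `host <ip>`: extracts the FQDN from an answer such as
# "17.0.168.192.in-addr.arpa domain name pointer myserver.mydomain.lan."
parse_ptr() {
    printf '%s\n' "$1" | awk '/domain name pointer/ { t = $NF; sub(/\.$/, "", t); print t; exit }'
}

# Usage: sh ptr_commands.sh myserver 192.168.0.17 myserver.mydomain.lan
if [ $# -ge 3 ]; then ptr_commands "$@"; fi
```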

  5. #5
    Join Date
    Feb 2013
    Beans
    61

    Re: How to install samba 4 as an active directory domain controller

    For the first point. You can use my provision but divided in questions like:
    Please provide domain functional level

    1. Windows 2000
    2. Windows 2003
    3. Windows 2008
    4. Windows 2008_R2


    My provision:
    Code:
    samba-tool domain provision \
        --realm=ODM.LAN \
        --domain=ODM \
        --adminpass='Pa$$w0rd' \
        --dns-backend=BIND9_DLZ \
        --server-role=dc \
        --function-level=2008_R2 \
        --use-xattr=yes \
        --use-rfc2307 \
        --host-ip=10.1.1.1 \
        --simple-bind-dn=ODM.LAN \
        --ipaddress=10.1.1.1
    --simple-bind-dn=ODM.LAN --ipaddress=10.1.1.1: I am not sure if it is useful.

    About the second point. Agreed. However, some noob (like I was with samba4 a couple of months ago) might not know about it. Samba4 still misses a good portion of documentation and examples of different scenario implementations.
    About different implementation scenarios. I once got the idea to write a good tutorial based on the Ubuntu repository. But I don't have much time and I still have problems with samba4.

    About the third point. Can you please provide some reading about active directory integrated zones? I came from Windows Server, but I never dove deep enough into those things. If it works, don't touch it. You know, right? : )

    I found a fourth point in the NTP configuration. As far as I know, NTP updates the server list according to geographic location. It uses some geographically close time server (in my situation it detects a Dutch server) and a couple of far-away servers, e.g. USA servers. Therefore, in my opinion, it's better to just use:
    Code:
    apt-get install ntp
    ntpq -p
    Correct me if I am wrong.
    Last edited by Roswebnet; May 25th, 2013 at 09:51 AM.

  6. #6
    Join Date
    Apr 2013
    Location
    Bordeaux, France
    Beans
    122
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: How to install samba 4 as an active directory domain controller

    Quote Originally Posted by Roswebnet
    For the first point. You can use my provision but divided in questions like:
    Please provide domain functional level

    1. Windows 2000
    2. Windows 2003
    3. Windows 2008
    4. Windows 2008_R2
    Don't!!! Or be very careful, because the functional level cannot be set back to an earlier version.
    This could mess up MS Exchange and a few other MS infrastructure products (all 2000 functionalities like TSE etc. will instantly fail with no possibility to roll back).
    More than that, any DC with an OS older than your domain level won't work anymore.
    I'd advise doing it only once you are really sure about what you're going to do.

    After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the domain functional level, with one exception: when you raise the domain functional level to Windows Server 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server 2008. You can lower the domain functional level only from Windows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.
    http://technet.microsoft.com/en-us/l...=ws.10%29.aspx

    Same goes for the forest functional level
    AD integrated zones: http://technet.microsoft.com/en-us/l...=ws.10%29.aspx
    Be my guest

    Ntp: Ntp is installed at the beginning of the script on your Ubuntu server. You can use whatever location you want from http://www.pool.ntp.org/fr/

    Automatic ntp detection according to geographical zone is not always the best choice.

    Example scenario: you have a DC in Paris and another DC in London. The timezone differs by one hour. Your DCs won't replicate, as AD won't handle more than 5 minutes of time difference between 2 AD DCs.
    In this scenario you'll have to use the same ntp so that they're set to the exact same time/date and will replicate.
    In an AD environment, you absolutely want to avoid stale objects.
    Last edited by Toxic64; May 25th, 2013 at 10:30 AM.
    One step further might be one step too far...
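    An added example (not from the thread or from Samba) that reads the `ntpq -p` output the tutorial ends with and checks it against the 5-minute limit discussed above: is a peer actually selected, and how far off is the clock? The ntpq output in the script is constructed to look like real output, not captured from a DC; the pool names are the French ones from the tutorial.

```sh
#!/bin/sh
# Added example, not from the thread: reads `ntpq -p` output and answers the
# question the posts argue about: is this DC synchronised, and is its offset
# well below the 5-minute skew that breaks Kerberos between two DCs?
# The samples below are constructed, not captured from a real server.

NTPQ_GOOD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*0.fr.pool.ntp.org .PPS.           1 u   42   64  377    8.512   -0.741   0.312
+1.fr.pool.ntp.org 192.0.2.10      2 u   60   64  377   12.004    1.203   0.655
 2.fr.pool.ntp.org .INIT.         16 u    -   64    0    0.000    0.000   0.000'

# No peer selected (no "*" tally) and the only reachable peer is 7 minutes off.
NTPQ_BAD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.fr.pool.ntp.org 192.0.2.10      2 u   12   64  377   11.000 420000.000  0.900'

# The peer ntpd is currently synchronised to: the row whose tally code (first
# column character) is "*". Empty output means "not synchronised".
ntp_selected_peer() {
    printf '%s\n' "$1" | awk 'NR > 2 && substr($0, 1, 1) == "*" { print substr($1, 2); exit }'
}

# Largest absolute offset (milliseconds) over peers that have been reached
# (reach != 0); unreachable .INIT. peers report 0.000 and are skipped.
ntp_max_offset_ms() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF == 10 && $7 != 0 {
        o = ($9 < 0) ? -$9 : $9; if (o > m) m = o } END { printf "%.3f\n", m + 0 }'
}

# Succeeds only when a peer is selected and every reached peer is within the
# limit (default 300000 ms = 5 minutes). Two DCs should be far closer than that,
# so a warning threshold of a few seconds is the sensible setting in practice.
ntp_ok_for_ad() {   # $1 = ntpq -p output, $2 = limit in ms (default 300000)
    [ -n "$(ntp_selected_peer "$1")" ] || return 1
    awk -v o="$(ntp_max_offset_ms "$1")" -v l="${2:-300000}" 'BEGIN { exit !(o < l) }'
}

# Live usage on the DC, after `service ntp restart` as in the tutorial:
#   ntp_ok_for_ad "$(ntpq -p)" 5000 && echo "clock ok" || echo "clock NOT ok"
```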

  7. #7
    Join Date
    Feb 2013
    Beans
    61

    Re: How to install samba 4 as an active directory domain controller

    About functional levels. Oh, I get the feeling that this is where my problem with squid, openchange, freeradius and other LDAP-authentication-oriented software comes from. By default samba4 uses the Windows 2003 functional level. Am I right? And functional level 2008+ is oriented to specific software such as Exchange 2010+, Forefront TMG 2010, Lync 2010, SCOM etc...
    I will test it with the default functional level.
    About DNS. Thanks, I will take my time to read it. : )
    NTP. I thought that when you choose your time and geo location in Ubuntu and install the NTP server, NTP looks at it and contacts the closest server by itself.

  8. #8
    Join Date
    Apr 2013
    Location
    Bordeaux, France
    Beans
    122
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: How to install samba 4 as an active directory domain controller

    Not sure your problem with those products comes from the functional level, but indeed samba 4 comes with DL 2003 by default.
    Domain level upgrades are feature specific; for example, 2003 to 2008 brings a change in the AD replication method from NTFRS to DFS-R (it also brings a lot of other features... too long to enumerate).
    Rest assured that an inconsiderate domain level upgrade will inevitably render all your DCs with an older OS useless and your AD buggy as hell. Then you'll need a forest disaster recovery plan to restore. I can assure you that you don't want to do that (in my job, I once had to, because one of my customers decided it would be a trivial operation and didn't consult or ask for any advice before doing it... little clicks bring chaos).
    Generally, they won't impact Exchange, Forefront etc., but sometimes, depending on your config, they will mess a few things up.
    One step further might be one step too far...

  9. #9
    Join Date
    Jan 2013
    Location
    Norrkoping, Sweden
    Beans
    144
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: How to install samba 4 as an active directory domain controller

    Quote Originally Posted by Toxic64
    Code:
    # xxx.xxx.xxx is the first 24 bits of your network address, reversed
    samba-tool dns zonecreate <server> xxx.xxx.xxx.in-addr.arpa

    # ex (network is 192.168.0.x):
    samba-tool dns zonecreate myserver 0.168.192.in-addr.arpa

    # then add the PTR record; xxx is the last 8 bits of your machine's IP address
    samba-tool dns add <server> 0.168.192.in-addr.arpa xxx PTR myserver.mydomain.lan --username=administrator

    # ex (IP is 192.168.0.17):
    samba-tool dns add myserver 0.168.192.in-addr.arpa 17 PTR myserver.mydomain.lan --username=administrator
    I didn't get this working at first, but then I realized you have to add --username=administrator to this line too:
    Code:
    # xxx.xxx.xxx is the first 24 bits of your network address, reversed
    samba-tool dns zonecreate <server> xxx.xxx.xxx.in-addr.arpa --username=administrator

    # ex (network is 192.168.0.x):
    samba-tool dns zonecreate myserver 0.168.192.in-addr.arpa --username=administrator
    And for those as noob as me, the path to samba-tool is /usr/local/samba/bin/samba-tool.
    What ya need my signature for? It's not like it's my last will, or something!

  10. #10
    Join Date
    Apr 2013
    Location
    Bordeaux, France
    Beans
    122
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: How to install samba 4 as an active directory domain controller

    Yep, indeed: all administrative management tasks in an AD/MS DNS environment require the use of the administrator account, or any other administrative account with the adequate rights that you might have created in the domain admins group (though some tasks might require higher permissions than domain admins).

    AD won't run any task with the root account, as it doesn't exist in an AD environment.
    One step further might be one step too far...
