How to install samba 4 as an active directory domain controller

Started by mahesh, Dec 08, 2023, 07:01 AM


mahesh

In this tutorial, we will set up Samba 4 from source as an Active Directory domain controller on Ubuntu Server 12.04.2. Unless stated otherwise, the commands below are run as root (or prefixed with sudo).


First, you need to configure your network interface for a static IP. (We'll use 192.168.0.100 as the IP of this domain controller, DC01 as its host name and MYDOMAIN.LAN as the realm, so its FQDN is DC01.mydomain.lan.)
Edit your /etc/network/interfaces file.

Code:
sudo nano /etc/network/interfaces
change iface eth0 inet dhcp to iface eth0 inet static

then add these lines:
Code:
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 192.168.0.100 (the DC must resolve against itself; do not list an outside resolver such as 8.8.8.8 as a secondary here, because a resolver that does not know the AD zone answers NXDOMAIN for the domain's SRV records whenever it is the one asked, and external names are handled by the dns forwarder configured further down)
dns-search mydomain.lan

Save and close

then we need to configure our /etc/hosts file like so:
Code:
127.0.0.1       localhost.localdomain   localhost
192.168.0.100   DC01.mydomain.lan       DC01
save and close

then run


Code:
echo DC01.mydomain.lan > /etc/hostname (as root; "sudo echo ... > /etc/hostname" fails because the redirect is done by your unprivileged shell, not by sudo; if you are not root use "echo DC01.mydomain.lan | sudo tee /etc/hostname")
/etc/init.d/hostname restart
now restart networking so that the changes are made

Code:
/etc/init.d/networking restart
now we need to install the prerequisites for samba kerberos etc....

Code:
sudo apt-get update (I generally add "&& apt-get upgrade -y" so that my server is fully up to date)
sudo apt-get install git build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev ntp -y
You'll be asked for Kerberos information.
When asked for the default realm, enter MYDOMAIN.LAN (realm names are upper case); when asked for the Kerberos servers and the administrative server for the realm, enter DC01.mydomain.lan. This writes /etc/krb5.conf, which kinit reads later on.

When it's done, we need to download the samba4 sources (this checks out the v4-0-stable branch, the latest stable release at the time of writing; git:// is an unauthenticated transport, so prefer https://git.samba.org/samba.git for the clone):
Code:

git clone -b v4-0-stable git://git.samba.org/samba.git samba4
then go to the samba4 folder:

Code:
cd samba4
run (the configure and make steps can run as your own user; "make install" writes to /usr/local/samba and needs root)

Code:
./configure --enable-debug --enable-selftest
make
make install
depending on your computer it may take a while (15-20 mins)


Once it's done, we need to provision our domain (we'll use SAMBA_INTERNAL, but you can use BIND9 also). --domain is the short (NetBIOS) name, at most 15 characters and conventionally upper case. The Administrator password has to meet the default complexity rules (at least 7 characters, mixed character classes) or the provision fails. Passing it with --adminpass leaves it in your shell history and visible in the process list while the command runs, so leave the option out and samba-tool will prompt for it:

Code:
/usr/local/samba/bin/samba-tool domain provision --realm=mydomain.lan --domain=MYDOMAIN --server-role=dc --dns-backend=SAMBA_INTERNAL
start samba (it goes to the background by itself; a source install gives you no init script, so you have to start it again after every reboot)
Code:
/usr/local/samba/sbin/samba
check samba and smbclient version ( they should match )

Code:
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient -V
Listing the shares anonymously (-U%) will show you the sysvol and netlogon shares etc....

Code:
/usr/local/samba/bin/smbclient -L localhost -U%
you should see something like this:
Code:
Sharename       Type      Comment
---------       ----      -------
netlogon        Disk
sysvol          Disk
IPC$            IPC       IPC Service (Samba 4.0.5)
This means your server is up and running...

Now you need to check authentication (leave the password off the command line so it does not end up in your shell history; smbclient prompts for it):

Code:
/usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator -c 'ls'
you should see something like this:
Code:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.5] 
.                                   D        0  Fri May 17 21:40:08 2013   
..                                  D        0  Fri May 17 21:42:36 2013
Then we need to configure SAMBA_INTERNAL DNS. The resolver must know the search domain: on 12.04 /etc/resolv.conf is generated by resolvconf, so the dns-search line in /etc/network/interfaces is what keeps it there, and a line appended by hand is lost at the next networking restart. If you are not using resolvconf, add it directly:

Code:
echo domain MYDOMAIN.LAN >> /etc/resolv.conf
edit /usr/local/samba/etc/smb.conf

Code:
sudo nano  /usr/local/samba/etc/smb.conf
add, in the [global] section:

Code:
dns forwarder = 8.8.8.8 (I use google DNS here again)
save and close, then restart samba (kill the running samba process and start /usr/local/samba/sbin/samba again) so that the forwarder is picked up. Every name outside the AD zone is sent to this forwarder, so pick a resolver you trust.

Now we need to test DNS. Issue the next commands.

Code:


host -t SRV _ldap._tcp.mydomain.lan
_ldap._tcp.mydomain.lan has SRV record 0 100 389 DC01.mydomain.lan.


host -t SRV _kerberos._udp.mydomain.lan
_kerberos._udp.mydomain.lan has SRV record 0 100 88 DC01.mydomain.lan

host -t A DC01.mydomain.lan
DC01.mydomain.lan has address 192.168.0.100

If you received something like "host mydomain.lan not found: 3(NXDOMAIN)", either your samba failed to start for some reason or /etc/resolv.conf is not pointing at the DC. Query the DC directly to tell the two apart: "host -t SRV _ldap._tcp.mydomain.lan 192.168.0.100" asks 192.168.0.100 regardless of resolv.conf.

Next, we need to configure and test Kerberos:

kinit reads /etc/krb5.conf, not the template at /usr/local/samba/share/setup/krb5.conf (that file still contains the $(REALM) placeholder). The provision step already produced a copy with the realm filled in at /usr/local/samba/private/krb5.conf; copy that file over /etc/krb5.conf, or check that the /etc/krb5.conf written by krb5-user has default_realm = MYDOMAIN.LAN and points the KDC at DC01.mydomain.lan.

Code:
kinit administrator@MYDOMAIN.LAN (the realm has to be in capital letters or it will fail / will ask for your domain administrator password)
klist -e (will display information about the kerberos ticket you received, including its encryption type)



An AD DC needs working NTP servers: Kerberos rejects tickets when the clocks of client and DC differ by more than 5 minutes, so every domain member has to stay in sync with the DC.

edit /etc/ntp.conf and add your NTP servers there.
I used french servers from http://www.pool.ntp.org/zone/fr

now issue the following commands (ntpdate refuses to run while ntpd holds the NTP socket, so stop the service, step the clock once, and start it again)

Code:
service ntp stop
ntpdate 0.fr.pool.ntp.org
service ntp start
ntpq -p
and you're done...
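As an added example (not part of the original post and not Samba's own tooling), here is a small sh script that checks the state the steps above should have produced: the SRV and A records, resolv.conf pointing at the DC, the dns forwarder sitting in [global] and not looping back to the DC, the netlogon/sysvol shares, and the NTP offset against the 5 minute Kerberos skew limit. Each check is a parser over the text output of host, smbclient -L, ntpq -p and the two config files, so the checks can be tried offline on the constructed sample outputs embedded below (modelled on the tutorial's), or run against the real host with --live. The realm, DC name, IP and /usr/local/samba prefix are assumptions taken from this tutorial and can be overridden through the environment.

```shell
#!/bin/sh
# Post-provision checks for the Samba 4 AD DC built above. Added example,
# not part of the original post or of Samba. The parsers take the command
# output as text, so they can be tried offline on the constructed samples
# below; "--live" runs them against the real host.
REALM=${REALM:-mydomain.lan}                  # assumed, from the tutorial
DC_FQDN=${DC_FQDN:-DC01.$REALM}
DC_IP=${DC_IP:-192.168.0.100}
SAMBA=${SAMBA:-/usr/local/samba}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# srv_ok "<host -t SRV output>" <port> <fqdn>: 0 when some answer carries the
# expected port and targets the DC (case-insensitive, trailing dot ignored).
srv_ok() {
    printf '%s\n' "$1" | awk -v port="$2" -v want="$(lc "$3")" '
        /has SRV record/ { t = tolower($NF); sub(/\.$/, "", t)
                           if ($(NF-1) == port && t == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# a_ok "<host -t A output>" <ip>: 0 when the name resolves to the DC address.
a_ok() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /has address/ && $NF == ip { found = 1 }
        END { exit found ? 0 : 1 }'
}

# resolv_ok "<resolv.conf text>" <dc ip> <realm>: the first nameserver must be
# the DC itself (a resolver that does not know the AD zone answers NXDOMAIN
# for the SRV records) and the realm must appear in search/domain.
resolv_ok() {
    printf '%s\n' "$1" | awk -v ip="$2" -v dom="$(lc "$3")" '
        $1 == "nameserver" && !seen { seen = 1; first = $2 }
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) if (tolower($i) == dom) hasdom = 1 }
        END { exit (first == ip && hasdom) ? 0 : 1 }'
}

# forwarder_ok "<smb.conf text>" <dc ip>: "dns forwarder" is set in [global]
# and does not point back at the DC, which would loop every outside query.
forwarder_ok() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[^a-z0-9]/, "", sec); next }
        sec == "global" && tolower($0) ~ /^[ \t]*dns[ \t]+forwarder[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (v != "" && v != ip && v != "127.0.0.1") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# shares_ok "<smbclient -L output>": both netlogon and sysvol are offered.
shares_ok() {
    printf '%s\n' "$1" | awk '
        $2 == "Disk" { n = tolower($1); if (n == "netlogon") nl = 1
                                        if (n == "sysvol")   sv = 1 }
        END { exit (nl && sv) ? 0 : 1 }'
}

# ntp_ok "<ntpq -p output>": the selected peer (leading *) is reachable and its
# offset (in ms) is inside the 300 s clock skew Kerberos tolerates by default.
ntp_ok() {
    printf '%s\n' "$1" | awk '
        /^\*/ { off = $9; if (off < 0) off = -off
                if ($7 != 0 && off <= 300000) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed sample outputs for offline use (modelled on the tutorial's).
SAMPLE_SRV='_ldap._tcp.mydomain.lan has SRV record 0 100 389 DC01.mydomain.lan.'
SAMPLE_NX='Host _ldap._tcp.mydomain.lan not found: 3(NXDOMAIN)'
SAMPLE_A='DC01.mydomain.lan has address 192.168.0.100'
SAMPLE_RESOLV='nameserver 192.168.0.100
search mydomain.lan'
SAMPLE_SMBCONF='[global]
    workgroup = MYDOMAIN
    dns forwarder = 8.8.8.8
[netlogon]
    path = /usr/local/samba/var/locks/sysvol/mydomain.lan/scripts'
SAMPLE_SHARES='Sharename       Type      Comment
netlogon        Disk
sysvol          Disk
IPC$            IPC       IPC Service (Samba 4.0.5)'
SAMPLE_NTPQ='*0.fr.pool.ntp.org 192.0.2.1  2 u   32   64  377    1.234    0.567   0.089'

report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
run_live() {
    report srv_ok "$(host -t SRV "_ldap._tcp.$REALM")" 389 "$DC_FQDN"
    report srv_ok "$(host -t SRV "_kerberos._udp.$REALM")" 88 "$DC_FQDN"
    report a_ok "$(host -t A "$DC_FQDN")" "$DC_IP"
    report resolv_ok "$(cat /etc/resolv.conf)" "$DC_IP" "$REALM"
    report forwarder_ok "$(cat "$SAMBA/etc/smb.conf")" "$DC_IP"
    report shares_ok "$("$SAMBA/bin/smbclient" -L localhost -U% 2>/dev/null)"
    report ntp_ok "$(ntpq -p 2>/dev/null)"
}
if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it on the DC as "sh dc-check.sh --live" after the steps above; a FAIL on resolv_ok or forwarder_ok usually explains the intermittent NXDOMAIN answers people hit when a second resolver or a looping forwarder is configured, and a FAIL on ntp_ok shows up as kinit or domain join errors rather than as an NTP complaint.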

You might want to add a share for user home folders or profile folders, etc. Create the directory first:

Code:
mkdir -m 770 /Users
chmod g+s /Users
chown root:users /Users
then edit /usr/local/samba/etc/smb.conf

and add the following lines:

Code:
[Users]
directory mode = 0700
read only = no
path = /Users
csc policy = documents

finally set the no-expiration flag for your Active Directory administrator password (or you'll have problems after 42 days, the domain's default maximum password age). Keep in mind that this exempts the most privileged account from the password policy; the alternative is to choose a maximum age that suits you with "samba-tool domain passwordsettings set --max-pwd-age=<days>" and rotate the password before it runs out.

Code:
/usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry 
Administration can be done from any Windows client with the Administration Tools Pack (XP, 2003) or RSAT (Vista, 7, 8, 2008, 2012).

For the lazy, you can edit the variables in my script and use it. Just be sure to reboot between script 1 and script 2 or it won't work (I don't know why).

Attachment: corrected scripts.zip