Starting from version 4.0, Samba is able to run as an Active Directory (AD) domain controller (DC). If you are installing Samba in a production environment, it is recommended to run two or more DCs for failover reasons.
This example is configured in the following environment:
Domain Name: BFURTHER
Realm: BFURTHER.DEMO
Hostname: dc.bfurther.demo
IP: 192.168.121.154
Preparing the Installation
- Use a static IP address on the DC.
- Disable tools, such as resolvconf, that automatically update your /etc/resolv.conf DNS resolver configuration file. AD DCs and domain members must use a DNS server that is able to resolve the AD DNS zones.
- Select a DNS domain for your AD forest. The name will also be used as the AD Kerberos realm.
Make sure that you provision the AD using a DNS domain that will not need to be changed. Samba does not support renaming the AD DNS zone and Kerberos realm. Do not use .local for the TLD; it is used by Avahi.
For additional information, see Active Directory Naming FAQ.
Set a fully qualified domain name (FQDN) hostname on your server
Whether your server is a testing machine or a production server, it is strongly recommended to set a fully qualified domain name (FQDN) hostname.
Enter the command hostname -f to view the current hostname:
root@dc:~# hostname -f
dc.bfurther.demo
On Debian Linux, the hostname is set in two files: /etc/hostname and /etc/hosts.
/etc/hostname: the short hostname, not the FQDN.
dc
/etc/hosts: static table lookup for hostnames. Warning: list the FQDN hostname as the first name on the line for the server's IP address.
# Part of file: /etc/hosts
127.0.0.1 localhost
192.168.121.154 dc.bfurther.demo dc
Verify the FQDN hostname again. If it has not changed after updating the two files above, reboot the server for the change to take effect.
root@dc:~# hostname -f
dc.bfurther.demo
Remove an existing /etc/krb5.conf file:
root@dc:~# rm /etc/krb5.conf
Install required packages
root@dc:~# apt -y install samba krb5-config winbind smbclient
Configuration
Rename or remove the default config
root@dc:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.org
Provisioning Samba AD in Interactive Mode
root@dc:~# samba-tool domain provision --use-rfc2307 --interactive
Realm [BFURTHER.DEMO]:
Domain [BFURTHER]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.121.100]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
Adding DomainDN: DC=bfurther,DC=demo
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers and extended rights
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=bfurther,DC=demo
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Setting up fake yp server settings
Once the above files are installed, your Samba AD server will be ready to use
Server Role:           active directory domain controller
Hostname:              dc
NetBIOS Domain:        BFURTHER
DNS Domain:            bfurther.demo
DOMAIN SID:            S-1-5-21-3602519554-868990551-1084580647
Configuring the DNS Resolver: /etc/resolv.conf
domain bfurther.demo
search bfurther.demo
nameserver 192.168.121.154
Configuring Kerberos: /etc/krb5.conf
root@dc:~# cp /var/lib/samba/private/krb5.conf /etc
Switching from the standalone Samba services to the AD DC service
root@dc:~# systemctl stop smbd nmbd winbind
root@dc:~# systemctl disable smbd nmbd winbind
Synchronizing state of smbd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable smbd
Synchronizing state of nmbd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable nmbd
Synchronizing state of winbind.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable winbind
Removed /etc/systemd/system/multi-user.target.wants/smbd.service.
Removed /etc/systemd/system/multi-user.target.wants/nmbd.service.
Removed /etc/systemd/system/multi-user.target.wants/winbind.service.
root@dc:~# systemctl unmask samba-ad-dc
Removed /etc/systemd/system/samba-ad-dc.service.
root@dc:~# systemctl start samba-ad-dc
root@dc:~# systemctl enable samba-ad-dc
Synchronizing state of samba-ad-dc.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable samba-ad-dc
Created symlink /etc/systemd/system/multi-user.target.wants/samba-ad-dc.service → /lib/systemd/system/samba-ad-dc.service.
Verifying the File Server
root@dc:~# smbclient -L localhost -U%

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            DC
To verify authentication, connect to the netlogon share using the domain administrator account:
root@dc:~# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter BFURTHER\Administrator's password:
  .                                   D        0  Sun May 17 13:04:41 2020
  ..                                  D        0  Sun May 17 13:04:44 2020

                6880992 blocks of size 1024. 5039080 blocks available
Verify domain level
root@dc:~# samba-tool domain level show
Domain and forest function level for domain 'DC=bfurther,DC=demo'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
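As an added example (not part of the original post), the following POSIX shell script checks the static files the steps above depend on, /etc/hostname, /etc/hosts, /etc/resolv.conf and /etc/krb5.conf, against this post's lab values. The sample files it writes are constructed, and the loopback check reflects the 127.0.1.1 line the Debian installer commonly adds, which the post itself does not mention.

```shell
# Added example (not from the original post): checks on the static files a Samba AD DC
# depends on, with this post's lab values. Paths are parameters so it also runs on samples.
# check_dc_files HOSTNAME_FILE HOSTS_FILE RESOLV_FILE KRB5_FILE FQDN IP REALM
# Prints one line per failed check; the return code is the number of failures.
check_dc_files() {
    hn_file=$1; hosts_file=$2; resolv_file=$3; krb5_file=$4
    fqdn=$5; ip=$6; realm=$7; short=${fqdn%%.*}; fails=0
    # /etc/hostname holds only the short name ("dc"), never the FQDN.
    if [ "$(head -n 1 "$hn_file" | tr -d '[:space:]')" != "$short" ]; then
        echo "FAIL: $hn_file should contain '$short'"; fails=$((fails + 1))
    fi
    # /etc/hosts: the line for the DC's LAN IP lists the FQDN first, then the short name.
    if ! awk -v ip="$ip" -v f="$fqdn" -v s="$short" \
            '$1 == ip && $2 == f && $3 == s { ok = 1 } END { exit !ok }' "$hosts_file"; then
        echo "FAIL: $hosts_file needs '$ip $fqdn $short' (FQDN first)"; fails=$((fails + 1))
    fi
    # The name must not also map to loopback (Debian's installer adds a 127.0.1.1 line),
    # or the DC registers a loopback address in its own AD DNS zone.
    if awk -v f="$fqdn" -v s="$short" \
            '$1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == f || $i == s) bad = 1 }
             END { exit !bad }' "$hosts_file"; then
        echo "FAIL: $hosts_file maps $short to a loopback address"; fails=$((fails + 1))
    fi
    # /etc/resolv.conf must point at the DC itself, which serves the AD DNS zones.
    if ! grep -Eq "^nameserver[[:space:]]+$ip\$" "$resolv_file"; then
        echo "FAIL: $resolv_file must contain 'nameserver $ip'"; fails=$((fails + 1))
    fi
    # /etc/krb5.conf (copied from the provision output) must name the AD realm.
    if ! grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm\$" "$krb5_file"; then
        echo "FAIL: $krb5_file must set default_realm = $realm"; fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample files (not captured from a real host). Mode "bad" injects the usual
# mistakes: the FQDN in hostname, a 127.0.1.1 mapping, the resolver left on a local stub.
write_samples() {
    d=$1
    if [ "$2" = "bad" ]; then
        echo "dc.bfurther.demo" > "$d/hostname"
        printf '127.0.0.1 localhost\n127.0.1.1 dc.bfurther.demo dc\n' > "$d/hosts"
        echo "nameserver 127.0.0.53" > "$d/resolv.conf"
    else
        echo "dc" > "$d/hostname"
        printf '127.0.0.1 localhost\n192.168.121.154 dc.bfurther.demo dc\n' > "$d/hosts"
        printf 'domain bfurther.demo\nsearch bfurther.demo\nnameserver 192.168.121.154\n' > "$d/resolv.conf"
    fi
    printf '[libdefaults]\n\tdefault_realm = BFURTHER.DEMO\n\tdns_lookup_kdc = true\n' > "$d/krb5.conf"
}
```

On a real DC, call check_dc_files with the /etc paths and the domain's own FQDN, IP and realm; a non-zero return code lists what still needs fixing before provisioning.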