Knowledgebase: SAMBA->AD-DC-CA-RADIUS
Setting up an Active Directory Domain Controller using Samba 4 on Ubuntu 14.04
Posted by Thang Le Toan on 02 May 2016 12:22 AM

I love to mess around with Linux in my home lab and I like to check out the state of Samba from time to time. I have documented the steps that I took to get Samba 4 working as an Active Directory Domain Controller and also made a screencast that I have cross-posted on YouTube. I chose Ubuntu because it has fairly recent packages of Samba; there is more information about binary packages for different distributions on the Samba Wiki. If you are following this as a guide, I'm assuming that you have already installed Ubuntu 14.04. If you do watch the screencast, it is best viewed in HD!

This is the setup:

This is just a reference, as some of these values will be unique to your setup. The Kerberos realm is conventionally written in uppercase and samba-tool will uppercase it anyway, so it is shown that way here.

AD DC Hostname:                    DC1
AD DNS Domain Name:                shaver.net
Kerberos Realm:                    SHAVER.NET
NT4 Domain Name/NetBIOS Name:      SHAVER
IP Address:                        192.168.0.200
Server Role:                       Domain Controller (DC)
Forwarder DNS Server:              192.168.0.1

First make sure everything is up to date and install some prerequisites. You may want to reboot if your kernel updates. Most of the -dev packages and build-essential are only needed if you build Samba from source (as in the comments below); for the package install used here the ones that matter are acl, attr, krb5-user, ntp and dnsutils (which provides host and nsupdate).

#get fresh sources
$sudo apt-get update
#get fresh updates
$sudo apt-get upgrade
#install samba pre-reqs
$sudo apt-get install attr build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev acl ntp

During the installation of krb5-user, you may be asked for your Kerberos realm and the name of the server for it. Use the Kerberos Realm and AD DC Hostname from the table above:

Realm=SHAVER.NET
Server=DC1.SHAVER.NET

Setting a static IP

It is important for our server to have a static IP, mostly because DNS is so important to the configuration of Samba: the DC's address ends up in the AD DNS zone and in every client's resolver settings, so it must not change.

$sudo nano /etc/network/interfaces

#
#/etc/network/interfaces
#
#and change:
iface eth0 inet dhcp
#to:
#this will depend on your network setup, 192.168.0.200 is the IP of the box that Samba will be on.
iface eth0 inet static
address 192.168.0.200
netmask 255.255.255.0
gateway 192.168.0.1
#currently we want this server and our upstream DNS
dns-nameservers 192.168.0.200 192.168.0.1
#this should be set to what you want your samba domain to be
dns-search shaver.net

Setting your hostname:

$sudo nano /etc/hostname

Put in the name that you want your domain controller to be named:

#
#/etc/hostname
#
dc1

Setting file system parameters:

Samba stores Windows ACLs in extended attributes, so the filesystem holding the shares and /var/lib/samba must be mounted with user_xattr and acl, which an EXT3/4 root is not always mounted with by default. Note that the packages acl and attr are required for this to work and provide the tools (setfattr, getfacl) to verify it.

$sudo nano /etc/fstab

#
#/etc/fstab
#
#this is an example of a partition where our Samba shares will live.
UUID=xyzxyzxy-xyzx-xyzx-xyzx-xyzxyzxyzxyzxy    /       ext4      errors=remount-ro     0     1
#Add a few parameters:
UUID=xyzxyzxy-xyzx-xyzx-xyzx-xyzxyzxyzxyzxy    /       ext4      user_xattr,acl,barrier=1,errors=remount-ro     0     1

We need to reboot for the changes to take effect.

#do a reboot
$sudo shutdown -r 0

Setting hosts file:

The DC's fully qualified name must resolve to its static LAN address, not to a loopback address. Ubuntu's installer maps the hostname to 127.0.1.1; if that line stays, Samba can register 127.0.1.1 as the DC's address in its DNS zone, and clients will then try to reach the DC on their own loopback interface. Point the entry at the static IP instead:

$sudo nano /etc/hosts

#
#/etc/hosts
#
#change:
127.0.1.1     shaver.net   shaver
#to the static IP, FQDN and short name of your server:
192.168.0.200     dc1.shaver.net    dc1

Setting NTP:

Kerberos depends on accurate clocks: by default a KDC rejects requests from a client whose clock is more than 5 minutes off (the allowable clock skew), so the DC must keep good time and domain members will later sync to it. Stop ntpd, do a one-off sync against a public pool server, then start ntpd again to keep the clock disciplined.

#
#Configuring ntp
#
#stop the ntp service
$sudo service ntp stop
#sync the clock now (-B slews the clock instead of stepping it)
$sudo ntpdate -B 0.ubuntu.pool.ntp.org
#start the ntp service
$sudo service ntp start
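Before provisioning, the three settings above (mount options, hosts mapping, clock) are the ones that most often go wrong in practice. The script below is an added example for this page, not the original author's code and not a Samba tool: it checks each of them by parsing the relevant file or command output, which is passed in as text so the checks can be exercised on constructed samples as well as on the live system. The FQDN, address and pool server are this page's values and are assumptions for any other site.

```shell
#!/bin/sh
# Added pre-provision sanity checks for the fstab, /etc/hosts and NTP steps
# above. This is an added example, not code from the original article. Each
# check takes the text to inspect as an argument so it can run against
# constructed samples as well as the live system; the FQDN and IP defaults
# are the ones from the setup table and are assumptions for your site.

# check_mount_opts MOUNTS_TEXT MOUNTPOINT
# MOUNTS_TEXT is in /proc/mounts format. Succeeds only if the last mount
# entry for MOUNTPOINT carries both user_xattr and acl, which Samba needs to
# store Windows ACLs in extended attributes.
check_mount_opts() {
    opts=$(printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }' | tail -n 1)
    [ -n "$opts" ] || return 1
    case ",$opts," in *,user_xattr,*) ;; *) return 1 ;; esac
    case ",$opts," in *,acl,*) return 0 ;; *) return 1 ;; esac
}

# check_hosts_mapping HOSTS_TEXT FQDN IP
# HOSTS_TEXT is /etc/hosts content. Every uncommented line naming FQDN must
# map it to IP; a 127.x.x.x mapping (the installer default 127.0.1.1) fails,
# because Samba would register the loopback address in AD DNS.
check_hosts_mapping() {
    found=$(printf '%s\n' "$1" | awk -v fqdn="$2" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == fqdn) print $1 }')
    [ -n "$found" ] || return 1
    for addr in $found; do
        case "$addr" in 127.*) return 1 ;; esac
        [ "$addr" = "$3" ] || return 1
    done
    return 0
}

# check_ntp_offset NTPDATE_TEXT [MAX_SECONDS]
# NTPDATE_TEXT is the output of `ntpdate -q <server>`. Kerberos rejects
# requests from clients more than 300 s (the default clock skew) away from
# the KDC, so fail above that unless a tighter bound is given. Output without
# an "offset N sec" summary line (no reachable server) also fails.
check_ntp_offset() {
    max=${2:-300}
    off=$(printf '%s\n' "$1" | awk '/ offset [-0-9.]+ sec/ { print $(NF-1) }' | tail -n 1)
    [ -n "$off" ] || return 1
    awk -v o="$off" -v m="$max" 'BEGIN { if (o < 0) o = -o; if (o < m) exit 0; exit 1 }'
}

# Usage: sh preflight.sh --live   (run as root so ntpdate can query)
if [ "${1:-}" = "--live" ]; then
    check_mount_opts "$(cat /proc/mounts)" / \
        && echo "mount options ok" || echo "WARNING: / lacks user_xattr/acl in /proc/mounts"
    check_hosts_mapping "$(cat /etc/hosts)" dc1.shaver.net 192.168.0.200 \
        && echo "hosts mapping ok" || echo "WARNING: dc1.shaver.net must map to 192.168.0.200 in /etc/hosts"
    check_ntp_offset "$(ntpdate -q 0.ubuntu.pool.ntp.org 2>&1)" 300 \
        && echo "clock ok" || echo "WARNING: clock offset too large or NTP server unreachable"
fi
```

Run it as root with `sh preflight.sh --live`. One caveat on the mount check: when `tune2fs -l /dev/sdX` lists `user_xattr acl` under "Default mount options", the kernel applies them silently and /proc/mounts may not show them, so confirm a warning there with `setfattr -n user.test -v 1 somefile` and `getfattr somefile` before changing fstab.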

Setting up Samba

This is where we actually install Samba. The default smb.conf file needs to be moved out of the way so that Samba doesn't try to use it; provisioning generates a new one. I like to run samba-tool in interactive mode because it suggests defaults, though if you prefer you can specify all of the parameters on one command line. Answer the prompts with the values from the setup table. The Administrator password is checked against Samba's default password policy (minimum length 7, complexity enabled), so a trivial one is rejected. With the SAMBA_INTERNAL backend, Samba answers DNS for the domain itself and forwards every other query to the forwarder address.

#
#Installing samba
#
$sudo apt-get install samba smbclient

#
#Provisioning Samba
#
#move the old smb.conf to a safe place:
$sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
#provision samba in interactive mode:
$sudo samba-tool domain provision --use-rfc2307 --interactive
Realm: SHAVER.NET
DOMAIN: SHAVER
Server Role: dc
DNS backend: SAMBA_INTERNAL
#note: this should be the upstream DNS server
DNS forwarder IP address: 192.168.0.1
Administrator password: Something!S3cure!

Removing Upstream DNS:

We now remove the upstream DNS server from our network config, so that when resolv.conf is generated at boot it points DNS only at ourselves. Samba now manages DNS for the domain and forwards external queries to the upstream server given during provisioning; if the upstream server stayed in the resolver list, a lookup could be answered by a server that knows nothing about the AD zone and its SRV records, and domain operations would fail intermittently.

$sudo nano /etc/network/interfaces

#
#/etc/network/interfaces
#
#Remove the upstream DNS server as Samba is now handling it
#192.168.0.200 is the address of the samba server
dns-nameservers 192.168.0.200 192.168.0.1
#becomes
dns-nameservers 192.168.0.200

$sudo shutdown -r 0

Testing DNS:

DNS must work correctly for Samba to function, so test it now. These three queries confirm that the LDAP and Kerberos SRV records resolve to the proper server(s) and that the DC's A record resolves to its static address; the results should include the server that you are on.

#test SRV record for ldap on TCP
$ host -t SRV _ldap._tcp.shaver.net
_ldap._tcp.shaver.net has SRV record 0 100 389 dc1.shaver.net.
#test SRV record for kerberos on UDP
$ host -t SRV _kerberos._udp.shaver.net
_kerberos._udp.shaver.net has SRV record 0 100 88 dc1.shaver.net.
#test name resolution of our host
$ host -t A dc1.shaver.net
dc1.shaver.net has address 192.168.0.200

Setting up Kerberos

Provisioning generated a Kerberos config file for the new realm, but krb5-user also installed a default /etc/krb5.conf that we need to move aside before using Samba's. We use a symbolic link so that if Samba updates its copy we don't have to do this again.

#
#Setting up kerberos
#
#move original kerberos file to a safe place
$sudo mv /etc/krb5.conf /etc/krb5.conf.orig
#link the samba-created kerberos file to its config location
$sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

Testing Kerberos and authentication:

We want to make sure that Kerberos is actually handing out tickets and that we can authenticate to Samba. kinit obtains a ticket-granting ticket (TGT) from the DC's KDC, and klist shows it as a krbtgt/SHAVER.NET@SHAVER.NET entry. The first smbclient call lists shares anonymously (-U% is an empty username and password) and only proves the server is up; the second authenticates with the Administrator password.

#
#Test kerberos and smbclient
#
$kinit administrator@SHAVER.NET
#enter the password that you created with samba
$klist
#you should see a valid krbtgt ticket
#now we try to connect to the server we are on using smbclient
$sudo smbclient -L dc1.shaver.net -U%
# you should see netlogon and sysvol listed
#test password authentication with smbclient
$sudo smbclient //localhost/netlogon -U 'administrator'
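The DNS and Kerberos checks in the last two sections are worth scripting so they are repeatable after every reboot or change. The script below is an added example, not part of the original article and not a Samba tool: each function parses the output of `host` or `klist` passed in as text, so the checks run on constructed sample output as well as live, and --live runs the real queries and finishes with an smbclient connection that uses the kinit ticket instead of a password. The domain, DC name, realm and address are this page's values and are assumptions for any other site.

```shell
#!/bin/sh
# Added post-provision checks for the "Testing DNS" and "Testing Kerberos"
# steps above; this is an added example, not code from the original article.
# Each function parses command output passed as text so it can be exercised
# on constructed samples; --live runs the real commands against the DC from
# the setup table (names and addresses there are assumptions for your site).

# check_srv HOST_OUTPUT PORT TARGET
# HOST_OUTPUT is the output of `host -t SRV <name>`. Succeeds if at least one
# SRV record points at TARGET on PORT; a trailing dot on the target is
# ignored. NXDOMAIN or "has no SRV record" output fails.
check_srv() {
    printf '%s\n' "$1" | awk -v port="$2" -v target="$3" '
        / has SRV record / {
            t = $NF; sub(/\.$/, "", t)
            if ($(NF-1) == port && t == target) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# check_a HOST_OUTPUT IP
# HOST_OUTPUT is the output of `host -t A <fqdn>`. Succeeds only if the name
# resolves to IP and to no loopback address (a 127.x record means the hosts
# file was wrong at provisioning time and the A record needs fixing).
check_a() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        / has address / { if ($NF == ip) found = 1; if ($NF ~ /^127\./) bad = 1 }
        END { if (found && !bad) exit 0; exit 1 }'
}

# check_tgt KLIST_OUTPUT REALM
# KLIST_OUTPUT is the output of `klist`. Succeeds if the default principal is
# in REALM and the cache holds a ticket-granting ticket for it
# (krbtgt/REALM@REALM). It does not check expiry; `klist -s` does that.
check_tgt() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        BEGIN { want = "krbtgt/" realm "@" realm }
        /^Default principal:/ { n = split($3, p, "@"); if (n == 2 && p[2] == realm) princ = 1 }
        $NF == want { tgt = 1 }
        END { if (princ && tgt) exit 0; exit 1 }'
}

# Usage: sh verify.sh --live   (after kinit administrator@SHAVER.NET)
if [ "${1:-}" = "--live" ]; then
    dom=shaver.net; dc=dc1.shaver.net; realm=SHAVER.NET; ip=192.168.0.200
    check_srv "$(host -t SRV _ldap._tcp.$dom)" 389 "$dc" \
        && echo "ldap SRV ok" || echo "FAIL: _ldap._tcp.$dom does not point at $dc port 389"
    check_srv "$(host -t SRV _kerberos._udp.$dom)" 88 "$dc" \
        && echo "kerberos SRV ok" || echo "FAIL: _kerberos._udp.$dom does not point at $dc port 88"
    check_a "$(host -t A $dc)" "$ip" \
        && echo "A record ok" || echo "FAIL: $dc does not resolve cleanly to $ip"
    check_tgt "$(klist 2>/dev/null)" "$realm" \
        && echo "TGT ok" || echo "FAIL: no TGT for $realm (run kinit administrator@$realm)"
    # Use the ticket rather than a password, against the FQDN so that the
    # cifs/dc1.shaver.net service principal exists and Kerberos is exercised.
    smbclient -k -c 'ls' "//$dc/netlogon" >/dev/null \
        && echo "kerberos smb auth ok" || echo "FAIL: smbclient -k to //$dc/netlogon"
fi
```

The final smbclient call uses the FQDN rather than localhost on purpose: with -k the client asks the KDC for a service ticket for cifs/dc1.shaver.net, and a name like localhost has no such principal, so the Kerberos path would fail even though the DC is configured correctly.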

 


Comments (2)
Vu.nguyenhq
23 May 2016 10:27 AM
#get samba4
$git clone -b v4-1-stable git://git.samba.org/samba.git samba4
Vu.nguyenhq
23 May 2016 10:50 AM
#install samba pre-reqs
$sudo apt-get install git build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl ntp -y

#install samba4
$git clone -b v4-1-stable git://git.samba.org/samba.git samba4