Monday, 12 August 2013

Samba 4 Active Directory

Linux On A Server

High Availability, Clustering & Server configuration

Samba 4 Active Directory – My first (successful) test
Posted on March 2, 2013 by Christian Gebler
It’s time to say goodbye to the Windows Server Active Directory Domain Controller and welcome Samba4! Now, six years after the first preview, you can install the first free implementation of Active Directory. I tested it at home and show in the following article what I had to do to make it work. In the end I was able to join the domain with my Windows 7 computer. :-)
For my tests I used my Raspberry Pi, so this little tutorial is based on a Debian Linux called “Raspbian”, but I later also tested it successfully on a virtual “Ubuntu 12.04 LTS” server. I assume that you have advanced knowledge of Linux and Active Directory and that you know what you want to do; otherwise I think you would not be here! ;) So I will not explain every step and command in detail.
The Samba4 AD setup consists of:
A basic network configuration
BIND server
Kerberos
NTP server
Okay, let’s join a Samba4 AD Domain!

Step 1 – Network configuration
You need a solid network configuration, starting with a static IP:
/etc/network/interfaces
auto eth0
iface eth0 inet static
        address 192.168.0.87
        netmask 255.255.255.0
        gateway 192.168.0.1
        dns-nameserver 192.168.0.87
        dns-search raspberry.local
DNS is the best friend of AD, so check your resolv.conf file. It should contain the local IP address, because BIND will later run on our AD server:
/etc/resolv.conf
nameserver 192.168.0.87
And add your IP to the hosts file:
/etc/hosts
127.0.0.1       localhost
192.168.0.87    raspberrypi raspberrypi.raspberry.local

Step 2 – Samba
Install the packages and all the dependencies:
aptitude install samba4 samba4-clients
Now we are able to build the Active Directory. First delete or move the default configuration file; otherwise the next command will fail while creating a new one.
mkdir -p /root/backup
mv /etc/samba/smb.conf /root/backup/
# Password1 is only a sample value; set your own administrator password
/usr/share/samba/setup/provision --realm=raspberry.local --domain=RASPBERRY --adminpass='Password1' --server-role=dc
Your smb.conf should now look like this:
# Global parameters
[global]
        server role = active directory domain controller
        workgroup = RASPBERRY
        realm = raspberry.local
        netbios name = RASPBERRYPI
        passdb backend = samba4
        server services = +smb -s3fs
[netlogon]
        path = /var/lib/samba/sysvol/raspberry.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
I added the parameters “server role” and “server services”; without these parameters I only get an error:
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
Restart Samba:
/etc/init.d/samba4 restart
And now check the created shares on the server:
smbclient -L localhost -U%
The output should look like this:
Domain=[RASPBERRY] OS=[Unix] Server=[Samba 4.0.0beta2]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service

Step 3 – Bind DNS
Active Directory goes hand in hand with DNS; many services need it to run correctly, so it is very important!
aptitude install bind9
The only thing we need to do is add the following line to /etc/bind/named.conf.options:
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
Clients can now automatically update their DNS entries.
Ubuntu runs security software called “AppArmor”, for which we have to set some rules:
/etc/apparmor.d/usr.sbin.named
# arm-linux-gnueabihf is the library directory on the Raspberry Pi (ARM); other architectures use a different directory under /usr/lib
/var/lib/samba/private/** rkw,
/var/lib/samba/private/dns/** rkw,
/usr/lib/arm-linux-gnueabihf/samba/bind9/** rm,
/usr/lib/arm-linux-gnueabihf/samba/gensec/** rm,
/usr/lib/arm-linux-gnueabihf/ldb/modules/ldb/** rm,
/usr/lib/arm-linux-gnueabihf/samba/ldb/** rm,
Restart AppArmor now:
service apparmor restart
And start BIND:
service bind9 start

Step 4 – Authenticate with Kerberos
We need Kerberos for authentication; install the client tools with:
aptitude install krb5-user
Enter your realm and the host; the config file /etc/krb5.conf should then look like this:
[libdefaults]
# Kerberos realm names are case-sensitive; use the uppercase form of the AD realm
        default_realm = RASPBERRY.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
To test Kerberos, run:
kinit administrator@RASPBERRY.LOCAL
The domain name needs to be written in uppercase. Check your ticket with:
klist -e

Step 5 – NTP
Finally, install ntp. It is optional, but nice to have to provide the right time on the hosts:
aptitude install ntp
The file /etc/ntp.conf will contain some default servers; check your NTP server connection with:
ntpq -p

Step 6 – Add a user and join the party
Simply add a user with:
samba-tool user add USERNAME

That’s it! Now boot your Windows or Linux client and join the domain.
Please feel free to post your problems and experiences (especially the Samba and Kerberos config) with Samba4 as a comment! I had some errors that suddenly were solved and I don’t know why…I could not even reproduce them. It would also be interesting to know whether you use it just to test it or on a real production server. Furthermore, if you find some wrong configurations or mistakes in this article, just write me a message!

Thanks for your feedback! :-)
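
A consistency check for the files edited in steps 1, 2 and 4, added here as an example (it is not part of the original post): a failed join often comes down to the realm, the resolver and the hosts entry disagreeing with each other. The helper names check_ad_config, ini_get and make_sample are hypothetical, and the sample tree is constructed from the article's values; pass / as ROOT to check a real server.

```shell
#!/bin/sh
# Added example: cross-check the files edited in steps 1, 2 and 4.
# check_ad_config ROOT DC_IP prints each mismatch and returns their count.

ini_get() {  # ini_get FILE KEY -> value of the first "KEY = value" line
    sed -n "/^[[:space:]]*${2}[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*\$//;p;}" "$1" | head -n 1
}

check_ad_config() {
    root=$1; dc_ip=$2; bad=0
    realm=$(ini_get "$root/etc/samba/smb.conf" realm)
    krb=$(ini_get "$root/etc/krb5.conf" default_realm)
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    # Kerberos realm names are case-sensitive; AD uses the uppercase form.
    if [ "$krb" != "$upper" ]; then
        echo "krb5.conf: default_realm '$krb', expected '$upper'"; bad=$((bad + 1))
    fi
    # The first resolver must be the DC itself, where BIND serves the AD zone.
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$root/etc/resolv.conf")
    if [ "$ns" != "$dc_ip" ]; then
        echo "resolv.conf: first nameserver '$ns', expected '$dc_ip'"; bad=$((bad + 1))
    fi
    # /etc/hosts must give the DC's IP a name inside the realm's DNS domain.
    if ! awk -v ip="$dc_ip" -v dom=".$lower" '
        $1 == ip { for (i = 2; i <= NF; i++)
                       if (substr(tolower($i), length($i) - length(dom) + 1) == dom) ok = 1 }
        END { exit !ok }' "$root/etc/hosts"; then
        echo "hosts: no name ending in '.$lower' for $dc_ip"; bad=$((bad + 1))
    fi
    return "$bad"
}

make_sample() {  # constructed sample tree: make_sample ROOT DEFAULT_REALM
    mkdir -p "$1/etc/samba"
    printf '[global]\n\trealm = raspberry.local\n' > "$1/etc/samba/smb.conf"
    printf '[libdefaults]\n\tdefault_realm = %s\n' "$2" > "$1/etc/krb5.conf"
    printf 'nameserver 192.168.0.87\n' > "$1/etc/resolv.conf"
    printf '192.168.0.87 raspberrypi raspberrypi.raspberry.local\n' > "$1/etc/hosts"
}

tmp=$(mktemp -d)
make_sample "$tmp" raspberry.local      # lowercase realm in krb5.conf
check_ad_config "$tmp" 192.168.0.87 || echo "mismatches: $?"
rm -rf "$tmp"
```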

Thursday, 20 December 2012

THOUGHTS OF THE DAY


"THOUGHTS OF THE DAY"
Positive thinking gets you closer to success.
" If you can never manage to be happy with where you are at, you will never be happy wherever you go."
--- Written in 2000 by Phillip Bennett --- Georgia

" Many people fail in life, not for lack of ability or brains or even courage but simply because they have never organized their energies around a goal."
--- Elbert Hubbard ---Submitted by Abhijeet Kurkure --- India
This quote is for people of all ages. It tells us the importance of goals in our life. It tells us goals are the main part of life. Everything is possible when we set goals in our life and work hard to achieve them.

" Always say thank you for all the things you asked for. They may be granted and sometimes not, but then, having a cool heart makes you think positive that they will be given to you at the right time."
--- Author Unknown --- Submitted by Helen B. Villarino --- Philippines
Having a nice temperament makes you believe all things really come, if they're meant to.

" Heroes are mere humans who have taken the resolve to go the extra mile when others decided it's enough. Just that extra shove and extra push and you are a celebrated hero of our time."
--- Written in 2007 by Sheunopa Vushemakota

" Peace is the funeral of terrorism."
--- Written in 2007 by Pankaj Mukati
The whole world wants to be free from terrorism and join the party of peace.

" If I were 'God' I would have but one rule to live on Earth. Before you rest in peace, my friend, live in peace."
--- Written in 2007 by Nicholas K. --- Wales

" The road to achievement starts with action, the road to the truth does not start with a lie."
--- Written in 2007 by B. Gordon G. --- Australia