Samba 4 Active Directory – My first (successful) test

It’s time to say goodbye to the Windows Server Active Directory Domain Controller and to welcome Samba4! Six years after the first preview you can now install the first free implementation of an Active Directory domain controller. I tested it at home and show you in the following article what I had to do to make it work; in the end I was able to join the domain with my Windows 7 computer. :-)

For my tests I used my Raspberry Pi, so this little tutorial is based on the Debian derivative “Raspbian”, but I later tested it successfully on a virtual “Ubuntu 12.04 LTS” server as well. I assume that you have advanced knowledge of Linux and Active Directory and that you know what you want to do, otherwise I think you would not be here! ;) So I will not explain every step and command in detail.

The Samba4 AD setup consists of:

  •  a basic network configuration
  •  a BIND DNS server
  •  Kerberos
  •  an NTP server

Okay, let’s build a Samba4 AD domain!

 

Step 1 – Network configuration

You need a solid network configuration, starting with a static IP:
/etc/network/interfaces

auto eth0
iface eth0 inet static
        address 192.168.0.87
        netmask 255.255.255.0
        gateway 192.168.0.1
        dns-nameservers 192.168.0.87
        dns-search raspberry.local

Note the plural dns-nameservers: that is the option the resolvconf hook reads, the singular form is not picked up.

The best friend of AD is DNS, so check your resolv.conf file: it must contain the local IP address, because BIND will run on the AD server itself later on (if DHCP or resolvconf rewrites this file, make sure it still ends up with this content):

/etc/resolv.conf

nameserver 192.168.0.87

And add your IP to the hosts file. The fully qualified name goes first so that hostname -f returns it:

/etc/hosts

127.0.0.1       localhost
192.168.0.87    raspberrypi.raspberry.local raspberrypi

A note on the realm name: raspberry.local is fine for a home test, but .local is also the zone that multicast DNS (Avahi, Bonjour) claims for itself, so clients running an mDNS resolver may try to answer those names locally instead of asking this server. For a real deployment use a subdomain of a DNS name you own, for example ad.example.org.

 

Step 2 – Samba

Install the packages and all their dependencies:

aptitude install samba4 samba4-clients

Now we are able to build the Active Directory. First delete or move the default configuration file, otherwise the next command fails while creating a new one (the backup directory has to exist):

mv /etc/samba/smb.conf /root/backup/

/usr/share/samba/setup/provision --realm=raspberry.local --domain=RASPBERRY --adminpass='Password1' --server-role=dc

Two remarks: the provision script at this path is what the beta2 packages ship; on released Samba 4 versions the same step is samba-tool domain provision. And passing --adminpass on the command line leaves the administrator password in your shell history and in the process list while the script runs; samba-tool domain provision asks for it interactively if you leave the option out. The password also has to meet AD's default complexity rules (at least seven characters from three of the four classes upper, lower, digit, symbol), otherwise the provision refuses it.

Your smb.conf should now look like this:

 
# Global parameters
[global]
        server role = active directory domain controller
        workgroup = RASPBERRY
        realm = raspberry.local
        netbios name = RASPBERRYPI
        passdb backend = samba4
        server services = +smb -s3fs
[netlogon]
        path = /var/lib/samba/sysvol/raspberry.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

I added the parameters “server role” and “server services” by hand; without them I only got this error when connecting to the server:

Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)

Keep in mind that “server services = +smb -s3fs” selects the beta's old ntvfs file server. On a released Samba 4 the provision writes a complete smb.conf and this line should not be added.

Restart Samba

 
/etc/init.d/samba4 restart

And check now the created shares on the server:

 
smbclient -L localhost -U%

The output should look like this:

 
Domain=[RASPBERRY] OS=[Unix] Server=[Samba 4.0.0beta2]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      
        sysvol          Disk      
        IPC$            IPC       IPC Service

 

Step 3 – Bind DNS

Active Directory goes hand in hand with DNS: clients find the domain controller, the LDAP service and the Kerberos KDC through SRV records, so a working DNS server is essential, not optional.

 
aptitude install bind9

The line below goes into the options { ... } block of /etc/bind/named.conf.options. It tells BIND which keytab to use for GSS-TSIG, the Kerberos-authenticated dynamic DNS updates that domain members and the DC itself send:

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

Two things are easy to miss here. BIND runs as its own user (bind on Debian/Ubuntu), so that user needs read access to dns.keytab (make the file readable by the bind group). And BIND still has to load the AD zone: the provision writes a named.conf snippet into /var/lib/samba/private/ (its contents depend on the DNS backend you provisioned with), and it must be included from /etc/bind/named.conf.local; without it BIND answers nothing for raspberry.local.

Domain members can now update their own DNS records, and only with a valid Kerberos ticket.

Ubuntu ships with AppArmor, which confines named, so the BIND profile needs some extra rules. Add them inside the profile block (before the closing brace) of /etc/apparmor.d/usr.sbin.named. The paths below contain the Raspberry Pi's library triplet arm-linux-gnueabihf; on an x86_64 Ubuntu server it is x86_64-linux-gnu, so adjust them (ls /usr/lib shows which one you have). Raspbian does not ship AppArmor, so this step only applies to the Ubuntu test.

/etc/apparmor.d/usr.sbin.named

  /var/lib/samba/private/** rkw,
  /var/lib/samba/private/dns/** rkw,
  /usr/lib/arm-linux-gnueabihf/samba/bind9/** rm,
  /usr/lib/arm-linux-gnueabihf/samba/gensec/** rm,
  /usr/lib/arm-linux-gnueabihf/ldb/modules/ldb/** rm,
  /usr/lib/arm-linux-gnueabihf/samba/ldb/** rm,

Note that the first rule grants named read, write and lock access to the whole private directory, which also holds sam.ldb and secrets.ldb. The BIND9_DLZ backend really does write there (dynamic updates land directly in sam.ldb), so keep that in mind when deciding what else runs on this host.

Reload AppArmor so that the changed profile is picked up (apparmor_parser -r /etc/apparmor.d/usr.sbin.named reloads just this one profile):

 
service apparmor restart

And start bind:

 
service bind9 start

 

Step 4 – Authenticate with Kerberos

We need the Kerberos client tools and library. The KDC itself is already running inside Samba (Samba 4 ships its own, so do not install a separate KDC package on this host); install just the client side:

aptitude install krb5-user

The installer asks for the default realm and the KDC host; afterwards /etc/krb5.conf should look like this:

[libdefaults]
        default_realm = RASPBERRY.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

The realm has to be in uppercase: Kerberos realm names are case-sensitive and the provision created RASPBERRY.LOCAL, so a lowercase default_realm makes every kinit fail with “KDC reply did not match expectations”. With dns_lookup_kdc = true the KDC is found through the _kerberos._tcp SRV record the provision put into the zone, which is why no [realms] section is needed as long as the DNS from Step 3 works.

To test kerberos execute

 
kinit administrator@RASPBERRY.LOCAL

The realm part must be written in uppercase; then check your ticket with:

 
klist -e

 

Step 5 – NTP

Finally, install ntp. It is more than a nice to have: Kerberos rejects any request whose timestamp is more than five minutes (the default clock skew) away from the KDC's clock, so a DC with a drifting clock locks every client out, and Windows domain members expect to take their time from the DC. Samba can even sign those replies for Windows clients if ntp.conf points ntpsigndsocket at /var/lib/samba/ntp_signd/ and adds mssntp to its restrict default line; the Samba wiki has the details.

aptitude install ntp

The file /etc/ntp.conf comes with some default servers; check that ntpd has synchronised (the selected peer is marked with an asterisk) with:

 
ntpq -p
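As an added example that is not part of the original article, here is a small POSIX shell script that checks the pieces set up in Steps 1 to 5 from the DC itself. It is my own code, not the Samba project's: it assumes dig (dnsutils), ntpq and MIT kinit/klist (krb5-user) are installed, takes the realm and the DC address as arguments, and prompts for the administrator password at the kinit step. The ntpq output embedded in it is constructed so the offset parser can be exercised offline; the script and function names are mine.

```shell
#!/bin/sh
# ad-dc-check.sh: sanity checks for a freshly provisioned Samba4 AD DC.
# Added example for this article, not code from the Samba project or the
# original post. Assumes dig (dnsutils), ntpq and MIT kinit/klist exist on
# the DC and that the administrator password is typed at the kinit prompt.
# Usage: ./ad-dc-check.sh raspberry.local 192.168.0.87
set -u

KRB_MAX_SKEW_MS=300000   # MIT Kerberos' default clockskew is 300 seconds

# Kerberos realms are case-sensitive and provisioned in upper case; a
# lower-case realm is the usual cause of "KDC reply did not match expectations".
to_realm() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
# DNS zone names are case-insensitive; the provision writes them lower-case.
to_zone()  { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# SRV names a Windows DC locator and a Kerberos client look up, one per line.
required_srv_records() {
    zone=$(to_zone "$1")
    for n in _ldap._tcp _ldap._tcp.dc._msdcs _kerberos._tcp _kerberos._udp \
             _kerberos._tcp.dc._msdcs _kpasswd._tcp _kpasswd._udp; do
        printf '%s.%s\n' "$n" "$zone"
    done
}

# Read "ntpq -pn" output on stdin; print the absolute offset (whole ms) of the
# selected peer (line starting with '*'), or nothing if none is selected yet.
selected_peer_offset_ms() {
    awk '/^\*/ { o = $9; if (o < 0) o = -o; printf "%.0f\n", o; exit }'
}

# Constructed ntpq -pn output, used to exercise the parser offline.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+192.0.2.11      192.0.2.1        2 u   40   64  377   15.000  120.500   1.200
*192.0.2.10      192.0.2.1        2 u   36   64  377   12.345   -3.210   0.987'

# Live checks: each prints PASS/FAIL and returns 0/1. $1 = realm, $2 = DC IP.
check_fqdn() {
    zone=$(to_zone "$1"); fqdn=$(hostname -f)
    case "$fqdn" in
        *."$zone") echo "PASS hostname -f = $fqdn" ;;
        *) echo "FAIL hostname -f = '$fqdn'; put the FQDN first in /etc/hosts"; return 1 ;;
    esac
}

check_resolver() {
    grep -q "^nameserver[[:space:]]*$2\$" /etc/resolv.conf &&
        echo "PASS resolv.conf points at $2" && return 0
    echo "FAIL resolv.conf must list the DC ($2) as nameserver"; return 1
}

check_srv_records() {
    rc=0
    for name in $(required_srv_records "$1"); do
        if [ -n "$(dig +short -t SRV "$name" "@$2")" ]; then echo "PASS SRV $name"
        else echo "FAIL SRV $name: no answer from $2 (is BIND loading the AD zone?)"; rc=1
        fi
    done
    return $rc
}

check_clock() {
    offset=$(ntpq -pn 2>/dev/null | selected_peer_offset_ms)
    if [ -z "$offset" ]; then
        echo "FAIL ntpd has not selected a peer yet (no '*' line in ntpq -pn)"; return 1
    elif [ "$offset" -gt "$KRB_MAX_SKEW_MS" ]; then
        echo "FAIL clock offset ${offset}ms exceeds the Kerberos skew limit"; return 1
    fi
    echo "PASS clock offset ${offset}ms"
}

check_kerberos() {
    realm=$(to_realm "$1")
    if kinit "administrator@$realm" && klist -s; then echo "PASS ticket for administrator@$realm"
    else echo "FAIL kinit administrator@$realm (check realm case, DNS and clock)"; return 1
    fi
}

main() {
    failures=0
    for c in check_fqdn check_resolver check_srv_records check_clock check_kerberos; do
        "$c" "$1" "$2" || failures=$((failures + 1))
    done
    echo "$failures check(s) failed"
    [ "$failures" -eq 0 ]
}

# Run the live checks only when a realm and the DC address are given.
if [ $# -ge 2 ]; then main "$@"; fi
```

Run it as ./ad-dc-check.sh raspberry.local 192.168.0.87 on the DC. A FAIL on the SRV lines almost always means BIND is not loading the zone the provision generated; a FAIL on kinit with working DNS usually means a lowercase realm in krb5.conf or a clock that has drifted past the five-minute limit.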

 

Step 6 – Add a user and join the party

Simply add a user with (later Samba releases call this samba-tool user create and ask for the password interactively if you do not pass one):

samba-tool user add USERNAME

That’s it! Now boot your Windows or Linux client, point its DNS at the DC (192.168.0.87) and join the domain. A Windows client locates the domain only through the _ldap._tcp.dc._msdcs SRV records, so if it uses any other resolver the join dialog reports that the domain could not be contacted.

Please feel free to post your problems and experiences (especially with the Samba and Kerberos config) with Samba4 as a comment! I had some errors that were suddenly solved and I don’t know why; I could not even reproduce them. It would also be interesting to know whether you use it just to test it or on a real production server. Furthermore, if you find wrong configurations or mistakes in this article, just write me a message!

Thanks for your feedback! :-)
 
 

16 thoughts on “Samba 4 Active Directory – My first (successful) test”

  1. The instructions are really good, but I am getting
    kinit: KDC reply did not match expectations while getting initial credentials
    on the administrator account and a test ID I created with samba-tool user add USERNAME.
    Any suggestions?
    I’d really like to run a smaller DC.

  2. I ended up going to the Samba4 wiki and following those instructions (which worked!). I didn’t use the suggested repo; I got samba4 stable from git. It did take longer but needed less setup, so I am sure there were fewer places for me to make a mistake. Windows clients joined with no issues.

    I used PowerBroker Identity Services to connect Linux clients to the domain.

    If there are any suggestions on more setup, I’m open to others’ experiences.

    I made a domain group to grant sudo access.

  3. Pingback: ActiveDirectory Domain Controller with Samba4 on RaspberryPi | Just tinkering Blog

  4. NTP is kind of optional, but Kerberos doesn’t work if there’s excessive clock-skew (i.e. the times on the hosts don’t match the KDC sufficiently well). So I’d say it’s a bit more than “nice to have”.

  5. [libdefaults]
        default_realm = ILM.LOCAL
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
        dns_lookup_kdc = true
        dns_lookup_realm = false

    [realms]
        ILM.LOCAL = {
            kdc = kerberos.mit.edu
            kdc = kerberos-1.mit.edu
            kdc = kerberos-2.mit.edu:750
            admin_server = kerberos.mit.edu
            master_kdc = kerberos.mit.edu
            default_domain = mit.edu
        }
        EXAMPLE.COM = {
            kdc = kerberos.example.com
            kdc = kerberos-1.example.com
            admin_server = kerberos.example.com
        }

    [domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU

    [capaths]
        ATHENA.MIT.EDU = {
            EXAMPLE.COM = .
        }
        EXAMPLE.COM = {
            ATHENA.MIT.EDU = .
        }

    [logging]
        kdc = SYSLOG:INFO
        admin_server = FILE=/var/kadm5.log

  6. If you can’t install Samba4, try the following:

    Leave your router DNS in “X”.

    /etc/resolv.conf

    nameserver 192.168.0.87
    nameserver 192.168.0.“X”

  7. Hi, this is kind of off topic, but I was wanting to know if blogs use WYSIWYG editors or if you have to manually code with HTML.
    I’m starting a blog soon but have no coding knowledge, so I wanted to get advice from someone with experience.

    Any help would be greatly appreciated!

  8. Hi, thank you very much…

    but I’m having an issue resolving my DNS and krb5

    (/usr/bin/dpkg returned an error code)

    please help…

  9. I have an issue when trying to set the NetBIOS name to viescom-consulting.com, but when I use itgstore it works. I’ve made many tests and I realise that the issue is the “-” character between itgstore and consulting. I’m using SAMBA_INTERNAL DNS. So how do I solve this issue?
