{"id":888,"date":"2018-03-20T13:35:31","date_gmt":"2018-03-20T11:35:31","guid":{"rendered":"https:\/\/helia.ee\/koolitus\/?page_id=888"},"modified":"2018-03-20T13:35:31","modified_gmt":"2018-03-20T11:35:31","slug":"create-active-directory-infrastructure-samba4-ubuntu","status":"publish","type":"page","link":"https:\/\/helia.ee\/koolitus\/?page_id=888","title":{"rendered":"Create an Active Directory Infrastructure with Samba4 on Ubuntu"},"content":{"rendered":"

Step 1: Initial Configuration for Samba4<\/h3>\n

1.<\/strong>\u00a0Before proceeding your\u00a0Samba4 AD DC<\/strong>\u00a0installation first let\u2019s run a few pre-required steps. First make sure the system is up to date with the last security features, kernels and packages by issuing the below command:<\/p>\n

$ sudo apt-get update \r\n$ sudo apt-get upgrade\r\n$ sudo apt-get dist-upgrade\r\n<\/pre>\n
2.<\/strong>\u00a0Next, open machine\u00a0\/etc\/fstab<\/strong>\u00a0file and assure that your partitions file system has\u00a0ACLs<\/strong>\u00a0enabled as illustrated on the below screenshot.<\/p>\n
Usually, common modern Linux file systems such as\u00a0ext3<\/strong>,\u00a0ext4<\/strong>,\u00a0xfs<\/strong>\u00a0or\u00a0btrfs<\/strong>\u00a0support and have ACLs enabled by default. If that\u2019s not the case with your file system just open\u00a0\/etc\/fstab<\/strong>\u00a0file for editing and add\u00a0acl<\/code>\u00a0string at the end of third column and\u00a0reboot<\/strong>\u00a0the machine in order to apply changes.<\/p>\n
\"Enable<\/a><\/p>\n
Enable ACL\u2019s on Linux Filesystem<\/p>\n<\/div>\n
3.<\/strong>\u00a0Finally\u00a0setup your machine hostname<\/a>\u00a0with a descriptive name, such as\u00a0adc1<\/code>\u00a0used in this example, by editing\u00a0\/etc\/hostname<\/strong>\u00a0file or by issuing.<\/p>\n
$ sudo hostnamectl set-hostname adc1\r\n<\/pre>\n
A\u00a0reboot<\/strong>\u00a0is necessary after you\u2019ve changed your machine name in order to apply changes.<\/p>\n
Step 2: Install Required Packages for Samba4 AD DC<\/h3>\n
4.<\/strong>\u00a0In order to transform your server into an\u00a0Active Directory Domain Controller<\/strong>, install\u00a0Samba<\/strong>\u00a0and all the required packages on your machine by issuing the below command with\u00a0root<\/strong>\u00a0privileges in a console.<\/p>\n
$ sudo apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind\r\n<\/pre>\n
\"Install<\/a><\/p>\n
Install Samba on Ubuntu<\/p>\n<\/div>\n
5.<\/strong>\u00a0While the installation is running a series of questions will be asked by the installer in order to configure the domain controller.<\/p>\n
On the first screen you will need to add a name for\u00a0Kerberos<\/strong>\u00a0default\u00a0REALM<\/code>\u00a0in uppercase. Enter the name you will be using for your domain in uppercase and hit\u00a0Enter<\/strong>\u00a0to continue..<\/p>\n
\"Configuring<\/a><\/p>\n
Configuring Kerberos Authentication<\/p>\n<\/div>\n
6.<\/strong>\u00a0Next, enter the\u00a0hostname<\/strong>\u00a0of\u00a0Kerberos<\/strong>\u00a0server for your domain. Use the same name as for your domain, with lowercases this time and hit\u00a0Enter<\/strong>\u00a0to continue.<\/p>\n
\"Set<\/a><\/p>\n
Set Hostname Kerberos Server<\/p>\n<\/div>\n
7.<\/strong>\u00a0Finally, specify the\u00a0hostname<\/strong>\u00a0for the administrative server of your\u00a0Kerberos<\/strong>\u00a0realm. Use the same as your domain and hit\u00a0Enter<\/strong>\u00a0to finish the installation.<\/p>\n
\"Set<\/a><\/p>\n
Set Hostname Administrative Server<\/p>\n<\/div>\n
Step 3: Provision Samba AD DC for Your Domain<\/h3>\n
8.<\/strong>\u00a0Before starting to configure\u00a0Samba<\/strong>\u00a0for your domain, first run the below commands in order to stop and disable all samba daemons.<\/p>\n
$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service\r\n$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service\r\n<\/pre>\n
9.<\/strong>\u00a0Next, rename or remove samba original configuration. This step is absolutely required before provisioning\u00a0Samba AD<\/strong>\u00a0because at the provision time\u00a0Samba<\/strong>\u00a0will create a new configuration file from scratch and will throw up some errors in case it finds an old\u00a0smb.conf<\/code>\u00a0file.<\/p>\n
$ sudo mv \/etc\/samba\/smb.conf \/etc\/samba\/smb.conf.initial\r\n<\/pre>\n
10.<\/strong>\u00a0Now, start the domain provisioning interactively by issuing the below command with root privileges and accept the default options that Samba provides you.<\/p>\n
Also, make sure you supply the IP address for a DNS forwarder at your premises (or external) and choose a strong password for Administrator account. If you choose a week password for Administrator account the domain provision will fail.<\/p>\n
$ sudo samba-tool domain provision --use-rfc2307 --interactive\r\n<\/pre>\n
\"Samba<\/a><\/p>\n
Samba Domain Provisioning<\/p>\n<\/div>\n
11.<\/strong>\u00a0Finally, rename or remove Kerberos main configuration file from\u00a0\/etc<\/strong>\u00a0directory and replace it using a symlink with Samba newly generated Kerberos file located in\u00a0\/var\/lib\/samba\/private<\/strong>\u00a0path by issuing the below commands:<\/p>\n
$ sudo mv \/etc\/krb6.conf \/etc\/krb5.conf.initial\r\n$ sudo ln \u2013s \/var\/lib\/samba\/private\/krb5.conf \/etc\/\r\n<\/pre>\n
\"Create<\/a><\/p>\n
Create Kerberos Configuration<\/p>\n<\/div>\n
12.<\/strong>\u00a0Start and enable\u00a0Samba Active Directory Domain Controller<\/strong>\u00a0daemons.<\/p>\n
$ sudo systemctl start samba-ad-dc.service\r\n$ sudo systemctl status samba-ad-dc.service\r\n$ sudo systemctl enable samba-ad-dc.service\r\n<\/pre>\n
\"Enable<\/a><\/p>\n
Enable Samba Active Directory Domain Controller<\/p>\n<\/div>\n
13.<\/strong>\u00a0Next,\u00a0use netstat command<\/a>\u00a0in order to verify the list of all services required by an\u00a0Active Directory<\/strong>to run properly.<\/p>\n
$ sudo netstat \u2013tulpn| egrep \u2018smbd|samba\u2019\r\n<\/pre>\n
\"Verify<\/a><\/p>\n
Verify Samba Active Directory<\/p>\n<\/div>\n
Step 4: Final Samba Configurations<\/h3>\n
14.<\/strong>\u00a0At this moment\u00a0Samba<\/strong>\u00a0should be fully operational at your premises. The highest domain level\u00a0Samba<\/strong>\u00a0is emulating should be\u00a0Windows AD DC 2008 R2<\/strong>.<\/p>\n
It can be verified with the help of\u00a0samba-tool<\/strong>\u00a0utility.<\/p>\n
$ sudo samba-tool domain level show\r\n<\/pre>\n
\"Verify<\/a><\/p>\n
Verify Samba Domain Level<\/p>\n<\/div>\n
15.<\/strong>\u00a0In order for\u00a0DNS<\/strong>\u00a0resolution to work locally, you need to open end edit network interface settings and point the DNS resolution by modifying\u00a0dns-nameservers<\/strong>\u00a0statement to the IP Address of your\u00a0Domain Controller<\/strong>\u00a0(use\u00a0127.0.0.1<\/strong>\u00a0for local DNS resolution) and\u00a0dns-search<\/strong>\u00a0statement to point to your\u00a0realm<\/strong>.<\/p>\n
$ sudo cat \/etc\/network\/interfaces\r\n$ sudo cat \/etc\/resolv.conf\r\n<\/pre>\n
\"Configure<\/a><\/p>\n
Configure DNS for Samba AD<\/p>\n<\/div>\n
When finished,\u00a0reboot<\/strong>\u00a0your server and take a look at your resolver file to make sure it points back to the right DNS name servers.<\/p>\n
16.<\/strong>\u00a0Finally, test the DNS resolver by issuing queries and pings against some\u00a0AD DC<\/strong>\u00a0crucial records, as in the below excerpt. Replace the domain name accordingly.<\/p>\n
$ ping \u2013c3 tecmint.lan       #Domain Name<\/strong>\r\n$ ping \u2013c3 adc1.tecmint.lan  #FQDN<\/strong>\r\n$ ping \u2013c3 adc1              #Host<\/strong>\r\n<\/pre>\n
\"Check<\/a><\/p>\n
Check Samba AD DNS Records<\/p>\n<\/div>\n
Run following few queries against Samba Active Directory Domain Controller..<\/p>\n
$ host \u2013t A tecmint.lan\r\n$ host \u2013t A adc1.tecmint.lan\r\n$ host \u2013t SRV _kerberos._udp.tecmint.lan  # UDP Kerberos SRV record\r\n$ host -t SRV _ldap._tcp.tecmint.lan # TCP LDAP SRV record\r\n<\/pre>\n
17.<\/strong>\u00a0Also, verify\u00a0Kerberos<\/strong>\u00a0authentication by requesting a ticket for the domain administrator account and list the cached ticket. Write the domain name portion with uppercase.<\/p>\n
$ kinit administrator@TECMINT.LAN\r\n$ klist\r\n<\/pre>\n
\"Check<\/a><\/p>\n
Check Kerberos Authentication on Domain<\/p>\n<\/div>\n
That\u2019s all! Now you have a fully operational\u00a0AD Domain Controller<\/strong>\u00a0installed in your network and you can start integrate\u00a0Windows<\/strong>\u00a0or\u00a0Linux<\/strong>\u00a0machines into\u00a0Samba AD<\/strong>.<\/p>\n
On the next series we\u2019ll cover other\u00a0Samba AD<\/strong>\u00a0topics, such as how to manage you\u2019re the domain controller from Samba command line, how to integrate Windows 10 into the domain name and manage Samba AD remotely using RSAT and other important topics.<\/p>\n
Step 1: Manage Samba AD DC from Command Line<\/h3>\n
1.<\/strong>\u00a0Samba AD DC<\/strong>\u00a0can be managed through\u00a0samba-tool<\/strong>\u00a0command line utility which offers a great interface for administrating your domain.<\/p>\n
With the help of samba-tool interface you can directly manage domain users and groups, domain Group Policy, domain sites, DNS services, domain replication and other critical domain functions.<\/p>\n