Create an Active Directory Infrastructure with Samba4 on Ubuntu

Step 1: Initial Configuration for Samba4

1. Before proceeding your Samba4 AD DC installation first let’s run a few pre-required steps. First make sure the system is up to date with the last security features, kernels and packages by issuing the below command:

$ sudo apt-get update 
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade

2. Next, open machine /etc/fstab file and assure that your partitions file system has ACLs enabled as illustrated on the below screenshot.

Usually, common modern Linux file systems such as ext3ext4xfs or btrfs support and have ACLs enabled by default. If that’s not the case with your file system just open /etc/fstab file for editing and add acl string at the end of third column and reboot the machine in order to apply changes.

Enable ACL's on Linux Filesystem

Enable ACL’s on Linux Filesystem

3. Finally setup your machine hostname with a descriptive name, such as adc1 used in this example, by editing /etc/hostname file or by issuing.

$ sudo hostnamectl set-hostname adc1

reboot is necessary after you’ve changed your machine name in order to apply changes.

Step 2: Install Required Packages for Samba4 AD DC

4. In order to transform your server into an Active Directory Domain Controller, install Samba and all the required packages on your machine by issuing the below command with root privileges in a console.

$ sudo apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
Install Samba on Ubuntu

Install Samba on Ubuntu

5. While the installation is running a series of questions will be asked by the installer in order to configure the domain controller.

On the first screen you will need to add a name for Kerberos default REALM in uppercase. Enter the name you will be using for your domain in uppercase and hit Enter to continue..

Configuring Kerberos Authentication

Configuring Kerberos Authentication

6. Next, enter the hostname of Kerberos server for your domain. Use the same name as for your domain, with lowercases this time and hit Enter to continue.

Set Hostname Kerberos Server

Set Hostname Kerberos Server

7. Finally, specify the hostname for the administrative server of your Kerberos realm. Use the same as your domain and hit Enter to finish the installation.

Set Hostname Administrative Server

Set Hostname Administrative Server

Step 3: Provision Samba AD DC for Your Domain

8. Before starting to configure Samba for your domain, first run the below commands in order to stop and disable all samba daemons.

$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

9. Next, rename or remove samba original configuration. This step is absolutely required before provisioning Samba AD because at the provision time Samba will create a new configuration file from scratch and will throw up some errors in case it finds an old smb.conf file.

$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial

10. Now, start the domain provisioning interactively by issuing the below command with root privileges and accept the default options that Samba provides you.

Also, make sure you supply the IP address for a DNS forwarder at your premises (or external) and choose a strong password for Administrator account. If you choose a week password for Administrator account the domain provision will fail.

$ sudo samba-tool domain provision --use-rfc2307 --interactive
Samba Domain Provisioning

Samba Domain Provisioning

11. Finally, rename or remove Kerberos main configuration file from /etc directory and replace it using a symlink with Samba newly generated Kerberos file located in /var/lib/samba/private path by issuing the below commands:

$ sudo mv /etc/krb6.conf /etc/krb5.conf.initial
$ sudo ln –s /var/lib/samba/private/krb5.conf /etc/
Create Kerberos Configuration

Create Kerberos Configuration

12. Start and enable Samba Active Directory Domain Controller daemons.

$ sudo systemctl start samba-ad-dc.service
$ sudo systemctl status samba-ad-dc.service
$ sudo systemctl enable samba-ad-dc.service
Enable Samba Active Directory Domain Controller

Enable Samba Active Directory Domain Controller

13. Next, use netstat command in order to verify the list of all services required by an Active Directoryto run properly.

$ sudo netstat –tulpn| egrep ‘smbd|samba’
Verify Samba Active Directory

Verify Samba Active Directory

Step 4: Final Samba Configurations

14. At this moment Samba should be fully operational at your premises. The highest domain level Samba is emulating should be Windows AD DC 2008 R2.

It can be verified with the help of samba-tool utility.

$ sudo samba-tool domain level show
Verify Samba Domain Level

Verify Samba Domain Level

15. In order for DNS resolution to work locally, you need to open end edit network interface settings and point the DNS resolution by modifying dns-nameservers statement to the IP Address of your Domain Controller (use 127.0.0.1 for local DNS resolution) and dns-search statement to point to your realm.

$ sudo cat /etc/network/interfaces
$ sudo cat /etc/resolv.conf
Configure DNS for Samba AD

Configure DNS for Samba AD

When finished, reboot your server and take a look at your resolver file to make sure it points back to the right DNS name servers.

16. Finally, test the DNS resolver by issuing queries and pings against some AD DC crucial records, as in the below excerpt. Replace the domain name accordingly.

$ ping –c3 tecmint.lan       #Domain Name
$ ping –c3 adc1.tecmint.lan  #FQDN
$ ping –c3 adc1              #Host
Check Samba AD DNS Records

Check Samba AD DNS Records

Run following few queries against Samba Active Directory Domain Controller..

$ host –t A tecmint.lan
$ host –t A adc1.tecmint.lan
$ host –t SRV _kerberos._udp.tecmint.lan  # UDP Kerberos SRV record
$ host -t SRV _ldap._tcp.tecmint.lan # TCP LDAP SRV record

17. Also, verify Kerberos authentication by requesting a ticket for the domain administrator account and list the cached ticket. Write the domain name portion with uppercase.

$ kinit administrator@TECMINT.LAN
$ klist
Check Kerberos Authentication on Domain

Check Kerberos Authentication on Domain

That’s all! Now you have a fully operational AD Domain Controller installed in your network and you can start integrate Windows or Linux machines into Samba AD.

On the next series we’ll cover other Samba AD topics, such as how to manage you’re the domain controller from Samba command line, how to integrate Windows 10 into the domain name and manage Samba AD remotely using RSAT and other important topics.

Step 1: Manage Samba AD DC from Command Line

1. Samba AD DC can be managed through samba-tool command line utility which offers a great interface for administrating your domain.

With the help of samba-tool interface you can directly manage domain users and groups, domain Group Policy, domain sites, DNS services, domain replication and other critical domain functions.

To review the entire functionality of samba-tool just type the command with root privileges without any option or parameter.

# samba-tool -h
samba-tool - Manage Samba Administration Tool

samba-tool – Manage Samba Administration Tool

2. Now, let’s start using samba-tool utility to administer Samba4 Active Directory and manage our users.

In order to create a user on AD use the following command:

# samba-tool user add your_domain_user

To add a user with several important fields required by AD, use the following syntax:

--------- review all options --------- 
# samba-tool user add -h  
# samba-tool user add your_domain_user --given-name=your_name --surname=your_username --mail-address=your_domain_user@tecmint.lan --login-shell=/bin/bash
Create User on Samba AD

Create User on Samba AD

3. A listing of all samba AD domain users can be obtained by issuing the following command:

# samba-tool user list
List Samba AD Users

List Samba AD Users

4. To delete a samba AD domain user use the below syntax:

# samba-tool user delete your_domain_user

5. Reset a samba domain user password by executing the below command:

# samba-tool user setpassword your_domain_user

6. In order to disable or enable an samba AD User account use the below command:

# samba-tool user disable your_domain_user
# samba-tool user enable your_domain_user

7. Likewise, samba groups can be managed with the following command syntax:

--------- review all options --------- 
# samba-tool group add –h  
# samba-tool group add your_domain_group

8. Delete a samba domain group by issuing the below command:

# samba-tool group delete your_domain_group

9. To display all samba domain groups run the following command:

# samba-tool group list

10. To list all the samba domain members in a specific group use the command:

# samba-tool group listmembers "your_domain group"
List Samba Domain Members of Group

List Samba Domain Members of Group

11. Adding/Removing a member from a samba domain group can be done by issuing one of the following commands:

# samba-tool group addmembers your_domain_group your_domain_user
# samba-tool group remove members your_domain_group your_domain_user

12. As mentioned earlier, samba-tool command line interface can also be used to manage your samba domain policy and security.

To review your samba domain password settings use the below command:

# samba-tool domain passwordsettings show
Check Samba Domain Password

Check Samba Domain Password

13. In order to modify samba domain password policy, such as the password complexity level, password ageing, length, how many old password to remember and other security features required for a Domain Controller use the below screenshot as a guide.

---------- List all command options ---------- 
# samba-tool domain passwordsettings -h 
Manage Samba Domain Password Settings

Manage Samba Domain Password Settings

Never use the password policy rules as illustrated above on a production environment. The above settings are used just for demonstration purposes.

Step 2: Samba Local Authentication Using Active Directory Accounts

14. By default, AD users cannot perform local logins on the Linux system outside Samba AD DCenvironment.

In order to login on the system with an Active Directory account you need to make the following changes on your Linux system environment and modify Samba4 AD DC.

First, open samba main configuration file and add the below lines, if missing, as illustrated on the below screenshot.

$ sudo nano /etc/samba/smb.conf

Make sure the following statements appear on the configuration file:

winbind enum users = yes
winbind enum groups = yes
Samba Authentication Using Active Directory User Accounts

Samba Authentication Using Active Directory User Accounts

15. After you’ve made the changes, use testparm utility to make sure no errors are found on samba configuration file and restart samba daemons by issuing the below command.

$ testparm
$ sudo systemctl restart samba-ad-dc.service
Check Samba Configuration for Errors

Check Samba Configuration for Errors

16. Next, we need to modify local PAM configuration files in order for Samba4 Active Directoryaccounts to be able to authenticate and open a session on the local system and create a home directory for users at first login.

Use the pam-auth-update command to open PAM configuration prompt and make sure you enable all PAM profiles using [space] key as illustrated on the below screenshot.

When finished hit [Tab] key to move to Ok and apply changes.

$ sudo pam-auth-update
Configure PAM for Samba4 AD

Configure PAM for Samba4 AD

Enable PAM Authentication Module for Samba4 AD Users

Enable PAM Authentication Module for Samba4 AD Users

17. Now, open /etc/nsswitch.conf file with a text editor and add winbind statement at the end of the password and group lines as illustrated on the below screenshot.

$ sudo vi /etc/nsswitch.conf
Add Windbind Service Switch for Samba

Add Windbind Service Switch for Samba

18. Finally, edit /etc/pam.d/common-password file, search for the below line as illustrated on the below screenshot and remove the use_authtok statement.

This setting assures that Active Directory users can change their password from command line while authenticated in Linux. With this setting on, AD users authenticated locally on Linux cannot change their password from console.

password       [success=1 default=ignore]      pam_winbind.so try_first_pass
Allow Samba AD Users to Change Passwords

Allow Samba AD Users to Change Passwords

Remove use_authtok option each time PAM updates are installed and applied to PAM modules or each time you execute pam-auth-update command.

19. Samba4 binaries comes with a winbindd daemon built-in and enabled by default.

For this reason you’re no longer required to separately enable and run winbind daemon provided by winbind package from official Ubuntu repositories.

In case the old and deprecated winbind service is started on the system make sure you disable it and stop the service by issuing the below commands:

$ sudo systemctl disable winbind.service
$ sudo systemctl stop winbind.service

Although, we no longer need to run old winbind daemon, we still need to install Winbind package from repositories in order to install and use wbinfo tool.

Wbinfo utility can be used to query Active Directory users and groups from winbindd daemon point of view.

The following commands illustrates how to query AD users and groups using wbinfo.

$ wbinfo -g
$ wbinfo -u
$ wbinfo -i your_domain_user
Check Samba4 AD Information

Check Samba4 AD Information

Check Samba4 AD User Info

Check Samba4 AD User Info

20. Apart from wbinfo utility you can also use getent command line utility to query Active Directory database from Name Service Switch libraries which are represented in /etc/nsswitch.conf file.

Pipe getent command through a grep filter in order to narrow the results regarding just your AD realm user or group database.

# getent passwd | grep TECMINT
# getent group | grep TECMINT
Get Samba4 AD Details

Get Samba4 AD Details

Step 3: Login in Linux with an Active Directory User

21. In order to authenticate on the system with a Samba4 AD user, just use the AD usernameparameter after su - command.

At the first login a message will be displayed on the console which notifies you that a home directory has been created on /home/$DOMAIN/ system path with the mane of your AD username.

Use id command to display extra information about the authenticated user.

# su - your_ad_user
$ id
$ exit
Check Samba4 AD User Authentication on Linux

Check Samba4 AD User Authentication on Linux

22. To change the password for an authenticated AD user type passwd command in console after you have successfully logged into the system.

$ su - your_ad_user
$ passwd
Change Samba4 AD User Password

Change Samba4 AD User Password

23. By default, Active Directory users are not granted with root privileges in order to perform administrative tasks on Linux.

To grant root powers to an AD user you must add the username to the local sudo group by issuing the below command.

Make sure you enclose the realmslash and AD username with single ASCII quotes.

# usermod -aG sudo 'DOMAIN\your_domain_user'

To test if AD user has root privileges on the local system, login and run a command, such as apt-get update, with sudo permissions.

# su - tecmint_user
$ sudo apt-get update
Grant sudo Permission to Samba4 AD User

Grant sudo Permission to Samba4 AD User

24. In case you want to add root privileges for all accounts of an Active Directory group, edit /etc/sudoers file using visudo command and add the below line after root privileges line, as illustrated on the below screenshot:

%DOMAIN\\your_domain\  group ALL=(ALL:ALL) ALL

Pay attention to sudoers syntax so you don’t break things out.

Sudoers file doesn’t handles very well the use of ASCII quotation marks, so make sure you use % to denote that you’re referring to a group and use a backslash to escape the first slash after the domain name and another backslash to escape spaces if your group name contains spaces (most of AD built-in groups contain spaces by default). Also, write the realm with uppercases.

Give Sudo Access to All Samba4 AD Users

Give Sudo Access to All Samba4 AD Users

That’s all for now! Managing Samba4 AD infrastructure can be also achieved with several tools from Windows environment, such as ADUCDNS ManagerGPM or other, which can be obtained by installing RSAT package from Microsoft download page.

To administer Samba4 AD DC through RSAT utilities, it’s absolutely necessary to join the Windows system into Samba4 Active Directory. This will be the subject of our next tutorial, till then stay tuned to TecMint.

Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3