An Active Directory Domain Controller is a vital tool for business network administrators. It allows the centralized management of all the computers in a business network, whether it's local, national or worldwide. You can add a user to the network with all their information and set their limits to features on a computer, and they will be able to log in to any computer on the business network.
Active Directory Domain Controllers used to be a costly feature exclusive to Microsoft Windows Servers, but with the recent open source release of Samba 4.0 stable all of these features are now available for free. This will allow small businesses and home users to run an Active Directory Domain Controller on a limited budget. Today we will walk you through the steps to set up your own Samba4 Active Directory Domain Controller on Ubuntu.
Tips Before we Begin
- Before setting up your Samba4 domain controller you will want to remove any older versions of Samba 3.x to prevent interference with Samba4, unless you plan on migrating an old NT style Samba3 domain controller to Samba4. ***If this is the case, this tutorial is not for you***
- If you are starting with a fresh install make sure to enable xattr on any partition that Samba will be running on or accessing. This will be addressed later if you have a currently running install.
- Resolv.conf is often a source of issues as it typically gets overwritten automatically. If you run into issues down the road make sure that this file hasn't changed.
- If you are new to Linux tutorials, commands that are typed into the command prompt (aka Bash) will appear in a grey box and will start with "$ ". You can omit the "$" sign and just type that command. See the example below:
$ echo "This is an example of a command to type at the Bash prompt"
- If the grey box doesn’t contain the “$ ” then apply the contents as described in that step of the process.
1) Install Samba4 dependencies and utilities required for this tutorial with the following command.
$ sudo apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
2) The krb5-user package will ask the following questions, highlighted in bold text. We have included the proper responses in the example below.
Default Realm: test.lan
Default Realm: 127.0.0.1
Administrative Server: 127.0.0.1
FSTAB File Setup
Now that all dependencies for Samba4 are installed we will now configure the /etc/fstab file.
Warning: If you are not familiar with the contents of this file read your distribution's manual. Edit at your own risk!!!
1) Open the /etc/fstab file in your preferred text editor. For this example we will use nano.
$ sudo nano /etc/fstab
2) Within the fstab file you will find your hard drive partition configuration. Add the following parameters if they aren’t present, and you are using ext3/ext4: user_xattr, acl and barrier=1. If you are using another file system like btrfs then you don’t need to make any changes to your fstab file. View the example below.
UUID=db6f8346-60ca-47b4-8ab2-046337abd834 / ext4 user_xattr,acl,barrier=1,errors=remount-ro 0 1
NOTE: If you are using the btrfs file system no changes need to be made to your fstab file.
3) You must apply these settings to all partitions that Samba4 will access, then remount your partitions with the following command.
$ sudo mount -a
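To confirm the edit in step 2 covered every partition, the following added example (not part of the original tutorial) scans an fstab-format file and lists each ext3/ext4 entry that lacks one of the three options. The helper names check_fstab_opts and sample_fstab are hypothetical, and every sample entry except the first is constructed.

```shell
#!/bin/sh
# Added example: check_fstab_opts and sample_fstab are hypothetical helper
# names, not Samba or Ubuntu tools.
REQUIRED_OPTS="user_xattr acl barrier=1"   # the options named in step 2

# Print "<mount point> missing <options>" for every ext3/ext4 entry that lacks
# a required option; return 1 if any entry is incomplete.
# $1 = fstab-format file (default /etc/fstab, "-" reads stdin)
check_fstab_opts() {
    awk -v required="$REQUIRED_OPTS" '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        $3 != "ext3" && $3 != "ext4" { next }    # e.g. btrfs needs no change
        {
            n = split($4, have, ",")
            m = split(required, want, " ")
            missing = ""
            for (i = 1; i <= m; i++) {
                found = 0
                for (j = 1; j <= n; j++)
                    if (have[j] == want[i]) found = 1
                if (!found)
                    missing = (missing == "" ? want[i] : missing "," want[i])
            }
            if (missing != "") { print $2 " missing " missing; bad = 1 }
        }
        END { exit bad + 0 }
    ' "${1:-/etc/fstab}"
}

# Constructed sample input; the first entry is the example line from step 2.
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=db6f8346-60ca-47b4-8ab2-046337abd834 / ext4 user_xattr,acl,barrier=1,errors=remount-ro 0 1
/dev/sdb1 /home ext4 defaults 0 2
/dev/sdc1 /data ext3 acl,noatime 0 2
/dev/sdd1 /srv btrfs defaults 0 2
EOF
}

sample_fstab | check_fstab_opts - || echo "add the missing options, then remount"
```

Call check_fstab_opts with no argument to check the real /etc/fstab. It reads the file's text only, so it reports what is written there, not what is currently mounted.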
We will download the latest version of Samba4 via a program called git. The following command will download the latest stable version.
$ git clone git://git.samba.org/samba.git samba-master
Compile and Install Samba4
Compile and install Samba4 with the following commands.
$ cd samba-master
$ sudo ./configure
$ sudo make
$ sudo make install
1) Provisioning the Samba4 Domain Controller creates the configuration files and the Active Directory database. Use the following command to start the process.
$ sudo /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
2) The provision command will ask you for some information about your network. Use the following example as a guideline, but modify the info as needed for your network.
Realm [test.local]: TEST.LAN
Domain [S4]: TEST
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write ‘none’ to disable forwarding) [192.168.2.1]: 188.8.131.52
Administrator password: Ex@mpleP@$$word
Retype password: Ex@mpleP@$$word
You should see output similar to the following example:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=test,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
NetBIOS Domain: TEST
DNS Domain: TEST.LAN
DOMAIN SID: S-1-5-21-1811932520-1978264231-2890610938
Modify resolv.conf and hosts File
1) Edit your resolv.conf file in nano
$ sudo nano /etc/resolv.conf
2) The following info should be sufficient as long as this system is running only Samba4.
3) Ubuntu by default will overwrite the /etc/resolv.conf file with updated DHCP and other network services. To prevent this we make the resolv.conf file read only.
$ sudo chattr +i /etc/resolv.conf
Note: This is not the most elegant solution, especially if you are running other services. Other solutions to this issue are out of the scope of this tutorial.
1) Samba4 has created a krb5.conf for you to use as a replacement for the existing configuration file. Use the following commands to backup the old file and copy the new configuration file.
$ sudo mv /etc/krb5.conf /etc/krb5.conf.bak
$ sudo cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
2) Now you must edit the new krb5.conf file to include your domain realm info.
$ sudo nano /etc/krb5.conf
3) Modify the "default_realm = SAMDOM.EXAMPLE.COM" line to contain your domain info. In our tutorial it is "TEST.LAN".
NOTE: The domain realm MUST be typed in uppercase!
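Because a lowercase realm is easy to miss by eye, the following added example (not part of the original tutorial) reads default_realm from the [libdefaults] section of a krb5.conf-format file and checks it against the realm you provisioned. The helper names krb5_default_realm, check_realm and sample_krb5 are hypothetical, and the sample file content is constructed.

```shell
#!/bin/sh
# Added example: krb5_default_realm, check_realm and sample_krb5 are
# hypothetical helper names, not part of Samba or the krb5 packages.

# Print the default_realm value found in the [libdefaults] section.
# $1 = krb5.conf-format file (default /etc/krb5.conf, "-" reads stdin)
krb5_default_realm() {
    awk -F= '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
            gsub(/[ \t\r]/, "", $2)      # strip spaces around the value
            print $2
            exit
        }
    ' "${1:-/etc/krb5.conf}"
}

# Return 0 if default_realm is set, uppercase and equal to the expected realm.
# $1 = expected realm (e.g. TEST.LAN), $2 = file (default /etc/krb5.conf)
check_realm() {
    realm=$(krb5_default_realm "${2:-/etc/krb5.conf}")
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ -z "$realm" ]; then
        echo "no default_realm found in [libdefaults]"; return 2
    fi
    if [ "$realm" != "$upper" ]; then
        echo "default_realm $realm is not uppercase, expected $upper"; return 1
    fi
    if [ "$realm" != "$1" ]; then
        echo "default_realm $realm does not match $1"; return 1
    fi
    echo "ok: $realm"
}

# Constructed sample with the realm typed in lowercase by mistake.
sample_krb5() {
    printf '[libdefaults]\n\tdefault_realm = test.lan\n'
    printf '\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n'
}

sample_krb5 | check_realm TEST.LAN - || true
```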
You should now have a functioning Samba4 Domain Controller. Start your Domain Controller by using the following command. You should now be able to connect your Windows and other devices to your Active Directory Domain Controller.
$ sudo /usr/local/samba/sbin/samba
Add Samba Directories to PATH Variable (optional):
1) Edit your environment variables with nano.
$ nano ~/.bashrc
2) Add the following to your .bashrc config file
Post Setup Tips:
- Any devices that you will connect to your domain should use your Samba4 server as their primary DNS (e.g. 192.168.1.2).
- If your Windows machine doesn't seem to be connecting to the Samba4 DNS server, try the following command at the Windows command prompt.