ACTIVE DIRECTORY DOMAIN CONTROLLER
(on a linux box! with Samba4)
Why? Save some money on a Windows Server, Central Authentication and Control for Windows and Linux Users, just for the hell of it - because it is there.
The following indicates what I did and what I used to get it all working, I am sure you can use your preferred distribution and hardware setup.
So let us make a start. I carried out all the work in Virtualbox as opposed to using physical hardware, but the principles are the same. If using Virtualbox change the network adapter to “bridged adapter” once your installation has finished. This will make it available to other machines on your network - just like the real thing!
You are going to need a fresh install of Ubuntu Server 14.04 ( I used 64 bit) to follow this tut. The only selection from the server section I used was openssh server to allow me to ssh into it as opposed to logging in directly. Advice point: for the “first user” pick something like Admin1 or Superuser, a username that won’t be one of the AD logins. This helps to avoid confusion over usernames and passwords later. I used username Admin1 and password admin for simplicity.
We also need a few names, one for the hostname of the box, we will use adserver, (enter this during installation of 14.04) and one for the domain, we will use CBLD.LOCAL. Then we need a workgroup name, we will use TEST for this.
OK, let us login to the server and go root, and we will spend most of our time during setup needing root permissions:
sudo -s
We need to set a static IP address for this server so:
nano /etc/network/interfaces
and replace the auto eth0 stanza with:
auto eth0
iface eth0 inet static
address 192.168.1.100
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.254
dns-nameservers 192.168.1.100 8.8.8.8
dns-search cbld.local
My network is on 192.168.1.0 and the router is at 192.162.1.254. Make sure you can set an address at 100 if you are using that. You may wish to change the google dns server (8.8.8.8) to that of your ISP or your preferred DNS.
Save.
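Before rebooting, it is worth checking the stanza you just typed, because a DC that cannot reach its gateway or that asks someone else for its own DNS zone is a pain to debug over ssh. The script below is an added example, not part of the original post: it reads the keywords used above (address, network, netmask, gateway, dns-nameservers), checks that they agree with each other and that the first nameserver is the DC itself (the DC will be hosting the cbld.local zone with SAMBA_INTERNAL). The sample stanza written by write_sample is constructed for this run; point check_stanza at /etc/network/interfaces for the real thing.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the static
# stanza in /etc/network/interfaces before rebooting the future DC.
# It checks that address/network/netmask agree, that the gateway is on
# the same subnet, and that the first dns-nameserver is the DC's own
# address, because the DC will host the cbld.local zone itself.
# The sample stanza written by write_sample is constructed for this run.

# Convert a dotted quad to a 32-bit integer (shell arithmetic only).
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the first value of keyword $2 in interfaces file $1.
ifvalue() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_stanza FILE: return 0 if the stanza is consistent, 1 otherwise,
# printing one line per problem found.
check_stanza() {
    f=$1
    addr=$(ifvalue "$f" address)
    mask=$(ifvalue "$f" netmask)
    net=$(ifvalue "$f" network)
    gw=$(ifvalue "$f" gateway)
    dns1=$(ifvalue "$f" dns-nameservers)
    for v in "$addr" "$mask" "$net" "$gw" "$dns1"; do
        if [ -z "$v" ]; then
            echo "stanza needs address, netmask, network, gateway and dns-nameservers"
            return 1
        fi
    done
    status=0
    a=$(ip2int "$addr"); m=$(ip2int "$mask"); n=$(ip2int "$net"); g=$(ip2int "$gw")
    [ $(( a & m )) -eq "$n" ] || { echo "address $addr is not in $net/$mask"; status=1; }
    [ $(( g & m )) -eq "$n" ] || { echo "gateway $gw is not in $net/$mask"; status=1; }
    [ "$a" -ne "$g" ] || { echo "address and gateway are the same host"; status=1; }
    [ "$dns1" = "$addr" ] || { echo "first dns-nameserver is $dns1, should be the DC itself ($addr)"; status=1; }
    if [ $status -eq 0 ]; then
        echo "stanza OK: $addr/$mask via $gw, dns $dns1"
    fi
    return $status
}

# Constructed sample matching the stanza in the post.
write_sample() {
    cat > "$1" <<'EOF'
auto eth0
iface eth0 inet static
address 192.168.1.100
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.254
dns-nameservers 192.168.1.100 8.8.8.8
dns-search cbld.local
EOF
}

# Usage:
#   sample=$(mktemp); write_sample "$sample"; check_stanza "$sample"
#   check_stanza /etc/network/interfaces
```

The DNS check is the one that bites most often: if 8.8.8.8 is listed first, the box will resolve cbld.local names through a public resolver that knows nothing about them, and Kerberos and domain joins fail in confusing ways.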
We need to be able to resolve our server address so:
nano /etc/hosts
and add
192.168.1.100 adserver.cbld.local
Save.
Change the hostname:
nano /etc/hostname
adserver.cbld.local
Save.
To make all these settings take, it is easiest to just reboot:
shutdown -r now
Login again as Admin1 and go root again
You can check everything is OK:
ifconfig eth0
cat /etc/resolv.conf
OK, let us update the machine and have a coffee
apt-get update
apt-get upgrade -y
We now have a pile of packages and programs to install. Probably don’t need all of these as Samba4 does not need to be compiled, but I have included them anyway. ntp is important in order to keep time sync between machines. You might squeeze another cup of coffee in while this all installs. However, Kerberos will want some answers from you:
default Kerberos realm:
CBLD.LOCAL
administrative server AND kerberos server:
adserver
workgroup:
TEST
(glad we thought of these earlier now aren’t we!)
Kerberos is VERY case-sensitive, so where-ever I use capitals in the code, please do the same.
OK, the long list of packages:
apt-get install ntp samba smbclient libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev git build-essential -y
(you will get asked by Kerberos along the way)
Another reboot wouldn’t hurt here, just to get samba up and running.
Login with Admin1 and go root.
Ready to get going with the ADDC Provisioning! Enter:
samba-tool domain provision --realm=cbld.local --domain=CBLD --adminpass=12Oct2014! --server-role=dc --dns-backend=SAMBA_INTERNAL
A few things to note here. --domain is the first part of your “domain name”. The adminpass needs to have Numbers, Letters and Capital Letters (may also need a symbol). This password (12Oct2014!) is for the AD administrator, so it is different from your “sudo” password. Don’t forget it.
At this point your /etc/samba/smb.conf file should look something like this:
# Global parameters
[global]
workgroup = TEST
realm = cbld.local
netbios name = ADSERVER
server role = active directory domain controller
dns forwarder = 8.8.8.8
[netlogon]
path = /var/lib/samba/sysvol/cbld.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
If it is not there, create it and add the above details. The important one that will/may need to be added is the dns forwarder entry which should be your chosen dns server (not the domain)
Now just check that the date & time are OK and that ntp is running
service ntp status
date
Verify Samba and Kerberos are running OK:
lsof -i | grep '^samba.*IPv4'
smbclient -L localhost -U%
service samba status
kinit Administrator@CBLD.LOCAL
Enter password: (12Oct2014!)
You should get a warning about password expiry. To check you got a “ticket” for your password:
klist -e
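The -e is there so klist prints the encryption type of each ticket, which is worth actually reading rather than just checking a ticket exists. The script below is an added example, not part of the original post: it parses klist -e output and flags tickets issued with single DES, triple DES or RC4 (arcfour), the types treated as weak here. The sample output is constructed to mimic MIT klist's layout, using the post's principal and host names with made-up timestamps; on the DC run klist -e | weak_enctypes.

```shell
#!/bin/sh
# Added example, not part of the original post: read `klist -e` output
# and report the encryption type of each ticket, flagging weak ones
# (single DES, triple DES and RC4/arcfour). The sample below is
# constructed to mimic MIT klist's layout, using the post's principal
# and host names with made-up timestamps; on the DC run
#   klist -e | weak_enctypes

# Regular expression of encryption types treated as weak (assumption).
WEAK='des-cbc|des3|arcfour|rc4'

# weak_enctypes: reads klist -e output on stdin, prints
# "<service principal>: <skey etype>, <tkt etype>[ WEAK]" per ticket and
# returns 1 if any ticket uses a weak type.
weak_enctypes() {
    awk -v weak="$WEAK" '
        /^[0-9]/ { svc = $5 }                    # ticket line: remember service principal
        /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")  # keep just "skey, tkt"
            flag = ($0 ~ weak) ? " WEAK" : ""
            if (flag != "") bad++
            print svc ": " $0 flag
        }
        END { exit (bad > 0 ? 1 : 0) }'
}

# Constructed sample: the krbtgt ticket is fine, the cifs ticket is RC4.
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@CBLD.LOCAL

Valid starting       Expires              Service principal
10/12/2014 20:00:00  10/13/2014 06:00:00  krbtgt/CBLD.LOCAL@CBLD.LOCAL
        renew until 10/19/2014 20:00:00, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10/12/2014 20:01:00  10/13/2014 06:00:00  cifs/adserver.cbld.local@CBLD.LOCAL
        renew until 10/19/2014 20:00:00, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
EOF
}

# Usage on the sample: sample_klist | weak_enctypes
```

On a fresh Samba4 provision the krbtgt ticket should come back as AES; if you see arcfour-hmac for a service, look at that service's account rather than the DC.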
We now need to add some domain users! Password requirements are still demanding!
samba-tool user add tom '3MeninBoat!'
samba-tool user add dick '2MeninBoat!'
samba-tool user add harry '1MeninBoat!'
(i.e. samba-tool user add username 'password')
These are samba users, they do not need to be linux users as well. (But at the moment they won’t have a home directory). Check all users with:
samba-tool user list
OK, we are done, if all have gone well, Administrator, tom, dick and harry should be able to connect and authenticate as domain users.
But there is more!
Create folder shares:
OK, linux users will be given their own home folders when we get to connecting them to the domain (see below), but if we want to have a shared space for everyone to save their files, and a private space for an individual or group, then we can set these up on the domain server. I must admit to having a bit of a fight with this part, it may not be the best way of doing it, but I got it to work in the end.
We will start by creating a couple of folders. (Note we are still logged in as Admin1 and rooted):
mkdir -m 775 /Users
mkdir -m 775 /tanddfiles
sort out permissions (setgid on the folder, owned by root, group users):
chmod g+s /Users
chown root:users /Users
chmod g+s /tanddfiles
chown root:users /tanddfiles
Now let us edit smb.conf
nano /etc/samba/smb.conf
and add the following after everything else:
[tanddfiles]
directory mode = 0755
path = /tanddfiles
read only = no
csc policy = documents
valid users = tom, dick
[Users]
directory mode = 0755
read only = no
path = /Users
csc policy = documents
Save.
You can check your syntax is OK by running:
testparm
This should now mean that all users can access, read and write the /Users directory, but that only tom and dick can access, read and write /tanddfiles (of course Administrator can too!)
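testparm only tells you the syntax is valid, not who can write where. The script below is an added example, not part of the original post: it walks an smb.conf, prints each share with whether it is writable and whether it is limited by valid users, and returns non-zero if a writable share has no valid users line at all. [global], [netlogon] and [sysvol] are skipped as Samba's own sections. The sample config written by write_sample_smbconf is constructed from the shares added above; run audit_shares /etc/samba/smb.conf on the real file.

```shell
#!/bin/sh
# Added example, not part of the original post: list the file shares in
# an smb.conf and flag any share that is writable ("read only = no" or
# "writable = yes") but carries no "valid users" line, i.e. one that
# every authenticated domain user may write to. [global], [netlogon]
# and [sysvol] are skipped as Samba's own sections. The sample config
# written by write_sample_smbconf is constructed from the post's shares.

# audit_shares FILE: prints "<share> writable=yes|no restricted=yes|no"
# per share and returns 1 if any writable share is unrestricted.
audit_shares() {
    awk '
        function flush() {
            if (sec != "" && sec != "global" && sec != "netlogon" && sec != "sysvol") {
                printf "%s writable=%s restricted=%s\n", sec, w, r
                if (w == "yes" && r == "no") bad++
            }
        }
        /^[ \t]*\[/ {                          # new section header
            flush()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)
            w = "no"; r = "no"
            next
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comments and blank lines
        {
            line = tolower($0); gsub(/[ \t]/, "", line)   # "read only = No" -> "readonly=no"
            n = split(line, kv, "=")
            if (n < 2) next
            if (kv[1] == "readonly" && kv[2] == "no") w = "yes"
            if ((kv[1] == "writable" || kv[1] == "writeable") && kv[2] == "yes") w = "yes"
            if (kv[1] == "validusers" && kv[2] != "") r = "yes"
        }
        END { flush(); exit (bad > 0 ? 1 : 0) }' "$1"
}

# Constructed sample: the smb.conf from the post with the two shares added.
write_sample_smbconf() {
    cat > "$1" <<'EOF'
# Global parameters
[global]
workgroup = TEST
realm = cbld.local
netbios name = ADSERVER
server role = active directory domain controller
dns forwarder = 8.8.8.8
[netlogon]
path = /var/lib/samba/sysvol/cbld.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[tanddfiles]
directory mode = 0755
path = /tanddfiles
read only = no
csc policy = documents
valid users = tom, dick
[Users]
directory mode = 0755
read only = no
path = /Users
csc policy = documents
EOF
}

# Usage:
#   f=$(mktemp); write_sample_smbconf "$f"; audit_shares "$f"
#   audit_shares /etc/samba/smb.conf
```

On the sample it reports tanddfiles as writable and restricted, and Users as writable and unrestricted. For the post's setup the second one is exactly what was intended (a shared space for everyone), so treat the non-zero exit as a prompt to confirm each open share is meant to be open, not as an error; if a writable share should be limited, a valid users line with the domain users or a group is what the script looks for.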
reboot the server or restart samba:
shutdown -r now
or
service samba restart
Next:
1. Set up Windows Clients
2. Set up Linux Clients
(I'll link these once written up)
Last edited by Joe90 (2014-10-12 20:52:20)
Connecting a Windows Client to the ADDC
Compared to what follows for the linux clients, this is very straight forward.
I used a Windows 7 Pro setup, also in Virtualbox (with bridged adapter). Again I used a "non-domain" username and password to avoid confusion when logging into the domain.
Boot up and login
Set the client's DNS server:
Control Panel>Network and Internet>View Network Status and Tasks>Change Adapter Settings>[select your network interface]>Properties>TCP/IPv4>Properties
Then enter your domain's IP address as the preferred DNS server (192.168.1.100) < see above post!
Join the domain:
Computer>Properties>Advanced System Settings>Computer Name>Change>Member of Domain
and enter domain name, in this case cbld.local. Click Apply/OK.
You may be asked for credentials, in which case use your domain administrators credentials:
username: CBLD/Administrator
password: 12Oct2014!
and click OK
Reboot to make changes come into effect.
At the login screen you should now be able to login as the domain Administrator or any of the domain users created in above post.
Suggest you use the full "path" to login (especially as the Administrator)
username: CBLD/Administrator
password: 12Oct2014!
or
username: CBLD/tom
password: 3MeninBoat!
Test out the folder shares
Last edited by Joe90 (2014-10-12 21:10:39)
Connecting a Linux Client (#!) to the ADDC
Re the domain controller particularly, and possibly connecting clients to Active directory with a M$ domain controller.. I'd recommend grabbing the newer samba from backports.
Getting #! to authenticate against AD isn't that hard, I did it before the last reinstall, just forgot to document what I did.. it worked though..
Also saved me a world of frustration since I have decades of being used to a capitalised Username.. which dEBIAN refuses to accept natively.
This time I was lazy and just set up autologon instead.
Blessed is he who expecteth nothing, for he shall not be disappointed...
The new package "realmd" found in jessie and sid appears to make joining linux to a domain a breeze?
Not available for wheezy/waldorf.
Reason I haven't written up my third post about connecting a linux box is that my effort is not perfect, and I haven't figured out why. Can connect OK, but have lost the ability to sudo, either with local or domain accounts.