Set up Server with Active Directory Domain Controller with Samba4

Joe90 · 2014-10-12 20:44:52

ACTIVE DIRECTORY DOMAIN CONTROLLER
(on a linux box! with Samba4)

Why? Save some money on a Windows Server, Central Authentication and Control for Windows and Linux Users, just for the hell of it - because it is there.

The following indicates what I did and what I used to get it all working, I am sure you can use your preferred distribution and hardware setup.

So let us make a start. I carried out all the work in Virtualbox as opposed to using physical hardware, but the principles are the same. If using Virtualbox change the network adapter to “bridged adapter” once your installation has finished. This will make it available to other machines on your network - just like the real thing!

You are going to need a fresh install of Ubuntu Server 14.04 ( I used 64 bit) to follow this tut. The only selection from the server section I used was openssh server to allow me to ssh into it as opposed to logging in directly. Advice point: for the “first user” pick something like Admin1 or Superuser, a username that won’t be one of the AD logins. This helps to avoid confusion over usernames and passwords later. I used username Admin1 and password admin for simplicity.

We also need a few names, one for the hostname of the box, we will use adserver, (enter this during installation of 14.04) and one for the domain, we will use CBLD.LOCAL. Then we need a workgroup name, we will use TEST for this.

OK, let us login to the server and go root, and we will spend most of our time during setup needing root permissions:

sudo -s

We need to set a static IP address for this server so:

nano /etc/network/interfaces

and replace the auto eth0 stanza with:

auto eth0
iface eth0 inet static
address 192.168.1.100
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.254
dns-nameservers 192.168.1.100 8.8.8.8
dns-search cbld.local

My network is on 192.168.1.0 and the router is at 192.162.1.254. Make sure you can set an address at 100 if you are using that. You may wish to change the google dns server (8.8.8.8) to that of your ISP or your preferred DNS.

Save.

We need to be able to resolve our server address so:

nano /etc/hosts

and add

192.168.1.100 adserver.cbld.local

Save.

Change the hostname:

nano /etc/hostname

adserver.cbld.local

Save.

To make all these settings take, it is easiest to just reboot:

shutdown -r now

Login again as Admin1 and go root again

You can check everything is OK:

ifconfig eth0
cat /etc/resolv.conf

OK, let us update the machine and have a coffee

apt-get update
apt-get upgrade -y

We now have a pile of packages and programs to install. Probably don’t need all of these as Samba4 does not need to be compiled, but I have included them anyway. ntp is important in order to keep time sync between machines. You might squeeze another cup of coffee in while this all installs. However, Kerberos will want some answers from you:

default Kerberos realm:

CBLD.LOCAL

administrative server AND kerberos server:

adserver

workgroup:

TEST

(glad we thought of these earlier now aren’t we!)

Kerberos is VERY case-sensitive, so where-ever I use capitals in the code, please do the same.

OK, the long list of packages:

apt-get install ntp samba smbclient libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev git build-essential -y

(you will get asked by Kerberos along the way)

Another reboot wouldn’t hurt here, just to get samba up and running.

Login with Admin1 and go root.

Ready to get going with the ADDC Provisioning! Enter:

samba-tool domain provision --realm=cbld.local --domain=CBLD --adminpass=12Oct2014! --server-role=dc --dns-backend=SAMBA_INTERNAL

A few things to note here. --domain is the first part of your “domain name”. The adminpass needs to have Numbers, Letters and Capital Letters (may also need a symbol). This password (12Oct2014!)is for the AD administrator so is different from your “sudo” password. Don’t forget it.

At this point your /etc/samba/smb.conf file should look something like this:

# Global parameters
[global]
	workgroup = TEST
	realm = cbld.local
	netbios name = ADSERVER
	server role = active directory domain controller
	[b]dns forwarder = 8.8.8.8[/b]

[netlogon]
	path = /var/lib/samba/sysvol/ffrr.local/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

If it is not there, create it and add the above details. The important one that will/may need to be added is the dns forwarder entry which should be your chosen dns server (not the domain)

Now just check that the date & time are OK and that ntp is running

service ntp status
date

Verify Samba and Kerberos are running OK:

lsof -i | grep ‘^samba.*IPv4’
smbclient -L localhost -U%
service samba status

kinit Administrator@CBLD.LOCAL
Enter password: (12Oct2014!)

You should get a warning about password expiry. To check you got a “ticket” for your password:

klist -e

We now need to add some domain users! Password requirements are still demanding!

samba-tool user add tom '3MeninBoat!'
samba-tool user add dick '2MeninBoat!'
samba-tool user add harry '1MeninBoat!'

(samba-tool user add "username" "'password'")

These are samba users, they do not need to be linux users as well. (But at the moment they won’t have a home directory). Check all users with:

samba-tool user list

OK, we are done, if all have gone well, Administrator, tom, dick and harry should be able to connect and authenticate as domain users.

But there is more!

Create folder shares:

OK, linux users will be given their own home folders when we get to connecting them to the domain (see below), but if we want to have a shared space for everyone to save their files, and a private space for an individual or group, then we can set these up on the domain server. I must admit to having a bit of a fight with this part, it may not be the best way of doing it, but I got it to work in the end.

We will start by creating a couple of folders. (Not we are still logged in as Admin1 and rooted):

mkdir -m /Users
mkdir -m /tanddfiles

sort out permissions:

chmod g+s /Users
chown root: users Users
chmod g+s /tanddfiles
chown root: users tanddfiles

Now let us edit smb.conf

nano /etc/samba/smb.conf

and add the following after everything else:

[tanddfiles]
	directory_mode: parameter = 755
	path = /tanddfiles
	read only = no
	csc policy = documents
	valid users = tom, dick
[Users]
	directory_mode: parameter = 755
	read only = no
	path = /Users
	csc policy = documents

Save.

You can check your syntax is OK by running:

testparm

This should now mean that all users can access, read and write the /Users directory, but that only tom and dick can access, read and write /tanddfiles (of course Administrator can too!)

reboot the server or restart samba:

shutdown -r now

or

service samba restart

Last edited by Joe90 (2014-10-12 20:52:20)

Joe90 · 2014-10-12 20:55:27

Connecting a Windows Client to the ADDC

Compared to what follows for the linux clients, this is very straight forward.

I used a Windows 7 Pro setup, also in Virtualbox (with bridged adapter). Again I used a "non-domain" username and password to avoid confusion when logging into the domain.

Boot up and login

Set the client's DNS server:

Control Panel>Network and Internet>View Network Status and Tasks>Change Adapter Settings>[select your network interface]>Properties>TCP/IPv4>Properties

Then enter your domains IP address as the preferred dns server (192.168.1.100) < see above post!

Join the domain:

Computer>Properties>Advanced System Settings>Computer Name>Change>Member of Domain

and enter domain name, in this case cbld.local. Click Apply/OK.

You may be asked for credentials, in which case use your domain administrators credentials:

username: CBLD/Administrator
password: 12Oct2014!

and click OK

Reboot to make changes come into effect.

At the login screen you should now be able to login as the domain Administrator or any of the domain users created in above post.

Suggest you use the full "path" to login (especially as the Administrator)

username:  CBLD/Administrator
password: 12Oct2014!

or

username: CBLD/tom
password: 3MeninBoat!

Test out the folder shares

Last edited by Joe90 (2014-10-12 21:10:39)

Joe90 · 2014-10-12 20:56:33

Connecting a Linux Client (#!) to the ADDC

Bearded_Blunder · 2014-10-20 11:34:43

Re the domain controller particularly, and possibly connecting clients to Active directory with a M$ domain controller.. I'd recommend grabbing the newer samba from backports.

Getting #! to authenticate against AD isn't that hard, I did it before the last reinstall, just forgot to document what I did.. it worked though..

Also saved me a world of frustration since I have decades of being used to a capitalised Username.. which dEBIAN refuses to accept natively.

This time I was lazy and just setup autologon instead.

Joe90 · 2014-10-20 21:48:20

The new package "realmd" found in jessie and sid appears to make joining linux to a domain a breeze?

Not available for wheezy/waldorf.

Reason I haven't written up my third post about connecting a linux box is that my effort is not perfect, and I haven't figured out why. Can connect OK, but have lost the ability to sudo, either with local or domain accounts.

CrunchBang Linux

SEARCH

#1 2014-10-12 20:44:52

Set up Server with Active Directory Domain Controller with Samba4

#2 2014-10-12 20:55:27

Re: Set up Server with Active Directory Domain Controller with Samba4

#3 2014-10-12 20:56:33

Re: Set up Server with Active Directory Domain Controller with Samba4

#4 2014-10-20 11:34:43

Re: Set up Server with Active Directory Domain Controller with Samba4

#5 2014-10-20 21:48:20

Re: Set up Server with Active Directory Domain Controller with Samba4

Board footer