ACTIVE DIRECTORY DOMAIN CONTROLLER
(on a linux box! with Samba4)
Why? Save some money on a Windows Server, Central Authentication and Control for Windows and Linux Users, just for the hell of it - because it is there.
The following indicates what I did and what I used to get it all working; I am sure you can use your preferred distribution and hardware setup.
So let us make a start. I carried out all the work in Virtualbox as opposed to using physical hardware, but the principles are the same. If using Virtualbox change the network adapter to “bridged adapter” once your installation has finished. This will make it available to other machines on your network - just like the real thing!
You are going to need a fresh install of Ubuntu Server 14.04 (I used 64-bit) to follow this tut. The only selection from the server section I used was openssh server to allow me to ssh into it as opposed to logging in directly. Advice point: for the “first user” pick something like Admin1 or Superuser, a username that won’t be one of the AD logins. This helps to avoid confusion over usernames and passwords later. I used username Admin1 and password admin for simplicity.
We also need a few names, one for the hostname of the box, we will use adserver, (enter this during installation of 14.04) and one for the domain, we will use CBLD.LOCAL. Then we need a workgroup name, we will use TEST for this.
OK, let us log in to the server and go root, as we will spend most of our time during setup needing root permissions:
We need to set a static IP address for this server so:
and replace the auto eth0 stanza with:
auto eth0
iface eth0 inet static
    address 192.168.1.100
    network 192.168.1.0
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.254
    dns-nameservers 192.168.1.100 220.127.116.11
    dns-search cbld.local
My network is on 192.168.1.0 and the router is at 192.168.1.254. Make sure you can set an address at 100 if you are using that. You may wish to change the Google DNS server (22.214.171.124) to that of your ISP or your preferred DNS.
We need to be able to resolve our server address so:
Change the hostname:
To make all these settings take, it is easiest to just reboot:
shutdown -r now
Log in again as Admin1 and go root again
You can check everything is OK:
ifconfig eth0
cat /etc/resolv.conf
OK, let us update the machine and have a coffee
apt-get update
apt-get upgrade -y
We now have a pile of packages and programs to install. We probably don’t need all of these as Samba4 does not need to be compiled, but I have included them anyway. ntp is important in order to keep time in sync between machines. You might squeeze another cup of coffee in while this all installs. However, Kerberos will want some answers from you:
default Kerberos realm:
administrative server AND kerberos server:
(glad we thought of these earlier now aren’t we!)
Kerberos is VERY case-sensitive, so wherever I use capitals in the code, please do the same.
OK, the long list of packages:
apt-get install ntp samba smbclient libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev git build-essential -y
(you will get asked by Kerberos along the way)
Another reboot wouldn’t hurt here, just to get samba up and running.
Log in with Admin1 and go root.
Ready to get going with the ADDC Provisioning! Enter:
samba-tool domain provision --realm=cbld.local --domain=CBLD --adminpass=12Oct2014! --server-role=dc --dns-backend=SAMBA_INTERNAL
A few things to note here. --domain is the first part of your “domain name”. The adminpass needs to have Numbers, Letters and Capital Letters (may also need a symbol). This password (12Oct2014!) is for the AD administrator so is different from your “sudo” password. Don’t forget it.
At this point your /etc/samba/smb.conf file should look something like this:
# Global parameters
[global]
workgroup = TEST
realm = cbld.local
netbios name = ADSERVER
server role = active directory domain controller
dns forwarder = 126.96.36.199

[netlogon]
# the sysvol path follows the realm given to samba-tool domain provision
path = /var/lib/samba/sysvol/cbld.local/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
If it is not there, create it and add the above details. The important one that will/may need to be added is the dns forwarder entry which should be your chosen dns server (not the domain)
Now just check that the date & time are OK and that ntp is running
service ntp status
date
Verify Samba and Kerberos are running OK:
lsof -i | grep '^samba.*IPv4'
smbclient -L localhost -U%
service samba status
kinit Administrator@CBLD.LOCAL
Enter password: (12Oct2014!)
You should get a warning about password expiry. To check you got a “ticket” for your password:
We now need to add some domain users! Password requirements are still demanding!
samba-tool user add tom '3MeninBoat!'
samba-tool user add dick '2MeninBoat!'
samba-tool user add harry '1MeninBoat!'
(samba-tool user add <username> '<password>')
These are samba users, they do not need to be linux users as well. (But at the moment they won’t have a home directory). Check all users with:
samba-tool user list
OK, we are done; if all has gone well, Administrator, tom, dick and harry should be able to connect and authenticate as domain users.
But there is more!
Create folder shares:
OK, linux users will be given their own home folders when we get to connecting them to the domain (see below), but if we want to have a shared space for everyone to save their files, and a private space for an individual or group, then we can set these up on the domain server. I must admit to having a bit of a fight with this part, it may not be the best way of doing it, but I got it to work in the end.
We will start by creating a couple of folders. (Note: we are still logged in as Admin1 and rooted):
# -m needs a mode argument; 775 lets the owning group write, which the shares below rely on
mkdir -m 775 /Users
mkdir -m 775 /tanddfiles
sort out permissions:
chmod g+s /Users
chown root:users /Users
chmod g+s /tanddfiles
chown root:users /tanddfiles
Now let us edit smb.conf
and add the following after everything else:
[tanddfiles]
directory mode = 0755
path = /tanddfiles
read only = no
csc policy = documents
valid users = tom, dick

[Users]
directory mode = 0755
read only = no
path = /Users
csc policy = documents
You can check your syntax is OK by running:
This should now mean that all users can access, read and write the /Users directory, but that only tom and dick can access, read and write /tanddfiles (of course Administrator can too!)
reboot the server or restart samba:
shutdown -r now
service samba restart
1. Set up Windows Clients
2. Set up Linux Clients
(I'll link these once written up)
Last edited by Joe90 (2014-10-12 20:52:20)
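An added audit script, not from the original post, that parses share definitions like the [tanddfiles] and [Users] sections above (reproduced inside the script as a constructed sample) and reports, per share, whether it is writable and which accounts may connect. It assumes the key = value form that testparm accepts and relies on Samba's documented default of read only = yes.

```python
"""Audit the share sections of a Samba smb.conf for who can write where."""
import configparser
# Constructed sample: the two shares defined in the post above plus a minimal
# [global], in the key = value form testparm accepts (assumption).
SAMPLE_SMB_CONF = """[global]
workgroup = TEST
realm = cbld.local
server role = active directory domain controller

[tanddfiles]
directory mode = 0755
path = /tanddfiles
read only = no
csc policy = documents
valid users = tom, dick

[Users]
directory mode = 0755
read only = no
path = /Users
csc policy = documents
"""

# Sections Samba treats specially; every other section is a file share.
SPECIAL_SECTIONS = {"global", "homes", "printers"}

def parse_shares(text):
    """Return {share_name: {parameter: value}} for every file-share section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {name: {k.strip(): v.strip() for k, v in cp[name].items()}
            for name in cp.sections() if name.lower() not in SPECIAL_SECTIONS}

def audit_share(name, params):
    """Describe the effective write access of one share."""
    # Samba defaults to 'read only = yes'; a share is writable only when the
    # admin set 'read only = no' or 'writable = yes'.
    writable = (params.get("read only", "yes").lower() in ("no", "false", "0")
                or params.get("writable", "no").lower() in ("yes", "true", "1"))
    # Without 'valid users', every authenticated domain account can connect.
    users = [u.strip() for u in params.get("valid users", "").split(",") if u.strip()]
    return {"share": name, "path": params.get("path"), "writable": writable,
            "writers": users or ["<any authenticated domain user>"],
            "offline_caching": params.get("csc policy", "manual")}

def audit(text):
    """Audit every share in an smb.conf string; returns one dict per share."""
    return [audit_share(n, p) for n, p in parse_shares(text).items()]
```

Run it against /etc/samba/smb.conf after testparm accepts the file; a writable share with no valid users line is one every domain account can write to, which is exactly what [Users] above is meant to be and [tanddfiles] is not.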
Connecting a Windows Client to the ADDC
Compared to what follows for the linux clients, this is very straight forward.
I used a Windows 7 Pro setup, also in Virtualbox (with bridged adapter). Again I used a "non-domain" username and password to avoid confusion when logging into the domain.
Boot up and log in
Set the client's DNS server:
Control Panel>Network and Internet>View Network Status and Tasks>Change Adapter Settings>[select your network interface]>Properties>TCP/IPv4>Properties
Then enter your domain's IP address as the preferred DNS server (192.168.1.100) < see above post!
Join the domain:
Computer>Properties>Advanced System Settings>Computer Name>Change>Member of Domain
and enter domain name, in this case cbld.local. Click Apply/OK.
You may be asked for credentials, in which case use your domain administrator's credentials:
username: CBLD/Administrator
password: 12Oct2014!
and click OK
Reboot to make changes come into effect.
At the login screen you should now be able to log in as the domain Administrator or any of the domain users created in the above post.
Suggest you use the full "path" to log in (especially as the Administrator)
username: CBLD/Administrator
password: 12Oct2014!

username: CBLD/tom
password: 3MeninBoat!
Test out the folder shares
Last edited by Joe90 (2014-10-12 21:10:39)
Connecting a Linux Client (#!) to the ADDC
Re the domain controller particularly, and possibly connecting clients to Active Directory with a M$ domain controller.. I'd recommend grabbing the newer samba from backports.
Getting #! to authenticate against AD isn't that hard, I did it before the last reinstall, just forgot to document what I did.. it worked though..
Also saved me a world of frustration since I have decades of being used to a capitalised Username.. which dEBIAN refuses to accept natively.
This time I was lazy and just setup autologon instead.
Blessed is he who expecteth nothing, for he shall not be disappointed...
The new package "realmd" found in jessie and sid appears to make joining linux to a domain a breeze?
Not available for wheezy/waldorf.
Reason I haven't written up my third post about connecting a linux box is that my effort is not perfect, and I haven't figured out why. Can connect OK, but have lost the ability to sudo, either with local or domain accounts.