Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1


Matei Cezar

I'm a computer-addicted guy, a fan of open source and Linux-based system software, and have about 4 years of experience with Linux desktop and server distributions and bash scripting.


79 Responses

  1. Riccardo Sacchetto says:

    The guide is really great, congratulations. But I have a little problem… after changing the DNS (nameserver) so that it is local, and copying the configuration file that you gave in the article, if I enter the command

    # ping google.it
    

    the output is “Unknown host”.

    How can I fix it? I attach my configuration files. resolv.conf:

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 192.168.1.9
    nameserver 1.1.1.1
    search tng.lan
    

    interfaces:

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).
    source /etc/network/interfaces.d/*
    # The loopback network interface
    auto lo
    iface lo inet loopback
    # The primary network interface
    auto enp0s3
    iface enp0s3 inet static
    address 192.168.1.9
    netmask 255.255.255.0
    broadcast 192.168.1.1
    gateway 192.168.1.1
    dns-nameservers 127.0.0.1 192.168.1.9
    dns-search tng.local
    
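A resolver/interface sanity check for a Samba AD DC, added here as an example and not part of the original post or the tutorial. It parses the two files quoted in the comment above (embedded as constructed sample input) and reports the mismatches that typically cause “Unknown host” on a DC: a search domain that differs between the two files, a nameserver declared in `interfaces` but absent from the generated `resolv.conf`, a wrong broadcast address, and an upstream resolver listed directly instead of through Samba's `dns forwarder`.

```python
import ipaddress

# Constructed sample input: the files posted in the comment above.
RESOLV_CONF = """\
nameserver 192.168.1.9
nameserver 1.1.1.1
search tng.lan
"""
INTERFACES = """\
auto enp0s3
iface enp0s3 inet static
address 192.168.1.9
netmask 255.255.255.0
broadcast 192.168.1.1
gateway 192.168.1.1
dns-nameservers 127.0.0.1 192.168.1.9
dns-search tng.local
"""

def parse_kv(text):
    """Return {key: [values...]} for 'key value...' lines, skipping comments."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *vals = line.split()
            out.setdefault(key, []).extend(vals)
    return out

def check_dc_network(resolv_text, iface_text):
    """Return a list of findings about a DC's resolver and interface config."""
    resolv, iface = parse_kv(resolv_text), parse_kv(iface_text)
    findings = []
    addr = iface["address"][0]
    net = ipaddress.ip_interface(f"{addr}/{iface['netmask'][0]}").network
    bcast = iface.get("broadcast", [None])[0]
    if bcast and ipaddress.ip_address(bcast) != net.broadcast_address:
        findings.append(f"broadcast {bcast} should be {net.broadcast_address}")
    if iface.get("dns-search") != resolv.get("search"):
        findings.append("search domain differs between interfaces and resolv.conf")
    ns = resolv.get("nameserver", [])
    for declared in iface.get("dns-nameservers", []):
        if declared not in ns:
            findings.append(f"nameserver {declared} declared in interfaces but missing from resolv.conf")
    for n in ns:
        # General Samba AD guidance: the DC resolves only via itself; upstream
        # resolvers belong in smb.conf as 'dns forwarder', not in resolv.conf.
        if n != "127.0.0.1" and ipaddress.ip_address(n) not in net:
            findings.append(f"external nameserver {n} in resolv.conf; use smb.conf 'dns forwarder' instead")
    return findings

if __name__ == "__main__":
    for f in check_dc_network(RESOLV_CONF, INTERFACES):
        print("-", f)
```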
  2. Steve says:

    Worked until this point: 11. Finally, rename or remove the Kerberos main configuration file from the /etc directory and replace it using a symlink with Samba's newly generated Kerberos file located in the /var/lib/samba/private path by issuing the below commands:

    $ sudo mv /etc/krb6.conf /etc/krb5.conf.initial
    $ sudo ln –s /var/lib/samba/private/krb5.conf /etc/
    

    Then I received:

    [email protected]:~$ sudo mv /etc/krb6.conf /etc/krb5.conf.initial
    mv: cannot stat '/etc/krb6.conf': No such file or directory
    
    [email protected]:~$ sudo ln –s /var/lib/samba/private/krb5.conf /etc/
    ln: failed to access '–s': No such file or directory
    ln: failed to create hard link '/etc/krb5.conf': File exists
    
  3. Anand Mane says:

    Hi Matei,

    Very nice article; I fully understand Samba connectivity with Windows and Ubuntu.

    Now my question is: I have connected a Win-7 desktop to the Ubuntu Samba AD controller (I am using the Administrator login/password, which I created using the kinit command), but I want to connect with a normal user. If you have any further steps, please help me.

    My connectivity is working, but I want to log in with a normal user.

    Thanking you,

    Anand.

  4. weleh says:

    Many thanks. This tutorial was so helpful for me to create an AD server under Ubuntu.
    I will continue, using Samba for file/directory sharing.

  5. Attila Ruzsinszky says:

    Hi,

    It was the best doc for Samba AD DC!
    I tried this description on my notebook with LXD containers, so not everything was trivial. (xattr + LXD!)

    I followed step-by-step and some things are not clear:

    0. The Kerberos example screenshots are almost unreadable (and that was the most problematic part of the setup for me). I haven’t used Kerberos yet.
    1. Why do I need an A record for the domain itself? I don’t have one.
    2. Where are these records? In my DNS server or AD?

        $ host -t SRV _kerberos._udp.tecmint.lan  # UDP Kerberos SRV record
        $ host -t SRV _ldap._tcp.tecmint.lan # TCP LDAP SRV record
    

    Are those a must? I don’t have them, either.

    With this Samba AD DC I want to set up a user auth system for Win10 and Squid+SquidGuard using NTLM with SSO. I found that Squid’s normal plain-text auth system (htpasswd) does not accept UTF-8 characters, so the Windows “long” (or full) name login ID does not work, and I don’t want two different IDs for login and Squid. I very much hope it will work shortly.

  6. James says:

    Great guide! I did have a question: I currently run DHCP on my Windows AD controller too. Could I also run DHCP on an Ubuntu server using the documentation on https://help.ubuntu.com/lts/serverguide/dhcp.html AND still manage it with the RSAT tools in Windows?

    • Matei Cezar says:

      You cannot control a Linux DHCP server via RSAT in any way. They have different implementations in Linux and Windows, although they offer the same services. In Linux you can manage the server from the CLI and through its config files. However, you can set up both DHCP servers to assign IP addresses for your network, but use different network ranges and set up only one server as authoritative.

    • Attila Ruzsinszky says:

      It doesn’t work.

      I think, and I can see from the log, that the problem is in DNS, because dnsmasq is a very simple server and I don’t know which records are needed.

  7. Rafael Pereira says:

    Congratulations!! Thanks a lot!!!

  8. Pat says:

    What a great article! Quick question. I had this running nicely for a while, but all of a sudden, my Windows 7 hosts cannot connect to shares in the AD anymore. I haven’t touched anything on the settings side of things.

    Are you aware of an update that might have broken things? My Mac hosts are still happily connecting with their domain accounts, but any Windows 7 hosts just keep prompting for the password without allowing the connection.

    • Matei Cezar says:

      It can be some update issue with Windows file sharing clients. Consult the Microsoft docs and verify whether SMBv1 has been disabled in the Windows client after applying the WannaCry updates.

      • Pat says:

        Thanks for the reply Matei. It turns out it was user error.

        The servers I was trying to connect to had been reconfigured in the DNS and there was a mistake with the CNAME and A Record being inverted. Simply fixing the DNS resolved the issue.

        I’m surprised it worked for so long after changing the DNS, I assume the entries were cached.

  9. Chris Restemayer says:

    kinit [email protected]

    Everything worked all the way up until that point. That command doesn’t work for me. It rejects the password. This is a fresh install. I’ve put one, and only one, password on this computer, and that doesn’t work, so I have no idea what it’s asking for here.

    I’ve tried the one password that I’ve actually set; I’ve tried leaving it blank; I’ve tried “password,” “administrator,” and “admin.” I’m out of ideas. What is this default password? More importantly, how do I change the password as root?

    Kpassword demands the old password, which I obviously don’t have.

    • Adrian says:

      I had the same issue and think that the administrator password that Kerberos uses is not set up during the domain provision. I was able to reset it using:

      # samba-tool user setpassword administrator
      
  10. Bas Auer says:

    Hi Matei,

    Yet again a great manual. You make admin life a lot easier!

    I have a question. Do you know when Ubuntu will release a more up-to-date samba4 version? The version installed with Ubuntu 16.04.3 LTS is 4.3.11-Ubuntu. Samba 4.3.11 has been EOL since 2017-03-07.

    Or does Ubuntu maintain this version until the EOL of Ubuntu 16.04?

    • Matei Cezar says:

      You should check on Ubuntu Launchpad. I don’t know what Ubuntu is planning regarding maintaining their versions of the Samba project.
