Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1

Samba is free, open source software that provides standard interoperability between Windows and Linux/Unix operating systems.

Samba can operate as a standalone file and print server for Windows and Linux clients through the SMB/CIFS protocol suite, or it can act as an Active Directory Domain Controller or be joined into a realm as a domain member. The highest AD DC domain and forest functional level that Samba4 can currently emulate is Windows 2008 R2.

The series is titled Setting Up Samba4 Active Directory Domain Controller and covers the following topics for Ubuntu, CentOS, and Windows:

Part 1: Install Active Directory Infrastructure with SAMBA4 on Ubuntu

This tutorial starts by explaining all the steps you need to take care of in order to install and configure Samba4 as a Domain Controller on Ubuntu 16.04 and Ubuntu 14.04.

This configuration provides a central management point for users, machines, volume shares, permissions and other resources in a mixed Windows/Linux infrastructure.

Requirements:

  1. Ubuntu 16.04 Server Installation.
  2. Ubuntu 14.04 Server Installation.
  3. A static IP Address configured for your AD DC server.

Step 1: Initial Configuration for Samba4

1. Before proceeding with the Samba4 AD DC installation, run a few prerequisite steps. First, make sure the system is up to date with the latest security patches, kernel and packages by issuing the commands below:

$ sudo apt-get update 
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade

2. Next, open the /etc/fstab file and make sure the file system of your partitions has ACLs enabled, as illustrated in the screenshot below.

Common modern Linux file systems such as ext3, ext4, xfs or btrfs support ACLs and usually have them enabled by default. If that is not the case with your file system, open /etc/fstab for editing, add the acl option at the end of the mount options column (the fourth column), and reboot the machine to apply the change.

Enable ACL's on Linux Filesystem

3. Finally, set your machine hostname to a descriptive name, such as adc1 used in this example, by editing the /etc/hostname file or by issuing:

$ sudo hostnamectl set-hostname adc1

A reboot is necessary after you’ve changed your machine name in order to apply changes.

Step 2: Install Required Packages for Samba4 AD DC

4. To turn your server into an Active Directory Domain Controller, install Samba and all the required packages by issuing the command below with root privileges in a console.

$ sudo apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind

Install Samba on Ubuntu

5. While the installation is running, the installer asks a series of questions in order to configure the domain controller.

On the first screen you need to enter the name of the default Kerberos REALM in uppercase. Enter the name you will be using for your domain in uppercase and hit Enter to continue.

Configuring Kerberos Authentication

6. Next, enter the hostname of the Kerberos server for your domain. Use the same name as your domain, in lowercase this time, and hit Enter to continue.

Set Hostname Kerberos Server

7. Finally, specify the hostname of the administrative server for your Kerberos realm. Use the same name as your domain and hit Enter to finish the installation.

Set Hostname Administrative Server

Step 3: Provision Samba AD DC for Your Domain

8. Before starting to configure Samba for your domain, run the commands below to stop and disable all Samba daemons.

$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

9. Next, rename or remove Samba's original configuration. This step is required before provisioning the Samba AD, because at provision time Samba creates a new configuration file from scratch and throws errors if it finds an old smb.conf file.

$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial

10. Now, start the domain provisioning interactively by issuing the command below with root privileges and accept the default options that Samba offers.

Also, make sure you supply the IP address of a DNS forwarder on your premises (or an external one) and choose a strong password for the Administrator account. If you choose a weak password for the Administrator account, the domain provisioning fails.

$ sudo samba-tool domain provision --use-rfc2307 --interactive

Samba Domain Provisioning

11. Finally, rename or remove the main Kerberos configuration file from the /etc directory and replace it with a symlink to the Kerberos file newly generated by Samba in /var/lib/samba/private, by issuing the commands below:

$ sudo mv /etc/krb5.conf /etc/krb5.conf.initial
$ sudo ln -s /var/lib/samba/private/krb5.conf /etc/

Create Kerberos Configuration

12. Start and enable Samba Active Directory Domain Controller daemons.

$ sudo systemctl start samba-ad-dc.service
$ sudo systemctl status samba-ad-dc.service
$ sudo systemctl enable samba-ad-dc.service

Enable Samba Active Directory Domain Controller

13. Next, use the netstat command to verify that all the services an Active Directory needs in order to run properly are listening.

$ sudo netstat -tulpn | egrep 'smbd|samba'

Verify Samba Active Directory

Step 4: Final Samba Configurations

14. At this point Samba should be fully operational on your premises. The highest domain level Samba emulates should be Windows AD DC 2008 R2.

This can be verified with the samba-tool utility.

$ sudo samba-tool domain level show

Verify Samba Domain Level

15. In order for DNS resolution to work locally, open and edit the network interface settings: point the dns-nameservers statement at the IP address of your Domain Controller (use 127.0.0.1 for local DNS resolution) and set the dns-search statement to your realm.

$ sudo cat /etc/network/interfaces
$ sudo cat /etc/resolv.conf

Configure DNS for Samba AD

When finished, reboot your server and take a look at your resolver file to make sure it points back to the right DNS name servers.

16. Finally, test the DNS resolver by issuing queries and pings against some crucial AD DC records, as in the excerpt below. Replace the domain name accordingly.

$ ping -c3 tecmint.lan         #Domain Name
$ ping -c3 adc1.tecmint.lan   #FQDN
$ ping -c3 adc1               #Host

Check Samba AD DNS Records

Run the following queries against the Samba Active Directory Domain Controller:

$ host -t A tecmint.lan
$ host -t A adc1.tecmint.lan
$ host -t SRV _kerberos._udp.tecmint.lan  # UDP Kerberos SRV record
$ host -t SRV _ldap._tcp.tecmint.lan # TCP LDAP SRV record
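As an added example (not part of the original article), the POSIX shell script below automates the checks from steps 13 and 16: it queries the SRV records an AD client relies on and verifies that each one points at this DC on the expected port, so a missing or misdirected record shows up before any machine is joined. It assumes the realm tecmint.lan and host adc1 from the article (override with the REALM and DC_HOST environment variables) and that the host utility is installed.

```shell
# Hypothetical post-provision DNS health check for a Samba AD DC.
# Assumed defaults taken from the article; override via the environment.
REALM="${REALM:-tecmint.lan}"
DC_HOST="${DC_HOST:-adc1}"

# Extract "port target" from one `host -t SRV` answer line, e.g.
# "_ldap._tcp.tecmint.lan has SRV record 0 100 389 adc1.tecmint.lan."
# Prints nothing for NXDOMAIN or any other non-answer line.
srv_port_target() {
    # fields: name has SRV record priority weight port target
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $(NF-1), $NF; exit }'
}

# Return 0 when the SRV answer points at this DC on the wanted port, else 1.
# Only the first answer line is considered (single-DC realm as in the article).
srv_points_here() {
    line=$1; want_port=$2
    set -- $(srv_port_target "$line")
    [ "$1" = "$want_port" ] && [ "$2" = "$DC_HOST.$REALM" ]
}

# Live check: query every record an AD client needs and report each one.
# Ports are the standard AD service ports: LDAP 389, Kerberos 88,
# kpasswd 464, Global Catalog 3268.
check_ad_dns() {
    rc=0
    for spec in "_ldap._tcp:389" "_kerberos._udp:88" "_kerberos._tcp:88" \
                "_kpasswd._udp:464" "_gc._tcp:3268"; do
        name=${spec%%:*}; port=${spec##*:}
        answer=$(host -t SRV "$name.$REALM" 2>/dev/null | grep 'has SRV record')
        if [ -z "$answer" ] || ! srv_points_here "$answer" "$port"; then
            echo "MISSING/WRONG: $name.$REALM (expected port $port on $DC_HOST.$REALM)"
            rc=1
        else
            echo "ok: $answer"
        fi
    done
    return $rc
}
```

Run `check_ad_dns` on the DC itself after step 15; a non-zero exit status means at least one record is absent or points somewhere other than this DC.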

17. Also, verify Kerberos authentication by requesting a ticket for the domain administrator account and listing the cached ticket. Write the domain name portion in uppercase.

$ kinit administrator@TECMINT.LAN
$ klist

Check Kerberos Authentication on Domain

That's all! You now have a fully operational AD Domain Controller in your network and you can start integrating Windows or Linux machines into the Samba AD.

In the next parts of the series we'll cover other Samba AD topics, such as how to manage the domain controller from the Samba command line, how to integrate Windows 10 into the domain and manage Samba AD remotely using RSAT, and other important topics.


Matei Cezar

I'm a computer addicted guy, a fan of open source and Linux based system software, with about 4 years of experience with Linux distributions (desktop and server) and bash scripting.


108 Responses

  1. Riccardo Sacchetto says:

    The guide is really great, congratulations. But I have a little problem… after changing the DNS (nameserver) so that it is local, copying the configuration file that you entered in the article, if I enter the command

    # ping google.it
    

    the output is "Unknown host".

    How can I fix it? I attach my configuration files. resolv.conf:

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 192.168.1.9
    nameserver 1.1.1.1
    search tng.lan
    

    interfaces:

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).
    source /etc/network/interfaces.d/*
    # The loopback network interface
    auto lo
    iface lo inet loopback
    # The primary network interface
    auto enp0s3
    iface enp0s3 inet static
    address 192.168.1.9
    netmask 255.255.255.0
    broadcast 192.168.1.1
    gateway 192.168.1.1
    dns-nameservers 127.0.0.1 192.168.1.9
    dns-search tng.local
    
  2. Steve says:

    Worked until this point: 11. Finally, rename or remove Kerberos main configuration file from /etc directory and replace it using a symlink with Samba newly generated Kerberos file located in /var/lib/samba/private path by issuing the below commands:

    $ sudo mv /etc/krb6.conf /etc/krb5.conf.initial
    $ sudo ln –s /var/lib/samba/private/krb5.conf /etc/
    

    Then I received:

    [email protected]:~$ sudo mv /etc/krb6.conf /etc/krb5.conf.initial
    mv: cannot stat '/etc/krb6.conf': No such file or directory
    
    [email protected]:~$ sudo ln –s /var/lib/samba/private/krb5.conf /etc/
    ln: failed to access '–s': No such file or directory
    ln: failed to create hard link '/etc/krb5.conf': File exists
    
  3. Anand Mane says:

    Hi Matei,

    Very nice article, I fully understand Samba connectivity with Windows and Ubuntu.

    Now my question: I have connected a Win-7 desktop to the Ubuntu Samba AD controller (I am using the Administrator login/password which I created using the kinit command), but I want to connect with a normal user. If you have any further steps, please help me.

    My connectivity is successfully done, but I want to log in with a normal user.

    Thanking you,

    Anand.

  4. weleh says:

    Many thanks. This tutorial was so helpful for me to create an AD server under Ubuntu.
    I will continue, using samba as sharing file/directory.

  5. Attila Ruzsinszky says:

    Hi,

    It was the best doc for Samba AD DC!
    I tried this description on my notebook with LXD containers, so not everything was trivial. (xattr + LXD!)

    I followed step-by-step and some things are not clear:

    0. The Kerberos example screenshots are almost unreadable (and that was the most problematic part of the setup for me). I haven’t used Kerberos, yet.
    1. Why do I need A record for domain itself? I don’t have.
    2. Where are these records? In my DNS server or AD?

        $ host -t SRV _kerberos._udp.tecmint.lan  # UDP Kerberos SRV record
        $ host -t SRV _ldap._tcp.tecmint.lan # TCP LDAP SRV record
    

    Are those a must? They don't have them, either.

    With this Samba AD DC I want to set up a user auth system for Win10 and Squid+SquidGuard using NTLM with SSO. I found that squid's normal plain text auth system – htpasswd – does not accept UTF-8 characters, so the Win "long" (or full) name login ID is not working, and I don't want two different ids for login and squid. I very much hope it will work shortly.

  6. James says:

    Great guide! I did have a question: I currently run DHCP on my Windows AD controller too. Could I also run DHCP on an Ubuntu using the documentation on https://help.ubuntu.com/lts/serverguide/dhcp.html AND still manage it with the RSAT tools in Windows?

    • Matei Cezar says:

      You cannot control a Linux DHCP server via RSAT in any way. They have different implementations in Linux and Windows, although they offer the same services. In Linux you can manage the server from the CLI and through its config files. However, you can set up both DHCP servers to assign IP addresses for your network, but use different network ranges and set up only one server as authoritative.

    • Attila Ruzsinszky says:

      It doesn’t work.

      I think, and I can see from the log, that the problem is in DNS, because dnsmasq is a very simple server and I don't know which records it needs.

  7. Rafael Pereira says:

    Congratulations!! Thanks a lot!!!

  8. Pat says:

    What a great article! Quick question. I had this running nicely for a while, but all of a sudden, my Windows 7 hosts cannot connect to shares in the AD anymore. I haven’t touched anything on the settings side of things.

    Are you aware of an update that might have broken things? My Mac hosts are still happily connecting with their domain accounts, but any windows 7 hosts just keep prompting for the password without allowing connection.

    • Matei Cezar says:

      It can be some update issue with Windows file sharing clients. Consult the Microsoft docs and verify whether SMBv1 has been disabled in the Windows client after applying the WannaCry updates.

      • Pat says:

        Thanks for the reply Matei. It turns out it was user error.

        The servers I was trying to connect to had been reconfigured in the DNS and there was a mistake with the CNAME and A Record being inverted. Simply fixing the DNS resolved the issue.

        I’m surprised it worked for so long after changing the DNS, I assume the entries were cached.

  9. Chris Restemayer says:

    kinit [email protected]

    Everything worked all the way up until that point. That command doesn't work for me. It rejects the password. This is a fresh install. I've put one, and only one, password on this computer, and that doesn't work, so I have no idea what it's asking for here.

    I've tried the one password that I've actually set; I've tried leaving it blank; I've tried "password," "administrator," and "admin." I'm out of ideas. What is this default password? More importantly, how do I change the password as root?

    Kpassword demands the old password, which I obviously don’t have.

    • Adrian says:

      I had the same issue and think that the administrator password that Kerberos uses is not set up during the domain provision. I was able to reset it using:

      # samba-tool user setpassword administrator
      
  10. Bas Auer says:

    Hi Matei,

    Yet again a great manual. You make admin life a lot easier!

    I have a question. Do you know when Ubuntu will release a more up to date Samba4 version? The version which is installed with Ubuntu 16.04.3 LTS is version 4.3.11-Ubuntu. Samba 4 version 4.3.11 has already been EOL since 2017-03-07.

    Or does Ubuntu maintain this version till the EOL of Ubuntu 16.04?

    • Matei Cezar says:

      You should check on Ubuntu Launchpad. I don't know what Ubuntu is planning regarding maintaining their versions of the Samba project.
