Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1

Samba is a free Open Source software which provides a standard interoperability between Windows OS and Linux/Unix Operating Systems.

Samba can operate as a standalone file and print server for Windows and Linux clients through the SMB/CIFS protocol suite or can act as an Active Directory Domain Controller or joined into a Realm as a Domain Member. The highest AD DC domain and forest level that currently Samba4 can emulate is Windows 2008 R2.

The series will be titled Setting Up Samba4 Active Directory Domain Controller, which covers the following topics for Ubuntu, CentOS, and Windows:

Part 1: Install Active Directory Infrastructure with SAMBA4 on Ubuntu

This tutorial will start by explaining all the steps you need to take care of in order to install and configure Samba4 as a Domain Controller on Ubuntu 16.04 and Ubuntu 14.04.

This configuration provides a central management point for users, machines, volume shares, permissions and other resources in a mixed Windows and Linux infrastructure.

Requirements:

  1. Ubuntu 16.04 Server Installation.
  2. Ubuntu 14.04 Server Installation.
  3. A static IP Address configured for your AD DC server.

Step 1: Initial Configuration for Samba4

1. Before proceeding with your Samba4 AD DC installation, let’s first run a few prerequisite steps. Make sure the system is up to date with the latest security fixes, kernels and packages by issuing the below commands:

$ sudo apt-get update 
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade

2. Next, open the machine’s /etc/fstab file and make sure that your partitions’ file system has ACLs enabled, as illustrated in the below screenshot.

Common modern Linux file systems such as ext3, ext4, xfs or btrfs support ACLs and have them enabled by default. If that’s not the case with your file system, open /etc/fstab for editing, add the acl option to the mount options field of the partition’s entry, and reboot the machine in order to apply the change.

Enable ACLs on Linux Filesystem

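A small checker for step 2, added here as an example and not part of the original article: it decides, from fstab-formatted text, whether the filesystem holding Samba’s private directory is mounted with POSIX ACLs. The list of filesystems treated as ACL-enabled by default follows the article’s own statement; the sample fstab below is constructed.

```python
# Added example, not from the original article: decide whether the filesystem
# that holds Samba's private directory is mounted with POSIX ACLs (step 2).
# It works on fstab-formatted text, so it can be run against a copy; the
# "enabled by default" list follows the article's own statement.

ACL_BY_DEFAULT = {"ext3", "ext4", "xfs", "btrfs"}

# Constructed sample fstab (not from the article): /var explicitly turns ACLs off.
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options>         <dump> <pass>
UUID=aaaa-1111  /             ext4   errors=remount-ro 0      1
UUID=bbbb-2222  /var          ext4   defaults,noacl    0      2
UUID=cccc-3333  /home         xfs    defaults          0      2
"""

def parse_fstab(text):
    """Yield (mountpoint, fstype, option set) for every non-comment fstab entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        yield fields[1], fields[2], set(fields[3].split(","))

def mount_for(entries, path):
    """Return the entry whose mountpoint is the longest prefix of path, or None."""
    best = None
    for mountpoint, fstype, opts in entries:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, fstype, opts)
    return best

def acl_status(fstab_text, path="/var/lib/samba"):
    """Return 'enabled', 'disabled' or 'unknown' for the mount holding path."""
    entry = mount_for(parse_fstab(fstab_text), path)
    if entry is None:
        return "unknown"      # path is not covered by any fstab entry
    _, fstype, opts = entry
    if "noacl" in opts:
        return "disabled"     # ACLs explicitly switched off for this mount
    if "acl" in opts or fstype in ACL_BY_DEFAULT:
        return "enabled"
    return "disabled"         # neither the acl option nor a default-ACL fs type

def check_live_fstab(path="/var/lib/samba"):
    """Same check against the running system's /etc/fstab."""
    with open("/etc/fstab") as fh:
        return acl_status(fh.read(), path)

if __name__ == "__main__":
    print(acl_status(SAMPLE_FSTAB))   # disabled, because /var carries noacl
```

Run `check_live_fstab()` on the DC before provisioning; anything other than `enabled` means the fstab entry needs the acl option (or the noacl option removed) and a reboot.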
3. Finally, set your machine hostname to a descriptive name, such as adc1 used in this example, by editing the /etc/hostname file or by issuing:

$ sudo hostnamectl set-hostname adc1

A reboot is necessary after you’ve changed your machine name in order to apply changes.

Step 2: Install Required Packages for Samba4 AD DC

4. In order to transform your server into an Active Directory Domain Controller, install Samba and all the required packages on your machine by issuing the below command with root privileges in a console.

$ sudo apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind

Install Samba on Ubuntu

5. While the installation is running, the installer asks a series of questions in order to configure the domain controller.

On the first screen you need to enter the name of the Kerberos default REALM in uppercase. Enter the name you will be using for your domain in uppercase and hit Enter to continue.

Configuring Kerberos Authentication

6. Next, enter the hostname of the Kerberos server for your domain. Use the same name as your domain, in lowercase this time, and hit Enter to continue.

Set Hostname Kerberos Server

7. Finally, specify the hostname for the administrative server of your Kerberos realm. Use the same name as your domain and hit Enter to finish the installation.

Set Hostname Administrative Server

Step 3: Provision Samba AD DC for Your Domain

8. Before starting to configure Samba for your domain, run the below commands in order to stop and disable all Samba daemons.

$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

9. Next, rename or remove the original Samba configuration. This step is absolutely required before provisioning Samba AD, because at provision time Samba creates a new configuration file from scratch and will raise errors if it finds an old smb.conf file.

$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial

10. Now, start the domain provisioning interactively by issuing the below command with root privileges and accept the default options that Samba offers.

Also, make sure you supply the IP address of a DNS forwarder on your premises (or an external one) and choose a strong password for the Administrator account. If you choose a weak password for the Administrator account, the domain provisioning will fail.

$ sudo samba-tool domain provision --use-rfc2307 --interactive

Samba Domain Provisioning

11. Finally, rename or remove the main Kerberos configuration file from the /etc directory and replace it with a symlink to the Kerberos file newly generated by Samba in /var/lib/samba/private, by issuing the below commands:

$ sudo mv /etc/krb5.conf /etc/krb5.conf.initial
$ sudo ln -s /var/lib/samba/private/krb5.conf /etc/

Create Kerberos Configuration

12. Start and enable Samba Active Directory Domain Controller daemons.

$ sudo systemctl start samba-ad-dc.service
$ sudo systemctl status samba-ad-dc.service
$ sudo systemctl enable samba-ad-dc.service

Enable Samba Active Directory Domain Controller

13. Next, use the netstat command in order to verify the list of all services required by Active Directory to run properly.

$ sudo netstat -tulpn | egrep 'smbd|samba'

Verify Samba Active Directory

Step 4: Final Samba Configurations

14. At this point Samba should be fully operational on your premises. The highest domain level Samba emulates should be Windows AD DC 2008 R2.

This can be verified with the help of the samba-tool utility.

$ sudo samba-tool domain level show

Verify Samba Domain Level

15. In order for DNS resolution to work locally, you need to open and edit the network interface settings and point DNS resolution at the Domain Controller: modify the dns-nameservers statement to the IP address of your Domain Controller (use 127.0.0.1 for local DNS resolution) and the dns-search statement to point to your realm.

$ sudo cat /etc/network/interfaces
$ sudo cat /etc/resolv.conf

Configure DNS for Samba AD

When finished, reboot your server and take a look at your resolver file to make sure it points to the right DNS name servers.

16. Finally, test the DNS resolver by issuing queries and pings against some crucial AD DC records, as in the below excerpt. Replace the domain name accordingly.

$ ping -c3 tecmint.lan        # Domain Name
$ ping -c3 adc1.tecmint.lan   # FQDN
$ ping -c3 adc1               # Host

Check Samba AD DNS Records

Run the following queries against the Samba Active Directory Domain Controller.

$ host -t A tecmint.lan
$ host -t A adc1.tecmint.lan
$ host -t SRV _kerberos._udp.tecmint.lan  # UDP Kerberos SRV record
$ host -t SRV _ldap._tcp.tecmint.lan # TCP LDAP SRV record

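The two DNS checks above are where most of the reports in the comments below go wrong, so here is a small checker for the step 15 settings, added here as an example and not part of the original article. It parses the dns-nameservers/dns-search lines of an /etc/network/interfaces stanza and the nameserver/search lines of /etc/resolv.conf and reports anything that would make the step 16 lookups fail; dc_ip and realm are whatever you chose at provisioning, and the sample files are constructed.

```python
# Added example, not from the original article: check the resolver settings
# that step 15 asks for on the DC itself. Both parsers take file text, so the
# check can run on a copy; dc_ip and realm are the provisioning-time values.

def parse_dns_settings(text, server_key, search_keys):
    """Collect nameserver and search-domain values from a key/value config file."""
    servers, search = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue
        if fields[0] == server_key:
            servers += fields[1:]
        elif fields[0] in search_keys:
            search += fields[1:]
    return servers, search

def parse_ifupdown(text):
    """/etc/network/interfaces stanza, as edited in step 15."""
    return parse_dns_settings(text, "dns-nameservers", ("dns-search",))

def parse_resolv_conf(text):
    """/etc/resolv.conf, as checked after the reboot."""
    return parse_dns_settings(text, "nameserver", ("search", "domain"))

def resolver_problems(servers, search, dc_ip, realm):
    """Return findings; an empty list means the settings match step 15."""
    problems = []
    dc_addrs = {"127.0.0.1", dc_ip}
    if not servers:
        problems.append("no nameserver configured")
    elif servers[0] not in dc_addrs:
        problems.append("first nameserver %s is not the DC; AD records will not resolve" % servers[0])
    # A foreign resolver later in the list is only consulted when the DC times out,
    # so it cannot answer AD queries and only hides a DC that is down.
    for server in servers[1:]:
        if server not in dc_addrs:
            problems.append("nameserver %s is not the DC and cannot answer AD queries" % server)
    if realm.lower() not in [d.lower() for d in search]:
        problems.append("search list %s lacks the realm %s, so short names such as adc1 "
                        "will not resolve through the domain" % (search, realm.lower()))
    return problems

# Constructed samples: the interfaces stanza follows step 15, the resolv.conf does not.
SAMPLE_INTERFACES = """\
iface eth0 inet static
        dns-nameservers 127.0.0.1 192.168.1.14
        dns-search      tecmint.lan
"""
SAMPLE_RESOLV = """\
nameserver 8.8.8.8
nameserver 127.0.0.1
search example.lan
"""
```

Feed the output of `cat /etc/network/interfaces` and `cat /etc/resolv.conf` to the matching parser and pass the result to `resolver_problems()`; an empty list is the state the article expects before step 16.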
17. Also, verify Kerberos authentication by requesting a ticket for the domain administrator account and listing the cached ticket. Write the domain name portion in uppercase.

$ kinit administrator@TECMINT.LAN
$ klist

Check Kerberos Authentication on Domain

That’s all! Now you have a fully operational AD Domain Controller installed in your network and you can start integrating Windows or Linux machines into Samba AD.

In the next parts of the series we’ll cover other Samba AD topics, such as how to manage the domain controller from the Samba command line, how to integrate Windows 10 into the domain and manage Samba AD remotely using RSAT, and other important topics.

Matei Cezar


  1. Edson says:

    There is an error in this piece if you use ctrl+c and ctrl-v.

    $ host –t A tecmint.lan
    $ host –t A adc1.tecmint.lan
    $ host –t SRV _kerberos._udp.tecmint.lan  # UDP Kerberos SRV record
    

    It’s written with a "–" instead of a "-".

  2. Micha de Vries says:

    Hi, so, it all works fine on the server, though I cannot ping the domain on the client. How is that?
    (And yes, I set the only DNS server to the Samba DC server.)

    • Micha de Vries says:

      Oh, and the administrator account at the last step doesn’t seem to exist.

    • Peter Galgano says:

      Check the DNS network settings of your client; maybe it doesn’t address the IP of the AD server. Set the first DNS server and/or gateway address in the client’s IPv4 settings to the address of the AD server. You may need to change your DHCP settings for the clients.

      • Peter Galgano says:

        Oh, and it is common that the Administrator password doesn’t seem to be set by provisioning. Use samba-tool to set a new password.

  3. Kai Wadsack says:

    Thanks for this really great tutorial. It’s by far the most comprehensive I could find on the web.
    Still it leaves one unanswered question to me:

    Is this a Ubuntu/Samba only solution or can we go a mixed way with one Windows Server based DC and an additional Ubuntu DC?

    Suppose you wanted to replace an existing Windows Server 2012 R2 based DC with an Ubuntu based DC, can we still follow the steps described in “Part 5: Join an Additional Ubuntu DC to Samba4 AD DC” and join the additional Ubuntu DC to the AD and later remove the Windows based DC from the domain?

    Or should we start from scratch? Too scared to try this out myself.

  4. Tony Mcmahon says:

    Has anyone done this on Ubuntu 18.04? Are any of the steps different?

    • Antonis Desillas says:

      I tried it some time ago. You have to use netplan (https://www.tecmint.com/configure-network-static-ip-address-in-ubuntu/) instead of /etc/network/interfaces. If I remember well, I could not get the ping to work because you cannot use resolv.conf, and I didn’t get much further after that.

      • Rusty says:

        What I’ve done and am doing again now, is install and get everything running on 16.04 and then upgrade to 18.04. That seems to work. I’ve done it on two domain controllers without issue.

      • eks says:

        If you are using netplan, you can do this to get the DNS servers set in the netplan config file.

        # unlink /etc/resolv.conf
        # ln -snf /var/run/systemd/resolve/resolv.conf /etc/
        
        • Peter Galgano says:

          I had a further problem related to netplan, that took a while to find.

          By default, systemd-resolved (a local DNS caching service) takes port 53, so the internal DNS in Samba can’t start.

          I think it will be necessary to disable systemd-resolved from starting.

  5. Thank you for the perfect tutorial! I had the same problems with DNS where I could not ping the server. I found out after a second installation attempt, that I should follow the steps exactly as mentioned here and at the Ubuntu server installation instructions https://www.tecmint.com/installation-of-ubuntu-16-04-server-edition/ and after that everything worked fine.

    On my first attempt I installed the Linux server without looking at the installation instructions and I installed the system as usual. So I pre-installed DNS and other features, encrypted my home folder, and did not interrupt the network detection process to enter the settings manually.

    I also skipped step 3 from this page. On the second attempt I just entered the same hostname as on the installation process. I think this, or the pre-installed DNS server caused the problem.

    I also found two typos:
    At step 11, sudo mv /etc/krb6.conf /etc/krb5.conf.initial should be sudo mv /etc/krb5.conf /etc/krb5.conf.initial, and at step 11 it should be broadcast.

  6. HJ Z says:

    Great tutorial,

    I did this on a Debian 9.6. Most things worked fine.

    I had to systemctl unmask samba-ad-dc, and install net-tools.

    I checked with smbclient -L localhost %U. It puzzles me why Workgroup always returns WORKGROUP?

  7. Juston Griggs says:

    Hello!

    Great Document, however, everything works for up to Step 16, when I do the command:

    # ping –c3 goneoweb.local
    

    I get the error

    ping: unknown host –c3
    

    Here is my /etc/network/interfaces and my /etc/resolv.conf.

    iface eth0 inet static
            address                 10.16.24.50
            netmask                 255.255.255.0
            broadcast               10.16.24.255
            gateway                 10.16.24.1
            dns-nameservers         127.0.0.1 10.16.24.50
            dns-search              goneoweb.local
    
    nameserver 10.16.24.50
    search goneoweb.local
    

    I’m kind of at a standstill. I’m in the process of setting this up for use with my small business, 3 computers, and 6 users. So any help would be greatly appreciated! Again, great article! Thanks

    • Cezar Matei says:

      Add 127…. to the resolv.conf file. Why do you use the second nameserver? Is that a DC also? If not, leave only 127… in both files.

      • Juston O Griggs says:

        The machine I’m setting all this up on has a static IP of 10.16.24.50, so I don’t need to reference that in the resolv.conf?

      • FauxKalEl says:

        Very good guide, but I still have a problem with step 16. I tried many things, but when using Ubuntu Server 18.04.2 (with the alternative installer that is probably the same as with standard 16.04), and configuring netplan, etc., I can’t ping the domain.

        --------------------------------------------
        ping -c3 jakisserwer
        PING JakisSerwer.Business (127.0.1.1) 56(84) bytes of data.
        --------------------------------------------
        ping -c3 jakis.lan
        ping: jakis.lan: Name or service not known
        --------------------------------------------
        

        krb5.conf:

        [libdefaults]
                default_realm = SPBYCHLEW.LAN
                dns_lookup_realm = false
                dns_lookup_kdc = true
        --------------------------------------------------------
        

        /etc/hosts:

        127.0.0.1       localhost
        127.0.1.1       JakisSerwer.Business        JakisSerwer
        
        # The following lines are desirable for IPv6 capable hosts
        ::1     localhost ip6-localhost ip6-loopback
        ff02::1 ip6-allnodes
        ff02::2 ip6-allrouters
        

        resolv.conf:

        nameserver 127.0.0.1
        nameserver 192.168.0.77
        search jakis jakis.lan office
        

        netplan:

        # This file describes the network interfaces available on your system
        # For more information, see netplan(5).
        network:
          version: 2
          renderer: networkd
          ethernets:
            eno1:
        
              dhcp4: no
              addresses: [192.168.0.77/24]
              gateway4:  192.168.0.1
              nameservers:
                  search: [jakis, jakis.lan]
                  addresses: [127.0.0.1, 192.168.0.77]
        
  8. Michael Weber says:

    It’s a very nice guide to read, thank you for that. Still I have one issue I cannot figure out:

    The DNS.

    I can ping rowdyserver
    I can ping rowdyserver.lindelaan.lan

    but I don’t get any answer when I just ping lindelaan.lan

    my resolv.conf looks like this:

    nameserver 127.0.0.1
    nameserver 192.168.2.7
    nameserver 8.8.8.8
    search feuer.lan

    and I have no idea where to look to fix that.

  9. Venkatesh says:

    Thanks for this interesting tutorial. I have configured the Samba server on my system. But after the setup, the internet is not working. I am getting the below-mentioned error. Please guide me to resolve the issue.

    FYI, the error I get is “Failed to start Raise network interfaces.” when restarting the networking service.

  10. Mohan N says:

    I am a newbie on Ubuntu as AD Server. I was going through the steps on this article on osx-virtualbox-ubuntu16 (host-only + nat). The same VM also has DNS (bind9), will be adding DHCP here as well if all goes well. :)

    For the DNS to be able to work for “host -t A tecmint.lan” what kind of record should be there in the DNS?
