Samba4 is free, open source software that emulates the workings of Windows Server 2008 R2. It can function as a 2008 R2 Active Directory domain controller and as a file and print server for Windows and Linux clients.
If you are looking for a cost-effective yet secure way to set up your Active Directory infrastructure for Windows and Linux clients alike, then Samba4 is the way to go.
In this guide, we will look at how to install a Samba4 Active Directory domain controller on Debian 8.
INSTALL SAMBA4 ACTIVE DIRECTORY DOMAIN CONTROLLER ON DEBIAN 8.
First, install Debian 8 using this guide: https://topnetworkguide.com/debian-8-jessie/.
Remember that in our guide on how to install and configure a DHCP server on Ubuntu, we added a host to the DHCP server configuration so that it always dynamically receives the same IP address. In other words, the host has the same IP address as if it had been statically assigned to its interface.
However, if you choose to give the Samba server a static IP address instead, open the interfaces file:
#vi /etc/network/interfaces
and change the eth0 stanza to a static configuration. The address below is the one this guide uses for the AD server; the netmask and gateway are placeholders for your own network. The name server entry points at the DC itself, because the DC must be able to resolve its own domain, and dns-search carries the domain name:
iface eth0 inet static
address 192.168.100.12
netmask <your-netmask>
gateway <your-gateway>
dns-nameservers 192.168.100.12
dns-search carehealth.local
You can choose to change the hostname from debian to ad-wks by editing the hostname file:
#vi /etc/hostname
Enter ad-wks, or a hostname of your choice, then save and quit.
Also go to the hosts file, #vi /etc/hosts
and change the line 127.0.1.1 debian so that it maps the AD server's IP address to its fully qualified name followed by its short name: 192.168.100.12 ad-wks.carehealth.local ad-wks
Now run #service networking restart, and apply the new name to the running system with #hostname -F /etc/hostname, so the system uses the new hostname without a reboot.
Open up the sources.list file (/etc/apt/sources.list) and include:
deb http://httpredir.debian.org/debian jessie main
deb-src http://httpredir.debian.org/debian jessie main
deb http://httpredir.debian.org/debian jessie-updates main
deb-src http://httpredir.debian.org/debian jessie-updates main
Now run:
#apt-get update;apt-get upgrade;apt-get dist-upgrade
This installs the newest versions of all packages from the sources.list repositories and removes packages that must be removed before new ones can be installed, which avoids incompatibilities between packages.
Now install Samba together with the Kerberos, winbind, NSS and PAM packages it needs:
#apt-get install samba krb5-user winbind krb5-config libnss-winbind libpam-winbind
During installation, if you receive an error saying
Media change: please insert the disc labeled 'Debian GNU/Linux 7.0.0 _Wheezy_ - Official amd64 CD Binary-1 20130504-14:44' in the drive '/media/cdrom/' and press enter
simply go to your sources.list file and comment out the two lines starting with deb cdrom:, since the installation CD is no longer needed as a package source.
In the screen that pops up, enter the name of your domain in capital letters (this is the Kerberos realm) and hit OK to continue.
For the Kerberos servers for your realm, enter the same name as above in lower case and hit OK.
Next, enter the hostname of the administrative (password changing) server, which is again your domain name in lower case.
Now use systemctl to stop and disable the classic Samba daemons: smbd (file and print services), nmbd (the service that answers NetBIOS over TCP/IP), winbind, and the AD DC service, so that nothing is running while we provision:
#systemctl stop smbd.service nmbd.service winbind.service samba-ad-dc.service
#systemctl disable smbd.service nmbd.service winbind.service samba-ad-dc.service
Next, rename smb.conf with #mv /etc/samba/smb.conf /etc/samba/smb.conf.renamed so that provisioning creates a fresh smb.conf.
Provisioning a Samba Active Directory
According to the Samba wiki page "Setting up Samba as an Active Directory Domain Controller", we can provision Samba as an Active Directory server by running the command below:
#samba-tool domain provision --use-rfc2307 --interactive
RFC 2307 defines how POSIX user and group attributes (UIDs, GIDs, home directories, login shells) are stored in an LDAP directory; enabling it lets Linux clients integrate with the AD.
Enter your domain name in capital letters in the Realm field and press Enter to accept the defaults for the remaining prompts. You will be asked to set the Administrator password; this is the domain administrator account, so choose a strong one.
Sample provisioning session from the Samba wiki:
# samba-tool domain provision --use-rfc2307 --interactive
Realm [SAMDOM.EXAMPLE.COM]: SAMDOM.EXAMPLE.COM
Domain [SAMDOM]: SAMDOM
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [10.99.0.1]: 220.127.116.11
Administrator password: Passw0rd
Retype password: Passw0rd
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=samdom,DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: DC1
NetBIOS Domain: SAMDOM
DNS Domain: samdom.example.com
Because our version of Samba is 4.2, we have to create a symbolic link to the Kerberos configuration that provisioning generated; with version 4.7 and above this symbolic link is not needed.
To see your version of Samba, simply run #smbd -V
#mv /etc/krb5.conf /etc/krb5.conf.renamed
#ln -s /var/lib/samba/private/krb5.conf /etc/
To start the Samba server:
#systemctl start samba-ad-dc.service or #service samba-ad-dc start or simply enter samba
To enable Samba to start on boot:
#systemctl enable samba-ad-dc.service (on a sysvinit system the equivalent is #update-rc.d samba-ad-dc enable)
You can verify the domain functional level of your server by running:
#samba-tool domain level show
You can also confirm that your DNS settings are in place by looking at #vi /etc/resolv.conf
Now run #host -t A carehealth.local to test whether an A record exists for carehealth.local.
You can also verify Kerberos authentication by requesting a Kerberos ticket for the domain Administrator account with #kinit administrator. The Kerberos realm is appended automatically, so the password prompt shows the principal as administrator@CAREHEALTH.LOCAL.
List the cached tickets with #klist
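The name-resolution settings made earlier (hostname, /etc/hosts, resolv.conf) are the usual reason the DNS and Kerberos checks above fail. The following script is an added example, not part of the original guide, that checks those files for the guide's values (192.168.100.12, ad-wks.carehealth.local, ad-wks); it takes file paths as arguments and runs here against constructed copies, not the live system.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the name resolution
# the DC depends on. Assumes the guide's values; file paths are arguments so the
# checks can be pointed at the real files or at constructed test copies.

# /etc/hosts must map the DC's real IP to "fqdn short". A 127.0.1.1 mapping of
# the DC name (Debian's installer default) makes Samba publish a loopback address.
check_hosts_entry() {  # <hosts-file> <ip> <fqdn> <short>
    awk -v ip="$2" -v fqdn="$3" -v short="$4" '
        /^[ \t]*#/ { next }
        $1 == "127.0.1.1" && ($2 == fqdn || $2 == short) { bad = 1 }
        $1 == ip && $2 == fqdn && $3 == short { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }' "$1"
}

# /etc/resolv.conf: the DC must resolve against itself and search its own domain,
# otherwise the SRV lookups Kerberos and LDAP clients make for the domain fail.
check_resolv_conf() {  # <resolv-file> <dc-ip> <domain>
    awk -v ip="$2" -v dom="$3" '
        $1 == "nameserver" && $2 == ip { ns = 1 }
        $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if ($i == dom) srch = 1 }
        END { if (ns && srch) exit 0; exit 1 }' "$1"
}

# /etc/hostname must hold the short name, not the installer default "debian".
check_hostname_file() {  # <hostname-file> <short>
    [ "$(head -n 1 "$1" | tr -d '[:space:]')" = "$2" ]
}

# Demo on constructed files matching the guide (not the live system's files).
demo_dir=$(mktemp -d)
printf '127.0.0.1 localhost\n192.168.100.12 ad-wks.carehealth.local ad-wks\n' > "$demo_dir/hosts"
printf 'search carehealth.local\nnameserver 192.168.100.12\n' > "$demo_dir/resolv.conf"
printf 'ad-wks\n' > "$demo_dir/hostname"
for chk in \
    "check_hosts_entry $demo_dir/hosts 192.168.100.12 ad-wks.carehealth.local ad-wks" \
    "check_resolv_conf $demo_dir/resolv.conf 192.168.100.12 carehealth.local" \
    "check_hostname_file $demo_dir/hostname ad-wks"; do
    if $chk; then echo "OK   $chk"; else echo "FAIL $chk"; fi
done
rm -rf "$demo_dir"
```

Run it against the real files (/etc/hosts, /etc/resolv.conf, /etc/hostname) with your own IP and names; a FAIL on any of the three is worth fixing before looking at Samba itself.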
TESTING IF THIS WORKED
Power up a Windows machine and let us try to authenticate against the Samba4 Active Directory.
Right-click Computer => Properties => Change settings, and then click Change.
In the domain field, enter carehealth.local and click OK.
When you are prompted for a username and password, enter Administrator and the password you set while provisioning Samba4.
Not bad! Our setup was successful and we can begin adding users and computers to our Active Directory. However, at the moment we can only authenticate using the Administrator account.