Samba4 Active Directory Domain Controller on Debian 8

Samba4 Active Directory Domain Controller

Samba4 is free and open source software that emulates the workings of Windows Server 2008 R2. It can function as a 2008 R2 Active Directory domain controller and as a file and print server for Windows and Linux clients.
If you are looking for a cost-effective, yet secure way to set up your Active Directory infrastructure for your Windows and Linux clients alike, then Samba4 is the way to go.

  1. Install Samba4 Active directory domain controller on debian 8.

  2. Manage Samba4 Active Directory Using RSAT on windows 7

  3. Manage Samba4 DNS, GROUP POLICY USING RSAT

  4. JOIN UBUNTU DESKTOP TO SAMBA4 ACTIVE DIRECTORY.

In this guide, we will look at how to install a Samba4 Active Directory domain controller on Debian 8.

INSTALL SAMBA4 ACTIVE DIRECTORY DOMAIN CONTROLLER ON DEBIAN 8.

First install debian 8 using this guide, https://topnetworkguide.com/debian-8-jessie/.

Remember that in our guide, how to install and configure dhcp server on ubuntu, we added a host to our DHCP server configuration that will always dynamically receive the same IP address. In other words, the host will have the same IP address as if the address had been statically applied to its interface.

dhcp lease

However, if you choose to give the Samba server a static IP address, simply do:

#su

#vi /etc/network/interfaces

and edit the interface eth0 to

iface eth0  inet static

   address 192.168.x.x
   netmask 255.255.255.0
   network 192.168.x.x
   broadcast x.x.x.x
   gateway 192.168.x.x
   dns-nameservers x.x.x.x
   dns-search type domain-name here

You can choose to change the hostname from debian to ad-wks by:

#vi /etc/hostname

Enter ad-wks or a hostname of your choice. Then save and quit.

Also go to the hosts file, #vi /etc/hosts

and change the line 127.0.1.1 debian so that it maps the IP address of your AD server to its fully qualified name and short name, for example:

192.168.100.12 ad-wks.carehealth.local ad-wks

edit hosts file

Now do a #service networking restart to force the system to use the new hostname without a reboot.
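A domain controller must resolve its own name to the static address, not to the 127.0.1.1 line Debian writes by default, otherwise the loopback address ends up registered in the DC's own DNS zone. The following script is an added example, not part of the original guide, that checks an /etc/hosts-style file for exactly that condition; the hostname ad-wks, the domain carehealth.local and the address 192.168.100.12 are the values used in this guide and are assumed here.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that /etc/hosts maps the
# DC's FQDN and short name to its static address and to nothing else.
# Assumed values: hostname ad-wks, domain carehealth.local, IP 192.168.100.12.

# check_hosts_file FILE FQDN IP
#   Returns 0 when FILE maps FQDN (or its short name) to IP and no other line
#   maps either name to a different address (e.g. the stock 127.0.1.1 entry).
check_hosts_file() {
    file="$1"; fqdn="$2"; ip="$3"
    short="${fqdn%%.*}"
    # Drop comments, collapse runs of whitespace, drop empty lines.
    entries=$(sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$file" | grep -v '^$')
    good=0; bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        addr="${line%% *}"
        names=" ${line#* } "
        case "$names" in
            *" $fqdn "*|*" $short "*)
                if [ "$addr" = "$ip" ]; then good=1; else bad=1; fi ;;
        esac
    done <<EOF
$entries
EOF
    if [ "$good" -eq 1 ] && [ "$bad" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Demo on a constructed hosts file that still carries the default 127.0.1.1 line.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
127.0.0.1       localhost
127.0.1.1       ad-wks
192.168.100.12  ad-wks.carehealth.local ad-wks
EOF
if check_hosts_file "$tmp" ad-wks.carehealth.local 192.168.100.12; then
    echo "constructed file: ok"
else
    echo "constructed file: FAIL (a name still maps to another address)"
fi
rm -f "$tmp"

# Live check of the real file when FQDN and IP are given on the command line.
if [ $# -eq 2 ]; then
    if check_hosts_file /etc/hosts "$1" "$2"; then
        echo "/etc/hosts: ok"
    else
        echo "/etc/hosts: FAIL"
        exit 1
    fi
fi
```

Run it as `sh check-hosts.sh ad-wks.carehealth.local 192.168.100.12` before provisioning; the constructed demo file fails on purpose because the 127.0.1.1 line has not been replaced, which is exactly the mistake the step above corrects.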

Open up the sources.list file and include the following lines:

#vi /etc/apt/sources.list

deb http://httpredir.debian.org/debian jessie main
deb-src http://httpredir.debian.org/debian jessie main

deb http://httpredir.debian.org/debian jessie-updates main
deb-src http://httpredir.debian.org/debian jessie-updates main

add jessie to sources.list file

Now run:

#su

#apt-get update;apt-get upgrade;apt-get dist-upgrade

This installs the newest versions of all packages from the sources.list file and removes packages that need to be removed before new packages can be installed, avoiding incompatibilities between packages.

Now install Samba together with the Kerberos and Winbind packages it depends on:

#apt-get install samba krb5-user winbind krb5-config libnss-winbind libpam-winbind

install-samba-and-some-packages

During installation, if you receive an error saying

Media change: please insert the disc labeled
 'Debian GNU/Linux 7.0.0 _Wheezy_ - Official amd64 CD Binary-1 20130504-14:44'
in the drive '/media/cdrom/' and press enter

Simply go to your sources.list file and comment out the two lines starting with deb cdrom: as shown below:

cd rom error

Enter the name of your domain in capital letters in the screen that pops up and hit OK to continue.

default kerberos

For Kerberos authentication, enter the same name as above in lower case and hit OK.

kerberos authentication

Next enter the hostname for the password changing server, which is again your domain name in lower case.

hostname for password changing server

Now use systemctl to stop and disable the file and print services, the service that replies to NetBIOS over TCP/IP, and the winbind service, so they do not conflict with the AD DC service:

#systemctl stop smbd.service nmbd.service winbind.service samba-ad-dc.service

#systemctl disable smbd.service nmbd.service winbind.service samba-ad-dc.service

Next, rename smb.conf with #mv /etc/samba/smb.conf /etc/samba/smb.conf.renamed so that provisioning will create a new smb.conf.

Provisioning a Samba Active Directory

According to the Samba wiki, setting up Samba as an Active Directory domain controller, we can provision Samba as an Active Directory server by running the command below:

#samba-tool domain provision --use-rfc2307 --interactive

provision ad in interactive mode

RFC 2307 defines how Unix user and group information can be stored in an LDAP directory, which is what allows Linux clients to be integrated with the AD.

Enter your domain name in capital letters in the Realm field and accept the defaults for the remaining prompts.

sample configuration from samba wiki

# samba-tool domain provision --use-rfc2307 --interactive
Realm [SAMDOM.EXAMPLE.COM]: SAMDOM.EXAMPLE.COM
Domain [SAMDOM]: SAMDOM
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [10.99.0.1]: 8.8.8.8
Administrator password: Passw0rd
Retype password: Passw0rd
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=samdom,DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              DC1
NetBIOS Domain:        SAMDOM
DNS Domain:            samdom.example.com

Because our Samba version is 4.2, we have to replace /etc/krb5.conf with a symbolic link to the Kerberos configuration that provisioning generated; with Samba 4.7 and above this step is not needed.

To see your version of Samba, simply run #smbd -V

#mv /etc/krb5.conf /etc/krb5.conf.renamed

#ln -s /var/lib/samba/private/krb5.conf /etc/

create symbolic link

To start the Samba server:

#systemctl start samba-ad-dc.service or #service samba-ad-dc start or simply enter samba

To enable Samba to start on boot:

#systemctl enable samba-ad-dc.service (on a sysvinit-only system, #update-rc.d samba-ad-dc enable)

You can verify the domain functional level of your server by running:

#samba-tool domain level show

domain level show

VERIFY DNS

You can also confirm that you have your DNS in place by looking at #vi /etc/resolv.conf

confirm dns.

Now run #host -t A carehealth.local to test that you have an A record for carehealth.local.
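Two things need to be true for Windows and Linux clients to find the new DC: the DC itself must resolve through its own internal DNS server (so the nameserver in /etc/resolv.conf should be the DC's own address), and the AD service records (_ldap._tcp, _kerberos._udp and _kerberos._tcp under the realm) must point at the DC, not just the A record tested above. The script below is an added example, not part of the original guide, that checks both; it assumes the DC address 192.168.100.12, the realm carehealth.local and the DC name ad-wks.carehealth.local from this guide, and the `host` output format shown in its comments.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that this host resolves
# through the DC and that the AD SRV records point at it.
# Assumed values: DC 192.168.100.12, realm carehealth.local, DC ad-wks.carehealth.local.

# check_resolv_conf FILE DC_IP DOMAIN
#   Returns 0 when the first nameserver in FILE is DC_IP and DOMAIN appears in
#   the search (or domain) directive. A forwarder listed first would let the
#   DC's own lookups bypass the AD zone, so only the first nameserver counts.
check_resolv_conf() {
    file="$1"; dc_ip="$2"; domain="$3"
    first_ns=$(sed -e 's/#.*//' "$file" | awk '$1=="nameserver"{print $2; exit}')
    in_search=$(sed -e 's/#.*//' "$file" | awk -v d="$domain" \
        '$1=="search"||$1=="domain"{for(i=2;i<=NF;i++) if($i==d) found=1} END{print found+0}')
    if [ "$first_ns" = "$dc_ip" ] && [ "$in_search" = "1" ]; then
        return 0
    fi
    return 1
}

# srv_target OUTPUT
#   Extracts the target host from `host -t SRV` output such as
#   "_ldap._tcp.carehealth.local has SRV record 0 100 389 ad-wks.carehealth.local."
#   and prints it without the trailing dot; prints nothing when no record exists.
srv_target() {
    printf '%s\n' "$1" | awk '/has SRV record/ {sub(/\.$/, "", $NF); print $NF; exit}'
}

# verify_dc_dns REALM DC_FQDN
#   Queries the SRV records every AD client relies on plus the DC's A record;
#   prints one line per check and returns non-zero if any of them is missing.
verify_dc_dns() {
    realm="$1"; dc="$2"; rc=0
    for name in "_ldap._tcp.$realm" "_kerberos._udp.$realm" "_kerberos._tcp.$realm"; do
        out=$(host -t SRV "$name" 2>&1)
        target=$(srv_target "$out")
        if [ "$target" = "$dc" ]; then
            echo "ok   $name -> $target"
        else
            echo "FAIL $name: $out"; rc=1
        fi
    done
    if host -t A "$dc" >/dev/null 2>&1; then
        echo "ok   A $dc"
    else
        echo "FAIL A $dc"; rc=1
    fi
    return $rc
}

# Demo on a constructed resolv.conf; the live DNS queries only run with --live.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
search carehealth.local
nameserver 192.168.100.12
EOF
if check_resolv_conf "$tmp" 192.168.100.12 carehealth.local; then
    echo "constructed resolv.conf: points at the DC"
fi
rm -f "$tmp"

if [ "$1" = "--live" ]; then
    check_resolv_conf /etc/resolv.conf 192.168.100.12 carehealth.local \
        || echo "WARN /etc/resolv.conf does not use the DC as first nameserver"
    verify_dc_dns carehealth.local ad-wks.carehealth.local
fi
```

Run `sh verify-dc-dns.sh --live` on the DC after it has been started; a missing SRV record usually means the DC was provisioned while its hostname still mapped to 127.0.1.1 or the client is resolving through a forwarder that does not know the AD zone.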

You can also verify Kerberos authentication by requesting a Kerberos ticket for the domain Administrator account. The Kerberos realm is appended automatically, as shown below.

#kinit administrator

kinit-administrator

List cached tickets by:

#klist

klist

TESTING IF THIS WORKED

Power up a Windows machine and let us try to authenticate against the Samba4 Active Directory.

Right click computer => Properties => change settings and then click change.

setting in computer properties

In the domain field, enter carehealth.local and click ok.

carehealth

When you are prompted for a username and password, enter Administrator and the password you set while provisioning Samba4.

enter password

Not bad! Our setup was successful and we can begin adding users and computers to our Active Directory. However, at the moment, we can only authenticate using the Administrator account.

Next: Manage Samba4 Active Directory Using RSAT on windows 7
