Active Directory Domain Controller on Ubuntu 14.04 (Samba internal DNS)
Server Setup:
Hostname: dc1
Domain name: mydomain.local
O/S – Ubuntu 14.04 LTS
HDD: 20GB (Thin Provisioning) – LVM
No HDD Encryption
Memory: 4GB
Time Zone: Africa/Johannesburg
Networking:
IP 192.168.1.55
SM: 255.255.255.0
GW: 192.168.1.1
Installed Packages with initial installation: OpenSSH Server
Once the installation was done, log in as the user you created on the server.
Ubuntu ships with the root account locked. The rest of this guide runs as root, so either set a root password:
sudo passwd root
Enter your new root password, then become root with su; or leave root locked and use sudo -i instead (the safer choice; every command below works the same either way).
By default Ubuntu 14.04 does not allow you to ssh in as root, so log on to the server as your own user and then su to root:
digit@dc1:~$ su
Password:
root@dc1:/home/digit#
Now you will need to configure your network interface for a static IP.
(We'll use 192.168.1.55 as the IP for this domain controller, dc1 as the host name, dc1.mydomain.local as its FQDN and MYDOMAIN.LOCAL as the Kerberos realm. Note that the .local suffix collides with multicast DNS (Avahi/Bonjour); for anything beyond a lab, use a subdomain of a domain you own, such as ad.example.com.)
Edit your /etc/network/interfaces file.
vi /etc/network/interfaces
Change iface eth0 inet dhcp to iface eth0 inet static, then add these lines:
address 192.168.1.55
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
dns-nameservers 8.8.8.8
dns-search mydomain.local
Save and close (:wq).
On Ubuntu 14.04 resolvconf regenerates /etc/resolv.conf from the dns-nameservers and dns-search lines at every boot and interface restart. 8.8.8.8 is fine while you still need to fetch packages, but once Samba is running this must be changed to 192.168.1.55 (the DC itself), as done further down; a hand edit of /etc/resolv.conf alone is lost at the next restart.
Then we need to configure our /etc/hosts file like so:
127.0.0.1 localhost.localdomain localhost
192.168.1.55 dc1.mydomain.local dc1
If the installer added a 127.0.1.1 line for dc1, remove it: Samba registers the first address the host name resolves to, and that must be the static address, not loopback.
Save and close, then run
echo dc1.mydomain.local > /etc/hostname
Now restart networking so that the changes take effect:
/etc/init.d/networking restart
If the interface does not come up with the new address (this script is unreliable for a DHCP-to-static change on 14.04), run ifdown eth0 && ifup eth0 or reboot.
Now we need to install the prerequisites for Samba, Kerberos etc.
apt-get update && apt-get upgrade -y
Now we install most of the packages that we will require (about 67MB at the time of writing):
apt-get install git build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev ntp -y
The krb5-user package will ask for Kerberos information. When asked for the default realm, enter MYDOMAIN.LOCAL (realm names are conventionally upper case), and dc1 as both the Kerberos server and the administrative server:
Default Kerberos version 5 realm: MYDOMAIN.LOCAL
Enter the hostnames of Kerberos servers in the MYDOMAIN.LOCAL Kerberos realm separated by spaces.
Kerberos servers for your realm: dc1
Enter the hostname of the administrative (password changing) server for the MYDOMAIN.LOCAL Kerberos realm.
Administrative server for your Kerberos realm: dc1
(These answers only populate /etc/krb5.conf; the provision step later generates a krb5.conf of its own that replaces it.)
Restart your server
init 6
We will be installing Samba 4 from the Samba git repository. A plain clone gives you the master branch, which is a development snapshot (the version strings below read 4.2.0pre1-GIT-...), not a release; for a production DC check out a release tag (git tag -l, then git checkout <tag>) or use distribution packages. The git:// protocol is unauthenticated, so prefer https://git.samba.org/samba.git, which lets git verify the server's certificate.
git clone git://git.samba.org/samba.git /usr/src/samba4/
Now let's compile and install Samba:
cd /usr/src/samba4/
./configure --enable-debug --enable-selftest
make
make install
Note:
If you run the configure command without any extra parameter, Samba is installed under /usr/local/samba; use the --prefix option to specify a different installation directory (the paths in the rest of this guide assume the default).
Depending on your machine, this may take a while (15-20 minutes).
Before running the provision step, make sure the following things are in place.
vi /etc/hosts
Make sure your hosts file looks something like this:
127.0.0.1 localhost
192.168.1.55 dc1.mydomain.local dc1
Make sure your hostname is correct:
root@dc1:/usr/src/samba4# hostname
dc1.mydomain.local
root@dc1:/usr/src/samba4#
Set your DNS server to point to the local server. Because resolvconf rewrites /etc/resolv.conf, make the change in /etc/network/interfaces (dns-nameservers 192.168.1.55, dns-search mydomain.local) and run ifdown eth0 && ifup eth0, then check the result:
vi /etc/resolv.conf
nameserver 192.168.1.55
search mydomain.local
Until Samba is running, this DC cannot resolve anything at all, which is expected; the forwarder configured in smb.conf further down takes care of outside names.
If the above steps complete without any error, you can move ahead to the provisioning step.
Add the new Samba location to your PATH in ~/.bashrc (this applies to new shells; run source ~/.bashrc for the current one):
vi ~/.bashrc
export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin
Now let's provision the new domain.
For now we use Samba's internal DNS; we can always switch to BIND later.
/usr/local/samba/bin/samba-tool domain provision --realm=mydomain.local --domain=MYDOMAIN --adminpass="Passw0rd" --server-role=dc --dns-backend=SAMBA_INTERNAL
Passing --adminpass on the command line puts the domain Administrator password into your shell history and into the process list while the command runs. Leave the option out and samba-tool prompts for it instead. The password has to satisfy the default complexity policy; Passw0rd is only a placeholder here, and this account is the most valuable credential in the domain, so choose a long passphrase.
You should see something like this:
root@dc1:/usr/src/samba4# /usr/local/samba/bin/samba-tool domain provision --realm=mydomain.local --domain=MYDOMAIN --adminpass="Passw0rd" --server-role=dc --dns-backend=SAMBA_INTERNAL
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=mydomain,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              dc1
NetBIOS Domain:        MYDOMAIN
DNS Domain:            mydomain.local
DOMAIN SID:            S-1-5-21-3071701496-2123785088-2579521527
root@dc1:/usr/src/samba4#
Now let's start Samba:
/usr/local/samba/sbin/samba
Check the samba and smbclient versions (they should match):
root@dc1:/usr/src/samba4# /usr/local/samba/sbin/samba -V
Version 4.2.0pre1-GIT-6da8126
root@dc1:/usr/src/samba4# /usr/local/samba/bin/smbclient -V
Version 4.2.0pre1-GIT-6da8126
root@dc1:/usr/src/samba4#
Listing the shares anonymously (-U% means an empty user and password) will show you the sysvol and netlogon shares etc.:
/usr/local/samba/bin/smbclient -L localhost -U%
You should see something like this:
root@dc1:/usr/src/samba4# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-6da8126]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.2.0pre1-GIT-6da8126)
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-6da8126]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
root@dc1:/usr/src/samba4#
Now we can check authentication:
/usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%"Passw0rd" -c 'ls'
(Like --adminpass above, -U user%password lands in your shell history; leave out the %password part to be prompted.)
The response should be this:
root@dc1:/usr/src/samba4# /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%"Passw0rd" -c 'ls'
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-6da8126]
  .                                   D        0  Wed Jun 11 13:55:54 2014
  ..                                  D        0  Wed Jun 11 13:56:04 2014

                16116664 blocks of size 1024. 12670940 blocks available
root@dc1:/usr/src/samba4#
**NOTE**: If you receive the following error:
session setup failed: NT_STATUS_LOGON_FAILURE
make sure that your DNS settings are correct in /etc/network/interfaces and in /etc/resolv.conf, then run the command again.
Your DNS should point to the local machine: the name and realm lookups behind the logon have to be answered by this DC's own DNS, which a public resolver cannot do.
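The checks above (the hosts-file, hostname and resolv.conf checklist before provisioning, and the NT_STATUS_LOGON_FAILURE note) are the ones that get skipped and then cost an hour. The script below is an added example, not code from the original page or from Samba: it parses /etc/hosts and /etc/resolv.conf the way the resolver does and reports anything that would make the DC unable to find itself. The sample inputs at the bottom are constructed for this example; the values for the IP, host name and domain are the ones used throughout this guide.

```python
#!/usr/bin/env python
"""Pre-provision sanity checks for a Samba AD DC (added example).

File contents are passed in as strings so the checks can be exercised against
sample data; the __main__ block runs them against the live files.
"""
import socket
import sys

DC_IP = "192.168.1.55"          # values from this guide
DC_FQDN = "dc1.mydomain.local"
DC_SHORT = "dc1"
SEARCH_DOMAIN = "mydomain.local"


def parse_hosts(text):
    """Return {name: ip} for every name in /etc/hosts-style text.
    The first mapping for a name wins, which is what the resolver uses."""
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            names.setdefault(name.lower(), fields[0])
    return names


def parse_resolv(text):
    """Return (nameservers, search_domains) from resolv.conf text."""
    nameservers, search = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] in ("search", "domain"):
            search.extend(f.lower() for f in fields[1:])
    return nameservers, search


def check_dc_resolution(hosts_text, resolv_text, hostname):
    """Return a list of problems; an empty list means the DC can find itself."""
    problems = []
    if hostname.lower() not in (DC_FQDN, DC_SHORT):
        problems.append("hostname is %r, expected %r" % (hostname, DC_FQDN))

    names = parse_hosts(hosts_text)
    for name in (DC_FQDN, DC_SHORT):
        ip = names.get(name)
        if ip is None:
            problems.append("/etc/hosts has no entry for %s" % name)
        elif ip != DC_IP:
            # The Ubuntu installer's 127.0.1.1 line makes Samba register the
            # loopback address in AD DNS instead of the static address.
            problems.append("/etc/hosts maps %s to %s, expected %s" % (name, ip, DC_IP))

    nameservers, search = parse_resolv(resolv_text)
    if not nameservers:
        problems.append("resolv.conf has no nameserver line")
    elif nameservers[0] != DC_IP:
        # The first nameserver is the one queried; 8.8.8.8 cannot answer for
        # _ldap._tcp.mydomain.local, so Kerberos and LDAP lookups fail.
        problems.append("first nameserver is %s, expected the DC itself (%s)" % (nameservers[0], DC_IP))
    if SEARCH_DOMAIN not in search:
        problems.append("resolv.conf does not search %s" % SEARCH_DOMAIN)
    return problems


# Constructed sample inputs for this example.
GOOD_HOSTS = "127.0.0.1 localhost\n192.168.1.55 dc1.mydomain.local dc1\n"
GOOD_RESOLV = "nameserver 192.168.1.55\nsearch mydomain.local\n"
# The state a fresh 14.04 install is in before the steps above are applied:
# the installer's 127.0.1.1 line and Google DNS from /etc/network/interfaces.
BAD_HOSTS = "127.0.0.1 localhost\n127.0.1.1 dc1.mydomain.local dc1\n"
BAD_RESOLV = "nameserver 8.8.8.8\n"

if __name__ == "__main__":
    with open("/etc/hosts") as hosts, open("/etc/resolv.conf") as resolv:
        live = check_dc_resolution(hosts.read(), resolv.read(), socket.gethostname())
    for problem in live:
        print("PROBLEM: " + problem)
    sys.exit(1 if live else 0)
```

Run it as root after the resolv.conf change and before samba-tool domain provision; a non-zero exit means one of the three files disagrees with the others.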
Configure SAMBA INTERNAL DNS
echo "domain MYDOMAIN.LOCAL" >> /etc/resolv.conf
(On 14.04 this line is lost the next time resolvconf rewrites the file; the dns-search mydomain.local entry in /etc/network/interfaces produces the equivalent search line permanently.)
Now we need to edit the smb.conf file and specify the DNS forwarder.
vi /usr/local/samba/etc/smb.conf
Add under the [global] section:
dns forwarder = 8.8.8.8
Save and close.
8.8.8.8 is Google's public DNS server. Samba's internal DNS answers for mydomain.local itself and forwards every other query there; use your ISP's or your organisation's resolver instead if you would rather not send your clients' lookups to Google.
This is what my smb.conf file looks like:
# Global parameters
[global]
	workgroup = MYDOMAIN
	realm = mydomain.local
	netbios name = DC1
	server role = active directory domain controller
	dns forwarder = 8.8.8.8

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
Now we need to test DNS. Issue the following commands:
host -t SRV _ldap._tcp.MYDOMAIN.LOCAL
host -t SRV _kerberos._udp.MYDOMAIN.LOCAL
host -t A dc1.mydomain.local
You should get results like this:
root@dc1:/usr/src/samba4# host -t SRV _ldap._tcp.MYDOMAIN.LOCAL
_ldap._tcp.MYDOMAIN.LOCAL has SRV record 0 100 389 dc1.mydomain.local.
root@dc1:/usr/src/samba4# host -t SRV _kerberos._udp.MYDOMAIN.LOCAL
_kerberos._udp.MYDOMAIN.LOCAL has SRV record 0 100 88 dc1.mydomain.local.
root@dc1:/usr/src/samba4# host -t A dc1.mydomain.local
dc1.mydomain.local has address 192.168.1.55
root@dc1:/usr/src/samba4#
***NOTE***: If you received something like "Host mydomain.local not found: 3(NXDOMAIN)", Samba probably failed to start for some reason, or it is a DNS issue: check the interfaces config file and the resolv.conf file. Also check that the A record answers with 192.168.1.55 rather than 127.0.1.1; if it does not, fix /etc/hosts, because domain members will use whatever address is registered here.
Next, we need to configure and test Kerberos. The provision step generated a krb5.conf for this realm at /usr/local/samba/private/krb5.conf (it is made from the template /usr/local/samba/share/setup/krb5.conf with ${REALM} replaced by MYDOMAIN.LOCAL). kinit and the other Kerberos tools read /etc/krb5.conf, so copy the generated file over the one the krb5-user package wrote:
cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
Its contents should be:
[libdefaults]
	default_realm = MYDOMAIN.LOCAL
	dns_lookup_realm = false
	dns_lookup_kdc = true
dns_lookup_kdc = true is why the DNS test above matters: the KDC is located through the _kerberos SRV record, not through a hard-coded kdc entry.
Now let's test it. Please note that the realm name is in capitals:
kinit administrator@MYDOMAIN.LOCAL
Result:
root@dc1:/usr/src/samba4# kinit administrator@MYDOMAIN.LOCAL
Password for administrator@MYDOMAIN.LOCAL:
Warning: Your password will expire in 41 days on Wed 23 Jul 2014 13:56:03 SAST
root@dc1:/usr/src/samba4#
Display information about the Kerberos ticket you received:
klist -e
Result:
root@dc1:/usr/src/samba4# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.LOCAL

Valid starting       Expires              Service principal
11/06/2014 14:12:51  12/06/2014 00:12:51  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
	renew until 12/06/2014 14:12:46, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
root@dc1:/usr/src/samba4#
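The Etype field in that output is worth reading, not just the fact that a ticket arrived: arcfour-hmac is the RC4 encryption type, whose key is the account's unsalted NT hash, which is what makes RC4 service tickets the cheap target for offline cracking; newer Samba releases and Windows clients negotiate AES. The script below is an added example, not code from the original page or from Samba or MIT Kerberos: it parses MIT-format klist -e output (the format Ubuntu's krb5-user prints) and lists tickets whose ticket key uses an RC4 or DES type. The sample is constructed from the ticket shown in this guide plus a made-up AES service ticket for contrast.

```python
#!/usr/bin/env python
"""List cached Kerberos tickets that still use RC4 or DES (added example).

Usage on the DC:  klist -e | python check_etypes.py
With no input on stdin the constructed sample below is used.
"""
import re
import sys

# A ticket line in MIT klist output: two timestamps, then the service principal.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$")
# The continuation line printed by -e: "Etype (skey, tkt): <session key>, <ticket key>".
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")

# MIT names for the RC4 and single-DES families.
LEGACY_ETYPES = {
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "arcfour-hmac-md5-exp",
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
}


def parse_klist(text):
    """Return a list of {service, skey, tkt} dicts in cache order."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append({"service": m.group(3), "skey": None, "tkt": None})
            continue
        m = ETYPE_RE.search(line)
        if m and tickets:           # etype line belongs to the ticket above it
            tickets[-1]["skey"], tickets[-1]["tkt"] = m.group(1), m.group(2)
    return tickets


def legacy_tickets(text):
    """Return [(service, ticket_etype)] for tickets whose ticket key is RC4/DES."""
    return [(t["service"], t["tkt"]) for t in parse_klist(text)
            if t["tkt"] in LEGACY_ETYPES]


# Constructed sample: the TGT from this guide plus an invented AES service ticket.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.LOCAL

Valid starting       Expires              Service principal
11/06/2014 14:12:51  12/06/2014 00:12:51  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
\trenew until 12/06/2014 14:12:46, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
11/06/2014 14:13:02  12/06/2014 00:12:51  cifs/dc1.mydomain.local@MYDOMAIN.LOCAL
\trenew until 12/06/2014 14:12:46, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    text = SAMPLE_KLIST if sys.stdin.isatty() else sys.stdin.read()
    for service, etype in legacy_tickets(text):
        print("LEGACY  %-45s %s" % (service, etype))
```

A krbtgt ticket using arcfour-hmac on a 2014-era Samba build is expected; on a current DC it means the account or the client is still pinned to RC4 and is worth investigating.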
Active Directory also requires a time source, so we need an NTP server: Kerberos rejects requests when clocks differ by more than five minutes (the default clock skew), so every domain member has to agree with the DC. We will also set it to synchronise time from the Internet.
Edit the ntp.conf file if you have your own time servers:
vi /etc/ntp.conf
I just left it at the default for now:
[...]
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

# Use Ubuntu's ntp server as a fallback.
server ntp.ubuntu.com
[...]
Now let's start the time server:
service ntp restart
Check that it is synchronising (the peer marked with * is the selected source; it can take a few minutes to appear):
ntpq -p
Windows domain members expect signed NTP replies from their DC (MS-SNTP), which needs ntpd pointed at Samba's ntp_signd socket; that is outside the scope of this page, which only makes sure the DC's own clock is right.
You might want to add a share for users' home folders or profile folders etc.:
mkdir -m 770 /Users
chmod g+s /Users
chown root:users /Users
Then edit smb.conf and add the following share:
vi /usr/local/samba/etc/smb.conf
[Users]
	directory mode = 0700
	read only = no
	path = /Users
	csc policy = documents
(The parameter is directory mode, a synonym for directory mask; it masks the permissions of directories created through the share to 0700, so each user's folder is private to its owner.)
Complete smb.conf so far:
# Global parameters
[global]
	workgroup = MYDOMAIN
	realm = mydomain.local
	netbios name = DC1
	server role = active directory domain controller
	dns forwarder = 8.8.8.8

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

[Users]
	directory mode = 0700
	read only = no
	path = /Users
	csc policy = documents
Finally, set the no-expiry flag on your Active Directory administrator password (or you'll have problems after 42 days):
/usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry
A never-expiring Administrator password is a convenience, not a security control: give the account a long passphrase and use it only for domain administration.
Result:
root@dc1:/usr/src/samba4# /usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry
Expiry for user 'administrator' disabled.
root@dc1:/usr/src/samba4#
Now let's create an init script so that it is easy to start and stop Samba:
vi /etc/init.d/samba4
Copy and paste the following into the file (the script checks for the samba binary and smb.conf before doing anything, and stops the daemon through its PID file rather than by process name, so it cannot signal an unrelated process that happens to be called samba):
#! /bin/sh
### BEGIN INIT INFO
# Provides:          samba
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba daemons
### END INIT INFO
#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#

SAMBA=/usr/local/samba/sbin/samba
SAMBACONF=/usr/local/samba/etc/smb.conf
# default PID directory for a /usr/local/samba prefix (check with: smbd -b | grep PIDDIR)
SAMBAPID=/usr/local/samba/var/run/samba.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemon and the config file are there
test -x $SAMBA -a -r $SAMBACONF || exit 0

. /lib/lsb/init-functions

case "$1" in
	start)
		log_daemon_msg "Starting Samba 4 daemon" "samba"
		if ! start-stop-daemon --start --quiet --oknodo --pidfile $SAMBAPID --exec $SAMBA -- -D; then
			log_end_msg 1
			exit 1
		fi
		log_end_msg 0
		;;
	stop)
		log_daemon_msg "Stopping Samba 4 daemon" "samba"
		start-stop-daemon --stop --quiet --pidfile $SAMBAPID
		# Wait a little and remove stale PID file
		sleep 1
		if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
		then
			# Stale PID file (samba was successfully stopped),
			# remove it (should be removed by samba itself IMHO.)
			rm -f $SAMBAPID
		fi
		log_end_msg 0
		;;
	restart|force-reload)
		$0 stop
		sleep 1
		$0 start
		;;
	*)
		echo "Usage: /etc/init.d/samba4 {start|stop|restart|force-reload}"
		exit 1
		;;
esac

exit 0
After you have created the file, be sure to change the permissions and set the script to autostart using update-rc.d:
chmod 755 /etc/init.d/samba4
update-rc.d samba4 defaults
Result:
root@dc1:/usr/src/samba4# chmod 755 /etc/init.d/samba4
root@dc1:/usr/src/samba4# update-rc.d samba4 defaults
 Adding system startup for /etc/init.d/samba4 ...
   /etc/rc0.d/K20samba4 -> ../init.d/samba4
   /etc/rc1.d/K20samba4 -> ../init.d/samba4
   /etc/rc6.d/K20samba4 -> ../init.d/samba4
   /etc/rc2.d/S20samba4 -> ../init.d/samba4
   /etc/rc3.d/S20samba4 -> ../init.d/samba4
   /etc/rc4.d/S20samba4 -> ../init.d/samba4
   /etc/rc5.d/S20samba4 -> ../init.d/samba4
root@dc1:/usr/src/samba4#
Now let's restart the Samba server using our new init script:
/etc/init.d/samba4 restart
Result:
root@dc1:/usr/src/samba4# /etc/init.d/samba4 restart
 * Stopping Samba 4 daemon samba                                  [ OK ]
 * Starting Samba 4 daemon samba                                  [ OK ]
root@dc1:/usr/src/samba4#
Your Active Directory Domain Controller has been set up.
You can download the Microsoft Remote Server Administration Tools (RSAT) to administer your users and group policies from a Windows workstation joined to the domain.
*** Tutorial soon to follow... ***
I had some issues on my network where, if users browsed the Internet, their browsers sometimes didn't open the web page. This was caused by DNS.
I resolved it by adding the following entries in my smb.conf file:
vi /usr/local/samba/etc/smb.conf
allow dns updates = nonsecure
dns forwarder = 8.8.8.8
log level = 3
server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
Two cautions on these settings. allow dns updates = nonsecure accepts dynamic DNS updates from anything that can reach port 53, so any host on the network can add or overwrite records in the zone, including the DC's own A record or a name such as wpad. Samba's default, secure only, accepts an update only when the client authenticates it with Kerberos (GSS-TSIG), which Windows domain members do once joined; use nonsecure for troubleshooting only and put the default back once the real problem is found. Second, in the server services list the name smb selects Samba's old NTVFS file server, whereas the default and supported file server on a Samba 4 DC is s3fs; unless you specifically want NTVFS, leave server services unset so Samba uses its defaults. log level = 3 just produces more logging.
And here is my complete smb.conf file:
# Global parameters
[global]
	time server = yes
	dos filetimes = yes
	fake directory create times = yes
	dos filetime resolution = yes
	delete readonly = yes
	workgroup = MYDOMAIN
	realm = mydomain.local
	netbios name = DC1
	server role = active directory domain controller
	#dns forwarder = 8.8.8.8
	allow dns updates = nonsecure
	dns forwarder = 8.8.8.8
	log level = 3
	server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
	read only = No
	preexec = echo %u is in %G >> /var/log/smbshares.log

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

[Users]
	directory mode = 0700
	read only = no
	path = /Users
	csc policy = documents
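Because the troubleshooting settings above tend to stay in smb.conf long after the problem is gone, a small audit of the file is useful. The script below is an added example, not code from the original page or from the Samba project: it parses smb.conf the way Samba compares parameter names (case-insensitive, whitespace inside names ignored, last duplicate wins, # and ; comments) and flags the DNS-update mode, a missing forwarder, a wrong server role and a verbose log level. The two embedded configurations are constructed: the first is the troubleshooting configuration from this page, the second the same file with the default secure only DNS updates and a quieter log level. Backslash line continuations in smb.conf are not handled.

```python
#!/usr/bin/env python
"""Audit a Samba AD DC smb.conf for settings worth a second look (added example).

Usage on the DC:  python audit_smbconf.py /usr/local/samba/etc/smb.conf
"""
import re
import sys


def parse_smb_conf(text):
    """Return {section: {key: value}} with section names lower-cased and
    parameter names lower-cased with whitespace removed, which is how Samba
    compares them. A repeated parameter keeps its last value, as Samba does."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue                      # junk outside a section
        key, value = line.split("=", 1)
        conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def audit(text):
    """Return [(severity, message), ...]; an empty list means nothing to report."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    if g.get("serverrole", "").lower() != "active directory domain controller":
        findings.append(("high", "server role is not 'active directory domain controller'"))

    # Samba's default is 'secure only': the updater must authenticate with
    # Kerberos (GSS-TSIG). 'nonsecure' lets any host that can reach port 53
    # add or overwrite records, including the DC's own A record.
    updates = g.get("allowdnsupdates", "secure only").lower()
    if updates == "nonsecure":
        findings.append(("high", "allow dns updates = nonsecure: unauthenticated hosts can rewrite AD DNS"))
    elif updates == "disabled":
        findings.append(("info", "allow dns updates = disabled: members cannot register their own records"))

    if "dnsforwarder" not in g:
        findings.append(("medium", "no dns forwarder: the internal DNS will not resolve names outside the domain"))

    # 'log level' may be '3' or '1 auth:5'; only the global level is checked.
    try:
        level = int((g.get("loglevel") or "0").split()[0])
    except ValueError:
        level = 0
    if level >= 3:
        findings.append(("low", "log level %d is verbose: fine for troubleshooting, noisy in production" % level))
    return findings


# Constructed sample: the troubleshooting settings from this page.
GUIDE_CONF = """\
# Global parameters
[global]
	workgroup = MYDOMAIN
	realm = mydomain.local
	netbios name = DC1
	server role = active directory domain controller
	#dns forwarder = 8.8.8.8
	allow dns updates = nonsecure
	dns forwarder = 8.8.8.8
	log level = 3
[netlogon]
	path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
	read only = No
[Users]
	directory mode = 0700
	read only = no
	path = /Users
"""

# The same file with Samba's default update policy and a quieter log level.
HARDENED_CONF = GUIDE_CONF.replace("nonsecure", "secure only").replace("log level = 3", "log level = 1")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GUIDE_CONF
    for severity, message in audit(text) or [("ok", "no findings")]:
        print("[%s] %s" % (severity, message))
```

Run against the page's own configuration it reports the nonsecure update mode and the log level; against the hardened variant it reports nothing.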
I have another server running DHCP, and I had to create a DNS update job so that it updates the DNS records for the DHCP server leases.
Note that samba_dnsupdate refreshes this DC's own records (the A and SRV entries tested above); it does not register DHCP leases. Names for DHCP clients come from the clients' own dynamic updates, or from the DHCP server on their behalf, which is what the allow dns updates setting above controls.
Edit the crontab:
vi /etc/crontab
Add the following:
01 * * * * root /usr/local/samba/sbin/samba_dnsupdate
Save and close. cron re-reads /etc/crontab by itself when the file changes, but restarting it does no harm:
service cron restart