Wednesday, 13 May 2015

Ubuntu 14.04 installing Samba4 AD Server with GIT

I found THIS site with the following instructions:


Active directory Domain controller on Ubuntu 14.04 (Samba Internal DNS)


Server Setup:
Hostname: dc1
Domain name: mydomain.local
O/S – Ubuntu 14.04 LTS
HDD: 20GB (Thin Provisioning) – LVM
No HDD Encryption
Memory: 4GB
Time Zone: Africa/Johannesburg
Networking:
IP 192.168.1.55
SM: 255.255.255.0
GW: 192.168.1.1
Installed Packages with initial installation: OpenSSH Server
Once the installation is done, log in as the user you created during setup.
Now set a root password:
sudo passwd root
Enter your new root password.
Now log in as root on the server.
By default Ubuntu 14.04 does not allow you to ssh in as root, so log in as your normal user and then su to root (sudo -i works just as well and avoids giving root a password at all; the rest of this guide assumes a root shell either way).
digit@dc1:~$ su
Password:
root@dc1:/home/digit#
Now you will need to configure your network interface for static IP.
(we’ll use 192.168.1.55 as IP for this Domain Controller, dc1 for the name and MYDOMAIN.LOCAL as FQDN )
Edit your /etc/network/interfaces file.
vi /etc/network/interfaces
change iface eth0 inet dhcp to iface eth0 inet static
then add these lines:
address 192.168.1.55
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1 
dns-nameservers 8.8.8.8
dns-search mydomain.local
Save and close (:wq)
then we need to configure our /etc/hosts file like so:
127.0.0.1       localhost.localdomain   localhost 
192.168.1.55   dc1.mydomain.local dc1
save and close
then run
echo dc1.mydomain.local > /etc/hostname
Now restart networking so that the changes take effect:
/etc/init.d/networking restart
On 14.04 this does not always reapply a changed static address; if eth0 is still on its old address afterwards, run ifdown eth0 && ifup eth0, or simply reboot (which also applies the new hostname).
now we need to install the prerequisites for samba kerberos etc….
apt-get update && apt-get upgrade -y
Now we install most of the packages that we will require (+/- 67MB at the time of writing):
apt-get install git build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev ntp -y
You will be asked for Kerberos information.
When asked for the default realm, enter MYDOMAIN.LOCAL (Kerberos realms are written in upper case; the same upper-case realm is used with kinit later), and dc1 as the host:
Default Kerberos version 5 realm:
MYDOMAIN.LOCAL
Enter the hostnames of Kerberos servers in the MYDOMAIN.LOCAL Kerberos realm separated by spaces.
Kerberos servers for your realm:
dc1
Enter the hostname of the administrative (password changing) server for the MYDOMAIN.LOCAL Kerberos realm.
Administrative server for your Kerberos realm:
dc1
Restart your server
init 6
We will be installing Samba 4, the most current release, from the Samba git repository. The git:// transport is unauthenticated, so prefer the https URL; and unless you want a pre-release build (master produces versions like the 4.2.0pre1 shown further down), check out a release tag after cloning (git tag -l 'samba-*' lists them):
git clone https://git.samba.org/samba.git /usr/src/samba4/
Now let's compile and install Samba:
cd /usr/src/samba4/
./configure --enable-debug --enable-selftest
make
make install
Note:
If you run configure without any extra parameters, Samba is installed under /usr/local/samba by default; use the --prefix option to choose a different installation directory (every path in the rest of this guide assumes /usr/local/samba).
Depending on your machine the build may take a while (15-20 minutes).
Before running the provision step make sure the following things are in place
vi /etc/hosts
Make sure your host file looks something like this:
127.0.0.1       localhost
192.168.1.55   dc1.mydomain.local      dc1
Make sure your hostname is correct
root@dc1:/usr/src/samba4# hostname
dc1.mydomain.local
root@dc1:/usr/src/samba4#
Set the DNS server to point at the local machine (once Samba is running, the DC must resolve the realm through its own internal DNS):
vi /etc/resolv.conf
nameserver 192.168.1.55
search mydomain.local
On Ubuntu 14.04 /etc/resolv.conf is generated by resolvconf from /etc/network/interfaces, so also change the dns-nameservers line there from 8.8.8.8 to 192.168.1.55; otherwise the file is rewritten at the next network restart and the authentication and DNS tests below fail.
If the above steps complete without any error, you can move ahead to the provisioning step.
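The three checks above (hosts file, hostname, resolv.conf) as a script, added here as an example and not part of the original tutorial. It uses the tutorial's values (dc1, mydomain.local, 192.168.1.55); the sample hosts and resolv.conf files it runs against are constructed inside the script, and the "bad" hosts file carries the 127.0.1.1 line that the Ubuntu installer writes for the hostname, which must not be present when you provision. The function names are mine; on the DC itself, call them on /etc/hosts, /etc/resolv.conf and the output of hostname instead of the samples.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the three pre-provision
# checks as functions, so they can be re-run after every network change
# instead of eyeballed.  The values are the tutorial's; change them for your DC.
DC_IP=192.168.1.55
DC_FQDN=dc1.mydomain.local
DC_SHORT=dc1

# Dots are regex metacharacters; escape them once for the grep patterns below.
ip_re=$(printf '%s' "$DC_IP" | sed 's/\./\\./g')
fqdn_re=$(printf '%s' "$DC_FQDN" | sed 's/\./\\./g')

# check_hosts FILE: the FQDN must be on a line "IP FQDN SHORT" (FQDN first, so
# it is the canonical name for that address) and must NOT also be bound to a
# loopback address such as the "127.0.1.1 hostname" line the Ubuntu installer
# writes; provision would otherwise register the DC under 127.x.
check_hosts() {
    if grep -Eq "^[[:space:]]*127\.[0-9.]+[[:space:]]+([^[:space:]]+[[:space:]]+)*$fqdn_re([[:space:]]|$)" "$1"; then
        echo "FAIL: $1 binds $DC_FQDN to a loopback address" >&2
        return 1
    fi
    if ! grep -Eq "^[[:space:]]*$ip_re[[:space:]]+$fqdn_re[[:space:]]+$DC_SHORT([[:space:]]|$)" "$1"; then
        echo "FAIL: $1 has no line '$DC_IP $DC_FQDN $DC_SHORT'" >&2
        return 1
    fi
    echo "OK: $1 maps $DC_FQDN to $DC_IP"
}

# check_resolv FILE: the first nameserver must be the DC itself (the realm's
# SRV records exist only in Samba's own DNS) and the domain must be in the
# search list so that short names like dc1 resolve.
check_resolv() {
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    if [ "$first_ns" != "$DC_IP" ]; then
        echo "FAIL: $1: first nameserver is '${first_ns:-none}', expected $DC_IP" >&2
        return 1
    fi
    domain=${DC_FQDN#*.}
    if ! awk -v d="$domain" '$1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if (tolower($i) == d) ok = 1 }
                            END { exit !ok }' "$1"; then
        echo "FAIL: $1: '$domain' is not in the search list" >&2
        return 1
    fi
    echo "OK: $1 resolves through $DC_IP, search domain $domain"
}

# check_hostname NAME: must be the FQDN written to /etc/hostname above, the
# name provision registers in DNS and Kerberos.
check_hostname() {
    if [ "$1" = "$DC_FQDN" ]; then
        echo "OK: hostname is $1"
    else
        echo "FAIL: hostname is '$1', expected $DC_FQDN" >&2
        return 1
    fi
}

# Constructed sample files so the script runs anywhere; on the DC call the
# functions on /etc/hosts, /etc/resolv.conf and "$(hostname)" instead.
tmp=$(mktemp -d)
printf '127.0.0.1\tlocalhost\n192.168.1.55\tdc1.mydomain.local\tdc1\n' > "$tmp/hosts.good"
printf '127.0.0.1\tlocalhost\n127.0.1.1\tdc1.mydomain.local\tdc1\n' > "$tmp/hosts.bad"
printf 'nameserver 192.168.1.55\nsearch mydomain.local\n' > "$tmp/resolv.good"
printf 'nameserver 8.8.8.8\nsearch mydomain.local\n' > "$tmp/resolv.bad"

for f in hosts.good hosts.bad; do check_hosts "$tmp/$f" || :; done
for f in resolv.good resolv.bad; do check_resolv "$tmp/$f" || :; done
check_hostname dc1.mydomain.local || :
check_hostname dc1 || :
```

Run it again after every change to /etc/network/interfaces: resolvconf rewrites /etc/resolv.conf on a network restart, and a resolv.conf that has drifted back to 8.8.8.8 is the usual cause of the NT_STATUS_LOGON_FAILURE and NXDOMAIN errors mentioned later in this guide.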
Add the Samba binaries to your PATH in ~/.bashrc (then re-read it with source ~/.bashrc or open a new shell):
vi ~/.bashrc
export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin
Now let's provision the new domain.
For now we use Samba's internal DNS; it can always be switched to BIND later (--dns-backend=BIND9_DLZ).
/usr/local/samba/bin/samba-tool domain provision --realm=mydomain.local --domain=MYDOMAIN --adminpass="Passw0rd" --server-role=dc --dns-backend=SAMBA_INTERNAL
(Passw0rd is only the example used in this guide; choose a strong Administrator password, and note that a password given with --adminpass ends up in your shell history and is visible in the process list while the command runs. Leave --adminpass out and samba-tool prompts for it instead.)
You should see something like this:

root@dc1:/usr/src/samba4# /usr/local/samba/bin/samba-tool domain provision --realm=mydomain.local --domain=MYDOMAIN --adminpass="Passw0rd" --server-role=dc --dns-backend=SAMBA_INTERNAL
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=mydomain,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              dc1
NetBIOS Domain:        MYDOMAIN
DNS Domain:            mydomain.local
DOMAIN SID:            S-1-5-21-3071701496-2123785088-2579521527
root@dc1:/usr/src/samba4#
Now let's start Samba:
/usr/local/samba/sbin/samba
Check the samba and smbclient versions (they should match; if they differ, an older Samba on the PATH is shadowing the build under /usr/local/samba):
root@dc1:/usr/src/samba4# /usr/local/samba/sbin/samba -V
Version 4.2.0pre1-GIT-6da8126
root@dc1:/usr/src/samba4# /usr/local/samba/bin/smbclient -V
Version 4.2.0pre1-GIT-6da8126
root@dc1:/usr/src/samba4#
Listing administrative share will show you sysvol, netlogon shares etc…
/usr/local/samba/bin/smbclient -L localhost -U%
You should see something like this:

root@dc1:/usr/src/samba4# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-6da8126]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.2.0pre1-GIT-6da8126)
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-6da8126]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
root@dc1:/usr/src/samba4#
Now we can check the authentication:
/usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%"Passw0rd" -c 'ls'
Response should be this:
root@dc1:/usr/src/samba4# /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%"Passw0rd" -c 'ls'
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-6da8126]
  .                                   D        0  Wed Jun 11 13:55:54 2014
  ..                                  D        0  Wed Jun 11 13:56:04 2014

                16116664 blocks of size 1024. 12670940 blocks available
root@dc1:/usr/src/samba4#
**NOTE**: If you receive the following error:
session setup failed: NT_STATUS_LOGON_FAILURE
make sure that your DNS settings are correct in /etc/network/interfaces and in /etc/resolv.conf, then run the command again.
Your DNS should point to the local machine.
Configure SAMBA INTERNAL DNS
echo "domain MYDOMAIN.LOCAL" >> /etc/resolv.conf
Now we need to edit the smb.conf file and specify the DNS forwarder.
vi /usr/local/samba/etc/smb.conf
add under the [global] option
dns forwarder = 8.8.8.8
save and close.
8.8.8.8 is Google's public DNS server; the forwarder is what Samba's internal DNS uses for every name outside the AD zones, so any resolver reachable from the DC will do.
This is what my smb.conf file looks like:

# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = mydomain.local
        netbios name = DC1
        server role = active directory domain controller
        dns forwarder = 8.8.8.8

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
Now we need to test DNS. Issue the next commands.
host -t SRV _ldap._tcp.MYDOMAIN.LOCAL
host -t SRV _kerberos._udp.MYDOMAIN.LOCAL
host -t A dc1.mydomain.local
You should get results like this:

root@dc1:/usr/src/samba4# host -t SRV _ldap._tcp.MYDOMAIN.LOCAL
_ldap._tcp.MYDOMAIN.LOCAL has SRV record 0 100 389 dc1.mydomain.local.
root@dc1:/usr/src/samba4# host -t SRV _kerberos._udp.MYDOMAIN.LOCAL
_kerberos._udp.MYDOMAIN.LOCAL has SRV record 0 100 88 dc1.mydomain.local.
root@dc1:/usr/src/samba4# host -t A dc1.mydomain.local
dc1.mydomain.local has address 192.168.1.55
root@dc1:/usr/src/samba4#
***NOTE***: If you received something like "Host mydomain.local not found: 3(NXDOMAIN)", Samba probably failed to start for some reason, or it is a DNS issue: check the interfaces config file and resolv.conf (both must point at 192.168.1.55), check that samba is running (ps ax | grep samba), and look in /usr/local/samba/var/log.samba for errors.
Next we need to configure and test Kerberos. The provisioning step generated a ready-made Kerberos configuration at /usr/local/samba/private/krb5.conf (see the provision output above); the file under /usr/local/samba/share/setup/krb5.conf is only the template it was generated from, with a ${REALM} placeholder. The kinit and klist commands from the krb5-user package read /etc/krb5.conf, so copy the generated file there:
cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
Its contents should be:
[libdefaults]
        default_realm = MYDOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
Now let's test it.
Please note that the realm name is in capitals:
kinit administrator@MYDOMAIN.LOCAL
Result:
root@dc1:/usr/src/samba4# kinit administrator@MYDOMAIN.LOCAL
Password for administrator@MYDOMAIN.LOCAL:
Warning: Your password will expire in 41 days on Wed 23 Jul 2014 13:56:03 SAST
root@dc1:/usr/src/samba4#
Display information about the Kerberos ticket you received:
klist -e
Result:
root@dc1:/usr/src/samba4# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.LOCAL

Valid starting       Expires              Service principal
11/06/2014 14:12:51  12/06/2014 00:12:51  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 12/06/2014 14:12:46, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
root@dc1:/usr/src/samba4#
Active Directory also requires a reliable time source, so we need an NTP server.
We will also set it to synchronise time from the Internet.
Edit the ntp.conf file if you have your own time servers:
vi /etc/ntp.conf
I just left it at the default for now:
[...]
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

# Use Ubuntu's ntp server as a fallback.
server ntp.ubuntu.com

[...]
Now let's (re)start the time server:
service ntp restart
Check that it is synchronising with its peers (the * in the first column marks the selected source; it can take a few minutes to appear):
ntpq -p
You might want to add a share for users' home folders or profile folders etc.
mkdir -m 770 /Users
chmod g+s /Users
chown root:users /Users
Then edit smb.conf and add the following share (directory mode, synonym directory mask, is the actual parameter name; "directory_mode: parameter" is not one and Samba ignores it):
vi /usr/local/samba/etc/smb.conf
[Users]
directory mode = 0700
read only = no
path = /Users
csc policy = documents
Complete smb.conf so far:
# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = mydomain.local
        netbios name = DC1
        server role = active directory domain controller
        dns forwarder = 8.8.8.8

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[Users]
        directory mode = 0700
        read only = no
        path = /Users
        csc policy = documents
Finally, set the no-expiry flag on your Active Directory Administrator password (or you will have problems after 42 days, the default maximum password age). Be aware that this switches off password rotation for the most privileged account in the domain; changing the domain policy instead (samba-tool domain passwordsettings set --max-pwd-age=<days>) keeps expiry enforced for everyone.
/usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry
Result:
root@dc1:/usr/src/samba4# /usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry
Expiry for user 'administrator' disabled.
root@dc1:/usr/src/samba4#
Now let's create an init script so that it is easy to start and stop samba:
vi /etc/init.d/samba4
Copy and paste the following into the file. Three details differ from the Samba 3 script this was adapted from: the existence test checks the samba binary and smb.conf rather than the sbin and etc directories, the stop action passes the pid file with --pidfile instead of as a stray argument, and the pid file lives under the /usr/local/samba prefix (samba -D writes /usr/local/samba/var/run/samba.pid), not under /var/run:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          samba
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba daemons
### END INIT INFO
#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#

SAMBA=/usr/local/samba/sbin/samba
SMBCONF=/usr/local/samba/etc/smb.conf
# samba -D writes its pid file below the install prefix
SAMBAPID=/usr/local/samba/var/run/samba.pid

# clear conflicting settings from the environment
unset TMPDIR
# See if the daemon and the config file are there
test -x $SAMBA -a -r $SMBCONF || exit 0

. /lib/lsb/init-functions

case "$1" in
    start)
        log_daemon_msg "Starting Samba 4 daemon" "samba"
        if ! start-stop-daemon --start --quiet --oknodo --pidfile $SAMBAPID --exec $SAMBA -- -D; then
            log_end_msg 1
            exit 1
        fi
        log_end_msg 0
        ;;
    stop)
        log_daemon_msg "Stopping Samba 4 daemon" "samba"
        start-stop-daemon --stop --quiet --oknodo --pidfile $SAMBAPID --name samba
        # Wait a little and remove stale PID file
        sleep 1
        if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
        then
            # Stale PID file (samba was successfully stopped),
            # remove it (should be removed by samba itself IMHO.)
            rm -f $SAMBAPID
        fi
        log_end_msg 0
        ;;
    restart|force-reload)
        $0 stop
        sleep 1
        $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/samba4 {start|stop|restart|force-reload}"
        exit 1
        ;;
esac

exit 0
After you have created the file, be sure to change the permissions and set the script to autostart using update-rc.d:
chmod 755 /etc/init.d/samba4
update-rc.d samba4 defaults
Result:

root@dc1:/usr/src/samba4# chmod 755 /etc/init.d/samba4
root@dc1:/usr/src/samba4# update-rc.d samba4 defaults
 Adding system startup for /etc/init.d/samba4 ...
   /etc/rc0.d/K20samba4 -> ../init.d/samba4
   /etc/rc1.d/K20samba4 -> ../init.d/samba4
   /etc/rc6.d/K20samba4 -> ../init.d/samba4
   /etc/rc2.d/S20samba4 -> ../init.d/samba4
   /etc/rc3.d/S20samba4 -> ../init.d/samba4
   /etc/rc4.d/S20samba4 -> ../init.d/samba4
   /etc/rc5.d/S20samba4 -> ../init.d/samba4
root@dc1:/usr/src/samba4#
Now let's restart the samba server using our new init script:
/etc/init.d/samba4 restart
Result:
root@dc1:/usr/src/samba4# /etc/init.d/samba4 restart
 * Stopping Samba 4 daemon samba [ OK ]
 * Starting Samba 4 daemon samba [ OK ]
root@dc1:/usr/src/samba4#
Your Active Directory Domain Controller has been setup.
You can download Microsoft's Remote Server Administration Tools (RSAT) to administer users and group policies from a Windows workstation joined to the domain.
*** Tutorial soon to follow… ***
I had some issues on my network where, if the users browsed the internet, their browsers sometimes didn't open the web page. This was caused by DNS.
I resolved it by adding the following entries in my smb.conf file:
vi /usr/local/samba/etc/smb.conf
allow dns updates = nonsecure
dns forwarder = 8.8.8.8
log level = 3
server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
And here is my complete smb.conf file
# Global parameters
[global]
        time server = yes
        dos filetimes = yes
        fake directory create times = yes
        dos filetime resolution = yes
        delete readonly = yes
        workgroup = MYDOMAIN
        realm = mydomain.local
        netbios name = DC1
        server role = active directory domain controller
        #dns forwarder = 8.8.8.8
        allow dns updates = nonsecure
        dns forwarder = 8.8.8.8
        log level = 3
        server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
        read only = No
        preexec = echo %u is in %G >> /var/log/smbshares.log

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[Users]
        directory mode = 0700
        read only = no
        path = /Users
        csc policy = documents
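An added example, not from the original post or from the Samba project, that reads smb.conf and krb5.conf values the way the earlier steps check them by hand and audits the [global] settings shown above: allow dns updates = nonsecure (which lets any host on the LAN add or overwrite DNS records without authenticating, the DC's own A record included; Samba's default, secure only, accepts Kerberos-signed GSS-TSIG updates, which Windows domain members fall back to automatically), a missing dns forwarder (without which the internal DNS answers only for the AD zones), a debugging log level, and a krb5.conf whose default_realm does not match the realm in upper case (the kinit test earlier depends on that). The two smb.conf samples and the krb5.conf it runs against are constructed inside the script, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original tutorial or the Samba project: a reader
# for smb.conf/krb5.conf values plus two audits for the settings this guide
# touches.  The sample configurations are constructed below.

# ini_get FILE SECTION PARAM: print PARAM's value from [SECTION], matching
# names the way Samba does (case and whitespace in the name are ignored, so
# "read only" and "ReadOnly" are the same key); last occurrence wins and
# comment lines (# or ;) are skipped.  Exit status 1 when the key is absent.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    BEGIN { want_sec = norm(want_sec); want_key = norm(want_key) }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); sec = norm(s); next }
    sec == want_sec && index($0, "=") > 0 {
        k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
        if (norm(k) == want_key) { sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val = v; found = 1 }
    }
    END { if (found) print val; exit !found }' "$1"
}

# audit_smbconf FILE: one line per finding in [global]; exit 0 if clean.
audit_smbconf() {
    n=0
    # Samba's default is "secure only": updates must be Kerberos-signed (GSS-TSIG).
    # "nonsecure" lets anything on the LAN overwrite any record, the DC's own
    # A record included.
    upd=$(ini_get "$1" global "allow dns updates" || echo "secure only")
    case $(printf '%s' "$upd" | tr 'A-Z' 'a-z') in
        *nonsecure*) echo "$1: allow dns updates = $upd: unauthenticated hosts can add or overwrite DNS records; use 'secure only'"
                     n=$((n + 1)) ;;
    esac
    # The internal DNS server runs unless "server services" removes it (-dns, as
    # provision writes for the BIND backend); without a forwarder it answers
    # only for the AD zones.
    svc=",$(ini_get "$1" global "server services" | tr -d ' '),"
    case $svc in
        *,-dns,*) ;;
        ",,"|*,dns,*) ini_get "$1" global "dns forwarder" >/dev/null ||
            { echo "$1: internal DNS enabled but no 'dns forwarder': names outside the domain will not resolve"; n=$((n + 1)); } ;;
    esac
    lvl=$(ini_get "$1" global "log level" || echo 0)
    if [ "${lvl%% *}" -gt 1 ] 2>/dev/null; then
        echo "$1: log level = $lvl is a debugging setting; it fills the log and slows the DC"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# audit_krb5 SMBCONF KRB5CONF: default_realm must equal the smb.conf realm in
# upper case (so "kinit administrator" without @REALM works) and dns_lookup_kdc
# must be true so the KDC is found through the _kerberos SRV records.
audit_krb5() {
    realm=$(ini_get "$1" global realm | tr 'a-z' 'A-Z')
    def=$(ini_get "$2" libdefaults default_realm || echo "")
    lookup=$(ini_get "$2" libdefaults dns_lookup_kdc || echo "")
    n=0
    [ "$def" = "$realm" ] || { echo "$2: default_realm is '$def', expected '$realm'"; n=$((n + 1)); }
    [ "$lookup" = "true" ] || { echo "$2: dns_lookup_kdc should be true"; n=$((n + 1)); }
    [ "$n" -eq 0 ]
}

# Constructed samples: the [global] settings this guide ends up with, beside a
# hardened variant, and the krb5.conf that provision generates.
tmp=$(mktemp -d)
cat > "$tmp/smb.conf.weak" <<'EOF'
# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = mydomain.local
        server role = active directory domain controller
        allow dns updates = nonsecure
        dns forwarder = 8.8.8.8
        log level = 3
        server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
EOF
cat > "$tmp/smb.conf.hardened" <<'EOF'
[global]
        workgroup = MYDOMAIN
        realm = mydomain.local
        server role = active directory domain controller
        allow dns updates = secure only
        dns forwarder = 8.8.8.8
EOF
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = MYDOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
EOF

for f in smb.conf.weak smb.conf.hardened; do
    audit_smbconf "$tmp/$f" && echo "$tmp/$f: clean" || :
done
audit_krb5 "$tmp/smb.conf.hardened" "$tmp/krb5.conf" && echo "$tmp/krb5.conf: clean" || :
```

On the DC run audit_smbconf /usr/local/samba/etc/smb.conf and audit_krb5 /usr/local/samba/etc/smb.conf /etc/krb5.conf. This only checks the handful of settings discussed here; /usr/local/samba/bin/testparm is the authoritative parser and will also tell you about parameter names Samba does not recognise.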
I have another server running DHCP, and I had to create a DNS Update script so that it updates the DNS records for the DHCP Server leases.
Edit the crontab.
vi /etc/crontab
Add the following:
01 *    * * *   root    /usr/local/samba/sbin/samba_dnsupdate
save and close.
Restart cron:
/etc/init.d/cron restart
