** This Samba version is at EOL as of 03-07-2017 **

As in my Installing Samba AD DC 4.2.2 post, since I am used to Ubuntu, I used VMware Player and chose Lubuntu Desktop because I wanted less fuss than Ubuntu Desktop. I did not use Ubuntu Server because I wanted a web browser so that I could copy a lot of material from websites while installing Samba AD DC.

I will be using this information for the Samba AD DC server:

Samba Server: lubuntu
IP Address: 192.168.2.100
Netmask: 255.255.255.0
Default Gateway: 192.168.2.1
DNS Domain Name: bales.lan
NetBIOS Domain Name: BALES
DNS Backend: SAMBA_INTERNAL

After Installing Lubuntu:

I checked for updates using LXTerminal:

sudo apt-get update

Then I did a dist-upgrade and rebooted.

sudo apt-get dist-upgrade

Then I disabled the firewall and rebooted.

sudo ufw disable

Prerequisite Lubuntu:

After I rebooted, I used leafpad to set a static IP for the server by editing /etc/network/interfaces, adding the IP address and the other settings for the eth0 interface (0 as in zero, not the letter o):

sudo leafpad /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.2.100
netmask 255.255.255.0
gateway 192.168.2.1
dns-nameservers 192.168.2.100 192.168.2.1
dns-search bales.lan

Then I changed the hosts file so that the server name resolves to its correct IP address:

127.0.0.1       localhost.bales.lan localhost
192.168.2.100   lubuntu.bales.lan lubuntu 

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Make sure your hostname is configured as the Samba server name, not the FQDN (lubuntu for me):

sudo leafpad /etc/hostname

Reboot.

After rebooting install the requirements/dependencies for Samba AD DC:

 sudo apt-get install acl attr autoconf bison build-essential \
  debhelper dnsutils docbook-xml docbook-xsl flex gdb krb5-user \
  libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev \
  libcap-dev libcups2-dev libgnutls-dev libjson-perl \
  libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
  libpopt-dev libreadline-dev perl perl-modules pkg-config \
  python-all-dev python-dev python-dnspython python-crypto \
  xsltproc zlib1g-dev

You may be prompted for the Kerberos realm and server during this step.  Reboot.

Installing Samba AD DC:

Download the Samba 4.3.1 tarball from http://www.samba.org and extract it into your Downloads directory.  In LXTerminal, change into the extracted directory and first run ./configure:

sudo ./configure

Then do a make:

sudo make

Lastly do a make install.

sudo make install

Append “/usr/local/samba/bin” and “/usr/local/samba/sbin” to the PATH in /etc/environment and to ‘Defaults secure_path’ in the /etc/sudoers file:

sudo leafpad /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/samba/bin:/usr/local/samba/sbin"
sudo leafpad /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/samba/bin:/usr/local/samba/sbin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Reboot.

Time to build the Samba AD DC:

sudo samba-tool domain provision --use-rfc2307 --interactive
Realm [BALES.LAN]:
 Domain [BALES]: 
 Server Role (dc, member, standalone) [dc]: dc
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.2.100]: 192.168.2.1
Administrator password: *
Retype password: *
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=samdom,DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=bales,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              lubuntu
NetBIOS Domain:        BALES
DNS Domain:            bales.lan
DOMAIN SID:            S-1-5-21-4179608152-431274704-1813065677

* Administrator password:

At least 8 characters
Containing at least three of the following five character groups:

  1. Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  2. Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  3. Base 10 digits (0 through 9)
  4. Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
  5. Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

If the password doesn’t fulfil the complexity requirements, the provisioning will fail and you will have to start over (remove the generated new “smb.conf” in that case).
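
A pre-check for the rule above, added here as an example and not part of the original post: it reads a candidate password from stdin and reports whether provisioning would accept it. It detects groups 1 to 4 with POSIX character classes and does not detect group 5, so it is stricter than Samba's own check, never looser.

```shell
#!/bin/sh
# Added example, not from the original post: check a candidate Administrator
# password against the complexity rule that "samba-tool domain provision"
# enforces (at least 8 characters, at least three of the five character groups),
# so a rejected password does not force you to redo the provisioning.
# Groups 1-4 are detected with POSIX character classes; group 5 (alphabetic
# Unicode characters with no case) is not detected, so this check is stricter
# than Samba's, never looser. The password is read from stdin rather than taken
# as an argument so that it never shows up in the process list.

# Print how many of groups 1-4 the password on stdin contains.
samba_pw_groups() {
    IFS= read -r pw                     # keep backslashes and surrounding spaces
    n=0
    printf '%s' "$pw" | grep -q '[[:upper:]]' && n=$((n + 1))   # group 1
    printf '%s' "$pw" | grep -q '[[:lower:]]' && n=$((n + 1))   # group 2
    printf '%s' "$pw" | grep -q '[[:digit:]]' && n=$((n + 1))   # group 3
    printf '%s' "$pw" | grep -q '[[:punct:]]' && n=$((n + 1))   # group 4
    echo "$n"
}

# Succeed (exit 0) only if the password on stdin satisfies the rule.
samba_pw_check() {
    IFS= read -r pw
    if [ "${#pw}" -lt 8 ]; then
        echo "rejected: fewer than 8 characters" >&2
        return 1
    fi
    ngroups=$(printf '%s\n' "$pw" | samba_pw_groups)
    if [ "$ngroups" -lt 3 ]; then
        echo "rejected: only $ngroups of the required 3 character groups" >&2
        return 1
    fi
    echo "ok: $ngroups character groups, ${#pw} characters"
}
```

Run it as `samba_pw_check` and type the candidate password followed by Enter; it prints nothing but the verdict.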

Testing your Samba Domain Controller:

First start samba*:

sudo samba

* Samba does not ship an init script for the AD DC.   I used this one for my init script:  http://ubuntuforums.org/showthread.php?t=2171745

Testing my Samba AD DC default netlogon and sysvol shares:

$ smbclient -L localhost -U%
Domain=[BALES] OS=[Windows 6.1] Server=[Samba 4.3.1]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      
        sysvol          Disk      
        IPC$            IPC       IPC Service (Samba 4.3.1)
Domain=[BALES] OS=[Windows 6.1] Server=[Samba 4.3.1]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

To test that authentication is working, I connected to the netlogon share using the Domain Administrator account that was created during provisioning:

$ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password: *
Domain=[BALES] OS=[Windows 6.1] Server=[Samba 4.3.1]
 .                                   D        0  Sat Jul  5 08:40:00 2015
 ..                                  D        0  Sat Jul  5 08:40:00 2015

               59732092 blocks of size 1024. 52582052 blocks available

To test that DNS is working properly, I ran the following commands:

$ host -t SRV _ldap._tcp.bales.lan
_ldap._tcp.bales.lan has SRV record 0 100 389 lubuntu.bales.lan
$ host -t SRV _kerberos._udp.bales.lan
_kerberos._udp.bales.lan has SRV record 0 100 88 lubuntu.bales.lan
$ host -t A lubuntu.bales.lan
lubuntu.bales.lan has address 192.168.2.100
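
A small check script for the three lookups above, added here as an example and not part of the original post. It assumes the same domain, DC name and IP as this post and that the host command from dnsutils is installed; the answer parsers are separate functions so they can be tried on sample output without a live DC.

```shell
#!/bin/sh
# Added example, not from the original post: verify the DNS records a domain
# client needs from the new DC. The domain, DC name and IP are the values used
# in this post; adjust them for another setup. The parsers take the text that
# "host" prints, so they can be tested on sample answers without a live DC.
DOMAIN=bales.lan
DC_FQDN=lubuntu.bales.lan
DC_IP=192.168.2.100

# Succeed if any line of a "host -t SRV" answer ($1) names the expected
# port ($2) and target host ($3). A trailing dot on the target is ignored.
# Fields: <name> has SRV record <prio> <weight> <port> <target>
srv_answer_ok() {
    printf '%s\n' "$1" | awk -v port="$2" -v target="$3" '
        /has SRV record/ { sub(/\.$/, "", $8); if ($7 == port && $8 == target) found = 1 }
        END { exit !found }'
}

# Succeed if a "host -t A" answer ($1) maps the name to the expected IP ($2).
a_answer_ok() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /has address/ { if ($4 == ip) found = 1 }
        END { exit !found }'
}

# Run the three lookups from the post against the live resolver and report.
check_dc_dns() {
    rc=0
    srv_answer_ok "$(host -t SRV "_ldap._tcp.$DOMAIN")" 389 "$DC_FQDN" ||
        { echo "LDAP SRV record for $DOMAIN does not point at $DC_FQDN:389" >&2; rc=1; }
    srv_answer_ok "$(host -t SRV "_kerberos._udp.$DOMAIN")" 88 "$DC_FQDN" ||
        { echo "Kerberos SRV record for $DOMAIN does not point at $DC_FQDN:88" >&2; rc=1; }
    a_answer_ok "$(host -t A "$DC_FQDN")" "$DC_IP" ||
        { echo "$DC_FQDN does not resolve to $DC_IP" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "DNS for $DOMAIN answers correctly from $DC_FQDN"
    return "$rc"
}
```

Call check_dc_dns on the DC itself (whose resolver is the Samba internal DNS per /etc/network/interfaces above) and again from a client to confirm the client is also using the DC for DNS.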

Use “kinit” to obtain a Kerberos ticket:

$ kinit administrator@BALES.LAN
Password for administrator@BALES.LAN: 
Warning: Your password will expire in 41 days on Mon 21 Dec 2015 12:46:12 PM PST

Note: You must always specify your realm in uppercase letters!

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@BALES.LAN

Valid starting       Expires              Service principal
11/09/2015 13:32:44  11/09/2015 23:32:44  krbtgt/BALES.LAN@BALES.LAN
	renew until 11/10/2015 13:32:39

If there are no error messages, you are ready to go! If you do get one, or something else is going wrong, see the Samba AD DC Troubleshooting page.

I tried creating a share on the Samba AD DC server, but it’s quirky, so I will create a share on a member server in the next few weeks.  I did figure out how to make a share on the AD DC server even though Samba does not recommend making a share on the DC. See this post on how to do it.

Notes:

I’m using Windows 7 Pro to test it out and it works.  I also installed RSAT since I used rfc2307 when building the domain.  RSAT works in Windows 7 Pro, but it doesn’t work in Windows 10 Pro; it errors.  I haven’t tried Windows 8.1 Pro yet.

References:

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
