Ubuntu 12.04 Samba4 AD DC & Join Existing AD Domain

Post by dedwards » Wed Jun 12, 2013 11:56 am

This HowTo is a quick and easy guide to setting up an Ubuntu 12.04 Samba4 AD DC and joining it to an existing AD domain. Setting up a Linux additional DC rather than a Windows one is a cheap option, since you don't have to worry about a Windows Server license.

This guide is based on Ubuntu 12.04 LTS 64-bit. I have also got it to work on Ubuntu 10.04 LTS 32-bit. For the purposes of this tutorial the AD domain will be yourdomain.tld, the domain Admin account will be Administrator and the server name will be dc02.yourdomain.tld.

  • Ensure you have the latest repositories

sudo apt-get update

  • Ensure you have the latest updates

sudo apt-get upgrade

  • Install Prerequisites

sudo apt-get install git build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev ntp -y
  • Ensure the server hostname is the FQDN:

# sudo does not apply to the shell's output redirection, so write the file with tee
echo dc02.yourdomain.tld | sudo tee /etc/hostname
sudo /etc/init.d/hostname restart
sudo /etc/init.d/networking restart

Ensure your /etc/network/interfaces points to your Windows AD DNS server and Windows domain like below, where 192.168.0.100 is your Windows AD DC/DNS server and yourdomain.tld is the actual name of your AD domain:

dns-nameservers 192.168.0.100
dns-search yourdomain.tld

We will be building Samba 4 from source using git. I don't trust the samba 4 packages from the Ubuntu repositories to be current or in working condition.

  • Download latest stable Samba 4 using git

git clone -b v4-0-stable git://git.samba.org/samba.git samba-v4-0-stable

This will create a samba-v4-0-stable directory inside whatever directory you are in and download Samba 4 stable into the newly created directory.

  • Compile & Install Samba 4

cd samba-v4-0-stable
./configure

You should see a message like the one below when the configure command succeeds:

'configure' finished successfully (1m7.115s)

Next run make:

make

You should see a message like the one below when the make command succeeds:

'build' finished successfully (10m7.227s)

Install Samba from within the samba-v4-0-stable directory:

make install

This installs Samba in /usr/local/samba.

Upon success, you should see a message like the one below:

'install' finished successfully (1m40.677s)
  • Prepare to join your Samba server as an additional DC to an existing domain

First ensure there isn't an smb.conf file under the /usr/local/samba/etc directory. If there is one, simply rename it to smb.bak as follows:

mv /usr/local/samba/etc/smb.conf /usr/local/samba/etc/smb.bak

Next, edit the /etc/krb5.conf file and ensure the following entries are under the [libdefaults] section, where yourdomain.tld is the actual name of your AD domain:

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_realm = yourdomain.tld

Next run the following command, where Administrator is the username of your domain admin account, and enter the Administrator password when prompted:

kinit Administrator

The command runs with no output at the console. Next, run the following command:

klist

You should get output similar to the below:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@yourdomain.tld

Valid starting     Expires            Service principal
11/11/12 17:29:51  11/12/12 03:29:51  krbtgt/yourdomain.tld@yourdomain.tld
       renew until 11/12/12 17:29:49

If you get the above message, proceed with joining the domain below.

  • Join your Samba server as an additional DC to an existing domain

Run the following command, substituting the actual name of your domain and your domain admin account:

/usr/local/samba/bin/samba-tool domain join yourdomain.tld DC -UAdministrator --realm=yourdomain.tld

Upon success, you should see a message similar to the one below:

Joined domain SAMBA (SID S-1-5-21-3565189888-2228146013-2029845409) as a DC

You are now joined to the AD domain.

Next, add an A record for the new DC, where 192.168.0.100 is the IP of your Windows AD DC/DNS server, yourdomain.tld is the actual name of your AD domain, DC02 is the host name of your newly joined Samba server and 192.168.0.101 is the IP of your newly joined Samba server (samba-tool dns add requires the record type, A, between the name and the address):

/usr/local/samba/bin/samba-tool dns add 192.168.0.100 yourdomain.tld DC02 A 192.168.0.101 -UAdministrator

Next, run the following command to ensure the Samba server's hostname is resolvable, where dc02.yourdomain.tld is the hostname of your Samba server (don't forget the trailing dot at the end of the command):

host -t A dc02.yourdomain.tld.

You should get a message similar to the one below:

dc02.yourdomain.tld has address 192.168.0.101
Next, ensure that the objectGUID of the Samba server is resolvable. To do that, you must first get the objectGUID by running the command below:

/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid

You should get output similar to the below:

record 1
dn: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=yourdomain,DC=tld
objectGUID: 737506d0-bfe6-40c8-815d-08c3dff7a67f

So the objectGUID for this server is 737506d0-bfe6-40c8-815d-08c3dff7a67f, but of course yours will be different.

Next, add a CNAME record for the objectGUID to your domain, where 192.168.0.100 is the IP of your Windows AD DC/DNS server, yourdomain.tld is the name of your domain, 737506d0-bfe6-40c8-815d-08c3dff7a67f is the actual objectGUID you got from the previous step, DC02.yourdomain.tld is the hostname of your Samba server and Administrator is the username of your domain admin account. Enter the domain admin password when prompted:

/usr/local/samba/bin/samba-tool dns add 192.168.0.100 _msdcs.yourdomain.tld 737506d0-bfe6-40c8-815d-08c3dff7a67f CNAME DC02.yourdomain.tld -UAdministrator

Next, query the domain and ensure the objectGUID is resolvable, where 737506d0-bfe6-40c8-815d-08c3dff7a67f is the actual objectGUID of your Samba server and yourdomain.tld is the name of your AD domain. Ensure you include the trailing dot at the end of the command:

host -t CNAME 737506d0-bfe6-40c8-815d-08c3dff7a67f._msdcs.yourdomain.tld.

You should get output similar to the one below:

737506d0-bfe6-40c8-815d-08c3dff7a67f._msdcs.yourdomain.tld is an alias for dc02.yourdomain.tld.
Next, check the replication between the Windows AD DC and your Samba server by running the following command:

/usr/local/samba/bin/samba-tool drs showrepl

You should get output like the one below:

Default-First-Site-Name\DC02
DSA Options: 0x00000001
DSA object GUID: 737506d0-bfe6-40c8-815d-08c3dff7a67f
DSA invocationId: eb242434-ca7e-4da7-9b1d-b289ba1922e9

==== INBOUND NEIGHBORS ====

DC=samba,DC=yourdomain,DC=tld
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 25e33532-42f2-4082-b9f4-072f9108b565
               Last attempt @ Sun Nov 11 18:02:02 2012 CET was successful
               0 consecutive failure(s).
               Last success @ Sun Nov 11 18:02:02 2012 CET

CN=Configuration,DC=samba,DC=yourdomain,DC=tld
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 25e33532-42f2-4082-b9f4-072f9108b565
               Last attempt @ Sun Nov 11 18:02:02 2012 CET was successful
               0 consecutive failure(s).
               Last success @ Sun Nov 11 18:02:02 2012 CET

Next, test directory replication by adding a domain account on your Samba server and checking that it shows up on your Windows AD DC, where someusername is the username of the new user and somepassword is the password of the new user:

/usr/local/samba/bin/samba-tool user add someusername somepassword

If you leave the password argument off, samba-tool prompts for it instead, which keeps the password out of your shell history and the process list.

You should get the following output on the console:

User 'someusername' created successfully

Next, open Active Directory Users and Computers on your Windows AD DC and verify that the user you just added is there.
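The checks above (objectGUID lookup, the _msdcs CNAME and the showrepl failure counters) can be scripted so you can re-run them after every reboot or replication change. The script below is an added example, not part of the original post; the parsers read command output on stdin so they work on the sample output shown above as well as on live output, and the paths /usr/local/samba, yourdomain.tld and the use of `hostname -f` are assumptions you may need to adjust.

```shell
#!/bin/sh
# Added example: post-join health check for a Samba 4 additional DC.
# Assumed defaults (override via environment): SAMBA install prefix and AD domain.
SAMBA=${SAMBA:-/usr/local/samba}
DOMAIN=${DOMAIN:-yourdomain.tld}

# objectGUID of this DC's NTDS Settings object, parsed from ldbsearch output on stdin.
guid_from_ldbsearch() {
    awk 'tolower($1) == "objectguid:" { print $2; exit }'
}

# Number of inbound replication partners whose "N consecutive failure(s)." line
# reports N > 0, parsed from `samba-tool drs showrepl` output on stdin.
repl_failures() {
    awk '/consecutive failure/ && $1 + 0 > 0 { n++ } END { print n + 0 }'
}

# Succeeds if the `host -t CNAME` output on stdin says the GUID name is an alias
# for the expected FQDN ($1, without trailing dot); fails on NXDOMAIN or a wrong target.
cname_points_to() {
    grep -qF "is an alias for $1."
}

# Live check tying the parsers to the commands used in the guide.
check_dc() {
    fqdn=$(hostname -f)
    guid=$("$SAMBA/bin/ldbsearch" -H "$SAMBA/private/sam.ldb" '(invocationid=*)' \
        --cross-ncs objectguid | guid_from_ldbsearch)
    [ -n "$guid" ] || { echo "no objectGUID found in sam.ldb"; return 1; }
    host -t CNAME "$guid._msdcs.$DOMAIN." | cname_points_to "$fqdn" \
        || { echo "CNAME for $guid does not point to $fqdn"; return 1; }
    bad=$("$SAMBA/bin/samba-tool" drs showrepl | repl_failures)
    [ "$bad" -eq 0 ] || { echo "$bad replication partner(s) failing"; return 1; }
    echo "DC $fqdn ($guid): DNS records and replication OK"
}

# Only run the live check where samba-tool is actually installed.
if [ -x "$SAMBA/bin/samba-tool" ]; then
    check_dc
fi
```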

  • Set Samba to start automatically on system boot

The command to start Samba is simply (the daemon is installed under sbin, the same path the Upstart job below uses):

/usr/local/samba/sbin/samba

The command to stop Samba is simply:

killall samba

Unfortunately, having to start Samba manually every time you reboot the server is not ideal, so we are going to create an Upstart job to do it for us automatically. Create a file under /etc/init/ named samba4.conf:

vi /etc/init/samba4.conf

Insert the following into the file and save it:

description "SMB/CIFS File and Active Directory Server"
author      "Jelmer Vernooij <jelmer@ubuntu.com>"

start on (local-filesystems and net-device-up)
stop on runlevel [!2345]

expect fork
normal exit 0

pre-start script
        [ -r /etc/default/samba4 ] && . /etc/default/samba4
        install -o root -g root -m 755 -d /var/run/samba
        install -o root -g root -m 755 -d /var/log/samba
end script

exec /usr/local/samba/sbin/samba -D

Reboot your server and add another account to your domain from your Samba server, as described above, to ensure that Samba started automatically.

  • Important Facts

It is possible to point your Windows clients' DNS settings to your new Samba DC, but you would then only be able to resolve hostnames within your domain. The DNS server on your Samba DC is not a general-purpose (recursive) resolver and only answers for the zones it holds, so it will not resolve hostnames outside your domain. In order to do that, you must add the following to /usr/local/samba/etc/smb.conf under the [global] section, save the file and restart Samba:

dns forwarder = 8.8.8.8

8.8.8.8 is a Google public DNS server. You can use whatever upstream resolver you like if you don't want to use the Google one.