Samba: Setup an Active Directory


Unfortunately Microsoft has decided to discontinue its Small Business Server, and for small environments you do not really want to buy a Windows Server licence just to run an Active Directory Domain Controller. When Microsoft's cloud is not an option either, you can use Samba :-).

These steps describe how to install an Active Directory from scratch. First ensure you have a time server running in your network: Kerberos tolerates only a few minutes of clock skew (5 minutes by default), so a DC or client with a wrong clock will not get tickets. If you have none, I described how to install and configure ntp for Linux in this post. ntpd can run on the same machine as Samba.

Also configure a static IP address. In this example:

Base system: Linux Debian 9 stretch

Active Directory domain: franken.local

Kerberos REALM: FRANKEN.LOCAL (the domain name in upper case)

Install the packages.

root@debdev: ~ # apt-get update && apt-get upgrade && apt-get -y install samba attr dnsutils net-tools smbclient krb5-user krb5-config winbind libpam-winbind libnss-winbind libpam-krb5

Set your hostname (the short name, not the FQDN) and reboot

root@debdev: ~ # hostnamectl set-hostname frankendc1
root@debdev: ~ # reboot

Move or delete the default smb.conf file so that provisioning writes a fresh one. Rename it to any backup name, e.g.:

root@frankendc1: ~ # mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

Start the Active Directory provisioning. The internal DNS backend is used, Kerberos REALM: FRANKEN.LOCAL, NetBIOS domain name: FRANKEN. --use-rfc2307 is only necessary when you want to use the NIS extensions (uidNumber/gidNumber attributes) for authenticating UNIX users against your AD.

Note: This command line uses your hostname as the DC hostname and adds the DNS servers configured in /etc/resolv.conf as forwarders to the Samba integrated DNS server. A random Administrator password is set. You can set your own password with the --adminpass= parameter, but then you have to quote special characters like & and !, and the password ends up in your shell history. Best practice is to let it be generated randomly and change it after the installation has finished.

root@frankendc1: ~ # samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=FRANKEN.LOCAL --domain=FRANKEN
Admin password:        ~zl3=Q7nNHYHA+)!#_NeUKZv9.d
Server Role:           active directory domain controller
Hostname:              frankendc1
NetBIOS Domain:        FRANKEN
DNS Domain:            franken.local
DOMAIN SID:            S-1-5-21-2606902105-126693256-2254647617

Disable the legacy Samba daemons, then enable and start the Active Directory service

root@frankendc1: ~ # systemctl stop smbd nmbd winbind
root@frankendc1: ~ # systemctl disable smbd nmbd winbind
root@frankendc1: ~ # systemctl unmask samba-ad-dc
root@frankendc1: ~ # systemctl start samba-ad-dc
root@frankendc1: ~ # systemctl enable samba-ad-dc

Change /etc/resolv.conf to use the Samba integrated DNS server. Remove the existing file or symlink (created when you set the static IP)

root@frankendc1: ~ # rm /etc/resolv.conf

and create a new /etc/resolv.conf with your domain in the search list and your static IP as the only DNS server (the DC has to resolve its own zone, so no other resolver belongs in this file):

search franken.local
nameserver 192.0.2.10   # example address, replace with the static IP of this DC

Check if DNS works. Your new AD domain and your DC should be resolved:

root@frankendc1:~# nslookup franken.local

Name:   franken.local
root@frankendc1:~# nslookup frankendc1.franken.local

Name:   frankendc1.franken.local

Set up Kerberos. Samba has already generated a valid krb5.conf for your directory at /var/lib/samba/private/krb5.conf; use that one instead of writing your own. The Kerberos server and the administration server of the realm are both your DC:

Kerberos-Server: frankendc1.franken.local
Administrations-Server: frankendc1.franken.local

Copy the generated file to /etc:

root@frankendc1:~# cp /var/lib/samba/private/krb5.conf /etc/

Add "default_ccache_name = /tmp/krb5cc_%{uid}" to the [libdefaults] section, so that every user gets a separate ticket cache file owned by that user. Like this:

[libdefaults]
default_ccache_name = /tmp/krb5cc_%{uid}
default_realm = FRANKEN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

Initiate a final reboot

root@frankendc1:~# reboot

First connect. Try to get a Kerberos ticket for the administrator (note: the REALM FRANKEN.LOCAL is case sensitive)

root@frankendc1:~# kinit administrator@FRANKEN.LOCAL
Password for administrator@FRANKEN.LOCAL:
Warning: Your password will expire in 41 days on Fri Nov 29 21:19:41 2018

And show ticket(s)

root@frankendc1:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@FRANKEN.LOCAL

Valid starting     Expires            Service principal
10/18/18 21:58:20  10/19/18 07:58:20  krbtgt/FRANKEN.LOCAL@FRANKEN.LOCAL
        renew until 10/19/18 21:58:11

If you have a Kerberos ticket you can use it for the samba-tool command (option -k yes) to authenticate against your new Active Directory without entering your password each time you call samba-tool.

Important: samba-tool uses the existing Kerberos ticket, but the --server parameter must be given the DNS name, not the IP address, of the Domain Controller! Kerberos service tickets are issued for a principal built from the host name, so with an IP address there is no matching principal and samba-tool falls back to asking for a user name and password.
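The checks above (hostname, resolv.conf, krb5.conf, DNS) can be scripted. The following POSIX shell script is an added example and is not code from the original post or from the Samba project. It assumes the names used in this post (franken.local, frankendc1), a made-up DC address 192.0.2.10 that you have to replace with your static IP, the `host` command from the dnsutils package installed above, and function names of my own choosing. Beyond the nslookup checks in the text it also verifies the SRV records (_ldap._tcp.dc._msdcs and _kerberos._tcp.dc._msdcs) that Windows clients and Kerberos libraries use to locate a DC; without them a domain join fails even though the plain A records resolve.

```sh
#!/bin/sh
# dc_check.sh - sanity checks for a freshly provisioned Samba AD DC.
# Added example for this post, not part of it. Assumptions (not stated in
# the post): DC address 192.0.2.10, the function names, and "host" from dnsutils.
set -u

DOMAIN="franken.local"
DC_FQDN="frankendc1.franken.local"
DC_IP="192.0.2.10"   # assumed example address, replace with the DC's static IP

# Escape dots so a domain or IP can be used literally inside a grep -E pattern.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# The Kerberos realm is the DNS domain in upper case (franken.local -> FRANKEN.LOCAL).
realm_from_domain() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# The hostname must be the short name; the FQDN comes from DNS.
check_short_hostname() {
    case "$1" in
        *.*) return 1 ;;
        *)   return 0 ;;
    esac
}

# resolv.conf must search the AD domain and list the DC itself as the ONLY
# nameserver. A leftover entry for the old resolver means domain lookups can
# end up at a server that knows nothing about the AD zone (or is not yours).
check_resolv_conf() {
    file="$1"; ip=$(re_escape "$2"); dom=$(re_escape "$3")
    grep -Eq "^search[[:space:]]+(.*[[:space:]])?$dom([[:space:]]|\$)" "$file" || return 1
    ns=$(grep -Ec '^nameserver[[:space:]]' "$file" || true)
    [ "$ns" -eq 1 ] || return 1
    grep -Eq "^nameserver[[:space:]]+$ip[[:space:]]*\$" "$file"
}

# default_realm in krb5.conf must be the realm the domain was provisioned with.
check_krb5_realm() {
    realm=$(re_escape "$2")
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm[[:space:]]*\$" "$1"
}

# Extract the target host from "host -t SRV" output lines, which look like:
#   _ldap._tcp.dc._msdcs.franken.local has SRV record 0 100 389 frankendc1.franken.local.
srv_targets() { awk '/has SRV record/ { t = $NF; sub(/\.$/, "", t); print t }'; }

# Live check: the SRV records clients use to locate a DC for LDAP and Kerberos.
check_srv_records() {
    for rec in "_ldap._tcp.dc._msdcs.$DOMAIN" "_kerberos._tcp.dc._msdcs.$DOMAIN" \
               "_ldap._tcp.$DOMAIN" "_kerberos._udp.$DOMAIN"; do
        if host -t SRV "$rec" "$DC_IP" | srv_targets | grep -qx "$DC_FQDN"; then
            echo "ok   $rec -> $DC_FQDN"
        else
            echo "FAIL $rec does not point at $DC_FQDN"; rc=1
        fi
    done
}

main() {
    rc=0
    realm=$(realm_from_domain "$DOMAIN")
    if check_short_hostname "$(hostname)"; then echo "ok   short hostname"
    else echo "FAIL hostname must be the short name, not the FQDN"; rc=1; fi
    if check_resolv_conf /etc/resolv.conf "$DC_IP" "$DOMAIN"; then echo "ok   /etc/resolv.conf"
    else echo "FAIL /etc/resolv.conf must search $DOMAIN and use only $DC_IP"; rc=1; fi
    if check_krb5_realm /etc/krb5.conf "$realm"; then echo "ok   default_realm = $realm"
    else echo "FAIL /etc/krb5.conf default_realm is not $realm"; rc=1; fi
    check_srv_records
    exit "$rc"
}

# Run the live checks only with --run, so the functions can also be sourced and tested.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it on the DC as `sh dc_check.sh --run` after the final reboot; every line starting with FAIL points at one of the steps above that has to be repeated. The nameserver check is deliberately strict (exactly one entry, the DC itself): a second resolver does not make the setup more robust, it only hides a broken AD DNS until the first client cannot find the DC.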

If your integrated DNS should also be authoritative for the reverse DNS zone of your subnet (resolving IP addresses to host names), create the zone. The zone name is the reversed network part followed by in-addr.arpa; for a 192.168.1.0/24 subnet (example, replace with your own) that is:

root@frankendc1:~# samba-tool dns zonecreate frankendc1.franken.local 1.168.192.in-addr.arpa
Zone created successfully

Your Active Directory is now up and running. You can now join computers to your domain. Install the Microsoft RSAT tools on a Windows client to manage it.

Here is a set of helpful command line examples for samba-tool.

Showing the domain level

root@frankendc1:~# samba-tool domain level show
Domain and forest function level for domain 'DC=franken,DC=local'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

(Re)set a user's password. Here the password for the Administrator:

root@frankendc1:~# samba-tool user setpassword --filter=samaccountname=Administrator

Get a user's password hash. unicodePwd is the NT hash and is as sensitive as the password itself (it can be used directly for NTLM authentication), so do not leave this output in logs or shell history. virtualClearTextUTF16 is only returned if Samba was configured to keep a GPG-encrypted clear-text copy (password hash gpg key ids); otherwise the attribute is simply absent.

root@frankendc1:~# samba-tool user getpassword --filter=samaccountname=Administrator --attributes=msDS-KeyVersionNumber,unicodePwd,virtualClearTextUTF16

Get all DNS zones

root@frankendc1:~# samba-tool dns zonelist

Query the DNS (arguments: server, zone, name, record type)

root@frankendc1:~# samba-tool dns query frankendc1.franken.local franken.local frankendc1.franken.local A
  Name=, Records=2, Children=0
    A: (flags=f0, serial=110, ttl=900)

Show local shares

smbclient -L localhost -U% -k

Group Policies
To configure Group Policy administrative templates, copy the content of the C:\Windows\PolicyDefinitions folder of a Windows 10 machine into the central store of every Domain Controller's sysvol (sysvol\<domain>\Policies\PolicyDefinitions). Samba does currently not support replication of the sysvol folder, so you must implement your own replication, e.g. via rsync or robocopy, and keep the copies on all DCs identical.

C:\> mkdir \\frankendc1.franken.local\sysvol\franken.local\Policies\PolicyDefinitions
C:\> mkdir \\frankendc2.franken.local\sysvol\franken.local\Policies\PolicyDefinitions
C:\> robocopy C:\Windows\PolicyDefinitions \\frankendc1.franken.local\sysvol\franken.local\Policies\PolicyDefinitions /s
C:\> robocopy C:\Windows\PolicyDefinitions \\frankendc2.franken.local\sysvol\franken.local\Policies\PolicyDefinitions /s

