Quick and dirty way to set up a working Domain Controller with Samba4 on Ubuntu. This installation uses bind9 as the DNS backend.
sudo apt-get install samba4 samba4-clients krb5-user bind9 bind9utils
If the package is left in a broken state, edit /var/lib/dpkg/status and search for samba4; in its entry, replace
half-configured
with
installed
rm /etc/samba/smb.conf
Edit /etc/hosts. Our domain for the DC will be samba.blackhole-networks.com, so as not to conflict with (or take over) our higher-level domain.
172.20.88.37 dc.samba.blackhole-networks.com dc-1
Quote the passwords: unquoted, the shell expands $$ to its own PID before provision ever sees it.
/usr/share/samba/setup/provision --domain=BLACKHOLE-NETWORKS --adminpass='administratorP@$$w3rd' --dns-backend=BIND9_DLZ --dnspass='DNSadministratorP@$$w3rd' --server-role=dc --function-level=2003 --ldapadminpass='LDAPadministratorP@$$w3rd' --realm=SAMBA.BLACKHOLE-NETWORKS.COM
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
service samba4 restart
Edit /etc/bind/named.conf.local and add:
include "/var/lib/samba/private/named.conf";
Check the bind version with
named -V
then edit /etc/bind/named.conf.options and add to the options section (for bind 9.8):
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
forwarders { 10.0.0.53; };
Delegation from the parent zone (on the upstream DNS server, ns.blackhole-networks.com):
$ORIGIN samba.blackhole-networks.com.
@       NS      dc.samba.blackhole-networks.com.
        NS      ns.blackhole-networks.com.
dc-1    IN A    172.20.88.37
and slave the zone from the DC:
zone "samba.blackhole-networks.com" {
    type slave;
    file "slaves/samba.blackhole-networks.com.db";
    masters { 172.20.88.37; };
};
chgrp bind /var/lib/samba/private/dns.keytab
chmod g+r /var/lib/samba/private/dns.keytab
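The keytab holds the key named uses to authenticate its dynamic DNS updates, so it should end up owned by root, group bind, mode 0640 or tighter: readable by the bind group and by nobody else. The following checker is an added example for this write-up (not from the original post or from Samba); the default path and group name are the ones used above, and the offline demo helper checks a scratch file owned by the current user instead of the real keytab.

```python
"""Check that the Samba DNS keytab is readable by named and by nobody else.

Added example for this write-up; it is not from the original post or from Samba.
After the chgrp/chmod above, /var/lib/samba/private/dns.keytab should be
root:bind with mode 0640 (or tighter).  Run as root on the DC to check it.
"""
import grp
import os
import stat
import tempfile

KEYTAB = "/var/lib/samba/private/dns.keytab"
DNS_GROUP = "bind"


def _resolve_gid(group):
    """Accept a group name or a numeric gid; return the gid, or None if unknown."""
    if isinstance(group, int):
        return group
    try:
        return grp.getgrnam(group).gr_gid
    except KeyError:
        return None


def keytab_findings(path=KEYTAB, group=DNS_GROUP, owner_uid=0):
    """Return a list of problems with the keytab's ownership and mode (empty == OK)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    want_gid = _resolve_gid(group)
    if want_gid is None:
        return ["group %r does not exist on this host" % (group,)]
    findings = []
    if st.st_uid != owner_uid:
        findings.append("owner is uid %d, expected uid %d" % (st.st_uid, owner_uid))
    if st.st_gid != want_gid:
        findings.append("group is gid %d, expected gid %d" % (st.st_gid, want_gid))
    if not mode & stat.S_IRGRP:
        findings.append("not group-readable: named cannot read the keytab")
    if mode & stat.S_IRWXO:
        findings.append("world-accessible (mode %o): the DNS update key is exposed "
                        "to every local user" % mode)
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append("group has write/execute (mode %o): g+r is all named needs" % mode)
    return findings


def findings_for_mode(mode):
    """Offline demo: create a scratch file with `mode`, check it as if it were the
    keytab (expecting the current user's uid and the file's own gid), clean up."""
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        return keytab_findings(path, group=os.stat(path).st_gid, owner_uid=os.geteuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    ok = ["OK: %s is root:%s and readable by that group only" % (KEYTAB, DNS_GROUP)]
    for line in keytab_findings() or ok:
        print(line)
```

A mode of 0644 (the usual default for files created by root) is the one to watch for: named can read the keytab, but so can every local account.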
Edit /etc/apparmor.d/usr.sbin.named and add to the profile:
  #Samba 4 stuff
  /var/lib/samba/private/named.conf r,
  /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so mr,
  /usr/lib/x86_64-linux-gnu/samba/gensec/krb5.so mr,
  /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/*.so mr,
  /usr/lib/x86_64-linux-gnu/samba/ldb/*.so mr,
  /var/lib/samba/private/dns/sam.ldb rwk,
  /var/lib/samba/private/dns/sam.ldb.d/*.ldb rwk,
  /var/lib/samba/private/dns/sam.ldb.d/metadata.tdb rwk,
  /var/lib/samba/private/dns.keytab kr,
  /var/tmp/DNS_104 rwk,
service apparmor restart
service bind9 restart
service samba4 restart
service bind9 restart
smbclient --version
smbclient -L localhost -U%

root@dc-1:~# smbclient -L localhost -U%

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service
REWRITE: list servers not implemented
root@dc-1:~#
On the Domain Controller:
smbclient //localhost/netlogon -UAdministrator%'administratorP@$$w3rd' -c 'ls'

root@dc:~# smbclient //localhost/netlogon -UAdministrator%'administratorP@$$w3rd' -c 'ls'
  .                                   D        0  Tue Feb 12 00:25:15 2013
  ..                                  D        0  Tue Feb 12 00:25:40 2013

                8252800 blocks of size 512. 5622936 blocks available
root@dc:~#
host -t SRV _ldap._tcp.samba.blackhole-networks.com.
host -t SRV _kerberos._udp.samba.blackhole-networks.com.
host -t A dc-1.samba.blackhole-networks.com.
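The two SRV lookups above are a spot check; clients locate a DC through a larger, standard set of locator records, and a single missing or stale one (pointing at an old DC, or at the wrong port) produces hard-to-diagnose join and logon failures. The script below is an added example for this write-up (not from the original post or from Samba): it runs the same `host -t SRV` lookups for the whole set and checks that each record exists and points at the DC on the expected port. The domain and DC name are the ones used in this write-up and are assumptions; `sample_lookup` is a constructed stand-in for a healthy DC so the logic can be exercised offline.

```python
"""Verify the DNS locator records an AD domain controller must publish.

Added example for this write-up; it is not from the original post or from Samba.
Runs `host -t SRV` (as above) for the standard DC locator record set and checks
that every record exists and points at the DC on the right port.
"""
import re
import subprocess

DOMAIN = "samba.blackhole-networks.com"        # assumed: the domain used above
DC_HOST = "dc.samba.blackhole-networks.com"    # assumed: the NS target used above

# Standard AD DC locator records (samba_dnsupdate registers these) and the
# port each service listens on.
REQUIRED_SRV = [
    "_ldap._tcp.{d}", "_kerberos._tcp.{d}", "_kerberos._udp.{d}",
    "_kpasswd._tcp.{d}", "_kpasswd._udp.{d}",
    "_ldap._tcp.dc._msdcs.{d}", "_ldap._tcp.pdc._msdcs.{d}", "_gc._tcp.{d}",
]
SERVICE_PORT = {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464, "_gc": 3268}

# host(1) prints one line per answer, e.g.
# _ldap._tcp.example.com has SRV record 0 100 389 dc.example.com.
SRV_RE = re.compile(r"^(?P<name>\S+) has SRV record (?P<prio>\d+) (?P<weight>\d+) "
                    r"(?P<port>\d+) (?P<target>\S+?)\.?$")


def parse_srv(output):
    """Parse host(1) SRV output into (priority, weight, port, target) tuples."""
    records = []
    for line in output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.append((int(m.group("prio")), int(m.group("weight")),
                            int(m.group("port")), m.group("target").lower()))
    return records


def host_lookup(name):
    """Run `host -t SRV name` and return its stdout (an NXDOMAIN line parses to nothing)."""
    return subprocess.run(["host", "-t", "SRV", name],
                          capture_output=True, text=True).stdout


def check_srv_records(lookup=host_lookup, domain=DOMAIN, dc_host=DC_HOST):
    """Return a list of problems; empty means every locator record is present and
    at least one answer for it points at dc_host on the service's expected port."""
    problems = []
    for template in REQUIRED_SRV:
        name = template.format(d=domain)
        records = parse_srv(lookup(name))
        if not records:
            problems.append("%s: no SRV record" % name)
            continue
        port = SERVICE_PORT[name.split(".")[0]]
        if not any(t == dc_host.lower() and p == port for _, _, p, t in records):
            problems.append("%s: no record pointing at %s:%d" % (name, dc_host, port))
    return problems


def sample_lookup(name):
    """Constructed stand-in for host_lookup mimicking a healthy DC (offline demo only)."""
    port = SERVICE_PORT[name.split(".")[0]]
    return "%s has SRV record 0 100 %d %s.\n" % (name, port, DC_HOST)


if __name__ == "__main__":
    for line in check_srv_records() or ["OK: all DC locator records point at " + DC_HOST]:
        print(line)
```

Run it on the DC right after samba_dnsupdate, and again from a client that resolves through the upstream server, so the delegation and the slave zone are exercised as well as the DLZ backend itself.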
kinit administrator@SAMBA.BLACKHOLE-NETWORKS.COM
root@dc:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMBA.BLACKHOLE-NETWORKS.COM

Valid starting     Expires            Service principal
02/12/13 09:59:49  02/12/13 19:59:49  krbtgt/SAMBA.BLACKHOLE-NETWORKS.COM@SAMBA.BLACKHOLE-NETWORKS.COM
        renew until 02/13/13 09:59:42
root@dc:~#
samba_dnsupdate --verbose --all-names
samba-tool domain info 172.20.88.37
samba-tool user add test test123
samba-tool group add testgroup
samba-tool group addmembers testgroup test
samba-tool user delete test
samba-tool group delete testgroup
We'll connect to our new DC with Apache Directory Studio, in my opinion one of the best LDAP GUIs out there today.
Add a user and make him a Domain Admin using samba-tool from the CLI (the password is quoted so the shell leaves $$ alone; addmembers takes the group first, then the members):
samba-tool user add hubert 'myunguessablePA$$W0RD'
samba-tool group addmembers "Domain Admins" hubert
After toiling with a few annoying problems and deficiencies, mainly related to the alpha versions of the samba4 package that Ubuntu 12.04 provides from the native repositories, I switched to the Enterprise Samba packages provided by SerNet. These seemed to solve a lot of little annoyances and allowed me to keep my DC operations consistent with the documentation the Samba project provides.