
How to Set Up a Primary Domain Controller in Linux with Microsoft RSAT?

Step-by-step configuration of a PDC with Samba4, and management with Microsoft RSAT.

Question added by mohsin Butt, IT Operations and Support Executive, Bahria Enterprise Systems and Technologies
Date Posted: 2014/07/08
by Deleted user

1. Configure a fixed IP for your new server.

Edit /etc/network/interfaces and change the config to set a static IP. Please use your own IP information where applicable:

sudo nano /etc/network/interfaces

auto eth0 lo

iface lo inet loopback

iface eth0 inet static
    address...
    netmask...
    broadcast...
    network...
    gateway...
    dns-nameservers...
    dns-search ssno.org

 

2. Log in as root and update your server:

# apt-get update
# apt-get upgrade

3. Install the following packages required for installing and building Samba4:

# apt-get install glibc glibc-devel gcc python krb5-workstation krb5-libs pam_krb5
# apt-get install libacl-devel e2fsprogs-devel gnutls-devel readline-devel python-devel gdb pkgconfig

4. If there are any older samba packages remove them with apt-get:

# apt-get remove samba-winbind-client samba-common samba-client

5. Install git to download the latest Samba4 version:

# apt-get  install git-core

6. Use a directory of your choice and download the latest version of samba from git:

# cd /usr/src/
# git clone git://git.samba.org/samba.git samba-master

Configure and install Samba4:

# cd /usr/src/samba-master
# ./configure
# make
# make install

After the install we will add the path to the bin and sbin directory of Samba:

#nano ~/.bashrc

add the following line at the bottom

export PATH="/usr/local/samba/sbin:/usr/local/samba/bin:$PATH"

 

7. Reboot the server as a precaution so that all packages or kernel updates will be applied:

# shutdown -r now

Now we need to Provision Samba4

The provision step sets up a basic user database, and is used when you are setting up your Samba4 server in its own domain.

As root issue this command:

# /usr/local/samba/bin/samba-tool domain provision

The 'domain provision' tool should pick defaults for you automatically. Change them to your configuration if necessary:

Realm [SSNO.ORG]:
Domain [MYDOMAIN]: (press Enter)
Server Role (dc, member, standalone) [dc]: (press Enter)
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (press Enter)
DNS forwarder IP address (write 'none' to disable forwarding) [..0.1]:...
Administrator password: <your_secret_admin_password>
Retype password:

If the above was successful, stdout should look similar to this:

Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              samba
NetBIOS Domain:        MYDOMAIN
DNS Domain:            SSNO.ORG
DOMAIN SID:            S-1-5-xx-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx

NOTE: You may need to remove the '/usr/local/samba/etc/smb.conf' file if you are re-running the provision command. If you encounter any errors when running the provision command, you may need to install the missing packages or fix the errors and then run './configure', 'make' and 'make install' again as stated above. Remember to do a 'make clean' in the root of your 'samba-master' directory before running 'make' again.

If the provision setup was successful reboot the server:

# shutdown -r now

Start Samba4 AD DC

Start the samba daemon:

# /usr/local/samba/sbin/samba

If you would like Samba to start at boot, append the following to your ‘/etc/rc.d/rc.local’ file:

/usr/local/samba/sbin/samba

 

Testing Samba as an Active Directory DC

Verify you are indeed running the correct version of Samba. Your version should start with version 4 (note: the samba daemon must be running):

# /usr/local/samba/sbin/samba -V
Version 4.1.0pre1-GIT-c1fbd

Verify you are running the correct samba-client version:

# /usr/local/samba/bin/smbclient --version
Version 4.1.0pre1-GIT-c1fbd

Now run this command to list the shares on your Samba4 server:

# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-c1fbd]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-c1fbd)
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-c1fbd]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

 

Configure DNS

You will need to edit your '/etc/resolv.conf' and '/etc/sysconfig/network-scripts/ifcfg-eth0' file so that Samba will use its internal DNS correctly. If you specified a forwarding DNS server when you provisioned earlier, DNS should work correctly (you can verify this in /usr/local/samba/etc/smb.conf). Here is an example of my current '/usr/local/samba/etc/smb.conf' file:

# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = SSNO.ORG
        netbios name = SAMBA
        server role = active directory domain controller
        dns forwarder = 8.8.8.8

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/ssno.org/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

Edit your '/etc/resolv.conf' file to look like this:

# Generated by NetworkManager
domain ssno.org
nameserver...
search ssno.org

Testing DNS

Make sure that samba is running and then test to make sure that DNS is working properly. Run the following commands and compare the output to what is shown:

# host -t SRV _ldap._tcp.ssno.org.
_ldap._tcp.ssno.org has SRV record adhd.ssno.org.
# host -t SRV _kerberos._udp.ssno.org.
_kerberos._udp.ssno.org has SRV record adhd.ssno.org.
# host -t A adhd.ssno.org.
adhd.ssno.org has address...

The answers you get should be similar to the ones above (adjusted for your DNS domain name and hostname). If you get any errors, carefully check your system logs and your '/etc/resolv.conf' and '/etc/network/interfaces' files.

 

Disable Firewall (Optional)

To reduce the chances of problems you can completely disable the firewall on the Samba4 server. Once you have successfully joined a Windows client to the domain you could then re-enable the firewall and configure IP Tables correctly.

Disable the firewall and then reboot the server.

 

Configure Kerberos

In Ubuntu, kerberos is handled by the ‘/etc/krb5.conf’ file. Make a backup copy of this original file, and then replace the existing file, if any, with the sample from /usr/local/samba/share/setup/krb5.conf.

# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

Edit the file and replace ${REALM} with the value you chose for the '--realm' parameter of the provision command earlier; make sure to enter the realm in uppercase letters. It should look something like this:

# cat /etc/krb5.conf
[libdefaults]
        default_realm = SSNO.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = true

 

Testing Kerberos

The simplest test is to use the ‘kinit’ command as follows:

# kinit
Password for :
Warning: Your password will expire in days on Sun Feb::

NOTE: You must specify your domain realm SSNO.ORG in uppercase letters!!

‘kinit’ will not give you any output. To verify that Kerberos is working, and that you received a ticket, run the following:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal:

Valid starting     Expires            Service principal
//::               //::               renew until //::

 

NTP (Network Time Protocol)

Make sure that 'ntpd' is installed and running. If 'ntp' is not installed you can install it with apt-get:

# apt-get install ntp

Enable ntpd:

# /etc/init.d/ntp start

Also, use the ‘chkconfig’ command to have ntpd run at boot:

# chkconfig ntp on

NOTE: Correct time is important for Kerberos to function correctly. Make sure ntpd is running on the Samba server and that you set the Windows client to the most accurate time possible. The Windows client time should be set to the exact time of the Samba4 server, within a few seconds if possible.

 

Configure Windows Client to Join Domain

The following describes how to add a Windows 7 client to the Samba DC. For other versions of Windows the same principle should apply.

To simplify and to limit errors with DHCP, we will assign a static IP address to our Windows 7 client NIC. Configure your network device as follows:

 

 

Click ‘OK’ to save the changes.

Now bring up a command prompt in windows and ping the Samba DC:

ping...

Verify that DNS is working correctly by pinging the FQDN:

ping adhd.ssno.org

If you get replies from both then this is a good sign and should mean that your Samba DC is functional. Also, you may need to reboot Windows for network settings to take effect.

  Configure Date, Time and Time Zone on Windows Client

Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clocks on the client and server be synchronized to within a few seconds of each other. If they are not synchronized, then authentication will fail for apparently no reason. Adjust your date, time and time zone accordingly on your Windows client to match your Samba4 server.

 

Join Windows 7 Client to the Domain

1. Right-click ‘My Computer’ icon and choose ‘Properties’

2. From the left-side pane click ‘Advanced system settings’

3. Choose the ‘Computer Name’ tab and click ‘Change…’

4. Select option ‘Domain’, and insert SSNO.ORG. If this fails just try SSNO.

5. When it requests a username and password, type ‘Administrator’ as the username and then enter your password. (password = the password you used when you ran the ‘samba-tool domain provision’ command)

6. You should get a message box stating ‘Welcome to the SSNO.ORG domain’

7. Click OK on this message box and the Properties window, and you will then be instructed to restart your computer.

8. After restarting you should be presented with the normal login dialog. Click on the 'Switch User' button.

9. Choose 'Other user' and then enter the following:

Press 'Enter' or the arrow button.

10. You should then authenticate and log in to Windows.

 

Install Windows Remote Administration Tools

To install the GUI tools to manage the domain you must install the Remote Server Administration Tools. This will allow you to easily manage the domain using the Active Directory tools.

Windows 7

1. Download the Windows Remote Server Administration Tools

2. Follow the ‘Install RSAT’ instructions

3. Enable the necessary components in ‘Control Panel -> Programs -> Turn Windows features on or off -> Remote Server Administration Tools’

4. You may need to add the Administrative Tools to your start menu. Right-click ‘Start button’ and select ‘Properties -> Start Menu tab – Customize… -> System administrative tools – Display on the All Programs menu’

 

Managing Samba4 AD DC from a Windows 7 Client

This is beyond the scope of this article. For further information please refer to the Samba4 HOWTO

 

Configure the Firewall

Once your Windows clients have successfully joined your Samba4 DC, it is prudent to re-enable the firewall on your Ubuntu Samba4 DC.

Configure the firewall to have AT LEAST these ports open:

, TCP & UDP (DNS)

, TCP & UDP (Kerberos authentication)

, TCP (MS RPC)

, UDP (NetBIOS name service)

, UDP (NetBIOS datagram service)

, TCP (NetBIOS session service)

, TCP & UDP (LDAP)

, TCP (MS-DS AD)

, TCP & UDP (Kerberos change/set password)

, TCP (AD?)

 

For RSAT tools and extras other ports may need to be opened. Microsoft has a list of the port required which you can find here: http://technet.microsoft.com/en-us/library/dd%WS.%.aspx

To setup folder redirection for users and configure offline files that synchronize, please see my article Folder Redirection using Group Policy

 

 

Init script for auto start

When rebooting the server, it would be nice if the Samba service would start automatically. The following init.d startup script will take care of that:

# vim /etc/init.d/samba4

#! /bin/sh
### BEGIN INIT INFO
# Provides:          samba
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba daemons
### END INIT INFO
#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba3 packages.
#

SAMBAPID=/var/run/samba/samba.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemon and the config file are there
test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf || exit 0

. /lib/lsb/init-functions

case "$1" in
    start)
        log_daemon_msg "Starting Samba4 daemon" "samba"
        if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
            log_end_msg 1
            exit 1
        fi
        log_end_msg 0
        ;;
    stop)
        log_daemon_msg "Stopping Samba4 daemon" "samba"
        start-stop-daemon --stop --quiet --pidfile $SAMBAPID --name samba
        # Wait a little and remove stale PID file
        sleep 1
        if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
        then
            # Stale PID file (samba was successfully stopped),
            # remove it (should be removed by samba itself IMHO.)
            rm -f $SAMBAPID
        fi
        log_end_msg 0
        ;;
    restart|force-reload)
        $0 stop
        sleep 1
        $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/samba4 {start|stop|restart|force-reload}"
        exit 1
        ;;
esac

exit 0

# sudo chmod +x /etc/init.d/samba4
# sudo update-rc.d samba4 defaults

 

Home folders for Active Directory users

First we need to create a folder where all the home folders will reside:

sudo mkdir /Users
sudo chmod g+s /Users
sudo chown root:users /Users

Next we will add the following to /usr/local/samba/etc/smb.conf:

[Users]
        directory_mode: parameter =
        read only = no
        path = /Users
        csc policy = documents

You can either map that by using net use h: \\samba\Users\%USERNAME% or by adding the same path to the home folder paragraph under the Profile tab of the AD user. The home folder will be created automatically if you use the last option.
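
As an added example, not from the answer above: a small POSIX shell script that turns the manual checks in the answer (the SRV lookups, the uppercase-realm rule for krb5.conf, the clock-skew requirement of Kerberos, and the firewall port list) into functions that can be run against captured output or, with --live, against the DC itself. The sample SRV line is constructed; the 300 s skew limit is the MIT krb5 default; the port numbers in dc_iptables_rules are the standard AD DC ports, an assumption here since the answer's list left them blank. The script prints the iptables rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the post above): post-provision checks for a Samba4
# AD DC, written as pure functions so they can be exercised on captured output
# as well as on a live DC. Live mode:  sh dc-check.sh --live SSNO.ORG

# Constructed sample of a `host -t SRV` answer. A real answer carries
# priority, weight and port before the target; the post's output lost them.
SAMPLE_SRV='_ldap._tcp.ssno.org has SRV record 0 100 389 adhd.ssno.org.'

# srv_target LINE: print "PORT TARGET" from one `host -t SRV` answer line,
# or return 1 when the line is not an SRV answer (NXDOMAIN, timeout, ...).
srv_target() {
    case "$1" in
        *' has SRV record '*) ;;
        *) return 1 ;;
    esac
    # fields: name has SRV record priority weight port target
    set -- $1
    [ $# -eq 8 ] || return 1
    printf '%s %s\n' "$7" "${8%.}"
}

# realm_is_upper REALM: Kerberos realms are case-sensitive and by convention
# uppercase; a lowercase realm in krb5.conf makes kinit fail against the DC.
realm_is_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# clock_skew_ok SERVER_EPOCH CLIENT_EPOCH: Kerberos rejects requests when the
# clocks differ by more than the KDC's max skew, 300 s by default (MIT krb5).
clock_skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$((0 - d)); fi
    [ "$d" -le "${KRB_MAX_SKEW:-300}" ]
}

# dc_iptables_rules: print (not apply) the INPUT rules an AD DC needs. Port
# numbers are the standard AD assignments (assumed here; the post's list lost
# them). Review the output, then pipe it to sh.
dc_iptables_rules() {
    while read -r proto port comment; do
        printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT  # %s\n' \
            "$proto" "$port" "$comment"
    done <<'EOF'
tcp 53 DNS
udp 53 DNS
tcp 88 Kerberos
udp 88 Kerberos
tcp 135 MS RPC endpoint mapper
udp 137 NetBIOS name service
udp 138 NetBIOS datagram service
tcp 139 NetBIOS session service
tcp 389 LDAP
udp 389 LDAP
tcp 445 SMB over TCP (MS-DS)
tcp 464 Kerberos change/set password
udp 464 Kerberos change/set password
tcp 636 LDAPS
tcp 3268 Global catalog
tcp 3269 Global catalog over TLS
tcp 49152:65535 Dynamic RPC ports
EOF
}

# Live mode: query this host's resolver and report what a client would see.
if [ "${1:-}" = "--live" ]; then
    realm=${2:?usage: $0 --live REALM}
    dom=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    realm_is_upper "$realm" || echo "realm '$realm' must be uppercase"
    for svc in _ldap._tcp _kerberos._udp; do
        srv_target "$(host -t SRV "$svc.$dom." | head -n 1)" \
            || echo "no SRV record for $svc.$dom"
    done
    dc_iptables_rules
fi
```

Run it on the DC after provisioning and after every change to resolv.conf or krb5.conf: a missing `_ldap._tcp` or `_kerberos._udp` record means Windows clients will not find the DC at join time, whatever ping says. The rule generator is deliberately a dry run so the list can be reviewed (and the dynamic RPC range narrowed to the range set in smb.conf) before a single rule reaches the live firewall.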

 
