
Samba4 AD Domain with Ubuntu 12.04

Building a Samba4 Active Directory Domain
In this article I will outline the configuration of a small Active Directory using Samba4.
The Ubuntu version involved is 12.04. I assume that you have modest knowledge of how to configure Ubuntu on the
command line, i.e. I will not explain every single step in detail.
Network parameters we will use are:
Network name: demo.local
IP range: 192.168.99.0/24

Base System and Samba4
Step 1: Install a Ubuntu 12.04 system
Step 2: Configure the network to use a static address. A domain controller needs one, because the DNS records created during provisioning point at it. Edit /etc/network/interfaces:

auto lo eth0
iface lo inet loopback

iface eth0 inet static
address 192.168.99.200
netmask 255.255.255.0
gateway 192.168.99.254
dns-nameservers 192.168.99.200 192.168.99.254
dns-search demo.local

The second nameserver (the gateway) is only a fallback while Bind is not running yet. Once the AD DNS works, the DC and its clients should use only the Samba DNS: a resolver that does not know the AD zone fails the SRV lookups that domain logon depends on (see "DNS server delivery via DHCP" below).

Step 3: Add the basic host entries to resolve without DNS
Edit /etc/hosts and insert the following. The fully qualified name goes first, so that hostname -f and Kerberos see vupapsam401.demo.local as the canonical name:

127.0.0.1 localhost
192.168.99.200 vupapsam401.demo.local vupapsam401

Step 4: Install the Samba4 packages

apt-get install samba4

The installation will throw out an error and apt will leave the package half-configured (the package's post-install script tries to provision a domain on its own and fails). As the error isn't relevant to us, we fix the package state by manually marking it as installed. Take a backup of the file first; editing the dpkg database by hand is a workaround specific to this package:
1. Edit /var/lib/dpkg/status and search for Package: samba4
2. Replace half-configured with installed
Now we are going to build the Active Directory domain:

rm /etc/samba/smb.conf

/usr/share/samba/setup/provision --realm=demo.local --domain=DEMO --adminpass='Test123' --serv

This will set up everything needed for running a domain (LDAP, Kerberos, the DNS zone data, ...). Use a real administrator password rather than Test123: provisioning enforces the AD default password policy (at least 7 characters, three character classes), and a password given on the command line ends up in the shell history and is visible in the process list while provisioning runs.
Next step is to start Samba:

initctl start samba4

Step 5: Testing our installation

apt-get install samba4-clients
smbclient -L localhost -U%

The last command (-U% is an anonymous login) should display the shares currently defined and served by the server. It should look something like:

Sharename       Type      Comment

netlogon        Disk
sysvol          Disk
IPC$            IPC       IPC Service

netlogon and sysvol are created by provisioning; if they are missing, provisioning did not complete.
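As an added example (not code from the original article), the following script wraps the provisioning and the share check from Steps 4 and 5 in functions so they can be repeated and verified. Two things in it are assumptions and not from the page: the --server-role flag of the provision script, and a root-only password file /root/dc-adminpass.txt used instead of putting the password on the command line. pw_meets_policy approximates the AD default password policy that provisioning enforces (at least 7 characters and three of the four classes upper, lower, digit, other); dc_shares_ok checks smbclient -L output for the netlogon and sysvol shares that a successful provision creates. The sample listings are constructed, not captured from a server.

```shell
#!/bin/sh
# Added example: provision a Samba4 DC and verify the result.
# Assumptions (not from the article): --server-role is the provision flag
# selecting the DC role, and the admin password is read from a root-only
# file rather than typed on the command line.
set -eu
LC_ALL=C; export LC_ALL      # byte ranges in the case patterns below

REALM=demo.local
DOMAIN=DEMO
PASSFILE=/root/dc-adminpass.txt   # assumed path, mode 0600

# Approximation of the AD default password policy that provision enforces:
# minimum 7 characters and at least three of: upper, lower, digit, other.
pw_meets_policy() {
    pw=$1
    [ "${#pw}" -ge 7 ] || return 1
    n=0
    case $pw in *[A-Z]*) n=$((n + 1)) ;; esac
    case $pw in *[a-z]*) n=$((n + 1)) ;; esac
    case $pw in *[0-9]*) n=$((n + 1)) ;; esac
    case $pw in *[!A-Za-z0-9]*) n=$((n + 1)) ;; esac
    [ "$n" -ge 3 ]
}

# Takes the text of `smbclient -L localhost -U%` and succeeds only if both
# shares that provisioning creates are listed.
dc_shares_ok() {
    printf '%s\n' "$1" | grep -qi '^[[:space:]]*netlogon[[:space:]]' &&
    printf '%s\n' "$1" | grep -qi '^[[:space:]]*sysvol[[:space:]]'
}

# Constructed sample listings (not captured from a real server).
SAMPLE_LISTING='        Sharename       Type      Comment
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service'
SAMPLE_LISTING_INCOMPLETE='        Sharename       Type      Comment
        IPC$            IPC       IPC Service'

# Runs the real commands from the article; only called with --run.
provision_dc() {
    pw=$(cat "$PASSFILE")
    pw_meets_policy "$pw" || { echo "admin password does not meet policy" >&2; return 1; }
    rm -f /etc/samba/smb.conf
    # The password is still visible in the process list while provision runs;
    # this release's script offers no file-based alternative.
    /usr/share/samba/setup/provision --realm="$REALM" --domain="$DOMAIN" \
        --adminpass="$pw" --server-role='domain controller'
    initctl start samba4
    out=$(smbclient -L localhost -U%)
    if dc_shares_ok "$out"; then
        echo "DC shares present"
    else
        echo "netlogon/sysvol missing: provisioning did not complete" >&2
        return 1
    fi
}

if [ "${1:-}" = --run ]; then
    provision_dc
fi
```

Run it as root with --run on the freshly installed system; without --run it only defines the functions, which is what lets the checks be exercised on any machine.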

Bind Name Server
We also need a naming service in our network to resolve hosts and services. Active Directory uses DNS to discover a huge
number of services, so here we go:

Step 1: Install Bind

apt-get install bind9

Step 2: Configure Bind
Now you need to edit the Bind configuration file to include the configuration generated by Samba. Active Directory relies
heavily on special DNS entries (SRV records) to find the various services on the network.
Edit /etc/bind/named.conf and append the following line at the end (the semicolon is part of the statement):

include "/var/lib/samba/private/named.conf";

Step 3: Adapt the AppArmor configuration
As Ubuntu confines its services with AppArmor, we need to make sure that Bind has the rights to access the files provided
by Samba.
Edit /etc/apparmor.d/usr.sbin.named and add the following entries inside the profile, i.e. before its closing brace (appending them after the brace makes the profile fail to parse):

/var/lib/samba/private/** rkw,
/var/lib/samba/private/dns/** rkw,
/usr/lib/x86_64-linux-gnu/samba/bind9/** rm,
/usr/lib/x86_64-linux-gnu/samba/gensec/** rm,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
/usr/lib/x86_64-linux-gnu/samba/ldb/** rm,

On a 32-bit system the library directory is /usr/lib/i386-linux-gnu instead. Note that the first rule gives named write access to the whole private directory, which also holds sam.ldb and secrets.ldb; this is what the Samba BIND9 module needs in this release, but it means a compromise of named is a compromise of the domain database.
Now reload the configuration to take effect:

/etc/init.d/apparmor reload

Step 4: Start and test Bind
Run the following command to start Bind:

/etc/init.d/bind9 start

To make sure that everything worked as expected, run the following commands and watch their output. Each command should return a result:

host -t SRV _ldap._tcp.demo.local.
host -t SRV _kerberos._tcp.demo.local.
host -t A vupapsam401.demo.local.

The output should look something like:

_ldap._tcp.demo.local has SRV record 0 100 389 vupapsam401.demo.local.
_kerberos._tcp.demo.local has SRV record 0 100 88 vupapsam401.demo.local.
vupapsam401.demo.local has address 192.168.99.200
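The two SRV lookups above cover LDAP and Kerberos only. As an added example (not part of the original article), the script below checks the wider set of service records a Samba DC publishes at provisioning time (_ldap._tcp, _ldap._tcp.dc._msdcs, _kerberos._tcp/_udp, _kpasswd._udp, _gc._tcp) and verifies that each one points at the expected host and port, by parsing the output format of host -t SRV shown above. The sample answer line used for the self-check is constructed; the realm and host name are the article's.

```shell
#!/bin/sh
# Added example: verify the AD service records a Samba DC publishes.
# Parses the `host -t SRV` answer format, e.g.
#   _ldap._tcp.demo.local has SRV record 0 100 389 vupapsam401.demo.local.
# fields: name has SRV record <prio> <weight> <port> <target>
set -eu

# Field helpers over one answer line; print nothing if it is not an SRV answer.
srv_port()   { printf '%s\n' "$1" | awk '/has SRV record/ { print $7 }'; }
srv_target() { printf '%s\n' "$1" | awk '/has SRV record/ { print $8 }'; }

# srv_ok LINE PORT TARGET: succeeds if the answer points at TARGET:PORT.
srv_ok() {
    [ "$(srv_port "$1")" = "$2" ] && [ "$(srv_target "$1")" = "$3" ]
}

# Records that provisioning creates and that domain join and logon depend on,
# each with the port the service listens on (name:port).
AD_SRV_RECORDS='_ldap._tcp:389
_ldap._tcp.dc._msdcs:389
_kerberos._tcp:88
_kerberos._udp:88
_kpasswd._udp:464
_gc._tcp:3268'

# verify_ad_dns REALM DC_FQDN: queries the resolver from /etc/resolv.conf and
# returns non-zero if any record is missing or points somewhere else.
verify_ad_dns() {
    realm=$1; dc=$2; rc=0
    for rec in $AD_SRV_RECORDS; do
        name=${rec%%:*}; port=${rec##*:}
        line=$(host -t SRV "$name.$realm." 2>/dev/null | grep 'has SRV record' | head -n 1 || true)
        if srv_ok "$line" "$port" "$dc."; then
            echo "OK   $name.$realm -> $dc:$port"
        else
            echo "FAIL $name.$realm (got: ${line:-no answer})"; rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = --run ]; then
    verify_ad_dns demo.local vupapsam401.demo.local
fi
```

Run it with --run on the DC after Bind is up, and again from a client once DHCP hands out the Samba DNS: a FAIL line from the client with an OK line on the DC means the client is still using a resolver that does not know the zone.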

Step 5: Allow dynamic DNS updates
We want our clients (and Samba itself) to be able to update their DNS entries automatically. These updates are authenticated with Kerberos (GSS-TSIG), so Bind needs the keytab Samba generated. Add the following line inside the options { } section of the Bind configuration (on Ubuntu that section lives in /etc/bind/named.conf.options, which named.conf includes); it is an options statement and is rejected if it stands on its own at the end of named.conf:

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

Step 6: Configure Bind as a forwarder
If you have another DNS server (like a SOHO router) on your network which provides DNS service to resolve external names
(like www.google.com), you'll need to configure Bind to use this DNS to resolve entries.
First we need to disable IPv6 in Bind by editing /etc/default/bind9 and appending:

OPTIONS="-4 -u bind"

Now modify the options { } section of the Bind configuration to include the following directives:

allow-query { any; };
allow-recursion { any; };
forwarders { 192.168.99.254; };
dnssec-validation no;

allow-recursion { any; } turns the DC into an open resolver for every address that can reach its port 53. On anything but an isolated lab network, restrict recursion to loopback and the local subnet, e.g. allow-recursion { 127.0.0.1; 192.168.99.0/24; };. dnssec-validation no is there because many SOHO routers cannot pass DNSSEC data through; the consequence is that this resolver trusts whatever the forwarder returns.
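As an added example (not part of the original article), here is the options block as this section leaves it next to a restricted version, with a small audit function that tells the two apart: recursion open to any address, and a missing tkey-gssapi-keytab (without it the secure dynamic updates from Step 5 are refused). Both option blocks are constructed for the example; the directory and keytab paths are Ubuntu's and the article's. The checks are textual, so run named-checkconf on the real files as well.

```shell
#!/bin/sh
# Added example: audit a Bind options block for the two settings that matter
# most on an AD DNS server. Text matching only; named-checkconf validates syntax.
set -eu

# Constructed: the settings exactly as the article lists them.
WEAK_OPTIONS='options {
    directory "/var/cache/bind";
    allow-query { any; };
    allow-recursion { any; };
    forwarders { 192.168.99.254; };
    dnssec-validation no;
};'

# Constructed: same forwarder, recursion limited to the LAN and loopback,
# and the GSS-TSIG keytab so Samba and domain members can update the zone.
RESTRICTED_OPTIONS='options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 192.168.99.200; };
    allow-query { 127.0.0.1; 192.168.99.0/24; };
    allow-recursion { 127.0.0.1; 192.168.99.0/24; };
    forwarders { 192.168.99.254; };
    dnssec-validation no;
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};'

# audit_named_options FILE: prints findings; returns 1 if any is fatal.
audit_named_options() {
    f=$1; rc=0
    if grep -Eq 'allow-recursion[[:space:]]*\{[[:space:]]*any[[:space:]]*;' "$f"; then
        echo "FAIL: allow-recursion { any; } makes this DC an open resolver"; rc=1
    fi
    if ! grep -Eq 'tkey-gssapi-keytab[[:space:]]+"[^"]+"' "$f"; then
        echo "FAIL: no tkey-gssapi-keytab; secure dynamic updates will be refused"; rc=1
    fi
    if grep -Eq 'dnssec-validation[[:space:]]+no' "$f"; then
        echo "WARN: dnssec-validation no; answers from the forwarder are trusted as-is"
    fi
    return $rc
}

# audit_text TEXT: writes a snippet to a temp file and audits it.
audit_text() {
    t=$(mktemp); printf '%s\n' "$1" > "$t"
    audit_named_options "$t" && rc=0 || rc=$?
    rm -f "$t"; return $rc
}

if [ "${1:-}" = --run ]; then
    echo "--- as written ---";  audit_text "$WEAK_OPTIONS" || true
    echo "--- restricted ---";  audit_text "$RESTRICTED_OPTIONS"
fi
```

To audit the live configuration, call audit_named_options /etc/bind/named.conf.options (or whichever file holds the options block).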

Kerberos
Step 1: Install the Kerberos utilities

apt-get install krb5-user

When asked for the default realm, enter DEMO.LOCAL (the realm is the domain name in upper case; Kerberos realms are case sensitive) and vupapsam401.demo.local as the Kerberos server and administrative server. Test whether Kerberos works by executing:

kinit administrator@DEMO.LOCAL

The realm name needs to be written in UPPERCASE letters. If the command succeeds, run the following command to check
whether we have got a Kerberos ticket (-e also shows the encryption types in use):

klist -e

Network Time Protocol
As the domain controller provides the time to its domain members, we want to make sure that our host has the correct time. Kerberos rejects requests whose timestamp is more than five minutes off the server's clock, so a drifting DC breaks logons. We do so
by installing and configuring NTP to retrieve the time from internet time servers.
Step 1: Install NTP

apt-get install ntp

Step 2: Configure NTP
Edit /etc/ntp.conf and replace the server line with the NTP time server of your choice. I used my border gateway as it provides
NTP:

server vupapgate01.demo.local

Now do an initial time setup:

service ntp stop
ntpdate -B vupapgate01.demo.local
service ntp start

Check whether everything works with:

ntpq -p

Other configuration items and troubleshooting
ACL support
To make sure that your operating system supports access control lists (Samba stores the Windows permissions in extended attributes), do the following:

apt-get install attr

Test whether your file system supports extended attributes (most should; ext4 on Ubuntu 12.04 has user_xattr and acl enabled by default):

touch test.txt
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt
getfattr -d test.txt
getfattr -n security.test -d test.txt

The second setfattr has to be run as root: Samba keeps the Windows ACL in the security.NTACL attribute, and writing to the security namespace requires CAP_SYS_ADMIN. If you also want the POSIX ACL tools (getfacl, setfacl), install the acl package.

DNS server delivery via DHCP
You want to make sure that your DHCP server sets your Samba server as the one and only DNS server for your clients.
Joining the domain
Make sure that you use uppercase letters, like DEMO.LOCAL, as the domain name.
Testing the AD
Run dsa.msc on your Windows client (after you installed the Windows Remote Server Administration Tools).
If something did not work as expected (domain not available), make sure that your DNS resolution works smoothly: the client must be able to resolve _ldap._tcp.demo.local through the Samba DNS.
Creating shares
To create shares you need to perform the following actions:

mkdir /data/global
chmod 777 /data/global

Then add an entry to /etc/samba/smb.conf:

[data]
comment = Global share for all users
path = /data/global
read only = No

Do not call the share [global]: that is Samba's reserved server-wide section, and a second [global] block is merged into it instead of defining a share. chmod 777 also makes the directory writable for every local account on the server; on a single-purpose DC this is tolerable, otherwise give the directory a group and mode 2770 and manage access through the Windows ACLs.
Restart Samba:

initctl restart samba4

Adding users
When adding new users, set their home directory to

\\vupapsam401\users\

The directory will be created automatically. This assumes a share named users exists on the server.
Adding new DNS entries
Use the DNS snap-in in the Management Console.
Error while copying
If you copy files from a Windows system to Samba and get something like "Not enough memory", this could be because of NTFS
alternate data streams within the files (hidden metadata). You can remove them with the Sysinternals tool streams, available at:
http://technet.microsoft.com/de-de/sysinternals/bb897440
by executing the following command:

streams -s -d C:\data

Be aware that -d deletes every stream, including Zone.Identifier, which is the "mark of the web" Windows uses to warn about files downloaded from the internet.

Permission problems
If you have problems with access to files created by different users (even if the permissions look correct), append the following
to the share section in /etc/samba/smb.conf:

directory mask = 0777
create mask = 0777

and restart Samba:

service samba4 restart

These masks make every file and directory created through the share world-writable on the Unix side, so any local process can modify them regardless of the Windows ACL. They hide the permission problem rather than fix it; a tighter alternative is group ownership of the share root with mode 2770, directory mask = 0770 and create mask = 0660, with access granted through the Windows ACLs.
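As an added example (not part of the original article) serving both "Creating shares" and "Permission problems", the script below puts the smb.conf fragment those two sections produce next to a corrected one and audits them for the two defects: a share section named [global], which Samba treats as the server-wide section rather than a share, and create/directory masks that grant world write. Both fragments are constructed for the example; the share name [data] and the 0770/0660 masks are suggestions, not the article's. The checks are textual; testparm remains the authoritative parser for smb.conf.

```shell
#!/bin/sh
# Added example: audit smb.conf share sections for a reserved section name
# used as a share and for world-writable create/directory masks.
set -eu

# Constructed: the fragment as the two sections above would leave it.
WEAK_SHARE='[global]
    comment = Global share for all users
    path = /data/global
    read only = No
    directory mask = 0777
    create mask = 0777'

# Constructed: renamed share, group-writable only; per-user access is then
# granted through Windows ACLs, which the DC stores in the security.NTACL
# extended attribute.
FIXED_SHARE='[data]
    comment = Global share for all users
    path = /data/global
    read only = No
    directory mask = 0770
    create mask = 0660'

# audit_smb_conf FILE: prints findings; returns 1 if a share is called
# [global] or any create/directory mask has the world-write bit set.
audit_smb_conf() {
    awk '
        /^[ \t]*\[/ {
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next
        }
        /^[ \t]*path[ \t]*=/ && tolower(sec) == "global" {
            print "FAIL: [global] is the server-wide section, not a share; rename it"
            rc = 1
        }
        /^[ \t]*(force )?(create|directory)[ \t]+(mask|mode)[ \t]*=[ \t]*0?[0-7][0-7][2367]([ \t]|$)/ {
            print "FAIL: [" sec "]:" $0 " grants world write on the Unix side"
            rc = 1
        }
        END { exit rc + 0 }
    ' "$1"
}

# audit_text TEXT: writes a fragment to a temp file and audits it.
audit_text() {
    t=$(mktemp); printf '%s\n' "$1" > "$t"
    audit_smb_conf "$t" && rc=0 || rc=$?
    rm -f "$t"; return $rc
}

if [ "${1:-}" = --run ]; then
    echo "--- as written ---"; audit_text "$WEAK_SHARE" || true
    echo "--- corrected ---";  audit_text "$FIXED_SHARE"
fi
```

To check the live file, call audit_smb_conf /etc/samba/smb.conf and then run testparm -s to confirm that Samba parses the result the way you expect.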
