
Egon Rath's Notes - http://www.matrix44.net/cms

Samba 4 AD Domain with Ubuntu 12.04


Posted By egrath On May 30, 2012 @ 11:37 am In | Comments Disabled

Building a Samba 4 Active Directory Domain


In this article, I will outline the configuration of a small Active Directory using Samba 4. The Ubuntu version involved is 12.04. I assume that you have modest knowledge of how to configure Ubuntu on the command line, i.e. I will not explain every single step in detail. The network parameters we will use are:

    Network name: demo.local
    IP range:     192.168.99.0/24

Base System and Samba 4


Step 1: Install an Ubuntu 12.04 system.

Step 2: Configure the network to use a static address. Edit /etc/network/interfaces:

    auto lo eth0
    iface lo inet loopback
    iface eth0 inet static
        address 192.168.99.200
        netmask 255.255.255.0
        gateway 192.168.99.254
        dns-nameservers 192.168.99.200 192.168.99.254
        dns-search demo.local

Step 3: Add the basic host entries so the host resolves without DNS. Edit /etc/hosts and insert:

    127.0.0.1       localhost
    192.168.99.200  vupapsam401 vupapsam401.demo.local

Step 4: Install the Samba 4 packages

    apt-get install samba4

The installation will throw an error and apt will leave the package half-installed. As the error isn't relevant to us, we fix the package by manually marking it as installed:

1. Edit /var/lib/dpkg/status and search for "Package: samba4"
2. Replace "half-configured" with "installed"

Now we are going to build the Active Directory domain:

    rm /etc/samba/smb.conf
    /usr/share/samba/setup/provision --realm=demo.local --domain=DEMO --adminpass='Test123' --server-role=dc

This will set up everything needed for running a domain (LDAP, Kerberos, ...). The next step is to start Samba:

    initctl start samba4

Step 5: Testing our installation

    apt-get install samba4-clients
    smbclient -L localhost -U%

The last command should display the currently defined and served shares on the server. It should look something like:

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service

Bind Name Server

We also need a naming service in our network to resolve hosts and services. Active Directory uses DNS to discover a huge number of services, so here we go:

Step 1: Install Bind

    apt-get install bind9

Step 2: Configure Bind

Now you need to edit the Bind configuration file to include the configuration provided by Samba, because Active Directory relies heavily on special DNS entries to find the various services on the network. Edit /etc/bind/named.conf and append the following line at the end:

    include "/var/lib/samba/private/named.conf";

Step 3: Adapt the AppArmor configuration

As Ubuntu secures its services using AppArmor, we need to make sure that Bind has the rights to access the files provided by Samba. Edit /etc/apparmor.d/usr.sbin.named and append the following entries:

    /var/lib/samba/private/** rkw,
    /var/lib/samba/private/dns/** rkw,
    /usr/lib/x86_64-linux-gnu/samba/bind9/** rm,
    /usr/lib/x86_64-linux-gnu/samba/gensec/** rm,
    /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
    /usr/lib/x86_64-linux-gnu/samba/ldb/** rm,

Now reload the configuration for it to take effect:

    /etc/init.d/apparmor reload

Step 4: Start and test Bind

Run the following command to start Bind:

    /etc/init.d/bind9 start

To make sure that everything worked as expected, run the following commands and watch their output. Every command should return a result:

    host -t SRV _ldap._tcp.demo.local.
    host -t SRV _kerberos._tcp.demo.local.
    host -t A vupapsam401.demo.local.

The output should look something like:

    _ldap._tcp.biomerx.local has SRV record 0 100 389 vupapsam401.demo.local.
    _kerberos._tcp.biomerx.local has SRV record 0 100 88 vupapsam401.demo.local.
    vupapsam401.biomerx.local has address 192.168.99.200

Step 5: Allow dynamic DNS updates

We want our clients to be able to update their DNS entries automatically. Edit /etc/bind/named.conf and append the following line:

    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

Step 6: Configure Bind as a forwarder

If you have another DNS server (like a SOHO router) on your network which provides DNS service to resolve external names (like www.google.com), you'll need to configure Bind to use this DNS server to resolve such entries. First we need to disable IPv6 in Bind by editing /etc/default/bind9 and appending:

    OPTIONS="-4 -u bind"

Now modify /etc/bind/named.conf to include the following directives in the options section:

    allow-query { any; };
    allow-recursion { any; };
    forwarders { 192.168.99.254; };
    dnssec-validation no;
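A post-provision check script that ties together the share listing from the Samba "Testing our installation" step and the SRV lookups from Bind step 4. This is an added example, not code from the original article; the parse functions work on captured command output (a sample line constructed from the article's output is embedded), while run_checks calls the real host and smbclient tools. Host name and realm are the article's.

```shell
#!/bin/sh
# Verify that the demo.local DC answers the DNS and share queries an AD
# client depends on. Added example; DC_HOST/REALM follow the article.

DC_HOST="vupapsam401.demo.local"
REALM="demo.local"
# Constructed sample of a "host -t SRV" answer, used for offline parsing
SAMPLE_SRV="_ldap._tcp.demo.local has SRV record 0 100 389 vupapsam401.demo.local."

# Field layout of an answer: <name> has SRV record <prio> <weight> <port> <target>
srv_port() {
    printf '%s\n' "$1" | awk '/has SRV record/ { print $7; exit }'
}

srv_target() {   # target without the trailing dot
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $8); print $8; exit }'
}

# Return 0 when an "smbclient -L" listing contains every share a DC must serve
shares_ok() {
    for s in netlogon sysvol; do
        printf '%s\n' "$1" | grep -qi "^[[:space:]]*$s[[:space:]]" || return 1
    done
    return 0
}

check_srv() {   # $1 = SRV record name, $2 = expected port
    out=$(host -t SRV "$1." 2>&1) || { echo "FAIL: no answer for $1"; return 1; }
    port=$(srv_port "$out"); target=$(srv_target "$out")
    if [ "$port" = "$2" ] && [ "$target" = "$DC_HOST" ]; then
        echo "ok: $1 -> $target:$port"
    else
        echo "FAIL: $1 answered '$out'"; return 1
    fi
}

run_checks() {
    rc=0
    check_srv "_ldap._tcp.$REALM" 389 || rc=1        # LDAP, as in the article
    check_srv "_kerberos._tcp.$REALM" 88 || rc=1     # Kerberos KDC
    listing=$(smbclient -L localhost -U% 2>/dev/null)
    if shares_ok "$listing"; then
        echo "ok: netlogon and sysvol are served"
    else
        echo "FAIL: netlogon/sysvol missing from share list"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "run" ]; then run_checks; fi
```

Run it with `sh check-dc.sh run` on the DC after Bind is up; a FAIL on the SRV lines usually means the Samba include in named.conf or the AppArmor entries are missing.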

Kerberos
Step 1: Install the Kerberos utilities

    apt-get install krb5-user

When asked for the default realm, enter demo.local, and vupapsam401 as the host. Test whether Kerberos works by executing:

    kinit administrator@DEMO.LOCAL

The domain name needs to be written in UPPERCASE letters. If the command succeeds, run the following command to check that we have obtained a Kerberos ticket:

    klist -e

Network Time Protocol


As Samba provides the correct time to its domain members, we want to make sure that our host has the correct time. We do so by installing and configuring NTP to retrieve the time from internet time servers.

Step 1: Install NTP

    apt-get install ntp

Step 2: Configure NTP

Edit /etc/ntp.conf and replace the server line with the NTP time server of your choice. I used my border gateway as it provides NTP:

    server vupapgate01.demo.local

Now do an initial time setup:

    service ntp stop
    ntpdate -B vupapgate01.demo.local
    service ntp start

Check that everything works with:

    ntpq -p

Other configuration items and Troubleshooting


ACL support

To make sure that your operating system supports access control lists (Samba uses them for storing Windows permissions), do the following:

    apt-get install attr

Test whether your filesystem supports ACLs (most should):

    touch test.txt
    setfattr -n user.test -v test test.txt
    setfattr -n security.test -v test2 test.txt
    getfattr -d test.txt
    getfattr -n security.test -d test.txt

DNS server delivery via DHCP

Make sure that your DHCP server sets your Samba server as the one and only DNS server for your clients.

Joining the domain

Make sure that you use uppercase letters, like DEMO.LOCAL, as the domain name.

Testing the AD

Run dsa.msc on your Windows client (after you have installed the Windows Remote Server Administration Tools). If something did not work as expected (domain not available), make sure that your DNS resolution works smoothly.

Creating shares

To create shares you need to perform the following actions:

    mkdir /data/global
    chmod 777 /data/global

Then add an entry to /etc/samba/smb.conf:

    [global]
    comment = Global share for all users
    path = /data/global
    read only = No

Restart Samba:

    initctl restart samba4

Adding users

When adding new users, set their home directory to \\vupapsam401\users\<username>. The directory will be created automatically.

Adding new DNS entries

Use the DNS snap-in in the Management Console.

Error while copying

If you copy files from a Windows system to Samba and get something like "Not enough memory", this could be because of NTFS streams within the files (hidden metadata). You can remove them with the tool streams, available at http://technet.microsoft.com/de-de/sysinternals/bb897440, by executing the following command:

    streams -s -d C:\data

Permission problems

If you have problems with access to files created by different users (even if the permissions look correct), append the following in /etc/samba/smb.conf (in the share section):

    directory mask = 0777
    create mask = 0777

and restart Samba:

    service samba4 restart
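The share recipe above relies on chmod 777 and 0777 masks, which make every file on the share world-writable on the Linux side. As an added example (not from the original article), here is the same share built around a Unix group instead: a setgid directory closed to non-members and an smb.conf stanza whose masks keep Samba-created files inside that group. The group name shareusers and the share name [data] are assumptions (Samba reserves [global] for its own settings section); create the group first with addgroup.

```shell
#!/bin/sh
# Group-based alternative to "chmod 777 /data/global" (added example).
# Assumed group: shareusers. Members of that group get full access, nobody
# else gets any, and new files inherit the group via the setgid bit.

# Create a group-owned, setgid share directory. $1 = path, $2 = group
make_share_dir() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1
    chmod 2770 "$1" || return 1      # rwxrws--- : group members only, setgid
}

# Octal mode of a path (GNU stat, as shipped with Ubuntu)
dir_mode() {
    stat -c '%a' "$1"
}

# Emit an smb.conf share stanza restricted to the group.
# $1 = share name, $2 = path, $3 = group
share_stanza() {
    cat <<EOF
[$1]
    comment = Shared folder for group $3
    path = $2
    read only = No
    valid users = @$3
    force group = $3
    create mask = 0660
    directory mask = 2770
EOF
}

# Return 0 when no "create mask"/"directory mask" in the stanza grants the
# write bit to "other" (last octal digit 2, 3, 6 or 7), i.e. the 0777
# workaround from the article is not present.
stanza_masks_ok() {
    ! printf '%s\n' "$1" | grep -Eq 'mask *= *[0-7]*[2367][[:space:]]*$'
}

if [ "${1:-}" = "apply" ]; then
    make_share_dir /data/global shareusers &&
        share_stanza data /data/global shareusers
fi
```

Run `sh share.sh apply` as root and paste the printed stanza into /etc/samba/smb.conf, then restart Samba as described above; users who cannot write are simply not in the group, which is easier to audit than a world-writable tree.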

Article printed from Egon Rath's Notes: http://www.matrix44.net/cms URL to article: http://www.matrix44.net/cms/notes/gnulinux/samba-4-ad-domain-with-ubuntu-12-04
