Setting up Samba as an Active Directory Domain Controller

1. Overview

Since version 4.0, Samba can run as an Active Directory (AD) domain controller (DC). If you install Samba in a production environment, run two or more DCs for failover.

This article describes how to provision Samba as the first DC of a new AD forest. If you want to migrate a Samba NT4 domain to Samba AD, see the Samba classic upgrade documentation; the remaining steps of this article still apply.

Samba as an AD DC supports:

  An integrated LDAP server as the AD backend

  The Heimdal Kerberos Key Distribution Center (KDC)

If you are running Samba 4.7 or later and built it with the --with-system-mitkrb5 option, Samba uses the MIT Kerberos KDC provided by your operating system (experimental support). In all other cases, Samba uses the Heimdal KDC bundled with Samba.

2. Preparing the installation

Choose the host name of the AD DC

Do not use NT4-only terms as the host name, such as PDC or BDC. These roles do not exist in AD and cause confusion.

Choose the DNS domain of the AD forest. The name will also be used as the AD Kerberos realm.

Be sure to choose a DNS domain that will not need to be changed. Samba does not support renaming the AD DNS zone and the Kerberos realm. Do not use .local as the TLD; it is used by Avahi (multicast DNS).

Use a static IP address on the DC

Disable tools that automatically update the /etc/resolv.conf DNS resolver configuration file, such as resolvconf. AD DCs and domain members must be able to resolve the AD DNS zone via the DNS server.

Verify that no Samba processes are running:

# ps ax | egrep "samba|smbd|nmbd|winbindd"

If the output lists any samba, smbd, nmbd or winbindd processes, shut them down.

Verify that the /etc/hosts file on the DC resolves the fully qualified domain name (FQDN) and the short host name to the LAN IP address of the DC. For example:

127.0.0.1 localhost localhost.localdomain
10.99.0.1 DC1.samdom.example.com DC1

The host name and FQDN must not resolve to 127.0.0.1 or to any IP address other than the one used on the DC's LAN interface.

If Samba was previously installed on this host

  Remove the existing smb.conf file. To list the path of the file:

# smbd -b | grep "CONFIGFILE"
   CONFIGFILE: /usr/local/samba/etc/samba/smb.conf

  Remove all Samba database files, such as *.tdb and *.ldb files. To list the directories containing Samba database files:

# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
   LOCKDIR: /usr/local/samba/var/lock/
   STATEDIR: /usr/local/samba/var/locks/
   CACHEDIR: /usr/local/samba/var/cache/
   PRIVATE_DIR: /usr/local/samba/private/

Starting from a clean environment helps prevent confusion and ensures that no files from the previous Samba installation are mixed into your new domain DC.

  Remove the existing /etc/krb5.conf file:

# rm /etc/krb5.conf
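As an added example (not part of the original article or of the Samba project), the following shell script automates the checks from this section: NT4-style host names, the .local TLD, a correct /etc/hosts mapping and leftover Samba daemons. The FQDN dc1.samdom.example.com and the address 10.99.0.1 are the article's example values; the sample hosts-file contents used below are constructed.

```shell
#!/bin/sh
# Pre-provisioning checks for a host that is about to become a Samba AD DC.
# Added example, not from the Samba project. Assumed example values:
# FQDN dc1.samdom.example.com and LAN address 10.99.0.1 (as in the article).

# The short host name must not be an NT4 role name; these roles do not exist in AD.
hostname_ok() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        PDC|BDC) return 1 ;;
    esac
    return 0
}

# The AD DNS domain needs a real TLD and must not be .local (used by Avahi/mDNS).
# The zone and realm cannot be renamed later, so this is checked before provisioning.
dns_domain_ok() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *.local|*.|.*|"") return 1 ;;
        *.*) return 0 ;;
    esac
    return 1
}

# /etc/hosts must map both the FQDN and the short name to the LAN IP, and neither
# name may additionally map to 127.0.0.1 or any other address.
# Arguments: hosts file content, FQDN, short name, LAN IP.
hosts_ok() {
    printf '%s\n' "$1" | awk -v fqdn="$2" -v short="$3" -v ip="$4" '
        { sub(/#.*/, "") }                       # drop comments
        NF < 2 { next }                          # skip blank/incomplete lines
        {
            for (i = 2; i <= NF; i++) {
                if ($i == fqdn || $i == short) {
                    if ($1 == ip) seen[$i] = 1   # correct mapping
                    else bad = 1                 # loopback or foreign address
                }
            }
        }
        END { if (seen[fqdn] && seen[short] && !bad) exit 0; exit 1 }'
}

# True (exit 0) if any Samba daemon is still running. The [s] trick keeps grep
# from matching its own command line.
samba_daemons_running() {
    ps ax | grep -E '[s]amba|[s]mbd|[n]mbd|[w]inbindd' >/dev/null
}

# Run every check against the live host. Usage: preflight <fqdn> <lan-ip>
preflight() {
    fqdn=$1 ip=$2
    short=${fqdn%%.*}
    domain=${fqdn#*.}
    rc=0
    hostname_ok "$short" || { echo "FAIL: host name $short is an NT4 role name"; rc=1; }
    dns_domain_ok "$domain" || { echo "FAIL: DNS domain $domain is not usable for an AD forest"; rc=1; }
    hosts_ok "$(cat /etc/hosts)" "$fqdn" "$short" "$ip" \
        || { echo "FAIL: /etc/hosts does not map $fqdn and $short exclusively to $ip"; rc=1; }
    if samba_daemons_running; then
        echo "FAIL: samba/smbd/nmbd/winbindd still running; stop them first"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $fqdn can be provisioned"
    return "$rc"
}

# Only touches the live system when called as:
#   sh preflight.sh --check dc1.samdom.example.com 10.99.0.1
if [ "${1:-}" = "--check" ]; then
    preflight "$2" "$3"
fi
```

Run it as root before provisioning; every FAIL line corresponds to one of the preparation steps above and must be fixed first, because none of them can be corrected after the domain exists.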

3. Installing Samba

  Operating system requirements
    Package dependencies required to build Samba
    File system support
  Building Samba from source
  Distribution-specific package installation

These topics are covered on the Samba wiki pages of the same names. The paths used in this article assume a build installed under /usr/local/samba.

4. Provisioning the Samba AD

Provisioning creates the Samba AD configuration and databases and adds the initial records, such as the domain administrator account and the DNS entries AD requires.

If you want to migrate a Samba NT4 domain to AD, follow the Samba classic upgrade procedure instead of provisioning a new domain.

Provisioning requires root privileges to create files and set permissions.

The samba-tool domain provision command provides several parameters for interactive and non-interactive setup. For details, see its help output:

# samba-tool domain provision --help

When provisioning a new AD, it is recommended to pass the --use-rfc2307 parameter to the samba-tool domain provision command to enable the NIS extensions. This allows you to store Unix attributes in AD, such as user IDs (UID), home directory paths and group IDs (GID). Enabling the NIS extensions has no drawbacks. However, enabling them in an existing domain requires a manual extension of the AD schema.

4.1 Parameter description

Set the following parameters during provisioning. Each entry lists the interactive prompt, the corresponding non-interactive parameter and its meaning:

  --use-rfc2307 / --use-rfc2307
    Enables the NIS extensions.

  Realm / --realm
    Kerberos realm. The uppercase version of the AD DNS domain. For example: SAMDOM.EXAMPLE.COM.

  Domain / --domain
    NetBIOS domain name (workgroup). This can be anything, but it must be a single word of at most 15 characters and must not contain a dot. It is recommended to use the first part of the AD DNS domain, for example: SAMDOM. Do not use the short host name of the computer.

  Server Role / --server-role
    Installs the domain controller (dc) role.

  DNS backend / --dns-backend
    Sets the DNS backend. The first DC must be provisioned with an AD-integrated DNS backend (SAMBA_INTERNAL or BIND9_DLZ). Note that BIND9_FLATFILE is not supported and will be removed in a future Samba version.

  DNS forwarder IP address / (not available)
    This setting is only available when using the SAMBA_INTERNAL DNS backend. Queries for zones the DC is not authoritative for are forwarded to this address. In non-interactive mode it can be passed as --option="dns forwarder = <IP>" or added to smb.conf after provisioning.

  Administrator password / --adminpass
    Sets the domain administrator password. If the password does not meet the complexity requirements, provisioning fails.

Other frequently used parameters of the samba-tool domain provision command:

  --option="interfaces=lo eth0" --option="bind interfaces only=yes": If your server has multiple network interfaces, use these options to bind Samba to the specified interfaces. This allows the samba-tool command to register the correct LAN IP address in the directory during provisioning.

Do not use NONE as the DNS backend; it is not supported and will be removed in a future Samba version.
If you use BIND as the DNS backend, do not use BIND9_FLATFILE; it is not supported and will be removed in a future Samba version.
After provisioning the first DC in a domain, do not provision any further DC in the same domain; join additional DCs to the existing domain instead.

4.2 Provisioning Samba AD in interactive mode

To provision Samba AD interactively, run:

# samba-tool domain provision --use-rfc2307 --interactive
Realm [SAMDOM.EXAMPLE.COM]: SAMDOM.EXAMPLE.COM
Domain [SAMDOM]: SAMDOM
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [10.99.0.1]: 8.8.8.8
Administrator password: Passw0rd
Retype password: Passw0rd
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=samdom,DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              DC1
NetBIOS Domain:        SAMDOM
DNS Domain:            samdom.example.com
DOMAIN SID:            S-1-5-21-2614513918-2685075268-614796884

Interactive mode also accepts additional parameters on the samba-tool domain provision command line. This lets you set options that are not part of the interactive prompts.

4.3 Provisioning Samba AD in non-interactive mode

For example, to provision Samba AD non-interactively with the following settings:

  Server role: DC

  NIS extensions enabled

  Internal DNS backend

  AD DNS zone: samdom.example.com (Kerberos realm: SAMDOM.EXAMPLE.COM)

  NetBIOS domain name: SAMDOM

  Domain administrator password: Passw0rd

# samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=SAMDOM.EXAMPLE.COM --domain=SAMDOM --adminpass=Passw0rd

A password passed with --adminpass is visible in the process list and in the shell history. Treat Passw0rd as a placeholder and change the Administrator password once provisioning has finished.
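The parameter rules from 4.1 are easy to get wrong and provisioning only tells you afterwards. As an added example (not from the article or the Samba project), this script validates the realm, the NetBIOS name and the administrator password against those rules and assembles the non-interactive command shown above; the example values samdom.example.com, SAMDOM and Passw0rd are the article's. The complexity check implements the default AD password policy (at least seven characters, three of the four character classes).

```shell
#!/bin/sh
# Validate provisioning parameters and assemble the non-interactive
# samba-tool domain provision command line. Added example, not Samba project code.
# Assumed example values: DNS domain samdom.example.com, NetBIOS name SAMDOM.

# The Kerberos realm is the AD DNS domain in uppercase.
realm_from_dns_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# NetBIOS domain name: one word, at most 15 characters, no dot.
netbios_ok() {
    n=$1
    [ -n "$n" ] && [ "${#n}" -le 15 ] || return 1
    case $n in
        *.*|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Default AD password policy: at least 7 characters and at least three of the
# four classes upper/lower/digit/other. Provisioning fails if --adminpass does
# not meet it, so check before running samba-tool.
password_complex_ok() {
    pw=$1
    [ "${#pw}" -ge 7 ] || return 1
    classes=0
    case $pw in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ]
}

# Print the provision command for the given settings, or fail with a reason.
# Usage: build_provision_cmd <dns-domain> <netbios-name> <admin-password> [dns-backend]
build_provision_cmd() {
    dns_domain=$1 netbios=$2 adminpass=$3 backend=${4:-SAMBA_INTERNAL}
    realm=$(realm_from_dns_domain "$dns_domain")
    case $dns_domain in *.*) ;; *) echo "DNS domain $dns_domain has no TLD" >&2; return 1 ;; esac
    netbios_ok "$netbios" || { echo "invalid NetBIOS domain name: $netbios" >&2; return 1; }
    password_complex_ok "$adminpass" || { echo "administrator password fails the complexity policy" >&2; return 1; }
    case $backend in
        SAMBA_INTERNAL|BIND9_DLZ) ;;
        *) echo "DNS backend $backend is unsupported (NONE and BIND9_FLATFILE are being removed)" >&2; return 1 ;;
    esac
    # The password ends up in the process list and shell history; treat it as temporary.
    printf 'samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=%s --realm=%s --domain=%s --adminpass=%s\n' \
        "$backend" "$realm" "$netbios" "$adminpass"
}

# Print (not run) the command when invoked as:
#   sh provision-cmd.sh --print samdom.example.com SAMDOM 'Passw0rd'
if [ "${1:-}" = "--print" ]; then
    build_provision_cmd "$2" "$3" "$4" "${5:-}"
fi
```

The script only prints the command; pipe it into sh as root when you are satisfied with it. The backend check rejects NONE and BIND9_FLATFILE for the reasons given in 4.1.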

5. Setting up the AD DNS backend

Skip this step if you provisioned the DC with the SAMBA_INTERNAL DNS backend.

Set up the BIND DNS server with the BIND9_DLZ module.

Start the BIND DNS server. For example:

# systemctl start named

6. Configuring the DNS resolver

AD domain members use DNS to locate services such as LDAP and Kerberos. To do this, they must be able to resolve the AD DNS zone via the DNS server.

On the DC, set the search parameter in /etc/resolv.conf to the AD DNS domain and the nameserver parameter to the IP address of the DC. For example:

search samdom.example.com
nameserver 10.99.0.1

7. Creating a reverse zone

Optionally, you can add a reverse lookup zone:

# samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Zone 0.99.10.in-addr.arpa created successfully

If you need more than one reverse zone (multiple subnets), simply run the above command again with the data of the other subnet.

The reverse zone takes effect immediately; there is no need to restart Samba or BIND.
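Getting the in-addr.arpa name right by hand is error-prone, and a reverse zone is only useful once it contains a PTR record for the DC. As an added example (not from the article or the Samba project), the following script derives the zone name from a subnet in CIDR notation, derives the PTR owner name for an address, and prints (or applies) the samba-tool dns commands; the values 10.99.0.0/24, dc1.samdom.example.com and 10.99.0.1 are the article's example values. Only prefixes on octet boundaries are handled, because only those map to a single in-addr.arpa zone.

```shell
#!/bin/sh
# Derive the in-addr.arpa zone for a subnet, create it and add a PTR record for
# the DC. Added example, not Samba project code. Assumed example values from the
# article: subnet 10.99.0.0/24, DC dc1.samdom.example.com at 10.99.0.1.

# Name of the reverse zone for a network given in CIDR notation. Only prefixes on
# octet boundaries (/8, /16, /24) map to a single in-addr.arpa zone.
reverse_zone_for_cidr() {
    net=${1%/*} prefix=${1#*/}
    oldifs=$IFS; IFS=.; set -- $net; IFS=$oldifs
    case $prefix in
        8)  printf '%s.in-addr.arpa\n' "$1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
        *)  echo "prefix /$prefix is not on an octet boundary; use /8, /16 or /24" >&2; return 1 ;;
    esac
}

# Owner name of the PTR record, relative to the reverse zone: the host octets of
# the address in reverse order.
ptr_name_for_ip() {
    ip=$1 prefix=${2#*/}
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    case $prefix in
        8)  printf '%s.%s.%s\n' "$4" "$3" "$2" ;;
        16) printf '%s.%s\n' "$4" "$3" ;;
        24) printf '%s\n' "$4" ;;
        *)  return 1 ;;
    esac
}

# Print the samba-tool commands that create the zone and the DC's PTR record.
# Usage: reverse_zone_commands <dns-server> <cidr> <dc-fqdn> <dc-ip>
reverse_zone_commands() {
    server=$1 cidr=$2 dc_fqdn=$3 dc_ip=$4
    zone=$(reverse_zone_for_cidr "$cidr") || return 1
    name=$(ptr_name_for_ip "$dc_ip" "$cidr") || return 1
    printf 'samba-tool dns zonecreate %s %s -U Administrator\n' "$server" "$zone"
    printf 'samba-tool dns add %s %s %s PTR %s -U Administrator\n' "$server" "$zone" "$name" "$dc_fqdn"
}

# --print shows the commands; --apply runs them (samba-tool prompts for the
# Administrator password on the terminal). Example:
#   sh reverse-zone.sh --apply dc1.samdom.example.com 10.99.0.0/24 dc1.samdom.example.com 10.99.0.1
case "${1:-}" in
    --print) reverse_zone_commands "$2" "$3" "$4" "$5" ;;
    --apply) reverse_zone_commands "$2" "$3" "$4" "$5" | sh -e ;;
esac
```

After applying, `host -t PTR 10.99.0.1` (with the resolver pointed at the DC as in section 6) should return the DC's FQDN; no restart of Samba or BIND is needed.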

8. Configuring Kerberos

In AD, Kerberos is used to authenticate users, computers and services.

During provisioning, Samba creates a Kerberos configuration file for you. Copy it over the operating system's Kerberos configuration file. For example:

# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

Do not create a symbolic link to the generated krb5.conf file. In Samba 4.7 and later, the /usr/local/samba/private/ directory is no longer accessible to users other than root. If the file were a symbolic link, other users could not read it; for example, if you use the BIND9_DLZ DNS backend, dynamic DNS updates would fail.

The Kerberos configuration uses the DNS service (SRV) resource records created during provisioning to locate the KDC.

9. Testing the Samba AD DC

To start the samba service manually:

# samba

Samba does not provide System V init scripts, systemd units, upstart jobs or other service configuration files.

If you installed Samba from a package, use the init script or service configuration file included in the package to start Samba.

If you built Samba from source, manage it with your own init script, systemd unit or upstart job.

9.1 Verifying the file server

List the shares provided by the DC:

$ smbclient -L localhost -U%
Domain=[SAMDOM] OS=[Unix] Server=[Samba x.y.z]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      
        sysvol          Disk      
        IPC$            IPC       IPC Service (Samba x.y.z)
Domain=[SAMDOM] OS=[Unix] Server=[Samba x.y.z]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

The netlogon and sysvol shares were auto-created during the provisioning and must exist on a DC.

To verify authentication, connect to the netlogon share using the domain administrator account:

$ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password: 
Domain=[SAMDOM] OS=[Unix] Server=[Samba x.y.z]
 .                                   D        0  Tue Nov  1 08:40:00 2016
 ..                                  D        0  Tue Nov  1 08:40:00 2016

               49386 blocks of size 524288. 42093 blocks available

9.2 Verifying DNS

To verify that your AD DNS configuration works correctly, query some DNS records:

The tcp-based _ldap SRV record of the domain:

$ host -t SRV _ldap._tcp.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.

The udp-based _kerberos SRV record of the domain:

$ host -t SRV _kerberos._udp.samdom.example.com.
_kerberos._udp.samdom.example.com has SRV record 0 100 88 dc1.samdom.example.com.

The A record of the domain controller:

$ host -t A dc1.samdom.example.com.
dc1.samdom.example.com has address 10.99.0.1

9.3 Verifying Kerberos

Request a Kerberos ticket for the domain administrator account:

$ kinit administrator
Password for administrator@SAMDOM.EXAMPLE.COM:

If the principal passed to kinit is not in user@REALM format, kinit automatically appends the default Kerberos realm from /etc/krb5.conf.
The Kerberos realm is always written in uppercase.

List the Kerberos ticket cache:

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
01.11.2016 08:45:00  01.11.2016 18:45:00  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
    renew until 02.11.2016 08:44:59
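Sections 9.1 to 9.3 are the checks you repeat after every restart or upgrade, so they are worth scripting. As an added example (not from the article or the Samba project), the following script wraps them: each parser takes the command output as an argument so it can be exercised on captured text, and verify_dc runs the live commands against the DC. The values dc1.samdom.example.com, 10.99.0.1 and SAMDOM.EXAMPLE.COM are the article's; the sample outputs used for testing are copied from the listings above.

```shell
#!/bin/sh
# Post-provisioning checks for sections 9.1 to 9.3: shares, SRV records and the
# Kerberos ticket cache. Added example, not Samba project code. The parsers take
# command output as an argument so they can be exercised on captured text; the
# assumed example values are dc1.samdom.example.com / SAMDOM.EXAMPLE.COM.

# netlogon and sysvol must be listed as Disk shares in `smbclient -L` output.
shares_ok() {
    printf '%s\n' "$1" | awk '
        $2 == "Disk" { share[tolower($1)] = 1 }
        END { if (share["netlogon"] && share["sysvol"]) exit 0; exit 1 }'
}

# `host -t SRV` output must contain a record whose port and target match the DC.
# Arguments: host output, expected port, expected DC FQDN.
srv_ok() {
    printf '%s\n' "$1" | awk -v port="$2" -v dc="$3" '
        /has SRV record/ {
            target = $NF; sub(/\.$/, "", target)      # strip trailing dot
            if ($(NF - 1) == port && tolower(target) == tolower(dc)) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# `host -t A` output must resolve the DC to the expected LAN address.
a_record_ok() {
    printf '%s\n' "$1" | grep -q "has address $2\$"
}

# klist output must hold a TGT for the realm (krbtgt/REALM@REALM).
tgt_ok() {
    printf '%s\n' "$1" | grep -q "krbtgt/$2@$2"
}

# Run all checks against the live DC. Usage: verify_dc <dc-fqdn> <dc-ip>
verify_dc() {
    fqdn=$1 ip=$2
    dns_domain=${fqdn#*.}
    realm=$(printf '%s' "$dns_domain" | tr '[:lower:]' '[:upper:]')
    rc=0
    shares_ok "$(smbclient -L localhost -U% 2>/dev/null)" \
        || { echo "FAIL: netlogon/sysvol not listed by smbclient"; rc=1; }
    srv_ok "$(host -t SRV "_ldap._tcp.$dns_domain.")" 389 "$fqdn" \
        || { echo "FAIL: no _ldap._tcp SRV record pointing at $fqdn:389"; rc=1; }
    srv_ok "$(host -t SRV "_kerberos._udp.$dns_domain.")" 88 "$fqdn" \
        || { echo "FAIL: no _kerberos._udp SRV record pointing at $fqdn:88"; rc=1; }
    a_record_ok "$(host -t A "$fqdn.")" "$ip" \
        || { echo "FAIL: $fqdn does not resolve to $ip"; rc=1; }
    tgt_ok "$(klist 2>/dev/null)" "$realm" \
        || { echo "FAIL: no TGT for $realm in the ticket cache (run: kinit administrator)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $fqdn serves shares, DNS and Kerberos for $realm"
    return "$rc"
}

# Run `kinit administrator` first, then:
#   sh verify-dc.sh --verify dc1.samdom.example.com 10.99.0.1
if [ "${1:-}" = "--verify" ]; then
    verify_dc "$2" "$3"
fi
```

A failing SRV check usually means the resolver on the DC does not point at the DC itself (section 6); a failing TGT check with a correct password usually means clock skew (section 9.4).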

9.4 Configuring time synchronization

Kerberos requires the clocks of all DCs and domain members to be synchronized; by default, authentication fails when the clock skew exceeds 5 minutes.

9.5 Using the domain controller as a file server

Although a Samba AD DC can provide file shares, as in all other installation modes, the Samba team does not recommend using a DC as a file server, because:

  In all but the smallest organisations, running more than one DC is a very good backup practice and makes upgrades safer.
  It encourages upgrading the DC, and with it the host operating system, every year or two, because there is no complex data to convert and no other services are involved.
  This means you can upgrade by installing a new DC and replicating the changes in, a process that is well tested in Samba; you gain access to new features and avoid the risk of damaging large amounts of lingering data.
  Organisations want to upgrade the DC and the file server at different points in time. New features on the DC and the file server are needed at different times: the AD DC is currently evolving rapidly to reach feature parity, whereas the file server is more conservative after 20 years of development.
  Mandatory SMB signing is enforced on a DC, with the corresponding performance cost for file transfers.

If you still want to use a Samba DC as a file server, consider running the DC in a VM and setting up a separate Samba Unix domain member for file sharing.

If a Samba DC must be used as a file server, be aware that the acl_xattr virtual file system (VFS) object is enabled automatically, which means shares can only be configured with Windows access control lists (ACLs). POSIX ACLs will not work on shares of a Samba DC.

For the full Samba network file sharing functionality, set up file sharing on a Samba domain member.

If you only have a small network (small office, home network) and do not want to follow the Samba team's recommendation and also use the DC as a file server, configure winbindd before you set up shares.

If you do use an AD DC as a file server, do not add any "idmap config" lines as used on Unix domain members. They do not work on a DC and cause problems.
If you do use an AD DC as a file server, set permissions from Windows; do not try to use any of the old methods (force user, etc.). They do not work properly and can cause problems.
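The two rules above are the kind of thing that creeps back into smb.conf when a share configuration is copied from a domain member. As an added example (not from the article or the Samba project), the following script audits an smb.conf meant for a DC and flags "idmap config" lines, force user / force group, and any "server signing" value that weakens the mandatory signing a DC enforces. The two embedded smb.conf samples are constructed for the example; the share path /srv/samba/data is an assumption.

```shell
#!/bin/sh
# Audit an smb.conf intended for a Samba AD DC that also serves files, flagging
# settings this section warns against: "idmap config" lines, the old force user /
# force group method of setting permissions, and weakened SMB signing. Added
# example, not Samba project code; the sample smb.conf contents below are constructed.

# Print one finding per offending setting and return 1 if there are any.
# Argument: smb.conf content.
audit_dc_smbconf() {
    printf '%s\n' "$1" | awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        { line = $0; sub(/[;#].*/, "", line) }            # drop comments
        line ~ /^[ \t]*\[/ { section = trim(line); next }  # [global], [share]
        index(line, "=") == 0 { next }
        {
            key = tolower(trim(substr(line, 1, index(line, "=") - 1)))
            val = tolower(trim(substr(line, index(line, "=") + 1)))
            gsub(/[ \t]+/, " ", key)
            if (key ~ /^idmap config /) {
                printf "%s: \"%s\" is ignored on a DC and causes problems; remove it\n", section, key; bad++
            } else if (key == "force user" || key == "force group") {
                printf "%s: \"%s\" does not work on a DC; set permissions from Windows instead\n", section, key; bad++
            } else if (key == "server signing" && val !~ /^(mandatory|required|default)$/) {
                printf "%s: \"server signing = %s\" weakens the mandatory signing a DC must enforce\n", section, val; bad++
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample: a DC smb.conf with every mistake the section describes.
SAMPLE_BAD='[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    server signing = auto
    idmap config * : backend = tdb

[data]
    path = /srv/samba/data
    force user = root
    read only = no'

# The same share without the offending lines; permissions are then managed with
# Windows ACLs through the acl_xattr VFS object that a DC enables automatically.
SAMPLE_OK='[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller

[data]
    path = /srv/samba/data
    read only = no'

# Usage: sh audit-smbconf.sh /usr/local/samba/etc/samba/smb.conf
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    audit_dc_smbconf "$(cat "$1")"
fi
```

Run it against the path printed by `smbd -b | grep CONFIGFILE`; a non-zero exit with no output means the file could not be read, otherwise each line names the section and setting to remove.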

 

References:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Origin www.cnblogs.com/zyxnhr/p/10981108.html