Samba 4 AD Domain with Ubuntu 12.04

Building a Samba 4 Active Directory Domain

In this article, I will outline the configuration of a small Active Directory domain using Samba 4.

The Ubuntu version used is 12.04. I assume that you have modest knowledge of how to configure Ubuntu on the command line, i.e. I will not explain every single step in detail.

Network parameters we will use are:

Network name: demo.local
IP range: 192.168.99.0/24

Base System and Samba 4

Step 1: Install a Ubuntu 12.04 System
Step 2: Configure the Network to use a static address. Edit /etc/network/interfaces:

auto lo eth0
iface lo inet loopback

iface eth0 inet static
address 192.168.99.200
netmask 255.255.255.0
gateway 192.168.99.254
dns-nameservers 192.168.99.200 192.168.99.254
dns-search demo.local

Step 3: Add the basic host entries to resolve without DNS

Edit /etc/hosts and insert:

127.0.0.1       localhost
192.168.99.200  vupapsam401 vupapsam401.demo.local

Step 4: Install the Samba 4 Packages

apt-get install samba4

The installation will throw an error in the package's post-installation step and dpkg will leave the package in the half-configured state. As the error is not relevant to us, we fix the package by manually marking it as installed. This is a hack that edits dpkg's own database, so back the file up first:

  1. Edit /var/lib/dpkg/status and search for "Package: samba4"
  2. In that stanza, replace "half-configured" with "installed" on the Status line

Now we are going to build the Active Directory domain. provision writes a fresh smb.conf, so remove the one the package installed first:

rm /etc/samba/smb.conf
/usr/share/samba/setup/provision --realm=demo.local --domain=DEMO --adminpass='Test123' --server-role=dc

Use a strong administrator password of your own here rather than the placeholder, and keep in mind that a password passed on the command line ends up in your shell history.

This sets up everything needed to run a domain (LDAP directory, Kerberos KDC, DNS zone data, ...).

Next step is to start Samba:

initctl start samba4

Step 5: Testing out our installation

apt-get install samba4-clients
smbclient -L localhost -U%

The last command should list the shares the server currently defines and serves. The output should look something like:

Sharename       Type       Comment
---------       ----       -------
netlogon        Disk
sysvol          Disk
IPC$            IPC        IPC Service

Bind Name Server

We also need a name service in our network to resolve hosts and services. Active Directory uses DNS (mainly SRV records) to discover its services such as domain controllers, LDAP and Kerberos, so here we go:

Step 1: Install Bind

apt-get install bind9

Step 2: Configure Bind

Now you need to edit the Bind configuration to pull in the zone configuration that Samba generated during provisioning; Active Directory relies heavily on special DNS entries to find the various services on the network.

Edit /etc/bind/named.conf and append the following line at the end (the trailing semicolon is required, Bind will refuse to load the configuration without it):

include "/var/lib/samba/private/named.conf";

Step 3: Adapt the AppArmor configuration

As Ubuntu confines its services with AppArmor, we need to make sure that Bind is allowed to access the files provided by Samba.

Edit /etc/apparmor.d/usr.sbin.named and add the following entries inside the profile, before its closing brace (the library paths are those of 64-bit Ubuntu; on a 32-bit system the multiarch directory is /usr/lib/i386-linux-gnu instead):

/var/lib/samba/private/** rkw,
/var/lib/samba/private/dns/** rkw,
/usr/lib/x86_64-linux-gnu/samba/bind9/** rm,
/usr/lib/x86_64-linux-gnu/samba/gensec/** rm,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
/usr/lib/x86_64-linux-gnu/samba/ldb/** rm,

Now reload the configuration to take effect:

/etc/init.d/apparmor reload

Step 4: Start and test Bind

Run the following command to start Bind:

/etc/init.d/bind9 start

To make sure that everything worked as expected, run the following commands and check their output. Each of them should return a record:

host -t SRV _ldap._tcp.demo.local.
host -t SRV _kerberos._tcp.demo.local.
host -t A vupapsam401.demo.local.

The output should look something like:

_ldap._tcp.demo.local has SRV record 0 100 389 vupapsam401.demo.local.
_kerberos._tcp.demo.local has SRV record 0 100 88 vupapsam401.demo.local.
vupapsam401.demo.local has address 192.168.99.200

Step 5: Allow dynamic DNS updates

We want our clients to be able to update their DNS entries automatically (Windows domain members register their own A records through Kerberos-authenticated GSS-TSIG updates). Add the following directive to the options section of the Bind configuration (on Ubuntu that is /etc/bind/named.conf.options, which /etc/bind/named.conf includes). It is an options statement, so Bind will not accept it as a bare line at the end of named.conf:

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

Step 6: Configure Bind as a Forwarder

If you have another DNS server on your network (such as a SOHO router) that resolves external names like www.google.com, you need to configure Bind to forward queries for such names to it.

First, make Bind listen on IPv4 only by editing /etc/default/bind9 and replacing the existing OPTIONS line with:

OPTIONS="-4 -u bind"

Now add the following directives to the options section of the Bind configuration (/etc/bind/named.conf.options on Ubuntu):

allow-query { any; };
allow-recursion { any; };
forwarders { 192.168.99.254; };
dnssec-validation no;

Be aware that allow-recursion { any; } turns the DC into an open resolver for every host that can reach it on port 53. Unless the server is unreachable from outside your LAN, restrict both allow-query and allow-recursion to your own address range (192.168.99.0/24) and localhost. dnssec-validation no also means Bind will not check DNSSEC signatures on the answers it forwards.
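The options section with the two open-resolver settings corrected, as an added example (this is not the article's configuration). It assumes the LAN range and forwarder address used throughout the article, and that /etc/bind/named.conf includes /etc/bind/named.conf.options as the Ubuntu package ships it; the localhost entries and forward only are additions of this example.

```conf
// /etc/bind/named.conf.options (added example, not the article's file).
// /etc/bind/named.conf pulls this in and should also carry the Samba include,
// with its trailing semicolon:
//     include "/var/lib/samba/private/named.conf";
options {
        directory "/var/cache/bind";

        // As written in the article, these two lines make the DC answer and
        // recurse for anyone who can reach port 53:
        //     allow-query     { any; };
        //     allow-recursion { any; };
        // Limit both to the LAN (192.168.99.0/24) and the DC itself instead.
        allow-query     { 192.168.99.0/24; localhost; };
        allow-recursion { 192.168.99.0/24; localhost; };

        // Hand everything we are not authoritative for to the border router
        // and never try to resolve it ourselves (forward only is an addition).
        forwarders { 192.168.99.254; };
        forward only;

        // Disabled as the article advises; forwarded answers are not validated.
        dnssec-validation no;

        // GSS-TSIG dynamic updates from domain members. This is an options
        // statement, so it lives here rather than at the end of named.conf.
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
```

Run named-checkconf before restarting Bind to catch syntax errors such as a missing semicolon, and confirm from a host outside 192.168.99.0/24 that a recursive query for an external name is now refused.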

Kerberos

Step 1: Install the Kerberos Utilities

apt-get install krb5-user

When asked for the default realm, enter DEMO.LOCAL (Kerberos realm names are case-sensitive and Samba provisioned the realm in upper case), and vupapsam401.demo.local as the Kerberos server and administrative server for the realm. Alternatively, copy the minimal /var/lib/samba/private/krb5.conf that provision generated to /etc/krb5.conf. Test whether Kerberos works by executing:

kinit administrator@DEMO.LOCAL

The realm part needs to be written in UPPERCASE letters. The command asks for the administrator password chosen during provisioning. If it succeeds, run the following command to check that we have obtained a ticket-granting ticket and to see its encryption type:

klist -e
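The client configuration the kinit test relies on, written out as an added example (not the article's file and not what the krb5-user installer writes verbatim). It assumes the realm, DNS domain and host name used in the article; with dns_lookup_kdc enabled, the KDC is found through the _kerberos._tcp.demo.local SRV record tested in the Bind section, and the [realms] entry is only a fallback.

```conf
# /etc/krb5.conf (added example). Samba's provision writes a shorter file with
# only the [libdefaults] part to /var/lib/samba/private/krb5.conf.
[libdefaults]
    # Realm names are case-sensitive; the realm was provisioned as DEMO.LOCAL.
    default_realm = DEMO.LOCAL
    # Locate the KDC through the _kerberos._tcp.demo.local SRV record served by
    # Bind instead of hard-coding it.
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    # Static fallback for when DNS is not yet working (assumed from the article's host name).
    DEMO.LOCAL = {
        kdc = vupapsam401.demo.local
        admin_server = vupapsam401.demo.local
    }

[domain_realm]
    # Map host names in the DNS domain to the realm.
    .demo.local = DEMO.LOCAL
    demo.local = DEMO.LOCAL
```

A lower-case default_realm is the usual reason a plain "kinit administrator" fails while "kinit administrator@DEMO.LOCAL" works.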

Network Time Protocol

As the DC serves time to its domain members, and Kerberos rejects tickets from clients whose clocks differ from the KDC by more than the default five minutes of allowed skew, we want to make sure that our host has the correct time. We do so by installing and configuring NTP to retrieve the time from internet time servers.

Step 1: Install NTP

apt-get install ntp

Step 2: Configure NTP

Edit /etc/ntp.conf and replace the 'server' lines with the NTP time server of your choice. I used my border gateway as it provides NTP:

server vupapgate01.demo.local

Now set the clock once. ntpdate cannot bind port 123 while ntpd is running, so stop it first; -b steps the clock instead of slewing it, so even a large offset is corrected immediately (with -B the clock would be slewed, which can take a very long time for a large offset):

service ntp stop
ntpdate -b vupapgate01.demo.local
service ntp start

Check if everything works with:

ntpq -p

Other configuration items and Troubleshooting

ACL Support

To make sure that your operating system supports extended attributes (Samba uses them to store Windows permissions) do the following:

apt-get install attr

Test whether your filesystem supports them (most should). Run this as root on the filesystem that will hold your shares, since the security.* namespace is only writable by privileged processes:

touch test.txt
setfattr -n user.test -v test test.txt        # user namespace
setfattr -n security.test -v test2 test.txt   # security namespace, needs root
getfattr -d test.txt                          # dumps the user.* attributes
getfattr -n security.test test.txt            # reads the security.* attribute explicitly
getfattr -d -m - test.txt                     # dumps attributes from every namespace
rm test.txt

If the user.test step fails, the filesystem is most likely mounted without the user_xattr option.

DNS Server delivery via DHCP

You want to make sure that your DHCP Server sets your Samba server as the one and only DNS Server for your clients

Joining the Domain

Make sure that you use uppercase letters, like ‘DEMO.LOCAL’ as the domain name

Testing the AD

Run ‘dsa.msc’ on your Windows client (after you installed the Windows Remote Server Administration Tools)

If something does not work as expected (e.g. the domain is reported as not available), first make sure that DNS resolution works correctly; a broken DNS setup is the most common cause at this stage.

Creating shares

To create a share you need to perform the following actions:

mkdir -p /data/global
chmod 777 /data/global

Note that mode 777 makes the directory writable for every local account on the server, not only domain users; for anything beyond a test setup give the directory a group owner and a mode like 2770 instead.

Then add a share entry to /etc/samba/smb.conf. The share cannot be named "global": [global] is Samba's reserved configuration section, so the settings would end up there instead of defining a share. Use another name such as [data]:

[data]
comment = Global share for all users
path = /data/global
read only = No

Restart samba:

initctl restart samba4

Adding users

When adding new users, set their home directory to

\\vupapsam401\users\

The directory will be created automatically. This requires a share named users, defined in /etc/samba/smb.conf in the same way as the share above.

Adding new DNS entries

Use the DNS Snap-In in the Management Console

Error while copying

If you copy files from a Windows system to Samba and get an error like 'Not enough memory', this may be caused by NTFS alternate data streams (hidden metadata) attached to the files. You can remove them with the Sysinternals tool 'streams', available at:

http://technet.microsoft.com/de-de/sysinternals/bb897440

and executing the following command (-s recurses into subdirectories, -d deletes the streams):

streams -s -d C:\data

Permission problems

If users cannot access files created by other users (even though the permissions look correct), the cause is usually Samba's default create mask, which gives new files mode 0744 so that only the owner may write them. Append the following in /etc/samba/smb.conf (in the share section):

directory mask = 0777
create mask = 0777

These masks make every new file and directory world-writable at the filesystem level. If the share directory is group-owned by the domain users and has the setgid bit set (mode 2770), create mask = 0660 and directory mask = 0770 solve the same problem while keeping other local accounts out.

and restart samba:

service samba4 restart
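A share definition that avoids both pitfalls from the "Creating shares" and "Permission problems" sections (the reserved [global] name and the world-writable 0777 masks), as an added example; it is not the article's configuration. It assumes that the domain group is reachable as DEMO\Domain Users through the DC's built-in winbind, that /data/global has been given that group as owner and mode 2770 (chgrp and chmod, so the kernel propagates the group and the setgid bit to new subdirectories), and that the users share referenced under "Adding users" lives at the assumed path /data/users.

```conf
; /etc/samba/smb.conf share sections (added example, not the article's file).
; [global] is Samba's reserved settings section, so the share is called [data].
[data]
    comment = Shared data for all domain users
    path = /data/global
    read only = no
    ; Only domain members get in, instead of relying on a 0777 directory.
    ; Assumption: the group resolves as DEMO\Domain Users on the DC.
    valid users = @"DEMO\Domain Users"
    ; New files are group-writable (0660) and new directories group-accessible
    ; (0770); the setgid bit on /data/global makes the kernel keep the group on
    ; everything created below it, so files from one user stay usable by the others.
    create mask = 0660
    directory mask = 0770

; Backs the \\vupapsam401\users\ home-directory path; /data/users is an assumed location
; and needs the same group owner and 2770 mode as /data/global.
[users]
    comment = Home directories
    path = /data/users
    read only = no
    valid users = @"DEMO\Domain Users"
    create mask = 0660
    directory mask = 0770
```

Check the result with testparm before restarting Samba; it reports the share names it parsed, so a share swallowed by [global] shows up immediately as missing.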