I love to mess around with Linux in my home lab and I like to check out the state of Samba from time to time. I originally wrote this article for Ubuntu 14.04 and it has been one of the most popular posts on this blog, so I have updated it and fixed a few things that have changed over the years. There is a screencast that accompanied the original post on YouTube outlining the process for 14.04. Largely the process is the same except for a few more dependencies(see the apt-get sections) and I cleaned up the testing with smbclient. I chose Ubuntu because they have pretty recent packages of Samba, more info about binary packages for different Distributions on the Samba Wiki. If you are following this as a guide, I’m assuming that you have already installed Ubuntu 16.04. If you do watch the screencast for 14.04, it is best viewed in HD!
This is the setup:
This is just a reference as some of these will be unique to your setup.
AD DC Hostname: DC1 AD DNS Domain Name: shaver.net Kerberos Realm: shaver.net NT4 Domain Name/NetBIOS Name: shaver IP Address: 192.168.0.200 Server Role: Domain Controller (DC) Forwarder DNS Server: 192.168.0.1
First make sure everything is up to date and install some pre-requisites. You may want to reboot if your kernel updates.
#get fresh sources $sudo apt-get update #get fresh updates $sudo apt-get upgrade #install samba pre-reqs $sudo apt-get install attr build-essential libacl1-dev libattr1-dev \ libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \ python-dnspython gdb pkg-config libpopt-dev libldap2-dev \ dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl ntp ntpdate winbind
During the installation of Kerberos, it may ask you what your Kerberos realm as well as the name of this server. This is our Kerberos Realm and AD DC Hostname from above:
Realm=SHAVER.NET Server=DC1.SHAVER.NET
Setting a static IP
It is important for our server to have a static IP, mostly because DNS is so important to the configuration of Samba
$sudo nano /etc/network/interfaces
# #/etc/network/interfaces # #and change: iface eth0 inet dhcp #to: #this will depend on your network setup, 192.168.0.200 is the IP of the box that Samba will be on. iface eth0 inet static address 192.168.0.200 netmask 255.255.255.0 gateway 192.168.0.1 #currently we want this server and our upstream DNS dns-nameservers 192.168.0.200 192.168.0.1 #this should be set to what you want your samba domain to be dns-search shaver.net
Setting your hostname:
$sudo nano /etc/hostname
Put in the name that you want your domain controller to be named:
# #/etc/hostname # dc1
Setting file system parameters:
Because samba makes use of some extended filesystem attributes that EXT3/4 don’t normally support we have to set them in fstab. Not that the packages acl and attr are required for this to work.
$sudo nano /etc/fstab
# #/etc/fstab # #this is an example of a partition where our Samba shares will live. UUID=xyzxyzxy-xyzx-xyzx-xyzx-xyzxyzxyzxyzxy / ext4 errors=remount-ro 0 1 #Add a few parameters: UUID=xyzxyzxy-xyzx-xyzx-xyzx-xyzxyzxyzxyzxy / ext4 user_xattr,acl,barrier=1,errors=remount-ro 0 1
We need to reboot for the changes to take effect.
#do a reboot sudo shutdown -r 0
Setting hosts file:
We need to be certain that dc1 always resolves to localhost.
$sudo nano /etc/hosts
# #/etc/hosts # #change: 127.0.1.1 shaver.net shaver #to whatever your FQDN is going to be for your server: 127.0.1.1 dc1.shaver.net dc1
Setting NTP:
Network Time Protocol is the system that manages what time it is on your system, and it is important that our time is accurate for the proper functioning of Kerberos.
# #Configuring ntp # #stop the ntp service $sudo service ntp stop #sync ntp $sudo ntpdate -B 0.ubuntu.pool.ntp.org #start the ntp service $sudo service ntp start
Setting up Samba
This is where we actually install Samba. The default smb.conf file needs to be moved elsewhere so that Samba doesn’t try to use it. It will generate its own during the provisioning process. I like to run samba-tool in interactive mode because it gives you suggestions, though if you prefer you can specify all of the parameters in one command.
# #Installing samba # $sudo apt-get install samba smbclient
# #Provisioning Samba # #move the old smb.conf to a safe place: $sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig #provision samba in interactive mode: $sudo samba-tool domain provision --use-rfc2307 --interactive DOMAIN:SHAVER Server Role:dc DNS backend:SAMBA_INTERNAL #note: this should be the upstream DNS server DNS forwarder IP address: 192.168.0.1 Administrator password: Something!S3cure!
Removing Upstream DNS:
We now want to remove the upstream DNS server from our network config, so that when resolv.conf is generated at boot it only points dns at ourselves. We do this because Samba is now managing
DNS and forwarding any external requests to the upstream DNS server.
$sudo nano /etc/network/interfaces
# #/etc/network/interfaces # #Remove the upstream DNS server as Samba is now handling it #192.168.0.200 is the address of the samba server dns-nameservers 192.168.0.200 192.168.0.1 #becomes dns-nameservers 192.168.0.200
$sudo shutdown -r 0
Testing DNS:
It is very important that DNS is working well for Samba to function correctly, therefore we should test it to make sure that it is working correctly. These three tests ensure A records are resolving and that Kerberos and LDAP SRV records are resolving to the proper server(s). The results should include the server that you are on.
#test SRV record for ldap on TCP $ host -t SRV _ldap._tcp.shaver.net _ldap._tcp.shaver.net has SRV record 0 100 389 dc1.shaver.net. #test SRV record for kerberos on UDP $ host -t SRV _kerberos._udp.shaver.net _kerberos._udp.shaver.net has SRV record 0 100 88 dc1.shaver.net #test name resolution of our host $ host -t A dc1.shaver.net dc1.shaver.net has address 192.168.0.200
Setting up Kerberos
Samba generated us a Kerberos config file, but Kerberos also comes with a default configuration file that we need to move before using the Samba one. We use a symbolic link so that if samba does any updates to the config file we don’t have to do this again.
# #Setting up kerberos # #move original kerberos file to a safe place $sudo mv /etc/krb5.conf /etc/krb5.conf.orig #link the samba created kerberos file to it's config location $sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
Testing Kerberos and authentication:
We want to make sure that Kerberos is actually handing out tickets(authentication tokens) and that we can actually authenticate using these tokens.
# #Test kerberos and smbclient # $kinit administrator@SHAVER.NET #enter the password that you created with samba $klist #you should see valid krbtgt ticket #now we try to connect to the server we are on using smbclient $sudo smbclient -L dc1.shaver.net -U 'administrator' # you should see netlogon and sysvol listed #test authentication with smblient $sudo smbclient //localhost/netlogon -U 'administrator'
Great article. Once this is complete, should i be able to log into dc1 with user “administrator”? I can’t – it says invalid username or password, even though everything else in the tutorial and tests works fine.
You should not. You will however be able to join windows machines to the domain and be able to auth to those machines as “administrator”.
Thanks for the response – what are the steps to enable this? Looking at other tutorials on how to enable domain login are for systems which aren’t acting as a domain controller, and specify changes to smb.conf which are in conflict with those that the domain controller requires. Simply installing winbind and adding winbind to nss.conf doesn’t work… so something I’m missing.
Alternatively – is this never supposed to work, either out of best practices or other reasons?
Not sure. Please feel free to share anything you come across in your research.
After a lot of trouble, I was able to get AD users to be able to log into the domain controller. In the end I needed to make sure there was a keytab file present:
sudo kinit administrator
sudo klist
sudo net ads keytab create -k
install SSSD, and add this line to sssd.conf
ldap_id_mapping = True
https://www.centos.org/forums/viewtopic.php?t=55233
Hope this helps someone else!
You installed several dev libraries by default, but I don’t see where they are being used or required. For instance, I’m trying to resist having `gcc` and friends installed on the server if I can help it (security paranoia). Are they needed in a way that the `apt`-based dependencies do not reflect? (Similarly for `docbook-xsl`.)
Yup. I invite you to test what is actually required and share your research.
I’m having a hard time getting past `kinit: KDC reply did not match expectations while getting initial credentials` (both without and with the additional dev libraries), so I can’t exactly say much else yet.
Currently I’m getting `RuntimeError: kinit for DC1$@SAMDOM.MYDOMAIN.COM failed (Cannot contact any KDC for requested realm)` in syslog, as well as `../source4/dsdb/dns/dns_update.c:294: Failed DNS update – NT_STATUS_ACCESS_DENIED`, I suppose they are directly related.
I’m trying to see if apparmor is affecting things. There do not appear to be any samba-related apparmor configurations, so perhaps that’s a problem. Learning.
Are you authenticating with the built-in “Administrator” account?
Yes, `kinit Administrator@SAMDOM.MYDOMAIN.COM`. Sorry, should have included that in the last comment. BTW, the `smbclient` commands both work, it’s just the kerberos side that is problematic.
Check your krb5.conf file and make sure the realm is correct and in all caps.
Thanks Jim, I keep forgetting kerberos is case-sensitive. It wasn’t the file, it was my command-line. Thanks, I’ll keep moving.
I have followed your instruction up to “testing DNS” several times now starting with a fresh install using the complete hard drive, Ubuntu Server 16.04 CD then doing apt-get upgrade, unfortunately all I get is:
;; connection timed out; no servers could be reached
any ideas on what is going wrong?
Acer Aspire laptop, 500Gb HD, 8Gb ram
Thanks,
Anthony
I would check that the DNS server in your /etc/samba/smb.conf is the real upstream dns server that you want it to be. Restart samba.
Upstream dns server was correct.
Does the ‘host’ test depend on the upstream server?
Noticed apt-get update no longer works.
So is it my local DNS that is not working (host test) and not passing requests on for apt-get?
Thank you for the tutorial 🙂 Would you happen to have instructions on how to setup a backup domain controller? I would love to set this up for the non-profit I’m helping out, but I need to make sure the AD accounts are backed up for when the primary domain controller goes down. The guides I’ve found use the standard smbpasswd not kerberos (https://help.ubuntu.com/lts/serverguide/samba-dc.html) 🙁 so I’m not sure how to sync the primary with the backup. Anyway, just thought I’d ask 🙂
Actually that is Samba 3 compatible with NT4 style DCs. Take a look at https://www.samba.org/samba/docs/man/manpages/samba-tool.8.html where you will set up a server using “samba-tool domain join” in a similar way to how you ran “samba-tool domain provision”.
So, just so I’m clear – should I set up two domain controllers, as per your instructions above, and then run the “samba-tool domain join” on one of them? I apologize if my questions seem a bit amateur, but this is more of a hobby for me rather than a profession O:-)
No you use the one command to join instead of provision. If you provision on the second server you will have two different domains. If you join you will have two AD DCs in the same domain(you want this).
Hi Jim,
thanks for your tutorial. AD is now successfully set up on two domains for me. However, when I try to create additional users from within AD (using RSAT on Win10) I receive an error from Active Directory Domain Services: “Windows cannot create the object username because: Not enough storage is available to complete this operation.”
Microsoft suggested a fix at https://support.microsoft.com/en-au/kb/935744 however, this has not worked. Any thoughts?
David
Not sure. Do all the mounted partitions have enough space?
I bypassed the problem by using the samba-tool to create my new users and manage the groups. eg sudo samba-tool user add username1 password1.
Windows 10 RSAT and SAMBA do not work at the moment.
O contrair
I setup Ubuntu 16.04 LTS with the samba i believe the current disto’s version is samba 4.3.8 and I am using the RSAT tools on Windows 10 and window 7
works fine for DNS Administration and User Administration, haven’t checked others yet
This is one fine piece of work, Sir!
I wandered fruitlessly, all over the internet, site after site, all claiming to do what this posting has finally let me accomplish! For a while, I thought that I might need to “go back” to 14.04 just so that I could join my AD domain with my Ubuntu-based server PC’s!
I have been running Xubuntu 16.04 LTS for quite a while, and really like 16.04’s stability, so even though I HAVE run Ubuntu 14.04, I still don’t relish going backwards just for this single requirement!
Bless you, and thank you very much for your contnued diligence in this so important but all-to-often quite badly handled proceedure! You took a fairly lengthy and quite complex process and broke it down into small, easy to manage bits, which I found very easy to follow…
One quick question, if I may (and pardon my ignorance if this seems trivial to you) – In your reply to Riccardo’s post, you mention both PROVISION and JOIN; my question is: do you simply follow these SAME INSTRUCTIONS, verbatim, until the point where you run samba-tool, at which point you swap out the word “provision” and replace that with the word “join” instead? Or, is the process of setting up another DC to “join” the domain slightly different? Because if the different result is simply based on a single word, that is remarkably handy!
Thanks again, and do keep up the great work!
Um well both “provision” and “join” create Active Directory domain controllers. If you want to be able to authenticate(or login), on a linux box, against an AD DC(whether it is windows or linux) then you should look at https://www.powerbrokeropen.org/. Used to be called Likewise.
I LOVE this article, and have had success multiple times in rolling out an ADDC with Ubuntu 16.04! I tried following your 14.04 with 16.04, and found the issues personally, so I am grateful you brought this version up to date. I do have one question, what are the differences between using BIND9 and SAMBA_INTERNAL as the DNS backend? What if I have a DHCP and DNS setup already managed, and just want to plug this into it? Would I still use SAMBA_INTERNAL and point it towards the managed DNS? I also might have to use this due to our multi-site situation.
Yeah one of the most annoying things about this setup is the inflexibility of this setup. In theory you can use BIND if you need the flexibility. According to what I have read on the Samba wiki, BIND needs to be running on the same box that Samba does. I’m not really sure why this is a requirement. In theory you should just be able to have whatever you want as the upstream server. You just wouldn’t be able to manage the DNS records configured by Samba.
Is there a way to set up a backup domain controller if this tutorial will setup the primary domain controller?
Hi Jim,
This is a fantastic article. Thanks. I have successfully set up an Active Directory Server.
One quick question though and apologies if you have mentioned it before, Do I perform the same steps to create a backup domain controller. DO you know any additional steps I might need to make to do this?
Your assistance and help is appreciated. Keep up the great work
It has been asked before. Search through the rest of the comments.
It hasn’t been answered though…. Please answer the question, I am really desperate. Thanks!
Great tutorial!
It hasn’t been answered though, please answer my question… I am really desperate… Thanks!
Sorry to be the freak that uses btrfs instead of ext4, but does everything work the same there?
I am not sure how btrfs handles the extended attributes and ACLs.
After some research, it appears btrfs is ready right out of the box.
HI. Thanks for the great article. I am installing samba 4 on Ubuntu 16.04. When I join win 10 pc to the domain, it fails saying it can’t find the ads. It carries out a search on ‘SRV record for _ldap._tcp.dc._msdcs.MYDOMAIN’.
When I search the dns from terminal on the server, it can not be found. It seems that the dns update is not working. Pl help me to understand.
Thnx
Very good article. You may add gateway 2 nics?
if yes how?
Thanks
I’m following your exact steps, but when I get to testing DNS nothing at all works:
(my domain is aev25.local)
$host -t SRV _ldap._tcp.aev25.local
Host _ldap._tcp.aev25.local not found: 3(NXDOMAIN)
$host -t SRV _kerberos._udp.aev25.local
Host _kerberos._udp.aev25.local not found: 3(NXDOMAIN)
$host -t A odin.aev25.local
Host odin.aev25.local not found: 3(NXDOMAIN)
Any ideas? It would be nice to include som hints for troubleshoting as well.
Frank did you ever find a solution to this, seems this is my problem as well.
I would like to know how to fix this issue as well i am stuck with dns and KDC issues
run: sudo netstat -tulpn | grep “:53”
check if named is using port 53, if so disable service and reboot
Thanks, looks like that solved that problem. Unfortunately now I get the following:
@dc1:host -t SRV _ldap._tcp.xxx.net
;; connection timed out; no servers could be reached
Everything seems to work, according to the steps in your article. However, I’m unable to join my Windows 10 client to the Samba domain.
Using the whole domain name – in my case, aev25.local – yields an immediate error.
Using just aev25 results in Windows working for several minutes, then giving the error that the domain controller either doesn’t exist or cannot be reached.
Hi
i have a problem with kerberos.
user@dc01:~$ kinit administrator@DUDU.LOCAL
kinit: Cannot contact any KDC for realm ‘DUDU.LOCAL’ while getting initial credentials
My /etc/kerb.conf
[libdefaults]
default_realm = DUDU.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
I also ran into this issue and found that I had to add some additional info tot he /etc/krb5.conf file:
From https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/winbind.html
[libdefaults]
…
default_realm = ADEXAMPLE.COM
[realms]
ADEXAMPLE.COM = {
kdc = kdc.adexample.com
}
[domain_realm]
adexample.com = ADEXAMPLE.COM
.adexample.com = ADEXAMPLE.COM
Hi I have a feeling my last attempt at making a comment got flagged as spam. But anyways I made a small java app following your algorythm. Check it out on github. https://sandervend.github.io/AddcBuilder/
Hi, thanks for the article, everything looks good until I get to the very end of the smbclient testing. I get NT_STATUS_OBJECT_NAME_NOT_FOUND. where could I have possibly done wrong? thank you.
Installing winbind solved the problem: https://ubuntuforums.org/showthread.php?t=2324439
last kerberos testing worked only with ‘-k’ parameter for me:
smbclient -k -L //localhost/netlogon -U administrator
Is this a error there
$sudo (ntpdate) -B 0.ubuntu.pool.ntp.org
I’m currently running to AD DC’s on Windows 2012 R2, I want to migrate these to this Ubuntu setup. Do I provision one server en join the other one? Any suggestion on how to migrate the Windows AD to the Ubuntu flawlessly?
Great article Jim!!! Thx a lot!
Everything seems to work fine so far. However I discovered an issue with dynamic DNS updates. Suddenly my registered host entries are lost (maybe the client does update them correctly). When I perform “samba_dnsupdate –verbose –all-names” command on the DC it seems to fail with ” TSIG error with server: tsig verify failure” for each entry. Could this be related to my DNS update issue? Or any other hints?
Thx 🙂