Setting up an Active Directory Domain Controller using Samba 4 on Ubuntu 16.04

I love to mess around with Linux in my home lab and I like to check out the state of Samba from time to time. I originally wrote this article for Ubuntu 14.04 and it has been one of the most popular posts on this blog, so I have updated it and fixed a few things that have changed over the years. There is a screencast that accompanied the original post on YouTube outlining the process for 14.04.  Largely the process is the same except for a few more dependencies(see the apt-get sections) and I cleaned up the testing with smbclient. I chose Ubuntu because they have pretty recent packages of Samba, more info about binary packages for different Distributions on the Samba Wiki. If you are following this as a guide, I’m assuming that you have already installed Ubuntu 16.04. If you do watch the screencast for 14.04, it is best viewed in HD!

This is the setup:

This is just a reference as some of these will be unique to your setup.

AD DC Hostname:                    DC1

AD DNS Domain Name:                shaver.net

Kerberos Realm:                    shaver.net

NT4 Domain Name/NetBIOS Name:      shaver

IP Address:                        192.168.0.200

Server Role:                       Domain Controller (DC)

Forwarder DNS Server:              192.168.0.1

First make sure everything is up to date and install some pre-requisites. You may want to reboot if your kernel updates.

#get fresh sources
$sudo apt-get update
#get fresh updates
$sudo apt-get upgrade
#install samba pre-reqs
$sudo apt-get install attr build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl ntp ntpdate winbind 

During the installation of Kerberos, it may ask you what your Kerberos realm as well as the name of this server. This is our Kerberos Realm and AD DC Hostname from above:

Realm=SHAVER.NET
Server=DC1.SHAVER.NET

Setting a static IP

It is important for our server to have a static IP, mostly because DNS is so important to the configuration of Samba

$sudo nano /etc/network/interfaces
#
#/etc/network/interfaces
#
#and change:
iface eth0 inet dhcp
#to:
#this will depend on your network setup, 192.168.0.200 is the IP of the box that Samba will be on.
iface eth0 inet static
address 192.168.0.200
netmask 255.255.255.0
gateway 192.168.0.1
#currently we want this server and our upstream DNS
dns-nameservers 192.168.0.200 192.168.0.1
#this should be set to what you want your samba domain to be
dns-search shaver.net

Setting your hostname:

$sudo nano /etc/hostname

Put in the name that you want your domain controller to be named:

#
#/etc/hostname
#
dc1

Setting file system parameters:

Because samba makes use of some extended filesystem attributes that EXT3/4 don’t normally support we have to set them in fstab. Not that the packages acl and attr are required for this to work.

$sudo nano /etc/fstab
#
#/etc/fstab
#
#this is an example of a partition where our Samba shares will live.
UUID=xyzxyzxy-xyzx-xyzx-xyzx-xyzxyzxyzxyzxy    /       ext4      errors=remount-ro     0     1
#Add a few parameters:
UUID=xyzxyzxy-xyzx-xyzx-xyzx-xyzxyzxyzxyzxy    /       ext4      user_xattr,acl,barrier=1,errors=remount-ro     0     1

We need to reboot for the changes to take effect.

#do a reboot
sudo shutdown -r 0

Setting hosts file:

We need to be certain that dc1 always resolves to localhost.

$sudo nano /etc/hosts
#
#/etc/hosts
#
#change:
127.0.1.1     shaver.net   shaver
#to whatever your FQDN is going to be for your server:
127.0.1.1     dc1.shaver.net    dc1

Setting NTP:

Network Time Protocol is the system that manages what time it is on your system, and it is important that our time is accurate for the proper functioning of Kerberos.

#
#Configuring ntp
#
#stop the ntp service
$sudo service ntp stop
#sync ntp
$sudo ntpdate -B 0.ubuntu.pool.ntp.org
#start the ntp service
$sudo service ntp start

Setting up Samba

This is where we actually install Samba. The default smb.conf file needs to be moved elsewhere so that Samba doesn’t try to use it. It will generate its own during the provisioning process. I like to run samba-tool in interactive mode because it gives you suggestions, though if you prefer you can specify all of the parameters in one command.

#
#Installing samba
#
$sudo apt-get install samba smbclient
#
#Provisioning Samba
#
#move the old smb.conf to a safe place:
$sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
#provision samba in interactive mode:
$sudo samba-tool domain provision --use-rfc2307 --interactive
DOMAIN:SHAVER
Server Role:dc
DNS backend:SAMBA_INTERNAL
#note: this should be the upstream DNS server
DNS forwarder IP address: 192.168.0.1
Administrator password: Something!S3cure!

Removing Upstream DNS:

We now want to remove the upstream DNS server from our network config, so that when resolv.conf is generated at boot it only points dns at ourselves. We do this because Samba is now managing
DNS and forwarding any external requests to the upstream DNS server.

$sudo nano /etc/network/interfaces
#
#/etc/network/interfaces
#
#Remove the upstream DNS server as Samba is now handling it
#192.168.0.200 is the address of the samba server
dns-nameservers 192.168.0.200 192.168.0.1
#becomes
dns-nameservers 192.168.0.200
$sudo shutdown -r 0

Testing DNS:

It is very important that DNS is working well for Samba to function correctly, therefore we should test it to make sure that it is working correctly. These three tests ensure A records are resolving and that Kerberos and LDAP SRV records are resolving to the proper server(s). The results should include the server that you are on.

#test SRV record for ldap on TCP
$ host -t SRV _ldap._tcp.shaver.net
_ldap._tcp.shaver.net has SRV record 0 100 389 dc1.shaver.net.
#test SRV record for kerberos on UDP
$ host -t SRV _kerberos._udp.shaver.net
_kerberos._udp.shaver.net has SRV record 0 100 88 dc1.shaver.net
#test name resolution of our host
$ host -t A dc1.shaver.net
dc1.shaver.net has address 192.168.0.200

Setting up Kerberos

Samba generated us a Kerberos config file, but Kerberos also comes with a default configuration file that we need to move before using the Samba one. We use a symbolic link so that if samba does any updates to the config file we don’t have to do this again.

#
#Setting up kerberos
#
#move original kerberos file to a safe place
$sudo mv /etc/krb5.conf /etc/krb5.conf.orig
#link the samba created kerberos file to it's config location
$sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

Testing Kerberos and authentication:

We want to make sure that Kerberos is actually handing out tickets(authentication tokens) and that we can actually authenticate using these tokens.

#
#Test kerberos and smbclient
#
$kinit administrator@SHAVER.NET
#enter the password that you created with samba
$klist
#you should see  valid krbtgt ticket
#now we try to connect to the server we are on using smbclient
$sudo smbclient -L dc1.shaver.net -U 'administrator' # you should see netlogon and sysvol listed
#test authentication with smblient
$sudo smbclient //localhost/netlogon -U 'administrator'

Photo Credit

43 thoughts on “Setting up an Active Directory Domain Controller using Samba 4 on Ubuntu 16.04

  1. Great article. Once this is complete, should i be able to log into dc1 with user “administrator”? I can’t – it says invalid username or password, even though everything else in the tutorial and tests works fine.

      1. Thanks for the response – what are the steps to enable this? Looking at other tutorials on how to enable domain login are for systems which aren’t acting as a domain controller, and specify changes to smb.conf which are in conflict with those that the domain controller requires. Simply installing winbind and adding winbind to nss.conf doesn’t work… so something I’m missing.

        Alternatively – is this never supposed to work, either out of best practices or other reasons?

  2. You installed several dev libraries by default, but I don’t see where they are being used or required. For instance, I’m trying to resist having `gcc` and friends installed on the server if I can help it (security paranoia). Are they needed in a way that the `apt`-based dependencies do not reflect? (Similarly for `docbook-xsl`.)

      1. I’m having a hard time getting past `kinit: KDC reply did not match expectations while getting initial credentials` (both without and with the additional dev libraries), so I can’t exactly say much else yet.

        Currently I’m getting `RuntimeError: kinit for DC1$@SAMDOM.MYDOMAIN.COM failed (Cannot contact any KDC for requested realm)` in syslog, as well as `../source4/dsdb/dns/dns_update.c:294: Failed DNS update – NT_STATUS_ACCESS_DENIED`, I suppose they are directly related.

        I’m trying to see if apparmor is affecting things. There do not appear to be any samba-related apparmor configurations, so perhaps that’s a problem. Learning.

  3. Thanks Jim, I keep forgetting kerberos is case-sensitive. It wasn’t the file, it was my command-line. Thanks, I’ll keep moving.

  4. I have followed your instruction up to “testing DNS” several times now starting with a fresh install using the complete hard drive, Ubuntu Server 16.04 CD then doing apt-get upgrade, unfortunately all I get is:

    ;; connection timed out; no servers could be reached

    any ideas on what is going wrong?

    Acer Aspire laptop, 500Gb HD, 8Gb ram

    Thanks,
    Anthony

  5. Upstream dns server was correct.
    Does the ‘host’ test depend on the upstream server?
    Noticed apt-get update no longer works.
    So is it my local DNS that is not working (host test) and not passing requests on for apt-get?

  6. Thank you for the tutorial 🙂 Would you happen to have instructions on how to setup a backup domain controller? I would love to set this up for the non-profit I’m helping out, but I need to make sure the AD accounts are backed up for when the primary domain controller goes down. The guides I’ve found use the standard smbpasswd not kerberos (https://help.ubuntu.com/lts/serverguide/samba-dc.html) 🙁 so I’m not sure how to sync the primary with the backup. Anyway, just thought I’d ask 🙂

      1. So, just so I’m clear – should I set up two domain controllers, as per your instructions above, and then run the “samba-tool domain join” on one of them? I apologize if my questions seem a bit amateur, but this is more of a hobby for me rather than a profession O:-)

        1. No you use the one command to join instead of provision. If you provision on the second server you will have two different domains. If you join you will have two AD DCs in the same domain(you want this).

  7. Hi Jim,

    thanks for your tutorial. AD is now successfully set up on two domains for me. However, when I try to create additional users from within AD (using RSAT on Win10) I receive an error from Active Directory Domain Services: “Windows cannot create the object username because: Not enough storage is available to complete this operation.”

    Microsoft suggested a fix at https://support.microsoft.com/en-au/kb/935744 however, this has not worked. Any thoughts?

    David

      1. I bypassed the problem by using the samba-tool to create my new users and manage the groups. eg sudo samba-tool user add username1 password1.

  8. This is one fine piece of work, Sir!

    I wandered fruitlessly, all over the internet, site after site, all claiming to do what this posting has finally let me accomplish! For a while, I thought that I might need to “go back” to 14.04 just so that I could join my AD domain with my Ubuntu-based server PC’s!

    I have been running Xubuntu 16.04 LTS for quite a while, and really like 16.04’s stability, so even though I HAVE run Ubuntu 14.04, I still don’t relish going backwards just for this single requirement!

    Bless you, and thank you very much for your contnued diligence in this so important but all-to-often quite badly handled proceedure! You took a fairly lengthy and quite complex process and broke it down into small, easy to manage bits, which I found very easy to follow…

    One quick question, if I may (and pardon my ignorance if this seems trivial to you) – In your reply to Riccardo’s post, you mention both PROVISION and JOIN; my question is: do you simply follow these SAME INSTRUCTIONS, verbatim, until the point where you run samba-tool, at which point you swap out the word “provision” and replace that with the word “join” instead? Or, is the process of setting up another DC to “join” the domain slightly different? Because if the different result is simply based on a single word, that is remarkably handy!

    Thanks again, and do keep up the great work!

  9. I LOVE this article, and have had success multiple times in rolling out an ADDC with Ubuntu 16.04! I tried following your 14.04 with 16.04, and found the issues personally, so I am grateful you brought this version up to date. I do have one question, what are the differences between using BIND9 and SAMBA_INTERNAL as the DNS backend? What if I have a DHCP and DNS setup already managed, and just want to plug this into it? Would I still use SAMBA_INTERNAL and point it towards the managed DNS? I also might have to use this due to our multi-site situation.

    1. Yeah one of the most annoying things about this setup is the inflexibility of this setup. In theory you can use BIND if you need the flexibility. According to what I have read on the Samba wiki, BIND needs to be running on the same box that Samba does. I’m not really sure why this is a requirement. In theory you should just be able to have whatever you want as the upstream server. You just wouldn’t be able to manage the DNS records configured by Samba.

  10. Hi Jim,

    This is a fantastic article. Thanks. I have successfully set up an Active Directory Server.

    One quick question though and apologies if you have mentioned it before, Do I perform the same steps to create a backup domain controller. DO you know any additional steps I might need to make to do this?

    Your assistance and help is appreciated. Keep up the great work

  11. HI. Thanks for the great article. I am installing samba 4 on Ubuntu 16.04. When I join win 10 pc to the domain, it fails saying it can’t find the ads. It carries out a search on ‘SRV record for _ldap._tcp.dc._msdcs.MYDOMAIN’.
    When I search the dns from terminal on the server, it can not be found. It seems that the dns update is not working. Pl help me to understand.
    Thnx

  12. I’m following your exact steps, but when I get to testing DNS nothing at all works:

    (my domain is aev25.local)

    $host -t SRV _ldap._tcp.aev25.local

    Host _ldap._tcp.aev25.local not found: 3(NXDOMAIN)

    $host -t SRV _kerberos._udp.aev25.local

    Host _kerberos._udp.aev25.local not found: 3(NXDOMAIN)

    $host -t A odin.aev25.local

    Host odin.aev25.local not found: 3(NXDOMAIN)

    Any ideas? It would be nice to include som hints for troubleshoting as well.

  13. Everything seems to work, according to the steps in your article. However, I’m unable to join my Windows 10 client to the Samba domain.

    Using the whole domain name – in my case, aev25.local – yields an immediate error.
    Using just aev25 results in Windows working for several minutes, then giving the error that the domain controller either doesn’t exist or cannot be reached.

  14. Hi, thanks for the article, everything looks good until I get to the very end of the smbclient testing. I get NT_STATUS_OBJECT_NAME_NOT_FOUND. where could I have possibly done wrong? thank you.

Leave a Reply