I love to mess around with Linux in my home lab and I like to check out the state of Samba from time to time. I originally wrote this article for Ubuntu 14.04 and it has been one of the most popular posts on this blog, so I have updated it and fixed a few things that have changed over the years. There is a screencast that accompanied the original post on YouTube outlining the process for 14.04. Largely the process is the same except for a few more dependencies(see the apt-get sections) and I cleaned up the testing with smbclient. I chose Ubuntu because they have pretty recent packages of Samba, more info about binary packages for different Distributions on the Samba Wiki. If you are following this as a guide, I’m assuming that you have already installed Ubuntu 16.04. If you do watch the screencast for 14.04, it is best viewed in HD!
This is the setup:
This is just a reference as some of these will be unique to your setup.
AD DC Hostname: DC1 AD DNS Domain Name: shaver.net Kerberos Realm: shaver.net NT4 Domain Name/NetBIOS Name: shaver IP Address: 192.168.0.200 Server Role: Domain Controller (DC) Forwarder DNS Server: 192.168.0.1
First make sure everything is up to date and install some pre-requisites. You may want to reboot if your kernel updates.
#get fresh sources $sudo apt-get update #get fresh updates $sudo apt-get upgrade #install samba pre-reqs $sudo apt-get install attr build-essential libacl1-dev libattr1-dev \ libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \ python-dnspython gdb pkg-config libpopt-dev libldap2-dev \ dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl ntp ntpdate winbind
During the installation of Kerberos, it may ask you what your Kerberos realm as well as the name of this server. This is our Kerberos Realm and AD DC Hostname from above:
Setting a static IP
It is important for our server to have a static IP, mostly because DNS is so important to the configuration of Samba
$sudo nano /etc/network/interfaces
# #/etc/network/interfaces # #and change: iface eth0 inet dhcp #to: #this will depend on your network setup, 192.168.0.200 is the IP of the box that Samba will be on. iface eth0 inet static address 192.168.0.200 netmask 255.255.255.0 gateway 192.168.0.1 #currently we want this server and our upstream DNS dns-nameservers 192.168.0.200 192.168.0.1 #this should be set to what you want your samba domain to be dns-search shaver.net
Setting your hostname:
$sudo nano /etc/hostname
Put in the name that you want your domain controller to be named:
# #/etc/hostname # dc1
Setting file system parameters:
Because samba makes use of some extended filesystem attributes that EXT3/4 don’t normally support we have to set them in fstab. Not that the packages acl and attr are required for this to work.
$sudo nano /etc/fstab
# #/etc/fstab # #this is an example of a partition where our Samba shares will live. UUID=xyzxyzxy-xyzx-xyzx-xyzx-xyzxyzxyzxyzxy / ext4 errors=remount-ro 0 1 #Add a few parameters: UUID=xyzxyzxy-xyzx-xyzx-xyzx-xyzxyzxyzxyzxy / ext4 user_xattr,acl,barrier=1,errors=remount-ro 0 1
We need to reboot for the changes to take effect.
#do a reboot sudo shutdown -r 0
Setting hosts file:
We need to be certain that dc1 always resolves to localhost.
$sudo nano /etc/hosts
# #/etc/hosts # #change: 127.0.1.1 shaver.net shaver #to whatever your FQDN is going to be for your server: 127.0.1.1 dc1.shaver.net dc1
Network Time Protocol is the system that manages what time it is on your system, and it is important that our time is accurate for the proper functioning of Kerberos.
# #Configuring ntp # #stop the ntp service $sudo service ntp stop #sync ntp $sudo ntpdate -B 0.ubuntu.pool.ntp.org #start the ntp service $sudo service ntp start
Setting up Samba
This is where we actually install Samba. The default smb.conf file needs to be moved elsewhere so that Samba doesn’t try to use it. It will generate its own during the provisioning process. I like to run samba-tool in interactive mode because it gives you suggestions, though if you prefer you can specify all of the parameters in one command.
# #Installing samba # $sudo apt-get install samba smbclient
# #Provisioning Samba # #move the old smb.conf to a safe place: $sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig #provision samba in interactive mode: $sudo samba-tool domain provision --use-rfc2307 --interactive DOMAIN:SHAVER Server Role:dc DNS backend:SAMBA_INTERNAL #note: this should be the upstream DNS server DNS forwarder IP address: 192.168.0.1 Administrator password: Something!S3cure!
Removing Upstream DNS:
We now want to remove the upstream DNS server from our network config, so that when resolv.conf is generated at boot it only points dns at ourselves. We do this because Samba is now managing
DNS and forwarding any external requests to the upstream DNS server.
$sudo nano /etc/network/interfaces
# #/etc/network/interfaces # #Remove the upstream DNS server as Samba is now handling it #192.168.0.200 is the address of the samba server dns-nameservers 192.168.0.200 192.168.0.1 #becomes dns-nameservers 192.168.0.200
$sudo shutdown -r 0
It is very important that DNS is working well for Samba to function correctly, therefore we should test it to make sure that it is working correctly. These three tests ensure A records are resolving and that Kerberos and LDAP SRV records are resolving to the proper server(s). The results should include the server that you are on.
#test SRV record for ldap on TCP $ host -t SRV _ldap._tcp.shaver.net _ldap._tcp.shaver.net has SRV record 0 100 389 dc1.shaver.net. #test SRV record for kerberos on UDP $ host -t SRV _kerberos._udp.shaver.net _kerberos._udp.shaver.net has SRV record 0 100 88 dc1.shaver.net #test name resolution of our host $ host -t A dc1.shaver.net dc1.shaver.net has address 192.168.0.200
Setting up Kerberos
Samba generated us a Kerberos config file, but Kerberos also comes with a default configuration file that we need to move before using the Samba one. We use a symbolic link so that if samba does any updates to the config file we don’t have to do this again.
# #Setting up kerberos # #move original kerberos file to a safe place $sudo mv /etc/krb5.conf /etc/krb5.conf.orig #link the samba created kerberos file to it's config location $sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
Testing Kerberos and authentication:
We want to make sure that Kerberos is actually handing out tickets(authentication tokens) and that we can actually authenticate using these tokens.
# #Test kerberos and smbclient # $kinit administrator@SHAVER.NET #enter the password that you created with samba $klist #you should see valid krbtgt ticket #now we try to connect to the server we are on using smbclient $sudo smbclient -L dc1.shaver.net -U 'administrator' # you should see netlogon and sysvol listed #test authentication with smblient $sudo smbclient //localhost/netlogon -U 'administrator'