Samba is free, open-source software that provides standard interoperability between
Windows and Linux/Unix operating systems.
Samba can operate as a standalone file and print server for Windows and Linux clients through
the SMB/CIFS protocol suite, or it can act as an Active Directory Domain Controller or be joined
into a realm as a Domain Member. The highest AD DC domain and forest functional level that
Samba4 can currently emulate is Windows 2008 R2.
The series is titled Setting Up Samba4 Active Directory Domain Controller and covers the
following topics for Ubuntu, CentOS, and Windows:
Part 3: Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT
Part 4: Manage Samba4 AD Domain Controller DNS and Group Policy from Windows
Part 6: Add a Shared Volume from Linux DC and Map to AD via GPO
This tutorial starts by explaining all the steps you need to take care of in order to install
and configure Samba4 as a Domain Controller on Ubuntu 16.04 and Ubuntu 14.04.
This configuration provides a central management point for users, machines, volume
shares, permissions and other resources in a mixed Windows and Linux infrastructure.
Requirements:
2. Next, open the machine's /etc/fstab file and make sure that your partitions' file systems have
ACLs enabled, as illustrated in the screenshot below.
Usually, common modern Linux file systems such as ext3, ext4, xfs or btrfs support ACLs and have
them enabled by default. If that's not the case with your file system, open /etc/fstab for
editing, add the acl string at the end of the third column and reboot the machine in order to
apply the changes.
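A small check for this step, added here as an example and not part of the original article: it parses an fstab-style file and reports, per mount point, whether the acl option is set, explicitly disabled (noacl), or left to the file system's default. The fstab content is constructed; pass /etc/fstab on a real host.

```shell
# Constructed sample fstab (not from the article); use /etc/fstab on a real host.
SAMPLE_FSTAB="$(mktemp)"
cat > "$SAMPLE_FSTAB" <<'EOF'
# <file system>  <mount point>  <type>  <options>               <dump> <pass>
UUID=1111-2222   /              ext4    errors=remount-ro,acl   0      1
UUID=3333-4444   /srv           xfs     defaults,noacl          0      2
UUID=5555-6666   /home          ext4    defaults                0      2
EOF

# acl_state FSTAB MOUNTPOINT
# Prints "acl" when the option is set explicitly, "noacl" when ACLs are
# switched off, "default" when neither is given (the file system's own
# default applies) and "missing" when the mount point is not in the file.
acl_state() {
  awk -v mp="$2" '
    # skip comments and short lines; match the mount point field
    $0 !~ /^[ \t]*#/ && NF >= 4 && $2 == mp {
      state = "default"
      n = split($4, opt, ",")          # the mount options field
      for (i = 1; i <= n; i++) {
        if (opt[i] == "acl")   state = "acl"
        if (opt[i] == "noacl") state = "noacl"
      }
      print state
      found = 1
      exit
    }
    END { if (!found) print "missing" }' "$1"
}
```

A result of "default" is only safe on file systems whose defaults include ACLs; "noacl" must be fixed before provisioning, because Samba stores Windows permissions in extended ACLs.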
3. Finally, set your machine hostname to a descriptive name, such as adc1 used in this
example, by editing the /etc/hostname file or by issuing the command below.
A reboot is necessary after you've changed the machine name in order to apply the change.
4. In order to transform your server into an Active Directory Domain Controller, install Samba
and all the required packages on your machine by issuing the command below with root
privileges in a console.
5. While the installation is running, the installer will ask a series of questions in order
to configure the domain controller.
On the first screen you need to enter a name for the default Kerberos REALM in uppercase.
Enter the name you will be using for your domain in uppercase and hit Enter to continue.
6. Next, enter the hostname of the Kerberos server for your domain. Use the same name as
your domain, in lowercase this time, and hit Enter to continue.
7. Finally, specify the hostname for the administrative server of your Kerberos realm. Use the
same name as your domain and hit Enter to finish the installation.
8. Before starting to configure Samba for your domain, first run the commands below in order
to stop and disable all Samba daemons.
9. Next, rename or remove Samba's original configuration. This step is absolutely required
before provisioning Samba AD, because at provision time Samba creates a new
configuration file from scratch and will throw errors if it finds an old smb.conf
file.
10. Now, start the domain provisioning interactively by issuing the command below with root
privileges and accept the default options that Samba offers.
Also, make sure you supply the IP address of a DNS forwarder at your premises (or an external
one) and choose a strong password for the Administrator account. If you choose a weak password
for the Administrator account, the domain provisioning will fail.
11. Finally, rename or remove the main Kerberos configuration file from the /etc directory and
replace it with a symlink to the Kerberos file newly generated by Samba, located under
/var/lib/samba/private, by issuing the commands below:
12. Start and enable the Samba Active Directory Domain Controller daemons.
13. Next, use the netstat command to verify that all the services required by Active
Directory are listening.
14. At this point Samba should be fully operational at your premises. The highest domain
level Samba emulates should be Windows AD DC 2008 R2.
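The netstat check in step 13 is easier to read as a pass/fail list than as raw output. The function below is an added example (not the article's own code): it takes netstat -tulpn output on stdin and prints the AD DC listeners that are absent. The netstat sample is constructed for illustration; on a real DC pipe the live command into the function instead.

```shell
# Constructed sample of `netstat -tulpn` output on a freshly provisioned DC
# (illustrative, not a capture from the article's machine).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
tcp   0      0      0.0.0.0:53      0.0.0.0:*         LISTEN   1201/samba
tcp   0      0      0.0.0.0:88      0.0.0.0:*         LISTEN   1201/samba
tcp   0      0      0.0.0.0:135     0.0.0.0:*         LISTEN   1201/samba
tcp   0      0      0.0.0.0:139     0.0.0.0:*         LISTEN   1205/smbd
tcp   0      0      0.0.0.0:389     0.0.0.0:*         LISTEN   1201/samba
tcp   0      0      0.0.0.0:445     0.0.0.0:*         LISTEN   1205/smbd
tcp   0      0      0.0.0.0:464     0.0.0.0:*         LISTEN   1201/samba
tcp   0      0      0.0.0.0:3268    0.0.0.0:*         LISTEN   1201/samba
udp   0      0      0.0.0.0:53      0.0.0.0:*                  1201/samba
udp   0      0      0.0.0.0:88      0.0.0.0:*                  1201/samba
udp   0      0      0.0.0.0:137     0.0.0.0:*                  1206/nmbd'

# Listeners an AD DC is expected to expose: DNS, Kerberos, RPC endpoint mapper,
# NetBIOS, LDAP/LDAPS, SMB, kpasswd and the Global Catalog (plain and TLS).
REQUIRED_TCP="53 88 135 139 389 445 464 636 3268 3269"
REQUIRED_UDP="53 88 137 138 389 464"

# missing_ports PROTO "PORT ..." reads netstat output on stdin and prints the
# required ports for PROTO that have no listener, space separated.
missing_ports() {
  proto="$1"; input="$(cat)"; missing=""
  for p in $2; do
    printf '%s\n' "$input" | awk -v pr="$proto" -v port="$p" '
      # column 4 is the local address; keep only what follows the last colon
      # so both 0.0.0.0:389 and :::389 are matched
      $1 == pr { addr = $4; sub(/.*:/, "", addr); if (addr == port) found = 1 }
      END { exit !found }' || missing="$missing $p"
  done
  printf '%s\n' "${missing# }"
}
```

On a live DC run `netstat -tulpn | missing_ports tcp "$REQUIRED_TCP"` (and the same for udp); in the constructed sample the TLS listeners 636 and 3269 are reported missing, which is exactly the condition you want to catch before clients rely on LDAPS.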
When finished, reboot your server and take a look at your resolver file to make sure it points
to the right DNS name servers.
16. Finally, test the DNS resolver by issuing queries and pings against some crucial AD DC
records, as in the excerpt below. Replace the domain name accordingly.
Run the following queries against the Samba Active Directory Domain Controller:
$ host -t A tecmint.lan
$ host -t A adc1.tecmint.lan
17. Also, verify Kerberos authentication by requesting a ticket for the domain administrator
account and listing the cached ticket. Write the domain name portion in uppercase.
$ kinit administrator@TECMINT.LAN
$ klist
In the next parts of the series we'll cover other Samba AD topics, such as how to manage the
domain controller from the Samba command line, how to integrate Windows 10 into the domain
and manage Samba AD remotely using RSAT, and other important topics.
This tutorial will cover some basic daily commands you need to use in
order to manage Samba4 AD Domain Controller infrastructure, such as
adding, removing, disabling or listing users and groups.
We'll also take a look at how to manage the domain security policy and
how to bind AD users to local PAM authentication so that AD users
are able to perform local logins on the Linux Domain Controller.
Requirements
1. Create an AD Infrastructure with Samba4 on Ubuntu 16.04 – Part 1
2. Manage Samba4 Active Directory Infrastructure from Windows10 via
RSAT – Part 3
3. Manage Samba4 AD Domain Controller DNS and Group Policy from
Windows – Part 4
Step 1: Manage Samba AD DC from Command Line
1. Samba AD DC can be managed through the samba-tool command line
utility, which offers a rich interface for administering your domain.
With the samba-tool interface you can directly manage domain
users and groups, domain Group Policy, domain sites, DNS services,
domain replication and other critical domain functions.
To add a user with several important fields required by AD, use the
following syntax:
10. To list all the Samba domain members of a specific group, use the
command:
15. After you've made the changes, use the testparm utility to make sure no
errors are found in the Samba configuration file, and restart the Samba
daemons by issuing the command below.
$ testparm
$ sudo pam-auth-update
17. Now, open the /etc/nsswitch.conf file with a text editor and add the winbind
statement at the end of the passwd and group lines, as illustrated in
the screenshot below.
$ sudo vi /etc/nsswitch.conf
Add Winbind Service Switch for Samba
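The nsswitch.conf edit from step 17 done without an interactive editor, as an added example that is not from the article: the function appends winbind to the passwd and group lines only, skips lines that already have it, and keeps a backup. The file content is constructed; on a DC pass /etc/nsswitch.conf.

```shell
# Constructed sample nsswitch.conf in the Ubuntu layout (not the article's file).
SAMPLE_NSS="$(mktemp)"
cat > "$SAMPLE_NSS" <<'EOF'
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
EOF

# add_winbind FILE: append "winbind" to the passwd: and group: lines,
# idempotently, leaving every other database untouched. FILE.bak keeps
# the previous content so the change can be rolled back.
add_winbind() {
  f="$1"
  cp -p "$f" "$f.bak"
  awk '
    ($1 == "passwd:" || $1 == "group:") && $0 !~ /[ \t]winbind([ \t]|$)/ {
      $0 = $0 " winbind"
    }
    { print }' "$f.bak" > "$f"
}

# nss_sources FILE DATABASE -> prints the source list of one database,
# e.g. "compat winbind"; used to verify the edit.
nss_sources() {
  awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}
```

Only passwd and group get winbind; shadow stays local, since winbind does not serve shadow entries and adding it there only slows lookups.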
Remove the use_authtok option each time PAM updates are installed and
applied to the PAM modules, or each time you execute the pam-auth-update
command.
19. The Samba4 binaries come with a winbindd daemon built in and
enabled by default.
For this reason you are no longer required to separately enable and
run the winbind daemon provided by the winbind package from the official
Ubuntu repositories.
In case the old and deprecated winbind service is started on the
system, make sure you disable and stop the service by issuing the
commands below:
$ wbinfo -g
$ wbinfo -u
$ wbinfo -i your_domain_user
# su - your_ad_user
$ id
$ exit
$ su - your_ad_user
$ passwd
Change Samba4 AD User Password
23. By default, Active Directory users are not granted root
privileges to perform administrative tasks on Linux.
To grant root powers to an AD user, add the username to the
local sudo group by issuing the command below.
Make sure you enclose the realm, slash and AD username in
single ASCII quotes.
To test whether the AD user has root privileges on the local system, log in and run
a command, such as apt-get update, with sudo.
# su - tecmint_user
Comment out the default server list by adding a # in front of each pool line and
add the pool lines below with your own NTP servers, as illustrated in the
screenshot below.
pool 3.ro.pool.ntp.org
ntpsigndsocket /var/lib/samba/ntp_signd/
Sync AD with NTP
4. Finally, move to the bottom of the file and add the line below, as illustrated
in the screenshot, which allows network clients only to query the
time from the server.
$ ntpq -p
# ntpdate -d adc1.tecmint.lan
ping tecmint.lan
ping adc1.tecmint.lan
Check Network Connectivity Between Windows and Samba4 AD
11. If the resolver correctly responds to the Windows client's DNS queries, you
then need to make sure that the time is accurately synchronized with the realm.
Open Control Panel -> Clock, Language and Region -> Set Time and Date
-> Internet Time tab -> Change Settings and write your domain name in the
'Synchronize with an Internet time server' field.
Hit the Update Now button to force time synchronization with the realm and
hit OK to close the window.
Synchronize Time with Internet Server
12. Finally, join the domain by opening System Properties -> Change
-> Member of Domain, write your domain name, hit OK, enter your domain
administrative account credentials and hit OK again.
A new pop-up window should open informing you that you're a member of the
domain. Hit OK to close the pop-up window and reboot the machine in order
to apply the domain changes.
The screenshots below illustrate these steps.
Join Windows Domain to Samba4 AD
Enter Domain Administration Login
Domain Joined to Samba4 AD Confirmation
1. To administer the DNS service for your domain controller via RSAT,
go to your Windows machine, open Control Panel -> System and
Security -> Administrative Tools and run the DNS Manager utility.
Once the tool opens, it asks which running DNS server you
want to connect to. Choose 'The following computer', type your domain
name in the field (an IP address or FQDN can be used as well), check
the box that says 'Connect to the specified computer now' and hit OK to
open your Samba DNS service.
3. In the New Host window, type the name and the IP
address of your DNS resource. The FQDN will be filled in automatically
by the DNS utility. When finished, hit the Add Host button and a
pop-up window will inform you that your DNS A record has been
successfully created.
Make sure you add DNS A records only for those resources in your
network configured with static IP addresses. Don't add DNS A records for
hosts which are configured to acquire their network configuration from
a DHCP server or whose IP addresses change often.
Configure Samba Host on Windows
5. Next, hit the Next button and choose Primary zone from the Zone Type wizard.
9. At this point you have a valid DNS reverse lookup zone configured
for your domain. In order to add a PTR record in this zone, right-click
in the right pane and choose to create a PTR record for a network
resource.
In this case we've created a pointer for our gateway. To test whether
the record was properly added and works as expected from the client's
point of view, open a Command Prompt and issue an nslookup query
against the name of the resource and another query for its IP address.
Both queries should return the correct answer for your DNS resource.
nslookup gate.tecmint.lan
nslookup 192.168.1.1
ping gate
12. After finishing editing the two entries, close all windows, open an
elevated Command Prompt and force group policy to apply on your
machine by issuing the command below:
gpupdate /force
13. Finally, reboot your computer and you'll see the logon banner in
action when you try to log on.