You’re mistaken if you think Active Directory and Domain Controller are words associated exclusively with Windows. It may be surprising for some, but it is possible to set up a Linux domain controller with Samba Active Directory.
Best of all, Samba Active Directory is free. Let's go over the process of installing and configuring a Samba Active Directory Domain Controller in this post.
Requirements
Before installing Samba, there are some requirements you must meet.
- A Linux server, such as RHEL, Debian, Ubuntu, and their derivatives. This post will use Ubuntu Server 20.04.
- The server must have a static IP address. The server in this post will have an IP address of 10.0.0.6.
- A DNS domain. This post uses demo.int, which is not internet-facing. Outside a lab, use a subdomain of a domain you actually own so the AD DNS zone cannot collide with public names.
Configure the Server Hostname and FQDN
As part of the preparation for the Samba Active Directory installation, let’s set up the server’s identity in the network by configuring its name and FQDN.
On your terminal, run the command below to change the server name. In this example, the server name is dc1.
sudo hostnamectl set-hostname dc1
Next, open the /etc/hosts file in a text editor like nano.
sudo nano /etc/hosts
Append the host entry below. Make sure to replace the IP address, domain, and hostname.
# IP, FQDN, and hostname
10.0.0.6 dc1.demo.int dc1
The file would look similar to the screenshot below. Save the file and exit the editor.
Confirm that the short name and FQDN changes were successful by running this command:
# Get the short name
hostname
# Get the FQDN
hostname -f
Disable the Default DNS Resolver
On Ubuntu, the systemd-resolved service manages the DNS resolution on the system. Before installing Samba Active Directory, we want to disable the default DNS manager so that we can point the DNS resolver to the server itself.
First, disable the systemd-resolved service.
sudo systemctl disable --now systemd-resolved
Next, remove the /etc/resolv.conf symlink, which points to /run/systemd/resolve/stub-resolv.conf, so that we can replace it with a regular file.
sudo unlink /etc/resolv.conf
Let’s create a new /etc/resolv.conf file using the text editor now.
sudo nano /etc/resolv.conf
Populate the file with the values below. Replace the first nameserver IP address with your server's IP address and the search domain with your DNS domain. You may leave the second nameserver as 1.1.1.1, the Cloudflare public resolver; it is only consulted if the Samba server does not answer, and it cannot resolve names in demo.int.
# The Samba server's static IP address
nameserver 10.0.0.6
# The fallback DNS resolver IP address
nameserver 1.1.1.1
# The Samba DNS domain
search demo.int
Save the file and exit the text editor.
Make /etc/resolv.conf immutable so that nothing (netplan, a reinstated systemd-resolved, or a stray package script) overwrites it on reboot. Remember to run chattr -i on the file before you ever need to edit it again.
sudo chattr +i /etc/resolv.conf
Finally, restart the server.
sudo reboot
Install Samba
After rebooting, log in to your server again and follow these steps to install Samba.
Update the local package index cache.
sudo apt-get update
Install Samba and its required packages.
sudo apt-get install -y acl attr samba samba-dsdb-modules samba-vfs-modules smbclient winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools
The package configuration starts automatically. The first page asks for the default Kerberos realm, which is your DNS domain in uppercase (DEMO.INT). If you followed the preparation steps, it is already filled in; if not, type it in and press Enter.
On the next page, enter the hostname of the Kerberos server (dc1.demo.int) and press Enter. In this case, we only have one server.
Type your server name at the prompt asking for the administrative server name and press Enter. Wait for the installation to finish.
Run the command below to stop and disable the services that a Samba Active Directory Domain Controller does not use (the samba-ad-dc service starts its own instances of them). The --now flag stops the services as well as disabling them; the Samba wiki additionally recommends masking them with systemctl mask so that a later package upgrade cannot start them again.
sudo systemctl disable --now smbd nmbd winbind
The installation process creates a placeholder configuration that can break the Samba Active Directory Domain Controller provisioning process. This file is in /etc/samba/smb.conf. So before we proceed, let’s rename this file first.
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
Lastly, enable the samba-ad-dc service, which is crucial to running a Samba Active Directory Domain Controller.
sudo systemctl unmask samba-ad-dc
sudo systemctl enable samba-ad-dc
Configure the Samba Active Directory Domain Controller
Installing Samba doesn’t automatically make it usable as a domain controller. There are a few more steps before the Samba Active Directory Domain Controller is fully functional.
Domain provisioning is done using the samba-tool command, and you can do it in a non-interactive and interactive way. But for the sake of this demonstration, let’s perform interactive provisioning.
Run the following command in the terminal. The --use-rfc2307 parameter enables the NIS extensions so that Unix user attributes (uidNumber, gidNumber, login shell) can be stored in the directory.
sudo samba-tool domain provision --use-rfc2307 --interactive
The tool will ask you to enter/confirm information, such as:
- Realm — the Kerberos realm, which is your DNS domain in uppercase (DEMO.INT). Press Enter to accept the default.
- Domain — the NetBIOS domain name; samba-tool proposes the first label of the realm (DEMO). Press Enter to accept the default.
- Server role — the Samba server role. The default is dc. Press Enter to accept.
- DNS backend — the default, SAMBA_INTERNAL, means Samba itself serves the domain's DNS zone. Press Enter.
- DNS forwarder IP address — samba-tool proposes the first nameserver in /etc/resolv.conf, which is now the server itself, and forwarding to yourself would only loop. Enter an upstream resolver that Samba should use for names outside its own zones, for example 1.1.1.1, and press Enter.
- Administrator password — the password of the built-in Administrator account. Samba's default password policy requires at least 7 characters and complexity (at least three of uppercase, lowercase, digits and symbols); samba-tool refuses a password that does not meet it.
At the end of the provisioning, you'll see a result similar to the screenshot below.
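The preparation steps (hostname and /etc/hosts entry, /etc/resolv.conf pointing at the server itself) and the provisioning prompts above all feed the same few values, and getting one of them wrong only shows up after provisioning. The script below is an added example, not part of the original post or of Samba: it checks those values on the live system and then prints the equivalent non-interactive samba-tool command. The function names and the DC_IP/FORWARDER arguments are this example's own; the file paths and samba-tool options are the real ones. It deliberately omits --adminpass, because samba-tool then generates a random Administrator password and prints it once instead of leaving it in shell history or in ps output.

```shell
#!/bin/sh
# Added example: preflight checks before "samba-tool domain provision",
# followed by the non-interactive command built from the checked values.
# Usage: sh preflight.sh <DC_IP> <FORWARDER>, e.g. sh preflight.sh 10.0.0.6 1.1.1.1
set -u

# hosts_entry_ok HOSTS_FILE IP FQDN SHORT
# True when HOSTS_FILE has an uncommented "IP FQDN SHORT" line, which is
# what "hostname -f" relies on to report the FQDN.
hosts_entry_ok() {
    awk -v ip="$2" -v fqdn="$3" -v short="$4" '
        $1 !~ /^#/ && $1 == ip && $2 == fqdn && $3 == short { found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# first_nameserver RESOLV_FILE -> prints the first nameserver, if any
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# forwarder_ok FORWARDER DC_IP
# The forwarder must be an upstream resolver: pointing it at the DC itself
# (or at loopback) makes every query for a foreign name loop back into Samba.
forwarder_ok() {
    [ -n "$1" ] && [ "$1" != "$2" ] && [ "$1" != "127.0.0.1" ] && [ "$1" != "::1" ]
}

# realm_from_fqdn dc1.demo.int -> DEMO.INT (Kerberos realms are uppercase)
realm_from_fqdn() {
    printf '%s\n' "${1#*.}" | tr '[:lower:]' '[:upper:]'
}

# netbios_from_realm DEMO.INT -> DEMO (the default samba-tool proposes)
netbios_from_realm() {
    printf '%s\n' "${1%%.*}"
}

# provision_cmd REALM NETBIOS FORWARDER -> prints the non-interactive command.
# No --adminpass: samba-tool generates a random Administrator password and
# prints it once, so it never lands in shell history or "ps" output.
provision_cmd() {
    printf 'samba-tool domain provision --use-rfc2307 --realm=%s --domain=%s --server-role=dc --dns-backend=SAMBA_INTERNAL --dns-forwarder=%s\n' "$1" "$2" "$3"
}

# preflight DC_IP FORWARDER: run the checks against the live system
preflight() {
    dc_ip=$1 forwarder=$2
    fqdn=$(hostname -f) short=$(hostname)
    case "$fqdn" in
        *.*) ;;
        *) echo "FAIL: hostname -f returned '$fqdn', not an FQDN"; return 1 ;;
    esac
    hosts_entry_ok /etc/hosts "$dc_ip" "$fqdn" "$short" \
        || { echo "FAIL: /etc/hosts lacks the line '$dc_ip $fqdn $short'"; return 1; }
    [ "$(first_nameserver /etc/resolv.conf)" = "$dc_ip" ] \
        || { echo "FAIL: first nameserver in /etc/resolv.conf is not $dc_ip"; return 1; }
    forwarder_ok "$forwarder" "$dc_ip" \
        || { echo "FAIL: forwarder '$forwarder' would loop back to the DC"; return 1; }
    realm=$(realm_from_fqdn "$fqdn")
    echo "OK: preflight passed; run as root:"
    provision_cmd "$realm" "$(netbios_from_realm "$realm")" "$forwarder"
}

if [ "${1-}" ] && [ "${2-}" ]; then
    preflight "$1" "$2"
fi
```

The script only prints the provisioning command rather than running it, so you can read the realm, NetBIOS name and forwarder it derived before committing to them; --server-role=dc and --dns-backend=SAMBA_INTERNAL are spelled out even though they are the defaults, so the choices are visible in the command history.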
So what has happened at this point? samba-tool created the Samba configuration file at /etc/samba/smb.conf. You can inspect its contents like so.
cat /etc/samba/smb.conf
It also generated a Kerberos configuration file at /var/lib/samba/private/krb5.conf.
cat /var/lib/samba/private/krb5.conf
Kerberos clients read /etc/krb5.conf, so copy the generated file there, overwriting the one krb5-config wrote during package installation.
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
Start the samba-ad-dc service and confirm that it is running.
sudo systemctl start samba-ad-dc
sudo systemctl status samba-ad-dc
You should see that the Samba AD Daemon status is active (running).
Lastly, confirm the functional level of the Samba Active Directory Domain Controller with samba-tool domain level show. You should see that the forest, domain and lowest DC function levels are all equivalent to Windows 2008 R2.
Verify Samba Active Directory
Now, let’s perform some verification steps to confirm that Samba Active Directory is fully functional.
Test the Default Shares
Run the command below to test whether you can list the shares. Replace dc1.demo.int with your Samba server’s FQDN.
smbclient -L dc1.demo.int -N
As you can see below, the command listed the default shares: netlogon, sysvol and IPC$. Note that this listing was anonymous (-N), which is the default behaviour of a new DC.
Next, test whether the Administrator account can authenticate and list the contents of the sysvol share. Type the administrator account password when prompted.
smbclient //dc1.demo.int/sysvol -U Administrator -c 'ls'
Verify the Samba Server DNS Records
Run these commands to confirm that the DNS name resolution works as expected.
# Lookup the Samba Server A record
host -t A dc1.demo.int.
# Lookup the Kerberos service record
host -t SRV _kerberos._udp.demo.int.
# Lookup the LDAP service record
host -t SRV _ldap._tcp.demo.int.
Test the Kerberos Authentication
Test the administrator account login.
kinit administrator
kinit prompts for the Administrator password. If authentication succeeds it prints nothing; a failure is reported with an error message, similar to the screenshot below.
List the cached Kerberos tickets.
klist
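The three verification steps above (SRV records, share listing, Kerberos ticket) are the ones to re-run after every reboot or change to the DC, so it is worth having them as a script that names what failed. The script below is an added example, not part of the original post or of Samba. Its parsers read command output on stdin, so they can be exercised on captured text, and run_checks feeds them the live output of host, smbclient and klist. The function names are this example's own; the DC FQDN and domain are passed as arguments (dc1.demo.int and demo.int in this post).

```shell
#!/bin/sh
# Added example: scripted verification of a Samba AD DC.
# Usage: sh verify-dc.sh dc1.demo.int demo.int
set -u

# srv_target: "_ldap._tcp.demo.int has SRV record 0 100 389 dc1.demo.int."
# -> "dc1.demo.int" (trailing dot stripped). Prints nothing without an SRV line.
srv_target() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# srv_port: same line -> "389"
srv_port() {
    awk '/has SRV record/ { print $(NF-1); exit }'
}

# shares_present SHARE...: true when every named share appears in the
# "smbclient -L" listing, whose rows look like "    sysvol    Disk    "
shares_present() {
    out=$(cat) missing=0
    for share in "$@"; do
        printf '%s\n' "$out" \
            | awk -v s="$share" 'tolower($1) == s { ok = 1 } END { if (!ok) exit 1 }' \
            || missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# tgt_principal: from klist output, the TGT's service principal, e.g.
# "krbtgt/DEMO.INT@DEMO.INT"; prints nothing when no TGT is cached.
tgt_principal() {
    awk '$NF ~ /^krbtgt\// { print $NF; exit }'
}

# run_checks DC_FQDN DOMAIN: exercise the live services; every failure is named
run_checks() {
    dc=$1 dom=$2 rc=0
    # Clients locate the DC through these records; each must point at the DC.
    for svc in _kerberos._udp _kerberos._tcp _ldap._tcp; do
        t=$(host -t SRV "$svc.$dom." | srv_target)
        [ "$t" = "$dc" ] || { echo "FAIL: $svc.$dom SRV -> '${t:-none}', expected $dc"; rc=1; }
    done
    [ "$(host -t SRV "_ldap._tcp.$dom." | srv_port)" = 389 ] \
        || { echo "FAIL: _ldap._tcp.$dom does not advertise port 389"; rc=1; }
    # Group Policy and logon scripts live in these two shares.
    smbclient -L "$dc" -N 2>/dev/null | shares_present sysvol netlogon \
        || { echo "FAIL: sysvol/netlogon not listed by smbclient -L $dc"; rc=1; }
    [ -n "$(klist 2>/dev/null | tgt_principal)" ] \
        || { echo "FAIL: no TGT in the credential cache; run kinit administrator first"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: DNS, share and Kerberos checks passed for $dc"
    return "$rc"
}

if [ "${1-}" ] && [ "${2-}" ]; then
    run_checks "$1" "$2"
fi
```

The SRV checks compare the record target against the DC's FQDN rather than just testing that a record exists, because a stale or mis-registered record that points elsewhere is exactly the failure that makes domain joins and logons hang.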
Create a New User
Now, let's create a new user in the Samba Active Directory called devuser1 with Polyester@Left2@Stimuli as the password. Passing the password as an argument is convenient for a demo, but it ends up in the shell history and is briefly visible in the process list; if you omit it, samba-tool prompts for it instead.
sudo samba-tool user create devuser1 Polyester@Left2@Stimuli
List all the users and confirm that devuser1 is on the list.
sudo samba-tool user list
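As an added example (not part of the original post or of Samba), the snippet below wraps user creation so that the password never appears on the command line, and checks a candidate password against Samba's default policy (minimum length 7, complexity on) before handing it to samba-tool, so a rejected password is caught with a clear message instead of a failed command. The policy values are Samba's defaults; the function names and the account-name rule as implemented here are this example's own rendering of the Windows complexity rule that Samba applies.

```shell
#!/bin/sh
# Added example: create a domain user without exposing its password, and
# pre-check a password against Samba's default policy.
# Usage: sh create-user.sh devuser1        (prompts for the password)
#        sh create-user.sh devuser1 random (samba-tool generates one)
set -u

# class_count PASSWORD -> number of character classes used (0..4).
# Complexity requires at least three of: upper, lower, digit, other.
class_count() {
    n=0
    case "$1" in *[[:upper:]]*) n=$((n + 1)) ;; esac
    case "$1" in *[[:lower:]]*) n=$((n + 1)) ;; esac
    case "$1" in *[[:digit:]]*) n=$((n + 1)) ;; esac
    case "$1" in *[![:alnum:]]*) n=$((n + 1)) ;; esac
    echo "$n"
}

# password_meets_policy USERNAME PASSWORD [MINLEN]
# Length, three of four classes, and the account name must not appear in
# the password (case-insensitive). MINLEN defaults to Samba's default of 7.
password_meets_policy() {
    user=$1 pw=$2 minlen=${3:-7}
    [ "${#pw}" -ge "$minlen" ] || return 1
    [ "$(class_count "$pw")" -ge 3 ] || return 1
    lower_pw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    lower_user=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    case "$lower_pw" in *"$lower_user"*) return 1 ;; esac
    return 0
}

# create_user USERNAME: with no password argument samba-tool prompts for it
# twice, so nothing lands in shell history or "ps" output. The user must
# change the password at first logon.
create_user() {
    samba-tool user create "$1" --must-change-at-next-login
}

# create_user_random USERNAME: samba-tool generates a random password and
# prints it once; hand it over out of band and let the user change it.
create_user_random() {
    samba-tool user create "$1" --random-password --must-change-at-next-login
}

# check_then_create USERNAME: read the password from the terminal, check the
# policy locally, then create the user (samba-tool prompts again and applies
# the real policy; this just avoids a failed round trip).
check_then_create() {
    printf 'Password for %s: ' "$1"
    stty -echo; read -r candidate; stty echo; echo
    password_meets_policy "$1" "$candidate" \
        || { echo "rejected: need >= 7 chars, 3 of 4 classes, not containing '$1'"; return 1; }
    create_user "$1"
}

if [ "${1-}" ]; then
    if [ "${2-}" = random ]; then create_user_random "$1"; else check_then_create "$1"; fi
fi
```

The local check is a convenience, not the enforcement point: the DC applies its own policy when samba-tool submits the password, and you can raise that policy for the whole domain with samba-tool domain passwordsettings set (for example a longer --min-pwd-length) before creating real users.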
Join a Windows Computer to the Domain
If you have a Windows PC that you want to join the Samba Active Directory Domain, follow these steps.
Open PowerShell administrator on the Windows computer and run this command to find the network adapter name and index.
Get-NetAdapter -Name "*"
Once you know the interface index, run this command to point the computer's DNS client at the Samba server. Replace the -InterfaceIndex and -ServerAddresses values accordingly. A public resolver as the secondary is acceptable in a lab, but Windows switches to the secondary after a timeout and then keeps using it, and 1.1.1.1 cannot answer for demo.int, so in production list only domain controllers here.
Set-DnsClientServerAddress `
    -InterfaceIndex 6 `
    -ServerAddresses '10.0.0.6','1.1.1.1'
Confirm that the computer can resolve the Samba Server name and IP address.
Resolve-DnsName -Type A -Name dc1.demo.int
Now that the computer knows how to locate the Samba Active Directory server, let’s add the computer as a domain member.
Add-Computer -DomainName 'demo.int' -Restart
Enter the domain Administrator credentials (DEMO\Administrator and its password) when prompted and click OK. If the domain join succeeds, the computer reboots automatically.
While waiting for the computer to boot into Windows, run the below command in the Ubuntu terminal.
sudo samba-tool computer list
This command will list all the member computers, and you should see the Windows PC you recently joined.
Now, log in to Windows using the domain user account (devuser1@demo.int).
Once logged in, open PowerShell and run the below commands to confirm the user login context.
$env:USERDNSDOMAIN
whoami
query user
That’s it! You successfully joined a Windows computer to the Samba Active Directory domain and logged in as a domain user.
3 comments
Interesting, how did you get the ‘server services’ line in the DC’s smb.conf when you used ‘SAMBA_INTERNAL’ during provision ?
That is a good question. The DNS entry is missing in the service line of the screenshot too. Maybe it's (another) quirk of Linux on Azure :)
Would be interesting to know.
The ‘server services’ line shows the services of the Samba server. You will not see “SAMBA_INTERNAL” as the service. It is only the name used in the provisioning process, but the actual service name is winbindd (which you can find on that line) and not to be confused with winbind.