You’re mistaken if you think Active Directory and Domain Controller are words associated exclusively with Windows. It may be surprising for some, but it is possible to set up a Linux domain controller with Samba Active Directory.
The best deal is Samba Active Directory is free. Let’s go over the process of installing and configuring a Samba Active Directory Domain Controller in this post.
Before installing Samba, there are some requirements you must meet.
- A Linux server, such as RHEL, Debian, Ubuntu, and their derivatives. This post will use Ubuntu Server 20.04.
- The server must have a static IP address. The server in this post will have an IP address of 10.0.0.6.
- A DNS domain. This post uses a non-internet facing domain name demo.int.
Configure the Server Hostname and FQDN
As part of the preparation for the Samba Active Directory installation, let’s set up the server’s identity in the network by configuring its name and FQDN.
On your terminal, run the command below to change the server name. In this example, the server name is dc1.
sudo hostnamectl set-hostname dc1
Next, open the /etc/hosts file in a text editor like nano.
sudo nano /etc/hosts
Append the host entry below. Make sure to replace the IP address, domain, and hostname.
# IP, FQDN, and hostname 10.0.0.6 dc1.demo.int dc1
The file would look similar to the screenshot below. Save the file and exit the editor.
Confirm that the short name and FQDN changes were successful by running this command:
# Get the short name hostname # Get the FQDN hostname -f
Disable the Default DNS Resolver
On Ubuntu, the systemd-resolved service manages the DNS resolution on the system. Before installing Samba Active Directory, we want to disable the default DNS manager so that we can point the DNS resolver to the server itself.
First, disable the systemd-resolved service.
sudo systemctl disable --now systemd-resolved
Next, remove the link of the /etc/resolv.conf file to the /run/systemd/resolve/stub-resolv.conf so that we can replace it.
sudo unlink /etc/resolv.conf
Let’s create a new /etc/resolv.conf file using the text editor now.
sudo nano /etc/resolv.conf
Populate the file with the below values. Make sure to replace the first nameserver IP address with your server’s IP address and the search domain with your DNS domain. You may leave the second nameserver IP address to 22.214.171.124, which is the Cloudflare Public DNS resolver.
# The Samba server's static IP address nameserver 10.0.0.6 # The fallback DNS resolver IP address nameserver 126.96.36.199 # The Samba DNS domain search demo.int
Save the file and exit the text editor.
Make the /etc/resolv.conf immutable. This is to prevent Ubuntu from overwriting it during a system reboot and any changes to be written to it.
sudo chattr +i /etc/resolv.conf
Finally, restart the server.
After rebooting, log in to your server again and follow these steps to install Samba.
Update the local package index cache.
sudo apt-get update
Install Samba and its required packages.
sudo apt-get install -y acl attr samba samba-dsdb-modules samba-vfs-modules smbclient winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools
The package configuration automatically starts. The first page asks you to specify the default Kerberos realm, which is the DNS domain. If you followed the preparation steps, the domain should already be indicated. If not, type in the domain and press Enter.
On the next page, enter the hostname of the Kerberos server and press Enter. In this case, we only have one server.
Type your server name at the prompt asking for the administrative server name and press Enter. Wait for the installation to finish.
Run the below command to disable unnecessary services for the Samba Active Directory Domain Controller server.
sudo systemctl stop --now smbd nmbd winbind sudo systemctl disable --now smbd nmbd winbind
The installation process creates a placeholder configuration that can break the Samba Active Directory Domain Controller provisioning process. This file is in /etc/samba/smb.conf. So before we proceed, let’s rename this file first.
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
Lastly, enable the samba-ad-dc service, which is crucial to running a Samba Active Directory Domain Controller.
sudo systemctl unmask samba-ad-dc sudo systemctl enable samba-ad-dc
Configure the Samba Active Directory Domain Controller
Installing Samba doesn’t automatically make it usable as a domain controller. There are a few more steps before the Samba Active Directory Domain Controller is fully functional.
Domain provisioning is done using the samba-tool command, and you can do it in a non-interactive and interactive way. But for the sake of this demonstration, let’s perform interactive provisioning.
Run the following command in the terminal. The –use-rfc2307 parameter enables the NIS extensions to properly handle Unix user attributes.
sudo samba-tool domain provision --use-rfc2307 --interactive
The tool will ask you to enter/confirm information, such as:
- Realm — Your full domain. Press Enter to accept the default.
- Demo — The domain base name. You probably better know this as NetBIOS. Press Enter to accept the default.
- Server role — The Samba server role. The default selection is dc. Press Enter to accept.
- DNS backend — The default option is SAMBA_INTERNAL, which means you’ll use Samba as the DNS server. Press Enter.
- DNS forwarder IP address — This defaults to the server’s internal IP address. In this case, enter a public DNS resolver to where Samba will forward queries it cannot handle internally. For example, type 188.8.131.52 and press Enter.
- Administrator password — The default Samba Administrator account password. The password must be at least 7 characters long.
- At the end of the provisioning, you’ll see a result similar to the below screenshot.
So what has happened at this point? The samba-tool created the Samba configuration file at /etc/samba/smb.conf. You can inspect its contents like so.
Also, the Kerberos configuration file at /var/lib/samba/private/krb5.conf.
But the krb5.conf file must be in /etc/krb5.conf for the Kerberos to function properly, so let’s move it!
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
Start the samba-ad-dc service and confirm that it is running.
sudo systemctl start samba-ad-dc
sudo systemctl status samba-ad-dc
You should see that the Samba AD Daemon status is active (running).
Lastly, confirm the domain level of the Samba Active Directory Domain Controller. You should see that the lowest level is equivalent to Windows 2008 R2.
Verify Samba Active Directory
Now, let’s perform some verification steps to confirm that Samba Active Directory is fully functional.
Test the Default Shares
Run the command below to test whether you can list the shares. Replace dc1.demo.int with your Samba server’s FQDN.
smbclient -L dc1.demo.int -N
As you can see below, the command listed the default shares.
Next, test whether the Administrator account can authenticate and list the contents of the sysvol share. Type the administrator account password when prompted.
smbclient //dc1.demo.int/sysvol -U Administrator -c 'ls'
Verify the Samba Server DNS Records
Run these commands to confirm that the DNS name resolution works as expected.
# Lookup the Samba Server A record host -t A dc1.demo.int. # Lookup the Kerberos service record host -t SRV _kerberos._udp.demo.int. # Lookup the LDAP service record host -t SRV _ldap._tcp.demo.int.
Test the Kerberos Authentication
Test the administrator account login.
If the authentication passes, you’ll see a similar message to the one below.
List the cached Kerberos tickets.
Create a New User
Now, let’s create a new user in the Samba Active Directory called devuser1 with Polyester@Left2@Stimuli as the password.
sudo samba-tool user create devuser1 Polyester@Left2@Stimuli
List all the users and confirm that devuser1 is on the list.
sudo samba-tool user list
Join a Windows Computer to the Domain
If you have a Windows PC that you want to join the Samba Active Directory Domain, follow these steps.
Open PowerShell administrator on the Windows computer and run this command to find the network adapter name and index.
Get-NetAdapter -Name "*"
Once you know the network adapter index, run this command to change the DNS server IP address and point them to the Samba server. Make sure to replace the -InterfaceIndex and -ServerAddresses values accordingly.
Set-DNSClientServerAddress ` -InterfaceIndex 6 ` -ServerAddresses '10.0.0.6','184.108.40.206'
Confirm that the computer can resolve the Samba Server name and IP address.
Resolve-DnsName -Type A -Name dc1.demo.int
Now that the computer knows how to locate the Samba Active Directory server, let’s add the computer as a domain member.
Add-Computer -DomainName 'demo.int' -Restart
Type in the administrator account name and password and click OK. If the domain join process is successful, the computer will automatically reboot.
While waiting for the computer to boot into Windows, run the below command in the Ubuntu terminal.
sudo samba-tool computer list
This command will list all the member computers, and you should see the Windows PC you recently joined.
Now, log in to Windows using the domain user account (firstname.lastname@example.org).
Once logged in, open PowerShell and run the below commands to confirm the user login context.
$env:USERDNSDOMAIN whoami query user
That’s it! You successfully joined a Windows computer to the Samba Active Directory domain and logged in as a domain user.
Interesting, how did you get the ‘server services’ line in the DC’s smb.conf when you used ‘SAMBA_INTERNAL’ during provision ?
That is a good question. the dns entry is missing in the service line of the screenshot too. Maybe it’s (another) quirk of linux on azure :)
Would be interesting to now.
The ‘server services’ line shows the services of the Samba server. You will not see “SAMBA_INTERNAL” as the service. It is only the name used in the provisioning process, but the actual service name is winbindd (which you can find on that line) and not to be confused with winbind.