These instructions provide a basic guide for provisioning your Active Directory using Samba. For more detailed explanations, please consult the official Samba wiki pages.
This guide provisions Samba as an AD DC with the internal DNS backend. The RFC 2307 extensions are part of the standard schema, so there is no need for '--use-rfc2307' while provisioning, despite what you may find elsewhere.
The Domain Controller is named dc1.mad.caponato.es and has an ip address of 192.168.0.2.
Its hostname and hosts file have already been configured (see Preparing your server).
If you require guidance on installing additional DCs, please refer to the additional DC section. It is important to note that this howto should never be used for installing an additional DC.
systemctl stop samba-ad-dc.service
rm /run/samba/*.tdb \
   /run/samba/*.ldb \
   /var/lib/samba/*.tdb \
   /var/lib/samba/*.ldb \
   /var/cache/samba/*.tdb \
   /var/cache/samba/*.ldb \
   /var/lib/samba/private/*.tdb \
   /var/lib/samba/private/*.ldb
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
mv /etc/krb5.conf /etc/krb5.conf.bak
See Installing and configuring Chrony to work with a Samba DC.
samba-tool domain provision --server-role=dc --dns-backend=SAMBA_INTERNAL --realm=MAD.CAPONATO.ES --domain=MAD --adminpass=Passw0rd --option="dns forwarder=8.8.8.8 1.1.1.1"
cp /var/lib/samba/private/krb5.conf /etc/
Please note, some people recommend having only the following lines in the Kerberos config:
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = MAD.CAPONATO.ES
In /etc/resolv.conf, list your own address first, then a second server of your choice in case Samba fails; in this case Google's 8.8.8.8:
nameserver 192.168.0.2
nameserver 8.8.8.8
search mad.caponato.es
Samba, acting as an AD DC, starts whatever services it needs on its own, so let's mask the other startup scripts.
systemctl unmask samba-ad-dc && systemctl enable samba-ad-dc
systemctl mask smbd && systemctl mask nmbd && systemctl mask winbind
reboot
host -t SRV _ldap._tcp.mad.caponato.es.
_ldap._tcp.mad.caponato.es has SRV record 0 100 389 dc1.caponato.es.
host -t SRV _kerberos._udp.mad.caponato.es.
_kerberos._udp.mad.caponato.es has SRV record 0 100 88 dc1.caponato.es.
host -t A dc1.mad.caponato.es.
dc1.mad.caponato.es has address 192.168.0.2
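The three queries above are the check every newly provisioned DC should pass: the LDAP and Kerberos SRV records must point at the DC itself on ports 389 and 88, and the DC's A record must return its own address. The script below is an added example and not part of the original howto or of Samba; it turns that manual check into a reusable function. expect_srv works on a captured line of host output so it can be tested offline; check_dc_srv (an assumed helper name) runs the real queries against whatever resolver /etc/resolv.conf points at, which after this step should be the DC.

```shell
#!/bin/sh
# Added example, not part of the original howto: parse 'host -t SRV' answers
# and confirm that the _ldap and _kerberos records point at the expected DC
# on the expected port.

# expect_srv LINE PORT TARGET
# Returns 0 when LINE is a 'host' SRV answer whose port and target match.
# The trailing dot that 'host' prints on the target is ignored.
expect_srv() {
    line=$1; want_port=$2; want_target=$3
    case $line in
        *" has SRV record "*) ;;
        *) return 1 ;;          # not an SRV answer (e.g. an NXDOMAIN message)
    esac
    rest=${line#* has SRV record }
    set -- $rest                # fields: priority weight port target
    [ "$#" -eq 4 ] || return 1
    got_target=${4%.}           # strip the trailing dot of the FQDN
    [ "$3" = "$want_port" ] || return 1
    [ "$got_target" = "$want_target" ] || return 1
    return 0
}

# check_dc_srv DOMAIN DC_FQDN
# Queries the resolver from /etc/resolv.conf (which must now be the DC) and
# checks the LDAP (389) and Kerberos (88) SRV records. With a single DC each
# query returns one answer line; with several DCs only the first is checked.
check_dc_srv() {
    domain=$1; dc=$2
    ldap_line=$(host -t SRV "_ldap._tcp.$domain." | head -n 1)
    krb_line=$(host -t SRV "_kerberos._udp.$domain." | head -n 1)
    expect_srv "$ldap_line" 389 "$dc" || { echo "bad LDAP SRV: $ldap_line" >&2; return 1; }
    expect_srv "$krb_line" 88 "$dc" || { echo "bad Kerberos SRV: $krb_line" >&2; return 1; }
    echo "SRV records for $domain point at $dc"
}
```

Run it on the DC as `check_dc_srv mad.caponato.es dc1.mad.caponato.es`; a non-zero exit means clients will not be able to locate the DC by DNS, which is the most common cause of join failures later on.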
samba-tool dns zonecreate 192.168.0.2 0.168.192.in-addr.arpa -U "MAD\Administrator"
Password for [MAD\Administrator]:
Zone 0.168.192.in-addr.arpa created successfully
samba-tool dns add 192.168.0.2 0.168.192.in-addr.arpa 2 PTR dc1.mad.caponato.es -U "MAD\Administrator"
Password for [MAD\Administrator]:
Record added successfully
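The zone name and record name above follow from the DC's address: for 192.168.0.2 on a /24 network the reverse zone is the first three octets reversed (0.168.192.in-addr.arpa) and the PTR record is named after the last octet (2). The functions below are an added example, not part of the original howto or of samba-tool; they derive both names for a given address and prefix length and print the matching samba-tool commands. They go beyond the /24 case shown above by also handling /8 and /16, and reject any other prefix length because classless reverse delegation needs a different zone layout. The "MAD\Administrator" user is the one from this page.

```shell
#!/bin/sh
# Added example, not part of the original howto: derive the in-addr.arpa
# reverse zone and the PTR record name for a DC address, then print the
# samba-tool commands that create them. Supports prefix lengths 8, 16 and 24.

# split_ip IP -> sets o1 o2 o3 o4 to the four octets, fails on anything else
split_ip() {
    ip=$1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ "$#" -eq 4 ] || { echo "not a dotted-quad address: $ip" >&2; return 1; }
    o1=$1; o2=$2; o3=$3; o4=$4
}

# reverse_zone IP PREFIXLEN -> e.g. 192.168.0.2 24 -> 0.168.192.in-addr.arpa
reverse_zone() {
    split_ip "$1" || return 1
    case $2 in
        8)  printf '%s.in-addr.arpa\n' "$o1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$o2" "$o1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$o3" "$o2" "$o1" ;;
        *)  echo "unsupported prefix length: $2" >&2; return 1 ;;
    esac
}

# ptr_name IP PREFIXLEN -> the record name inside that zone, e.g. 2 for a /24
ptr_name() {
    split_ip "$1" || return 1
    case $2 in
        8)  printf '%s.%s.%s\n' "$o4" "$o3" "$o2" ;;
        16) printf '%s.%s\n' "$o4" "$o3" ;;
        24) printf '%s\n' "$o4" ;;
        *)  echo "unsupported prefix length: $2" >&2; return 1 ;;
    esac
}

# ptr_commands DC_IP DC_FQDN PREFIXLEN -> prints the two samba-tool commands.
# Review the output, then pipe it into sh on the DC to run them.
ptr_commands() {
    zone=$(reverse_zone "$1" "$3") || return 1
    name=$(ptr_name "$1" "$3") || return 1
    printf 'samba-tool dns zonecreate %s %s -U "MAD\\Administrator"\n' "$1" "$zone"
    printf 'samba-tool dns add %s %s %s PTR %s -U "MAD\\Administrator"\n' "$1" "$zone" "$name" "$2"
}
```

`ptr_commands 192.168.0.2 dc1.mad.caponato.es 24` reproduces exactly the two commands shown above; once the zone exists, only the `samba-tool dns add` line is needed for each further host you want a PTR record for.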
kinit administrator
Password for administrator@MAD.CAPONATO.ES:
Warning: Your password will expire in 41 days on Tue 14 Aug 2023 07:06:17 PM CET
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MAD.CAPONATO.ES

Valid starting       Expires              Service principal
09/16/2023 13:19:52  09/16/2023 23:19:52  krbtgt/MAD.MATER.INT@MAD.MATER.INT
        renew until 09/17/2023 13:19:49
smbclient -L localhost -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        IPC$            IPC       IPC Service (Samba 4.18.6-Debian)
SMB1 disabled -- no workgroup available
An AD is easier to manage with RSAT tools for Windows. See installing Windows RSAT tools.
If you need to share files, set up a file server. Do not use a DC as a file server.
From now on, your AD network DNS servers must be the domain controller(s). Ensure you declare these DCs as DNS servers in your DHCP configuration.
If you plan on using Group Policy Objects (GPOs) in your Active Directory (AD), you will need to install the latest Microsoft ADMX templates on your first domain controller. These templates will be replicated to any other domain controllers you have via SysVol replication.
This process should be performed periodically, particularly if configuring a new item from the GPO tree that is not included in older ADMX definitions.
Download the latest here:
Administrative Templates files based on the operating system version
Currently, I am utilising the Administrative Templates (.admx) for Windows 10 2022 Update (22H2). (I recommend using the English version.) Download this file into your DC and rename it to templates.msi.
apt-get update && apt-get install msitools   # If not installed.
msiextract templates.msi
samba-tool gpo admxload -U Administrator --admx-dir=/path/to/extracted/msi/Program\ Files/Microsoft\ Group\ Policy/Windows\ 10\ October\ 2022\ Update\ \(22H2\)/PolicyDefinitions/