Provision your Active Directory on a new DC

These instructions provide a basic guide for provisioning your Active Directory using Samba. For more detailed explanations, please consult the official Samba wiki pages.

This guide will provision Samba as an AD DC with the internal DNS backend. The RFC 2307 extensions are part of the standard schema, so there is no need for '--use-rfc2307' while provisioning, despite what you may find elsewhere.

The Domain Controller is named dc1.mad.caponato.es and has an IP address of 192.168.0.2.

Its hostname and hosts file have already been configured (see Preparing your server).

If you require guidance on installing additional DCs, please refer to the additional DC section. It is important to note that this how-to should never be used for installing an additional DC.

Make sure Samba is stopped.

systemctl stop samba-ad-dc.service

Remove all old databases and config files.

rm /run/samba/*.tdb \
/run/samba/*.ldb \
/var/lib/samba/*.tdb \
/var/lib/samba/*.ldb \
/var/cache/samba/*.tdb \
/var/cache/samba/*.ldb \
/var/lib/samba/private/*.tdb \
/var/lib/samba/private/*.ldb

mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
mv /etc/krb5.conf /etc/krb5.conf.bak

Configure the Time Service.

See Installing and configuring Chrony to work with a Samba DC.

Provision your Samba AD (in this case DNS forwarders are 1.1.1.1 and 8.8.8.8).

samba-tool domain provision --server-role=dc --dns-backend=SAMBA_INTERNAL --realm=MAD.CAPONATO.ES --domain=MAD --adminpass=Passw0rd --option="dns forwarder=8.8.8.8 1.1.1.1"

Once your AD has been provisioned, copy your newly generated Kerberos config file to /etc/.

cp /var/lib/samba/private/krb5.conf /etc/

Please note, some people recommend having only the following lines in the Kerberos config:

[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = true
  default_realm = MAD.CAPONATO.ES

Reconfigure your /etc/resolv.conf file.

List your own address first, then a second server of your choice as a fallback in case Samba fails. In this case, Google's 8.8.8.8.

nameserver 192.168.0.2
nameserver 8.8.8.8
search mad.caponato.es

Unmask and enable the Samba AD DC service, disable the other Samba services, and reboot.

Samba, acting as an AD DC, will start whatever services it needs on its own, so let's mask the other startup scripts.

systemctl unmask samba-ad-dc && systemctl enable samba-ad-dc
systemctl mask smbd && systemctl mask nmbd && systemctl mask winbind
reboot

Verify DNS is working correctly.

host -t SRV _ldap._tcp.mad.caponato.es.
_ldap._tcp.mad.caponato.es has SRV record 0 100 389 dc1.caponato.es.

host -t SRV _kerberos._udp.mad.caponato.es.
_kerberos._udp.mad.caponato.es has SRV record 0 100 88 dc1.caponato.es.

host -t A dc1.mad.caponato.es.
dc1.mad.caponato.es has address 192.168.0.2

Create DNS reverse zone for your network, and your DC1's PTR record:

samba-tool dns zonecreate 192.168.0.2 0.168.192.in-addr.arpa -U "MAD\Administrator"
Password for [MAD\Administrator]:
Zone 0.168.192.in-addr.arpa created successfully

samba-tool dns add 192.168.0.2 0.168.192.in-addr.arpa 2 PTR dc1.mad.caponato.es -U "MAD\Administrator"
Password for [MAD\Administrator]:
Record added successfully

Test Kerberos.

kinit administrator
Password for administrator@MAD.CAPONATO.ES:
Warning: Your password will expire in 41 days on Tue 14 Aug 2023 07:06:17 PM CET

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MAD.CAPONATO.ES
Valid starting       Expires              Service principal
09/16/2023 13:19:52  09/16/2023 23:19:52  krbtgt/MAD.MATER.INT@MAD.MATER.INT
renew until 09/17/2023 13:19:49

Test Samba.

smbclient -L localhost -N
Anonymous login successful

Sharename       Type      Comment
---------       ----      -------
sysvol          Disk      
netlogon        Disk      
IPC$            IPC       IPC Service (Samba 4.18.6-Debian)
SMB1 disabled -- no workgroup available
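The DNS and Kerberos checks above can be scripted so they are re-run after every change to the DC. The script below is an added example, not part of the original page; it assumes a /24 network, POSIX sh with awk, and the host and klist tools already used in this guide. The two helpers reverse_zone and ptr_label compute the reverse zone name and PTR record name that were typed by hand in the samba-tool dns commands.

```shell
#!/bin/sh
# Post-provision sanity checks for the DC described in this guide.
# Added example, not from the original page. Assumes a /24 network.

DC_FQDN=dc1.mad.caponato.es
DC_IP=192.168.0.2
DOMAIN=mad.caponato.es

# reverse_zone 192.168.0.2 -> 0.168.192.in-addr.arpa (zone for 'samba-tool dns zonecreate', /24 assumed)
reverse_zone() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# ptr_label 192.168.0.2 -> 2 (record name inside that zone for 'samba-tool dns add ... PTR')
ptr_label() {
    echo "$1" | awk -F. '{ print $4 }'
}

# srv_ok LINE PORT TARGET: returns 0 if a 'host -t SRV' answer line advertises PORT and TARGET.
# Answer format: "<name> has SRV record <prio> <weight> <port> <target>."
srv_ok() {
    want_port=$2; want_target=$3
    set -- $1
    [ "$#" -eq 8 ] && [ "$7" = "$want_port" ] && [ "${8%.}" = "$want_target" ]
}

# a_ok LINE IP: returns 0 if a 'host -t A' answer line ("<name> has address <ip>") maps to IP.
a_ok() {
    want_ip=$2
    set -- $1
    [ "$#" -eq 4 ] && [ "$4" = "$want_ip" ]
}

# Run the checks against the live DC; prints one line per check, non-zero exit on any failure.
check_live_dc() {
    rc=0
    srv_ok "$(host -t SRV "_ldap._tcp.$DOMAIN." | tail -n 1)" 389 "$DC_FQDN" \
        && echo "ok: ldap SRV" || { echo "FAIL: ldap SRV"; rc=1; }
    srv_ok "$(host -t SRV "_kerberos._udp.$DOMAIN." | tail -n 1)" 88 "$DC_FQDN" \
        && echo "ok: kerberos SRV" || { echo "FAIL: kerberos SRV"; rc=1; }
    a_ok "$(host -t A "$DC_FQDN." | tail -n 1)" "$DC_IP" \
        && echo "ok: A record" || { echo "FAIL: A record"; rc=1; }
    host -t PTR "$DC_IP" | grep -q "$DC_FQDN" \
        && echo "ok: PTR record" || { echo "FAIL: PTR record"; rc=1; }
    klist -s && echo "ok: valid Kerberos ticket" || { echo "FAIL: no valid ticket (run kinit)"; rc=1; }
    return $rc
}

# Live checks only run when the script is given an argument, e.g. "sh dc-check.sh live".
if [ "$#" -gt 0 ]; then check_live_dc; fi
```

Run it on the DC after kinit; a failing SRV check usually means the record target or port differs from the DC's FQDN, which breaks domain joins before anything else does.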

Congratulations: You have a working AD DC installation!

An AD is easier to manage with RSAT tools for Windows. See installing Windows RSAT tools.

If you need to share files, set up a file server. Do not use a DC as a file server.

Remember to update your DNS servers in DHCP.

From now on, your AD network DNS servers must be the domain controller(s). Ensure you declare these DCs as DNS servers in your DHCP configuration.

Installing Microsoft's ADMX templates for your GPOs.

If you plan on using Group Policy Objects (GPOs) in your Active Directory (AD), you will need to install the latest Microsoft ADMX templates on your first domain controller. These templates will be replicated to any other domain controllers you have via SysVol replication.

This process should be performed periodically, particularly if configuring a new item from the GPO tree that is not included in older ADMX definitions.

Download the latest here:

Administrative Templates files based on the operating system version

Currently, I am utilising the Administrative Templates (.admx) for Windows 10 2022 Update (22H2). (I recommend using the English version.) Download this file into your DC and rename it to templates.msi.

apt-get update && apt-get install msitools # If not installed.
msiextract templates.msi
samba-tool gpo admxload -U Administrator --admx-dir=/path/to/extracted/msi/Program\ Files/Microsoft\ Group\ Policy/Windows\ 10\ October\ 2022\ Update\ \(22H2\)/PolicyDefinitions/

Consider Hardening the Samba server

See this article for some ideas.


samba/provision-dc.txt · Last modified: 2024/06/14 14:19 by caponato