
Welcome to my Samba Notebook.

This is my notebook where I aim to create a simplified approach to deploy a Samba AD infrastructure, specifically for Debian. I hope this will be useful for you.

Most Samba information is available on the Official Samba Wiki, and much of it has been used for this wiki; it is just presented here in a different fashion.

Before I begin, I want to thank Rowland Penny (and others) from the Samba Team for his invaluable help and feedback on these pages.

What is a Windows Active Directory, a DC and a Member Server

Windows Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is used to manage and organize a network’s resources, such as users, computers, and other devices, in a centralized and secure manner.

Domain Controller (DC)

A Domain Controller is a server that responds to security authentication requests within a Windows (and Linux when using Samba) Server domain. It is a critical component of the Active Directory (AD) environment. The main functions of a DC include:

  • Authentication and Authorization: DCs authenticate and authorize users and computers in a Windows domain. This involves verifying usernames and passwords, and granting access to resources based on permissions.
  • Centralized Management: DCs provide centralized management of users, groups, and computers. Administrators can create and manage user accounts, enforce security policies, and deploy software updates.
  • Replication: DCs replicate directory information across all DCs in a domain, ensuring consistency and redundancy. This means changes made on one DC are propagated to other DCs.
  • Active Directory Services: DCs run Active Directory services, which include managing domain-related objects (like users, computers, and groups) and providing LDAP (Lightweight Directory Access Protocol) services for querying and modifying directory services.

Member Server

A Member Server is any server within a domain that is not a Domain Controller. These servers do not perform the functions of a DC but are joined to the domain and can leverage the centralized services provided by the DC. The main characteristics of a Member Server include:

  • Role-Specific Functions: Member servers are typically assigned specific roles, such as file servers, application servers, RADIUS servers, or print servers. They provide services and applications to users and other computers in the domain.
  • No Authentication Role: Unlike DCs, member servers do not authenticate or authorize domain users. They rely on the DCs for authentication and then provide access to resources based on the permissions set by the DC.
  • Resource Management: Member servers manage resources like files, applications, and printers. They can have local user accounts and security policies, but domain-wide user management is handled by the DC.
  • Communication with DCs: Member servers communicate with DCs for user authentication and to apply group policies. They are part of the domain but do not hold or replicate directory information.

In summary, Domain Controllers are the backbone of the Active Directory environment, providing essential authentication and directory services, while Member Servers are specialized servers that rely on the DC for user authentication and focus on delivering specific services to the network.

What is Samba and why this notebook.

“Samba is an Open Source / Free Software suite that has, since 1992, provided file and print services to all manner of SMB/CIFS clients, including the numerous versions of Microsoft Windows operating systems. Samba is freely available under the GNU General Public License.”

Since Samba 4.0, the suite can also emulate a Windows Active Directory infrastructure, providing Domain Controller and member server features.

Samba can manage Linux and Windows machines and offers many ways to configure and use it. To help beginners handle the complexity of Samba, I created a straightforward wiki on deploying it for one common use case: serving as an Active Directory infrastructure for Windows clients. This involves domain controllers, file servers, and print servers.

Decisions I have taken in this notebook.

Because I want to keep this simple and straightforward, I make some decisions along the way that may not be fully explained. For details, please see the official Samba Wiki.

  1. I will use - and recommend using - Debian (12, Bookworm at the time of writing).
  2. No X, no X tools.
  3. Using vanilla binaries. No self-compiling Samba.
  4. Using internal Samba DNS backend (yes, it's good enough for most applications).
  5. Use Chrony as the time server; it's simple and it just works. (NTPsec is giving problems with Samba lately.)
  6. For member servers (file and print servers), use the 'rid' idmap backend. (Instructions for the AD idmap backend are also provided.)

Recommendations for your Samba deployment.

  1. Use KVM virtual machines at least for your Domain Controllers.
  2. Use two physical machines away from each other if possible.

First things first: Preparing your Debian server for Samba



samba/start.txt · Last modified: 2024/06/12 15:16 by caponato