My SAMBA4 Active Directory DC

One of the other forums I frequent is getting rather political, so I am relocating. Here is a build that I did a while back, though I need to move it to Debian 11 at some point.

My original Debian AD DC is based on Debian 6 and has been upgraded a couple of times, but it is starting to show weird errors, so it is time to just build a new one. The problem is that none of the Ubuntu guides work out of the box on Debian, so these are my alterations to build a Debian 9.4 AD DC.

Samba 4 Active Directory domain controller guide (REAL ACTIVE DIRECTORY, NOT LDAP)

Built on a Debian 9.4 install, BASE SYSTEM ONLY.

First boot: apt-get install acl attr ntp ntpdate openssh-server dnsutils

nano /etc/fstab
add the user_xattr,acl,barrier=1,noatime options on the disks Samba uses
mount -a (no errors, then reboot)

apt -y install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
NOTE: borking this step causes an unfixable failure and needs a reinstall
Screen 1 needs the realm in CAPS: DOMAIN.NAME
Screen 2 needs the FQDN in lower case: servername.domain.name
Screen 3 needs the FQDN in lower case: servername.domain.name

systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

mv /etc/samba/smb.conf /etc/samba/smb.old

samba-tool domain provision --use-rfc2307 --interactive
accept the defaults

mv /etc/krb5.conf /etc/krb5.old
mv /var/lib/samba/private/krb5.conf /etc/krb5.conf

FIXING ALL THE CONFIGS
nano /etc/hosts: add 127.0.0.1 domain.name servername and ipaddy FQDN servername; do not remove anything
nano /etc/network/interfaces: add the lines dns-nameservers your-ip and dns-search domain.name
nano /etc/hostname: may or may not need fixing
nano /etc/resolv.conf: will need fixing; lots of options for this
nano /etc/samba/smb.conf: in [global] add server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs (it will NOT work correctly without this and you will be confused by the errors; you have been warned)

systemctl unmask samba-ad-dc.service
systemctl start samba-ad-dc.service
systemctl enable samba-ad-dc.service
systemctl status samba-ad-dc.service

samba-tool domain level show (should = Windows 2008 R2)

REBOOT

TESTING

ping the FQDN, domain.name and the server name

host -t A tecmint.lan
host -t A adc1.tecmint.lan
host -t SRV _kerberos._udp.tecmint.lan # UDP Kerberos SRV record
host -t SRV _ldap._tcp.tecmint.lan # TCP LDAP SRV record

kinit administrator
kinit administrator@TECMINT.LAN
klist

Finally, test joining some Windows machines to the domain.

This system can be managed by a Windows machine running RSAT. DNS, GP and Active Directory all function normally in RSAT. DHCP MUST be handled by a different system.

In DNS, make sure to create your reverse lookup zones.

Boot issue: samba-ad-dc needs a delay added until after the network is up.

nano /lib/systemd/system/samba-ad-dc.service and add
After=network-online.target
Wants=network-online.target

systemctl daemon-reload
systemctl restart samba-ad-dc

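The whole procedure above (the config fixes, provisioning, the server services line, the systemd ordering, the TESTING checks and the reverse zone from the RSAT note) as an added shell script; this is not the original poster's code. It assumes a constructed host adc1.example.lan at 192.0.2.10 on a /24, Debian 9 paths, and that it is run as root; samba-tool prompts for the Administrator password instead of taking it on the command line, so it never lands in the process list or shell history. One deliberate difference from the post: the After=/Wants=network-online.target lines go into a systemd drop-in under /etc/systemd/system (they belong in the [Unit] section) rather than into the package's unit file under /lib, which the next samba upgrade would overwrite.

```shell
#!/bin/sh
# Added example, not the original post's script: the post's manual steps as
# shell functions plus the checks from its TESTING section. Assumed,
# constructed values below (host adc1, domain example.lan, 192.0.2.10/24).
set -eu

FQDN=adc1.example.lan   # lower case, as krb5-config prompts 2 and 3 want it
IP=192.0.2.10

# Kerberos realm = the DNS domain in UPPER CASE (krb5-config prompt 1).
realm_from_fqdn() { printf '%s' "${1#*.}" | tr 'a-z' 'A-Z'; }
# NetBIOS domain samba-tool defaults to: first DNS label, upper case, <=15 chars.
netbios_from_fqdn() { printf '%s' "${1%%.*}" | tr 'a-z' 'A-Z' | cut -c1-15; }
# Reverse zone name for a /24, e.g. 192.0.2.10 -> 2.0.192.in-addr.arpa
ptr_zone_for() { printf '%s' "$1" | awk -F. '{print $3"."$2"."$1".in-addr.arpa"}'; }

# /etc/hosts lines to append: loopback alias plus the real address ($1=ip $2=fqdn).
hosts_lines() { printf '127.0.0.1 %s %s\n%s %s %s\n' "${2#*.}" "${2%%.*}" "$1" "$2" "${2%%.*}"; }
# The DC must resolve through itself, so resolv.conf points at its own IP ($1=fqdn $2=ip).
resolv_conf() { printf 'search %s\nnameserver %s\n' "${1#*.}" "$2"; }
# Drop-in for samba-ad-dc.service; After=/Wants= belong in the [Unit] section.
systemd_override() { printf '[Unit]\nAfter=network-online.target\nWants=network-online.target\n'; }

SERVER_SERVICES='server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs'
# Insert the server services line right after [global] unless one is already set.
add_server_services() {
  grep -q '^[[:space:]]*server services[[:space:]]*=' "$1" && return 0
  awk -v line="$SERVER_SERVICES" '{ print } /^\[global\]/ { print "\t" line }' "$1" > "$1.tmp"
  mv "$1.tmp" "$1"
}

# Post-provision checks from the TESTING section; lists what is missing ($1=fqdn).
check_dc() {
  dom=${1#*.} rc=0
  for q in "A $dom" "A $1" "SRV _kerberos._udp.$dom" "SRV _kerberos._tcp.$dom" \
           "SRV _ldap._tcp.$dom" "SRV _ldap._tcp.dc._msdcs.$dom"; do
    type=${q%% *}; name=${q#* }
    want="has $type record"; [ "$type" = A ] && want="has address"
    if host -t "$type" "$name" 2>/dev/null | grep -q "$want"; then
      echo "ok      $type $name"
    else
      echo "MISSING $type $name"; rc=1
    fi
  done
  samba-tool domain level show   # expect 2008_R2 function levels
  return $rc
}

# Reverse lookup zone plus the DC's own PTR record ($1=fqdn $2=ip);
# samba-tool prompts for the administrator password.
create_reverse_zone() {
  zone=$(ptr_zone_for "$2")
  samba-tool dns zonecreate "$1" "$zone" -U administrator
  samba-tool dns add "$1" "$zone" "${2##*.}" PTR "$1" -U administrator
}

# The post's provisioning steps in order; run once, as root, on the new host.
apply() {
  realm=$(realm_from_fqdn "$FQDN")
  printf '%s\n' "${FQDN%%.*}" > /etc/hostname
  hosts_lines "$IP" "$FQDN" >> /etc/hosts
  resolv_conf "$FQDN" "$IP" > /etc/resolv.conf
  systemctl stop samba-ad-dc smbd nmbd winbind
  systemctl disable samba-ad-dc smbd nmbd winbind
  [ ! -f /etc/samba/smb.conf ] || mv /etc/samba/smb.conf /etc/samba/smb.old
  # Same choices as the post's interactive run (defaults, rfc2307, internal DNS);
  # no --adminpass, so samba-tool prompts for the Administrator password.
  samba-tool domain provision --use-rfc2307 --realm="$realm" \
    --domain="$(netbios_from_fqdn "$FQDN")" --server-role=dc --dns-backend=SAMBA_INTERNAL
  [ ! -f /etc/krb5.conf ] || mv /etc/krb5.conf /etc/krb5.old
  cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
  add_server_services /etc/samba/smb.conf
  mkdir -p /etc/systemd/system/samba-ad-dc.service.d
  systemd_override > /etc/systemd/system/samba-ad-dc.service.d/override.conf
  systemctl daemon-reload
  systemctl unmask samba-ad-dc
  systemctl enable samba-ad-dc
  systemctl start samba-ad-dc
}

case "${1:-}" in
  apply)   apply ;;
  check)   check_dc "$FQDN" ;;
  reverse) create_reverse_zone "$FQDN" "$IP" ;;
esac
```

Run it as `sh samba-dc.sh apply` on the fresh Debian install, reboot, then `sh samba-dc.sh check` from the DC itself and again from a client pointed at it; a MISSING line means the client will not find the KDC or LDAP service that record advertises. `sh samba-dc.sh reverse` creates the in-addr.arpa zone and the DC's own PTR record; further PTR records can be added the same way or through RSAT.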

Nice post.

I also run this on a first-gen Raspberry Pi for the one MS Windows machine in our house. The Pi has died and I have debated picking up another 4 to handle this as well as run a few other "domain-like" services.

By chance, would you be able to tell me what you are running this on?

I have it in a Proxmox VM. The specs on the VM are very low; it should run on about anything you have lying around. I have my VM set with 2 GB RAM and a 60 GB drive and I am not using 10% of either.

The only note about using a Proxmox VM as a domain controller: you MUST pass a real NIC through to the VM. The DC services will not respond on a virtual NIC without a lot of extra work.


Thanks for the heads up.

I work for a <400-employee company whose Samba DCs I manage, and I appreciate that people are still using it, as it is just easier and more reliable than Windows machines.

If you can, though, try and add bind9 to this so you can have round-robin and reverse DNS. I might be able to throw a version of my configs in here.


The built-in DNS of Samba 4 supports reverse DNS.

For a SMALL AD environment, I would advise against BIND9. The built-in Samba 4 DNS can be managed by the Windows RSAT plugin. BIND9 cannot, and is several times more complex than is needed in most environments.


Nice. I didn't realize Debian was packaging the AD DC functionality in Samba. I used to compile it.

Somewhat old now, but if you ever want to do it in Fedora…

My understanding of dns is better now than it was when I wrote that. I believe I left out the reverse zone in the bind config.

This bit in particular I found when trying to establish one-way trust with a FreeIPA DC. I’m not sure it’s important for any other functionality but it took a while to nail down.


As you discovered, in BIND9 you need to completely build out the initial DNS records from scratch.

I still only recommend BIND9 if you have a REAL reason to use it. The most likely reason would be multiple PRIMARY DNS sites. Short of that, the built-in Samba 4 DNS is more than capable of thousands of clients, with reverse DNS.

It's been a while, but the records for the zone are generated by Samba; you just point BIND to the db file Samba generates. I think you're right about the PTR zone though, which would be a huge headache to maintain.

If I were to do this now, I would use the built-in resolver and use it as stub zones in unbound.