Difference between revisions of "Samba/Active Directory domain controller"

From ArchWiki
Jump to: navigation, search
(Link remaining Samba articles)
(Added /etc/profile.d/sambaldb.sh)
Line 190: Line 190:
  chgrp ntp /var/lib/samba/ntp_signd
  chgrp ntp /var/lib/samba/ntp_signd
  systemctl restart ntpd
  systemctl restart ntpd
Finally, if you intend to use the LDB utilities, you'll need to set the '''LDB_MODULES_PATH'''
echo "export LDB_MODULES_PATH=\"\${LDB_MODULES_PATH}:/usr/lib/samba/ldb\"" > /etc/profile.d/sambaldb.sh
chmod 0755 /etc/profile.d/sambaldb.sh
=Testing the Installation=
=Testing the Installation=

Revision as of 03:14, 13 November 2013

Template:Article summary start Template:Article summary text Template:Article summary heading Template:Article summary wiki Template:Article summary wiki Template:Article summary wiki Template:Article summary wiki Template:Article summary wiki Template:Article summary end This article explains how to setup a new Active Directory Domain Controller. It is assumed that all configuration files are in their unmodified, post-installation state. This article was written and tested on a fresh installation, with no modifications other than setting up a staic IPv4 network connection, assigning a hostname, and adding openssh (which should have no effect on the Samba configuration). Finally, most of the commands below will require elevated privileges. Despite conventional wisdom, it may be easier to run these short few commands from a root session as opposed to obtaining rights on an as needed basis.


A fully functional samba 4 DC requires several programs beyond those included with the Samba distribution. Install all needed packages with the following command:

pacman -S dnsutils krb5 ntp openldap samba

Additionally, Samba contains its own fully functional DNS server, but many admins prefer to use the ISC BIND package. If you need to maintain DNS zones for external domains, you are strongly encouraged to use BIND. If you'd like to use BIND, issue the following command:

pacman -S bind


The first step to creating an Active Directory domain is provisioning. If this is the first domain controller in a new domain (as this guide assumes), this involves setting up the internal LDAP, Kerberos, and DNS servers and performing all of the basic configuration needed for the directory. If you've set up a directory server before, you are undoubtedly aware of the potential for errors in making these individual components work together as a single unit. The difficulty in doing so is the very reason that the Samba developers chose not to use the MIT or Heimdal Kerberos server or OpenLDAP server, instead opting for internal versions of these programs. The sever packages above were installed only for the client utilities. Provisioning is quite a bit easier with Samba 4. Just issue the following command:

samba-tool domain provision --use-rfc2307 --interactive --use-xattrs=yes

Argument Explanations

this argument adds POSIX attributes (UID/GID) to the AD Schema. This will be necessary if you intend to authenticate Linux, BSD, or OS X clients (including the local machine) in addition to Microsoft Windows.
this argument enables the use of unix extended attributes (ACLs) for files hosted on this server. If you intend not have file shares on the domain controller, you can omit this switch (but this is not recommended). You should also ensure that any filesystems that will host Samba shares are mounted with support for ACLs.
this parameter forces the provision script to run interactively. Alternately, you can review the help for the provision step by running samba-tool domain provision --help.

Interactive Provision Explanations

INTERNAL.DOMAIN.COM - This should be the same as the DNS domain in all caps. It is common to use an internal-only sub-domain to separate your internal domain from your external DNS domains, but it is not required.
INTERNAL - This will be the NetBIOS domain name, usually the leftmost DNS sub-domain but can be anything you like. For example, the name INTERNAL would not be very descriptive. Perhaps company name or initials would be appropriate. This should be entered in all caps, and should have a 15 character maximum length for compatibility with older clients.
Server Role
dc - This article assumes that your are installing the first DC in a new domain. If you select anything different, the rest of this article will likely be useless to you.
DNS Backend
BIND9_DLZ or SAMBA_INTERNAL - This is down to personal preference of the server admin. Again, if you are hosting DNS for external domains, you are strongly encouraged to use the BIND9_DLZ backend so that flat zone files can continue to be used and existing transfer rules can co-exist with the internal DNS server. If unsure, use the BIND9_DLZ backend.
Administrator password
xxxxxxxx - You must select a strong password for the administrator account. The minimum requirements are one upper case letter, one number, and at least eight characters. If you attempt to use a password that does not meet the complexity requirements, provisioning will fail.

Configuring Daemons


Use the following commands to create a suitable NTP configuration for your network time server. See Ntpd for explanations of, and additional configuration options:

mv /etc/ntp.conf{,.default}
cat > /etc/ntp.conf << "EOF"
# Begin /etc/ntp.conf

# Associate to the public NTP pool servers
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

# Location of drift file
driftfile /var/lib/ntp/ntp.drift

# Location of the log file
logfile /var/log/ntp

# Location of the update directory
ntpsigndsocket /var/lib/samba/ntp_signd/

# Restrictions
restrict default kod nomodify notrap nopeer mssntp
restrict 0.pool.ntp.org mask nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask nomodify notrap nopeer noquery
restrict 2.pool.ntp.org mask nomodify notrap nopeer noquery

# End /etc/ntp.conf
install -d /var/lib/samba/ntp_signd
chown root:ntp /var/lib/samba/ntp_signd
chmod 0750 /var/lib/samba/ntp_signd
systemctl enable ntpd.service
systemctl start ntpd


If you elected to use the BIND9_DLZ DNS backend, execute the following commands to create a suitable BIND configuration. See Bind for explanations of, and additional configuration options. Be sure to replace the x characters with suitable values:

mv /etc/named.conf{,.default
cat > /etc/named.conf << "EOF"
//Begin /etc/named.conf

// Global options
options {
    auth-nxdomain yes;
    datasize default;
    directory "/var/named";
    empty-zones-enable no;
    pid-file "/run/named/named.pid";
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    forwarders { xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx; };
//  Uncomment the next line to enable IPv6
//    listen-on-v6 { any; };
    notify no;
//  Add any subnets or hosts you want to allow to use this DNS server (use "; " delimiter)
    allow-query     { xxx.xxx.xxx.xxx/xx; };
//  Add any subnets or hosts you want to allow to use recursive queries
    allow-recursion { xxx.xxx.xxx.xxx/xx; };
//  Add any subnets or hosts you want to allow dynamic updates from
    allow-update    { xxx.xxx.xxx.xxx/xx; };
    version none;
    hostname none;
    server-id none;

//Root servers (required zone for recursive queries)
zone "." IN {
    type hint;
    file "root.hint";

//Required localhost forward-/reverse zones
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-transfer { any; };
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "0.0.127.zone";
    allow-transfer { any; };

//Required zone for AD
dlz "AD DNS Zone" {
    database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";

//Log settings
logging {
   channel xfer-log {
       file "/var/log/named.log";
       print-category yes;
       print-severity yes;
       print-time yes;
       severity info;
    category xfer-in { xfer-log; };
    category xfer-out { xfer-log; };
    category notify { xfer-log; };

//End /etc/named.conf
chgrp named /var/lib/samba/private/dns.keytab
chmod g+r /var/lib/samba/private/dns.keytab
systemctl enable named.service
systemctl start named

Good values for forwarders are your ISP's DNS servers. Google ( and and OpenDNS ( and provide suitable public DNS servers free of charge.

Appropriate values for subnets are specific to your network.

Kerberos Client Utilities

The provisioning step above created a perfectly valid krb5.conf file for use with a Samba 4 DC. Install it with the following commands:

mv /etc/krb5.conf{,.default}
cp /var/lib/samba/private/krb5.conf /etc


Finally, enable and start Samba. The NTP update directory created earlier must be removed or samba will fail to run. Execute the following commands to start the Samba services:

rm -rf /var/lib/samba/ntp_signd
systemctl enable samba.service
systemctl start samba

You'll also need to fix permissions on the newly created NTP update directory and restart NTPD:

chgrp ntp /var/lib/samba/ntp_signd
systemctl restart ntpd

Finally, if you intend to use the LDB utilities, you'll need to set the LDB_MODULES_PATH

echo "export LDB_MODULES_PATH=\"\${LDB_MODULES_PATH}:/usr/lib/samba/ldb\"" > /etc/profile.d/sambaldb.sh
chmod 0755 /etc/profile.d/sambaldb.sh

Testing the Installation


First, verify that DNS is working as expected. Execute the following commands substituting appropriate values for internal.domain.com and server:

host -t SRV _ldap._tcp.internal.domain.com.
host -t SRV _kerberos._udp.internal.domain.com.
host -t A server.internal.domain.com.

You should receive output similar to the following:

_ldap._tcp.internal.domain.com has SRV record 0 100 389 server.internal.domain.com.
_kerberos._udp.internal.domain.com has SRV record 0 100 88 server.internal.domain.com.
server.internal.domain.com has address xxx.xxx.xxx.xxx

NT Authentication

Next, verify that password authentication is working as expected:

smbclient //localhost/netlogon -U Administrator -c 'ls'

You will be prompted for a password (the one you selected earlier), and will get a directory listing like the following:

Domain=[INTERNAL] OS=[Unix] Server=[Samba 4.0.9]
  .                                   D        0  Wed Sep 25 19:43:30 2013
  ..                                  D        0  Wed Sep 25 19:43:35 2013
                40189 blocks of size 1048576. 36989 blocks available


Now verify that the KDC is working as expected. Be sure to replace INTERNAL.DOMAIN.COM and use upper case letters:

kinit administrator@INTERNAL.DOMAIN.COM

You should be prompted for a password and get output similar to the following:

Warning: Your password will expire in 41 days on Tue Nov  5 17:37:07 2013 

Verify that you actually got a ticket:


You should get output similar to below:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@INTERNAL.DOMAIN.COM
Valid starting     Expires            Service principal
09/24/13 19:10:01  09/25/13 05:10:01  krbtgt/INTERNAL.DOMAIN.COM@INTERNAL.DOMAIN.COM
        renew until 09/25/13 19:09:57
09/24/13 19:10:03  09/25/13 05:10:01  cifs/server@INTERNAL.DOMAIN.COM

As a final test, use smbclient with your recently acquired ticket. Replace server with the correct server name:

smbclient //server/netlogon -k -c 'ls'

The output should be the same as when testing password authentication above.

What to do Next

If you've made it this far without any unexpected output from the tests above, you are good to go. Congrats!

Related topics (need additional authors):

Place holder: "Samba4 DC management tools (covering RSAT and samba-tool)"

Place holder: "Samba4 *nix client configurations (including this DC)" - Most of the LinuxPAM info in this article can be reused or modified for this purpose.

Place holder: "Dynamic DNS updates with ISC DHCPD"

Place holder: "Adding mail handler schema extensions"

Place holder: "OpenChange Server setup"