Samba can operate as a standalone file and print server for Windows and Linux clients through the\u00a0SMB\/CIFS<\/strong>protocol suite or can act as an\u00a0Active Directory Domain Controller<\/strong>\u00a0or joined into a\u00a0Realm<\/strong>\u00a0as a\u00a0Domain Member<\/strong>. The highest\u00a0AD DC<\/strong>\u00a0domain and forest level that currently\u00a0Samba4<\/strong>\u00a0can emulate is\u00a0Windows 2008 R2<\/strong>.<\/p>\n The series will be titled\u00a0Setting Up Samba4 Active Directory Domain Controller<\/strong>, which covers following topics for\u00a0Ubuntu<\/strong>,\u00a0CentOS<\/strong>, and\u00a0Windows<\/strong>:<\/p>\n This tutorial will start by explaining all the steps you need to take care off in order to install and configure\u00a0Samba4<\/strong>\u00a0as a\u00a0Domain Controller<\/strong>\u00a0on\u00a0Ubuntu 16.04<\/strong>\u00a0and\u00a0Ubuntu 14.04<\/strong>.<\/p>\n This configuration will provide a central management point for users, machines, volume shares, permissions and other resources in a mixed-up Windows \u2013 Linux infrastructure.<\/p>\n 1.<\/strong>\u00a0Before proceeding your\u00a0Samba4 AD DC<\/strong>\u00a0installation first let\u2019s run a few pre-required steps. First make sure the system is up to date with the last security features, kernels and packages by issuing the below command:<\/p>\n 2.<\/strong>\u00a0Next, open machine\u00a0\/etc\/fstab<\/strong>\u00a0file and assure that your partitions file system has\u00a0ACLs<\/strong>\u00a0enabled as illustrated on the below screenshot.<\/p>\n Usually, common modern Linux file systems such as\u00a0ext3<\/strong>,\u00a0ext4<\/strong>,\u00a0xfs<\/strong>\u00a0or\u00a0btrfs<\/strong>\u00a0support and have ACLs enabled by default. If that\u2019s not the case with your file system just open\u00a0\/etc\/fstab<\/strong>\u00a0file for editing and add\u00a0 Enable ACL\u2019s on Linux Filesystem<\/p>\n<\/div>\n 3.<\/strong>\u00a0Finally\u00a0setup your machine hostname<\/a>\u00a0with a descriptive name, such as\u00a0 A\u00a0reboot<\/strong>\u00a0is necessary after you\u2019ve changed your machine name in order to apply changes.<\/p>\n 4.<\/strong>\u00a0In order to transform your server into an\u00a0Active Directory Domain Controller<\/strong>, install\u00a0Samba<\/strong>\u00a0and all the required packages on your machine by issuing the below command with\u00a0root<\/strong>\u00a0privileges in a console.<\/p>\n Install Samba on Ubuntu<\/p>\n<\/div>\n 5.<\/strong>\u00a0While the installation is running a series of questions will be asked by the installer in order to configure the domain controller.<\/p>\n On the first screen you will need to add a name for\u00a0Kerberos<\/strong>\u00a0default\u00a0 Configuring Kerberos Authentication<\/p>\n<\/div>\n 6.<\/strong>\u00a0Next, enter the\u00a0hostname<\/strong>\u00a0of\u00a0Kerberos<\/strong>\u00a0server for your domain. Use the same name as for your domain, with lowercases this time and hit\u00a0Enter<\/strong>\u00a0to continue.<\/p>\n Set Hostname Kerberos Server<\/p>\n<\/div>\n 7.<\/strong>\u00a0Finally, specify the\u00a0hostname<\/strong>\u00a0for the administrative server of your\u00a0Kerberos<\/strong>\u00a0realm. Use the same as your domain and hit\u00a0Enter<\/strong>\u00a0to finish the installation.<\/p>\n Set Hostname Administrative Server<\/p>\n<\/div>\n 8.<\/strong>\u00a0Before starting to configure\u00a0Samba<\/strong>\u00a0for your domain, first run the below commands in order to stop and disable all samba daemons.<\/p>\n 9.<\/strong>\u00a0Next, rename or remove samba original configuration. This step is absolutely required before provisioning\u00a0Samba AD<\/strong>\u00a0because at the provision time\u00a0Samba<\/strong>\u00a0will create a new configuration file from scratch and will throw up some errors in case it finds an old\u00a0 10.<\/strong>\u00a0Now, start the domain provisioning interactively by issuing the below command with root privileges and accept the default options that Samba provides you.<\/p>\n Also, make sure you supply the IP address for a DNS forwarder at your premises (or external) and choose a strong password for Administrator account. If you choose a week password for Administrator account the domain provision will fail.<\/p>\n Samba Domain Provisioning<\/p>\n<\/div>\n 11.<\/strong>\u00a0Finally, rename or remove Kerberos main configuration file from\u00a0\/etc<\/strong>\u00a0directory and replace it using a symlink with Samba newly generated Kerberos file located in\u00a0\/var\/lib\/samba\/private<\/strong>\u00a0path by issuing the below commands:<\/p>\n Create Kerberos Configuration<\/p>\n<\/div>\n 12.<\/strong>\u00a0Start and enable\u00a0Samba Active Directory Domain Controller<\/strong>\u00a0daemons.<\/p>\n Enable Samba Active Directory Domain Controller<\/p>\n<\/div>\n 13.<\/strong>\u00a0Next,\u00a0use netstat command<\/a>\u00a0in order to verify the list of all services required by an\u00a0Active Directory<\/strong>\u00a0to run properly.<\/p>\n Verify Samba Active Directory<\/p>\n<\/div>\n 14.<\/strong>\u00a0At this moment\u00a0Samba<\/strong>\u00a0should be fully operational at your premises. The highest domain level\u00a0Samba<\/strong>\u00a0is emulating should be\u00a0Windows AD DC 2008 R2<\/strong>.<\/p>\n It can be verified with the help of\u00a0samba-tool<\/strong>\u00a0utility.<\/p>\n Verify Samba Domain Level<\/p>\n<\/div>\n 15.<\/strong>\u00a0In order for\u00a0DNS<\/strong>\u00a0resolution to work locally, you need to open end edit network interface settings and point the DNS resolution by modifying\u00a0dns-nameservers<\/strong>\u00a0statement to the IP Address of your\u00a0Domain Controller<\/strong>\u00a0(use\u00a0127.0.0.1<\/strong>\u00a0for local DNS resolution) and\u00a0dns-search<\/strong>\u00a0statement to point to your\u00a0realm<\/strong>.<\/p>\n Configure DNS for Samba AD<\/p>\n<\/div>\n When finished,\u00a0reboot<\/strong>\u00a0your server and take a look at your resolver file to make sure it points back to the right DNS name servers.<\/p>\n 16.<\/strong>\u00a0Finally, test the DNS resolver by issuing queries and pings against some\u00a0AD DC<\/strong>\u00a0crucial records, as in the below excerpt. Replace the domain name accordingly.<\/p>\n Check Samba AD DNS Records<\/p>\n<\/div>\n Run following few queries against Samba Active Directory Domain Controller..<\/p>\n 17.<\/strong>\u00a0Also, verify\u00a0Kerberos<\/strong>\u00a0authentication by requesting a ticket for the domain administrator account and list the cached ticket. Write the domain name portion with uppercase.<\/p>\n Check Kerberos Authentication on Domain<\/p>\n<\/div>\n That\u2019s all! Now you have a fully operational\u00a0AD Domain Controller<\/strong>\u00a0installed in your network and you can start integrate\u00a0Windows<\/strong>\u00a0or\u00a0Linux<\/strong>\u00a0machines into\u00a0Samba AD<\/strong>.<\/p>\n On the next series we\u2019ll cover other\u00a0Samba AD<\/strong>\u00a0topics, such as how to manage you\u2019re the domain controller from Samba command line, how to integrate Windows 10 into the domain name and manage Samba AD remotely using RSAT and other important topics.<\/p>\n This tutorial will cover\u00a0some basic daily commands<\/a>\u00a0you need to use in order to manage\u00a0Samba4 AD Domain Controller<\/strong>\u00a0infrastructure, such as adding, removing, disabling or listing users and groups.<\/p>\n We\u2019ll also take a look on how to manage domain security policy and how to bind AD users to local PAM authentication in order for AD users to be able to perform local logins on Linux Domain Controller.<\/p>\n 1.<\/strong>\u00a0Samba AD DC<\/strong>\u00a0can be managed through\u00a0samba-tool<\/strong>\u00a0command line utility which offers a great interface for administrating your domain.<\/p>\n With the help of samba-tool interface you can directly manage domain users and groups, domain Group Policy, domain sites, DNS services, domain replication and other critical domain functions.<\/p>\n To review the entire functionality of samba-tool just type the command with root privileges without any option or parameter.<\/p>\nRequirements:<\/h4>\n
\n
Step 1: Initial Configuration for Samba4<\/h3>\n
$ sudo apt-get update \r\n$ sudo apt-get upgrade\r\n$ sudo apt-get dist-upgrade\r\n<\/pre>\n
acl<\/code>\u00a0string at the end of third column and\u00a0reboot<\/strong>\u00a0the machine in order to apply changes.<\/p>\n![\"Enable](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Enable-ACL-on-Linux-Filesystem.png\")
<\/a><\/p>\nadc1<\/code>\u00a0used in this example, by editing\u00a0\/etc\/hostname<\/strong>\u00a0file or by issuing.<\/p>\n$ sudo hostnamectl set-hostname adc1\r\n<\/pre>\n
Step 2: Install Required Packages for Samba4 AD DC<\/h3>\n
$ sudo apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind\r\n<\/pre>\n
![\"Install](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Install-Samba-on-Ubuntu.png\")
<\/a><\/p>\nREALM<\/code>\u00a0in uppercase. Enter the name you will be using for your domain in uppercase and hit\u00a0Enter<\/strong>\u00a0to continue..<\/p>\n![\"Configuring](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Configuring-Kerberos-Authentication.png\")
<\/a><\/p>\n![\"Set](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Set-Hostname-Kerberos-Server.png\")
<\/a><\/p>\n![\"Set](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Set-Hostname-Administrative-Server.png\")
<\/a><\/p>\nStep 3: Provision Samba AD DC for Your Domain<\/h3>\n
$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service\r\n$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service\r\n<\/pre>\n
smb.conf<\/code>\u00a0file.<\/p>\n$ sudo mv \/etc\/samba\/smb.conf \/etc\/samba\/smb.conf.initial\r\n<\/pre>\n
$ sudo samba-tool domain provision --use-rfc2307 --interactive\r\n<\/pre>\n
![\"Samba](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Samba-Domain-Provisioning.png\")
<\/a><\/p>\n$ sudo mv \/etc\/krb5.conf \/etc\/krb5.conf.initial\r\n$ sudo ln \u2013s \/var\/lib\/samba\/private\/krb5.conf \/etc\/\r\n<\/pre>\n
![\"Create](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Create-Kerberos-Configuration.png\")
<\/a><\/p>\n$ sudo systemctl start samba-ad-dc.service\r\n$ sudo systemctl status samba-ad-dc.service\r\n$ sudo systemctl enable samba-ad-dc.service\r\n<\/pre>\n
![\"Enable](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Enable-Samba-AD-DC.png\")
<\/a><\/p>\n$ sudo netstat \u2013tulpn| egrep \u2018smbd|samba\u2019\r\n<\/pre>\n
![\"Verify](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Verify-Samba-Active-Directory.png\")
<\/a><\/p>\nStep 4: Final Samba Configurations<\/h3>\n
$ sudo samba-tool domain level show\r\n<\/pre>\n
![\"Verify](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Verify-Samba-Domain-Level.png\")
<\/a><\/p>\n$ sudo cat \/etc\/network\/interfaces\r\n$ sudo cat \/etc\/resolv.conf\r\n<\/pre>\n
![\"Configure](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Configure-DNS-for-Samba-AD.png\")
<\/a><\/p>\n$ ping \u2013c3 tecmint.lan #Domain Name<\/strong>\r\n$ ping \u2013c3 adc1.tecmint.lan #FQDN<\/strong>\r\n$ ping \u2013c3 adc1 #Host<\/strong>\r\n<\/pre>\n
![\"Check](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Check-Samba-AD-DNS-Records.png\")
<\/a><\/p>\n$ host \u2013t A tecmint.lan\r\n$ host \u2013t A adc1.tecmint.lan\r\n$ host \u2013t SRV _kerberos._udp.tecmint.lan # UDP Kerberos SRV record\r\n$ host -t SRV _ldap._tcp.tecmint.lan # TCP LDAP SRV record\r\n<\/pre>\n
$ kinit administrator@TECMINT.LAN\r\n$ klist\r\n<\/pre>\n
![\"Check](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Check-Kerberos-Authentication-on-Domain.png\")
<\/a><\/p>\nHow to Manage Samba4 AD Infrastructure from Linux Command Line \u2013 Part 2<\/h1>\n
Requirements<\/h4>\n
\n
Step 1: Manage Samba AD DC from Command Line<\/h3>\n
# samba-tool -h\r\n<\/pre>\n
![\"samba-tool](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/11\/Samba-Administration-Tool.png\")
<\/a><\/p>\n