How to deploy Samba on Linux as an Active Directory Domain Controller

Jack Wallen shows you how to deploy an Active Directory Domain Controller on Ubuntu Server 20.04, with the help of Samba.


Active Directory (AD) is Microsoft's way of making it possible to create and apply policies to machines associated with a network. It's a tool widely used by businesses and network administrators everywhere. 

Microsoft's solution is not the only means to make this happen; the open source Samba makes it possible to deploy an Active Directory Domain Controller. With this controller, you can then create users, and even set policies.

I will be writing a series of tutorials on this subject. In this first piece, we'll be deploying the Samba AD on an instance of Ubuntu Server 20.04.


What you'll need

  • A running instance of Ubuntu 20.04 
  • A user with sudo privileges

How to set the hostname

The first thing we need to do is set the hostname of our machine. We're going to call this server "dc1." To set the hostname, log in to your Ubuntu Server and issue the command:

sudo hostnamectl set-hostname dc1

Next, you'll need to add a line to the /etc/hosts file, to map the hostname to its IP address. Open the file for editing with the command:

sudo nano /etc/hosts

At the bottom of that file, add this line (editing the information to fit your IP address scheme and the REALM for your server):

192.168.1.100 dc1 dc1.example.com

Log out and log back in, so the hostname changes take effect.
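Before provisioning, it is worth checking the hosts entry mechanically rather than by eye, because samba-tool takes its defaults from it. The script below is an added example and is not part of the original article: hosts_entry_ok confirms that a hosts file maps the DC address to both the short name and the FQDN, and flags the Ubuntu default "127.0.1.1 <hostname>" line (if left in place, the DC resolves to loopback and registers that address in its own DNS); provision_defaults prints the REALM and domain that samba-tool derives from the FQDN (the upper-cased DNS domain, and its first label). The function names, the file path, address and names passed as arguments, and the sample hosts file built at the bottom are all mine, not the article's.

```shell
#!/bin/sh
# Added example, not from the original article.
# Pre-provision sanity checks for the hosts entry a Samba DC needs.

# hosts_entry_ok FILE IP SHORT FQDN
# Exit codes: 0 = a line maps IP to both SHORT and FQDN and nothing is wrong;
#             1 = no such line; 2 = SHORT or FQDN is also mapped to a loopback
#             address (Ubuntu's default "127.0.1.1 dc1" line); 3 = IP itself
#             is a loopback address.
hosts_entry_ok() {
    file=$1; ip=$2; short=$3; fqdn=$4
    awk -v ip="$ip" -v s="$short" -v f="$fqdn" '
        { sub(/#.*/, "") }                 # drop comments
        NF == 0 { next }                   # skip blank lines
        {
            has_s = 0; has_f = 0
            for (i = 2; i <= NF; i++) {
                if ($i == s) has_s = 1
                if ($i == f) has_f = 1
            }
            if ($1 == ip && has_s && has_f) found = 1
            if ($1 ~ /^127\./ && (has_s || has_f)) loop = 1
        }
        END {
            if (ip ~ /^127\./) exit 3
            if (loop) exit 2
            exit found ? 0 : 1
        }' "$file"
}

# provision_defaults FQDN
# Prints "REALM DOMAIN": the defaults samba-tool derives from the host's FQDN
# (upper-cased DNS domain, and the first label of that realm).
provision_defaults() {
    dns_domain=${1#*.}
    realm=$(printf '%s' "$dns_domain" | tr '[:lower:]' '[:upper:]')
    printf '%s %s\n' "$realm" "${realm%%.*}"
}

# Demonstration on a constructed hosts file (not the real /etc/hosts):
# it still carries the Ubuntu default loopback line, so the check reports code 2.
demo_hosts=$(mktemp)
printf '127.0.0.1 localhost\n127.0.1.1 dc1\n192.168.1.100 dc1 dc1.example.com\n' > "$demo_hosts"
rc=0; hosts_entry_ok "$demo_hosts" 192.168.1.100 dc1 dc1.example.com || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "hosts entry OK"
else
    echo "hosts entry problem, code $rc"
fi
rm -f "$demo_hosts"
provision_defaults dc1.example.com   # prints: EXAMPLE.COM EXAMPLE
```

On the real server, run `hosts_entry_ok /etc/hosts 192.168.1.100 dc1 dc1.example.com` with your own values; a code of 2 means the default loopback line for the hostname should be removed before you provision.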

How to install the necessary packages

Now we'll install all of the necessary software. From the terminal window, issue the command:

sudo apt install samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 -y

During the installation, you'll be prompted to type the default Kerberos version 5 realm. Ignore this (and the ensuing errors), as we'll configure that later. Once the software installs, you're ready to configure your domain controller (DC).

How to configure Samba as the AD controller

First, we're going to move the original configuration files for both Samba and Kerberos. To do that, issue the following commands:

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
sudo mv /etc/krb5.conf /etc/krb5.conf.bak

Samba comes with a handy setup command, which we'll use to configure the AD controller. Issue the command:

sudo samba-tool domain provision --use-rfc2307 --interactive

The command should pick up the default REALM and Domain from your /etc/hosts file, so accept the defaults. Accept the defaults for the next two questions (Server Role, DNS Backend) as well. When you reach DNS forwarder IP address, use a DNS service you trust, such as Cloudflare or Google. Finally, you'll be asked to create a password for the Administrator user. Make sure this password is strong and unique.

Allow Samba to complete the configuration. 

The next step is to copy the Kerberos configuration file with the command:

sudo cp /var/lib/samba/private/krb5.conf /etc

How to enable Samba AD at boot

Finally, we must make sure everything starts should your server have to be restarted. To do this, we need to mask, stop and disable the smbd, nmbd, and winbind services, then unmask, start and enable the samba-ad-dc service. This is done with the following commands:

sudo systemctl mask smbd nmbd winbind
sudo systemctl disable smbd nmbd winbind
sudo systemctl stop smbd nmbd winbind
sudo systemctl unmask samba-ad-dc
sudo systemctl start samba-ad-dc
sudo systemctl enable samba-ad-dc

Once that completes, reboot the server again and prepare for testing.

How to test the DC configuration

At this point, your Samba Domain Controller is up and running, but there's a problem. As it stands, your server is still resolving names through systemd-resolved rather than Samba's DNS. To get around that, we'll stop and disable systemd-resolved with the commands:

sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved

Next, we must unlink the /etc/resolv.conf file with the command:

sudo unlink /etc/resolv.conf

Finally, open the resolv.conf file with the command:

sudo nano /etc/resolv.conf

In that file, add the following:

nameserver SERVER
search DOMAIN

Where SERVER is the IP address of your Samba AD host and DOMAIN is the domain associated with the server.

Reboot your server.

Once the server has rebooted, test the AD connection with the commands:

sudo samba
host -t SRV _ldap._tcp.monkeypantz.lan

You should see something like:

_ldap._tcp.monkeypantz.lan has SRV record 0 100 389 dc1.monkeypantz.lan.
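Reading that output by eye works for one record, but a DC also has to publish a Kerberos SRV record, and a check you can rerun after every reboot is more useful. The script below is an added example and not part of the original article: srv_points_to_dc parses the output of `host -t SRV` (the "NAME has SRV record PRIORITY WEIGHT PORT TARGET." shape shown above) and succeeds only if some record targets the given DC on the given port; check_dc_records goes one step beyond the article and queries both the LDAP record (port 389) and the `_kerberos._udp` record (port 88). The function names are mine; the realm monkeypantz.lan and the record line used as sample input come from the article.

```shell
#!/bin/sh
# Added example, not from the original article.

# srv_points_to_dc DC_FQDN PORT   (reads "host -t SRV" output on stdin)
# Returns 0 if at least one SRV record targets DC_FQDN on PORT, else 1.
# A "not found" / NXDOMAIN line never matches, so it returns 1 too.
srv_points_to_dc() {
    # host(1) prints the target with a trailing dot; compare case-insensitively.
    awk -v dc="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')." -v port="$2" '
        $2 == "has" && $3 == "SRV" && $4 == "record" &&
        $7 == port && tolower($8) == dc { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# check_dc_records REALM DC_FQDN
# Live check against the DC's own DNS: the LDAP and Kerberos SRV records
# that every AD domain controller must publish. Requires host(1) and network.
check_dc_records() {
    realm=$1; dc=$2; status=0
    for q in "_ldap._tcp.$realm 389" "_kerberos._udp.$realm 88"; do
        set -- $q            # $1 = record name, $2 = expected port
        if host -t SRV "$1" | srv_points_to_dc "$dc" "$2"; then
            echo "ok   $1 -> $dc:$2"
        else
            echo "FAIL $1 does not point to $dc:$2"
            status=1
        fi
    done
    return $status
}

# Demonstration on constructed input: the healthy record line from the article,
# and the kind of line host(1) prints when the record is missing.
good='_ldap._tcp.monkeypantz.lan has SRV record 0 100 389 dc1.monkeypantz.lan.'
bad='Host _ldap._tcp.monkeypantz.lan not found: 3(NXDOMAIN)'
if printf '%s\n' "$good" | srv_points_to_dc dc1.monkeypantz.lan 389; then
    echo "sample 1: LDAP SRV record points at the DC"
fi
if ! printf '%s\n' "$bad" | srv_points_to_dc dc1.monkeypantz.lan 389; then
    echo "sample 2: no usable SRV record"
fi
```

On the server itself, `check_dc_records monkeypantz.lan dc1.monkeypantz.lan` (with your realm and DC name) runs the live queries; a FAIL on the Kerberos record usually means resolv.conf is still pointing somewhere other than the DC.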

Next, test the Kerberos authentication with the command:

kinit Administrator

After typing the password you created during the Samba DC setup, you should see a warning that your password will expire in X number of days, as in:

Warning: Your password will expire in 41 days on Thu 17 Jun 2021 01:05:21 PM UTC

Congratulations, your Ubuntu Server is now acting as a domain controller. 
