| | AD DC Server |
|---|---|
| OS | Ubuntu 16.04.3 LTS |
| Hostname | samba |
| IP address | 10.0.0.100/24 |
- Domain name: flemingcollege.ca
- Realm: FLEMINGCOLLEGE.CA
# On the DC: install Samba, the Kerberos client configuration and winbind
root@samba:~$ apt-get -y install samba krb5-config winbind
# Set the realm (these krb5-config answers seed /etc/krb5.conf; that file is replaced later by the one provision generates)
Configuring Kerberos Authentication
When users attempt to use Kerberos and specify a principal or user name
without specifying what administrative Kerberos realm that principal
belongs to, the system appends the default realm. The default realm may
also be used as the realm of a Kerberos service running on the local
machine. Often, the default realm is the uppercase version of the local
DNS domain.
Default Kerberos version 5 realm: FLEMINGCOLLEGE.CA
<Ok>
# Specify the KDC hostname (this server)
Configuring Kerberos Authentication
Enter the hostnames of Kerberos servers in the FLEMINGCOLLEGE.CA Kerberos
realm separated by spaces.
Kerberos servers for your realm: samba.flemingcollege.ca
<Ok>
# Specify the administrative (password-changing) server hostname (also this server)
Configuring Kerberos Authentication
Enter the hostname of the administrative (password changing) server for
the FLEMINGCOLLEGE.CA Kerberos realm.
Administrative server for your Kerberos realm: samba.flemingcollege.ca
<Ok>
# Move the default smb.conf aside; provision writes a new one
root@samba:~$ mv /etc/samba/smb.conf /etc/samba/smb.conf.org
root@samba:~$ samba-tool domain provision
Realm: FLEMINGCOLLEGE.CA # Kerberos realm: the DNS domain in upper case
Domain [FLEMINGCOLLEGE]: # NetBIOS domain name; accept the default (first DNS label, 15 characters max)
Server Role (dc, member, standalone) [dc]: # Accept the default: this host becomes a domain controller
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: # Accept the default: Samba's built-in DNS server
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]: # Resolver for queries outside the domain; confirm or change it
Administrator password: # Set the domain Administrator password (the default password policy requires complexity and at least 7 characters)
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
...
...
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: samba
NetBIOS Domain: FLEMINGCOLLEGE
DNS Domain: flemingcollege.ca
DOMAIN SID: S-1-5-21-3389486828-2521778182-4128056284
# Install the Kerberos config generated by provision as the system krb5.conf (it sets default_realm and finds the KDC through the DNS SRV records Samba serves)
root@samba:~$ cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
# Restart the AD DC service. As a DC, Samba runs as the single samba daemon (unit samba-ad-dc), which starts its own smbd and winbindd; the stand-alone smbd, nmbd and winbind units must not run alongside it. On Ubuntu 16.04 the samba-ad-dc unit ships masked, so unmask and enable it (and disable the other three) before restarting.
root@samba:~$ systemctl restart samba-ad-dc
3. Confirm the domain functional level and add a domain user.
# Confirm the domain functional level
root@samba:~$ samba-tool domain level show
Domain and forest function level for domain 'DC=flemingcollege,DC=ca'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
# Add a domain user (the password must satisfy the domain password policy)
root@samba:~$ samba-tool user add ubuntu
New Password:
Retype Password:
User 'ubuntu' created successfully
# Reboot to apply changes
root@samba:~$ reboot
root@samba:~$ apt-get -y install ntp
# Enable ntpd at boot (Ubuntu 16.04 manages services with systemd units)
root@samba:~$ systemctl enable ntp
root@samba:~$ vi /etc/ntp.conf
# Line 18: comment out
# pool 0.ubuntu.pool.ntp.org iburst
# pool 1.ubuntu.pool.ntp.org iburst
# pool 2.ubuntu.pool.ntp.org iburst
# pool 3.ubuntu.pool.ntp.org iburst
# pool ntp.ubuntu.com
# Add NTP servers close to you (the example uses public Japanese servers); the DC becomes the time source for the domain
server ntp1.jst.mfeed.ad.jp iburst
server ntp2.jst.mfeed.ad.jp iburst
server ntp3.jst.mfeed.ad.jp iburst
# Line 50: allow the domain network to query this server for time; nomodify and notrap refuse configuration changes and trap messages from those clients. Domain members must stay within Kerberos' clock skew tolerance (5 minutes by default) or authentication fails.
restrict 10.0.0.0 mask 255.255.255.0 nomodify notrap
# Restart the ntp service
root@samba:~$ systemctl restart ntp
# Show peers: '*' marks the selected sys.peer, '+' a candidate; offset and delay are in milliseconds
root@samba:~$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.jst.mfeed. 133.243.236.17   2 u    8   64    3   17.613    3.116   2.670
 ntp2.jst.mfeed. .INIT.          16 u    -   64    0    0.000    0.000   0.000
+ntp3.jst.mfeed. 133.243.236.17   2 u    3   64    3   18.134    2.303   3.591
CentOS Joins Ubuntu AD DC with Samba Winbind
| | AD DC Server | Client |
|---|---|---|
| OS | Ubuntu 16.04.3 LTS | CentOS 6.9 |
| Hostname | samba | centos |
| IP address | 10.0.0.100/24 | 10.0.0.200/24 |
- Domain name: flemingcollege.ca
- Realm: FLEMINGCOLLEGE.CA
# On the DC: note the realm and KDC lookup settings the client will need
root@samba:~$ cat /etc/krb5.conf
[libdefaults]
default_realm = FLEMINGCOLLEGE.CA
dns_lookup_realm = false
dns_lookup_kdc = true
# On the DC: note the workgroup, realm and NetBIOS name the client will need
root@samba:~$ cat /etc/samba/smb.conf
[global]
workgroup = FLEMINGCOLLEGE
realm = FLEMINGCOLLEGE.CA
netbios name = SAMBA
server role = active directory domain controller
dns forwarder = 8.8.8.8
[root@centos ~]$ yum -y install samba-winbind samba-winbind-clients pam_krb5 krb5-libs
[root@centos ~]$ chkconfig winbind on
[root@centos ~]$ vi /etc/sysconfig/network-scripts/ifcfg-eth0
# Point DNS at the DC: the domain join and Kerberos KDC discovery depend on the SRV records served by Samba's DNS
DNS1=10.0.0.100
[root@centos ~]$ vi /etc/resolv.conf
# Set the search domain and nameserver to the AD domain and the DC (a network restart regenerates this file from ifcfg-eth0, so set DOMAIN there too to keep the search domain)
domain flemingcollege.ca
nameserver 10.0.0.100
# Restart the network service
[root@centos ~]$ service network restart
# Configure Kerberos and winbind with the values read from the DC's krb5.conf and smb.conf above:
# KDC/admin server and realm from krb5.conf; realm, NetBIOS name and workgroup from smb.conf.
# authconfig writes /etc/krb5.conf and /etc/samba/smb.conf on the client (comments cannot follow the trailing backslash of a continued line).
# --enablewinbindusedefaultdomain lets domain users log in as "ubuntu" rather than "FLEMINGCOLLEGE\ubuntu".
[root@centos ~]$ authconfig \
    --enablekrb5 \
    --krb5kdc=samba.flemingcollege.ca \
    --krb5adminserver=samba.flemingcollege.ca \
    --krb5realm=FLEMINGCOLLEGE.CA \
    --enablewinbind \
    --enablewinbindauth \
    --smbsecurity=ads \
    --smbrealm=FLEMINGCOLLEGE.CA \
    --smbservers=SAMBA \
    --smbworkgroup=FLEMINGCOLLEGE \
    --winbindtemplatehomedir=/home/%U \
    --winbindtemplateshell=/bin/bash \
    --enablemkhomedir \
    --enablewinbindusedefaultdomain \
    --update
Starting Winbind services: [ OK ]
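The authconfig call above hand-copies the realm, workgroup and KDC from the DC's krb5.conf and smb.conf. The script below is an added example, not code from the original page: it reads those two files with a small section-aware ini parser, checks the invariants a mistyped value would break (upper-case realm, identical realm in both files, AD DC server role, the 15-character NetBIOS limit) and prints the values to paste into authconfig. It assumes, as on this page, that the DC's DNS name is its NetBIOS name lower-cased under the DNS domain, and it runs against constructed copies of the two files so it needs no DC.

```shell
#!/bin/bash
# Added example: derive the client-side authconfig values from the DC's
# smb.conf and krb5.conf and check that the two files agree with each other.

# cfg_get FILE SECTION KEY: print the value of "KEY = value" inside [SECTION].
# Samba and krb5 both use this ini-style layout; keys match case-insensitively,
# surrounding whitespace is trimmed, and '#' / ';' comment lines are skipped.
cfg_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/[ \t]/, "", s); in_sec = (s == want); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# ad_client_params SMB_CONF KRB5_CONF: validate the DC configuration and print
# "realm=... workgroup=... kdc=..." for the client; non-zero exit on any mismatch.
ad_client_params() {
    smb="$1"; krb="$2"
    realm=$(cfg_get "$smb" global realm)
    workgroup=$(cfg_get "$smb" global workgroup)
    netbios=$(cfg_get "$smb" global "netbios name")
    role=$(cfg_get "$smb" global "server role")
    default_realm=$(cfg_get "$krb" libdefaults default_realm)

    # Kerberos realm names are case-sensitive: AD uses the upper-case DNS domain,
    # and krb5.conf must name exactly that realm or kinit / net ads join fail.
    if [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "realm '$realm' must be upper case" >&2; return 1
    fi
    if [ "$default_realm" != "$realm" ]; then
        echo "krb5.conf default_realm '$default_realm' differs from smb.conf realm '$realm'" >&2; return 1
    fi
    if [ "$role" != "active directory domain controller" ]; then
        echo "server role is '$role', not an AD DC" >&2; return 1
    fi
    # NetBIOS domain and host names are limited to 15 characters.
    if [ "${#workgroup}" -gt 15 ] || [ "${#netbios}" -gt 15 ]; then
        echo "workgroup or netbios name longer than 15 characters" >&2; return 1
    fi
    dns_domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    # Assumption: the DC's DNS name is its NetBIOS name under the DNS domain.
    kdc="$(printf '%s' "$netbios" | tr 'A-Z' 'a-z').$dns_domain"
    printf 'realm=%s workgroup=%s kdc=%s\n' "$realm" "$workgroup" "$kdc"
}

# Constructed copies of the two files shown above, so the check runs without a DC.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
    workgroup = FLEMINGCOLLEGE
    realm = FLEMINGCOLLEGE.CA
    netbios name = SAMBA
    server role = active directory domain controller
    dns forwarder = 8.8.8.8
EOF
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = FLEMINGCOLLEGE.CA
    dns_lookup_realm = false
    dns_lookup_kdc = true
EOF

ad_client_params "$SAMPLE_DIR/smb.conf" "$SAMPLE_DIR/krb5.conf"
```

On the DC itself run `ad_client_params /etc/samba/smb.conf /etc/krb5.conf`; a non-zero exit names the mismatch to fix before `net ads join` is attempted on the client.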
3. Set the client's hostname in the domain before joining.
[root@centos ~]$ vi /etc/hosts
# Add the client's own FQDN and short name, and the DC's, so that hostname -f returns the fully qualified name registered at join
127.0.0.1 centos.flemingcollege.ca centos
10.0.0.100 samba.flemingcollege.ca samba
# Check hostname again
[root@centos ~]$ hostname -f
centos.flemingcollege.ca
4. Synchronize time with the AD DC.
# Kerberos rejects requests when the client and KDC clocks differ by more than 5 minutes (the krb5 clockskew default), so sync against the DC, which serves NTP to 10.0.0.0/24 as configured above
[root@centos ~]$ yum -y install ntpdate
[root@centos ~]$ chkconfig ntpdate on
[root@centos ~]$ ntpdate 10.0.0.100
20 Oct 21:29:41 ntpdate[18757]: adjust time server 10.0.0.100 offset 0.002364 sec
# The ntpdate init script takes its servers from /etc/ntp/step-tickers (falling back to the server lines in /etc/ntp.conf), not from the command above, so list 10.0.0.100 there or the boot-time sync goes elsewhere. ntpdate is a one-shot step; run ntpd against the DC to keep the clock inside the skew window.
[root@centos ~]$ service ntpdate start
ntpdate: Synchronizing with time server: [ OK ]
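Both the DC's `ntpq -p` output earlier and the client's one-shot `ntpdate` run matter for one reason: Kerberos refuses requests once the two clocks drift apart by more than the clock skew tolerance, 300 seconds by default in MIT Kerberos and in AD. The script below is an added example, not code from the original page: it parses both outputs and returns non-zero when no peer has been selected or the offset is outside that window, so it can sit in a pre-join check on either host. The sample outputs are constructed from the ones shown on this page, and the 300 s limit is an assumption matching the default rather than a value the page states.

```shell
#!/bin/bash
# Added example: verify clock offset against the Kerberos clock skew tolerance.
# Kerberos rejects AS/TGS requests and tickets when client and KDC clocks differ
# by more than 300 s (MIT krb5 "clockskew" default, also AD's default), so a
# missing sys.peer or a large offset surfaces as an authentication failure,
# not as an NTP error.
MAX_SKEW_S=300   # assumption: the default tolerance; lower it if policy is stricter

# Constructed sample of `ntpq -p` on the DC (offset column is in milliseconds;
# '*' = selected sys.peer, '+' = candidate, ' ' = not usable).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.jst.mfeed. 133.243.236.17   2 u    8   64    3   17.613    3.116   2.670
 ntp2.jst.mfeed. .INIT.          16 u    -   64    0    0.000    0.000   0.000
+ntp3.jst.mfeed. 133.243.236.17   2 u    3   64    3   18.134    2.303   3.591'

# Constructed sample of a one-shot `ntpdate 10.0.0.100` on the client (offset in seconds).
SAMPLE_NTPDATE='20 Oct 21:29:41 ntpdate[18757]: adjust time server 10.0.0.100 offset 0.002364 sec'

# ntpq_skew_ok: reads `ntpq -p` output on stdin. Prints "<peer> <abs offset in s>"
# and returns 0 when a '*' peer exists and |offset| < MAX_SKEW_S,
# 1 when ntpd has not selected a peer yet, 2 when the offset is too large.
ntpq_skew_ok() {
    awk -v max="$MAX_SKEW_S" '
        /^\*/ { sel = 1; off = $9 / 1000; if (off < 0) off = -off
                printf "%s %.6f\n", substr($1, 2), off
                code = (off < max) ? 0 : 2 }
        END   { if (!sel) exit 1; exit code }'
}

# ntpdate_skew_ok: reads `ntpdate` output on stdin; prints the absolute offset in
# seconds with the same return codes (1 = no "offset ... sec" line found).
ntpdate_skew_ok() {
    awk -v max="$MAX_SKEW_S" '
        / offset [-0-9.]+ sec/ {
            for (i = 1; i <= NF; i++) if ($i == "offset") off = $(i + 1)
            found = 1; if (off < 0) off = -off
            printf "%.6f\n", off
            code = (off < max) ? 0 : 2 }
        END { if (!found) exit 1; exit code }'
}

# Stand-alone run against the constructed samples; on a real host pipe the live
# command instead, e.g. `ntpq -p | ntpq_skew_ok`.
printf '%s\n' "$SAMPLE_NTPQ" | ntpq_skew_ok || echo "DC clock not trustworthy (rc=$?)" >&2
printf '%s\n' "$SAMPLE_NTPDATE" | ntpdate_skew_ok || echo "client clock not trustworthy (rc=$?)" >&2
```

Return code 1 (no selected peer) is the state right after `systemctl restart ntp`, when `reach` is still low; wait for a `*` peer before joining rather than trusting the raw offset column.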
# Join the domain (net ads join -U <domain admin>); you are prompted for the Administrator password
[root@centos ~]$ net ads join -U Administrator
Using short domain name -- FLEMINGCOLLEGE
Joined 'CENTOS' to dns domain 'flemingcollege.ca'.
# List the domain users through winbind (lower-cased and without the FLEMINGCOLLEGE\ prefix because winbind use default domain is enabled)
[root@centos ~]$ wbinfo -u
administrator
krbtgt
ubuntu
guest
# Switch to a domain user; pam_mkhomedir creates the home directory on first login. su from root asks for no password, so this only proves that winbind resolves the account; test a real password login (for example over ssh) to verify winbind/Kerberos authentication.
[root@centos ~]$ su - ubuntu
Creating directory '/home/ubuntu'.