How to install Samba as PDC on Ubuntu Server 16.04

LHammonds
Site Admin
Posts: 584
Joined: Fri Jul 31, 2009 6:27 pm
Location: Behind You

How to install Samba as PDC on Ubuntu Server 16.04

Post #551 by LHammonds
Wed Nov 08, 2017 9:01 am

Currently researching this topic

Do not attempt to follow any notes typed up so far

GOALS:
* Create an Active Directory Domain Controller
* Allow Windows PCs to authenticate against the domain
* Allow Windows PCs to join the domain
* Share files on Linux to Windows PCs

Outline
  1. DONE - Install Ubuntu Server
  2. DONE - Prerequisites
  3. DONE - Samba PDC Install
  4. NOT STARTED - Samba BDC Install
  5. DONE - Domain user management
  6. DONE - Setup file shares
  7. NOT STARTED - Backup / Restore domain
  8. NOT STARTED - DNS
  9. NOT STARTED - DHCP
  10. NOT STARTED - ?
Might need to break it out into phases:
  1. Phase 1 = PDC
  2. Phase 2 = DNS
  3. Phase 3 = DHCP
  4. Phase 4 = File Shares
  5. Phase 5 = BDC
  6. Phase 6 = Backups

BeyondTrust direct download (Likewise-Open) - GitHub

Old Outline when I "thought" I would be doing OpenLDAP and Samba Active Directory:
  1. IN PROGRESS - Directory Design
  2. DONE - Install Ubuntu Server
  3. DONE - Prerequisites
    • DONE - Hostname / Domain name resolution
    • DONE - Install Apache web server
    • NOT STARTED - Create self-signed SSL certificate
    • NOT STARTED - Apply SSL to Apache
  4. DONE - Install OpenLDAP
  5. IN PROGRESS - Configure OpenLDAP
  6. NOT STARTED - Configure organizational units via command-line
  7. NOT STARTED - Configure organizational units via web-interface
  8. NOT STARTED - Configure users via command-line
  9. NOT STARTED - Configure users via web-interface
  10. NOT STARTED - Join Windows computers to the domain
  11. NOT STARTED - Join Linux computers to the domain
  12. NOT STARTED - Backup / Restore
  13. NOT STARTED - Redundant server
--------------------------------------------------------------------------------------------------------------

Greetings and salutations,

I hope this thread will be helpful to those who follow in my footsteps as well as getting any advice based on what I have done / documented.

To discuss this thread, please participate here: Ubuntu Forums >>need to create thread<<

High-level overview

This thread will cover installation of a dedicated Ubuntu server as an Active Directory server. Samba will be used as the authentication and file-sharing service. The server will be installed inside a virtual machine in vSphere running on ESXi servers. Notes will also be supplied for doing the same thing for VirtualBox on a Windows 7/8/10 PC. Although there are some VMware-specific and VirtualBox-specific steps, they are very few and the majority of this documentation will work for other Virtual Machines or even directly installed onto a physical machine (e.g. bare-metal install). If you have any advice on doing things better, please let me know by replying to >>this thread on the Ubuntu forums<< (need to create).

Tools utilized in this process
Helpful links

The list below contains sources of information that were helpful in the creation of this document.
  • Ubuntu Documentation
  • Ubuntu Firewall Basics
  • Samba Documentation
  • Samba File Permissions

Assumptions

This documentation will need to make use of some very specific information that will most likely be different for each person / location. As such, this information will be noted in this section. It will be highlighted in red throughout the document as a reminder that you should plug in your own value rather than actually using these "place-holder" values.

Under no circumstance should you use the actual values listed below. They are place-holders for the real thing. This is just a checklist template you need to have answered before you start the install process.

Wherever you see RED in this document, you need to substitute the value you will use in your environment.
  • Domain Name: mydomain.local
  • Ubuntu Server name: dc1
  • Server FQDN: dc1.mydomain.local
  • Domain Admin Password: MyDomainAdminPass
  • Internet domain: mydomain.local
  • Ubuntu Server IP address: 192.168.107.99
  • Ubuntu Server IP subnet mask: 255.255.255.0
  • Ubuntu Server IP gateway: 192.168.107.1
  • Internal DNS Server 1: 192.168.107.212
  • Internal DNS Server 2: 192.168.107.213
  • External DNS Server 1: 8.8.8.8
  • Ubuntu Admin ID: administrator
  • Ubuntu Admin Password: myadminpass
  • Email Server (remote): 192.168.107.25
It is also assumed the reader knows how to use the VI editor. If not, you will need to beef up your skill set or use a different editor in place of it.


Install Ubuntu Server

Post #553 by LHammonds
Fri Dec 15, 2017 8:59 am

Install Ubuntu Server

The Ubuntu Server Long-Term Support (LTS) release is free, but we have the option of buying support, and that is the main reason this server was selected.

The steps for setting up the base server are covered in this article: How to install and configure Ubuntu Server

It is assumed that the server was configured according to that article, with the exception that the assumptions in red (variables above) are used instead of the assumptions in that document, since we are building a Samba server.


Re: How to install Samba as PDC on Ubuntu Server 16.04

Post #554 by LHammonds
Fri Dec 15, 2017 9:07 am

Prerequisites

Code: Select all

vi /etc/hosts
127.0.0.1 localhost localhost.localdomain
192.168.107.99 dc1.mydomain.local dc1

Code: Select all

vi /etc/hostname
dc1
Make sure to add "acl" to the options for each partition in /etc/fstab

Code: Select all

vi /etc/fstab

Code: Select all

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/dc1--vg-root /               ext4    errors=remount-ro,acl 0       1
NOTE: If you made any changes to fstab, reboot for it to take effect.


Re: How to install Samba as PDC on Ubuntu Server 16.04

Post #555 by LHammonds
Fri Dec 15, 2017 9:09 am

Install Samba

Install the following packages and answer the questions below when prompted:

Code: Select all

apt-get install samba winbind libnss-winbind libpam-winbind krb5-user krb5-config
Make sure the Kerberos realm is in all CAPS:
MYDOMAIN.LOCAL
Make sure the hostname for the Kerberos server is lowercase and same as your domain name:
mydomain.local
Make sure the hostname for administrative server is lowercase and same as your domain name:
mydomain.local


Configure Samba

Post #556 by LHammonds
Fri Dec 15, 2017 9:16 am

NOTE: Samba will need to be wiped to a clean state...otherwise it will fail upon initial provisioning when it tries to create a new smb.conf file.

Shutdown all Samba-related services

Code: Select all

systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
Verify that no Samba processes are running:

Code: Select all

ps ax | egrep "samba|smbd|nmbd|winbindd"
Find the current Samba configuration file:

Code: Select all

smbd -b | grep "CONFIGFILE"
If the above output was "/etc/samba/smb.conf" then issue the below command to rename the configuration file:

Code: Select all

mv /etc/samba/smb.conf /etc/samba/smb.bak
Find all Samba database files:

Code: Select all

smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
Remove the .tdb and .ldb database files based on the above output.

Code: Select all

rm /var/run/samba/*.[tl]db
rm /var/lib/samba/*.[tl]db
rm /var/cache/samba/*.[tl]db
rm /var/lib/samba/private/*.[tl]db
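To make the wipe step less error-prone, here is an added shell example (not from the original post) that reads the same `smbd -b` build options, prints the configured smb.conf path and lists every .tdb/.ldb file in the four database directories without deleting anything; the `smbd -b` sample embedded in it is constructed.

```shell
#!/bin/bash
# Added example (not from the original post): derive the Samba database
# directories from `smbd -b` and list the .tdb/.ldb files that the clean-state
# step removes. Lists only; deletion stays a deliberate manual step as above.

# Constructed sample of the relevant `smbd -b` lines, used when smbd is absent.
SAMPLE_SMBD_B='   CONFIGFILE: /etc/samba/smb.conf
   LOCKDIR: /var/run/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PRIVATE_DIR: /var/lib/samba/private'

# Print the directory for each of the four database-holding build options,
# one per line, from the given `smbd -b` output.
samba_db_dirs() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*(LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR):' \
        | awk -F': ' '{print $2}'
}

# Print the path of the configured smb.conf from the given `smbd -b` output.
samba_config_file() {
    printf '%s\n' "$1" | awk -F': ' '/^[[:space:]]*CONFIGFILE:/ {print $2}'
}

# Read directories on stdin; print every .tdb/.ldb file directly inside each
# (non-existent directories are skipped, like the rm globs above would).
samba_db_files() {
    local dir
    while read -r dir; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -type f \( -name '*.tdb' -o -name '*.ldb' \)
    done | sort
}

# Use the live build options when smbd is installed, else the sample.
if command -v smbd >/dev/null 2>&1; then
    BUILD=$(smbd -b || true)
else
    BUILD=$SAMPLE_SMBD_B
fi
echo "config file: $(samba_config_file "$BUILD")"
echo "database files the clean-state step would remove:"
samba_db_dirs "$BUILD" | samba_db_files
```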
Provision the domain with the following command and answer the questions as noted below:

Code: Select all

samba-tool domain provision --use-rfc2307 --interactive
Realm: MYDOMAIN.LOCAL
Domain: MYDOMAIN
Server Role: dc
DNS backend: SAMBA_INTERNAL
DNS forwarder IP address: 192.168.107.1
Administrator password: MyDomainAdminPass

Rename the existing Kerberos configuration file.

Code: Select all

mv /etc/krb5.conf /etc/krb5.bak
Symlink the Kerberos main configuration file to the Samba Kerberos file.

Code: Select all

ln --symbolic /var/lib/samba/private/krb5.conf /etc/
ls -l /etc/krb*
Start and enable Samba Active Directory Domain Controller daemons:

Code: Select all

systemctl start samba-ad-dc.service
systemctl enable samba-ad-dc.service
Check on the status of the service...make sure it shows "active (running)"

Code: Select all

systemctl status samba-ad-dc.service
Example output:

Code: Select all

samba-ad-dc.service - LSB: start Samba daemons for the AD DC
   Loaded: loaded (/etc/init.d/samba-ad-dc; bad; vendor preset: enabled)
   Active: active (running) since Fri 2017-12-15 15:56:04 CST; 2min 28s ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/samba-ad-dc.service
           ├─2795 /usr/sbin/samba -D
           ├─2796 /usr/sbin/samba -D
           ├─2797 /usr/sbin/samba -D
           ├─2798 /usr/sbin/samba -D
           ├─2799 /usr/sbin/samba -D
           ├─2800 /usr/sbin/samba -D
           ├─2801 /usr/sbin/samba -D
           ├─2802 /usr/sbin/samba -D
           ├─2803 /usr/sbin/smbd -D --option=server role check:inhibit=yes --for
           ├─2804 /usr/sbin/samba -D
           ├─2805 /usr/sbin/samba -D
           ├─2806 /usr/sbin/samba -D
           ├─2807 /usr/sbin/samba -D
           ├─2808 /usr/sbin/samba -D
           ├─2809 /usr/sbin/samba -D
           ├─2810 /usr/sbin/winbindd -D --option=server role check:inhibit=yes -
           ├─2814 /usr/sbin/smbd -D --option=server role check:inhibit=yes --for
           ├─2815 /usr/sbin/winbindd -D --option=server role check:inhibit=yes -
If you do not have a long list like the above, it is entirely possible your password was not "complex" enough. Scroll up and see if you notice that kind of message when provisioning the domain. If the password is the issue, start this section over and wipe out all the Samba settings and then use an appropriately complex password.

Verify the list of all services required by Active Directory to run properly.

Code: Select all

netstat -tulpn | egrep 'smbd|samba'
Example output:

Code: Select all

unix  2      [ ]         DGRAM                    20120    /var/lib/samba/private/msg.sock/2806
unix  2      [ ]         DGRAM                    20122    /var/lib/samba/private/msg.sock/2807
unix  2      [ ]         DGRAM                    20124    /var/lib/samba/private/msg.sock/2808
unix  2      [ ]         DGRAM                    20128    /var/lib/samba/private/msg.sock/2809
unix  2      [ ]         DGRAM                    20166    /var/lib/samba/private/msg.sock/2803
unix  2      [ ]         DGRAM                    20172    /var/lib/samba/private/msg.sock/2810
unix  2      [ ]         DGRAM                    20187    /var/lib/samba/private/msg.sock/2814
unix  2      [ ]         DGRAM                    20190    /var/lib/samba/private/msg.sock/2815
unix  2      [ ]         DGRAM                    20225    /var/lib/samba/private/msg.sock/2818
unix  2      [ ]         DGRAM                    20235    /var/lib/samba/private/msg.sock/2819
unix  2      [ ]         DGRAM                    20248    /var/lib/samba/private/msg.sock/2820
unix  2      [ ]         DGRAM                    20051    /var/lib/samba/private/msg.sock/2795
unix  2      [ ]         DGRAM                    20069    /var/lib/samba/private/msg.sock/2797
unix  2      [ ]         DGRAM                    20070    /var/lib/samba/private/msg.sock/2796
unix  2      [ ]         DGRAM                    20074    /var/lib/samba/private/msg.sock/2799
unix  2      [ ]         DGRAM                    20075    /var/lib/samba/private/msg.sock/2798
unix  2      [ ]         DGRAM                    20083    /var/lib/samba/private/msg.sock/2801
unix  2      [ ]         DGRAM                    20088    /var/lib/samba/private/msg.sock/2802
unix  2      [ ]         DGRAM                    20090    /var/lib/samba/private/msg.sock/2800
unix  2      [ ]         DGRAM                    20115    /var/lib/samba/private/msg.sock/2805
unix  2      [ ]         DGRAM                    20119    /var/lib/samba/private/msg.sock/2804
unix  3      [ ]         STREAM     CONNECTED     20204    /var/lib/samba/winbindd_privileged/pipe
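The output above only shows Samba's internal unix sockets; what you actually want to confirm is that the AD service ports are listening. Added example (not from the original post): it parses `netstat -tulpn` output against the standard AD DC port list, which is my own, and the netstat sample embedded in it is constructed.

```shell
#!/bin/bash
# Added example (not from the original post): check that the ports an AD DC
# must serve are listening, by parsing `netstat -tulpn` output against the
# standard AD DC port list (my list; assumes no firewall between clients and dc1).

# Required proto/port pairs for DNS, Kerberos, RPC, NetBIOS, LDAP(S), SMB,
# kpasswd and the Global Catalog.
AD_DC_PORTS="tcp/53 udp/53 tcp/88 udp/88 tcp/135 tcp/139 tcp/389 udp/389
tcp/445 tcp/464 udp/464 tcp/636 tcp/3268 tcp/3269"

# Constructed sample output with LDAPS (636) and GC-over-TLS (3269) missing.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2796/samba
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      2797/samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      2798/samba
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2803/smbd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2799/samba
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2803/smbd
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      2797/samba
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      2799/samba
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2796/samba
udp        0      0 0.0.0.0:88              0.0.0.0:*                           2797/samba
udp        0      0 0.0.0.0:389             0.0.0.0:*                           2799/samba
udp        0      0 0.0.0.0:464             0.0.0.0:*                           2797/samba'

# Normalise netstat output to "proto/port" lines (tcp6/udp6 count as tcp/udp).
listening_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":")
        print substr($1, 1, 3) "/" a[n]
    }' | sort -u
}

# Print each required proto/port that is absent from the netstat output.
missing_ad_ports() {
    local have p
    have=$(listening_ports "$1")
    for p in $AD_DC_PORTS; do
        printf '%s\n' "$have" | grep -qx "$p" || echo "$p"
    done
}

# Check the live system when netstat is available, else the sample.
if command -v netstat >/dev/null 2>&1; then
    OUT=$(netstat -tulpn 2>/dev/null || true)
else
    OUT=$SAMPLE_NETSTAT
fi
echo "missing AD DC ports:"
missing_ad_ports "$OUT"
```

An empty list means every required port is bound; anything printed is a service that clients will fail to reach even though `systemctl status` reports "active (running)".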


More Configuration

Post #557 by LHammonds
Fri Dec 15, 2017 9:26 am

Samba local Linux authentication using AD accounts

Code: Select all

vi /etc/samba/smb.conf
Add the following under the [global] section:

Code: Select all

winbind enum users = yes
winbind enum groups = yes
Modify PAM to allow AD authentication and open sessions

Run the PAM configuration utility:

Code: Select all

pam-auth-update
Set the following and press ENTER

Code: Select all

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login
[*] Inheritable Capabilities Management
    <Ok>    <Cancel>

Code: Select all

vi /etc/nsswitch.conf
change:

Code: Select all

passwd:         compat
group:          compat
to:

Code: Select all

passwd:         compat winbind
group:          compat winbind

Code: Select all

vi /etc/pam.d/common-password
change:

Code: Select all

password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
to:

Code: Select all

password        [success=1 default=ignore]      pam_winbind.so try_first_pass
Repeat the above removal of "use_authtok" each time PAM updates are installed and each time you execute "pam-auth-update".
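Since this edit has to be repeated after every pam-auth-update, here is an added shell example (not from the original post) that strips "use_authtok" from the pam_winbind line idempotently and leaves every other line alone; the common-password sample embedded in it is constructed, and the file path is a parameter so it can be tried on a copy first.

```shell
#!/bin/bash
# Added example (not from the original post): remove "use_authtok" from the
# pam_winbind line of a common-password file idempotently, so the step can be
# re-run after every pam-auth-update. File path is a parameter; a .bak copy is
# kept when the file is changed.

# Constructed sample of /etc/pam.d/common-password as pam-auth-update writes
# it with the Unix and Winbind profiles enabled (unrelated lines omitted).
SAMPLE_COMMON_PASSWORD='# /etc/pam.d/common-password - password-related modules common to all services
password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so'

# Exit 0 when some pam_winbind line in the file still carries use_authtok.
winbind_authtok_present() {
    grep -Eq 'pam_winbind\.so.*use_authtok' "$1"
}

# Print the file with use_authtok stripped from pam_winbind lines only;
# pam_unix and every other line are left untouched.
strip_winbind_authtok() {
    sed -E '/pam_winbind\.so/ s/[[:space:]]+use_authtok([[:space:]]|$)/\1/' "$1"
}

# Apply the change in place. Prints "fixed" or "unchanged".
fix_common_password() {
    local f="$1" new
    if ! winbind_authtok_present "$f"; then
        echo "unchanged"
        return 0
    fi
    new=$(strip_winbind_authtok "$f")
    cp -p "$f" "$f.bak"
    printf '%s\n' "$new" > "$f"
    echo "fixed"
}

# Demonstrate on a temporary copy of the sample rather than the live file.
TMP=$(mktemp)
printf '%s\n' "$SAMPLE_COMMON_PASSWORD" > "$TMP"
fix_common_password "$TMP"     # fixed
fix_common_password "$TMP"     # unchanged
grep pam_winbind "$TMP"
rm -f "$TMP" "$TMP.bak"
```

Running it against the real file is `fix_common_password /etc/pam.d/common-password` as root; a more durable alternative (my suggestion, not from the post, assuming the 16.04 profile lives at /usr/share/pam-configs/winbind) is to drop use_authtok from that profile so pam-auth-update regenerates the line correctly.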

Edit the Samba configuration and make it look like the following:

Code: Select all

vi /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.LOCAL
        netbios name = DC1
        server role = active directory domain controller
        dns forwarder = 192.168.107.1
        idmap_ldb:use rfc2307 = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind offline logon = false
        winbind nss info = rfc2307
        template shell = /bin/bash
        template homedir = /home/%D/%U
        restrict anonymous = 2
        idmap config *:range = 5000-9999
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 10000-29999
        ## To disable Roaming profiles, comment out "logon path" and "logon home"
        ## logon path places Windows profile into their home directory
        # logon path = \\%N\%U\profile
        ## logon home specifies the home directory location
        # logon home = \\%N\%U
        ## domain logons provides netlogon causing Samba to act as a DC
        domain logons = yes
        logon drive = H:
        ## logon script are the commands that run once user is logged in
        logon script = logon.cmd
        ## add machine script automatically creates the Machine Trust Account
        ## needed for a workstation to join the domain
        add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u

[netlogon]
        path = /var/lib/samba/sysvol/mydomain.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[share]
        path = /srv/samba/share
        read only = no
        writeable = yes
        directory mode = 777
        create mode = 777
        comment = "Shared data directory"
After changing smb.conf, restart the necessary services for the changes to take effect:

Code: Select all

service winbind stop
service samba-ad-dc restart
service winbind start


Common Commands

Post #558 by LHammonds
Fri Dec 15, 2017 9:30 am

Common command line usage

Show Groups

Code: Select all

samba-tool group list
wbinfo -g
getent group | grep MYDOMAIN
Show Users

Code: Select all

samba-tool user list
wbinfo -u
getent passwd | grep MYDOMAIN
Show user profile info

Code: Select all

wbinfo -i JohnDoe
Show members in a group

Code: Select all

samba-tool group listmembers "Domain Users"
Create/delete a domain user

Code: Select all

samba-tool user add JohnDoe --given-name=John --surname=Doe --mail-address=John.Doe@gmail.com --login-shell=/bin/false
samba-tool user delete JohnDoe
Reset password

Code: Select all

samba-tool user setpassword JohnDoe
Disable/Enable domain user

Code: Select all

samba-tool user disable JohnDoe
samba-tool user enable JohnDoe
Create/Delete a domain group

Code: Select all

samba-tool group add MyGroup
samba-tool group delete MyGroup
Add/Remove domain user to a group

Code: Select all

samba-tool group addmembers MyGroup JohnDoe
samba-tool group removemembers MyGroup JohnDoe
Show domain password settings

Code: Select all

samba-tool domain passwordsettings show
Modify password settings

Code: Select all

samba-tool domain passwordsettings set --complexity=on
samba-tool domain passwordsettings set --history-length=3
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=90
samba-tool domain passwordsettings set --min-pwd-length=7
Add a domain user to the sudo group for root privileges

Code: Select all

usermod -aG sudo 'MYDOMAIN\JohnDoe'
