Shurn the Awesomer
Setting up Active Directory with Samba on Ubuntu 16.04

Written on Tue, 21 June 2016

The last time I set up Active Directory as a primary controller service was on 14.04. Since then, Ubuntu has been updated to 16.04.

The installation this time round is much easier than I expected. So here goes!

Prerequisites:

  • You have Ubuntu 16.04 installed
  • You have knowledge of Linux commands
  • You have some knowledge of how Samba works

We won't be using this server as a file server. It's not recommended to put AD and file service on one server. That way, AD can continue to serve while the file server is busy. It's not difficult to set up a file server along with AD, but that won't be covered today. I'm just going to focus on setting up AD.

Most of the commands are run as root. If you're not logged in as root, be sure to add sudo before every command.

Setup Box Information


AD DC Hostname: ADSHURN
AD DNS Domain Name: shurn.me
Kerberos Realm: shurn.me
NT4 Domain Name/NetBIOS Name: shurn
IP Address: 10.0.0.2
Server Role: Domain Controller (DC)
Forwarder DNS Server: 10.0.0.1
File System: BTRFS

Your setup will be very different from mine, so you should adapt this tutorial to your own setup. I'll highlight the setup configuration with italics.

Step 1: Making sure Ubuntu is updated and current


It's always best to set up your AD on a fully updated Ubuntu, since many bugs have been fixed since the release you installed from.

apt-get update
apt-get dist-upgrade

Step 2: Download the required files

apt-get install attr build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev acl ntp ntpdate winbind

During installation, Kerberos (krb5-user) will ask you for information.

Realm=shurn.me
Server=shurn.me
Kerberos Login=shurn.me

Step 3: Setting up Static IP address


Active Directory requires a static IP address.

nano /etc/network/interfaces

iface eth0 inet static
address 10.0.0.2
netmask 255.0.0.0
gateway 10.0.0.1
dns-nameservers 10.0.0.2 10.0.0.1
dns-search shurn.me


We will revisit this file later to change the DNS information.

Step 4: Setting up hostname

nano /etc/hostname


Put in the hostname of your AD

adshurn

Step 5: Reboot


Let's reboot the computer for all the configurations to take effect.

reboot

Step 6: Setting Host File


We need to make sure adshurn properly resolves to localhost at all times.

nano /etc/hosts

127.0.1.1 adshurn.shurn.me adshurn

Step 7: Setting up NTP


Network Time Protocol is the system that manages what time it is on your system, and it is important that our time is accurate for the proper functioning of Kerberos.

service ntp stop
ntpdate -B 0.ubuntu.pool.ntp.org
service ntp start

Step 8: Setting up Samba (finally)


So here's the main course of the entire tutorial. Let's install Samba.

apt-get install samba smbclient


We need to move the existing smb.conf file away so that we can properly generate a new file.

mv /etc/samba/smb.conf /etc/samba/smb.conf.orig


I usually use the interactive tool to set up Samba. You should too anyway.

samba-tool domain provision --use-rfc2307 --interactive

Realm: SHURN.ME
Domain: SHURN
Server Role: dc
DNS backend: SAMBA_INTERNAL
DNS forwarder IP address: 10.0.0.1
Administrator password: V3ryS3cur3P@$$w0rd

Step 9: Removing upstream DNS


Now we remove the upstream DNS server that we placed in the network configuration. resolv.conf is regenerated every time the system boots, so we need to ensure that after the next reboot the system queries the internal DNS. Samba is now managing all the DNS requests.

nano /etc/network/interfaces

dns-nameservers 10.0.0.2

reboot

Step 10: Testing DNS works


Let's check that the DNS is working as expected. Remember to replace the setup information with yours.

host -t SRV _ldap._tcp.shurn.me
_ldap._tcp.shurn.me has SRV record 0 100 389 adshurn.shurn.me

host -t SRV _kerberos._udp.shurn.me
_kerberos._udp.shurn.me has SRV record 0 100 88 adshurn.shurn.me

host -t A adshurn.shurn.me
adshurn.shurn.me has address 10.0.0.2
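
The checks above can be scripted so that a missing record, or one pointing at a host other than the DC, fails loudly instead of being missed by eye. This is an added example, not part of the original post; the function names check_srv and verify_dc_dns and the sample host olddc.shurn.me are made up for illustration.

```shell
#!/bin/sh
# Added example: validate `host -t SRV` output against the expected DC.
# DC_FQDN and the sample records use this tutorial's values (assumptions).
DC_FQDN="adshurn.shurn.me"

# check_srv NAME PORT OUTPUT
# Succeeds only if OUTPUT holds at least one SRV record for NAME and every
# SRV record for NAME points at PORT on DC_FQDN.
check_srv() {
    name=$1 port=$2 output=$3
    printf '%s\n' "$output" | awk -v name="$name" -v port="$port" -v dc="$DC_FQDN" '
        # host prints: <name> has SRV record <prio> <weight> <port> <target>
        $2 == "has" && $3 == "SRV" && $4 == "record" {
            owner = tolower($1); target = tolower($8)
            sub(/\.$/, "", owner); sub(/\.$/, "", target)  # drop trailing root dot
            if (owner != tolower(name)) next
            seen++
            if ($7 != port || target != tolower(dc)) {
                printf "unexpected SRV: %s\n", $0 > "/dev/stderr"
                bad++
            }
        }
        END { exit !(seen > 0 && bad == 0) }'
}

# verify_dc_dns DOMAIN: run the live Step 10 lookups through check_srv.
verify_dc_dns() {
    domain=$1
    check_srv "_ldap._tcp.$domain" 389 "$(host -t SRV "_ldap._tcp.$domain" 2>&1)" &&
    check_srv "_kerberos._udp.$domain" 88 "$(host -t SRV "_kerberos._udp.$domain" 2>&1)"
}

# Constructed sample outputs so the check can be exercised offline.
SAMPLE_OK='_ldap._tcp.shurn.me has SRV record 0 100 389 adshurn.shurn.me.'
SAMPLE_STALE='_ldap._tcp.shurn.me has SRV record 0 100 389 olddc.shurn.me.'
SAMPLE_NX='Host _ldap._tcp.shurn.me not found: 3(NXDOMAIN)'

check_srv "_ldap._tcp.shurn.me" 389 "$SAMPLE_OK" && echo "sample SRV record OK"
```

On the DC, run verify_dc_dns shurn.me after the reboot in Step 9; a non-zero exit status means a record is missing or points somewhere other than the DC.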

Step 11: Setting up Kerberos


As usual, let's move the original Kerberos configuration to a safe place. Then we use the Kerberos configuration provided by Samba.

mv /etc/krb5.conf /etc/krb5.conf.orig
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

Step 12: Testing Kerberos and Samba


Let's make sure Kerberos is working as expected.

kinit administrator@SHURN.ME


Enter the password you used during Samba setup.

klist


You should see a valid krbtgt ticket.

smbclient -L adshurn.shurn.me -U 'administrator'


You should see netlogon and sysvol listed.

smbclient //localhost/netlogon -U 'administrator'


You should be able to authenticate properly.

Congratulations!


You should now have a properly set up Active Directory working in your environment. Pretty easy and straightforward, isn't it?