The last time I set up Active Directory as a primary domain controller was on Ubuntu 14.04. Since then, Ubuntu has moved on to 16.04.
The installation this time round was much easier than I expected. So here goes!
We won't be using this server as a file server. It's not recommended to run AD and file services on the same server: kept separate, AD can continue to serve while the file server is busy. Setting up a file server alongside AD isn't difficult, but it won't be covered today. I'm just going to focus on setting up AD.
Most of the commands are run as root. If you're not using root, be sure to add sudo before every command.
AD DC Hostname: ADSHURN
AD DNS Domain Name: shurn.me
Kerberos Realm: SHURN.ME (the DNS domain in upper case; realm names are case-sensitive, and this is the form the provisioning step asks for)
NT4 Domain Name/NetBIOS Name: shurn
IP Address: 10.0.0.2
Server Role: Domain Controller (DC)
Forwarder DNS Server: 10.0.0.1
File System: BTRFS
Your setup will be very different from mine, so you should adapt this tutorial to your own setup. I'll highlight the setup configuration with italics.
It's always best to set up your AD on a fully updated Ubuntu. Many bugs will have been fixed since your install image was built.
apt-get update
apt-get dist-upgrade
apt-get install attr build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl ntp ntpdate winbind
The *-dev packages, build-essential, gdb, pkg-config and docbook-xsl are Samba build dependencies and are only needed if you compile Samba from source. Since we install Samba from the Ubuntu repositories below, the packages that matter here are acl, attr, krb5-user, dnsutils, ntp, ntpdate and winbind; the rest does no harm.
During installation, the krb5-user package will prompt you for Kerberos information. Answer with the realm in upper case and your DC; these answers only populate /etc/krb5.conf, which we replace with the file Samba generates later on, so they don't need to be perfect.
Default Kerberos version 5 realm: SHURN.ME
Kerberos servers for your realm: adshurn.shurn.me
Administrative server for your Kerberos realm: adshurn.shurn.me
Active Directory requires a static IP address.
nano /etc/network/interfaces
iface eth0 inet static
address 10.0.0.2
netmask 255.0.0.0
gateway 10.0.0.1
dns-nameservers 10.0.0.2 10.0.0.1
dns-search shurn.me
We'll come back to this file later to change the DNS servers.
nano /etc/hostname
Put in the hostname of your AD
adshurn
Let's reboot the computer for all the configurations to take effect.
reboot
We need to make sure adshurn resolves to the DC's own LAN address at all times. Don't use the 127.0.1.1 entry the Ubuntu installer writes: Samba (and the clients that look the DC up) need the hostname and FQDN to map to the static IP, not to a loopback address.
nano /etc/hosts
10.0.0.2 adshurn.shurn.me adshurn
Network Time Protocol keeps the system clock accurate, and that matters here because Kerberos rejects tickets when client and DC clocks differ by more than the allowed skew (five minutes by default).
service ntp stop
ntpdate -B 0.ubuntu.pool.ntp.org
service ntp start
So here's the main course of the entire tutorial. Let's install Samba.
apt-get install samba smbclient
We need to move the existing smb.conf file away so that we can properly generate a new file.
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
I usually use the interactive provisioning tool, and I'd recommend you do too.
samba-tool domain provision --use-rfc2307 --interactive
Realm: SHURN.ME
Domain: SHURN
Server Role: dc
DNS backend: SAMBA_INTERNAL
DNS forwarder IP address: 10.0.0.1
Administrator password: V3ryS3cur3P@$$w0rd
The Administrator password must satisfy Samba's default password policy (at least 7 characters, with characters from at least three of upper case, lower case, digits and non-alphanumerics), otherwise provisioning refuses it. The forwarder is where Samba's internal DNS sends every query it isn't authoritative for, so it should be a resolver you trust.
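The same provisioning answers given non-interactively, with a pre-check of the password against the default policy, as an added example that is not part of the original post. It assumes the tutorial's values (realm SHURN.ME, NetBIOS name SHURN) and a file /root/adminpass (my choice of path) that holds the Administrator password and is readable by root only.

```bash
#!/bin/bash
# Non-interactive provisioning with a password pre-check. Added example, not from the original
# post. Assumes the tutorial's values (realm SHURN.ME, NetBIOS name SHURN) and a file
# /root/adminpass (my choice of path) holding the Administrator password, readable by root only.

# Samba's default password settings are a minimum length of 7 and complexity on, which needs
# characters from at least three classes: upper case, lower case, digits, non-alphanumerics
# (non-ASCII text counts as a further class; not checked here). Provisioning refuses a
# password that fails the policy, so test it before running samba-tool.
password_meets_policy() {
    local pw=$1 classes=0
    [ "${#pw}" -ge 7 ] || return 1
    case $pw in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ]
}

# Read the password from a file that only root can read; refuse anything looser, since the
# file holds the domain Administrator credential.
read_admin_password() {
    local f=$1 pw
    [ "$(stat -c '%U %a' "$f")" = "root 600" ] || { echo "refusing $f: must be owned by root, mode 0600" >&2; return 1; }
    IFS= read -r pw < "$f"
    printf '%s' "$pw"
}

# The same answers as the interactive session, given as flags. The forwarder has no provision
# flag of its own here; add "dns forwarder = 10.0.0.1" to [global] in /etc/samba/smb.conf afterwards.
provision_dc() {
    local realm=$1 netbios=$2 pw
    pw=$(read_admin_password /root/adminpass) || return 1
    password_meets_policy "$pw" || { echo "Administrator password fails Samba's default policy" >&2; return 1; }
    samba-tool domain provision --use-rfc2307 --realm="$realm" --domain="$netbios" \
        --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass="$pw"
}

# Usage: ./provision.sh provision
if [ "${1:-}" = "provision" ]; then
    provision_dc SHURN.ME SHURN
fi
```

One trade-off to be aware of: --adminpass puts the password in samba-tool's argument list, where any local user can read it from ps for as long as provisioning runs. On a freshly installed, single-user box that is acceptable and keeps the password out of your shell history, but shred /root/adminpass once the domain is up.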
Now we remove the upstream DNS server from the network configuration. resolv.conf is regenerated from this file at every boot, so the change makes sure that after the next reboot the box queries Samba's internal DNS, which now answers every DNS request for the domain and forwards everything else to 10.0.0.1. One 16.04-specific gotcha before you reboot: the samba package enables the smbd, nmbd and winbind units and ships the samba-ad-dc unit masked. Stop and disable those three and unmask and enable samba-ad-dc, otherwise the DC process won't be running after the reboot and the checks below will fail.
nano /etc/network/interfaces
dns-nameservers 10.0.0.2
reboot
Let's check that the DNS is working as expected. Remember to replace the setup information with yours.
host -t SRV _ldap._tcp.shurn.me
_ldap._tcp.shurn.me has SRV record 0 100 389 adshurn.shurn.me
host -t SRV _kerberos._udp.shurn.me
_kerberos._udp.shurn.me has SRV record 0 100 88 adshurn.shurn.me
host -t A adshurn.shurn.me
adshurn.shurn.me has address 10.0.0.2
As usual, let's move the original Kerberos configuration to a safe place. Then we use the Kerberos configuration that Samba generated during provisioning.
mv /etc/krb5.conf /etc/krb5.conf.orig
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
Let's make sure Kerberos is working as expected.
kinit administrator@SHURN.ME
Enter the password you used during Samba setup
klist
You should see a valid ticket-granting ticket, krbtgt/SHURN.ME@SHURN.ME, in the output.
smbclient -L adshurn.shurn.me -U 'administrator'
You should see netlogon and sysvol listed.
smbclient //localhost/netlogon -U 'administrator'
You should be able to authenticate properly.
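The checks from the last two sections (the SRV and A records, the hostname resolving to the LAN address rather than loopback, and the Kerberos ticket) collected into one script, as an added example that is not part of the original post. It assumes the names from this tutorial (shurn.me, adshurn.shurn.me, 10.0.0.2, SHURN.ME) and that kinit has been run first; the check_* helpers parse the text that host, getent and klist print, so they can be tried on captured output as well as live.

```bash
#!/bin/bash
# Post-provision health check for a Samba AD DC. Added example, not from the original post.
# Assumed values come from this tutorial: domain shurn.me, DC adshurn.shurn.me at 10.0.0.2,
# realm SHURN.ME. Run "kinit administrator@SHURN.ME" before the ticket check.

# Print "PORT TARGET" from the first SRV answer in `host -t SRV` output, with the trailing
# dot that host prints on the target stripped; fail if there is no SRV answer (e.g. NXDOMAIN).
srv_answer() {
    local line
    line=$(printf '%s\n' "$1" | grep -m1 ' has SRV record ') || return 1
    set -- $line   # NAME has SRV record PRIORITY WEIGHT PORT TARGET
    printf '%s %s\n' "$7" "${8%.}"
}

# 0 if the SRV answer names the expected port and DC (args: host output, port, DC FQDN).
check_srv() { [ "$(srv_answer "$1")" = "$2 $3" ]; }

# 0 if `host -t A` output maps the DC to the expected address (args: host output, DC FQDN, IP).
check_a() { printf '%s\n' "$1" | grep -qxF "$2 has address $3"; }

# 0 if `getent hosts` output gives the LAN IP and not a 127.x loopback entry from /etc/hosts
# (args: getent output, expected IP).
check_not_loopback() {
    local want=$2 got
    got=$(printf '%s\n' "$1" | awk 'NR == 1 { print $1 }')
    case $got in 127.*) return 1 ;; esac
    [ "$got" = "$want" ]
}

# 0 if klist output lists a TGT for the realm (args: klist output, realm).
check_tgt() { printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"; }

# Feed live output from host, getent and klist into the checks and report every failure.
run_checks() {
    local domain=$1 dc=$2 ip=$3 realm=$4 rc=0
    check_srv "$(host -t SRV "_ldap._tcp.$domain")" 389 "$dc" || { echo "FAIL: _ldap._tcp SRV"; rc=1; }
    check_srv "$(host -t SRV "_kerberos._udp.$domain")" 88 "$dc" || { echo "FAIL: _kerberos._udp SRV"; rc=1; }
    check_a "$(host -t A "$dc")" "$dc" "$ip" || { echo "FAIL: A record for $dc"; rc=1; }
    check_not_loopback "$(getent hosts "${dc%%.*}")" "$ip" || { echo "FAIL: ${dc%%.*} resolves to loopback or the wrong IP"; rc=1; }
    check_tgt "$(klist 2>/dev/null)" "$realm" || { echo "FAIL: no krbtgt ticket for $realm (run kinit first)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

# Usage: ./dc-check.sh run
if [ "${1:-}" = "run" ]; then
    run_checks shurn.me adshurn.shurn.me 10.0.0.2 SHURN.ME
fi
```

Keeping the parsing separate from the live commands is deliberate: when a record comes back wrong you can paste the host output into the helper and see exactly which field mismatched, and the loopback check catches the /etc/hosts mistake that otherwise only shows up as clients failing to find the DC.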
You should now have a properly set up Active Directory working in your environment. Pretty easy and straight forward isn't it?