Samba 4
This document explains how to implement a Linux machine as an Active Directory controller.
Previous steps
Network
To carry out this exercise, the two machines, a Windows 10 client and a Lubuntu Linux server, will be on the same virtualized LAN, SAMBA_LAN.
The network will be 10.0.0.0/24 and both machines will have a static IP: the domain controller (DC) will have 10.0.0.10 and the client 10.0.0.20.
In addition, both machines will use the DC, 10.0.0.10, as their DNS server.
Name resolution
In the Linux server’s /etc/hosts file:
10.0.0.10 smb-dc.inaki.lan smb-dc
where smb-dc.inaki.lan and smb-dc are the server's names (the fully qualified name and the short NetBIOS name).
Installation
A set of packages must be installed. Exactly how depends on the distribution; for an Ubuntu-based distribution:
sudo apt update && sudo apt upgrade
sudo apt install samba krb5-config winbind smbclient
During the Kerberos installation, it will ask for the realm, INAKI.LAN, the Kerberos server name, SMB-DC.INAKI.LAN, and the administrative server name, SMB-DC.INAKI.LAN.
Once the installation is finished, it is necessary to move the /etc/samba/smb.conf file in order to proceed with the configuration:
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.old
Next, the machine must be promoted to domain controller. To do this, run the following command:
sudo samba-tool domain provision
The values to enter are:
- Realm: INAKI.LAN
- Domain: INAKI
- Server Role: dc
- DNS backend: SAMBA_INTERNAL
- DNS forwarder IP address: 127.0.0.53 (this is the local systemd-resolved stub listener; since that service is stopped and disabled later in this guide, lookups outside the domain will only be forwarded if a resolver reachable from the DC is entered here instead)
Finally, copy the Kerberos configuration file:
sudo cp /var/lib/samba/private/krb5.conf /etc/
Additional settings
Next, adjust name resolution. First, stop the related services:
sudo systemctl stop smbd nmbd winbind systemd-resolved
Then disable them so that they do not start automatically after a reboot:
sudo systemctl disable smbd nmbd winbind systemd-resolved
It is important to run both commands and make sure they execute correctly.
Next, make sure that the samba-ad-dc service can start without issues by removing any existing masking:
sudo systemctl unmask samba-ad-dc
Run the command and verify that it reports no errors.
Then replace the resolv.conf file. First check it by listing its directory entry, which should show a symbolic link:
sudo ls -l /etc/resolv.conf
If the check is correct, remove the link with:
sudo rm /etc/resolv.conf
and create a new resolv.conf file with the following content:
domain inaki.lan
nameserver 127.0.0.1
Finally, start and enable the samba-ad-dc service:
sudo systemctl start samba-ad-dc
sudo systemctl enable samba-ad-dc
Checks
If everything has gone correctly, a Windows client can be joined to the domain.
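Before attempting the join, the following script, added here and not part of the original guide, verifies the state the previous steps should have left on the server: the /etc/hosts entry, the replacement /etc/resolv.conf, the copied krb5.conf and, when host(1) is installed, the _ldap._tcp SRV record that a client queries to locate the DC. It assumes the guide's values (10.0.0.10, INAKI.LAN, smb-dc) and takes file paths as arguments so the checks can also be run against copies.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity checks for the DC built
# above, using the guide's values. File checks take a path so they run on copies.
set -u
DC_IP="${DC_IP:-10.0.0.10}"
REALM="${REALM:-INAKI.LAN}"
SHORT="${SHORT:-smb-dc}"
DOMAIN=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')   # inaki.lan
# /etc/hosts must map the DC address to both the FQDN and the short name.
check_hosts() {  # $1 = hosts file
    awk -v ip="$DC_IP" -v fqdn="$SHORT.$DOMAIN" -v short="$SHORT" '
        $1 == ip { for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 } }
        END { exit !(f && s) }' "$1"
}

# resolv.conf must be a plain file (the systemd-resolved link is gone)
# naming the domain and pointing at the DC's own DNS server.
check_resolv() {  # $1 = resolv.conf
    [ ! -L "$1" ] || return 1
    awk -v d="$DOMAIN" '
        $1 == "domain" && $2 == d { dom = 1 }
        $1 == "nameserver" && $2 == "127.0.0.1" { ns = 1 }
        END { exit !(dom && ns) }' "$1"
}

# The copied krb5.conf must set the provisioned realm as default_realm.
check_krb5() {  # $1 = krb5.conf
    awk -v r="$REALM" '
        /^\[/ { sect = $0 }
        { gsub(/=/, " ") }
        sect == "[libdefaults]" && $1 == "default_realm" && $2 == r { ok = 1 }
        END { exit !ok }' "$1"
}

# The internal DNS must publish the LDAP SRV record that clients use to
# locate the DC when joining; skipped when host(1) is not installed.
check_dns() {
    command -v host >/dev/null 2>&1 || return 0
    host -t SRV "_ldap._tcp.$DOMAIN" 127.0.0.1 | grep -q "$SHORT.$DOMAIN"
}

run_all() {  # exit status 1 if any check fails
    rc=0
    for c in "check_hosts /etc/hosts" "check_resolv /etc/resolv.conf" \
             "check_krb5 /etc/krb5.conf" check_dns; do
        if $c; then echo "ok   $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}
if [ "${1:-}" = run ]; then run_all; fi   # usage: sh dc-check.sh run
```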

Users, groups and GPOs
Once inside the domain, the next step will be to create users, groups, OUs and GPOs.
To do this, the RSAT capabilities must be installed from an administrative PowerShell on the Windows client:
Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
Active Directory Users and Computers
After installing the tools, the Active Directory controller can be managed directly from the Windows client using the Administrator user:

GPOs
In the same way, it is possible to create and link group policies:
