Ubuntu: Samba 4 Active Directory Domain Master

From ReceptiveIT
Jump to: navigation, search

Samba 4 has been released for a while now, and it is awesome. It can provide an active directory domain controller, complete with Kerberos and DNS. It pretends to be a Windows AD domain controller so well that you can use the Microsoft tools to administer the system. The Samba team have really produced a quality product here.

Assumptions

This document is a walkthrough of installing Samba 4 as a domain controller on Ubuntu. Most of the content will translate quite well to other distributions, but you will have to be aware that some steps might be different for you if you are not using the same distribution as I am.

[email protected]:~# cat /etc/issue
Ubuntu 12.04 LTS \n \l

Install Samba

Check version in repository

[email protected]:~# apt-cache show samba4
Package: samba4
Priority: optional
Section: universe/net
Installed-Size: 11126
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Samba Debian Maintainers <[email protected]>
Architecture: amd64
Version: 4.0.0~alpha18.dfsg1-4ubuntu2
Replaces: libsamdb0 (<< 4.0.0~alpha17~)
Depends: python, python-dnspython, python-samba, samba4-common-bin (= 4.0.0~alpha18.dfsg1-4ubuntu2), tdb-tools, debconf (>= 0.5) | debconf-2.0, upstart-job, libasn1-8-heimdal (>= 1.4.0+git20110226), libbsd0 (>= 0.0), libc6 (>= 2.14), libcomerr2 (>= 1.01), libdcerpc-server0, libdcerpc0, libgensec0, libhdb9-heimdal (>= 1.4.0+git20110226), libkdc2-heimdal (>= 1.4.0+git20110226), libkrb5-26-heimdal (>= 1.4.0+git20110226), libldb1 (>= 0.9.21), libndr-standard0, libndr0, libpopt0 (>= 1.14), libpython2.7 (>= 2.7), libroken18-heimdal (>= 1.4.0+git20110226), libsamba-credentials0, libsamba-hostconfig0, libsamba-util0, libsamdb0, libsmbclient-raw0, libtalloc2 (>= 2.0.4~git20101213), libtdb1 (>= 1.2.7+git20101214), libtevent0 (>= 0.9.12)
Recommends: attr, bind9utils, ldb-tools, samba-dsdb-modules, bind9 (>= 1:9.5.1)
Suggests: phpldapadmin, samba-gtk, swat2
Conflicts: samba (<< 2:3.3.0~rc2-5), samba-tools
Filename: pool/universe/s/samba4/samba4_4.0.0~alpha18.dfsg1-4ubuntu2_amd64.deb
Size: 1661622
MD5sum: 0802b3cc115856f78f6876c8227a9fa7
SHA1: 72ec8d980e6cd9f72186ef80759858af95430c3e
SHA256: 80d6b3e85fb44e52f12006869767bd2402d3379b3ea64db7bde3a641a8fcf8dc
Description-en: SMB/CIFS file, NT domain and active directory server (version 4)
 Samba is an implementation of the SMB/CIFS protocol for Unix systems,
 providing support for cross-platform file sharing with Microsoft Windows, OS X,
 and other Unix systems.  Samba can also function as a domain controller
 or member server in both NT4-style and Active Directory domains.
 .
 These packages contain snapshot versions of Samba 4, the next-generation
 version of Samba. These should be considered _experimental_, and should
 not be used in production.
 .
 This package contains the main daemon.
Homepage: http://www.samba.org/
Description-md5: 8e84c4537b627401748d941b993c4481
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu

Set up alternate PPA

The biggest issue with installing Samba 4 is that the versions of official binary packages from the various distributions are quite old. This is true of Debian/Ubuntu which I use extensively, but the situation is only temporary. As you can see from the above command, the current version in the repository is 4.0.0~alpha18.dfsg1-4ubuntu2 and we really want a release version. The solution for this is to use the Sernet packages from sambaenterprise.com. You will need to sign up for a free account, as the downloads are authenticated. I have documented the procedure for Ubuntu 12.04 here, but they do have packages for other distributions, and the instructions are available at [1]

[email protected]:~# wget http://ftp.sernet.de/pub/sernet-samba-keyring_1.3_all.deb 
[email protected]:~# dpkg -i sernet-samba-keyring_1.3_all.deb
[email protected]:~# vi /etc/apt/sources.list.d/samba4.list
#
# SerNet Samba 4.0 Packages
#
# (ubuntu-precise)
#
deb https://USERNAME:[email protected]/packages/samba/4.0/ubuntu precise main
deb-src https://USERNAME:[email protected]/packages/samba/4.0/ubuntu precise main
[email protected]:~# apt-get update
Ign http://archive.ubuntu.com precise InRelease
Ign http://archive.ubuntu.com precise-updates InRelease
...
Fetched 2485 kB in 5s (423 kB/s)
Reading package lists... Done

Pre install checks

Samba 4 relies on filesystem ACLs and therefore, you must be using a filesystem that supports ACLs and also ensure that ACLs are turned on. In my case, I am using ext3, so my fstab looks like this.

/dev/pve/data /var/lib/vz ext3 defaults,acl 0 1

You also need to make sure that your DNS domain matches what you want to use in your new Samba 4 AD domain.

[email protected]:/etc/samba# hostname -f
server.office.domain.com.au

Do the install

Samba 4

[email protected]:~# apt-get install sernet-samba-ad

If you want to create a brand new domain, simply

  • Select "Domain Controller"
  • Specify the administrator password

Otherwise, follow the next section on migrating from Samba 3

Kerberos user tools

[email protected]:~# apt-get install krb5-user

It doesn't matter what you answer to the questions that apt asks you, we are going to replace the config file anyway.

[email protected]:~# mv /var/lib/samba/private/krb5.conf /etc/

Migrating from Samba 3 + OpenLDAP

Checking for duplicate SIDs

On the old server, run this quick Python script to check for duplicate SIDs

#!/usr/bin/python
# A quick and dirty python script that checks for duplicat SID's using slapcat.
import os
 
data = os.popen("slapcat | grep sambaSID", 'r')
line = []
 
def anydup(thelist):
        dups = list(set([x for x in thelist if thelist.count(x) > 1]))
        for i in dups:
                print "Duplicate id: ", i
 
for each_line in data:
        line.append(each_line.strip())
 
anydup(line)

Perform classic upgrade

You will need the following from the old server

  • smb.conf
  • tdb files from /var/lib/samba
[email protected]:/# cd /root
[email protected]:~# rsync -av [email protected]:/etc/samba/smb.conf .
[email protected]'s password:
receiving incremental file list
smb.conf

sent 30 bytes  received 4220 bytes  257.58 bytes/sec
total size is 4139  speedup is 0.97

[email protected]:~# rsync -av [email protected]:/var/lib/samba .
[email protected]'s password:
receiving incremental file list
samba/
samba/account_policy.tdb
samba/group_mapping.ldb
samba/ntdrivers.tdb
samba/ntforms.tdb
samba/ntprinters.tdb
samba/passdb.tdb
samba/registry.tdb
samba/schannel_store.tdb
samba/secrets.tdb
samba/share_info.tdb
samba/wins.dat
samba/wins.tdb
samba/perfmon/
samba/printers/
samba/printers/COLOR/
samba/printers/IA64/
samba/printers/W32ALPHA/
samba/printers/W32MIPS/
samba/printers/W32PPC/
samba/printers/W32X86/
samba/printers/WIN40/
samba/printers/x64/
samba/usershares/

sent 287 bytes  received 295864 bytes  23692.08 bytes/sec
total size is 294723  speedup is 1.00

Make sure that you point ldap to where it actually is. We also want to trust the database

passdb backend = ldapsam:ldap://192.168.101.15/
ldapsam:trusted = yes

Do the upgrade

[email protected]:/# samba-tool domain classicupgrade --dbdir=/root/samba --use-xattrs=yes --realm=office.domain.com.au /root/smb.conf

Configure Samba

Samba does a pretty good job of configuring itself. Below is a typical configuration file

# Global parameters
[global]
        workgroup = DOMAIN
        realm = domain.local
        netbios name = SERVERNAME
        server role = active directory domain controller
        #
        # In case you are using bind9_dlz, you should uncomment "server services" to
        # disable the internal dns server from starting.
        #
        #server services = -dns
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/domain.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No