Ubuntu: Samba 4 Active Directory Domain Master
Samba 4 has been released for a while now, and it is awesome. It can act as an Active Directory domain controller, complete with Kerberos and DNS. It impersonates a Windows AD domain controller so well that you can use the Microsoft tools to administer the system. The Samba team have really produced a quality product here.
This document is a walkthrough of installing Samba 4 as a domain controller on Ubuntu. Most of the content will translate quite well to other distributions, but be aware that some steps might differ if you are not using the same distribution as I am.
root@server:~# cat /etc/issue
Ubuntu 12.04 LTS \n \l
Check version in repository
root@server:~# apt-cache show samba4
Package: samba4
Priority: optional
Section: universe/net
Installed-Size: 11126
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Samba Debian Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Architecture: amd64
Version: 4.0.0~alpha18.dfsg1-4ubuntu2
Replaces: libsamdb0 (<< 4.0.0~alpha17~)
Depends: python, python-dnspython, python-samba, samba4-common-bin (= 4.0.0~alpha18.dfsg1-4ubuntu2), tdb-tools, debconf (>= 0.5) | debconf-2.0, upstart-job, libasn1-8-heimdal (>= 1.4.0+git20110226), libbsd0 (>= 0.0), libc6 (>= 2.14), libcomerr2 (>= 1.01), libdcerpc-server0, libdcerpc0, libgensec0, libhdb9-heimdal (>= 1.4.0+git20110226), libkdc2-heimdal (>= 1.4.0+git20110226), libkrb5-26-heimdal (>= 1.4.0+git20110226), libldb1 (>= 0.9.21), libndr-standard0, libndr0, libpopt0 (>= 1.14), libpython2.7 (>= 2.7), libroken18-heimdal (>= 1.4.0+git20110226), libsamba-credentials0, libsamba-hostconfig0, libsamba-util0, libsamdb0, libsmbclient-raw0, libtalloc2 (>= 2.0.4~git20101213), libtdb1 (>= 1.2.7+git20101214), libtevent0 (>= 0.9.12)
Recommends: attr, bind9utils, ldb-tools, samba-dsdb-modules, bind9 (>= 1:9.5.1)
Suggests: phpldapadmin, samba-gtk, swat2
Conflicts: samba (<< 2:3.3.0~rc2-5), samba-tools
Filename: pool/universe/s/samba4/samba4_4.0.0~alpha18.dfsg1-4ubuntu2_amd64.deb
Size: 1661622
MD5sum: 0802b3cc115856f78f6876c8227a9fa7
SHA1: 72ec8d980e6cd9f72186ef80759858af95430c3e
SHA256: 80d6b3e85fb44e52f12006869767bd2402d3379b3ea64db7bde3a641a8fcf8dc
Description-en: SMB/CIFS file, NT domain and active directory server (version 4)
 Samba is an implementation of the SMB/CIFS protocol for Unix systems,
 providing support for cross-platform file sharing with Microsoft Windows,
 OS X, and other Unix systems. Samba can also function as a domain controller
 or member server in both NT4-style and Active Directory domains.
 .
 These packages contain snapshot versions of Samba 4, the next-generation
 version of Samba. These should be considered _experimental_, and should not
 be used in production.
 .
 This package contains the main daemon.
Homepage: http://www.samba.org/
Description-md5: 8e84c4537b627401748d941b993c4481
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Set up alternate PPA
The biggest issue with installing Samba 4 is that the official binary packages from the various distributions are quite old. This is true of Debian/Ubuntu, which I use extensively, but the situation is only temporary. As you can see from the command above, the current version in the repository is 4.0.0~alpha18.dfsg1-4ubuntu2, and we really want a release version. The solution is to use the Sernet packages from sambaenterprise.com. You will need to sign up for a free account, as the downloads are authenticated. I have documented the procedure for Ubuntu 12.04 here, but they do have packages for other distributions, and the instructions are available at
root@server:~# wget http://ftp.sernet.de/pub/sernet-samba-keyring_1.3_all.deb
root@server:~# dpkg -i sernet-samba-keyring_1.3_all.deb
root@server:~# vi /etc/apt/sources.list.d/samba4.list
#
# SerNet Samba 4.0 Packages
#
# (ubuntu-precise)
#
deb https://USERNAME:PASSWORD@download.sernet.de/packages/samba/4.0/ubuntu precise main
deb-src https://USERNAME:PASSWORD@download.sernet.de/packages/samba/4.0/ubuntu precise main
root@server:~# apt-get update
Ign http://archive.ubuntu.com precise InRelease
Ign http://archive.ubuntu.com precise-updates InRelease
...
Fetched 2485 kB in 5s (423 kB/s)
Reading package lists... Done
Pre install checks
Samba 4 relies on filesystem ACLs, so you must use a filesystem that supports ACLs and make sure they are turned on. In my case I am using ext3, so my fstab looks like this:
/dev/pve/data /var/lib/vz ext3 defaults,acl 0 1
You also need to make sure that your DNS domain matches the domain you want to use for your new Samba 4 AD domain:
root@server:/etc/samba# hostname -f
server.office.domain.com.au
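The two requirements above (ACLs on the filesystem that holds the Samba data, and a host name that sits inside the realm) can be checked before anything is installed. The script below is an added example and is not part of the original post. It reads a mount table in /proc/mounts format, finds the mount that holds the data directory, checks that it carries the acl option (and user_xattr, which the Samba wiki recommends alongside acl on ext3), and compares the FQDN with the realm. The sample mount table, the data directory path and the realm are constructed values; on a real host, preflight is called without the table argument.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for a Samba 4 DC.
# Assumes a mount table in /proc/mounts format (device mountpoint fstype options
# dump pass); the sample table, data directory and realm below are constructed.

# mount_point_for PATH [MOUNTS_FILE]
# Prints the mount point that holds PATH (the longest mount point that is a
# prefix of PATH), so we check the filesystem the Samba data actually lives on.
mount_point_for() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) best = mp
            }
        }
        END { print best }' "${2:-/proc/mounts}"
}

# mount_has_option MOUNTPOINT OPTION [MOUNTS_FILE]
# Prints yes if the (last) entry for MOUNTPOINT carries OPTION explicitly, else no.
# Only explicit options are seen: a filesystem whose kernel defaults already turn
# ACLs on (newer ext4, xfs) reads as "no" here and needs tune2fs/xfs_info instead.
mount_has_option() {
    opts=$(awk -v mp="$1" '$2 == mp { print $4 }' "${3:-/proc/mounts}" | tail -n 1)
    case ",$opts," in
        *,"$2",*) echo yes ;;
        *)        echo no ;;
    esac
}

# realm_matches_fqdn FQDN REALM
# The DNS domain part of the host name must equal the AD realm (case-insensitive).
realm_matches_fqdn() {
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    realm=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $fqdn in
        *.*) [ "${fqdn#*.}" = "$realm" ] && echo yes || echo no ;;
        *)   echo no ;;
    esac
}

# preflight DATA_DIR REALM [MOUNTS_FILE] [FQDN]
# Returns 0 when every check passes; prints one line per problem otherwise.
preflight() {
    data_dir=$1; want_realm=$2; table=${3:-/proc/mounts}; host_fqdn=${4:-$(hostname -f)}
    mp=$(mount_point_for "$data_dir" "$table")
    status=0
    # acl is mandatory; user_xattr is what the Samba wiki recommends alongside it on ext3
    for opt in acl user_xattr; do
        if [ "$(mount_has_option "$mp" "$opt" "$table")" != yes ]; then
            echo "WARN: $mp (holding $data_dir) is not mounted with '$opt'"
            status=1
        fi
    done
    if [ "$(realm_matches_fqdn "$host_fqdn" "$want_realm")" != yes ]; then
        echo "FAIL: host name '$host_fqdn' is not inside realm '$want_realm'"
        status=1
    fi
    return $status
}

# --- demo with a constructed mount table: the post's fstab entry (ext3 with acl)
#     plus a root filesystem mounted without it. On the real host, run
#     preflight /var/lib/samba office.domain.com.au   (no table argument).
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/pve/data /var/lib/vz ext3 rw,relatime,acl,user_xattr 0 0
EOF
preflight /var/lib/vz/samba office.domain.com.au "$SAMPLE_MOUNTS" server.office.domain.com.au \
    && echo "OK: /var/lib/vz/samba is ready"
preflight /var/lib/samba office.domain.com.au "$SAMPLE_MOUNTS" server.office.domain.com.au \
    || echo "problems found for /var/lib/samba (expected in this demo)"
rm -f "$SAMPLE_MOUNTS"
```

The mount table is taken from a file argument rather than hard-wired so the same functions can be pointed at a captured /proc/mounts from another machine, and the checks only report; nothing is remounted.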
Do the install
root@server:~# apt-get install sernet-samba-ad
If you want to create a brand new domain, simply
- Select "Domain Controller"
- Specify the administrator password
Otherwise, follow the next section on migrating from Samba 3.
Kerberos user tools
root@server:~# apt-get install krb5-user
It doesn't matter what you answer to the questions that apt asks you; we are going to replace the config file with the one Samba generated anyway.
root@server:~# mv /var/lib/samba/private/krb5.conf /etc/
Migrating from Samba 3 + OpenLDAP
Checking for duplicate SIDs
On the old server, run this quick Python script to check for duplicate SIDs (it needs to run as a user that can slapcat the directory):
#!/usr/bin/python
# A quick and dirty Python script that checks for duplicate SIDs using slapcat.
import os

# slapcat dumps the OpenLDAP database as LDIF; keep only the sambaSID lines.
data = os.popen("slapcat | grep sambaSID", 'r')
line = []

def anydup(thelist):
    # Any value that occurs more than once in the list is a duplicate.
    dups = list(set([x for x in thelist if thelist.count(x) > 1]))
    for i in dups:
        print("Duplicate id: %s" % i)

for each_line in data:
    line.append(each_line.strip())

anydup(line)
Perform classic upgrade
You will need the following from the old server:
- smb.conf from /etc/samba
- tdb files from /var/lib/samba
root@server:/# cd /root
root@server:~# rsync -av root@OLDSERVER:/etc/samba/smb.conf .
root@OLDSERVER's password:
receiving incremental file list
smb.conf

sent 30 bytes  received 4220 bytes  257.58 bytes/sec
total size is 4139  speedup is 0.97
root@server:~# rsync -av root@OLDSERVER:/var/lib/samba .
root@OLDSERVER's password:
receiving incremental file list
samba/
samba/account_policy.tdb
samba/group_mapping.ldb
samba/ntdrivers.tdb
samba/ntforms.tdb
samba/ntprinters.tdb
samba/passdb.tdb
samba/registry.tdb
samba/schannel_store.tdb
samba/secrets.tdb
samba/share_info.tdb
samba/wins.dat
samba/wins.tdb
samba/perfmon/
samba/printers/
samba/printers/COLOR/
samba/printers/IA64/
samba/printers/W32ALPHA/
samba/printers/W32MIPS/
samba/printers/W32PPC/
samba/printers/W32X86/
samba/printers/WIN40/
samba/printers/x64/
samba/usershares/

sent 287 bytes  received 295864 bytes  23692.08 bytes/sec
total size is 294723  speedup is 1.00
In the copied smb.conf, make sure that the passdb backend points at the LDAP server where it actually is. We also want Samba to trust the database:
passdb backend = ldapsam:ldap://192.168.101.15/
ldapsam:trusted = yes
Do the upgrade
root@server:/# samba-tool domain classicupgrade --dbdir=/root/samba --use-xattrs=yes --realm=office.domain.com.au /root/smb.conf
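The migration steps above (copy smb.conf and the tdb files, fix the passdb backend, run classicupgrade) can be wrapped so that the upgrade only starts once the copied configuration says what we expect. The script below is an added example and is not part of the original post or the Samba project; it assumes the old server's files were rsynced to /root as shown, uses the LDAP address and realm from the post, and works on a constructed Samba 3 smb.conf for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: get the copied Samba 3 smb.conf into
# the shape classicupgrade needs and run the upgrade only after checking it. Assumes
# the old server's files were rsynced to /root as above; the LDAP address and realm
# are the post's. The sample smb.conf below is constructed. This is not Samba project code.

# smb_get_param SECTION PARAM FILE
# Prints PARAM's value in [SECTION]; names are case-insensitive and the last
# definition wins, which is how Samba itself resolves repeated parameters.
smb_get_param() {
    awk -v want_sec="$1" -v want_key="$2" '
        BEGIN { want_sec = tolower(want_sec); want_key = tolower(want_key) }
        /^[[:space:]]*[;#]/ { next }                       # comments
        /^[[:space:]]*\[/ {                                # [section] header
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(sec); next
        }
        sec == want_sec && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == want_key) found = v
        }
        END { print found }' "$3"
}

# smb_set_global PARAM VALUE FILE
# Drops every existing definition of PARAM in [global] and writes exactly one,
# right under the [global] header, so a stale "passdb backend" cannot linger.
smb_set_global() {
    tmp=$(mktemp)
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" -v line="   $1 = $2" '
        /^[[:space:]]*\[/ {
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); sec = tolower(sec)
            print
            if (sec == "global") { print line; seen = 1 }
            next
        }
        sec == "global" && $0 !~ /^[[:space:]]*[;#]/ && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == want) next                   # drop the old definition
        }
        { print }
        END { if (!seen) { print "[global]"; print line } }' "$3" > "$tmp" && mv "$tmp" "$3"
}

# prepare_for_classicupgrade FILE LDAP_HOST
# The two settings the post calls for: point ldapsam at the real LDAP server and
# tell Samba to trust the directory's data.
prepare_for_classicupgrade() {
    smb_set_global "passdb backend" "ldapsam:ldap://$2/" "$1"
    smb_set_global "ldapsam:trusted" "yes" "$1"
}

# run_classicupgrade FILE DBDIR REALM
# Refuses to start unless the backend is an ldapsam URI and the tdb copy looks
# complete (secrets.tdb is in the rsync listing above); then runs the post's command.
run_classicupgrade() {
    backend=$(smb_get_param global "passdb backend" "$1")
    case $backend in
        ldapsam:ldap://*) ;;
        *) echo "refusing: passdb backend is '$backend', not an ldapsam URI" >&2; return 1 ;;
    esac
    [ -f "$2/secrets.tdb" ] || { echo "refusing: $2/secrets.tdb not found" >&2; return 1; }
    samba-tool domain classicupgrade --dbdir="$2" --use-xattrs=yes --realm="$3" "$1"
}

# --- demo on a constructed Samba 3 smb.conf (not the post's real file)
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
[global]
   workgroup = DOMAIN
   Passdb Backend = ldapsam:ldap://localhost/
   ldap suffix = dc=domain,dc=local
   domain logons = yes

[homes]
   browseable = no
EOF
prepare_for_classicupgrade "$DEMO_CONF" 192.168.101.15
echo "passdb backend is now: $(smb_get_param global 'passdb backend' "$DEMO_CONF")"
rm -f "$DEMO_CONF"
# On the real server, once /root/smb.conf reads correctly:
#   run_classicupgrade /root/smb.conf /root/samba office.domain.com.au
```

The old definition is removed rather than edited in place because a second passdb backend line further down [global] would silently win over the one at the top, and the upgrade would then read the wrong directory.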
Samba does a pretty good job of configuring itself. Below is a typical configuration file:
# Global parameters
[global]
    workgroup = DOMAIN
    realm = domain.local
    netbios name = SERVERNAME
    server role = active directory domain controller

    #
    # In case you are using bind9_dlz, you should uncomment "server services" to
    # disable the internal dns server from starting.
    #
    #server services = -dns

    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/domain.local/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
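Once samba is running with a configuration like the one above, a few checks confirm that the DC is actually usable by clients: the SRV records Windows machines use to find a DC must resolve, the netlogon and sysvol shares must be offered, and samba-tool must be able to read the domain. The script below is an added example and not part of the original post or the Samba project; it assumes the realm from the post, that host (from bind9utils) and smbclient are installed, and that samba-tool is on the path.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the freshly
# provisioned DC. Assumes the realm from the post and the host, smbclient and
# samba-tool commands; none of this is the Samba project's own test code.

# srv_names REALM: the SRV records an AD DC publishes for its realm, one per line.
# Clients locate the DC through these, so a missing one breaks joins and logons.
srv_names() {
    realm=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "_ldap._tcp.$realm" "_kerberos._tcp.$realm" \
                  "_kerberos._udp.$realm" "_kpasswd._tcp.$realm"
}

# missing_shares: reads `smbclient -L` output on stdin and prints each of the two
# shares every DC must offer (netlogon, sysvol) that is absent from the listing.
missing_shares() {
    listing=$(tr '[:upper:]' '[:lower:]')
    for share in netlogon sysvol; do
        printf '%s\n' "$listing" |
            awk -v s="$share" '$1 == s && $2 == "disk" { found = 1 } END { exit !found }' \
            || echo "$share"
    done
}

# verify_dc REALM: run the checks against the local server and report.
verify_dc() {
    want_realm=$1; status=0
    for name in $(srv_names "$want_realm"); do
        if host -t SRV "$name" >/dev/null 2>&1; then
            echo "ok    SRV $name"
        else
            echo "FAIL  SRV $name does not resolve"; status=1
        fi
    done
    # anonymous listing is enough to see share names; an empty listing reports both
    for share in $(smbclient -L localhost -U% 2>/dev/null | missing_shares); do
        echo "FAIL  share $share not offered by localhost"; status=1
    done
    if samba-tool domain level show >/dev/null 2>&1; then
        echo "ok    samba-tool can read the domain"
    else
        echo "FAIL  samba-tool cannot read the domain"; status=1
    fi
    return $status
}

# Usage on the new DC:
#   verify_dc office.domain.com.au
```

Run it with the internal DNS server and again after switching to bind9_dlz: if the SRV checks start failing only after the switch, the internal server was still answering before and the bind9 zone is what needs attention.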