
Raising a Domain Controller on Ubuntu Server

This option can be useful for small organizations whose workstations run Windows.
There is no need to buy a Windows Server (far from cheap) to run AD, plus CAL licenses for clients to access the domain controller.
In the end you get the benefits of AD: group policies, granular access rights to resources, and so on.

I have tried to write down a detailed, step-by-step procedure for setting up an Active Directory (AD) Domain Controller (DC) on Ubuntu Server.

We will set up the domain controller on Ubuntu Server 12.04.4 LTS or Ubuntu Server 13.10; the instructions apply to both without changes.

1. Installing Ubuntu

Installing Ubuntu Server should not cause problems even for ordinary computer users.
During the OS installation it is best to set the machine's network name (hostname) with the domain included right away (I use dc1.domain.local), so that fewer configuration files need editing later.
If there is no DHCP server on the network, the installer will ask for the IP address, network mask, gateway and DNS server.
It is also advisable to install the OpenSSH server during installation, so that you have remote access to the machine, and to set the time zone correctly (Kerberos, which AD relies on, needs the clocks of the DC and the clients to agree).
2. Configure Network Adapter Settings

The network settings are stored in the file /etc/network/interfaces.
Edit it to taste; nano, vi or any other editor will do.
Editing these files requires root rights. One way to get them is
 sudo su 
after which you work as root.
The # sign in the command prompt shows that you are working as root.
Alternatively, put sudo in front of every command that needs root access:
 sudo nano /etc/network/interfaces 

Your network interface configuration most likely reads
iface eth0 inet dhcp
Change it to use a static IP address.
In my case the settings look like this:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.10.1
netmask 255.255.255.0
gateway 192.168.10.10
dns-nameservers 192.168.10.10
dns-search domain.local domain
After changing the network settings, restart the networking service:
 /etc/init.d/networking restart 

3. Install the necessary packages

If you did not install the OpenSSH server in the first step, you can do so now with
 apt-get install ssh 

Before installing anything else, update the package lists and upgrade the installed packages:
 apt-get update && apt-get upgrade 

So that the computers on the network can synchronize their clocks with our server, install the NTP server (Kerberos rejects clients whose clocks drift too far from the DC):
 apt-get install ntp 

We will use the latest Samba4 version and build it from source, so we need the packages required to build and run it:
 apt-get install git checkinstall build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr docbook-xsl libcups2-dev acl 

4. Build Samba4

Samba needs extended-attribute (user_xattr) and ACL support on the file system, so edit /etc/fstab and add user_xattr,acl,barrier=1 to the mount options of the root partition /
 nano /etc/fstab 
You should end up with a line something like this:
/dev/mapper/dc1--vg-root / ext4 user_xattr,acl,barrier=1,errors=remount-ro 0 1
then reboot the machine
 reboot 
and do not forget to regain root rights afterwards
 sudo su 

Download the latest stable version of Samba from the Git repository
 cd /usr/src 
 git clone -b v4-1-stable git://git.samba.org/samba.git samba-v4-1-stable 

Configure, compile and install Samba
 cd samba-v4-1-stable && ./configure --enable-debug && make && checkinstall 
The --enable-debug option makes Samba write more detailed information to its logs.

After Samba has been built and installed (this takes a long time), for convenience add the directories with its executables, /usr/local/samba/sbin and /usr/local/samba/bin, to the secure_path variable in /etc/sudoers and to the PATH variable in /etc/environment by appending :/usr/local/samba/sbin:/usr/local/samba/bin to them
 nano /etc/sudoers 
(visudo is the safer way to edit this file, since it checks the syntax before saving; a broken sudoers locks you out of sudo.) The line should look something like this:
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/samba/sbin:/usr/local/samba/bin"
 nano /etc/environment 
The line should look something like this:
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/samba/sbin:/usr/local/samba/bin"

Reboot once more, just in case
 reboot 

5. Raise AD

We will use Samba's internal DNS server for AD, so stop and disable bind9 with the command
 service bind9 stop && update-rc.d bind9 disable 

Samba includes samba-tool for managing AD.
For the initial Samba setup, run
 samba-tool domain provision 

If you specified the computer name correctly in the first step, all the settings the tool asks for can be left at their defaults.
During provisioning you will be asked for the password of the AD Administrator user; it must meet the default complexity requirements: at least one upper-case letter, at least one digit, and at least 8 characters.
If the password did not meet the complexity rules and you saw an error like this:
ERROR(ldb): uncaught exception - 0000052D: Constraint violation - check_password_restrictions: the password is too short. It should be equal or longer than 7 characters!
then, before running the provisioning again, you must delete the contents of the /usr/local/samba/private/ and /usr/local/samba/etc/ directories.
If you need to change the password policy, you can do so with the command
 samba-tool domain passwordsettings set --min-pwd-length=6 --complexity=off --max-pwd-age=0 --min-pwd-age=0 
This command turns off the complexity requirement, disables password expiration and sets the minimum password length to 6 characters.

Next, tweak the Samba settings by adding the following lines to the [global] section
 nano /usr/local/samba/etc/smb.conf 
allow dns updates = nonsecure and secure
printing = bsd
printcap name = /dev/null
This lets workstations (running Windows) update their DNS records on the server dynamically when they join the domain, and disables printing support, which otherwise constantly produces errors in the log. Note that "nonsecure and secure" accepts DNS updates from any host without authentication; Samba's default, "secure only", accepts only Kerberos-signed updates, which domain-joined Windows clients perform anyway, so it is worth returning to the default once the clients are joined.
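The two settings this guide loosens, "allow dns updates" in smb.conf and the domain password policy set with samba-tool domain passwordsettings, are easy to forget about later. The following audit helpers are an added example, not part of the original post or of Samba: each function reads the relevant text on stdin (cat of smb.conf, or the output of "samba-tool domain passwordsettings show"), and the samples at the bottom are constructed from this guide's own values; the exact labels printed by passwordsettings show are assumed to match Samba 4.1.

```shell
#!/bin/sh
# Audit helpers for a Samba 4 AD DC (added example, not from the original post).
# Each function reads text on stdin so it works on real files/command output
# or on the constructed samples below.

# Verdict for "allow dns updates": OK (secure only, the Samba default), WEAK
# (unauthenticated updates accepted, so any host on the LAN can rewrite records),
# or UNSET (option absent, so the default applies).
check_dns_updates() {
    val=$(sed -n 's/^[[:space:]]*allow dns updates[[:space:]]*=[[:space:]]*//p' | tail -n 1 | tr -d '\r')
    case "$val" in
        "secure only") echo OK ;;
        "")            echo UNSET ;;
        *)             echo "WEAK ($val)" ;;
    esac
}

# Prints one "WEAK: ..." line per risky value found in the output of
# "samba-tool domain passwordsettings show"; prints nothing if the policy is at
# or above the Samba defaults (complexity on, length >= 7, passwords expire).
audit_password_policy() {
    while IFS= read -r line; do
        key=${line%%:*}
        val=$(echo "${line#*:}" | tr -d ' \r')
        case "$key" in
            "Password complexity")
                [ "$val" = "on" ] || echo "WEAK: complexity is $val" ;;
            "Minimum password length")
                [ "$val" -ge 7 ] || echo "WEAK: minimum length $val < 7" ;;
            "Maximum password age (days)")
                [ "$val" -ne 0 ] || echo "WEAK: passwords never expire" ;;
        esac
    done
}

# Constructed samples: the smb.conf lines from this guide and the policy after
# "samba-tool domain passwordsettings set --min-pwd-length=6 --complexity=off --max-pwd-age=0".
SAMPLE_SMBCONF='[global]
allow dns updates = nonsecure and secure
printing = bsd'
SAMPLE_POLICY='Password complexity: off
Minimum password length: 6
Minimum password age (days): 0
Maximum password age (days): 0'

printf '%s\n' "$SAMPLE_SMBCONF" | check_dns_updates      # WEAK (nonsecure and secure)
printf '%s\n' "$SAMPLE_POLICY"  | audit_password_policy   # three WEAK lines
```

On the DC itself, run "cat /usr/local/samba/etc/smb.conf | check_dns_updates" and "samba-tool domain passwordsettings show | audit_password_policy" after sourcing the script.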

In the file /etc/resolvconf/resolv.conf.d/head, specify our Samba DNS server, 127.0.0.1
 echo "nameserver 127.0.0.1" >> /etc/resolvconf/resolv.conf.d/head 
and restart the resolvconf service
 service resolvconf restart 

Also install the Kerberos client
 apt-get install krb5-user 
and point it at our AD using the file generated during samba-tool domain provision
 mv /etc/krb5.conf /etc/krb5.conf.old 
 cp /usr/local/samba/private/krb5.conf /etc/krb5.conf 

To start the Samba service automatically, you need an init script:
 nano /etc/init.d/samba4 
with the following contents:
 #! /bin/sh
 ### BEGIN INIT INFO
 # Provides:          samba4
 # Required-Start:    $network $local_fs $remote_fs
 # Required-Stop:     $network $local_fs $remote_fs
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: start Samba daemons
 ### END INIT INFO
 #
 # Start/stops the Samba daemon (samba).
 # Adapted from the Samba 3 packages.
 #

 PIDDIR=/var/run/samba
 SAMBAPID=$PIDDIR/samba.pid

 # clear conflicting settings from the environment
 unset TMPDIR

 # See if the daemon and the config file are there
 test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf || exit 0

 . /lib/lsb/init-functions

 case "$1" in
     start)
         log_daemon_msg "Starting Samba 4 daemon" "samba"
         # Make sure we have our PIDDIR, even if it's on a tmpfs
         install -o root -g root -m 755 -d $PIDDIR

         if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
             log_end_msg 1
             exit 1
         fi

         log_end_msg 0
         ;;
     stop)
         log_daemon_msg "Stopping Samba 4 daemon" "samba"
         # --pidfile tells start-stop-daemon which process to signal
         start-stop-daemon --stop --quiet --name samba --pidfile $SAMBAPID

         # Wait a little and remove stale PID file
         sleep 1
         if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
         then
             # Stale PID file (samba was successfully stopped),
             # remove it (should be removed by samba itself IMHO.)
             rm -f $SAMBAPID
         fi
         log_end_msg 0
         ;;
     restart|force-reload)
         $0 stop
         sleep 1
         $0 start
         ;;
     *)
         echo "Usage: /etc/init.d/samba4 {start|stop|restart|force-reload}"
         exit 1
         ;;
 esac

 exit 0

Make it executable
 chmod 755 /etc/init.d/samba4 

and register it in the default runlevels
 update-rc.d samba4 defaults 

Reboot the computer
 reboot 

6. Checking that the server works

Samba must be running after the reboot.
 ps aux | grep samba 
root 865 0.3 3.0 95408 31748 ? Ss 18:59 0:00 /usr/local/samba/sbin/samba -D

The DNS server should answer queries
 nslookup dc1 
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: dc1.domain.local
Address: 192.168.10.1

The AD network shares must be available.
 smbclient -L localhost -U% 
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.6]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.6)
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.6]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

Kerberos must be able to log you in
 kinit administrator 
Warning: Your password will expire in 41 days on Wed Apr 23 18:49:14 2014

A Kerberos ticket must now be cached
 klist 
Valid starting       Expires              Service principal
03/12/2014 19:17     03/13/2014 05:17     krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL

Authentication to the netlogon share must succeed
 smbclient //localhost/netlogon -UAdministrator -c 'ls' 
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.6]
  .                                   D        0  Wed Mar 12 18:46:48 2014
  ..                                  D        0  Wed Mar 12 18:49:15 2014


That's all.
You can now join clients to the domain and create users.

AD can be managed:
partly with samba-tool on Ubuntu
with the Administration Tools Pack on Windows XP
with Remote Server Administration Tools (RSAT) on Windows 7 and later

This post can be considered a kind of translation of the official Samba wiki, which is located at:
wiki.samba.org/index.php/Samba_AD_DC_HOWTO , with my additions.

PS If anyone is interested, I can also write a "manual" on joining a backup domain controller on Ubuntu to the domain.

Source: https://habr.com/ru/post/215573/
