
Turning Ubuntu Server into a domain controller using samba-tool

What do you do when you need a domain controller but want to save money? Today we present one answer to this question: Samba, Ubuntu Server, and how to set them up quickly and correctly.

With Samba, you can turn a server running a Linux-family OS into an Active Directory domain controller (DC). The DC that we are going to set up can work as a Windows NT4 domain controller. It is suitable for centralized storage of user and computer accounts.

Note that we will not cover creating an Active Directory primary domain controller (PDC), although the Ubuntu Server / Samba combination discussed here (with the addition of OpenLDAP) may well play that role.

So, our goal is to get an AD DC quickly and economically. The interactive tool samba-tool, which automates preparing the server for work, will help us with this: it creates the configuration file /etc/samba/smb.conf.

Let's start by installing the necessary software.

Installation


The first step is to install the Samba and Winbind packages on the server. You can do this with the following command:

 sudo apt install samba libpam-winbind 

Installation time is short, even considering that the system may need to download some dependencies.

After installation, you can proceed to configuration.

Preparing to set up


Before running samba-tool, check /etc/hosts to make sure that the FQDN and the IP address of the domain controller are correct. It should contain something like this:

 127.0.0.1 localhost.localdomain
 IP_ADDRESS_OF_SERVER localhost
 IP_ADDRESS_OF_SERVER SAMBADOM.EXAMPLE.NET SAMBADOM

Here IP_ADDRESS_OF_SERVER is the real address of the Samba server. Check that the file contains actual data.

Next, set the host name of the server. As the /etc/hosts fragment above shows, in our case the host name is SAMBADOM. To configure it, open the /etc/hostname file and change it accordingly. Then restart the server.

After the server restarts, you need to delete the existing smb.conf file, as well as any Samba database files (these are .tdb and .ldb files). In order to find the directories containing these files, run the following commands:

 smbd -b | grep "CONFIGFILE"
 smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"

The figure below shows the output of these commands, which you can use to locate and remove the unnecessary files. If no such files exist on the system, you can move straight on.


Search for files to delete
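
One way to carry out this cleanup without losing anything, as an added example that is not part of the original article: the script reads the paths reported by smbd -b and moves smb.conf and every .tdb/.ldb file into a backup directory instead of deleting them. The sample smbd -b output, the function names and the backup location /root/samba-pre-provision are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): stash stale Samba files
# instead of deleting them, driven by the paths that `smbd -b` reports.

# Constructed sample of `smbd -b` output for a dry run; not from a real host.
SAMPLE_SMBD_B='Paths:
   SBINDIR: /usr/sbin
   CONFIGFILE: /etc/samba/smb.conf
   LOCKDIR: /run/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PRIVATE_DIR: /var/lib/samba/private'

# stdin: `smbd -b` output. Prints the config file and the database directories.
samba_build_paths() {
    awk '$1 ~ /^(CONFIGFILE|LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR):$/ { print $2 }' | sort -u
}

# stdin: `smbd -b` output; $1: root prefix ("" on a real server).
# Prints smb.conf plus every .tdb/.ldb file, once each (PRIVATE_DIR usually
# sits inside STATEDIR, so the same file can be found twice).
list_stale_samba_files() {
    samba_build_paths | while IFS= read -r p; do
        if [ -f "$1$p" ]; then
            printf '%s\n' "$1$p"
        elif [ -d "$1$p" ]; then
            find "$1$p" -type f \( -name '*.tdb' -o -name '*.ldb' \)
        fi
    done | sort -u
}

# stdin: `smbd -b` output; $1: root prefix; $2: backup directory.
# Moves each stale file under $2, keeping its path, and prints how many moved.
stash_stale_samba_files() (
    umask 077                      # the private directory holds secrets
    list=$(mktemp) && n=0
    list_stale_samba_files "$1" > "$list"
    while IFS= read -r f; do
        rel=${f#"$1"}
        mkdir -p "$2$(dirname "$rel")"
        mv "$f" "$2$rel"
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
)

# Real use, as root:  smbd -b | stash_stale_samba_files "" /root/samba-pre-provision
```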

Using samba-tool


Now it's time to use samba-tool. We will run it interactively with the following command:

 sudo samba-tool domain provision --use-rfc2307 --interactive 

By running the command with the --use-rfc2307 switch, we enable the NIS extensions. samba-tool will offer to configure the following parameters:


After the system receives answers to its questions, samba-tool configures Samba as a domain controller. You can view the /etc/samba/smb.conf file and, if necessary, make changes to it.

Take care of Samba user registration before proceeding. This step is very important: otherwise users will not be able to authenticate. This is done with the following commands:

 smbpasswd -a USERNAME
 smbpasswd -e USERNAME

Here USERNAME is the name of an existing user to add to Samba. You will need to enter the password only after entering the first command. The first command adds a new user and asks for a password for it; the second one activates the created account.

DNS server setup


The domain controller needs to use itself as its DNS server. To do this, edit the /etc/network/interfaces file, bringing it to this form:

 auto INTERFACE_NAME
 iface INTERFACE_NAME inet static
     address IP_ADDRESS_FOR_SERVER
     netmask NETMASK
     gateway GATEWAY
     dns-nameservers IP_ADDRESS_FOR_SERVER

This fragment also configures the network interface to use a static IP address. Please note that everything typed in CAPITAL letters must be set in accordance with the parameters of your system.

After making the settings, restart the network services with this command:

 sudo service networking restart 

In addition, edit the /etc/resolv.conf file, making changes that are consistent with those mentioned above. Namely, here we are interested in the following line:

 nameserver IP_ADDRESS_FOR_SERVER 

Here, instead of IP_ADDRESS_FOR_SERVER, you need to enter the same address that was set in the dns-nameservers line above.
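
The address written into /etc/hosts, /etc/network/interfaces and /etc/resolv.conf has to be the same one in all three files; the following check, an added example that is not part of the original article, compares them. The address 192.0.2.10, the interface name eth0 and the function names are assumptions, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: confirm the DC resolves itself.
# 192.0.2.10 and eth0 are placeholder values; the sample files are constructed.

# $1: hosts file, $2: FQDN. Prints every address the FQDN is mapped to.
hosts_addrs() {
    awk -v n="$2" '!/^[ \t]*#/ { for (i = 2; i <= NF; i++)
        if (tolower($i) == tolower(n)) print $1 }' "$1" | sort -u | paste -s -d ' ' -
}
# $1: interfaces file, $2: keyword. Prints the first value of that keyword.
iface_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }
# $1: resolv.conf. Prints the first nameserver, the one queried first.
first_nameserver() { awk '$1 == "nameserver" { print $2; exit }' "$1"; }

# $1: hosts, $2: interfaces, $3: resolv.conf, $4: FQDN of the DC.
# Prints one line per mismatch; status 0 only if every file names the same IP.
check_dc_self_dns() (
    addr=$(iface_value "$2" address); rc=0
    [ -n "$addr" ] || { echo "interfaces: no static address"; exit 1; }
    h=$(hosts_addrs "$1" "$4")
    # A second mapping (for example a loopback entry) is also a mismatch.
    [ "$h" = "$addr" ] || { echo "hosts: $4 -> ${h:-nothing}, want $addr"; rc=1; }
    d=$(iface_value "$2" dns-nameservers)
    [ "$d" = "$addr" ] || { echo "interfaces: dns-nameservers ${d:-unset}, want $addr"; rc=1; }
    r=$(first_nameserver "$3")
    [ "$r" = "$addr" ] || { echo "resolv.conf: nameserver ${r:-unset}, want $addr"; rc=1; }
    exit "$rc"
)

# Writes a constructed, consistent set of the three files into directory $1.
write_sample_files() {
    printf '%s\n' '127.0.0.1 localhost.localdomain' '192.0.2.10 localhost' \
        '192.0.2.10 SAMBADOM.EXAMPLE.NET SAMBADOM' > "$1/hosts"
    printf '%s\n' 'auto eth0' 'iface eth0 inet static' ' address 192.0.2.10' \
        ' netmask 255.255.255.0' ' gateway 192.0.2.1' \
        ' dns-nameservers 192.0.2.10' > "$1/interfaces"
    printf 'nameserver 192.0.2.10\n' > "$1/resolv.conf"
}

# Real use: check_dc_self_dns /etc/hosts /etc/network/interfaces /etc/resolv.conf FQDN
```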

Kerberos Setup


Kerberos has its own standard configuration file, which needs to be replaced with the krb5.conf file generated during Samba preparation. To do this, run the following commands:

 sudo mv /etc/krb5.conf /etc/krb5.conf.orig
 sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

Please note that the /etc/krb5.conf file may be absent from the system. If so, it is enough to run only the second of the above commands.

We test and connect


The hardest part is behind us. Now everything is ready to test the newly created Samba domain controller and connect to it. To quickly check whether everything works, you can use this command:

 smbclient -L localhost -U% 

After entering the Samba user password, you should see a message about successful connection.


Successful connection

As you can see, the smbclient check shows netlogon and sysvol as shared resources. They are created by default and must exist on a domain controller. In addition, you should place any login scripts that clients need in /var/lib/samba/sysvol/REALM/scripts. Here REALM corresponds to the REALM parameter that was specified while working with the samba-tool command.

Results


Now the domain controller is ready to accept connections. However, you may have to edit the /etc/samba/smb.conf file and add settings that reflect your server requirements. This file, generated by samba-tool, is very concise, although it is a good starting point for fine-tuning your AD DC built on Samba and Ubuntu Server.

Dear readers! What are the most interesting and useful options for interaction between the Linux and Windows ecosystems?

Source: https://habr.com/ru/post/323860/

