projectz

Tech, Gadgets, Photography, Social Media and Poor Spelling

Creating an AD Server for Free using Ubuntu and Samba

While being a huge fan of the GNU/Linux OS, I do also live in the real world, which means using Active Directory Domain Controllers and Windows networks. This week, however, I've had to build a stand-alone AD network for a project. That got me thinking about a project I built for a school 6 years ago, where I did the same thing with Samba on Fedora.

To this day it still amazes me that I could create a simple Windows AD infrastructure for a set of Windows PCs in a classroom to log on to, and use a batch file to apply drive mappings and the like for the students on the Windows workstations. For small businesses this is a potentially great way to get the company networked on the cheap.

The instructions were for the most part obtained from

Egon Rath's Notes

who has put together a pretty good guide on using the latest Ubuntu 12.04 and Samba 4 to get your AD server up and running. I've added some comments which assisted me.

The guide used Ubuntu 12.04 Server, and if you're not sure how to install that, head over to this article on HowtoForge and complete pages 1 to 3, finishing at step 5.

If you want to use your own subnet and IP addressing scheme, do so, but substitute it consistently everywhere the addresses below appear; the same goes for the domain name and the host name.

Network parameters we will use are:

Network name: demo.local
IP range: 192.168.99.0/24
Domain controller: vupapsam401.demo.local at 192.168.99.200

Base System and Samba 4

Step 1: Install a Ubuntu 12.04 System (as above)
Step 2: Configure the network to use a static address. Edit /etc/network/interfaces:

auto lo eth0
iface lo inet loopback
iface eth0 inet static
address 192.168.99.200
netmask 255.255.255.0
gateway 192.168.99.254
dns-nameservers 192.168.99.200 192.168.99.254
dns-search demo.local

Step 3: Add the basic host entries so the name resolves without DNS

Edit /etc/hosts and insert (the fully qualified name must come first after the address, because the first name on the line is what hostname -f returns):

127.0.0.1       localhost
192.168.99.200  vupapsam401.demo.local vupapsam401

I should note here: if you don't complete steps 1 to 3, the rest of this won't work. The hostname has to resolve correctly and the server has to have a static IP address. On Ubuntu 12.04 I also found I had to do the following.

/etc/hosts

127.0.0.1       localhost.localdomain   localhost
192.168.99.200  vupapsam401.demo.local  vupapsam401
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now run

echo vupapsam401.demo.local > /etc/hostname

/etc/init.d/hostname restart

Afterwards both hostname and hostname -f should print vupapsam401.demo.local; the DNS checks further down depend on this.
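As an added example (not part of the original post or of Egon Rath's guide), here is a small POSIX shell script that checks the /etc/hosts setup the following steps depend on: the DC's fully qualified name and its short name must both map to the static address, and must not map to loopback, which is what the Ubuntu installer's default "127.0.1.1 hostname" line does. It uses the guide's names and addresses (vupapsam401.demo.local, 192.168.99.200); the hosts-file contents it runs against are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the /etc/hosts and
# hostname setup that Samba provisioning depends on. Names and addresses are
# the ones used in this guide; the sample hosts-file contents are constructed.

# Print the first address in hosts file $1 whose line lists $2 as a name.
# Comments are stripped first, so a commented-out entry does not count.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print $1; exit }
        }' "$1"
}

# Verify that $2 (the DC FQDN) and its short name both map to $3, the static
# address, in hosts file $1. A loopback mapping is rejected explicitly: the
# Ubuntu installer writes "127.0.1.1 <hostname>" by default, and a DC whose
# own name resolves to loopback advertises a useless address to its clients.
check_dc_hosts() {
    file=$1; fqdn=$2; expected=$3
    short=${fqdn%%.*}
    ip=$(hosts_lookup "$file" "$fqdn")
    if [ -z "$ip" ]; then
        echo "FAIL: $fqdn has no entry in $file"
        return 1
    fi
    case $ip in
        127.*)
            echo "FAIL: $fqdn maps to loopback $ip; point it at the static address instead"
            return 1 ;;
    esac
    if [ "$ip" != "$expected" ]; then
        echo "FAIL: $fqdn maps to $ip, expected $expected"
        return 1
    fi
    short_ip=$(hosts_lookup "$file" "$short")
    if [ "$short_ip" != "$expected" ]; then
        echo "FAIL: short name $short maps to '${short_ip:-nothing}', expected $expected"
        return 1
    fi
    echo "OK: $fqdn and $short both map to $expected"
}

# Live check for the machine you are on: hostname -f must return the FQDN.
check_live_hostname() {
    fqdn=$1
    actual=$(hostname -f 2>/dev/null)
    if [ "$actual" = "$fqdn" ]; then
        echo "OK: hostname -f returns $fqdn"
    else
        echo "FAIL: hostname -f returns '${actual:-nothing}', expected $fqdn"
        return 1
    fi
}

# Demonstration on constructed hosts-file contents: first the entry from this
# guide, then the installer default that breaks provisioning.
demo=$(mktemp)
printf '127.0.0.1\tlocalhost.localdomain\tlocalhost\n192.168.99.200\tvupapsam401.demo.local vupapsam401\n' > "$demo"
check_dc_hosts "$demo" vupapsam401.demo.local 192.168.99.200
printf '127.0.0.1\tlocalhost\n127.0.1.1\tvupapsam401.demo.local vupapsam401\n' > "$demo"
check_dc_hosts "$demo" vupapsam401.demo.local 192.168.99.200 || true
rm -f "$demo"
# On the DC itself, run:
#   check_dc_hosts /etc/hosts vupapsam401.demo.local 192.168.99.200
#   check_live_hostname vupapsam401.demo.local
```

The lookup is case-insensitive because host names are, and it skips commented-out lines, so a stale entry left behind as a comment cannot mask a missing one.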

Step 4: Install the Samba 4 packages

apt-get install samba4

The installation will throw an error and apt will leave the package half-configured. As the error isn't relevant to us, we fix the package by manually marking it as installed:

  1. Edit /var/lib/dpkg/status and search for "Package: samba4"
  2. Replace "half-configured" with "installed"

Now we are going to build the Active Directory domain:

rm /etc/samba/smb.conf
/usr/share/samba/setup/provision --realm=demo.local --domain=DEMO --adminpass='Test123' --server-role=dc

This sets up everything needed for running a domain (LDAP, Kerberos, ...). Replace 'Test123' with a strong password: it is the domain Administrator credential, and given on the command line it also ends up in your shell history.

Next step is to start Samba:

initctl start samba4

Step 5: Testing our installation

apt-get install samba4-clients
smbclient -L localhost -U%

The last command should display the shares currently defined and served by the server. It should look something like:

Sharename       Type       Comment
---------       ----       -------
netlogon        Disk
sysvol          Disk
IPC$            IPC        IPC Service

Bind Name Server

We also need a naming service in our network to resolve hosts and services. Active Directory uses DNS to discover a large number of services, so here we go:

Step 1: Install Bind

apt-get install bind9

Step 2: Configure Bind

Now you need to edit the Bind configuration file to include the configuration Samba generated for it; Active Directory relies heavily on special DNS entries (SRV records) to find services on the network.

Edit /etc/bind/named.conf and append the following line at the end (the terminating semicolon is required; without it Bind refuses to start, which is the problem reported in the comments below):

include "/var/lib/samba/private/named.conf";

Step 3: Adapt the AppArmor configuration

As Ubuntu confines its services using AppArmor, we need to make sure that Bind has the rights to access the files provided by Samba.

Edit /etc/apparmor.d/usr.sbin.named and append the following entries:

/var/lib/samba/private/** rkw,
/var/lib/samba/private/dns/** rkw,
/usr/lib/x86_64-linux-gnu/samba/bind9/** rm,
/usr/lib/x86_64-linux-gnu/samba/gensec/** rm,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
/usr/lib/x86_64-linux-gnu/samba/ldb/** rm,

Be aware that the first rule gives the named process read and write access to the whole of /var/lib/samba/private, which also holds the domain database and the host's secrets, so treat a compromise of Bind on this box as a compromise of the domain and lock the host down accordingly. On a 32-bit install the library paths are under i386-linux-gnu rather than x86_64-linux-gnu; check where your samba4 package put them.

Now reload the profiles so the change takes effect:

/etc/init.d/apparmor reload

Step 4: Start and test Bind

Run the following command to start Bind:

/etc/init.d/bind9 start

To make sure that everything worked as expected, run the following commands and watch their output; every one of them should return a result.

If you didn't set the hostname right, and hostname and hostname -f don't give you the full hostname vupapsam401.demo.local, then this step won't work.

host -t SRV _ldap._tcp.demo.local.
host -t SRV _kerberos._tcp.demo.local.
host -t A vupapsam401.demo.local.

The output should look something like:

_ldap._tcp.demo.local has SRV record 0 100 389 vupapsam401.demo.local.
_kerberos._tcp.demo.local has SRV record 0 100 88 vupapsam401.demo.local.
vupapsam401.demo.local has address 192.168.99.200
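To verify those records without eyeballing the output, here is an added example (not part of the original post) in POSIX shell. The parsing is separated from the live queries so it can be exercised on captured host output: the sample answers it runs against are constructed to match the records shown above and the NXDOMAIN reply a reader reported in the comments. The realm, DC name and address are the guide's; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify the AD service records
# after starting Bind. Parsing is split from the live queries so it can be run
# on captured `host` output; the sample outputs below are constructed.

# Read `host -t SRV` output on stdin and print "<port> <target>" per record.
# Exits non-zero when no record was found or the lookup failed (NXDOMAIN,
# SERVFAIL, timeout), which is the symptom of a wrong hostname or of a Bind
# that never loaded Samba's zone.
srv_records() {
    awk '
        /has SRV record/ {
            port = $(NF-1); target = $NF
            sub(/\.$/, "", target)        # drop the trailing root dot
            print port, target; found = 1
        }
        /NXDOMAIN|SERVFAIL|has no SRV record|timed out/ { failed = 1 }
        END { exit (found && !failed) ? 0 : 1 }'
}

# $1 = captured output, $2 = expected DC FQDN, $3 = expected port.
# True when at least one SRV record points at that host and port.
check_srv() {
    printf '%s\n' "$1" | srv_records | awk -v host="$2" -v port="$3" '
        $1 == port && tolower($2) == tolower(host) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# $1 = captured `host -t A` output, $2 = expected address.
check_a() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /has address/ && $NF == ip { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Live check against the running DC: realm $1, DC FQDN $2, DC address $3.
# Queries the same three records the guide tests by hand.
verify_dc_dns() {
    realm=$1; dc=$2; ip=$3; rc=0
    for entry in "_ldap._tcp 389" "_kerberos._tcp 88"; do
        svc=${entry% *}; port=${entry#* }
        out=$(host -t SRV "$svc.$realm." 2>&1)
        if check_srv "$out" "$dc" "$port"; then
            echo "OK   $svc.$realm -> $dc:$port"
        else
            echo "FAIL $svc.$realm: $out"; rc=1
        fi
    done
    out=$(host -t A "$dc." 2>&1)
    if check_a "$out" "$ip"; then
        echo "OK   $dc -> $ip"
    else
        echo "FAIL $dc: $out"; rc=1
    fi
    return $rc
}

# Demonstration on constructed output: a healthy answer, then the NXDOMAIN
# reply a reader of this post hit.
good='_ldap._tcp.demo.local has SRV record 0 100 389 vupapsam401.demo.local.'
bad='Host _ldap._tcp.demo.local not found: 3(NXDOMAIN)'
check_srv "$good" vupapsam401.demo.local 389 && echo "healthy answer accepted"
check_srv "$bad"  vupapsam401.demo.local 389 || echo "NXDOMAIN rejected"
# On the DC itself: verify_dc_dns demo.local vupapsam401.demo.local 192.168.99.200
```

Because the checks compare the target host and port rather than just counting lines, a record that exists but points at the wrong machine (for instance a stale entry from an earlier provisioning run) is reported as a failure too.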

Step 5: Allow dynamic DNS updates

We want our clients to be able to update their DNS entries automatically. This is an options statement, so it goes inside the options { ... } block, which on Ubuntu lives in /etc/bind/named.conf.options; appended to the end of named.conf outside that block, Bind rejects it (see the comments below). Add:

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

Step 6: Configure Bind as a forwarder

If you have another DNS server (like a SOHO router) on your network which resolves external names (like http://www.google.com), you'll need to configure Bind to forward to it.

First we need to disable IPv6 in Bind by editing /etc/default/bind9 and appending:

OPTIONS="-4 -u bind"

Now modify the options section (/etc/bind/named.conf.options on Ubuntu) to include the following directives:

allow-query { any; };
allow-recursion { any; };
forwarders { 192.168.99.254; };
dnssec-validation no;

Two caveats: allow-recursion { any; } turns the DC into an open recursive resolver for anyone who can reach port 53, so outside an isolated lab network replace any with your LAN (127.0.0.1 and 192.168.99.0/24 in this guide); and dnssec-validation no means answers relayed by the router are accepted unverified, which is the price of forwarding to a SOHO device that does not do DNSSEC.
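An added example (not from the original post) that lints a named.conf fragment for the mistakes readers of this guide ran into, an include statement without its terminating semicolon and tkey-gssapi-keytab placed outside the options block, and for the open-resolver setting above. It runs over two constructed fragments: the configuration as written in this guide, and a hardened version that confines recursion to the guide's 192.168.99.0/24 subnet through an ACL I have named lan. The lint is a line-oriented awk script, not a full named.conf parser; it is meant for catching these specific slips before restarting Bind.

```shell
#!/bin/sh
# Added example, not from the original post: lint Bind configuration text for
# the mistakes that bit readers of this guide plus the open-resolver setting.
# The config fragments below are constructed; the ACL name "lan" is my choice.

# Lint named.conf text from stdin (or files given as arguments). Prints one
# finding per line; exits 1 if any ERROR or WARN was raised, 0 if the text is
# clean. INFO findings are advisory and do not affect the exit status.
lint_named_conf() {
    awk '
        {
            line = $0
            sub(/\/\/.*/, "", line)       # strip // comments
            sub(/#.*/, "", line)          # strip # comments
        }
        line ~ /^[ \t]*options[ \t]*\{/ { in_options = 1; depth = 0 }
        line ~ /^[ \t]*include[ \t]+"[^"]*"[ \t]*$/ {
            printf "ERROR line %d: include statement lacks its terminating \";\"\n", NR; bad++
        }
        line ~ /tkey-gssapi-keytab/ && !in_options {
            printf "ERROR line %d: tkey-gssapi-keytab belongs inside options { }\n", NR; bad++
        }
        line ~ /allow-recursion[ \t]*\{[ \t]*any;/ {
            printf "WARN  line %d: allow-recursion { any; } makes this an open resolver; restrict it to the LAN\n", NR; bad++
        }
        line ~ /dnssec-validation[ \t]+no;/ {
            printf "INFO  line %d: dnssec-validation is off; answers from the forwarder are accepted unverified\n", NR
        }
        in_options {
            # track brace depth so nested blocks (forwarders { ... };) do not
            # end the options block early
            depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line)
            if (depth <= 0) in_options = 0
        }
        END { exit bad ? 1 : 0 }' "$@"
}

# The guide's configuration as written (constructed fragment).
weak='include "/var/lib/samba/private/named.conf"
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
options {
    allow-query { any; };
    allow-recursion { any; };
    forwarders { 192.168.99.254; };
    dnssec-validation no;
};'

# Hardened version: include terminated, keytab inside options, recursion
# limited to the DC itself and the guide's subnet via an ACL.
hardened='include "/var/lib/samba/private/named.conf";
acl lan { 127.0.0.1; 192.168.99.0/24; };
options {
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    allow-query { lan; };
    allow-recursion { lan; };
    forwarders { 192.168.99.254; };
    dnssec-validation no;
};'

echo "--- as written in the guide"
printf '%s\n' "$weak" | lint_named_conf || echo "(needs fixing)"
echo "--- hardened"
printf '%s\n' "$hardened" | lint_named_conf && echo "(clean)"
# On the DC: cat /etc/bind/named.conf /etc/bind/named.conf.options | lint_named_conf
```

Run it over the concatenation of named.conf and named.conf.options, as in the last comment, so the include statement and the options block are both seen; dnssec-validation still shows up as INFO in the hardened fragment because forwarding to a router that does not validate is a deliberate trade-off rather than a slip.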

Kerberos

Step 1: Install the Kerberos utilities

apt-get install krb5-user

When asked for the default realm, enter DEMO.LOCAL (realm names are uppercase), and vupapsam401.demo.local when asked for the Kerberos and administrative servers. Test whether Kerberos works by executing:

kinit administrator@DEMO.LOCAL

The realm needs to be written in UPPERCASE letters. If the command succeeds, run the following command to check that we have obtained a Kerberos ticket:

klist -e

Network Time Protocol

As Samba provides the time to its domain members, and Kerberos rejects tickets when clocks drift too far apart, we want to make sure that our host has the correct time. We do so by installing and configuring NTP to retrieve the time from a reliable time server.

Step 1: Install NTP

apt-get install ntp

Step 2: Configure NTP

Edit /etc/ntp.conf and replace the 'server' line with the NTP time server of your choice. I used my border gateway as it provides NTP:

server vupapgate01.demo.local

Now do an initial time sync:

service ntp stop
ntpdate -B vupapgate01.demo.local
service ntp start

Check that everything works with:

ntpq -p

Other configuration items and Troubleshooting

ACL Support

To make sure that your operating system can support extended attributes (Samba stores the Windows NT ACL of a file in one), install the attr tools:

apt-get install attr

Test whether your filesystem supports them (most should); the last two commands must print the attributes back:

touch test.txt
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt
getfattr -d test.txt
getfattr -n security.test -d test.txt

Conclusion

Using this I was then able to join a Windows 2008 Server and several Windows 7 desktops (32- and 64-bit) to the domain; when joining, use UPPERCASE for the domain name.

16 comments on "Creating an AD Server for Free using Ubuntu and Samba"

  1. Pingback: AD with Ubuntu & Samba « Rick's Tech Stuff

  2. Vincent
    December 12, 2012

    I assume building this server is independent of building an LDAP server for user administration?

  3. Simon
    January 17, 2013

    Great instructions. I assume I can disable DNS functions of this PDC and point this to our existing DNS/ DHCP server

    • projectzme
      January 17, 2013

      Yes, you can, however make sure it's got the correct DNS for AD propagation

  4. Ihaveone
    March 15, 2013

    hi , first thanks for this guide.
    I'm trying to set it up in Ubuntu 12.04 but BIND NAME SERVER Step 4 fails for me every time no matter what I do...
    Host {....} not found: 3(NXDOMAIN)
    I was never able to complete it successfully.
    any idea?
    thanks.

    • projectzme
      March 16, 2013

      open up a 2nd console, type

      tail -f /var/log/syslog

      this should set the syslog rolling in the console

      go back to the first console then run

      service bind9 restart

      the second console should start displaying the syslog of bind starting, and should explain why it is failing, if it does, copy the syslog output up here and we can look at it.

  5. Ihaveone
    March 18, 2013

    Hi,
    sorry for the delay. I have had a crash on my VM, so I started a brand new one with a clean install etc. only for Samba4 and can not reproduce the error because I'm now stuck at "smbclient -L localhost -U%" returning me:
    Unknown parameter encountered: "server role"
    Ignoring parameter: "server role"
    Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED).

    So right now, I really don’t know what to do about that.

    Thanks again.

  6. projectzme
    March 18, 2013

    You may be suffering with bugs in the code of Samba4 right now. Usually anything I've ever had with Samba3 or 4 causing a problem relates to DNS, or not using static IP addresses; check your /etc/hosts file, ensure you have a static IP address etc.

  7. Ihaveone
    March 18, 2013

    everything seems to be ok. I’ll try with samba 4.0.3 from source.
    I’ll let you know.

  8. Ihaveone
    March 24, 2013

    HI,

    Compiling from source worked like a charm. My Samba4 (4.0.4) DC runs flawlessly, DNS is ok, even replication with a 2008 R2 DC. Joining machines to your domain, whatever OS runs on them, works just perfect.
    Your guide was very helpful to set it up correctly on Ubuntu 12.04.
    And although I'm (was?) more of a Windows system admin, I find samba-tool and the other Samba and generally Linux commands infinitely more intuitive and powerful.

    Also for anyone who wants to try , just be sure you meet the Samba4/OS requirements from the Samba4 How to guide.
    Now it’s time for me to struggle with setting up Archipel for my KVM server.

    I can’t thank you enough for your help and for the last days I have been recommending your blog to everyone I know who is interested in System Administration.
    I have now a new Reference Blog (yours) I will follow closely.

  9. IronHorse
    April 24, 2013

    @Ihaveone. Check to make sure your include “/var/lib/samba/private/named.conf”; has a ; after it. I missed it and BIND9 would never restart for me.

    Second thing is the “tkey-gssapi-keytab “/var/lib/samba/private/dns.keytab”;” had to go in named.conf.options

    Thanks projectzme!

  10. Corehazard
    April 30, 2013

    Great article though I would like to know if it’s possible to apply a group policy to the Domain.

  11. 12000mah行動電源
    June 21, 2013

    This can be a really great tip especially to these fresh towards the blogosphere. Short but very correct information… Many thanks for sharing this 1. A must read article!
