samba - Oct 2014 - Ubuntu 14.04 as an Active Directory Domain Controller

To start, I've been using Samba for almost 20 years.
I wanted to use Samba as an AD DC for my businesss.
Ubuntu 14.04 comes with Samba 4.1.6.  This is a little out of date right 
now as 4.1.13 is available and 4.2 is in release candidate status, but 
it works.
I used the Samba AD DC Howto 
(https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO) as an aid to get it 
going, but there were some things that weren't quite clear.
I started with a fresh install and things weren't quite right.
There are several things that need to be changed immediately to set up 
Ubuntu 14.04 as an AD DC.
First, give your system a static IP address.  I use the GUI's network 
interface tool.
There are several packages that need to be installed.
Kerberos 5 (krb5-kdc) needs to be installed and running.  Leave out the 
kadmind package.  The Samba process does that itself.
I left the krb5.conf that krb5_newrealm created, with the exception that 
I added these two lines from Samba's krb5.conf to it at the beginning:
         dns_lookup_realm = false
         dns_lookup_kdc = true

Then set up the realm, using the same domain as your Samba AD DC will 
use (SAMDOM.EXAMPLE.COM from the Howto, for example)
I recommend removing the avahi-daemon package.  Not terribly sure it 
conflicts with Samba, but at the very least it sounds like a security 
nightmare.  Not really necessary or desirable for a server machine anyway.
Also, the ssh server isn't installed by default.
Disable dnsmasq by removing or commenting out this line in in 
/etc/NetworkManager/NetworkManager.conf.  This program conflicts with 
the internal Samba DNS server/proxy.
dns=dnsmasq

I changed the DNS search domain the same as my AD DC domain and set the 
DNS server to 127.0.0.1.
The order of removing dnsmasq and installing/changing everything else is 
a bit tricky.  Try to make sure you have all of the packages downloaded 
you need before disabling dnsmasq but before enabling Samba.  The system 
will be without DNS resolution between these two events.
Right now it works.  I've joined one of my PCs to the domain controller 
and can log in to the domain from it.  I can also use the Microsoft 
RSAT  (Remote Server Administration Tool) to add users.
I think those are the most important details that have been left out of 
the HOWTO.
Also, to me, the daemon/init process is a bit funky and convoluted in 
Ubuntu.  It took me a bit of tinkering to make sure that everything came 
up correctly on a reboot.
I welcome further refinements.  These are just some of my notes :).

> First, give your system a static IP address. 
good idea. I think a server never should rely on DHCP anyway. 
> I recommend removing the avahi-daemon package.  Not terribly sure it 
> conflicts with Samba, but at the very least it sounds like a security 
> nightmare.  
I had troubles with it, when I named my DNS zone SAMDOM.local. Later I 
was pointed to the fact, that the *.local domain has a special meaning 
when resolving printers and other commodity units. Switching over to 
a different toplevel entity (even *.lokal would be OK) resolved the issue.
> Disable dnsmasq by removing or commenting out this line in in 
> /etc/NetworkManager/NetworkManager.conf.  This program conflicts with 
> the internal Samba DNS server/proxy.
Get rid of NetworkManager. All it can do for You on the server is 
making troubles.
> The order of removing dnsmasq and installing/changing everything else is 
> a bit tricky.  Try to make sure you have all of the packages downloaded 
> you need before disabling dnsmasq but before enabling Samba.  The system 
> will be without DNS resolution between these two events.
Point resolv.conf to some other DNS while installing Samba. Later Samba 
will be the DNS master. I like BIND9_DLZ as I have enough experience with 
bind. It is easy to get secondary DNS servers using bind. Just one tip 
here - on my file server, which is also the secondary DNS server, I have 
this zone statement:

# forward lookup
zone "internal.serbe.ch" {
        type slave;
        masters { 192.168.1.1;};
        file "/etc/bind/namedb/bak.internal.serbe.ch";
        forwarders{};
};

The important line is: forwarders{} - this ensures, that my internal 
network DNS is shielded from the default of the external one, which 
runs on the machine of my internet provider. 
> I think those are the most important details that have been left out of 
> the HOWTO.
The quality of the wiki documentation is massively improved by the 
documentation team over the course of the last six month. 
> Also, to me, the daemon/init process is a bit funky and convoluted in 
> Ubuntu.  It took me a bit of tinkering to make sure that everything came 
> up correctly on a reboot.
As a novice Linux user I had my own bag of troubles with this, too. 
I now got two scripts for starting samba as DC and as member server 
on Debian (Jessie). I could publish these, but I fear they are better 
suited as bad examples... Anyway, it might be 
> I welcome further refinements.  These are just some of my notes :).
You're welcome! ;-) 
Oh, and a big thank You to the documentation team. You have really 
done a great job! I decided to go off Microsoft two years ago, and 
by then the Samba docu was much more cryptic and incomplete than it 
is now. 

Best regards
Peter


PS: there is one additional tip from my side. In fact have learned this 
the hard way... When ever SSSD is behaving erratic and crazy: be sure to 
have a good keytab file. If in doubt, export a fresh one. And be sure 
to completely erase the cache. In fact to make it work on my Raspi 
I had to remove and recreate the /var/lib/sss/db directory - and the 
troubles went away. I have no clue what happened...

If you use samba on ubuntu, and you want no hassle with programs etc.

Do a minimal install and strip it untill it looks like a Debian server.

Now, your ubuntu is ready for samba. I bet! if you setup like this, 
you ubuntu server is about 10-20% faster in responding on console. 
Overal server performance increased about 5-10%. Test is your self.. 

In a few days in up to my setup at home, which is running ubuntu ( because of
xbmc )
I'll write a short howto, how to maximize your ubuntu performance.

Ubuntu is imo not a good server os, for that you need debian.
Why is ubuntu scarry, well, you can end up with a not working system, after
upgrades.
....
>PS: there is one additional tip from my side. In fact have 
>learned this 
>the hard way... When ever SSSD is behaving erratic and crazy: 
>be sure to 
>have a good keytab file. If in doubt, export a fresh one. And be sure 
>to completely erase the cache. In fact to make it work on my Raspi 
>I had to remove and recreate the /var/lib/sss/db directory - and the 
>troubles went away.  I have no clue what happened... 
....Rest my case. 

yesterday i had one also "again" grr... but .. i need ubuntu for my
htpc..
mysql crashed, sshd crashed, reinstalled again, but not working anymore... , 
Just out of the blue.. and for this i hate ubuntu..
again here ... I also have no clue what happened...  
not hardware failures, nothing in logs, cant even start sshd manualy.. .

So thats just for people to know, ubuntu is build base on "Debian
test/Sid" for who does not know.
So becarefull with ubuntu, and make lots of backups.

Louis

>-----Oorspronkelijk bericht-----
>Van: peter at serbe.ch [mailto:samba-bounces at lists.samba.org] 
>Namens Peter Serbe
>Verzonden: donderdag 30 oktober 2014 7:37
>Aan: samba at lists.samba.org; eric at knudstrup.org
>Onderwerp: Re: [Samba] Ubuntu 14.04 as an Active Directory 
>Domain Controller
>
>> First, give your system a static IP address. 
>
>good idea. I think a server never should rely on DHCP anyway. 
>
>> I recommend removing the avahi-daemon package.  Not terribly sure it 
>> conflicts with Samba, but at the very least it sounds like a 
>security 
>> nightmare.  
>
>I had troubles with it, when I named my DNS zone SAMDOM.local. Later I 
>was pointed to the fact, that the *.local domain has a special meaning 
>when resolving printers and other commodity units. Switching over to 
>a different toplevel entity (even *.lokal would be OK) 
>resolved the issue.
>
>> Disable dnsmasq by removing or commenting out this line in in 
>> /etc/NetworkManager/NetworkManager.conf.  This program 
>conflicts with 
>> the internal Samba DNS server/proxy.
>
>Get rid of NetworkManager. All it can do for You on the server is 
>making troubles.
>
>> The order of removing dnsmasq and installing/changing 
>everything else is 
>> a bit tricky.  Try to make sure you have all of the packages 
>downloaded 
>> you need before disabling dnsmasq but before enabling Samba. 
> The system 
>> will be without DNS resolution between these two events.
>
>Point resolv.conf to some other DNS while installing Samba. 
>Later Samba 
>will be the DNS master. I like BIND9_DLZ as I have enough 
>experience with 
>bind. It is easy to get secondary DNS servers using bind. Just one tip 
>here - on my file server, which is also the secondary DNS 
>server, I have 
>this zone statement:
>
># forward lookup
>zone "internal.serbe.ch" {
>        type slave;
>        masters { 192.168.1.1;};
>        file "/etc/bind/namedb/bak.internal.serbe.ch";
>        forwarders{};
>};
>
>The important line is: forwarders{} - this ensures, that my internal 
>network DNS is shielded from the default of the external one, which 
>runs on the machine of my internet provider. 
>
>> I think those are the most important details that have been 
>left out of 
>> the HOWTO.
>
>The quality of the wiki documentation is massively improved by the 
>documentation team over the course of the last six month. 
>
>> Also, to me, the daemon/init process is a bit funky and 
>convoluted in 
>> Ubuntu.  It took me a bit of tinkering to make sure that 
>everything came 
>> up correctly on a reboot.
>
>As a novice Linux user I had my own bag of troubles with this, too. 
>I now got two scripts for starting samba as DC and as member server 
>on Debian (Jessie). I could publish these, but I fear they are better 
>suited as bad examples... Anyway, it might be 
>
>> I welcome further refinements.  These are just some of my notes :).
>
>You're welcome! ;-) 
>Oh, and a big thank You to the documentation team. You have really 
>done a great job! I decided to go off Microsoft two years ago, and 
>by then the Samba docu was much more cryptic and incomplete than it 
>is now. 
>
>Best regards
>Peter
>
>
>PS: there is one additional tip from my side. In fact have 
>learned this 
>the hard way... When ever SSSD is behaving erratic and crazy: 
>be sure to 
>have a good keytab file. If in doubt, export a fresh one. And be sure 
>to completely erase the cache. In fact to make it work on my Raspi 
>I had to remove and recreate the /var/lib/sss/db directory - and the 
>troubles went away. I have no clue what happened... 
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>