Eric Knudstrup
2014-Oct-29 22:15 UTC
[Samba] Ubuntu 14.04 as an Active Directory Domain Controller
To start, I've been using Samba for almost 20 years. I wanted to use Samba as an AD DC for my business. Ubuntu 14.04 comes with Samba 4.1.6. This is a little out of date right now as 4.1.13 is available and 4.2 is in release candidate status, but it works. I used the Samba AD DC Howto (https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO) as an aid to get it going, but there were some things that weren't quite clear. I started with a fresh install and things weren't quite right. There are several things that need to be changed immediately to set up Ubuntu 14.04 as an AD DC.

First, give your system a static IP address. I use the GUI's network interface tool.

There are several packages that need to be installed. Kerberos 5 (krb5-kdc) needs to be installed and running. Leave out the kadmind package. The Samba process does that itself. I left the krb5.conf that krb5_newrealm created, with the exception that I added these two lines from Samba's krb5.conf to it at the beginning:

    dns_lookup_realm = false
    dns_lookup_kdc = true

Then set up the realm, using the same domain as your Samba AD DC will use (SAMDOM.EXAMPLE.COM from the Howto, for example).

I recommend removing the avahi-daemon package. Not terribly sure it conflicts with Samba, but at the very least it sounds like a security nightmare. Not really necessary or desirable for a server machine anyway. Also, the ssh server isn't installed by default.

Disable dnsmasq by removing or commenting out this line in /etc/NetworkManager/NetworkManager.conf. This program conflicts with the internal Samba DNS server/proxy.

    dns=dnsmasq

I changed the DNS search domain to the same as my AD DC domain and set the DNS server to 127.0.0.1. The order of removing dnsmasq and installing/changing everything else is a bit tricky. Try to make sure you have all of the packages downloaded you need before disabling dnsmasq but before enabling Samba. The system will be without DNS resolution between these two events. Right now it works.
I've joined one of my PCs to the domain controller and can log in to the domain from it. I can also use the Microsoft RSAT (Remote Server Administration Tool) to add users. I think those are the most important details that have been left out of the HOWTO. Also, to me, the daemon/init process is a bit funky and convoluted in Ubuntu. It took me a bit of tinkering to make sure that everything came up correctly on a reboot. I welcome further refinements. These are just some of my notes :).
Peter Serbe
2014-Oct-30 06:36 UTC
[Samba] Ubuntu 14.04 as an Active Directory Domain Controller
> First, give your system a static IP address.

Good idea. I think a server never should rely on DHCP anyway.

> I recommend removing the avahi-daemon package. Not terribly sure it
> conflicts with Samba, but at the very least it sounds like a security
> nightmare.

I had troubles with it, when I named my DNS zone SAMDOM.local. Later I was pointed to the fact that the *.local domain has a special meaning when resolving printers and other commodity units. Switching over to a different toplevel entity (even *.lokal would be OK) resolved the issue.

> Disable dnsmasq by removing or commenting out this line in
> /etc/NetworkManager/NetworkManager.conf. This program conflicts with
> the internal Samba DNS server/proxy.

Get rid of NetworkManager. All it can do for You on the server is making troubles.

> The order of removing dnsmasq and installing/changing everything else is
> a bit tricky. Try to make sure you have all of the packages downloaded
> you need before disabling dnsmasq but before enabling Samba. The system
> will be without DNS resolution between these two events.

Point resolv.conf to some other DNS while installing Samba. Later Samba will be the DNS master. I like BIND9_DLZ as I have enough experience with bind. It is easy to get secondary DNS servers using bind.

Just one tip here - on my file server, which is also the secondary DNS server, I have this zone statement:

    # forward lookup
    zone "internal.serbe.ch" {
        type slave;
        masters { 192.168.1.1;};
        file "/etc/bind/namedb/bak.internal.serbe.ch";
        forwarders{};
    };

The important line is: forwarders{} - this ensures that my internal network DNS is shielded from the default of the external one, which runs on the machine of my internet provider.

> I think those are the most important details that have been left out of
> the HOWTO.

The quality of the wiki documentation is massively improved by the documentation team over the course of the last six months.

> Also, to me, the daemon/init process is a bit funky and convoluted in
> Ubuntu. It took me a bit of tinkering to make sure that everything came
> up correctly on a reboot.

As a novice Linux user I had my own bag of troubles with this, too. I now got two scripts for starting samba as DC and as member server on Debian (Jessie). I could publish these, but I fear they are better suited as bad examples... Anyway, it might be

> I welcome further refinements. These are just some of my notes :).

You're welcome! ;-)

Oh, and a big thank You to the documentation team. You have really done a great job! I decided to go off Microsoft two years ago, and by then the Samba docu was much more cryptic and incomplete than it is now.

Best regards
Peter

PS: there is one additional tip from my side. In fact I have learned this the hard way... Whenever SSSD is behaving erratic and crazy: be sure to have a good keytab file. If in doubt, export a fresh one. And be sure to completely erase the cache. In fact to make it work on my Raspi I had to remove and recreate the /var/lib/sss/db directory - and the troubles went away. I have no clue what happened...
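As an added example that is not part of this thread: a few POSIX shell checks for the prep steps Eric lists (no active dns=dnsmasq line in NetworkManager.conf, the two krb5.conf lookup settings) and for Peter's empty forwarders{} clause on a secondary zone. The sample files are constructed here so the checks run offline; on a real DC you would pass the live paths instead.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for the AD DC prep
# steps discussed above. Each check reads the file given as $1 and returns
# 0 (ok) or 1 (problem), so it can drive a script or a monitoring probe.

# NetworkManager must not run dnsmasq: an active (uncommented) dns=dnsmasq
# line conflicts with Samba's internal DNS server.
nm_dnsmasq_disabled() {
    ! grep -Eq '^[[:space:]]*dns[[:space:]]*=[[:space:]]*dnsmasq' "$1"
}

# krb5.conf needs the two lines Eric copied from Samba's generated krb5.conf.
krb5_lookup_ok() {
    grep -Eq '^[[:space:]]*dns_lookup_realm[[:space:]]*=[[:space:]]*false' "$1" &&
    grep -Eq '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true' "$1"
}

# Peter's tip: the secondary zone for the internal domain must carry an empty
# forwarders{} so internal names never reach the provider's resolver.
# $1 = named.conf fragment, $2 = zone name to inspect.
zone_forwarders_empty() {
    awk -v z="$2" '
        $1 == "zone" && index($2, "\"" z "\"") { inzone = 1 }
        inzone && /forwarders[[:space:]]*[{][[:space:]]*[}]/ { found = 1 }
        inzone && /^[[:space:]]*[}];/ { inzone = 0 }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample files (good and bad variant of each) to exercise the checks.
SAMPLES=$(mktemp -d)
printf '[main]\nplugins=ifupdown,keyfile\n#dns=dnsmasq\n' > "$SAMPLES/nm-good.conf"
printf '[main]\nplugins=ifupdown,keyfile\ndns=dnsmasq\n' > "$SAMPLES/nm-bad.conf"
printf '[libdefaults]\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n\tdefault_realm = SAMDOM.EXAMPLE.COM\n' > "$SAMPLES/krb5-good.conf"
printf '[libdefaults]\n\tdefault_realm = SAMDOM.EXAMPLE.COM\n' > "$SAMPLES/krb5-bad.conf"
cat > "$SAMPLES/named-good.conf" <<'EOF'
# forward lookup
zone "internal.serbe.ch" {
    type slave;
    masters { 192.168.1.1;};
    file "/etc/bind/namedb/bak.internal.serbe.ch";
    forwarders{};
};
EOF
cat > "$SAMPLES/named-bad.conf" <<'EOF'
zone "internal.serbe.ch" {
    type slave;
    masters { 192.168.1.1;};
    file "/etc/bind/namedb/bak.internal.serbe.ch";
};
EOF
```

A failing check on the "bad" named.conf shows the case Peter warns about: the zone is valid BIND syntax but silently inherits the global forwarders.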
L.P.H. van Belle
2014-Oct-30 08:01 UTC
[Samba] Ubuntu 14.04 as an Active Directory Domain Controller
If you use samba on ubuntu, and you want no hassle with programs etc., do a minimal install and strip it until it looks like a Debian server. Now your ubuntu is ready for samba. I bet! If you set up like this, your ubuntu server is about 10-20% faster in responding on console. Overall server performance increased about 5-10%. Test it yourself.. In a few days I'm up to my setup at home, which is running ubuntu (because of xbmc). I'll write a short howto, how to maximize your ubuntu performance. Ubuntu is imo not a good server os, for that you need debian. Why is ubuntu scary? Well, you can end up with a not working system after upgrades. ....

> PS: there is one additional tip from my side. In fact have learned this
> the hard way... When ever SSSD is behaving erratic and crazy: be sure to
> have a good keytab file. If in doubt, export a fresh one. And be sure
> to completely erase the cache. In fact to make it work on my Raspi
> I had to remove and recreate the /var/lib/sss/db directory - and the
> troubles went away. I have no clue what happened...

Rest my case. Yesterday I had one also "again" grr... but I need ubuntu for my htpc.. mysql crashed, sshd crashed, reinstalled again, but not working anymore..., just out of the blue.. and for this I hate ubuntu.. again here... I also have no clue what happened... not hardware failures, nothing in logs, can't even start sshd manually... So that's just for people to know, ubuntu is built based on "Debian test/Sid" for who does not know. So be careful with ubuntu, and make lots of backups.

Louis