Install Samba4 as Active Directory Server

Since version 4.0, Samba can act not only as an NT4-style PDC but also as a Domain Controller that is compatible with Microsoft Active Directory. Below, we explain how to set up Samba as an Active Directory Domain Controller from scratch.

  • Turn off SELinux (the setenforce command takes effect immediately; the change to /etc/sysconfig/selinux keeps it disabled after a reboot)
# vi /etc/sysconfig/selinux
SELINUX=disabled
setenforce 0
  • Map your IP address to the hostname in /etc/hosts as shown below:
# vim /etc/hosts
192.168.1.13 samba4.example.com samba4
  • Set your hostname in the /etc/sysconfig/network file:
# vim /etc/sysconfig/network
HOSTNAME=samba4.example.com
  • Install the packages below using yum.
yum install bind bind-utils bind-chroot openldap openldap-devel libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel wget gcc
  • Download, build and install Samba with the following steps:
mkdir samba4
cd samba4/
wget --no-check-certificate https://download.samba.org/pub/samba/samba-latest.tar.gz
tar -zxvf samba-latest.tar.gz
cd samba-*
./configure.developer
make && make install

Now that Samba4 is installed, create the file /etc/init.d/samba and copy the script below into it:

# vim /etc/init.d/samba

# Copy the script below into the file:
#!/bin/bash
#
# samba4        This shell script takes care of starting and stopping
#               samba4 daemons.
#
# chkconfig: - 58 74
# description: Samba 4.0 will be the next version of the Samba suite
# and incorporates all the technology found in both the Samba4 alpha
# series and the stable 3.x series. The primary additional features
# over Samba 3.6 are support for the Active Directory logon protocols
# used by Windows 2000 and above.

### BEGIN INIT INFO
# Provides: samba4
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Should-Start: $syslog $named
# Should-Stop: $syslog $named
# Short-Description: start and stop samba4
# Description: Samba 4.0 will be the next version of the Samba suite
# and incorporates all the technology found in both the Samba4 alpha
# series and the stable 3.x series. The primary additional features
# over Samba 3.6 are support for the Active Directory logon protocols
# used by Windows 2000 and above.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

prog=samba
prog_dir=/usr/local/samba/sbin/
lockfile=/var/lock/subsys/$prog

start() {
    [ "$NETWORKING" = "no" ] && exit 1
    # [ -x /usr/sbin/ntpd ] || exit 5

    # Start daemons.
    echo -n $"Starting samba4: "
    daemon $prog_dir/$prog -D
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}

stop() {
    [ "$EUID" != "0" ] && exit 4
    echo -n $"Shutting down samba4: "
    killproc $prog_dir/$prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status $prog
        ;;
    restart)
        stop
        start
        ;;
    reload)
        echo "Not implemented yet."
        exit 3
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|reload}"
        exit 2
        ;;
esac
  • Make it executable and restart the Samba service
chmod +x /etc/init.d/samba
/etc/init.d/samba restart
  • Run the following command to provision the Samba4 domain interactively
/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
  • Answer the prompts as in the following example
Realm : your domain, e.g. example.com
Domain : your workgroup (usually the domain name without the TLD), e.g. example
Server Role : dc
DNS backend : BIND9_DLZ
Password : [email protected] (the password must be at least 8 characters long and contain at least one upper-case letter, one lower-case letter and one digit)
  • Restart the Samba service
/etc/init.d/samba restart
  • Test the configuration with the command below
/usr/local/samba/bin/smbclient //localhost/netlogon -Uadministrator%[email protected]
  • Open /etc/named.conf and change the following options as shown below
listen-on port 53 { 127.0.0.1; any; };
allow-query { localhost; any; };
  • Also add the following line at the bottom:
include "/usr/local/samba/private/named.conf";
  • Open /etc/sysconfig/named and add the following line at the bottom
NAMED_RUN_CHROOTED="no"
  • Also remove or comment out the following line:
ROOTDIR=/var/named/chroot
  • Change the ownership of the file to named with the command below
chown named:named /usr/local/samba/private/named.conf
  • Restart and enable the named service
/etc/init.d/named restart
chkconfig named on

  • Test the DNS configuration with the following commands
host -t SRV _ldap._tcp.example.com.
host -t SRV _kerberos._udp.example.com.
host -t A example.com.
  • The result should look like this
[root@samba4 ~]# host -t SRV _ldap._tcp.example.com.
_ldap._tcp.example.com. has SRV record 0 100 389 samba4.example.com.
[root@samba4 ~]# host -t SRV _kerberos._udp.example.com.
_kerberos._udp.example.com. has SRV record 0 100 88 samba4.example.com.
[root@samba4 ~]# host -t A example.com.
example.com has address 192.168.1.13
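The three host queries above check two SRV records and the A record by eye. The script below is an added example (not part of the original post) that automates the same check and extends it to the other SRV records Windows clients look up when joining a domain, failing if any record is missing or points at a host other than the new DC. REALM, DC_HOST and DC_IP are the constructed values used in this walkthrough; host comes from the bind-utils package installed earlier.

```shell
#!/bin/sh
# Added example, not part of the original post: check that DNS serves every
# record an AD client needs and that each one points at the new Samba4 DC.
# REALM, DC_HOST and DC_IP are the constructed values from the walkthrough;
# 'host' is provided by the bind-utils package installed earlier.
REALM="example.com"
DC_HOST="samba4.example.com"
DC_IP="192.168.1.13"

# srv_matches OUTPUT PORT HOST: succeed only if some line of 'host -t SRV'
# output is an SRV record for PORT whose target is HOST (fully qualified).
# A missing record ("not found: 3(NXDOMAIN)") or a record that points at
# another server therefore counts as a failure.
srv_matches() {
    printf '%s\n' "$1" | awk -v port="$2" -v target="$3." '
        /has SRV record/ && $(NF-1) == port && $NF == target { found = 1 }
        END { exit found ? 0 : 1 }'
}

# a_matches OUTPUT IP: succeed if 'host -t A' output resolves the realm to IP.
a_matches() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /has address/ && $NF == ip { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_dc_dns REALM DC_HOST DC_IP: query the live resolver for the two SRV
# records tested in the walkthrough plus the other ones Windows clients look
# up when joining (dc._msdcs, kpasswd, global catalog) and the realm A record.
check_dc_dns() {
    realm="$1"; dc="$2"; ip="$3"; rc=0
    for entry in "_ldap._tcp 389" "_ldap._tcp.dc._msdcs 389" \
                 "_kerberos._tcp 88" "_kerberos._udp 88" \
                 "_kpasswd._tcp 464" "_kpasswd._udp 464" "_gc._tcp 3268"; do
        name="${entry% *}.$realm"; port="${entry#* }"
        if srv_matches "$(host -t SRV "$name." 2>&1)" "$port" "$dc"; then
            echo "ok   $name -> $dc:$port"
        else
            echo "FAIL $name should be SRV -> $dc:$port"; rc=1
        fi
    done
    a_matches "$(host -t A "$realm." 2>&1)" "$ip" || { echo "FAIL $realm A $ip"; rc=1; }
    return $rc
}

# Run the live check only when invoked as: sh check_dc_dns.sh --run
if [ "${1:-}" = "--run" ]; then
    check_dc_dns "$REALM" "$DC_HOST" "$DC_IP"
fi
```

A non-zero exit from the live run means at least one record a domain join depends on is absent or points elsewhere; the FAIL lines name which one.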
  • Back up the existing Kerberos configuration and copy the one Samba generated into place
cp /etc/krb5.conf /etc/krb5.conf.ori
cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
  • Test Kerberos by obtaining a ticket for the administrator account and listing it
kinit administrator
klist -e
  • Configure Kerberos-authenticated DNS dynamic updates (optional)

This step is optional; you can apply it or skip it. To enable it, add the line tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; to the options section of named.conf, as in the following example:

# vi /etc/named.conf
options {
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    # ... the existing options stay as they are ...
};
  • Run the following commands so that the named group can read the dns.keytab file
chgrp named /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab
  • Check that the dynamic DNS updates work with the following command
/usr/local/samba/sbin/samba_dnsupdate --verbose
  • Configure NTP Server (Optional)
yum install ntp
  • Open /etc/ntp.conf and add the following lines at the bottom
server 0.id.pool.ntp.org
server 1.id.pool.ntp.org
server 2.id.pool.ntp.org
server 3.id.pool.ntp.org
  • Restart and enable NTP service
/etc/init.d/ntpd restart
chkconfig ntpd on
ntpq -p
  • Make samba-tool runnable directly, without its full path
cp -rvp /usr/local/samba/bin/samba-tool /usr/bin/
chmod +x /usr/bin/samba-tool
  • Create a Samba user account with the command below
samba-tool user create pradeep [email protected]

Samba4 is now installed and configured as an Active Directory Domain Controller. You can now join Windows clients to the domain.