Introduction

The Samba Active Directory provisioning process creates the AD databases and adds initial records, such as the domain administrator account and required DNS entries.

Provision the Active Directory

We are going to provision our AD with the following command:

# samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=OFFICE.LAN --domain=office.lan --adminpass=Passw0rd


Configuring the DNS Resolver

Domain members in an AD use DNS to locate services, such as LDAP and Kerberos. For that, they need to use a DNS server that is able to resolve the AD DNS zone.

We are now going to set the nameserver parameter of the /etc/resolv.conf file:

# sudo nano /etc/resolv.conf

In that file, we are going to set the following parameters:

search office.lan
nameserver 192.168.1.2

Save the file


Create a reverse zone

We will add the reverse zone using the following command:

# samba-tool dns zonecreate 192.168.1.2 0.99.10.in-addr.arpa
Password for [administrator@OFFICE.LAN]:
Zone 0.99.10.in-addr.arpa created successfully


Configuring Kerberos

In an AD, Kerberos is used to authenticate users, machines, and services.

During the provisioning, Samba created a Kerberos configuration file for your DC. Copy this file to your operating system's Kerberos configuration. For example:

# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf


Testing your Samba AD DC

We are now going to perform a series of tests to ensure the domain is working correctly.

Anonymous Log-in test

The first test is to check that an anonymous log-in works. You can do that using the following command:

# smbclient -L localhost -N
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    sysvol          Disk      
    netlogon        Disk      
    IPC$            IPC       IPC Service (Samba 4.12.6-Ubuntu)
SMB1 disabled -- no workgroup available

The netlogon and sysvol shares were auto-created during the provisioning process.


Verify Authentication

To verify authentication, we will connect to the netlogon share using the domain administrator account:

# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password: 
Domain=Office.lan OS=[Unix] Server=[Samba 4.12.6]
 .                                   D        0  Tue Mar  16 08:40:00 2021
 ..                                  D        0  Tue Mar  16 08:40:00 2021

               49386 blocks of size 524288. 42093 blocks available

If these all check out, then it's time to move on to the next set of tests.


Verifying DNS

To verify that your AD DNS configuration works correctly, we will query some DNS records.

First, we will query the tcp-based _ldap SRV record in the domain using the following command:

# host -t SRV _ldap._tcp.office.lan
_ldap._tcp.office.lan has SRV record 0 100 389 dc1.office.lan.

Next, we will query the udp-based _kerberos SRV resource record in the domain by using the following command:

# host -t SRV _kerberos._udp.office.lan.
_kerberos._udp.office.lan has SRV record 0 100 88 dc1.office.lan.

Next, we will query the A record of the domain controller:

# host -t A dc1.office.lan.
dc1.office.lan has address 192.168.1.2

If these all check out, then it's time to move on to the next set of tests.


Verifying Kerberos

Our first Kerberos test will be to request a Kerberos ticket for the domain administrator account using the following command:

# kinit administrator
Password for administrator@OFFICE.LAN:

Next, we will list the cached Kerberos tickets using the following command:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@OFFICE.LAN

Valid starting       Expires              Service principal
01.11.2021 08:45:00  12.11.2021 18:45:00  krbtgt/OFFICE.LAN@OFFICE.LAN
        renew until 02.11.2021 08:44:59

If one or more tests fail, see Troubleshooting.
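The checks above are easy to repeat by hand but just as easy to skip. The helpers below are an added example, not part of the original page or of Samba: reverse_zone derives the in-addr.arpa name for the network a DC sits in, check_srv verifies that a line of host -t SRV output points at the DC on the expected port, and unexpected_shares flags anything the anonymous share listing exposes beyond the provisioning defaults. They assume the page's values (DC dc1.office.lan at 192.168.1.2, realm office.lan).

```shell
#!/bin/sh
# Added example, not part of the original page: shell helpers that check the
# results of the tests above. Assumes the page's values (DC dc1.office.lan at
# 192.168.1.2, realm office.lan); the live wrapper runs only with --live.
DC_HOST="dc1.office.lan"
REALM_DNS="office.lan"

# reverse_zone IPV4 PREFIXLEN: print the in-addr.arpa zone name for the /8,
# /16 or /24 network containing IPV4, the name zonecreate expects.
reverse_zone() {
  ip=$1; len=$2
  set -- $(printf '%s' "$ip" | tr '.' ' ')      # $1..$4 are the octets
  case $len in
    8)  printf '%s.in-addr.arpa\n' "$1" ;;
    16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
    24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
    *)  return 1 ;;
  esac
}

# check_srv PORT LINE: succeed if LINE, one line of `host -t SRV` output such as
# "_ldap._tcp.office.lan has SRV record 0 100 389 dc1.office.lan.", points at
# the DC on PORT (fields: name has SRV record prio weight port target).
check_srv() {
  port=$1
  set -- $2
  [ "$2 $3 $4" = "has SRV record" ] || return 1
  [ "$7" = "$port" ] || return 1
  [ "${8%.}" = "$DC_HOST" ]
}

# unexpected_shares LISTING: print every share in `smbclient -L ... -N` output
# that is not a provisioning default (sysvol, netlogon, IPC$); fail if any.
# An anonymously visible share beyond these deserves a look at smb.conf.
unexpected_shares() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]+[^[:space:]]+[[:space:]]+(Disk|IPC|Printer)([[:space:]]|$)/ {
      if ($1 != "sysvol" && $1 != "netlogon" && $1 != "IPC$") { print $1; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Live checks against the DC itself, using the host and smbclient commands above.
if [ "${1:-}" = "--live" ]; then
  check_srv 389 "$(host -t SRV "_ldap._tcp.$REALM_DNS" | head -n 1)" && echo "ldap SRV ok"
  check_srv 88  "$(host -t SRV "_kerberos._udp.$REALM_DNS" | head -n 1)" && echo "kerberos SRV ok"
  unexpected_shares "$(smbclient -L localhost -N 2>/dev/null)" && echo "only default shares visible"
fi
```

Run it with --live on the DC after provisioning; without that flag it only defines the functions, so it can be sourced from other scripts.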

Configuring Time Synchronisation

Kerberos requires synchronized time on all domain members. We will use the NTP server daemon for this process.

You installed the NTP server as part of the SAMBA install, so let's take a moment to make sure it's working properly. You can do that by running the following command:

# sudo service ntp status

The output from that command should show the service as running.

Next, we need to allow NTP traffic. We can do that with the following command:

# sudo ufw allow from any to any port 123 proto udp


Final thoughts

This completes the basic setup of Samba and your new domain. The next tutorial in this series will cover some of the more advanced configuration options in the Samba Configuration file.

SmallBusinessServer/SAMBA/Configure (last edited 2021-03-19 11:46:31 by 5g3-steven-7tv)