= Introduction =
The Samba Active Directory provisioning process creates the AD databases and adds initial records, such as the domain administrator account and required DNS entries.

= Provision the Active Directory =
We are going to provision our AD with the following command:
{{{
# samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=OFFICE.LAN --domain=office.lan --adminpass=Passw0rd
}}}
----
== Configuring the DNS Resolver ==
Domain members in an AD use DNS to locate services, such as LDAP and Kerberos. For that, they need to use a DNS server that is able to resolve the AD DNS zone.

We are now going to set the nameserver parameter of the /etc/resolv.conf file:
{{{
# sudo nano /etc/resolv.conf
}}}
In that file, we are going to set the following parameters:
{{{
search office.lan
nameserver 192.168.1.2
}}}
Save the file.
----
== Create a reverse zone ==
We will add the reverse zone using the following command:
{{{
# samba-tool dns zonecreate 192.168.1.2 0.99.10.in-addr.arpa
Password for [administrator@OFFICE.LAN]:
Zone 0.99.10.in-addr.arpa created successfully
}}}
----
== Configuring Kerberos ==
In an AD, Kerberos is used to authenticate users, machines, and services. During the provisioning, Samba created a Kerberos configuration file for your DC. Copy this file to your operating system's Kerberos configuration. For example:
{{{
# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
}}}
----
= Testing your Samba AD DC =
We are now going to perform a series of tests to ensure the domain is working correctly.

== Anonymous Log-in test ==
The first test you should do is to test that you can anonymously log in.
You can do that using the following command:
{{{
# smbclient -L localhost -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        IPC$            IPC       IPC Service (Samba 4.12.6-Ubuntu)
SMB1 disabled -- no workgroup available
}}}
The netlogon and sysvol shares were auto-created during the provisioning process.
----
== Verify Authentication ==
To verify authentication, we will connect to the netlogon share using the domain administrator account:
{{{
# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=Office.lan OS=[Unix] Server=[Samba 4.12.6]
  .                                   D        0  Tue Mar 16 08:40:00 2021
  ..                                  D        0  Tue Mar 16 08:40:00 2021

                49386 blocks of size 524288. 42093 blocks available
}}}
If these all check out, then it's time to move on to the next set of tests.
----
== Verifying DNS ==
To verify that your AD DNS configuration works correctly, we will query some DNS records.

First, we will query the tcp-based _ldap SRV record in the domain using the following command:
{{{
# host -t SRV _ldap._tcp.office.lan
_ldap._tcp.office.lan has SRV record 0 100 389 dc1.office.lan.
}}}
Next, we will query the udp-based _kerberos SRV resource record in the domain by using the following command:
{{{
# host -t SRV _kerberos._udp.office.lan.
_kerberos._udp.office.lan has SRV record 0 100 88 dc1.office.lan.
}}}
Next, we will query the A record of the domain controller:
{{{
# host -t A dc1.office.lan.
dc1.office.lan has address 192.168.1.2
}}}
If these all check out, then it's time to move on to the next set of tests.
----
== Verifying Kerberos ==
Our first Kerberos test will be to request a Kerberos ticket for the domain administrator account using the following command:
{{{
# kinit administrator
Password for administrator@OFFICE.LAN:
}}}
Next, we will list the cached Kerberos tickets using the following command:
{{{
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
01.11.2021 08:45:00  12.11.2021 18:45:00  krbtgt/OFFICE.LAN@OFFICE.LAN
        renew until 02.11.2021 08:44:59
}}}
If one or more tests fail, see Troubleshooting.

= Configuring Time Synchronisation =
Kerberos requires synchronized time on all domain members. We will use the NTP server daemon for this process. You installed the NTP server as part of the Samba install, so let's take a moment to make sure it's working properly. You can do that by running the following command:
{{{
# sudo service ntp status
}}}
The output from that command should show the service as running.

Next, we need to allow NTP traffic. We can do that with the following command:
{{{
# sudo ufw allow from any to any port 123 proto udp
}}}
----
= Final thoughts =
This completes the basic setup of Samba and your new domain. The next tutorial in this series will cover some of the more [[SmallBusinessServer/SAMBA/Advanced_Configuration|advanced configuration]] options in the Samba Configuration file.
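As an added example that is not part of this tutorial, the script below turns the DNS and Kerberos tests from the testing section into one repeatable check that can be rerun after any change to the DC. It assumes this page's realm, DC name and address; the check_srv, check_a, check_tgt and report helpers are my own names, not Samba tooling.

```shell
#!/bin/sh
# Added example: automates the DNS and Kerberos checks from the testing section.
# The realm, DC name and IP are this page's values; the check_* helpers are my own.
REALM_DNS="office.lan"      # AD DNS zone
REALM_KRB="OFFICE.LAN"      # Kerberos realm (upper case)
DC_HOST="dc1.office.lan"    # domain controller FQDN
DC_IP="192.168.1.2"         # domain controller address

# check_srv OUTPUT PORT TARGET: succeed if the `host -t SRV` text in OUTPUT has a
# record for PORT whose target is TARGET (host prints the target with a trailing dot).
check_srv() {
    printf '%s\n' "$1" | awk -v port="$2" -v target="$3." '
        /has SRV record/ && $(NF-1) == port && $NF == target { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_a OUTPUT IP: succeed if the `host -t A` text in OUTPUT resolves to IP.
check_a() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /has address/ && $NF == ip { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_tgt OUTPUT REALM: succeed if the `klist` text in OUTPUT lists a TGT for REALM.
check_tgt() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# report NAME CMD...: run one check, print its result, count failures in $fails.
report() {
    name=$1; shift
    if "$@"; then echo "ok   $name"; else echo "FAIL $name"; fails=$((fails + 1)); fi
}

# Query the live DC and return the number of failed checks (0 = all passed).
run_live_checks() {
    fails=0
    report "_ldap._tcp SRV -> $DC_HOST:389" \
        check_srv "$(host -t SRV "_ldap._tcp.$REALM_DNS" 2>&1)" 389 "$DC_HOST"
    report "_kerberos._udp SRV -> $DC_HOST:88" \
        check_srv "$(host -t SRV "_kerberos._udp.$REALM_DNS" 2>&1)" 88 "$DC_HOST"
    report "A record $DC_HOST -> $DC_IP" \
        check_a "$(host -t A "$DC_HOST" 2>&1)" "$DC_IP"
    report "TGT for $REALM_KRB in credential cache (run kinit first)" \
        check_tgt "$(klist 2>&1)" "$REALM_KRB"
    return "$fails"
}

# Only touch the network when run as: sh check_dc.sh --live
if [ "${1-}" = "--live" ]; then run_live_checks; fi
```

Run it with --live on the DC after kinit; without that flag it only defines the functions, so the parsers can be exercised against saved host and klist output.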