Samba 4.1 as Active Directory configuration guide

I have also written an article with the steps to configure a FreeIPA server and client, which can likewise act as an alternative to Microsoft Active Directory. Since FreeIPA is GUI based, it can be a better alternative than Samba4.
In my earlier post I showed you the steps to install and configure Samba 4.0, but since then the Samba4 developers have moved from version 4.0 to 4.1. I will be releasing a post on upgrading Samba 4 very soon; in the meantime, new users planning to configure Samba 4.1 on their machine can follow the steps below.
Check the prerequisites before installing Samba 4.1:
Samba 4.1 AD OS Requirements
In my case I am using CentOS 6.2 and have verified all the prerequisite RPMs and conditions.

NOTE:

Make sure you have a Python version newer than 2.5 installed on your machine.

For configuring Samba 4.0, follow this link:
Samba 4.0 as Active Directory
 
In case you are planning to configure a secondary domain controller for your Samba4 and Windows Server 2008 AD:
How to configure Secondary Domain Controller using Samba 4

NOTE:

Make sure you don't have any earlier version of Samba installed.

Downloading Samba 4.1 package

NOTE: You can download the Samba4 package from the Samba source directory, but the command below fetches the latest Samba4 code available in git. If you want a specific version of Samba4, I suggest downloading the package manually.
Automatic download of Samba 4.x

# git clone git://git.samba.org/samba.git samba-master

In case you get
-bash: git: command not found

On Red Hat, Fedora and CentOS:

NOTE: On RHEL systems you must have an active subscription to RHN, or you can configure a local offline repository from which the "yum" package manager can install the required RPM and its dependencies.
 

# yum install git

Or you can manually download the git package from the location below:
Download GIT rpm
To manually download the Samba 4.1 package:
Samba Official Website
Once the package is completely downloaded:

# cd samba-master  (the directory name may differ depending on the package downloaded)
# ./configure  (read the note below before running this command)
# make

NOTE:

You can run the above configure step with additional options:

  1. If you run the configure command without any extra parameter, Samba is installed by default under /usr/local/samba; use the --prefix option to specify a different installation directory.
  2. You can also use --enable-debug and --enable-selftest, as they include extra debug information that can help you diagnose problems, or you can contact the Samba4 developers with the output errors.
# make install

If the above steps complete without any error, you can move ahead to the provisioning step.
Add the new Samba path to your bash profile:

# vi ~/.bashrc
export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin
# . .bashrc

Before running the provision step, make sure the following things are in place:

# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.20.42 test test.example.com
# vi /etc/resolv.conf
search example.com
nameserver 10.10.20.42
# hostname
test.example.com

Provision Samba

# samba-tool domain provision
Realm [EXAMPLE.COM]: EXAMPLE.COM 
Domain [EXAMPLE]: EXAMPLE 
Server Role (dc, member, standalone) [dc]: dc 
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE 
Administrator password: [Give Administrator Password]
Retype password: [Retype Administrator Password]
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              test
NetBIOS Domain:        EXAMPLE
DNS Domain:            example.com
DOMAIN SID:            S-1-5-21-3668134952-3729197751-3642420208

Once you have successfully run the provision step, it is time to start and test your Samba server:

# samba
# ps -ef | grep samba
root 20465 1 0 10:26 ? 00:00:00 samba
root 20466 20465 0 10:26 ? 00:00:00 samba
root 20467 20465 0 10:26 ? 00:00:00 samba
root 20468 20465 0 10:26 ? 00:00:00 samba
root 20469 20465 0 10:26 ? 00:00:00 samba
root 20470 20465 0 10:26 ? 00:00:00 samba
root 20471 20465 0 10:26 ? 00:00:00 samba
root 20472 20466 0 10:26 ? 00:00:00 /usr/local/samba/sbin/smbd -D --option=serverrole check:inhibit=yes --foreground
root 20473 20465 0 10:26 ? 00:00:00 samba
root 20474 20465 0 10:26 ? 00:00:00 samba
root 20475 20465 0 10:26 ? 00:00:00 samba
root 20476 20465 0 10:26 ? 00:00:00 samba
root 20477 20465 0 10:26 ? 00:00:00 samba
root 20478 20465 0 10:26 ? 00:00:00 samba
root 20481 20472 0 10:26 ? 00:00:00 /usr/local/samba/sbin/smbd -D --option=serverrole check:inhibit=yes --foreground
root 21502 21310 0 11:15 pts/2 00:00:00 grep samba

So our Samba server has started, as you can see above.
Check the version:

# samba -V
Version 4.1.0pre1-GIT-55add52

Once you run the provision command, the following files should be created automatically:

  • /usr/local/samba/private/named.conf
  • /usr/local/samba/private/dns/example.com.zone
  • /usr/local/samba/private/krb5.conf

Now check whether you are able to connect to your Samba server using smbclient:

# smbclient -L localhost -U% 
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-55add52]
        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-55add52)
 Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-55add52]
        Server               Comment
        ---------            -------
        Workgroup            Master
        --------        ------

When you run the mentioned command you should get the above output.

NOTE:

In case you are getting any error, make sure all the prerequisites are fulfilled and that your hostname and all the files above are correct. Check your SELinux and firewall settings; in my case I have disabled both of them.

To configure iptables for Samba4, follow the link below:
iptables rules for Samba 4 in Red Hat Linux

Configure your BIND server

NOTE:

Make sure your BIND version is 9.8 or 9.9:

# rpm -q bind
bind-9.8.2-0.17.rc1.el6_4.4.i686

This is a copy of my named.conf file.
In the allow-query section below you can either use the "any" argument or, preferably, list the subnet the DNS server is meant to serve, e.g. 192.168.0.0/24; with recursion enabled, "any" lets every host on the Internet use this server as a recursive resolver.

# vi /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 10.10.20.42; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        forwarders { 8.8.8.8; 8.8.4.4; };
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/usr/local/samba/private/named.conf";
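The allow-query setting above is the one place in this file that decides who can use the DC as a recursive resolver. The following added check (my example, not part of the guide or of Samba/BIND) reads the options block of a named.conf and reports whether "recursion yes" is combined with an "any" ACL; the two sample files are constructed here, one copying the guide's options and one restricted to the 10.10.20.0/24 subnet, which is an assumed LAN range.

```shell
#!/bin/sh
# Added example, not part of the original guide: flag a named.conf whose
# options {} block turns BIND into a recursive resolver for the whole Internet.
# audit_named_conf FILE -> prints a verdict, returns 1 when the resolver is open.
# Limitation: only single-line statements inside options {} are parsed.
audit_named_conf() {
    # Drop // and /* */ comments, then keep only the options { ... } block.
    opts=$(sed -e 's://.*$::' -e 's:/\*.*\*/::' "$1" |
           sed -n '/^[[:space:]]*options[[:space:]]*{/,/^[[:space:]]*};/p')
    recursion=$(printf '%s\n' "$opts" | sed -n 's/^[[:space:]]*recursion[[:space:]]*\([a-z]*\);.*/\1/p')
    allow_query=$(printf '%s\n' "$opts" | sed -n 's/^[[:space:]]*allow-query[[:space:]]*{\(.*\)};.*/\1/p')
    allow_rec=$(printf '%s\n' "$opts" | sed -n 's/^[[:space:]]*allow-recursion[[:space:]]*{\(.*\)};.*/\1/p')
    # BIND recurses unless told otherwise; allow-recursion, when present,
    # overrides allow-query as the ACL that decides who may recurse.
    acl=${allow_rec:-$allow_query}
    if [ "${recursion:-yes}" = yes ]; then
        case " $acl" in
            *" any;"*|*";any;"*)
                echo "$1: OPEN recursive resolver (acl:$acl)"; return 1 ;;
        esac
    fi
    echo "$1: ok (recursion=${recursion:-yes}, acl:${acl:-default})"
    return 0
}

# Constructed samples: the guide's options, and a copy restricted to the LAN.
OPEN_CONF=$(mktemp); SAFE_CONF=$(mktemp)
cat > "$OPEN_CONF" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 10.10.20.42; };
        allow-query     { localhost; any; };
        recursion yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};
include "/usr/local/samba/private/named.conf";
EOF
cat > "$SAFE_CONF" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 10.10.20.42; };
        allow-query     { localhost; 10.10.20.0/24; };
        recursion yes;
};
EOF
audit_named_conf "$OPEN_CONF" || true
audit_named_conf "$SAFE_CONF"
```

Run it against /etc/named.conf with `audit_named_conf /etc/named.conf` after sourcing the script; a non-zero return means the DC answers recursive queries from anywhere.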

Restart your named server

# service named restart

Check if your DNS server is working on localhost

# ping google.com
PING google.com (74.125.236.32) 56(84) bytes of data.
64 bytes from maa03s04-in-f0.1e100.net (74.125.236.32): icmp_seq=1 ttl=56 time=19.1 ms
64 bytes from maa03s04-in-f0.1e100.net (74.125.236.32): icmp_seq=2 ttl=56 time=18.7 ms

In case you get

unknown host google.com

Check your BIND configuration files again. Also make sure the time zone and system time are set correctly on your Linux machine, as in some cases that is another reason for DNS server failure.
Verify that your DNS server is serving the Samba AD records:

# host -t SRV _kerberos._udp.example.com.
_kerberos._udp.example.com has SRV record 0 100 88 test.example.com.
# host -t SRV _ldap._tcp.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 test.example.com.
# host -t A samba.example.com.
samba.example.com has address 10.10.20.42

NOTE:

In case you get an error with the last command above

Host samba.example.com. not found: 3(NXDOMAIN)

then follow the steps below:

# vi /usr/local/samba/private/dns/example.com.zone
Add the following as the last line:
samba IN A 10.10.20.42

Restart your BIND server and try the above command again. You should get a positive reply.
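The host lookups above are what every Kerberos and LDAP client does before it can talk to the DC, so a wrong port or target in an SRV record breaks joins later. The following added script (my example, not part of the guide) validates `host -t SRV` output against the expected DC name and port; the offline run uses the two lines shown above as constructed input, and the live mode queries the records Samba provisions for the domain.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that the SRV records a
# domain member looks up point at this DC with the right ports. Expected values
# come from this guide's provision output (EXAMPLE.COM on test.example.com).
DC_HOST="test.example.com"

# check_srv_line LINE EXPECTED_TARGET EXPECTED_PORT
# LINE is one line of `host -t SRV` output, for example
#   _ldap._tcp.example.com has SRV record 0 100 389 test.example.com.
# Returns 0 when port and target match, 1 otherwise (reason on stderr).
check_srv_line() {
    line=$1; want_target=$2; want_port=$3
    case $line in
        *" has SRV record "*) ;;
        *) echo "no SRV record: $line" >&2; return 1 ;;
    esac
    # Fields after "has SRV record": priority weight port target
    set -- $(printf '%s\n' "$line" | sed 's/.* has SRV record //')
    port=$3; target=${4%.}                # drop the trailing dot of the FQDN
    if [ "$port" = "$want_port" ] && [ "$target" = "$want_target" ]; then
        return 0
    fi
    echo "bad SRV data: $line (want $want_target port $want_port)" >&2
    return 1
}

# check_dc_records DOMAIN: query the live DNS server (needs the `host` tool)
# for the records Kerberos, LDAP and password-change clients use; returns 1
# if any record is missing or points elsewhere.
check_dc_records() {
    domain=$1; rc=0
    for svc in _kerberos._udp:88 _kerberos._tcp:88 _ldap._tcp:389 _kpasswd._udp:464; do
        name=${svc%:*}; port=${svc#*:}
        out=$(host -t SRV "$name.$domain." 2>&1) || { echo "$out" >&2; rc=1; continue; }
        check_srv_line "$out" "$DC_HOST" "$port" || rc=1
    done
    return $rc
}

# Offline run on the two lines shown above in this guide (constructed input).
check_srv_line "_kerberos._udp.example.com has SRV record 0 100 88 test.example.com." "$DC_HOST" 88 && echo "kerberos SRV ok"
check_srv_line "_ldap._tcp.example.com has SRV record 0 100 389 test.example.com." "$DC_HOST" 389 && echo "ldap SRV ok"
# Against the live server on the DC: LIVE=1 sh check_dc_dns.sh
if [ "${LIVE:-0}" = 1 ]; then check_dc_records example.com; fi
```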

Configure Kerberos

Replace the krb5.conf file in /etc with the krb5.conf created by the provision step. The generated file already carries your realm (EXAMPLE.COM in this guide):
Sample krb5.conf

# vi /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Testing Kerberos

# kinit administrator@EXAMPLE.COM
Password:
Warning: Your password will expire in 41 days on Wed Jul 17 10:26:06 2013

To join a Windows client to Samba 4:
Configuring a Windows Client for Samba 4 AD
To join a Linux client to Samba 4:
How to configure Linux client to join samba4 domain
 