What:
Linux Ubuntu 14.04 server with samba 4
Challenge:
Replace Windows Server "Active Directory Domain Controller" with a free Linux alternative.
Solution:
Log on to your Ubuntu server, run "sudo su -" and follow the steps below.
1. Configure network with a static ip address
edit /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.1.250
netmask 255.255.255.0
gateway 192.168.1.1
network 192.168.1.0
broadcast 192.168.1.255
dns-nameservers 8.8.8.8 # the nameserver; we will change it later to point at the DC itself
dns-search test.local
2. Name your domain controller
hostname pdc
echo "pdc" > /etc/hostname
edit /etc/hosts and make sure the three lines below look as follows:
127.0.0.1 localhost
127.0.1.1 pdc.test.local pdc
192.168.1.250 pdc.test.local pdc
Bring the system up to date
apt-get update && apt-get upgrade
reboot
3. Install packages ntp, acl, samba + tools
apt-get install ntp acl samba krb5-user smbclient
The Kerberos package will prompt you for a few values:
Your realm: TEST.LOCAL
Kerberos servers for your realm: pdc.test.local
Administrative server: pdc.test.local
4. Configure samba
Remove the automatically created configuration
rm /etc/samba/smb.conf
Configure samba with samba-tool
samba-tool domain provision --realm test.local --domain TEST --adminpass Password123 --server-role=dc
The administrator's password can't be too simple: a password strength check is applied and the command will fail if you choose something weak.
Run the command below to set the ACLs on sysvol properly
samba-tool ntacl sysvolreset
5. Configure DNS
For large, complex deployments you should use BIND, but in my scenario the built-in Samba DNS server is good enough.
edit /etc/samba/smb.conf and add
dns forwarder = 8.8.8.8
allow dns updates = nonsecure
Update the network configuration to use the new DNS server
edit /etc/network/interfaces
dns-nameservers 192.168.1.250
reboot
6. Test your new domain controller
Make sure all of the commands below complete without errors.
host -t SRV _ldap._tcp.test.local.
host -t SRV _kerberos._udp.test.local.
host -t A pdc.test.local.
Test that you can log on as the domain administrator
kinit administrator
klist
Make sure smbclient can communicate with the new DC
smbclient -L localhost -U%
and
smbclient //localhost/netlogon -U 'administrator'
quit
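Alongside the runtime checks above, an offline audit of the files edited in steps 1, 2 and 5 is useful before and after the reboot. This is an added example, not code from the original post: it checks that the static address, /etc/hosts and the hostname agree, that the DC is its own nameserver after step 5, and flags "allow dns updates = nonsecure", which accepts unsigned dynamic updates from any host on the LAN; the sample files it writes are constructed from the values used in this post.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: offline audit of the files edited in
# steps 1, 2 and 5. Paths are passed in so it can run against copies of the real files.

# audit_dc_config INTERFACES HOSTS HOSTNAME SMB_CONF
# Prints one line per finding; returns 0 if clean, 1 if anything was flagged.
audit_dc_config() {
    local ifaces=$1 hosts=$2 hostfile=$3 smbconf=$4 rc=0
    local addr ns name fqdn updates
    addr=$(awk '$1=="address"{print $2}' "$ifaces")
    ns=$(awk '$1=="dns-nameservers"{print $2}' "$ifaces")
    name=$(tr -d '[:space:]' < "$hostfile")
    fqdn=$(awk -v a="$addr" '$1==a{print $2; exit}' "$hosts")
    if [ -z "$fqdn" ]; then
        echo "FAIL: no /etc/hosts entry for static address $addr"; rc=1
    elif [ "${fqdn%%.*}" != "$name" ]; then
        echo "FAIL: $addr maps to $fqdn but the hostname is $name"; rc=1
    fi
    # Step 5: once provisioned, the DC must use its own DNS, not an external one
    if [ "$ns" != "$addr" ]; then
        echo "WARN: dns-nameservers is $ns instead of the DC itself ($addr)"; rc=1
    fi
    # "nonsecure" accepts unsigned dynamic updates, so any LAN host can change records
    updates=$(awk -F= '/^[ \t]*allow dns updates/{gsub(/^[ \t]+|[ \t]+$/,"",$2); print $2}' "$smbconf")
    if [ "$updates" = "nonsecure" ]; then
        echo "WARN: allow dns updates = nonsecure permits unauthenticated DNS updates"; rc=1
    fi
    return $rc
}

# make_sample_config DIR NAMESERVER UPDATE_POLICY
# Writes constructed sample files using the post's values, for an offline demonstration.
make_sample_config() {
    local dir=$1
    printf 'auto eth0\niface eth0 inet static\naddress 192.168.1.250\nnetmask 255.255.255.0\n' > "$dir/interfaces"
    printf 'gateway 192.168.1.1\ndns-nameservers %s\ndns-search test.local\n' "$2" >> "$dir/interfaces"
    printf '127.0.0.1 localhost\n127.0.1.1 pdc.test.local pdc\n192.168.1.250 pdc.test.local pdc\n' > "$dir/hosts"
    echo pdc > "$dir/hostname"
    printf '[global]\n\tdns forwarder = 8.8.8.8\n\tallow dns updates = %s\n' "$3" > "$dir/smb.conf"
}

# Demo: the configuration exactly as the post leaves it after step 5, audited offline.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_config "$tmp" 192.168.1.250 nonsecure
    audit_dc_config "$tmp/interfaces" "$tmp/hosts" "$tmp/hostname" "$tmp/smb.conf" || echo "see findings above"
    rm -rf "$tmp"
fi
```

Run it with --demo to audit the constructed sample, or call audit_dc_config with the real /etc/network/interfaces, /etc/hosts, /etc/hostname and /etc/samba/smb.conf.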
7. Manage your new domain controller
The recommended way of managing your server is to use "Remote Server Administration Tools", which you can install on a Windows 7 desktop PC as a feature.
You can also manage users and groups with samba-tool:
samba-tool user add john --surname=Smith --given-name=John
samba-tool group add test_group
samba-tool group addmembers test_group john
samba-tool user list
getent passwd john
id john
TIP
Ubuntu desktop:
To make a Linux workstation work with the Windows domain, edit /etc/nsswitch.conf and replace the hosts line:
hosts: files mdns4_minimal [NOTFOUND=return] dns
with
hosts: files dns mdns4_minimal [NOTFOUND=return]
This only affects .local domains, which will now be resolved using DNS instead of mdns4_minimal.
In /etc/resolv.conf you should have the entry below, which can be propagated by your DHCP server.
search test.local