= Building the AD Controller = This page is meant to give a platform to develop and to collect infos and hints for the way to setup an AD-DC using Samba 4. == Prerequisites == === OpenLDAP === ~~The build instructions in the book are pretty fine.~~ Samba4 brings its own LDAP compatible implementation. The support of other LDAP backends is not maintained any longer ^*)^. But having the LDAP package around is mandatory. === NTP === The switch `--with-sntp` as well as `--enable-ntp-signd` must be added. {{{ ./configure --prefix=/usr --sysconfdir=/etc \ --with-binsubdir=sbin \ --with-sntp --enable-ntp-signd }}} In the configuration file two options needs to be added. That is a argument to `restrict`, enabling signed ntp and one option to specify a socket name the AD controller and the NTP daemon will communicate. Your `/etc/ntp.conf` may than look like: {{{ # Begin /etc/ntp.conf server 0.de.pool.ntp.org server 1.de.pool.ntp.org server 2.de.pool.ntp.org server 3.de.pool.ntp.org # Only allow localhost and our LAN to access restrict default nopeer mssntp restrict 127.0.0.1 restrict 192.168.1.0 mask 255.255.255.0 # Location of drift and log files driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp.log logconfig +clockall +peerall +sysall +syncall # Signed ntp ntpsigndsocket /var/lib/samba/ntp_signd/ # End /etc/ntp.conf }}} Note that NTP will add "socket" automatically to the path given at `ntpsignsocket`. That means in turn, the argument to `ntpsignsocket` must be a directory and not the full name. Samba4 will place a socket in `/var/lib/samba/ntp_signd/` so we add this name to the `ntp.conf`. === BIND (DNS) === The Samba4 comes with an internal DNS server, too. Its up to us which way to go, using Bind or the internal DNS. AFAIK, when using Bind, the instructions in the book should be ok. To be honest, I've currently no idea for what the options like --dns-backend=SAMBA_INTERNAL etc. are good for. Leaving them out, the resulting Samba4 supports all(?) of them. === Kerberos === As for now, it's the best way to have no Kerberos installation around. Samba4 comes with an own Heimdal-based Kerberos implementation. Even Samba4 compiles fine against MIT-Krb5, the AD controller functionality gets disabled. This is not what we want to have. But, the Kerberos tools (kinit, klist ...) should be installed as the bundled Heimdal packet does not include them. For this, even MIT-krb5 is good to use. Just make sure that the Kerberos-server does not start or is not started as the Kerberos server function will be provided by Samba4. === Miscellaneous === For testing, I add following options {{{ options_misc="--with-ads --with-swat --with-winbind --enable-gnutls" }}} == Building Samba4 == {{{ CPPFLAGS="-I/usr/include/tirpc" CFLAGS="-I/usr/include/tirpc" \ LINKFLAGS="-ltirpc" \ ./configure --prefix=/usr \ --sysconfdir=/etc \ --localstatedir=/var \ --with-piddir=/run \ --enable-fhs \ --enable-nss-wrapper \ --enable-socket-wrapper \ --disable-rpath-install \ $options_misc && make && make install }}} The permissions of the directory mentioned above at NTP may be not usable for the user which is running ntp. To solve this change ownership so it is readable for the ntp-user too: {{{ chgrp ntp /var/lib/samba/ntp_signd }}} == Setting up the domain == before you try a provisioning, make sure that the realm specified in the {{{/etc/samba/smb.conf}}} is the same as you want to use. Best is to move the {{{/etc/samba/smb.conf}}} out of the way if exist. Start provisioning by running **samba-tool domain provision**. You should have an idea of what you will configure for the realm, the domainname, the server role, the type of DNS backend and (if using Sambas DNS server) what your DNS forwarding should look like (usually the IP address of your ISP DNS server): {{{ [root@io ~]# samba-tool domain provision Realm []: Domain []: Server Role (dc, member, standalone) [dc]: DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: DNS forwarder IP address (write 'none' to disable forwarding) []: Administrator password: Retype password: Looking up IPv4 addresses Looking up IPv6 addresses No IPv6 address will be assigned Setting up share.ldb Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema Adding DomainDN: DC= Adding configuration container Setting up sam.ldb schema Setting up sam.ldb configuration data Setting up display specifiers Modifying display specifiers Adding users container Modifying users container Adding computers container Modifying computers container Setting up sam.ldb data Setting up well known security principals Setting up sam.ldb users and groups Setting up self join Adding DNS accounts Creating CN=MicrosoftDNS,CN=System,DC= Creating DomainDnsZones and ForestDnsZones partitions Populating DomainDnsZones and ForestDnsZones partitions Setting up sam.ldb rootDSE marking as synchronized Fixing provision GUIDs A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf Once the above files are installed, your Samba4 server will be ready to use Server Role: active directory domain controller Hostname: NetBIOS Domain: DNS Domain: DOMAIN SID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx }}} **Note:** When using Bind as DNS backend, make sure to review the /var/lib/samba/private/named.conf file. It gets created and overwritten each time you provision the domain. As we have Bind-9.9.x in the book, the default in that file is not valid! ^!**)^ == Resources == * http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO * http://wiki.samba.org/index.php/Samba4/LDAP_Backend ^*)^ As stated in the LDAP_Backend page of the Samba wiki \\ ^!**)^ Maybe we can make a sed for this = Some notes = Here comes a few notes in no order regarding AD. Needs to be sorted somehow. == DNS register fails while joining domain == {{{ [root@ganymed ~]# net ads dns register No DNS domain configured for . Unable to perform DNS Update. DNS update failed! }}} Check your /etc/hosts file. There must be a full qualified name for your machine. {{{localhost.localdomain}}} is not enough. ---- ,,Thomas Trepl (thomas at linuxfromscratch dot org, irc:Moody),,