This page is meant to give a platform to develop and to collect information and hints on setting up an AD DC using Samba 4.

== Prerequisites ==

=== OpenLDAP ===

~~The build instructions in the book are pretty fine.~~

Samba4 brings its own LDAP-compatible implementation. Support for other LDAP backends is no longer maintained ^*)^.

=== NTP ===

The switch `--enable-ntp-signd` must be added when configuring the NTP daemon build.

=== BIND (DNS) ===

Samba4 comes with an internal DNS server, too. It's up to us which way to go, using BIND or the internal DNS. AFAIK, when using BIND, the instructions in the book should be ok. To be honest, I currently have no idea what options like `--dns-backend=SAMBA_INTERNAL` etc. are good for. Leaving them out, the resulting Samba4 supports all(?) of them.

=== Kerberos ===

As for now, the best way is to have no Kerberos installation around. Samba4 comes with its own Heimdal-based Kerberos implementation. Even though Samba4 compiles fine against MIT Kerberos, the AD controller functionality then gets disabled. This is not what we want. The Kerberos client tools (kinit, klist, ...) should be installed, though, as the bundled Heimdal package does not include them. For this, even MIT Kerberos is fine to use. Just make sure that the Kerberos server is not started, as the Kerberos server function will be provided by Samba4.

=== Miscellaneous ===

For testing, I add the following options:

{{{
options_misc="--with-ads --with-swat --with-winbind --enable-gnutls"
}}}

== Building Samba4 ==

{{{
CPPFLAGS="-I/usr/include/tirpc" CFLAGS="-I/usr/include/tirpc" \
LINKFLAGS="-ltirpc" \
./configure --prefix=/usr \
    --sysconfdir=/etc \
    --localstatedir=/var \
    --with-piddir=/run \
    --enable-fhs \
    --enable-nss-wrapper \
    --enable-socket-wrapper \
    --disable-rpath-install \
    $options_misc && make && make install
}}}

== Setting up the domain ==

Before you try a provisioning, make sure that the realm specified in {{{/etc/samba/smb.conf}}} is the same as the one you want to use.
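As an added example (not part of the original page, and not Samba tooling): a small POSIX shell preflight check that reads the realm from the [global] section of an existing smb.conf and compares it, case-insensitively, with the realm you are about to provision. The parser and the check function are my own; the smb.conf path and the realm are taken as command-line arguments.

```shell
#!/bin/sh
# Added example, not from the original page: preflight check before
# "samba-tool domain provision". A stale /etc/samba/smb.conf can carry a
# realm you did not intend, so read it and compare before provisioning.

# Print the value of key $2 from the [global] section of smb.conf $1
# (keys matched case-insensitively; comments and other sections ignored).
smbconf_global_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { in_global = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/); next }
        in_global {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}

# Return 0 when smb.conf $1 is absent (provision writes a fresh one) or
# already names realm $2 (compared case-insensitively); return 1 otherwise.
provision_preflight() {
    conf="$1"; want="$2"
    [ -e "$conf" ] || { echo "no $conf: provision will create it"; return 0; }
    have=$(smbconf_global_value "$conf" realm)
    if [ -z "$have" ]; then
        echo "$conf has no realm; move it out of the way or set realm = $want"
        return 1
    fi
    if [ "$(printf '%s' "$have" | tr 'a-z' 'A-Z')" != "$(printf '%s' "$want" | tr 'a-z' 'A-Z')" ]; then
        echo "realm mismatch: $conf says '$have', provisioning wants '$want'"
        return 1
    fi
    echo "realm '$have' matches, safe to provision"
}

# Usage: sh preflight.sh REALM [path/to/smb.conf]   (default /etc/samba/smb.conf)
[ "$#" -eq 0 ] || provision_preflight "${2:-/etc/samba/smb.conf}" "$1"
```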
Best is to move {{{/etc/samba/smb.conf}}} out of the way if it exists.

Start provisioning by running **samba-tool domain provision**. You should have an idea of what you will configure for the realm, the domain name, the server role, the type of DNS backend and (if using Samba's DNS server) what your DNS forwarder should be (usually the IP address of your ISP's DNS server):

{{{
[root@io ~]# samba-tool domain provision
Realm []:
Domain []:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) []:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:
NetBIOS Domain:
DNS Domain:
DOMAIN SID:            S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
}}}

== Resources ==

 * http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
 * ^*)^ http://wiki.samba.org/index.php/Samba4/LDAP_Backend