Version 6 (modified 11 years ago)
This page is meant to give a platform to develop and collect information and hints on how to set up an AD DC using Samba 4.
Prerequisites
OpenLDAP
The build instructions in the book are pretty fine. Samba4 brings its own LDAP-compatible implementation; support for other LDAP backends is no longer maintained *).
NTP
The switch --enable-ntp-signd must be added.
BIND (DNS)
Samba4 comes with an internal DNS server, too. It's up to us which way to go: BIND or the internal DNS. AFAIK, when using BIND, the instructions in the book should be OK.
To be honest, I currently have no idea what options like --dns-backend=SAMBA_INTERNAL etc. are good for. Leaving them out, the resulting Samba4 supports all(?) of them.
Kerberos
As of now, it's best to have no Kerberos installation around. Samba4 comes with its own Heimdal-based Kerberos implementation. Even though Samba4 compiles fine against MIT Krb5, the AD controller functionality gets disabled, which is not what we want. But the Kerberos tools (kinit, klist, ...) should be installed, as the bundled Heimdal package does not include them. For this, even MIT Krb5 is good to use. Just make sure that the Kerberos server does not start (or is not started), as the Kerberos server function will be provided by Samba4.
Miscellaneous
For testing, I add the following options:
options_misc="--with-ads --with-swat --with-winbind --enable-gnutls"
Building Samba4
CPPFLAGS="-I/usr/include/tirpc" CFLAGS="-I/usr/include/tirpc" \
LINKFLAGS="-ltirpc" \
./configure --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var \
            --with-piddir=/run \
            --enable-fhs \
            --enable-nss-wrapper \
            --enable-socket-wrapper \
            --disable-rpath-install \
            $options_misc && make && make install
Setting up the domain
Before you try provisioning, make sure that the realm specified in /etc/samba/smb.conf is the one you want to use. Best is to move /etc/samba/smb.conf out of the way if it exists.
Start provisioning by running samba-tool domain provision. You should have an idea of what you will configure for the realm, the domain name, the server role, the type of DNS backend and (if using Samba's DNS server) what your DNS forwarder should be (usually the IP address of your ISP's DNS server):
[root@io ~]# samba-tool domain provision
Realm [<your-dns-domain>]:
Domain [<first-part-of-dns-domain>]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [<ip-of-a-dns>]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=<your-domain-components>
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=<your-domain-components>
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              <hostname>
NetBIOS Domain:        <domainname>
DNS Domain:            <dns-domain-name>
DOMAIN SID:            S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
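The pre-provision realm check and the provisioning step as one script, added here as an example (not from this page or from the Samba project): it reads the realm from an existing smb.conf, moves the file aside if it names a different realm, and then runs samba-tool domain provision non-interactively with the same answers the prompts above collect. The smb.conf path and the environment variables REALM and ADMINPASS are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page or the Samba project): pre-provision
# realm check plus a non-interactive provision that supplies the answers the
# interactive session above asks for. Paths and the environment variables
# REALM/ADMINPASS are assumptions; adjust them for your build.
set -eu

SMBCONF="${SMBCONF:-/etc/samba/smb.conf}"

# Print the "realm = ..." value of an smb.conf (key matched case-insensitively,
# whitespace around "=" tolerated, result upper-cased as Samba does).
smbconf_realm() {
    sed -n 's/^[[:space:]]*[Rr][Ee][Aa][Ll][Mm][[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" \
        | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//' | tr '[:lower:]' '[:upper:]'
}

# The NetBIOS domain name defaults to the first DNS label of the realm,
# exactly what the "Domain [...]" prompt proposes.
first_label() {
    printf '%s\n' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]'
}

# 0 if smb.conf is absent or already names the wanted realm, 1 otherwise
# (a stale file with another realm must be moved out of the way).
realm_matches() {
    conf="$1"; wanted="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
    [ -f "$conf" ] || return 0
    [ "$(smbconf_realm "$conf")" = "$wanted" ]
}

# Move a conflicting smb.conf aside (timestamped backup), then provision the
# DC with the same answers the interactive prompts collect.
provision_dc() {
    realm="$1"; adminpass="$2"
    if ! realm_matches "$SMBCONF" "$realm"; then
        mv "$SMBCONF" "$SMBCONF.$(date +%Y%m%d%H%M%S).bak"
    fi
    samba-tool domain provision \
        --realm="$realm" \
        --domain="$(first_label "$realm")" \
        --server-role=dc \
        --dns-backend=SAMBA_INTERNAL \
        --adminpass="$adminpass"
}

# Usage: REALM=ad.example.org ADMINPASS='...' sh provision.sh provision
if [ "${1:-}" = "provision" ]; then
    provision_dc "$REALM" "$ADMINPASS"
fi
```

The DNS forwarder is not passed on the command line here; set it afterwards as dns forwarder in the generated smb.conf, as the interactive run does.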