wiki:samba4

Version 8 (modified by thomas, 11 years ago)


This page is meant to be a place to develop and collect information and hints on setting up an AD DC (Active Directory domain controller) using Samba 4.

Prerequisites

OpenLDAP

The build instructions in the book work as they are. Samba 4 brings its own LDAP-compatible directory server (backed by its LDB databases under /var/lib/samba/private with the FHS layout used below); support for other LDAP backends such as OpenLDAP is no longer maintained *). Having the OpenLDAP package around is still mandatory, though, because Samba links against its client library (libldap) for the Active Directory client side (--with-ads).

NTP

When building NTP, the switch --enable-ntp-signd must be added to its ./configure. It lets ntpd hand NTP replies to Samba for signing via a Unix socket (the path is the smb.conf option "ntp signd socket directory"); Windows clients require signed MS-SNTP responses from a domain controller and silently ignore unsigned ones.

BIND (DNS)

Samba 4 comes with an internal DNS server, too. It's up to us which way to go, using Bind or the internal DNS. AFAIK, when using Bind, the instructions in the book should be ok.

To be honest, I currently have no idea what options like --dns-backend=SAMBA_INTERNAL are good for. Leaving them out, the resulting Samba 4 supports all(?) of them. (Note that --dns-backend is an option of samba-tool domain provision, see below, not of ./configure: the backend is chosen per domain at provisioning time, and one build contains both the internal DNS server and the Bind9 DLZ modules.)

Kerberos

For now, it is best to have no Kerberos server installation around. Samba 4 comes with its own Heimdal-based Kerberos implementation. Even though Samba 4 compiles fine against MIT Kerberos, the AD domain controller functionality then gets disabled, which is not what we want. The Kerberos client tools (kinit, klist, ...) should be installed, though, as the bundled Heimdal is not installed with them; for these, even MIT krb5 is fine to use. Just make sure that the Kerberos server (krb5kdc) does not start, or is not started, as the KDC function will be provided by Samba 4 itself.

Miscellaneous

For testing, I add the following options:

options_misc="--with-ads --with-swat --with-winbind --enable-gnutls"

Building Samba4

CPPFLAGS="-I/usr/include/tirpc" CFLAGS="-I/usr/include/tirpc" \
LINKFLAGS="-ltirpc" \
./configure --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var \
            --with-piddir=/run \
            --enable-fhs \
            --enable-nss-wrapper \
            --enable-socket-wrapper \
            --disable-rpath-install \
            $options_misc &&
make &&
make install

Setting up the domain

Before you try provisioning, make sure that the realm specified in /etc/samba/smb.conf is the one you want to use. Best is to move /etc/samba/smb.conf out of the way if it exists, as samba-tool domain provision writes a fresh one.

Start provisioning by running samba-tool domain provision. You should have an idea of what you will configure for the realm, the (NetBIOS) domain name, the server role, the type of DNS backend and (if using Samba's DNS server) what your DNS forwarder should be (usually the IP address of your ISP's DNS server). All of these can also be passed as command-line options (--realm, --domain, --server-role, --dns-backend, --dns-forwarder) for a non-interactive run:

[root@io ~]# samba-tool domain provision
Realm [<your-dns-domain>]:
 Domain [<first-part-of-dns-domain>]: 
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [<ip-of-a-dns>]: 
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=<your-domain-components>
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=<your-domain-components>
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              <hostname>
NetBIOS Domain:        <domainname>
DNS Domain:            <dns-domain-name>
DOMAIN SID:            S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
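The interactive run above, as a non-interactive wrapper script. This is an added example, not from the original page or from the Samba project: it derives the NetBIOS domain from the realm the way the prompts' defaults do, validates the realm, moves a stale /etc/samba/smb.conf aside, refuses to run while a foreign KDC is up, and verifies the result with the SRV records and a kinit. The paths follow the --enable-fhs build above; the realm, forwarder address and the PROVISION_RUN guard variable are assumptions.

```shell
#!/bin/sh
# Added example (not part of the page): non-interactive provisioning
# wrapper around "samba-tool domain provision". Run as root with
#   PROVISION_RUN=1 sh provision.sh ad.example.com SAMBA_INTERNAL 192.0.2.53
# (realm and forwarder are made-up values).

# NetBIOS domain: first DNS label, upper-cased, at most 15 characters.
derive_nbdomain() {
    printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]' | cut -c1-15
}

# A realm needs at least two labels and only [A-Z0-9.-]; AD is case-
# insensitive but Kerberos is not, so always upper-case it.
normalize_realm() {
    r=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$r" in
        *.*) ;;
        *) return 1 ;;
    esac
    case "$r" in
        *[!A-Z0-9.-]*) return 1 ;;
    esac
    printf '%s' "$r"
}

# Emit the provision arguments one per line, so they can be inspected
# (and tested) before anything is written. A forwarder only makes sense
# for the internal DNS server, Bind has its own forwarders statement.
provision_args() {
    realm=$1 nbdom=$2 backend=$3 fwd=$4
    printf '%s\n' --realm="$realm" --domain="$nbdom" \
        --server-role=dc --dns-backend="$backend"
    if [ "$backend" = SAMBA_INTERNAL ] && [ "$fwd" != none ]; then
        printf '%s\n' --dns-forwarder="$fwd"
    fi
}

provision() {
    realm=$(normalize_realm "$1") || { echo "bad realm: $1" >&2; return 1; }
    nbdom=$(derive_nbdomain "$realm")
    backend=${2:-SAMBA_INTERNAL}
    fwd=${3:-none}
    # Samba 4 is the KDC; a running MIT/Heimdal KDC would fight over port 88.
    if pgrep -x krb5kdc >/dev/null || pgrep -x kdc >/dev/null; then
        echo "stop the system Kerberos KDC first" >&2; return 1
    fi
    # A leftover smb.conf with another realm provisions the wrong realm.
    if [ -f /etc/samba/smb.conf ]; then
        mv /etc/samba/smb.conf "/etc/samba/smb.conf.$(date +%Y%m%d%H%M%S)"
    fi
    # No --adminpass on purpose: samba-tool prompts for it, so the
    # password never shows up in argv, "ps" or the shell history.
    set -- $(provision_args "$realm" "$nbdom" "$backend" "$fwd")
    samba-tool domain provision "$@"
    verify_dc "$realm"
}

# Post-provision checks: install the generated krb5.conf, start the DC,
# then prove DNS (SRV records) and the KDC (a TGT for Administrator) work.
verify_dc() {
    realm=$1
    lc=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
    samba                    # daemonizes; use "samba -i" to watch it instead
    sleep 2
    host -t SRV "_ldap._tcp.$lc"
    host -t SRV "_kerberos._udp.$lc"
    samba-tool domain level show
    kinit "administrator@$realm" && klist
}

if [ -n "${PROVISION_RUN:-}" ]; then
    provision "$@"
fi
```

The argument builder is kept separate from the command that runs it so the exact samba-tool invocation can be reviewed (or diffed against a previous DC's) before the databases are written; re-running the script re-provisions from scratch, so treat it as a one-shot.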

Note: When using Bind as the DNS backend (BIND9_DLZ), make sure to review the /var/lib/samba/private/named.conf file. It gets created and overwritten each time you provision the domain, so any manual fix has to be redone after a re-provision. The file contains one "database" line per supported Bind version and activates the one for Bind 9.8 by default; as we have Bind 9.9.x in the book, that default is not valid, and the dlz_bind9_9 line must be the active one instead! **)
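The sed hinted at in footnote **), as an added example that is not part of the page or of Samba. It is exercised here on a constructed sample of the dlz block; the comments in the real file and the module directory (/usr/lib/samba/bind9 for the --prefix=/usr build above) are assumptions, only the "database "dlopen .../dlz_bind9*.so";" lines matter.

```shell
#!/bin/sh
# Added example (not from the page): switch the active dlz_bind9 module in
# the named.conf that "samba-tool domain provision" writes.

# Constructed sample of the generated dlz block (layout is an assumption).
SAMPLE_NAMED_CONF='dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/lib/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    # database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";
};'

# Map the running named version to the module Samba builds for it.
dlz_module_for() {
    case "$1" in
        9.8.*) echo dlz_bind9 ;;
        9.9.*) echo dlz_bind9_9 ;;
        *) echo "unsupported BIND version: $1" >&2; return 1 ;;
    esac
}

# Filter (stdin -> stdout): comment out every active "database" line, then
# uncomment the one whose path ends in /<module>.so. Leading whitespace is
# preserved; running it twice is a no-op.
select_dlz_module() {
    module=$1
    sed -e 's|^\([[:space:]]*\)database "dlopen \(.*\)";|\1# database "dlopen \2";|' \
        -e "s|^\([[:space:]]*\)# *database \"dlopen \(.*/${module}\.so\)\";|\1database \"dlopen \2\";|"
}

# Number of active (uncommented) database lines on stdin; must be exactly 1.
active_dlz_lines() {
    grep -c '^[[:space:]]*database "dlopen'
}

# Apply to the real file with a backup, check the invariant and, where
# available, let named-checkconf parse the result (syntax only).
fix_named_conf() {
    file=${1:-/var/lib/samba/private/named.conf}
    version=$(named -v | sed 's/^BIND \([0-9.]*\).*/\1/')
    module=$(dlz_module_for "$version") || return 1
    cp "$file" "$file.bak"
    select_dlz_module "$module" < "$file.bak" > "$file"
    if [ "$(active_dlz_lines < "$file")" != 1 ]; then
        echo "expected exactly one active dlz module in $file" >&2
        return 1
    fi
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$file"
    fi
}
```

Because provisioning overwrites the file, run fix_named_conf after every samba-tool domain provision and before (re)starting named; the "exactly one active line" check is what catches a Bind version the mapping does not know, rather than leaving named to fail at startup with a dlopen error.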

Resources

*) As stated in the LDAP_Backend page of the Samba wiki
**) Maybe we can make a sed for this
