Setting up an Active Directory Domain Controller using Samba on Ubuntu Server

Tutorial Difficulty Level    

This tutorial documents the steps to get Samba 4 working as a Active Directory Domain Controller using Ubuntu 16.04.

This is just a reference as some of these will be unique to your setup.

AD DC Hostname: DC1

AD DNS Domain Name: mydomain.net

Kerberos Realm: mydomain.net

NT4 Domain Name/NetBIOS Name: mydomain

IP Address: 192.168.0.200

Server Role: Domain Controller (DC)

Forwarder DNS Server: 192.168.0.1

First make sure everything is up to date and install some pre-requisites. You may want to reboot if your kernel updates.

During the installation of Kerberos, it may ask you what your Kerberos realm as well as the name of this server. This is our Kerberos Realm and AD DC Hostname from above:


Setting a static IP

It is important for our server to have a static IP, mostly because DNS is so important to the configuration of Samba


Setting your hostname


Setting file system parameters

Because samba makes use of some extended filesystem attributes that EXT3/4 don’t normally support we have to set them in fstab. Not that the packages acl and attr are required for this to work.

We need to reboot for the changes to take effect.


Setting hosts file

We need to be certain that dc1 always resolves to localhost.


Setting NTP

Network Time Protocol is the system that manages what time it is on your system, and it is important that our time is accurate for the proper functioning of Kerberos. Note that the ntp server in DkIT is ntp.dkit.ie


Setting up Samba

This is where we actually install Samba. The default smb.conf file needs to be moved elsewhere so that Samba doesn’t try to use it. It will generate its own during the provisioning process. I like to run samba-tool in interactive mode because it gives you suggestions, though if you prefer you can specify all of the parameters in one command.


Removing Upstream DNS

We now want to remove the upstream DNS server from our network config, so that when resolv.conf is generated at boot it only points dns at ourselves. We do this because Samba is now managing DNS and forwarding any external requests to the upstream DNS server.


Testing DNS

It is very important that DNS is working well for Samba to function correctly, therefore we should test it to make sure that it is working correctly. These three tests ensure A records are resolving and that Kerberos and LDAP SRV records are resolving to the proper server(s). The results should include the server that you are on.


Setting up Kerberos

Samba generated us a Kerberos config file, but Kerberos also comes with a default configuration file that we need to move before using the Samba one. We use a symbolic link so that if samba does any updates to the config file we don’t have to do this again.


Testing Kerberos and authentication

We want to make sure that Kerberos is actually handing out tickets(authentication tokens) and that we can actually authenticate using these tokens.