The Samba AD provisioning process creates the AD databases and adds the initial records, such as the domain administrator account and the DNS entries the domain needs. Samba ships with a command-line tool, samba-tool, which, when run in interactive mode, writes an smb.conf for you.
As mentioned above, samba-tool, when run as root, writes an smb.conf that configures the host as a domain controller. Interactive mode does not enable Group Policy support; you can add that afterwards by editing smb.conf by hand. Open the Group Policy page in a new tab for later reading.
Be aware that if you wish to use a VFS module on a DC share (e.g. recycle), you must not simply set vfs objects = recycle in the share. An explicit vfs objects line replaces the DC defaults dfs_samba4 and acl_xattr rather than adding to them, and the DC relies on those two for DFS referrals (SYSVOL and NETLOGON) and for storing NT ACLs in extended attributes. Set vfs objects = dfs_samba4 acl_xattr recycle instead.
A fully functional Samba domain controller needs several packages beyond Samba itself. Install krb5, ntp, python-dnspython, openresolv and samba from the official repositories.
TLS is not switched on in the generated smb.conf, but a self-signed certificate was created when the DC was provisioned. Since the Samba 4.4.2, 4.3.8 and 4.2.11 releases, LDAP simple binds over an unencrypted connection are rejected by default (ldap server require strong auth = yes), so you must configure TLS before using Samba as an LDAP authentication source rather than lowering that setting. To use the default key and certificate, append the following lines to the [global] section of /etc/samba/smb.conf:
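The two smb.conf pitfalls above, a share-level vfs objects line that silently drops dfs_samba4 and acl_xattr, and TLS that has to be configured before LDAP binds work, are easy to check mechanically before restarting the DC. The POSIX shell script below is an added example, not code from the Samba or Arch wikis. The embedded smb.conf is constructed for the demonstration; the file names tls/key.pem, tls/cert.pem and tls/ca.pem are what Samba's tls keyfile, tls certfile and tls cafile parameters resolve to relative to the private directory. An absent tls enabled is reported as a finding because the advice above is to set it explicitly.

```shell
#!/bin/sh
# Added example: audit an smb.conf for two DC mistakes discussed above.
# Not from the Samba or Arch wikis; the sample config below is constructed.

# Constructed sample: [data] drops the DC default VFS modules, [data2] keeps them.
SAMPLE_CONF='[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    server role = active directory domain controller
    tls enabled = yes
    tls keyfile = tls/key.pem
    tls certfile = tls/cert.pem
    tls cafile = tls/ca.pem

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

[data]
    path = /srv/data
    read only = no
    vfs objects = recycle

[data2]
    path = /srv/data2
    read only = no
    vfs objects = dfs_samba4 acl_xattr recycle
'

# Print "section<TAB>key<TAB>value" for each parameter read on stdin.
# Keys are lower-cased with whitespace removed, the same normalisation Samba
# applies when matching parameter names, so "vfs objects" becomes "vfsobjects".
flatten_conf() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s); section = s; next
        }
        /=/ {
            k = $0; sub(/=.*$/, "", k); gsub(/[[:space:]]/, "", k); k = tolower(k)
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            printf "%s\t%s\t%s\n", section, k, v
        }'
}

# 0 if every share that sets "vfs objects" still lists dfs_samba4 and acl_xattr
# (an explicit list replaces the DC defaults instead of adding to them);
# otherwise name the offending shares on stderr and return 1.
check_vfs_objects() {
    bad=$(printf '%s' "$1" | flatten_conf | awk -F'\t' '
        $1 != "global" && $2 == "vfsobjects" {
            n = split($3, mod, /[[:space:]]+/); dfs = 0; acl = 0
            for (i = 1; i <= n; i++) {
                if (mod[i] == "dfs_samba4") dfs = 1
                if (mod[i] == "acl_xattr") acl = 1
            }
            if (!(dfs && acl)) print $1
        }')
    [ -z "$bad" ] && return 0
    printf 'shares missing dfs_samba4/acl_xattr in "vfs objects": %s\n' "$bad" >&2
    return 1
}

# 0 if [global] sets tls enabled = yes and names key, certificate and CA files;
# otherwise list what is missing on stderr and return 1.
check_tls() {
    flat=$(printf '%s' "$1" | flatten_conf)
    missing=""
    for key in tlsenabled tlskeyfile tlscertfile tlscafile; do
        val=$(printf '%s\n' "$flat" | awk -F'\t' -v k="$key" '$1 == "global" && $2 == k { print $3; exit }')
        case "$key:$val" in
            tlsenabled:yes|tlsenabled:true) ;;
            tlsenabled:*) missing="$missing tlsenabled" ;;
            *:) missing="$missing $key" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf 'TLS not fully configured in [global]; missing:%s\n' "$missing" >&2
    return 1
}

# Usage: sh smbconf-audit.sh /etc/samba/smb.conf   (no argument: audit the sample)
if [ -n "$1" ]; then conf=$(cat "$1"); else conf=$SAMPLE_CONF; fi
status=0
check_vfs_objects "$conf" || status=1
check_tls "$conf" || status=1
[ "$status" -eq 0 ] && echo "smb.conf audit passed" || echo "smb.conf audit found problems"
```

Run it against the live file before restarting samba-ad-dc; testparm validates syntax but does not warn that a share has replaced the DC default VFS stack, which is exactly the mistake this catches.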
This produces /var/lib/samba/private/idmap.ldb.bak. Copy that file into /var/lib/samba/private on the new server and drop the .bak extension. idmap.ldb is not replicated between DCs, so if you intend to keep several DCs you will need to automate this going forward using one of the methods listed on the Samba website. The same applies to transferring the ID mapping from Windows DCs.
A Samba server configured as a domain controller does not enable printing by default. Add the following lines to the [global] section of /etc/samba/smb.conf:
Create an unprivileged AD user for performing the updates. When prompted for a password, use a strong one; 63 random mixed-case alphanumeric characters is more than sufficient. Alternatively, samba-tool can generate one for you with the --random-password option:
Edit the dhcpd-update-samba-dns.conf file as follows, substituting your own values for server, internal.domain.tld and INTERNAL.DOMAIN.TLD:
To run a Samba DC with SELinux in enforcing mode, a few of the samba_* SELinux booleans must be switched on. Once they are set, there is no need to disable SELinux.
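The account creation above and the DNS update the DHCP hook performs fit together as follows. This is an added example written for this page, not the script or conf file from the Samba wiki it refers to: it assumes the account name dhcpduser, the keytab path /etc/dhcpduser.keytab, ISC dhcpd calling the hook from an "on commit" event with the hostname and address, and the placeholder values server, internal.domain.tld and INTERNAL.DOMAIN.TLD from the text. Granting the account write access on the two zones is still required and is not shown here.

```shell
#!/bin/sh
# Added example (not the script from the Samba wiki): the account set-up and the
# nsupdate exchange a DHCP "on commit" hook performs with GSS-TSIG.
# Assumed names: account dhcpduser, keytab /etc/dhcpduser.keytab, DNS server
# "server", zone internal.domain.tld, realm INTERNAL.DOMAIN.TLD.

DNS_SERVER=server
DOMAIN=internal.domain.tld
REALM=INTERNAL.DOMAIN.TLD
ACCOUNT=dhcpduser
KEYTAB=/etc/dhcpduser.keytab
TTL=3600

# One-time set-up on the DC: an unprivileged account with a generated password
# that never expires, exported as a keytab only root can read. Write access on
# the forward and reverse zones must be granted to it separately.
create_update_account() {
    samba-tool user create "$ACCOUNT" --random-password &&
    samba-tool user setexpiry "$ACCOUNT" --noexpiry &&
    samba-tool domain exportkeytab "$KEYTAB" --principal="$ACCOUNT@$REALM" &&
    chmod 400 "$KEYTAB"
}

# Reverse-zone owner name for an IPv4 address: 10.1.2.3 -> 3.2.1.10.in-addr.arpa
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# nsupdate batch for one lease. The delete before each add removes a stale
# record when a client moves to another address; a separate "send" per zone is
# needed because the A and PTR records live in different zones.
nsupdate_batch() {
    fqdn="$1.$DOMAIN"; ip=$2; rev=$(reverse_name "$ip")
    printf 'server %s\n' "$DNS_SERVER"
    printf 'update delete %s A\n' "$fqdn"
    printf 'update add %s %s A %s\n' "$fqdn" "$TTL" "$ip"
    printf 'send\n'
    printf 'update delete %s PTR\n' "$rev"
    printf 'update add %s %s PTR %s.\n' "$rev" "$TTL" "$fqdn"
    printf 'send\n'
}

# What the hook runs for each lease (needs the krb5 clients and nsupdate; not
# invoked in this file). -g selects GSS-TSIG; a private credential cache keeps
# the hook from touching root's own tickets.
update_lease_dns() {
    KRB5CCNAME=/run/dhcp-dyndns.cc; export KRB5CCNAME
    kinit -k -t "$KEYTAB" "$ACCOUNT@$REALM" || return 1
    nsupdate_batch "$1" "$2" | nsupdate -g
    rc=$?
    kdestroy
    return $rc
}

# Show the batch that would be sent for a constructed lease.
nsupdate_batch pc1 10.1.2.3
```

Because the update is authenticated with the dhcpduser ticket rather than a shared TSIG key, compromising the DHCP host yields only the zone rights granted to that one account; keep the keytab at mode 400 and do not reuse the account for anything else.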
We then covered how to run Samba alongside Fedora Linux security features, keeping both firewalld and SELinux enabled, did some important testing to make sure everything worked, and finished by showing a little of how to manage users with samba-tool.
I had a similar issue. In my case I had other DNS servers listed in /etc/resolv.conf left over from installation, but you should only see your own Samba server. I edited /etc/systemd/resolved.conf to list my samba server as the only DNS provider and restarted systemd-resolved, and that solved it for me.
Both of you gave the right hints, but nevertheless, after I got the DNS resolution stuff running, I cannot get Kerberos to fly:

kinit: krb5_parse_name_flags: unable to find realm of host dc1

As the advice was to check the time on both server and client, I can confirm both have the same time. Plus I double-checked /etc/krb5.conf.d/samba-dc and there seems to be nothing wrong.
The lmhosts file should be created as /etc/samba/lmhosts. Its format is the same as that of /etc/hosts (one address and name per line), except that you register the NetBIOS name instead of the host name. For example, if your PDC has the IP address 10.10.101.1, sambadomain as its workgroup name and sambapdc as its NetBIOS name, the lmhosts file should look like the following:
Apparently the Samba Active Directory domain controller uses/requires a different implementation of Kerberos (Heimdal) than the RPM packages distributed on RHEL and CentOS use (MIT). Not sure that is still the case.
Finally, we must make sure the right services start again should the server be restarted. To do this, we mask, stop and disable the smbd, nmbd and winbind services, and unmask, start and enable the samba-ad-dc service. This is done with the following commands:
6. After installing Samba, run the following commands to stop and disable the services the Samba Active Directory server does not need: smbd, nmbd and winbind. The server only needs samba-ad-dc to act as the Active Directory domain controller.
1. Run the commands below to change the permissions and ownership of the directory /var/lib/samba/ntp_signd. The _chrony user/group must be able to enter and read that directory, because it holds the socket through which chrony asks Samba to sign replies.
2. Now open /etc/chrony/chrony.conf in a text editor and append the following configuration to the bottom of the file. It enables chrony as an NTP server and points it at the Samba signing socket in /var/lib/samba/ntp_signd, so domain members receive signed (MS-SNTP) replies. Save the file and exit the editor.
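The service switch-over, the ntp_signd permission change, the chrony configuration and the SELinux booleans mentioned earlier are one post-provisioning procedure, so here they are as a single idempotent script. This is an added example, not a script from any of the guides quoted above. It assumes Debian-style names (the _chrony group, /etc/chrony/chrony.conf, a service called chrony) and the default Samba private directory; on Fedora the group is chrony, the file is /etc/chrony.conf and the service is chronyd. The client network 192.168.1.0/24 is a placeholder, and samba_domain_controller is the one SELinux boolean named here because it is the one that is certain to exist; the getsebool line lists the rest for the policy on your system.

```shell
#!/bin/sh
# Added example, not a script from the pages above: service switch-over,
# ntp_signd permissions, chrony signing configuration and SELinux booleans.
# Debian-style names assumed (_chrony group, /etc/chrony/chrony.conf, chrony.service).

SIGND_DIR=/var/lib/samba/ntp_signd
CHRONY_GROUP=_chrony
CHRONY_CONF=/etc/chrony/chrony.conf
CLIENT_NET=${CLIENT_NET:-192.168.1.0/24}      # placeholder LAN allowed to query NTP

# Emit the chrony fragment: serve the LAN and sign replies through Samba's
# ntp_signd socket, which Windows domain members expect (MS-SNTP) from their DC.
chrony_signd_config() {
    cat <<EOF
# Samba AD DC: sign replies via ntp_signd and serve the LAN
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
allow $CLIENT_NET
ntpsigndsocket $SIGND_DIR
EOF
}

# Append the fragment exactly once (keyed on the ntpsigndsocket line), so the
# script can be re-run without duplicating directives.
install_chrony_config() {
    if grep -q '^ntpsigndsocket' "$CHRONY_CONF" 2>/dev/null; then
        return 0
    fi
    chrony_signd_config >> "$CHRONY_CONF"
}

# chrony must traverse and read the socket directory; 750 keeps everyone else out.
fix_signd_perms() {
    chgrp "$CHRONY_GROUP" "$SIGND_DIR" && chmod 750 "$SIGND_DIR"
}

# The classic file-server daemons conflict with samba-ad-dc, which starts its own
# instances of them; masking stops a package upgrade from re-enabling them.
switch_services() {
    systemctl disable --now smbd nmbd winbind
    systemctl mask smbd nmbd winbind
    systemctl unmask samba-ad-dc
    systemctl enable --now samba-ad-dc
    systemctl restart chrony
}

# Fedora/RHEL only: turn the DC boolean on persistently; the first line shows
# which other samba_* booleans the installed policy offers.
selinux_booleans() {
    getsebool -a | grep '^samba'
    setsebool -P samba_domain_controller on
}

# Apply everything only when run as root on the DC itself.
if [ "$(id -u)" -eq 0 ] && [ -d "$SIGND_DIR" ]; then
    fix_signd_perms && install_chrony_config && switch_services
    command -v setsebool >/dev/null 2>&1 && selinux_booleans
else
    echo "not root on a provisioned DC; chrony fragment that would be appended:"
    chrony_signd_config
fi
```

After the restart, "chronyc tracking" on the DC and a "w32tm /resync" on a domain member are the quick functional checks; if the member reports that the DC rejected the request, revisit the directory permissions before anything else.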
Edit: The workstations are not currently on a domain. Whatever Active Directory/Samba configuration I introduce will be our group's initial foray into centralized authentication. This means setting up a Windows Server domain controller is a feasible option, but I'd prefer to do it with Samba as I am more Linux savvy.
I'm not sure where to find such a point-by-point comparison. I've done a quick search and I'm not coming up with much. There is some comparison in the official Samba HOWTO at: -HOWTO-Collection/samba-pdc.html
[global]
# Who are we
workgroup = EXAMPLE
server string = "Example PDC"
netbios name = pdc
netbios aliases = pdc.example.com
os level = 65
# How do we find others
name resolve order = lmhosts wins host bcast
# WINS support: You have two options you can make
# the server do WINS, or you can use another WINS server
# If you are not the WINS server set:
# wins support = no
# wins server = ip.to.wins.server
# If you want to be your own WINS server set:
# wins support = yes
# and remove the 'wins server' line.
# DNS support
dns proxy = no
# What do we provide to whom
smb ports = 445 139
hosts allow = 192.168.
interfaces = lo, eth0
bind interfaces only = yes
# Where do we write what we do
log file = /var/log/samba/%m.log
log level = 1
max log size = 500
syslog = 0
# What is our role
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
# How do we handle UIDs and GIDs
map to guest = bad user
# How must users login
encrypt passwords = yes
security = user
password server = pdc.example.com
# Tell our users where their stuff is
logon drive = z:
logon home = \\fs03.example.com\%U
logon path = \\fs03.example.com\%U\profile
logon script = logon.bat
# Printing
load printers = no
# Some optimizations
oplocks = no
level2 oplocks = no
socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
# dead time Default is 0
dead time = 15
getwd cache = yes
# Backend setup
passdb backend = ldapsam:ldap://ldap.example.com
# ldap ssl = off sends the ldap admin dn bind (password stored with smbpasswd -w)
# in clear; only acceptable if the link to ldap.example.com is trusted
ldap ssl = off
ldap admin dn = cn=manager,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Devices
idmap backend = ldap:ldap://ldap.example.com
ldap idmap suffix = ou=idmap
ldap delete dn = no
ldapsam:trusted = yes
ldap passwd sync = yes

[netlogon]
# Each PDC and BDC must provide the netlogon share
comment = Network Logon Service
path = /data/netlogon
browseable = no
guest ok = yes
read only = yes

NOTE 1: We made a PDC that does only the bare minimum, meaning our Home shares and Profiles are located on another server (fs03.example.com). We chose to provide the profile directory to be part of the user's Home share. This means that when the user logs in through SSHFS, they can also access the documents on their "Desktop".
NOTE 2: Because we want the PDC to do the bare minimum, it will also not support printing.
Samba configuration is straightforward: all changes are made in the /etc/samba/smb.conf configuration file. Although the default smb.conf file is well documented, it does not cover complex topics such as LDAP, Active Directory and the various domain controller implementations.
The entire configuration of the Samba server always resides in the /etc/samba/smb.conf file. To configure Samba as a PDC, you need the settings from Listing 1, and in addition to these parameters you will probably want to add the first shares. An important parameter is the NetBIOS name of the Windows domain, defined here by workgroup = ADMINDOM.
If the samba-doc package is installed in addition to SWAT, help is available for each parameter. SWAT includes its own web server but cannot be started on its own: it relies on xinetd, which in turn means a suitable configuration file must be stored in the /etc/xinetd.d directory (Listing 3). Note that SWAT was removed from Samba in version 4.1, so this applies only to Samba 3.x and 4.0 installations.
I've installed Ubuntu Server 10.04 + OpenLDAP + Samba PDC + Gosa (for management). It works fine with Windows clients, but Macintosh machines don't want to bind for some reason:
1. Binding to OpenLDAP. It requires some Apple schemas. When I try to add converted schemas from Mac OS (/etc/openldap/schema/apple.schema) it says I don't have the necessary objectClasses. As I understood it, it needs the Apple Samba schema, but I have already installed my own schemas.
2. Binding to the Samba PDC as AD. It requires Kerberos. In this case I don't know what I should do. How should I install it: as a backend for Samba, where should I hold the principal base, etc.?