Samba 4 as Active Directory Server

Posted in Linux at 2:18 pm by alfi

Samba 4.0.0alpha6 was released on 2009/01/19 and while the final release is (probably) still a long way off, I thought it was time to find out how to set up Samba as an ADS.

My test system (or rather my test VM) was a clean Debian etch (4.0r6) AMD64 installation, which I dist-upgrade’d to lenny before beginning my quest.

1. Building Samba 4

There are Samba 4 packages in experimental, but I went for building my own fresh packages instead:

To be able to build Samba 4, some additional packages are required:

apt-get install build-essential svn-buildpackage git-core quilt autoconf fakeroot debhelper libparse-yapp-perl docbook-xsl docbook-xml xsltproc po-debconf libgnutls-dev libreadline5-dev libpam0g-dev libblkid-dev libattr1-dev flex bison tdb-dev libtalloc-dev libtalloc1 python2.5-dev libpopt-dev

Time to build the packages (as described here):

svn co svn://svn.debian.org/pkg-samba/trunk/samba4 samba4/debian
cd samba4/debian
./debian/rules get-orig-source
mkdir ../tarballs && mv *.orig.tar.gz ../tarballs
svn-buildpackage -rfakeroot

2. Installing Samba 4

Assuming the packages were built successfully (I had this fail when I tried it on a different machine a day after my first installation — but what do you expect building from GIT), we can now proceed to installing them… right after we fix all the dependencies:

apt-get install libglib2.0-0 libglib2.0-data pkg-config python-tdb

cd ../build-area
dpkg -i *.deb

For me this went without a hitch, and without any configuration dialog asking for workgroup/domain as one has come to expect from installing Debian Samba packages.

So it came as not much of a surprise that the generated /etc/samba/smb.conf was pretty much useless. I just deleted it (provision will then create a new one).
The Samba 4 init script (at /etc/init.d/samba4) was equally useless. It still checked for the existence of smbd and tried to start it (the executable has been renamed to samba). This is easily fixed by just replacing all occurrences of smbd with samba.

3. Configuring Samba 4 as ADS

First make sure that the server’s entry in /etc/hosts points to a real IP address (and not just the address the installer sets), or the DNS zone files generated by the provision script will be pretty useless.

If you want provision to create a smb.conf for you (which you probably do at this point), make sure that it doesn’t already exist.

/usr/share/samba/setup/provision --realm=SAMBA4.MYDOMAIN.ORG --domain=SAMBA4DOM --adminpass=samba4 --server-role='domain controller'

Now you can fire up Samba with

/etc/init.d/samba4 restart

and you’re almost done.

What’s left is setting up DNS by installing bind9 (if necessary) and integrating the files generated by the provision script:

apt-get install bind9
cp /var/lib/samba/private/samba4.mydomain.org.zone /etc/bind/
cat /var/lib/samba/private/named.conf >> /etc/bind/named.conf.local

Now edit /etc/bind/named.conf.local and fix the path to the zone file (from /var/lib/samba/private to /etc) and restart BIND:

/etc/init.d/bind9 restart

Check /etc/resolv.conf and make sure that the local DNS server is the first one listed there. If the machine gets its IP/DNS via DHCP (as mine does) then edit /etc/dhcp3/dhclient.conf (if you’re using dhcp3-client) and make sure there is a line like

prepend domain-name-servers 127.0.0.1;

in there (it’s present but commented out by default) or you will just lose the change on the next renewal of the lease.

There is more stuff you can do (read /var/lib/samba/private/named.txt and/or the Samba 4 HOWTO), but this is enough to get things running.

At this point you can join machines to the new domain (don’t forget to add the new server as the first DNS server on the client or joining the domain might fail).
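The three things that most often break the DNS step (the /etc/hosts entry, the zone-file path in named.conf.local and the nameserver order in resolv.conf) can be checked before you try to join a client. The script below is an added example, not part of the original post; it assumes the zone file was copied to /etc/bind/ as in the cp command above and takes the files to check as arguments so it can be run against copies.

```shell
#!/bin/sh
# Pre-join sanity checks for a Samba 4 DC's DNS setup (added example, not from the post).

# Return 0 if HOST appears in HOSTSFILE with an address that is not a loopback one.
hosts_entry_is_real() {
    hostsfile=$1; host=$2
    addr=$(awk -v h="$host" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$hostsfile")
    [ -n "$addr" ] || return 1           # host not listed at all
    case "$addr" in
        127.*|::1) return 1 ;;           # installer-style loopback entry: zone files would be useless
    esac
    return 0
}

# Return 0 if the first "nameserver" line in RESOLVFILE is WANT (the DC's own resolver).
first_nameserver_is() {
    resolvfile=$1; want=$2
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$resolvfile")
    [ "$first" = "$want" ]
}

# Return 0 if DHCLIENTCONF has an active (uncommented) prepend line for WANT.
dhclient_prepends() {
    grep -Eq '^[[:space:]]*prepend[[:space:]]+domain-name-servers[[:space:]]+'"$2"'[[:space:]]*;' "$1"
}

# Print NAMEDCONF with the zone-file path rewritten from the provision directory
# to /etc/bind/ (assumed destination, matching the cp above); redirect to apply.
fix_zone_path() {
    sed 's#/var/lib/samba/private/#/etc/bind/#g' "$1"
}

# Usage on a live system (assumed paths): exit non-zero on the first failed check.
run_checks() {
    hosts_entry_is_real /etc/hosts "$(hostname -f)" || { echo "hosts: loopback or missing entry"; return 1; }
    first_nameserver_is /etc/resolv.conf 127.0.0.1  || { echo "resolv.conf: local DNS not first"; return 1; }
    dhclient_prepends /etc/dhcp3/dhclient.conf 127.0.0.1 || { echo "dhclient.conf: prepend line missing"; return 1; }
    echo "DNS prerequisites look fine"
}
```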

4. Administrating the Samba 4 ADS

Having set up a Samba 4 ADS is nice and all, but it’s pretty much useless without adding users and such. This is where it gets a bit tricky, because one of the things that Samba 4 is still lacking is administrative tools/frontends.

First of all, you need UNIX users (same as you did when running Samba 3 as PDC) for all the users you want to create in the AD.
New AD users can then be added with the newuser script:

/usr/share/samba/setup/newuser --unixname my_unix_user my_samba_user my_pass

The --unixname option can be omitted if the AD username is identical to the UNIX username, and if you don’t specify the password the script will ask for it.

From here on out it’s a lot easier to just install the Windows 2003 Administration Pack on a Windows XP Pro box (or VM) and do the administrative stuff from there. For more information see the Samba 4 HOWTO.

You can log on to the domain with users created this way. You can add those users to groups (using dsa.msc from the Admin Pack). You can set file/directory permissions with those users/groups.

This is where my little experiment ended. I’ll probably try something like this again in another alpha or two and I really hope they add some way to properly administer this thing by then (if that doesn’t happen I will have to figure out how to change things using ldbedit).
