[Samba] debian wheezy, sernet samba 4.1.3 join Windows 2008R2 AD as DC. Success ( basic Howto included )
L.P.H. van Belle
belle at bazuin.nl
Mon Dec 23 00:48:19 MST 2013
Hai,
After several setups and tests I completed a successful install of sernet samba 4.1.3, which joined a Windows 2008R2 AD domain.
You can also use this on Ubuntu 12.04.
This is the "HowTo" of how I did my setup.
Questions or improvements, please add them and share them.
# ( date 23-12-2013 )
# Sernet samba 4.1.3 on debian Wheezy
# Windows 2008R2 AD DC, with DHCP and DNS.
# SETUP : Samba 4 AD DC with bind9 DLZOPEN , joined as DC.
#
# info found on these site links:
#
# https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
# http://wiki.samba.org/index.php/Dns-backend_bind
# https://wiki.samba.org/index.php/Configure_NTP
# https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
#
# and lots of info for the mailing list users, thank you guys and girls.
#
#
# PRE SETUP !
# I'm adding the Linux hostname and IP address to the Windows DNS server before installing Debian.
#
# Install a minimal debian wheezy with only ssh-server installed from the installer menu.
# Use hostname AND domain name, and keep them the same as in the Windows server DNS.
#
# remove the cdrom line from /etc/apt/sources.list ( or put # in front of it ) if needed.
apt-get update
apt-get install apt-transport-https mc zip bzip2 arj
update-alternatives --config editor
# ( I'm choosing mcedit as default; use whatever you prefer. )
#
# setup apt : create file :
mcedit /etc/apt/sources.list.d/sernet-samba-4.1.list
#
# add the sernet lines to it; you need to register at sernet for this, it's free.
# go to http://www.enterprisesamba.com/samba/
#
# install the sernet keys for authenticity:
wget http://ftp.sernet.de/pub/sernet-samba-keyring_1.4_all.deb
dpkg -i sernet-samba-keyring_1.4_all.deb
rm sernet-samba-keyring_1.4_all.deb
#
apt-get update
apt-get upgrade
# if ok, nothing to do; if not, update before proceeding.
#
#
# check the hostname and domainname of the server.
hostname -f
# ( gives hostname.mainoffice.domain.tld )
hostname -s
# ( gives hostname )
hostname -d
# ( gives mainoffice.domain.tld )
#
# check : /etc/hosts file.
cat /etc/hosts
# you should not have 127.0.1.1 servername.domain.tld
# change the 127.0.1.1 to the correct IP ( as it exists in DNS )
# check : /etc/resolv.conf
cat /etc/resolv.conf
# this is minimal
# domain subdomain.domain.tld
# search subdomain.domain.tld
# nameserver IP_OF_AD_SERVER ( or another server which can resolve the Windows DNS and AD )
# ( you can have 3 nameserver IPs! )
# also I'm using domain and search, because I have multiple domains in my DNS server.
# with search and domain I always have the main domain to search in first.
#
reboot
# ( just to be sure. )
#
# Set up samba as DC in the Windows domain.
apt-get install sernet-samba-ad bind9 acl attr quota fam libnet-ldap-perl krb5-user ntp
#
# After install, rights to watch out for.
ls -al /var/lib/samba/
# drwxr-x--- 2 root root 4096 Dec 7 20:46 private
# i.m.o. this should be drwxr-xr-x ( 755 )
# now bind cannot access the private folder and we need to access it.
# ( we will do this AFTER the join, because the join will reset rights also )
ls -al /var/lib/samba/private
# ( at this point empty )
#
# stop some services before we change them.
/etc/init.d/bind9 stop
/etc/init.d/ntp stop
#
# so at this point almost nothing is running, only ssh-server ( syslog fam )
#
#
# ---- SETUP Time: service NTP
# http://wiki.samba.org/index.php/Configure_NTP
# set up the time server for the samba server.
# edit /etc/ntp.conf
mcedit /etc/ntp.conf
# add at least:
server IP_OF_AD_server
# If you're using a Windows server as time source, do not add external or other time servers in the config.
# 1 server has the external source; all others connect to the internal server ( the Windows AD server )
#
# and I added
server my_time_ad_windows_server_IP_adres
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
# start ntp
/etc/init.d/ntp start
#
# time will sync; if you have more than 5 min difference, set the time manually the first time.
# reboot the server if you did set the time manually.
# on my server the bios time is set to UTC.
# on the os the time is set to UTC +1 hours ( for me, depends on your time zone )
# ( set time: date -s "2 OCT 2006 18:00:00" )
# ( set clock to hardware bios: hwclock --systohc --utc )
#
# reboot and check again if you changed your time!
#
#
# ---- SETUP bind9: service DNS
# http://wiki.samba.org/index.php/Dns-backend_bind
# change in /etc/bind/named.conf.options
mcedit /etc/bind/named.conf.options
# change auth-nxdomain yes
# add allow-transfer { none; };
# notify no;
# empty-zones-enable no;
#
# allow-query {
# 127.0.0.1/32;
# 192.168.1.0/24; <=change to your ip range
# };
#
# allow-recursion {
# 127.0.0.1/32;
# 192.168.1.0/24; <=change to your ip range
# };
#
# // DNS dynamic updates via Kerberos (optional, but recommended)
# // added before we need it, therefore the // in the next line.
# // tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
#
# ##
#
# change /etc/bind/named.conf.local
mcedit /etc/bind/named.conf.local
# So now just add in named.conf.local these lines: ( keep the // , we remove it later )
# // adding the dlopen ( Bind DLZ ) module for samba
# //include "/var/lib/samba/private/named.conf";
#
# ok, the bind setup is ready, test it.
# start bind :
/etc/init.d/bind9 start
#
# test bind :
host 127.0.0.1 127.0.0.1
host localhost. 127.0.0.1
#
# ----- SETUP / CHECK krb5.conf
# the Debian default works out of the box, IF you set the domain name correctly at install of the server.
# test kerberos:
kinit administrator
klist
#
# -------------------------------------------------------
#
# ---- SETUP SAMBA: service ad / smb /nmbd
# enable ad in /etc/default/sernet-samba for the AD server.
mcedit /etc/default/sernet-samba
# change this to : SAMBA_START_MODE="ad"
# change : SAMBA_RESTART_ON_UPDATE="yes"
#
# Do not start samba yet.
#
#
# Join the domain.
samba-tool domain join SUBDOMAIN.DOMAIN.TLD DC -Uadministrator --realm=SUBDOMAIN.DOMAIN.TLD --dns-backend=BIND9_DLZ
# and at the end you see:
# Joined domain ROTTERDAM (SID S-1-5-21-3130855540-2228390408-1497266713) as a DC
#
# Now we recheck the rights of folders and files in /var/lib/samba/private/
#
ls -al /var/lib/samba
# ( about the same as before joining )
# The important folder :
ls -al /var/lib/samba/private/
# drwxrwx--- 3 root bind 4096 Dec 20 11:36 dns
# -rw------- 1 root root 947 Dec 20 11:36 dns.keytab
# -rw-r--r-- 1 root root 2270 Dec 20 11:36 dns_update_list
# -rw------- 1 root root 1286144 Dec 20 11:36 hklm.ldb
# -rw------- 1 root root 1286144 Dec 20 11:36 idmap.ldb
# -rw-r--r-- 1 root root 100 Dec 20 11:36 krb5.conf
# -rw-r--r-- 1 root root 575 Dec 20 11:36 named.conf
# -rw-r--r-- 1 root root 2204 Dec 20 11:36 named.txt
# -rw------- 1 root root 1286144 Dec 20 11:36 privilege.ldb
# -rw------- 1 root root 4251648 Dec 20 11:36 sam.ldb
# drwxr-x--- 2 root bind 4096 Dec 20 11:36 sam.ldb.d
# -rw------- 1 root root 1367 Dec 20 11:36 secrets.keytab
# -rw------- 1 root root 1286144 Dec 20 11:36 secrets.ldb
# -rw------- 1 root root 430080 Dec 20 11:36 secrets.tdb
# -rw------- 1 root root 1286144 Dec 20 11:36 share.ldb
# -rw-r--r-- 1 root root 955 Dec 20 11:36 spn_update_list
# drwx------ 2 root root 4096 Dec 20 11:36 tls
#
#
# The files generated are in /var/lib/samba/private/
# I changed the rights on the private folder so it's accessible for bind.
# chmod 755 /var/lib/samba/private
#
# read /var/lib/samba/private/named.txt; for Debian/Ubuntu we change the group from named to bind
chgrp bind /var/lib/samba/private/dns.keytab
chmod g+r /var/lib/samba/private/dns.keytab
#
# compare the sam database folders
# root at mysamba4servername:/var/lib/samba/private# ls -al dns/sam.ldb.d/
# total 27932
# drwxrwx--- 2 root bind 4096 Dec 20 11:36 .
# drwxrwx--- 3 root bind 4096 Dec 20 11:36 ..
# -rw-rw---- 1 root bind 8183808 Dec 20 11:36 CN=CONFIGURATION,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 1 root bind 8986624 Dec 20 11:36 CN=SCHEMA,CN=CONFIGURATION,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind 5398528 Dec 20 11:36 DC=DOMAINDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind 4317184 Dec 20 11:36 DC=FORESTDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 1 root bind 1286144 Dec 20 11:36 DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind 421888 Dec 20 11:36 metadata.tdb
#
# root at mysamba4servername:/var/lib/samba/private# ls -al sam.ldb.d/
# total 34724
# drwxr-x--- 2 root bind 4096 Dec 20 11:36 .
# drwxr-x--- 5 root root 4096 Dec 20 11:36 ..
# -rw------- 1 root root 10547200 Dec 20 11:36 CN=CONFIGURATION,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw------- 1 root root 10547200 Dec 20 11:36 CN=SCHEMA,CN=CONFIGURATION,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind 5398528 Dec 20 11:36 DC=DOMAINDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind 4317184 Dec 20 11:36 DC=FORESTDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw------- 1 root root 4317184 Dec 20 11:36 DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind 421888 Dec 20 11:36 metadata.tdb
#
# 3 should be the same, these are hardlinked. ( info see wiki.samba.org )
# -rw-rw---- 2 root bind 421888 Dec 20 11:36 metadata.tdb
# -rw-rw---- 2 root bind 5398528 Dec 20 11:36 DC=DOMAINDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
# -rw-rw---- 2 root bind 4317184 Dec 20 11:36 DC=FORESTDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
#
#
#
# stop bind:
/etc/init.d/bind9 stop
# enable the keytab line : tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
# remove the // in front.
# enable the include "/var/lib/samba/private/named.conf";
#
#
# start bind:
/etc/init.d/bind9 start
# check logs :
grep named /var/log/daemon.log
# look for ( something like ):
# Dec 20 12:56:36 mysamba4servername named[12362]: Loading 'AD DNS Zone' using driver dlopen
# Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: started for DN DC=SUBDOMAIN,DC=DOMAIN,DC=TLD
# Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: starting configure
# Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: configured writeable zone '249.168.192.in-addr.arpa'
# Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: configured writeable zone 'SUBDOMAIN.DOMAIN.TLD'
# Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: configured writeable zone '_msdcs.SUBDOMAIN.DOMAIN.TLD'
# and
# Dec 20 12:56:36 mysamba4servername named[12362]: running
#
# start samba
/etc/init.d/sernet-samba-ad start
# check logs.
cat /var/log/daemon.log
# Dec 20 12:58:34 mysamba4servername smbd[12520]: [2013/12/20 12:58:34.159605, 0] ../source3/printing/print_cups.c:151(cups_connect)
# Dec 20 12:58:34 mysamba4servername smbd[12520]: Unable to connect to CUPS server localhost:631 - Connection refused
# Dec 20 12:58:34 mysamba4servername smbd[12519]: [2013/12/20 12:58:34.160474, 0] ../source3/printing/print_cups.c:528(cups_async_callback)
# Dec 20 12:58:34 mysamba4servername smbd[12519]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
#
# to disable these printing messages.
# add in smb.conf ( global )
# ---- disable printing completely
# load printers = no
# printing = bsd
# printcap name = /dev/null
# disable spoolss = yes
#
# I prefer a separate server which is only a print server.
#
# samba created the ntp_signd folder in /var/lib/samba
# now correct the rights so ntp can access it.
#
chgrp ntp /var/lib/samba/ntp_signd
#
/etc/init.d/sernet-samba-ad restart
#
# test
samba-tool drs showrepl
# ( will resolve the windows server )
samba-tool drs showrepl mysamba4servername
# ( will resolve over the samba server )
#
# you can ignore:
# Warning: No NC replicated for Connection!
# ( see faq, below on wiki https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC )
#
# This done, you now have a basic samba4 setup running without errors.
# this server will be DC only; I'm only going to use the netlogon ( and sysvol ) for this setup.
# users will log in on the server, only connecting to sysvol/netlogon
# so no need for getent wbinfo ( etc etc )
#
# for your info : getent passwd gives only my linux users back.
# : wbinfo -u ( -g ) gives only my windows AD users.
# for users, configure your nsswitch.conf in /etc/, but you'd better do this on the "file/member" server.
#
#
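As an added example (not code from the original post, nor from Samba or SerNet), here is a small script that automates the post-join checks the howto does by hand with ls and by reading daemon.log: the private folder being 755, dns.keytab being readable by the bind group, the three files that must be hardlinked between sam.ldb.d/ and dns/sam.ldb.d/, and named reporting its samba_dlz zones and "running". It assumes GNU stat (as on Debian); the script name dc_checks.sh, the host name dc1 and the fixture tree it builds when run without arguments are constructed for the demo and are not from the original setup.

```sh
#!/bin/sh
# Post-join sanity checks for a Samba AD DC using the BIND9_DLZ DNS backend.
# Added example, not code from the original post or from the Samba project.
# Re-checks what the howto inspects by hand after "samba-tool domain join":
# private dir mode 755, dns.keytab readable by the bind group, the DNS
# partitions and metadata.tdb hardlinked between sam.ldb.d/ and dns/sam.ldb.d/,
# and named having logged its samba_dlz zones and reached "running".
# Assumes GNU stat (Debian). The bind group is a parameter ("bind" on
# Debian/Ubuntu, "named" elsewhere); a numeric gid is accepted as well.

check_mode() {  # check_mode PATH OCTAL -> 0 if PATH has exactly that mode
    actual=$(stat -c '%a' "$1") || return 1
    if [ "$actual" != "$2" ]; then
        echo "FAIL: $1 mode is $actual, expected $2" >&2
        return 1
    fi
    echo "ok: $1 mode $actual"
}

check_group_readable() {  # check_group_readable PATH GROUP_NAME_OR_GID
    perms=$(stat -c '%A' "$1") || return 1
    case $perms in
        ????r*) ;;  # the fifth character of e.g. -rw-r----- is the group read bit
        *) echo "FAIL: $1 is not group-readable ($perms)" >&2; return 1 ;;
    esac
    if [ "$(stat -c '%G' "$1")" != "$2" ] && [ "$(stat -c '%g' "$1")" != "$2" ]; then
        echo "FAIL: $1 group is $(stat -c '%G' "$1"), expected $2" >&2
        return 1
    fi
    echo "ok: $1 readable by group $2"
}

check_hardlinked() {  # check_hardlinked FILE1 FILE2 -> 0 if both exist and share an inode
    if [ ! -e "$1" ] || [ ! -e "$2" ]; then
        echo "FAIL: missing $1 or $2" >&2
        return 1
    fi
    if [ "$(stat -c '%i' "$1")" != "$(stat -c '%i' "$2")" ]; then
        echo "FAIL: $1 and $2 are separate copies, expected a hardlink" >&2
        return 1
    fi
    echo "ok: $1 and $2 share an inode"
}

check_named_log() {  # check_named_log LOGFILE -> prints the zone count; 1 if named never ran
    zones=$(grep -c 'samba_dlz: configured writeable zone' "$1" || true)
    if ! grep -q 'named\[[0-9]*\]: running' "$1"; then
        echo "FAIL: named did not report 'running' in $1" >&2
        return 1
    fi
    echo "$zones"
}

run_checks() {  # run_checks PRIVATE_DIR BIND_GROUP LOGFILE -> 0 only if every check passes
    priv=$1 bind_group=$2 log=$3 rc=0
    check_mode "$priv" 755 || rc=1
    check_group_readable "$priv/dns.keytab" "$bind_group" || rc=1
    for f in "$priv"/sam.ldb.d/DC=DOMAINDNSZONES,*.ldb \
             "$priv"/sam.ldb.d/DC=FORESTDNSZONES,*.ldb \
             "$priv"/sam.ldb.d/metadata.tdb; do
        check_hardlinked "$f" "$priv/dns/sam.ldb.d/$(basename "$f")" || rc=1
    done
    if zones=$(check_named_log "$log"); then
        echo "ok: named configured $zones writeable zone(s)"
    else
        rc=1
    fi
    return $rc
}

make_demo_fixture() {  # make_demo_fixture DIR: constructed stand-in for the real tree and log
    d=$1/private
    mkdir -p "$d/sam.ldb.d" "$d/dns/sam.ldb.d" && chmod 755 "$d"
    : > "$d/dns.keytab" && chmod 640 "$d/dns.keytab"
    for f in DC=DOMAINDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb \
             DC=FORESTDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb metadata.tdb; do
        : > "$d/sam.ldb.d/$f" && ln "$d/sam.ldb.d/$f" "$d/dns/sam.ldb.d/$f"
    done
    cat > "$1/daemon.log" <<'EOF'
Dec 20 12:56:36 dc1 named[12362]: Loading 'AD DNS Zone' using driver dlopen
Dec 20 12:56:36 dc1 named[12362]: samba_dlz: configured writeable zone '1.168.192.in-addr.arpa'
Dec 20 12:56:36 dc1 named[12362]: samba_dlz: configured writeable zone 'SUBDOMAIN.DOMAIN.TLD'
Dec 20 12:56:36 dc1 named[12362]: samba_dlz: configured writeable zone '_msdcs.SUBDOMAIN.DOMAIN.TLD'
Dec 20 12:56:36 dc1 named[12362]: running
EOF
}

# Real use:  sh dc_checks.sh /var/lib/samba/private bind /var/log/daemon.log
# With no arguments the checks run against the constructed fixture instead.
main() {
    if [ $# -eq 3 ]; then
        run_checks "$1" "$2" "$3"
    else
        tmp=$(mktemp -d) || return 1
        make_demo_fixture "$tmp"
        run_checks "$tmp/private" "$(id -g)" "$tmp/daemon.log"
        rc=$?
        rm -rf "$tmp"
        return $rc
    fi
}
main "$@"
```

Run it as root on the DC with the three arguments after the join and after the chgrp/chmod steps above; a non-zero exit with a FAIL line tells you which of the rights or hardlinks the join reset, before you enable the dlopen include in bind.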