[Samba] samba 4, joining a windows 2008R2 domain as DC. ubuntu 12.04 with sernet packages ( small howto ) W.I.P.

L.P.H. van Belle belle at bazuin.nl
Thu Oct 24 03:56:19 MDT 2013

This is a quick and dirty setup, it can be used as a guideline for a "debian/ubuntu" based install 
with use of the sernet samba packages. Since this was a bit hard to figure out, I'm sharing this. 
Please correct the wrongs in this setup if you find some, to make it a better and easier to read setup.
( and please correct my typos ;-) )

This server will join a windows 2008 R2 AD Domain ( which is running in 2003 compatibility mode ). 
My windows server is and keeps running the DHCP and DNS !!!!  
This setup is for a samba4 server which is joining as an extra Domain Controller ! 
And I'm using samba4 with bind9 in this example.

Yes, this below can be very much improved, please do so, add things, and share it again please,
this way we make everyone happy. 
My goal is to have some good and simple guidelines to install samba4 without compiling anything,
since I don't want any compiling software on production servers. 
Why like this, and not a fully samba4 domain? 
In my case, due to a windows VoIP solution, I must use 2 windows servers, too bad, but so be it. 
I'm still working on and testing my setup, I will transfer the FSMO roles and set up replication of netlogon and sysvol also, 
but that's not ( yet ) in this setup.
Ok, let's start...  
------- the howto ------- 
I installed Ubuntu 12.04 as a minimal server, with ssh server, in expert mode. This is just the server install, you know this (I hope).

First go here : 
and register and login, to get the samba4 info and packages access. 
Instructions are on the website. 
Some instructions on the wiki were a bit unclear when you use the sernet packages for samba 4, 
this is how I did it, I followed the wiki as much as I could. 
Follow the wiki, I started to read http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC , 
I snipped parts from it.

- Getting ready for joining Samba as a DC to an existing domain 
  You need to install Samba as a DC, as described in the Samba AD DC HowTo, 
   but don't do the provision/classicupgrade step.
so now ...  
- go here: http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO  
 - Installing Samba ( the sernet packages):  apt-get install sernet-samba-ad bind9 acl attr quota fam libnet-ldap-perl 
! if you're only using 1 server and that's samba4, then remember this is about joining a windows 2008R2 AD domain.
That's on my next todo for my home server. 
Then there is a bug in the sernet package, and because of that the join of the domain fails, 
fix found here: https://attachments.samba.org/attachment.cgi?id=9210
nano /usr/share/pyshared/samba/join.py  and change the lines as stated in the patch, or use the patch program.
I just changed the lines, since it was just a few.   (remove the - lines and add the + lines) 
( my version was : dpkg -l | grep sernet-samba-ad  =>  sernet-samba-ad  99:4.0.10-6 )
Enable AD in /etc/default/sernet-samba for the AD server.
change this to : SAMBA_START_MODE="ad" 
Do not start samba yet. 
test samba:  samba -V  to see if it's installed.
and you get something like : Version 4.0.10-SerNet-Ubuntu-6.precise 
now we go to : Configure DNS  ( read the other stuff but don't change things on the server ( yet ) ).
configure bind, part 1. BIND as DNS backend.
go read this : http://wiki.samba.org/index.php/Dns-backend_bind 
- Installing Bind 
Bind as backend for your Samba Active Directory Domain Controller is currently supported in version 9.8 and 9.9 only! 
bind9 from Ubuntu 12.04.3 LTS works out of the box. ( apt-get install bind9 ) 
in the /etc/bind8/named.conf.options, change the following, you can take the settings of the website (wiki)
keep    directory "/var/cache/bind";
change: auth-nxdomain yes;
   allow-query {;
 ( and your network range) 
    allow-recursion {;
 ( and your network range) 

The root server part and localhost is already in the ubuntu config, don't add it. 

It's always good to allow your server to resolve over localhost, at least give it access.
It's not on the wiki, but when you test it with this, host, it will fail, because
localhost isn't allowed to have access. 

restart bind. ( service bind9 restart ) 
test it, type : 
host localhost.
Should work, since this is default in the ubuntu config. 
- go to Configuring Bind as Samba Active Directory backend 
.... but wait, ...  from the wiki ... 
!!! During provisioning/upgrading, a file ('/usr/local/samba/private/named.conf') was created, 
!!! that must be included in your Bind named.conf:   
( that file can be found after provisioning in /var/lib/samba/private for debian/ubuntu )
.... but we did not provision yet !! 

So now just add in named.conf.local these lines: ( keep the // , we remove it later ) 
// adding the dlopen ( Bind DLZ ) module for samba
//include "/var/lib/samba/private/named.conf";
Optional but recommended, I just added it.  ( add to /etc/bind8/named.conf.options ) 
// DNS dynamic updates via Kerberos (optional, but recommended)
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
( do not restart bind ) 
now go back to http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
- and start from : Getting ready for joining Samba as a DC to an existing domain 
check if /etc/krb5.conf exists and review it. 
if it does not exist, as in my case, install krb5-user:  apt-get install krb5-user  
( I think this should be a samba dependency but it wasn't ) 
I didn't change anything after install. make sure you check it. !! 
For me everything was ok after install. again, check it! 
testing it. 
type: kinit administrator
type: klist    and if ok, go on with the wiki. 
YES, the real thing...  now we are ready to join the windows AD domain. 
- on the wiki, go to Join the server as DC to the 2008R2 windows Domain. 
type : ( and change the domain thingy to your needs ) 
samba-tool domain join DOMAINNAME.TLD DC -Uadministrator --realm=DOMAINNAME.TLD --dns-backend=BIND9_DLZ
and continue with following the wiki. 
configure bind, part 2, now files are generated  ( check with ls -al /var/lib/samba/private/ ), 
you can add them to bind ( if not done yet ) and set some rights. 
now also in : named.conf.local  enable the line: 
include "/var/lib/samba/private/named.conf";   ( remove // ) 
The files generated are in /var/lib/samba/private/ 
I changed the rights on the private folder so it's accessible. 
chmod 755 /var/lib/samba/private , if you don't do this, bind won't be able to access the files. 
read /var/lib/samba/private/named.txt and for debian/ubuntu we change the group from named to bind
chgrp bind /var/lib/samba/private/dns.keytab
chmod g+r /var/lib/samba/private/dns.keytab
check and change rights if needed ( ls -al /var/lib/samba/private/dns )
chgrp bind /var/lib/samba/private/dns
chmod g+w /var/lib/samba/private/dns
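Added example (not part of the original post): a small check for the rights set above, so you can verify them before restarting bind. The directory and group are parameters (assumptions) so it can be run against a test directory; on Ubuntu the real values are /var/lib/samba/private and bind. It uses GNU stat and also checks that dns.keytab, which holds a Kerberos key, is not world-readable.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba/SerNet.
# usage: check_samba_bind_perms PRIVATE_DIR BIND_GROUP
# returns 0 when every check passes, otherwise prints one FAIL line per problem and returns 1.
# stat -c '%A' prints a symbolic mode like -rw-r----- (GNU coreutils, as on Ubuntu).
check_samba_bind_perms() {
    private="$1"; grp="$2"; rc=0
    keytab="$private/dns.keytab"; dnsdir="$private/dns"; conf="$private/named.conf"

    [ -d "$private" ] || { echo "FAIL: $private does not exist"; return 1; }

    # 1. bind must be able to traverse the private dir (post: chmod 755),
    #    i.e. an 'x' (or 't') in the "other" execute slot, the last character
    case "$(stat -c '%A' "$private")" in
        *[xt]) ;;
        *) echo "FAIL: $private is not traversable by others (bind)"; rc=1 ;;
    esac

    # 2. dns.keytab: group bind and group-readable (chgrp bind; chmod g+r);
    #    it contains a Kerberos key, so it must NOT be world-readable
    if [ -f "$keytab" ]; then
        p=$(stat -c '%A' "$keytab")
        [ "$(stat -c '%G' "$keytab")" = "$grp" ] || { echo "FAIL: $keytab group is not $grp"; rc=1; }
        case "$p" in ????r*) ;; *) echo "FAIL: $keytab is not group-readable"; rc=1 ;; esac
        case "$p" in ???????r*) echo "FAIL: $keytab is world-readable"; rc=1 ;; esac
    else
        echo "FAIL: $keytab missing (was the join run with --dns-backend=BIND9_DLZ?)"; rc=1
    fi

    # 3. dns/ directory: group bind and group-writable (chgrp bind; chmod g+w),
    #    bind writes its DLZ data here
    if [ -d "$dnsdir" ]; then
        [ "$(stat -c '%G' "$dnsdir")" = "$grp" ] || { echo "FAIL: $dnsdir group is not $grp"; rc=1; }
        case "$(stat -c '%A' "$dnsdir")" in ?????w*) ;; *) echo "FAIL: $dnsdir is not group-writable"; rc=1 ;; esac
    else
        echo "FAIL: $dnsdir missing"; rc=1
    fi

    # 4. named.conf must exist before the include line in named.conf.local is enabled
    [ -f "$conf" ] || { echo "FAIL: $conf missing, do not enable the include yet"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $private is ready for bind"
    return "$rc"
}
```

Run it as  check_samba_bind_perms /var/lib/samba/private bind  after the chgrp/chmod steps; a FAIL line tells you which of the steps above was missed.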
restart bind   ( service bind9 restart ) 
check if bind started ok.  ( cat /var/log/syslog ) 
Well, if ok, it's done, your server has joined the windows domain, you can start samba now.
service sernet-samba-ad start
check your logs, and read the wiki for some extra testing. 
and browse to your server and have fun. 
Yes, lots to do from here, but that's your choice, I'm still working on my server, it's not finished.
At the end this server will be a Samba 4 DC, secondary DC, and I'm adding the zarafa mail server to it, and I'm going to try to enable Single Sign On. 
( info here: https://community.zarafa.com/pg/plugins/project/9588/developer/tdeklein/samba4-ad-integration-for-zarafa ) 
( and here: https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4 ) 
My goal is :  
Samba4 DCs, Zarafa mail, Squid proxy, SSO for Squid and Zarafa, Authorisation on other webservers and samba member servers. 
So this is a W.I.P. ( Work In Progress )  ;-) 
Did you find nice things? Add them, share them, mail me or the samba list. 
Thanks to the people who already helped me. 

Best regards, 
