[Samba] [Solved] Windows 8.1, Windows 10 integration with Samba AD DC

Nadir Latif nadir at bipmedia.com
Mon Dec 15 08:21:57 MST 2014


I was able to configure Samba AD DC on CentOS 6.5. I successfully connected it to Windows 8.1 and 10 servers. I wrote a short howto. See the following:

Installing an Active Directory Domain Controller on a Linux based server running Samba is very simple. Installing and configuring the Samba server and configuring a Windows server to authenticate against the Samba server takes less than 20 minutes. Instructions on configuring Active Directory on Samba are given on the Samba Wiki here. Instructions on connecting a Windows client to a Samba AD DC are given here. Of course if you have specific requirements then you can read the articles on the Samba Wiki or read the Samba mailing archives. To install Samba and configure it as a Domain Controller follow these steps:

Install Samba. I used the Samba package repository provided by SerNet. SerNet provides package repositories for the major Linux distributions. Create an account on https://portal.enterprisesamba.com. Then download and install the package repository and package signing key. Follow the given instructions. Then install the Samba packages. For CentOS enter the following command: yum install -y sernet-samba sernet-samba-ad sernet-samba-client. Enter the following commands to verify correct installation: samba -V and smbclient -V. These commands return the version of the Samba server and Samba client that was installed. It's best to install the latest version.
Provisioning the Samba Active Directory. This configures the Active Directory Domain Controller. It also configures Kerberos on the server. Kerberos is a mechanism for encrypting authentication information. It is used by the Active Directory Domain Controller to provide secure authentication to the domain clients. You can read more about Kerberos here. To start the Samba AD DC provisioning enter the following command: samba-tool domain provision --use-rfc2307 --interactive. You will then be asked about the following: Samba Realm (set this to a subdomain of your main domain, e.g. WIN.EXAMPLE.COM), Domain (set this to the first part of your Samba Realm, e.g. WIN), Server Role (set this to dc since we are trying to set up a domain controller), DNS Backend (set this to SAMBA_INTERNAL), DNS forwarder IP address (set this to NONE or the IP address of your DNS forwarder), Administrator password (set this to the admin password for your domain controller). If all goes well the command will end without errors. You can read more about the provisioning command here.
Start Samba. Set up a startup script for Samba. You can get it from here. Start Samba, e.g. on CentOS enter the command: service samba start.
Test Samba Domain Controller. Enter the command: smbclient -L localhost -U%. It should return some information about your Samba configuration. Enter the command: smbclient //localhost/netlogon -UAdministrator -c 'ls'. This command will connect you to the netlogon share, using the Domain Administrator account created during provisioning. If these commands fail then check the Samba AD DC Troubleshooting guide.
Configure DNS configuration file. Add the IP address of your DNS server. This DNS server must have the correct DNS records created. The following DNS records need to be created for your DNS zone. Your DNS zone is the same as the Realm name you gave during provisioning. Log in to your DNS server and create the following records for your DNS zone.
Create a record with the name _ldap._tcp and type SRV. Use priority 0, weight 100, port 389 and the name of your Samba server.
Create a record with the name _kerberos._udp and type SRV. Use priority 0, weight 100, port 88 and the name of your Samba server.
Create a record with the host name of your Samba server and type A. Use the IP address of your Samba server.
Create a record with the name _ldap._tcp.dc._msdcs and type SRV. Use priority 0, weight 100, port 389 and the name of your Samba server.

Verify DNS configuration. Enter the following commands on your Samba server to verify correct working of the DNS. If you receive any errors, check your system log.
host -t SRV _ldap._tcp.WIN.EXAMPLE.COM.
host -t SRV _kerberos._udp.WIN.EXAMPLE.COM.
host -t A addc.WIN.EXAMPLE.COM.

Kerberos Configuration. Kerberos configuration can be quite complex. Thankfully the provisioning tool takes care of the Kerberos configuration. During provisioning the file /usr/local/samba/private/krb5.conf is generated. The location of this file can vary depending on your system. Copy the file krb5.conf to /etc/krb5.conf. This is the main Kerberos configuration file. You can read more about configuring Kerberos here.
Testing Kerberos. Obtain a Kerberos ticket by using the kinit command. Enter the following: kinit administrator@WIN.EXAMPLE.COM. You will then have to enter the administrator password that you gave during provisioning. To verify that the command worked enter the command: klist. It should return the Kerberos ticket that you just created.
Time Synchronization. Use NTP (Network Time Protocol) on your Samba server and Windows clients. This ensures that the time on the server and clients is synchronized. This is very important for correct working of Kerberos.

Nadir Latif

Sent from Windows Mail
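
The SRV checks from the "Verify DNS configuration" step can be scripted so that a wrong port or a record pointing at a different host is caught before a client is joined. The following is an added example, not part of the original post; the helper names check_srv and verify_dc_dns are hypothetical, the sample output line is constructed, and the realm and host name are the howto's own example values.

```shell
#!/bin/sh
# Added example (not from the original post). REALM and DC_FQDN are the
# howto's example names; check_srv and verify_dc_dns are hypothetical helpers.
REALM="WIN.EXAMPLE.COM"
DC_FQDN="addc.WIN.EXAMPLE.COM"

# Constructed sample of `host -t SRV` output, for offline use.
SAMPLE_OK='_ldap._tcp.WIN.EXAMPLE.COM has SRV record 0 100 389 addc.win.example.com.'

# check_srv OUTPUT PORT TARGET
# Succeeds only if OUTPUT contains at least one SRV answer and every answer
# is "0 100 PORT TARGET" (the values from the howto). Host names are compared
# case-insensitively and without the trailing dot.
check_srv() {
    printf '%s\n' "$1" | awk -v port="$2" -v target="$3" '
        BEGIN { target = tolower(target); sub(/\.$/, "", target) }
        / has SRV record / {
            seen++
            t = tolower($NF); sub(/\.$/, "", t)
            if ($(NF-3) != 0 || $(NF-2) != 100 || $(NF-1) != port || t != target) {
                print "unexpected SRV answer: " $0 > "/dev/stderr"
                bad++
            }
        }
        END { exit !(seen > 0 && bad == 0) }'
}

# verify_dc_dns: query the three SRV names from the howto on the live resolver.
verify_dc_dns() {
    rc=0
    for spec in "_ldap._tcp:389" "_kerberos._udp:88" "_ldap._tcp.dc._msdcs:389"; do
        name="${spec%%:*}.${REALM}."
        port="${spec##*:}"
        out=$(host -t SRV "$name" 2>&1) || true
        if check_srv "$out" "$port" "$DC_FQDN"; then
            echo "OK   $name"
        else
            echo "FAIL $name"
            rc=1
        fi
    done
    return "$rc"
}

# Run the live check only when asked: sh check_dc_dns.sh --live
if [ "${1:-}" = "--live" ]; then verify_dc_dns; fi
```

A lookup that returns no SRV answer at all (for example NXDOMAIN) is reported as a failure, the same as an answer with the wrong port or target.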