[Samba] Ubuntu 14.04 as an Active Directory Domain Controller

Peter Serbe peter at serbe.ch
Thu Oct 30 00:36:46 MDT 2014


> First, give your system a static IP address. 

good idea. I think a server never should rely on DHCP anyway. 

> I recommend removing the avahi-daemon package.  Not terribly sure it 
> conflicts with Samba, but at the very least it sounds like a security 
> nightmare.  

I had troubles with it when I named my DNS zone SAMDOM.local. Later I 
was pointed to the fact that the *.local domain has a special meaning 
when resolving printers and other commodity units. Switching over to 
a different top-level entity (even *.lokal would be OK) resolved the issue.

> Disable dnsmasq by removing or commenting out this line in 
> /etc/NetworkManager/NetworkManager.conf.  This program conflicts with 
> the internal Samba DNS server/proxy.

Get rid of NetworkManager. All it can do for you on the server is 
make trouble.

> The order of removing dnsmasq and installing/changing everything else is 
> a bit tricky.  Try to make sure you have all of the packages downloaded 
> you need before disabling dnsmasq but before enabling Samba.  The system 
> will be without DNS resolution between these two events.

Point resolv.conf to some other DNS while installing Samba. Later Samba 
will be the DNS master. I like BIND9_DLZ as I have enough experience with 
bind. It is easy to get secondary DNS servers using bind. Just one tip 
here - on my file server, which is also the secondary DNS server, I have 
this zone statement:

# forward lookup
zone "internal.serbe.ch" {
        type slave;
        masters { 192.168.1.1;};
        file "/etc/bind/namedb/bak.internal.serbe.ch";
        forwarders{};
};

The important line is: forwarders{} - this ensures that my internal 
network DNS is shielded from the default external one, which 
runs on the machine of my internet provider. 

> I think those are the most important details that have been left out of 
> the HOWTO.

The quality of the wiki documentation has been massively improved by the 
documentation team over the course of the last six months. 

> Also, to me, the daemon/init process is a bit funky and convoluted in 
> Ubuntu.  It took me a bit of tinkering to make sure that everything came 
> up correctly on a reboot.

As a novice Linux user I had my own bag of troubles with this, too. 
I now have two scripts for starting Samba as DC and as member server 
on Debian (Jessie). I could publish these, but I fear they are better 
suited as bad examples... Anyway, it might be 

> I welcome further refinements.  These are just some of my notes :).

You're welcome! ;-) 
Oh, and a big thank You to the documentation team. You have really 
done a great job! I decided to go off Microsoft two years ago, and 
by then the Samba docu was much more cryptic and incomplete than it 
is now. 

Best regards
Peter


PS: there is one additional tip from my side. In fact I have learned this 
the hard way... Whenever SSSD is behaving erratically and crazily: be sure to 
have a good keytab file. If in doubt, export a fresh one. And be sure 
to completely erase the cache. In fact, to make it work on my Raspi 
I had to remove and recreate the /var/lib/sss/db directory - and the 
troubles went away. I have no clue what happened... 
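The empty forwarders{} statement in the zone above is what keeps lookups for the internal zone from being passed on to the provider's DNS. As an added example, not part of the original post, here is a small shell check that flags slave zones in a named.conf fragment that lack it; the sample configuration and the zone example.lan are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: check a BIND named.conf
# fragment for slave zones that lack the explicit empty "forwarders {};"
# from the post, which keeps internal-zone queries from leaking to the
# global forwarders. The zone names and file paths below are constructed.

# Constructed sample: the post's shielded zone plus one missing the statement.
SAMPLE_CONF='# forward lookup
zone "internal.serbe.ch" {
        type slave;
        masters { 192.168.1.1;};
        file "/etc/bind/namedb/bak.internal.serbe.ch";
        forwarders{};
};
zone "example.lan" {
        type slave;
        masters { 192.168.1.1;};
        file "/etc/bind/namedb/bak.example.lan";
};'

# Print the name of every zone in "$1" that has no empty forwarders {} ;
# exit status 0 when all zones are shielded, 1 when at least one is not.
check_zone_forwarders() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ {
            match($0, /"[^"]+"/)
            name = substr($0, RSTART + 1, RLENGTH - 2)
            shielded = 0
            in_zone = 1
        }
        in_zone && /forwarders[[:space:]]*[{][[:space:]]*[}][[:space:]]*;/ {
            shielded = 1
        }
        in_zone && /^[[:space:]]*[}];/ {
            if (!shielded) { print name; bad = 1 }
            in_zone = 0
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Stand-alone run: write the sample to a temp file and report unshielded zones.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
check_zone_forwarders "$tmp" || echo "zone(s) listed above are not shielded"
rm -f "$tmp"
```

Run it against the real zone definitions with `check_zone_forwarders /etc/bind/named.conf.local` (path assumed); a zone printed means its queries can still fall through to the global forwarders.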


