[Samba] 4.2 on Raspberry Pi as AD DC - success !

[Matthias Busch]

after the last few days playing around with 4.1.17 I decided to start 
new and try 4.2

--- Hardware, OS:
Pi B+, Raspbian 2015-02-16

--- Getting packages:

- install packages: build-essential libacl1-dev libattr1-dev 
libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev 
python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils 
libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl libkrb5-dev
- install more packages: acl python-xattr util-linux gnutls-bin 
python-setproctitle
- (did NOT install slapd docbook xsltproc cups *)
- wget samba..., tar -xvzf samba-4.2.0.tar.gz (rc5?)

* my previous tests suggest that those packages may cause problems.
- openldap may bind to 389 before samba is started and cause sambaldap 
to fail.
- cups installs a LOT of stuff (also avahi-daemon) which did cause 
trouble but may have been related to me chosing .local domain. I do not 
plan to use the pi as print server.
- without docbook and xsltproc man pages will not be created during 
make. with them make aborted for me, at least 4.1.17 did

--- pre-setup:
(will cause pi to lose internet - or rather dns)

- static ip, dns-nameservers [pi ip] [googledns], dns-search my-domain.home
- hostname adserver.my-domain.home
- hosts: 127.0.0.1 localhost localhost.my-domain and [pi ip] adserver 
adserver.my-domain.home
- resolv.conf: nameserver [pi ip], domain my-domain.home
- reboot :)

--- building samba:
- configure /--prefix=/usr/local/samba 
//--with-piddir=/usr/local/samba/var/run //--with-syslog //--with-quotas 
//--with-acl-support
- make
- make install
(together >6 hours...)

--- add /usr/local/samba/bin and /usr/local/samba/sbin to $PATH (see 
/etc/profile)

--- samba-tool domain provision --use-rfc230 --interactive
I was able to use default (just press enter) everywhere except for the 
DNS forwarder. type in the dns of your router or a public dns like 
google (8.8.8.8)

--- copy the krb5.conf provided by samba (in /usr/local/samba/private) 
to /etc/krb5.conf

--- run samba
(internet should be back)

--- get init.d script for samba-ad-dc, edit it according to the guide, 
make executeable, run update-rc.d

--- reboot

--- test:
- kinit administrator at MY-DOMAIN.HOME: works, no errors
- samba_dnsupdate --verbose: no errors
- samba_upgradedns: no errors
- host -t ... : no errors
- dns forwarder: ping google.com : good

--- test2:
- added win7 pro to domain: no error, login with admin: ok
- download and install rsat: ok

--- further settings to test soon:
- create a testing share
- SeDiskOperatorPrivilege for administrator
(see 
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs 
)
(unclear if required!)

--- test3 (with rsat)
- added user to domain
- added OU to domain, moved pc in new ou
- added gpo (flash player.msi install) to OU
- connect to adserver with computer management, edit share settings 
(read/write etc)
- gpupdate /force : looks good
- reboot

--- test4
- login with new user: good
- msi installed: good
- test fileshare settings

--- logs:
- get lots of errors about printer list: as expected without cups
- get lots of errors binding to :::[PORT] failing --> still seems to be 
something up with ipv6

--- the end?
further testing and finetuning will definately be required.
I will try to add ntp-server, dhcp (with dynamic dns update), and radius 
server next (not in that order)

--- what I learned which was not clear through all the documentation I 
found when looking around

- stay clear of the "AD member server" guide, stick with "the ad dc howto"
- winbindd and stuff seems not to be neccesary (or is configured 
correctly out of the box) for "just ad dc"
- openldap/slapd is NOT required
- you guys rock. i had much help to get where it actually works... hope 
this summary with "success" helps other people!






/