[Samba] Setup a new samba AD DC

Dario Lesca d.lesca at solinos.it
Tue Apr 25 12:07:05 UTC 2017 

I have setup a new Samba Active Directory DC on Fedora 25 and samba-
4.5.8-1.fc25.x86_64, rebuild from src.rpm with dc option enable.

This system (fedora-addc) is only an AD-DC. In the next days I will
deploy another Centos 7 samba member server with standard samba-4.4.4
rpm (without dc enabled) and join it to Fedora AD-DC for manage data
users.
 
After install bind dns and samba new rebuild rpms, I have follow this
howto and setting up the AD:  
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

I have use this samba tool deploy:

    samba-tool domain provision --realm=solinos.loc --domain=solinos \
     --dns-backend=BIND9_DLZ --use-rfc2307 \
     --server-role=dc --function-level=2008_R2 \
     --use-xattr=yes

This is my current automatic generate smb.conf file:

    # Global parameters
    [global]
    	    netbios name = FEDORA-ADDC
    	    realm = SOLINOS.LOC
    	    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
    drepl, winbindd, ntp_signd, kcc, dnsupdate
    	    workgroup = SOLINOS
    	    server role = active directory domain controller
    	    idmap_ldb:use rfc2307 = yes

    	    template shell = /bin/bash
    	    template homedir = /home/%U

    [netlogon]
    	    path = /var/lib/samba/sysvol/solinos.loc/scripts
    	    read only = No

    [sysvol]
    	    path = /var/lib/samba/sysvol
    	    read only = No

I have also setup ntp like howto.

At this point, in this test environment, all work fine, I can manage
users, groups and dns entry, and join for test some windows client to
it, the new samba users are recognized from Linux:

    [    root at fedora-addc     ~]# id ospite
    uid=3000017(SOLINOS\ospite) gid=100(users)
    gruppi=100(users),3000017(SOLINOS\ospite),3000009(BUILTIN\users)

Now my question is:

There are other thinks I must to do on AD DC?

What parameter is better add to smb.conf?

Why administrator is mapped like root?:
    [    root at fedora-addc     ~]# id
    administrator
    uid=0(root) gid=0(root) gruppi=0(root)

and if I add administrator to "Domain Admins" nothing change 
    # samba-tool group addmembers 'Domain Admins' Administrator
    # samba-tool group listmembers 'Domain Admins'
    Administrator
    # id administrator
    uid=0(root) gid=0(root) gruppi=0(root)

Please, let me know, this is my first samba AD-DC + samba AD-Member
server implementation, and tomorrow I must deploy all into a servers
production.

Many thanks.

-- 
Dario Lesca
(inviato dal mio Linux Fedora 25 Workstation)

More information about the samba mailing list