[Samba] Setup a new samba AD DC

Rowland Penny rpenny at samba.org
Tue Apr 25 12:26:36 UTC 2017


On Tue, 25 Apr 2017 14:07:05 +0200
Dario Lesca via samba <samba at lists.samba.org> wrote:

> I have set up a new Samba Active Directory DC on Fedora 25 with
> samba-4.5.8-1.fc25.x86_64, rebuilt from the src.rpm with the dc option
> enabled.
> 
> This system (fedora-addc) is only an AD DC. In the next few days I will
> deploy another CentOS 7 Samba member server with the standard samba-4.4.4
> rpm (without dc enabled) and join it to the Fedora AD DC to manage users'
> data.
>  
> After installing bind dns and the newly rebuilt samba rpms, I followed
> this howto and set up the AD:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> 
> I used this samba-tool deploy:
> 
>     samba-tool domain provision --realm=solinos.loc --domain=solinos \
>      --dns-backend=BIND9_DLZ --use-rfc2307 \
>      --server-role=dc --function-level=2008_R2 \
>      --use-xattr=yes
> 
> At this point, in this test environment, everything works fine: I can
> manage users, groups and DNS entries, and have joined some Windows
> clients to it for testing; the new Samba users are recognized by Linux:
> 
>     [root@fedora-addc ~]# id ospite
>     uid=3000017(SOLINOS\ospite) gid=100(users)
>     gruppi=100(users),3000017(SOLINOS\ospite),3000009(BUILTIN\users)
> 

This is ONLY on the Samba AD DC; when you come to set up a Unix domain
member you will need to set it up so that the OS can recognise the AD
users. All the info is in the wiki.

> Now my question is:
> 
> Are there other things I must do on the AD DC?

Only if you are going to use the DC as a fileserver as well.
 
> 
> What parameters would it be better to add to smb.conf?

Do not add anything until you have researched it properly, and only then
if you are 100% sure you need it; you probably don't need to add
anything.

> 
> Why is administrator mapped like root?:
>     [root@fedora-addc ~]# id administrator
>     uid=0(root) gid=0(root) gruppi=0(root)

So that Administrator can do the things that root can do.

> 
> and if I add administrator to "Domain Admins" nothing changes

That was a waste of time, Administrator was already a member of Domain
Admins.

>     # samba-tool group addmembers 'Domain Admins' Administrator
>     # samba-tool group listmembers 'Domain Admins'
>     Administrator
>     # id administrator
>     uid=0(root) gid=0(root) gruppi=0(root)
> 
> Please let me know; this is my first Samba AD DC + Samba AD member
> server implementation, and tomorrow I must deploy it all onto
> production servers.
> 

You seem to be doing okay at the moment, next stop the Unix domain
member ;-)

Rowland
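Rowland's answer above explains why `id administrator` reports uid 0 on the DC: the domain Administrator's SID is mapped to Unix ID 0 in the DC's own idmap.ldb, so Administrator can do what root can do. The script below is an added example, not part of this thread and not Samba's own code. It audits that mapping: it parses an LDIF dump of idmap.ldb and reports every SID mapped to ID 0, failing if anything other than the domain Administrator (RID 500) shares root's ID, or if nothing does. It goes a little beyond the post by also catching stray ID 0 mappings the post does not show. The database path and attribute names are the Samba defaults (an assumption, check your install), and the two LDIF dumps embedded in the script are constructed samples, not output from a real DC.

```shell
#!/bin/sh
# Added example (not from the list thread, not Samba's code): audit which SIDs
# a Samba AD DC's idmap.ldb maps to Unix ID 0. On a default provision the only
# one should be the domain Administrator (RID 500), which is why
# "id administrator" shows uid=0(root) on the DC.
# Path and attribute names are Samba defaults (assumption, verify on your DC).
#
# On a real DC, feed it the live database:
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' \
#       objectSid xidNumber type | uid0_sids

# Read LDIF on stdin; print "<SID> <type>" for every record whose xidNumber is 0.
uid0_sids() {
    awk '
        /^objectSid: / { sid = $2 }
        /^type: /      { t = $2 }
        /^xidNumber: / { xid = $2 }
        /^$/           { if (xid == "0" && sid != "") print sid, t
                         sid = ""; t = ""; xid = "" }
        END            { if (xid == "0" && sid != "") print sid, t }
    '
}

# Exit 0 when only the domain Administrator (RID 500, last SID component) is
# mapped to ID 0; exit 1 when nothing is, or when any other SID shares ID 0.
check_only_admin_is_root() {
    uid0_sids | awk '
        { n++; k = split($1, p, "-"); if (p[k] != "500") bad++ }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }
    '
}

# Constructed sample dump in the format ldbsearch prints (not from a real DC):
# the default provision state, Administrator -> 0 and BUILTIN\Users -> 3000009.
SAMPLE_CLEAN='# record 1
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
cn: S-1-5-21-1111111111-2222222222-3333333333-500
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
xidNumber: 0
type: ID_TYPE_UID

# record 2
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
xidNumber: 3000009
type: ID_TYPE_BOTH
'

# Constructed variant: an ordinary user (RID 1108) has also been mapped to 0.
SAMPLE_TAMPERED="$SAMPLE_CLEAN
# record 3
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1108
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1108
xidNumber: 0
type: ID_TYPE_UID
"

# Demo on the two constructed samples.
for name in SAMPLE_CLEAN SAMPLE_TAMPERED; do
    eval "dump=\$$name"
    printf '%s:\n' "$name"
    printf '%s\n' "$dump" | uid0_sids
    if printf '%s\n' "$dump" | check_only_admin_is_root; then
        echo "  ok: only the domain Administrator is mapped to ID 0"
    else
        echo "  WARNING: unexpected SIDs mapped to ID 0"
    fi
done
```

The RID check is deliberately domain-agnostic so the same script works on any DC; the type column is printed because an ID_TYPE_BOTH or ID_TYPE_GID entry at 0 would also be worth a second look.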
