Saturday, April 19, 2014

Basic Samba4 Domain Controller on Ubuntu 14.04

Thanks to the release of Ubuntu 14.04 Server, setting up a Samba4 Active Directory domain controller has never been easier. Whether you need a path out of Windows Server 2003 (end of life in mid 2015) or you've been left out in the cold by Microsoft's decision to drop Small Business Server, Samba4 may be the light at the end of a very dark licensing tunnel. If you've been avoiding Active Directory because of cost, complexity, or whatever else, you no longer have a valid excuse.

Networking Assumptions:
  • Server Hostname: pdc
  • DNS Domain: mydomain.local
  • NETBIOS Domain: MYDOMAIN
  • IP Address:  10.0.0.5
  • Subnet Mask: 255.0.0.0
  • Default Gateway: 10.0.0.1


Disclaimer
The following information is provided strictly as a guide for getting started with Samba4 on Ubuntu 14.04 Server and is by no means a complete solution. I make no claims as to the security or stability of the following configuration. In other words, (as always) you are responsible for the security and stability of your own servers/network/data. That said, I've made every effort to provide the best info I could scrape together from various blogs, how-tos, wikis, and personal experience. Please feel free to comment on anything that can be improved.


Select Your Environment
If you're just trying this out, use a full hypervisor such as KVM, Hyper-V, ESXi, or even VirtualBox, or just install on a physical machine; avoid containers and similar shared-kernel setups, because we need control over the root filesystem's mount options. About 10GB of storage and 2GB of RAM will do for basic testing, but double that if you can. For production, Samba will happily use many cores if you let it, since it spawns a new process for each active connection. I would also try to stay out of swap if you can (RAM is cheap, people). Kerberos, and therefore Active Directory, is quite time sensitive (by default it rejects tickets when the client and server clocks differ by more than five minutes), and I'll wager you're not interested in hunting down intermittent timeout errors.

This guide is intended for Ubuntu 14.04, as many companies require/prefer an OS from a vendor with direct commercial support. For a Samba4 install that doesn't require compiling from source or installing and configuring dependencies manually you're pretty much limited to Ubuntu 14.04 or Red Hat/CentOS 7 (the only major distros which play nice with Samba4 out of the box) anyway. You could make it work with Debian Wheezy but you'll need to compile Samba from source and configure some things manually. Any Debian 7 or Ubuntu 12.04 based adventure should start here: http://www.jadota.com/2013/01/installing-samba4-on-ubuntu-12-04/.

Install and Configure Ubuntu 14.04
Start by downloading the latest ISO of Ubuntu 14.04 here. Be sure the only optional package set you select is OpenSSH server. The installer configures the network with DHCP, so log in and note the IP address before you walk away from a bare-metal (physical server) installation. Connect via SSH using PuTTY (Windows) or the ssh command (*nix/OS X).

Let's start by making sure everything is up-to-date:
sudo apt-get update

sudo apt-get upgrade

Reboot to restart all services and verify that your GRUB and BIOS are set up correctly:
sudo reboot

This is as good a time as any to give the root account a nice long password. Be aware that Ubuntu ships with root locked (no password at all) and expects you to use sudo; running the command below unlocks root, so only do it if you actually need console root logins.
sudo passwd root

If the server sits in a public cloud or is otherwise reachable from the Internet, set up public/private key authentication for SSH, set PermitRootLogin no in /etc/ssh/sshd_config, and disable password logins before proceeding.

Set a Static IP
Next we'll edit /etc/network/interfaces to specify the IP address and other basic network settings. Tailor this to your own network (and choose a domain and hostname you like), of course. Note that the machine is already listed as its own primary DNS server, with Google DNS (8.8.8.8) as a temporary secondary so that apt keeps working until Samba's DNS is up; we'll remove the secondary later. mydomain.local is only a placeholder: for a real deployment avoid the .local suffix, which collides with mDNS (Avahi/Bonjour) on Macs and many Linux clients, and use a subdomain of a DNS name you own.
sudo nano /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 10.0.0.5
netmask 255.0.0.0
gateway 10.0.0.1
dns-nameservers 10.0.0.5 8.8.8.8
dns-search mydomain.local

Specify Hostname and Domain
Your server's hostname was set during install, but let's double check it by opening /etc/hostname
sudo nano /etc/hostname

Here we'll enter your hostname without the domain:
pdc

The fully qualified domain name (FQDN) is set via /etc/hosts. Leave the IPv6 lines alone and edit only the values we're interested in. Put the FQDN first, then the short hostname. The Samba wiki wants the FQDN to resolve to the LAN address rather than a loopback one, so if samba_dnsupdate later logs errors about contacting 127.0.1.1 (one commenter below hit this), drop the 127.0.1.1 line and keep only the 10.0.0.5 entry.
sudo nano /etc/hosts

127.0.0.1 localhost
127.0.1.1 pdc.mydomain.local pdc

10.0.0.5 pdc.mydomain.local pdc

Configure NTP
Having the correct time on both client and server is critical for Kerberos, and by extension Samba4, to authenticate smoothly (Kerberos rejects tickets when the clocks differ by more than five minutes by default). Let's install the NTP server:
sudo apt-get install ntp


Now we'll stop the NTP daemon, step the clock manually, and start the daemon back up. I've used the default Ubuntu NTP pool, but you can use an NTP server on your LAN if you already have one (on a router, say). Once it's running, confirm it is actually synchronising: ntpq -p should show one peer marked with an asterisk.
sudo service ntp stop

sudo ntpdate -B 0.ubuntu.pool.ntp.org

sudo service ntp start

Set Up Required Filesystem Options
There are a few filesystem options that Samba4 requires, because it stores NT ACLs and other Windows metadata in extended attributes and POSIX ACLs. Before we start installing packages, let's be sure these are in place. First, edit /etc/fstab:
sudo nano /etc/fstab

Now find the line for the disk or array mounted on / and edit the options field, which comes right after "ext4" (the fields are device, mount point, type, options, dump, pass):
UUID=blahblahmoomoowhatnot  / ext4 user_xattr,acl,barrier=1,errors=remount-ro,relatime 0 1
user_xattr, acl, and barrier=1 are the three the Samba4 documentation calls for; relatime and errors=remount-ro I've added for performance and data integrity respectively (both are already Ubuntu defaults, so they mostly document intent). I've seen actual fistfights over these sorts of things, so go with what you know if you have a strong preference. barrier, acl, and user_xattr are non-negotiable, though, and you'll want all three on any other volume you intend to share via Samba4.

Ubuntu 14.04's kernel and ext4 already support all of these options, but you need the acl package for the getfacl/setfacl user-space tools (and to confirm ACLs actually work):
sudo apt-get install acl


Now we'll run mount -a to be sure fstab still parses. As is typical with Linux, no output is good news; a typo in the options field produces an error naming the option it didn't like. Note that mount -a only mounts filesystems that are not mounted yet, so it does not re-apply the new options to / itself; those take effect at the next reboot (or a remount).
sudo mount -a

Do not continue until "mount -a" goes through without errors.
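As an added example (my own, not from the original post or the Samba project), here is a POSIX shell script that checks one mount point two ways: that its /etc/fstab line carries user_xattr, acl and barrier=1, and that the live mount actually honours them. The live check matters because mount -a never remounts a filesystem that is already mounted, so a freshly edited / line does nothing until sudo mount -o remount / (or a reboot); ext4 also omits acl, user_xattr and barrier from /proc/mounts when they are on, so the script looks for the negated forms and then proves ACLs work by setting one on a temporary file. It assumes the standard fstab layout (options in the fourth field) and the setfacl/getfacl tools from the acl package; the fstab_check.sh file name and the .samba-acl-probe temporary file name are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the mount options
# Samba4 needs on a filesystem, both as written in /etc/fstab and as actually
# in effect. Assumes the standard fstab layout (options are field 4) and the
# getfacl/setfacl tools from the "acl" package.

REQUIRED_OPTS="user_xattr acl barrier=1"

# fstab_opts MOUNTPOINT < fstab-text
# Print the option field of the first non-comment fstab line for MOUNTPOINT.
fstab_opts() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $4; exit }'
}

# missing_opts "opt1,opt2,..."
# Print each required option absent from the comma-separated list, one per
# line; prints nothing when the list is complete.
missing_opts() {
    opts=",$1,"
    for o in $REQUIRED_OPTS; do
        case "$opts" in
            *",$o,"*) ;;
            *) echo "$o" ;;
        esac
    done
}

# check_fstab MOUNTPOINT [FSTAB_FILE]
# Return 0 if the fstab entry carries every required option, 1 otherwise.
check_fstab() {
    mp="$1"; file="${2:-/etc/fstab}"
    opts=$(fstab_opts "$mp" < "$file")
    [ -n "$opts" ] || { echo "$mp: no entry in $file"; return 1; }
    missing=$(missing_opts "$opts")
    if [ -n "$missing" ]; then
        echo "$mp: missing in $file: $(echo "$missing" | tr '\n' ' ')"
        return 1
    fi
    echo "$mp: fstab entry OK ($opts)"
}

# check_live MOUNTPOINT
# "mount -a" never remounts an already-mounted filesystem, so new options on /
# only apply after "mount -o remount /" or a reboot. ext4 does not list
# acl/user_xattr/barrier in /proc/mounts while they are on (they are defaults),
# so look for the negated forms, then prove ACLs work with setfacl.
check_live() {
    mp="${1:-/}"
    live=$(awk -v mp="$mp" '$2 == mp { print $4; exit }' /proc/mounts)
    case ",$live," in
        *,noacl,*|*,nouser_xattr,*|*,nobarrier,*)
            echo "$mp: mounted with an option Samba needs turned off: $live"
            return 1 ;;
    esac
    probe=$(mktemp "$mp/.samba-acl-probe.XXXXXX") || return 1
    if setfacl -m u:nobody:r-- "$probe" 2>/dev/null \
       && getfacl "$probe" 2>/dev/null | grep -q '^user:nobody:r--'; then
        rm -f "$probe"
        echo "$mp: ACLs work on the live mount"
    else
        rm -f "$probe"
        echo "$mp: setfacl failed; remount with acl (mount -o remount $mp)"
        return 1
    fi
}

# Usage (as root):  sh fstab_check.sh /     or     sh fstab_check.sh /srv/shares
if [ -n "${1:-}" ]; then
    check_fstab "$1" && check_live "$1"
fi
```

Run it as root with the mount point as its only argument. check_fstab accepts an alternative file as its second argument, which lets you check a candidate fstab before writing it over the real one.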

Install and Provision Samba
There are only three packages to install (two of them are just for verifying the installation), which seems crazy if you ever had the pleasure of building from source before 14.04. The krb5-user package will prompt for a few values: the default Kerberos realm, which is your DNS domain in upper case (MYDOMAIN.LOCAL, not the NetBIOS name MYDOMAIN), and the Kerberos server and administrative server for that realm, which are both this host (pdc.mydomain.local). Get these right, because kinit below relies on /etc/krb5.conf. Provisioning also writes a ready-made /var/lib/samba/private/krb5.conf, which the Samba wiki simply copies over /etc/krb5.conf; that is a fine alternative to answering the prompts.
sudo apt-get install samba krb5-user smbclient

Before we can provision Samba we need to remove the /etc/samba/smb.conf that the package installed, since samba-tool refuses to provision on top of its standalone-server settings.
sudo rm /etc/samba/smb.conf

Now we'll generate our own with samba-tool. Passing --adminpass on the command line leaves the domain administrator password in your shell history (and briefly in the process list), so on anything other than a throwaway VM omit that option and let samba-tool prompt for it. Samba enforces Windows-style complexity on this password by default (at least seven characters drawn from three of the four character classes), so pick something much stronger than the placeholder below.
sudo /usr/bin/samba-tool domain provision --realm mydomain.local --domain MYDOMAIN --adminpass Test1234Lol --server-role=dc

DNS Considerations
DNS is critical to the functioning of an Active Directory domain: clients locate the DC through the SRV records Samba publishes, so your Samba server must be the primary DNS server for every host that will interact with the domain. For larger installs of Samba as a domain controller you will want BIND9 (with Samba's BIND9_DLZ backend) as your DNS server, but since our focus here is smaller deployments and testing we can use Samba's built-in DNS server (the SAMBA_INTERNAL backend, which is the default). It's worth mentioning that it is entirely possible, and not terribly complicated, to switch to BIND9 after you're already up and running. Samba recommends BIND9 for any "complexer DNS setup", so if that sounds like you, maybe just bite the bullet and set up BIND out of the gate.

Let's edit the new /etc/samba/smb.conf to tell Samba which DNS server to ask about names outside the AD domain.
sudo nano /etc/samba/smb.conf

We have to tell Samba whom to ask when it can't answer a query itself. We'll set our gateway router as the DNS forwarder to get some level of caching. Both lines go in the [global] section. The second line relaxes the default (allow dns updates = secure only) so that the router, which won't be a domain member and therefore can't authenticate its updates with Kerberos, can register the leases it hands out. Understand what that trades away: with nonsecure updates enabled, any host that can reach port 53 on the DC can create or overwrite records in mydomain.local, including the DC's own name, which is a convenient way to redirect clients. If your router doesn't actually perform dynamic DNS updates, leave the default alone; if it does, at least confine the DC and its clients to their own VLAN (or IP subnet) and restrict who can reach port 53.
dns forwarder = 10.0.0.1
allow dns updates = nonsecure and secure
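The weak setting beside the safe one, as an added example that is not from the original post or from Samba: a POSIX shell audit that reads the [global] section of an smb.conf the way Samba does (case-insensitive keys, any spacing around the equals sign, last value wins, later sections ignored) and reports the effective allow dns updates policy, which is secure only when the line is absent. The function names and the sample config are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: read a setting from the
# [global] section of an smb.conf and flag the DNS-update policy.
# Samba accepts "key = value" with any spacing and case-insensitive keys;
# "allow dns updates" defaults to "secure only" when unset.

# smb_global KEY < smb.conf
# Print KEY's value from [global] (last occurrence wins, as in Samba),
# or nothing if it is unset.
smb_global() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }                                  # comment lines
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { if (val != "") print val }'
}

# dns_update_policy < smb.conf
# Print the effective "allow dns updates" value, applying Samba's default.
dns_update_policy() {
    v=$(smb_global "allow dns updates")
    echo "${v:-secure only}"
}

# audit_dns_updates < smb.conf
# Return 0 when only Kerberos-authenticated (secure) updates, or none at all,
# are accepted; 1 when any host on the network may create or overwrite records.
audit_dns_updates() {
    tmp=$(mktemp); cat > "$tmp"
    policy=$(dns_update_policy < "$tmp")
    fwd=$(smb_global "dns forwarder" < "$tmp")
    rm -f "$tmp"
    echo "dns forwarder: ${fwd:-(none set; names outside the domain will not resolve)}"
    case "$policy" in
        "secure only")
            echo "allow dns updates = secure only (OK: updates need a Kerberos-authenticated client)"
            return 0 ;;
        "disabled")
            echo "allow dns updates = disabled (OK security-wise, but no dynamic registration at all)"
            return 0 ;;
        *)
            echo "allow dns updates = $policy: unauthenticated hosts can create or overwrite AD DNS records"
            return 1 ;;
    esac
}

# Usage on the DC:  audit_dns_updates < /etc/samba/smb.conf
# or, to audit the effective configuration:  testparm -s 2>/dev/null | audit_dns_updates
```

Feeding it testparm -s output instead of the raw file shows the configuration after Samba has applied its own parsing, which catches settings hidden by include directives or typos in key names.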

Now update /etc/network/interfaces to use Samba's DNS exclusively.
sudo nano /etc/network/interfaces

Just remove the secondary entry pointing at Google DNS, leaving:
dns-nameservers 10.0.0.5

Then restart the whole server so that networking, Samba, and everything else come up fresh. This also proves that the right services start on their own after a reboot or power failure. Once it's back, /etc/resolv.conf should list only nameserver 10.0.0.5 with search mydomain.local, and a samba process (not merely smbd and nmbd) should be running. If it isn't, check the samba-ad-dc service; one commenter below had to start it by hand after a reboot.
sudo reboot

Final Testing
At this point Samba should be all set and ready for management via the normal Microsoft Active Directory tools. Before we go and set up group policies, network printers, and everything else we should make sure Samba and Kerberos are in good working order.

First we'll use a few DNS lookups to confirm that the server can find itself and is in the right domain. The two SRV queries should point at pdc.mydomain.local on ports 389 and 88 respectively, and the A query should return 10.0.0.5. If any of these fail, look at /etc/network/interfaces, /etc/hosts, and /etc/hostname, then reboot once you've fixed what you find there.
host -t SRV _ldap._tcp.mydomain.local.

host -t SRV _kerberos._udp.mydomain.local.

host -t A pdc.mydomain.local.

Now that the server can find itself, let's be sure the AD administrator can log in with the password chosen at provisioning. kinit takes the realm (MYDOMAIN.LOCAL, upper case) from /etc/krb5.conf; if you see "Cannot contact any KDC for requested realm", the realm or KDC entered at the krb5-user prompts is wrong. A successful kinit prints nothing; klist will show the ticket.
kinit administrator

Let's also ensure SMB clients can talk to Samba. This anonymous listing (-U%) should show at least the netlogon and sysvol shares that every DC publishes.
sudo /usr/bin/smbclient -L localhost -U%

And finally, we'll have a client request an SMB connection and fully authenticate (you'll be prompted for the administrator password). This is the real test, as it needs DNS, Kerberos, LDAP, and SMB all working in concert.
sudo /usr/bin/smbclient //localhost/netlogon -U 'administrator'

Once you're in and see that it works, just quit smbclient.
quit
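The tests above rolled into one script, as an added example (mine, not the post's or Samba's). It parses the output of host so that a wrong target or port fails loudly instead of being eyeballed, confirms the DC is listening on the DNS, Kerberos, LDAP and SMB ports, obtains a ticket with kinit (which prompts for the password) and verifies it with klist -s, then performs the anonymous share listing and a Kerberos-authenticated connection to netlogon. It assumes bind9-host's output format, iproute2's ss, MIT Kerberos tools and smbclient, all present on a DC built as above; the check_dc name and its arguments are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: the "Final Testing" steps as
# one script. Assumes bind9-host output ("... has SRV record PRIO WEIGHT PORT
# TARGET." and "... has address IP"), iproute2's ss, MIT kinit/klist and
# smbclient. TCP 53/88/389/445 = DNS/Kerberos/LDAP/SMB.

# srv_target < host-output   -> the SRV target host, trailing dot stripped
srv_target() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# srv_port < host-output     -> the SRV port
srv_port() {
    awk '/has SRV record/ { print $(NF-1); exit }'
}

# a_address < host-output    -> the A record address
a_address() {
    awk '/has address/ { print $NF; exit }'
}

# listening PORT  -> 0 if something listens on TCP PORT on any address
listening() {
    ss -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
}

# check_dc DNS-DOMAIN HOSTNAME IP  -> run every check; return 1 on first failure
check_dc() {
    dom="$1"; fqdn="$2.$1"; ip="$3"
    realm=$(echo "$dom" | tr 'a-z' 'A-Z')

    # The SRV records clients use to find the LDAP and Kerberos services.
    for rec in "_ldap._tcp:389" "_kerberos._udp:88"; do
        name="${rec%%:*}.$dom."; port="${rec##*:}"
        out=$(host -t SRV "$name")
        [ "$(echo "$out" | srv_target)" = "$fqdn" ] && [ "$(echo "$out" | srv_port)" = "$port" ] \
            || { echo "FAIL: $name -> '$out' (expected $fqdn port $port)"; return 1; }
        echo "OK: $name -> $fqdn:$port"
    done

    out=$(host -t A "$fqdn.")
    [ "$(echo "$out" | a_address)" = "$ip" ] \
        || { echo "FAIL: $fqdn -> '$out' (expected $ip); check /etc/hosts and the A record"; return 1; }
    echo "OK: $fqdn -> $ip"

    for p in 53 88 389 445; do
        listening "$p" || { echo "FAIL: nothing listening on TCP $p; is the samba process running?"; return 1; }
    done
    echo "OK: DNS, Kerberos, LDAP and SMB ports are open"

    # kinit prompts for the Administrator password; klist -s is silent and
    # returns 0 only while a valid ticket is in the cache.
    kinit "administrator@$realm" && klist -s \
        || { echo "FAIL: no ticket for administrator@$realm; check /etc/krb5.conf and the clock"; return 1; }
    echo "OK: Kerberos ticket obtained for administrator@$realm"

    # A DC must publish netlogon and sysvol; -U% lists shares anonymously.
    smbclient -L localhost -U% 2>/dev/null | grep -qi '^[[:space:]]*netlogon' \
        || { echo "FAIL: netlogon share not listed by smbclient"; return 1; }
    # -k reuses the ticket from kinit, so this exercises DNS, Kerberos and SMB together.
    smbclient -k "//$fqdn/netlogon" -c 'ls' >/dev/null 2>&1 \
        || { echo "FAIL: Kerberos-authenticated SMB connection to //$fqdn/netlogon failed"; return 1; }
    echo "OK: share listing and Kerberos SMB login work"
}

# Usage on the DC:  sh dc_check.sh mydomain.local pdc 10.0.0.5
if [ $# -eq 3 ]; then
    check_dc "$1" "$2" "$3"
fi
```

Each step prints OK or FAIL with what was expected, and the script stops at the first failure so the earlier layers (DNS before Kerberos before SMB) are confirmed good before you chase a later one.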

That's it! You've now got a working Samba4 Domain Controller. The easiest way to manage Active Directory is via Microsoft's own AD Management tools. The Samba wiki has an excellent article about getting those installed here: https://wiki.samba.org/index.php/Samba_AD_management_from_windows



Special thanks to "Just an Admin" for the excellent Installing Samba4 on Ubuntu 12.04 LTS article which served as my initial framework and really helped me to get my feet wet with Samba4. This post started out life as a Samba + 12.04 guide. In addition, the Samba Wiki has been an invaluable resource for determining such things as required file system attributes and dependencies.




28 comments:

  1. Update: Fixed a typo on the final smbclient test and added a note about a prompt when installing krb5-user.

  2. It looks like this is not correct:

    UUID=blahblahmoomoowhatnot / ext4 user_xattr,acl,barrier=1,errors=remount-ro,relatime 0 1

    In my Ubuntu 14.04 fstab file I mostly have something like this: UUID=xxxxx /boot ext2 .....

    Moreover, according to this: https://wiki.samba.org/index.php/OS_Requirements#fstab_2
    I have it like this:
    /dev/mapper/ubuntu--vg-root / ext4 errors=remount-ro,acl,user_xattr,barrier=1 1 1

    Please correct me if I am wrong!

  3. Very nice! Your procedure works like a charm! Except when we have IPv6 enabled in /etc/network/interfaces and /etc/hosts... Then Samba4 does not work at all... It does not listen on 53, nor on 389... :-(
    Thank you for sharing!

  4. Hi,
    the configuration of /etc/hosts:
    127.0.0.1 localhost
    127.0.1.1 pdc.mydomain.local pdc

    10.0.0.5 pdc.mydomain.local pdc

    delivers the following error in the log:
    /usr/sbin/samba_dnsupdate: ; Communication with 127.0.1.1#53 failed: operation canceled

    After commenting out the line:
    # 127.0.1.1 pdc.mydomain.local pdc
    everything works fine.

    At this moment I have a problem here:
    /usr/sbin/samba_dnsupdate: RuntimeError: kinit for SRV01$@DOT.LAN failed (Cannot contact any KDC for requested realm)

    I hope to solve it shortly. Thank you.

    Replies
    1. Strange, your two issues are definitely related. I have the 127.0.1.1 entry on multiple servers with totally different hardware configurations (single NIC, bonded interface, etc.) and no issues with dnsupdate. Do you have multiple NICs active? Have you added anything in iptables that could be a problem? Was the 127.0.1.1 address populated when the server was initially set up (as mine was in both 14.04 and 12.04)?

  5. Just for the record, I just filed a bug at Launchpad about Samba4 with IPv6: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1335502

    Replies
    1. Thanks for the update, I'm hoping to improve this article soon as I've been playing with CUPS and most of Active Directory on Samba4 a lot lately. I've honestly avoided using IPv6 myself as IPv4 subnetting is an easy way to segregate LAN traffic (especially on lower-end networking gear lacking VLAN support).

      I have found that on a LAN where there is already a Windows server PDC with IPv6 enabled it's basically impossible to move clients over to a Samba PDC without first disabling IPv6 on the client. This, even after setting the DNS server on the client to the Samba PDC. Kind of a kludge for sure, but it does seem to get the job done. I'll look into getting IPv6 working and update the article (hopefully soon).

    2. I resolved CUPS errors in the log like this: samba-tool domain provision --realm=DOT.LAN --domain=DOT --adminpass='Pa77w0rd' --dns-backend=BIND9_DLZ --server-role=dc --use-xattr=yes --use-rfc2307 --function-level=2008_R2 --use-ntvfs

      --use-ntvfs sources:

      https://wiki.samba.org/index.php/Samba4/s3fs
      https://lists.samba.org/archive/samba-technical/2011-December/080784.html

      Maybe it will be helpful.

    3. Thank you Roswebnet! You enlightened me! To make Samba4 AD DC work with IPv6, we just need to append "--function-level=2008_R2"...

      But then, after a server reboot, Samba4 got stuck; we need to manually kill it and do a "service samba-ad-dc start" to bring it back again... Something is wrong with its init scripts... Nevertheless, it seems to be working with IPv6! YAY!! :-D

  7. Thank you for your tutorial. Clear and simple.
    I got through most of it without problem until the kinit administrator part. It returned the following error:
    kinit: Invalid argument while getting initial credentials
    Since in the provision process we do not refer to any specific DNS source, I went googling and found the following option, which I added: --dns-backend=SAMBA_INTERNAL. It sounded logical since we are not using BIND9 (so far).
    I removed the smb.conf and reprovisioned.
    Result: the same thing.
    Any idea how to move forward? Thanks

    Replies
    1. Hi,
      Once I got the same thing and I lost many hours searching for the problem. Try these steps:

      service smbd stop
      service nmbd stop
      service samba stop
      service apparmor stop

      rm /etc/samba/smb.conf
      rm -R /var/lib/samba/private/*
      rm -R /var/lib/samba/sysvol/*

      apt-get remove --purge krb5-config

      Please check that there is no krb5.conf in /etc/!

      I strongly advise using something like this for the default version of the samba package in Ubuntu 14.04:

      samba-tool domain provision --realm=DOT.LAN --domain=DOT --adminpass='Pa77w0rd' --dns-backend=SAMBA_INTERNAL --server-role=dc --use-xattr=yes --use-rfc2307 --function-level=2008_R2 --use-ntvfs

      Check and update your /etc/smb.conf if needed. Use the wiki: https://wiki.samba.org/index.php/DNS#Configuration

      Optional (please check the Samba wiki for the internal DNS!)
      In AppArmor: /etc/apparmor.d/usr.sbin.named add something like this:

      # Samba4 DLZ and Active Directory Zones
      /var/tmp/** rw,
      /var/lib/samba/private/** rkw,
      /var/lib/samba/private/dns/** rkw,
      /var/lib/samba/private/sam.ldb.d/** k,
      /usr/lib/x86_64-linux-gnu/samba/bind9/** rm,
      /usr/lib/x86_64-linux-gnu/samba/gensec/** rm,
      /usr/lib/x86_64-linux-gnu/samba/ldb/** rm,
      /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
      }

      Check your network configuration carefully. Reboot.

      Run the test (please change the name to your own):

      host -t SRV _ldap._tcp.dot.lan.
      host -t SRV _kerberos._tcp.dot.lan.
      host -t A srv01.dot.lan

      then apt-get install krb5-user
      If the steps above are configured correctly this package will mostly not ask for any additional info. However, you can enter the following if it asks for something (please change the name and IP to your own data):

      DOT.LAN
      x.x.x.x
      SRV01.DOT.LAN

      Hope it will help you.

    2. That did it. It all went well, except for the AppArmor part. I added the code you provided to a new usr.sbin.named file but it seems there must be more to it, as AppArmor refuses to reload. I guess you just gave me an extract and I must be missing the first lines... Anyhow, even without that part it works.
      Thanks a lot.

    4. You must add these lines to the existing usr.sbin.named at the end. But pay attention, this is for the Bind9 version. As I read here:
      https://wiki.samba.org/index.php/DNS_Backend_BIND#Interaction_with_AppArmor_or_SELinux

      Add the following to the end of /etc/apparmor.d/local/usr.sbin.named (create it if it doesn't already exist).
      # Samba4 DLZ and Active Directory Zones (default source installation)
      /usr/local/samba/lib/** rm,
      /usr/local/samba/private/dns.keytab r,
      /usr/local/samba/private/named.conf r,
      /usr/local/samba/private/dns/** rwk,

      It should work for Samba DNS. Attention: they give the path /usr/local/samba; you need to find which path Ubuntu 14.04 uses. Use commands like updatedb and then find xxxxx, where xxxxx is the folder or file. But test it carefully before going into production!

  8. Thank you very much for this guide. Worked great for me.
