Posted: Wed Aug 30, 2017 3:57 pm Post subject: Setting up Samba as an Active Directory Domain Controller
Hi guys,
i wanna share my HowTo for Samba 4 AD/DC with Samba 4.6.6 and Dynamic DNS Updates.
I managed it with the Gentoo wiki, a book for Samba 4.3 and some different random pages across the web.
My HowTo is more like a copy-paste instruction than a full HowTo where everything is explained.
But with that i got a running environment where everything i wrote here works.
The complete test environment has been working properly and stably for 4 weeks.
Feel Free to ask if something is not clear
i don't take any warranty if you do this in live environments
you do it all by yourself
typos? Have fun with it
XEN Host:
Kernel 4.12.2
GCC 6.3.0
XEN 4.8.1-r2
Server1 and Server 2
Kernel Kernel 4.12.2
Samba 4.6.6
GCC 6.3.0
Windows Client to configure the AD via RSAT tools (Windows 10 1703)
Gentoo Client
Kernel 4.12.8
GCC 6.4.0
Samba 4.6.7
configure /etc/dhcp/dhcpd.conf
configure /etc/bind/named.conf
but if you have an NT-style domain, take the dhcp/bind configs for testing (some modification needed)
can't copy the example config at the moment because it's not cleaned up for the public
*maybe comming later*
## USE flags
emerge -pv samba bind bind-tools
Code: | net-fs/samba-4.6.6::gentoo USE="acl addc addns ads client cluster cups fam gnutls ldap pam python syslog systemd winbind -dmapi -gpg -iprint -quota (-selinux) (-system-heimdal) -system-mitkrb5 {-test} -zeroconf" ABI_X86="32 (64) (-x32)" PYTHON_TARGETS="python2_7" 0 KiB
net-dns/bind-9.11.1_p3::gentoo USE="berkdb caps dlz gssapi idn ipv6 ldap libressl postgres ssl static-libs zlib -dnstap -doc -filter-aaaa -fixed-rrset -geoip -gost -json -lmdb -mysql -nslint -odbc -python -rpz (-seccomp) (-selinux) -threads -urandom -xml" PYTHON_TARGETS="python2_7 python3_5 python3_6 -python3_4" 0 KiB
net-dns/bind-tools-9.11.1_p3::gentoo USE="gssapi idn ipv6 libressl readline seccomp ssl -doc -gost -urandom -xml" 0 KiB |
emerge -a samba bind bind-tools
## Create Samba Domain
read the wiki before start here
samba-tool domain provision --use-rfc2307 --interactive
systemctl enable samba
systemctl start samba
## create initial domain admin
samba-tool user create $USER --given-name=$USER --surname=$USERNAME
samba-tool user enable $USER
samba-tool group addmembers "Domain Admins" $USER
samba-tool group listmembers administrators
## ACL allow for domain admins
net rpc rights grant "EXAMPLE\domain admins" SeDiskOperatorPrivilege -U administrator
## resolv.conf
Code: | # Generated by resolvconf
nameserver |
## link krb5.conf
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
## kinit test
kinit administrator@DOMAIN
## check if ticket exists
## rsyncd for sysvol
share the ssh key with the second DC (note: the cron job on Server2 below pulls with the rsync daemon protocol `rsync://`, not over ssh, so the `hosts allow` line in rsyncd.conf is the only thing guarding read access to the SysVol module; consider adding `auth users` and a `secrets file` to it)
nano /etc/rsyncd.conf
Code: | [SysVol]
path = /var/lib/samba/sysvol/
comment = Samba Sysvol Share
hosts allow =
uid = root
gid = root
read only = yes
systemctl enable rsyncd
systemctl start rsyncd
## NTP setup
rm /etc/ntp.conf
nano /etc/ntp.conf
Code: | server
fudge stratum 10
server iburst prefer
server iburst prefer
server iburst prefer
server iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict [::1]
restrict mask nomodify notrap nopeer noquery
restrict mask nomodify notrap nopeer noquery
restrict mask nomodify notrap nopeer noquery
restrict 3 mask nomodify notrap nopeer noquery |
chgrp ntp /var/lib/samba/ntp_signd
chmod g+rx /var/lib/samba/ntp_signd
systemctl restart ntpd
## check ntp
ntpq -p
## nsswitch.conf
vi /etc/nsswitch.conf
Code: | passwd: compat winbind
shadow: compat
group: compat winbind
## Cups Server on ADDC
# tried on a member server but was not really successful
# on the ADDC all works fine
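# Print spool directory: world-writable with the sticky bit, so every printing
# user can drop spool files but only remove their own.
mkdir -p /var/spool/samba
chmod 1777 /var/spool/samba
# Driver store; group-writable for Domain Admins, who also get the print
# operator privilege below so they can upload drivers.
mkdir -p /var/lib/samba/drivers/
chgrp -R 'domain admins' /var/lib/samba/drivers/
chmod -R g+w /var/lib/samba/drivers/
net rpc rights grant 'domain admins' SePrintOperatorPrivilege -U Administrator
net conf addshare printers /var/spool/samba writeable=y guest_ok=n "Druckerspooling"
# The share name in setparm must match the share created above ("printers");
# a misspelled name would apply the parameters to a different share and leave
# the real one without them.
net conf setparm printers "browsable" "yes"
net conf setparm printers "printable" "yes"
net conf setparm printers "create mask" "0700"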
## Add Printers
Add Printers to cups # i think u know how this works
## useful help for printers
grep Info /etc/cups/printers.conf|cut -d" " -f2> /root/printers.txt
## bash script for printers.conf generation
# quick and dirty but works for me
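#!/bin/bash
# Generate Samba [printer] share sections from the queue list in
# /root/printers.txt (one printer name per line, as written by the grep/cut
# step above) and append them to /etc/samba/printers.conf, which smb.conf
# includes.
#
# Output is appended, as in the original, so running the script twice writes
# every section twice; remove the old printers.conf before regenerating.
# Reading line by line (instead of word-splitting the whole file) keeps
# printer names that contain spaces intact; blank lines are skipped.
set -euo pipefail

readonly printer_list=/root/printers.txt
readonly printers_conf=/etc/samba/printers.conf

# Emit one share section for the printer named $1 on stdout.
print_share_section() {
  local printer=$1
  printf '[%s]\n' "$printer"
  printf ' path = /var/spool/samba/\n'
  printf ' printable = yes\n'
  printf ' printer name = %s\n' "$printer"
  printf ' read only = No\n'
  printf ' create mask = 0700\n'
  printf ' browsable = yes\n'
  printf ' Use client driver = no\n'
}

# read -r keeps backslashes; the || [[ -n ]] part still handles a last line
# without a trailing newline.
while IFS= read -r printer || [[ -n "$printer" ]]; do
  [[ -n "$printer" ]] || continue
  print_share_section "$printer"
done < "$printer_list" >> "$printers_conf"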
## include printers.conf in samba
vi /etc/samba/smb.conf
Code: | [GLOBAL]
include = /etc/samba/printers.conf
.... |
## print sssd pool
vi /etc/samba/smb.conf
Code: | [GLOBAL]
load printers = no
spoolss: architecture = Windows x64
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolssd:prefork_min_children = 5
spoolssd:prefork_max_children = 25
spoolssd:prefork_spawn_rate = 5
spoolssd:prefork_max_allowed_clients = 100
spoolssd:prefork_child_min_life = 60
## Printserver (windows)
read the wiki before start here
## Profiles
read the wiki before start here
mkdir -p /path/for/you/profiles
chgrp -R "Domain Users" /path/for/you/profiles
chmod 2750 /path/for/you/profiles
net conf addshare profiles /profiles writeable=y guest_ok=no "User Profiles"
net conf setparm profiles "browsable" "no"
net conf setparm profiles "profile acls" "yes"
net rpc registry enumerate HKLM\\software\\samba\\smbconf\\profiles -Uadministrator -S FQDN.DOMAIN.TLD
create the GPOs like in the wiki
smbcontrol all reload-config
## Homes
read the wiki before start here
mkdir -p /path/for/you/home/
chgrp -R "Domain Users" /path/for/you/home/
chmod 2750 /path/for/you/home/
net conf addshare users /path/for/you/home/ writeable=y guest_ok=no "Home-Dirs"
net conf setparm users "browsable" "no"
net conf setparm users "create mask" "700"
net conf setparm users "directory mask" "700"
net rpc registry enumerate HKLM\\software\\samba\\smbconf\\users -Uadministrator -S FQDN.DOMAIN.TLD
more infos follow the wiki
smbcontrol all reload-config
## Shares
read the wiki before start here
chown root:"Domain Admins" /path/for/you
chmod -R 0770 /path/for/you/customers
## Password Rules
Code: | samba-tool domain passwordsettings show
samba-tool user setexpiry Administrator --noexpiry
samba-tool domain passwordsettings set --history-length=10
samba-tool domain passwordsettings set --min-pwd-age=80
samba-tool domain passwordsettings set --max-pwd-age=90
samba-tool domain passwordsettings set --min-pwd-length=8
## Change Passwords
Code: | linux client remote
smbpasswd -r SERVER -U username
as user X
smbpasswd -r SERVER
## Dynamic DNS Updates
vi /etc/bind/named.conf
Code: | options{
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
include "/var/lib/samba/private/named.conf"; |
## info for PTR set
PTR entry
The clients can also trigger the PTR registration themselves if "Use this
connection's DNS suffix in DNS registration" is selected in the adapter properties.
The GPO which does the exact same thing is located in
Computer Configuration
-> Administrative Templates
-> Network
-> DNS Client and is called Register
DNS records with connection-specific DNS suffix.
Info area
## GPOs
acls must be owned by:
uid: 3000008
TEST strings
## get msdcs uuids
ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
## Verifying the File Server
smbclient -L localhost -U%
smbclient //localhost/netlogon -UAdministrator -c 'ls'
## GPOs
# my experience after adding new gpos or changing some gpos:
# run the check every time there is an error.
# most failures are wrong acls...
# Repair it
## Repair
samba-tool ntacl sysvolreset
## check
samba-tool ntacl sysvolcheck
## FSMO roles
samba-tool fsmo show
## check DB for failures
samba-tool dbcheck --cross-ncs --fix
## Info site with a lot help
## Info area END
smb.conf at Server1
# Global parameters
Code: | [global]
netbios name = EXAMPLE
realm = EXAMPLE
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = EXAMPLE
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
# log level = 5
winbind refresh tickets= yes
template shell = /bin/bash
template shell = /bin/bash
template homedir = /part/for/you/home/%ACCOUNTNAME%
## print sssd pool
load printers = no
spoolss: architecture = Windows x64
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolssd:prefork_min_children = 5
spoolssd:prefork_max_children = 25
spoolssd:prefork_spawn_rate = 5
spoolssd:prefork_max_allowed_clients = 100
spoolssd:prefork_child_min_life = 60
include = /etc/samba/printers.conf
path = /var/lib/samba/sysvol/example/scripts
read only = No
path = /var/lib/samba/sysvol
read only = No
path = /var/spool/samba/
printable = yes
read only = No
create mask = 0700
browsable = No
Use client driver = no
create mask = 0755
inherit permissions = Yes
write list = adrfuchs , Administrator
writable = yes
path = /path/for/you/home
comment = Home-Dirs
guest ok = no
read only = no
hide unreadable = yes
browseable = no
create mask = 700
directory mask = 700
path = /path/for/you/profiles
comment = User Profiles
guest ok = no
read only = no
browseable = no
profile acls = yes
path = /path/for/you/public
read only = no
browseable = yes
path = /path/for/you/internal
read only = no
browseable = yes
path = /path/for/you/customers
read only = no
browseable = yes |
DC 2 Server2
Backup DC
## set krb5.conf
nano /etc/krb5.conf
Code: | [libdefaults]
default_realm = EXAMPLE
dns_lookup_realm = true
dns_lookup_kdc = true |
Code: | scp root@server1:/var/lib/samba/private/krb5.conf /etc/ |
## DNS Forwarder
vi /etc/samba/smb.conf > add dns forwarder
Code: | dns forwarder = IPSERVER1 |
## Resolv.conf
Code: | # Generated by resolvconf
search EXAMPLE
# nameserver IPSERVER1 # enabeld once for domain join after that remove or disable it |
## Domain Join
Code: | samba-tool domain join EXAMPLE DC -U administrator
systemctl enable samba
systemctl start samba
## DRS Test
# check on both servers
samba-tool drs showrepl
## test the replication
samba-tool user create $USER
New Password:
Retype Password:
User '$USER' created successfully
## check the db
samba-tool dbcheck
if both servers have the same amount of entries, all works well
## Rsync sysvol
Code: | echo "*/5 * * * * root rsync -XAavz --delete-after rsync://root@IPSERVER1:/SysVol/ /var/lib/samba/sysvol/">> /etc/crontab |
systemctl restart vixie-cron
## NTP
same as on server1, see above
smb.conf Server2
Code: | # Global parameters
netbios name = XINEOHP
realm = EXAMPLE
workgroup = EXAMPLE
server role = active directory domain controller
dns forwarder = IPSERVER1
path = /var/lib/samba/sysvol/EXAMPLE/scripts
read only = No
path = /var/lib/samba/sysvol
read only = No |
Gentoo Client with lxdm kerberos integration and samba share auto mount at login
mostly is copied from
## client smb.conf
Code: | [global]
workgroup = EXAMPLE
realm = EXAMPLE
security = ADS
server string = (Samba %v)
obey pam restrictions = Yes
guest account = nobody
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = true
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
lanman auth = No
max protocol = SMB3
min protocol = NT1
# syslog = 1
log level = 0 winbind:6 auth:7
log file = /var/log/samba/%m.log
max log size = 100
debug uid = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# printcap name = cups
# dns proxy = No
idmap config * : backend = tdb
idmap config *:range = 10000-19999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 1000000 - 1999999
template homedir = /home/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind offline logon = Yes
winbind expand groups = 2
ea support = Yes
store dos attributes = Yes
dos filemode = Yes
unix extensions = no
follow symlinks = yes
wide links = yes
veto files = /.*/
## Client Domain Join
net ads info
net ads join -U AD_username_with_computer_account_create_rights
net ads testjoin
getent passwd
systemctl start winbindd
systemctl enable winbindd
## i changed local users group to ad users group to enable easy sudo rights for users
## if there is a better way please tell me
vi /etc/group
Code: | #users:x:100:
users:x:1000513: |
## Pam settings
krb5_ccache_type=FILE so login still works when no domain / network (eth) is available
Code: |
auth required
auth sufficient krb5_auth krb5_ccache_type=FILE
auth sufficient likeauth nullok try_first_pass
auth sufficient use_first_pass
auth required
account sufficient
account required
password required retry=3
password sufficient nullok use_authtok md5 shadow
password optional
session required skel=/etc/skel/ umask=0022
session required
session required
session required debug |
## krb5.conf
# yes again
nano /etc/krb5.conf
Code: |
default_realm = EXAMPLE
dns_lookup_realm = false
dns_lookup_kdc = true |
## Pam winbind config
vi /etc/security/pam_winbind.conf
Code: | [global]
# turn on debugging
debug = yes
# turn on extended PAM state debugging
debug_state = yes
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes
# authenticate using kerberos
krb5_auth = yes
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
krb5_ccache_type = file
# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
# create homedirectory on the fly
mkhomedir = yes |
## testing
Now Login with your AD account
(i use sddm and with lxde)
open your preferred terminal and run klist
if it now shows you a kerberos ticket "you did it"
samba with AD/DC at gentoo with an gentoo Domain Client
second test
open your preferred file browser
if you can access these shares without any Password question
## samba auto mount
# (little goody to replace smb4k and kwallet for our employees; note that the sudoers lines below let every member of the users group run mount/umount as root with any arguments, which is effectively root access — keep that group small or use an fstab entry with the `user` option / pam_mount instead)
Code: | %users ALL=(ALL) NOPASSWD:/bin/mount
%users ALL=(ALL) NOPASSWD:/bin/umount
vi /etc/xdg/autostart/
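#!/bin/bash
# Login autostart script: mount the "internal" and "customers" shares of
# IPSERVER1 under the user's home directory using the Kerberos ticket obtained
# at login (sec=krb5i).  Files appear owned by the user's winbind uid and the
# AD-mapped "users" gid (forceuid/forcegid).
#
# This only works because of the sudoers rule that lets %users run /bin/mount
# and /bin/umount without a password.  That rule is the security boundary:
# every member of users can then mount anything with any options as root, so
# keep that group small or switch to an fstab entry with the "user" option /
# pam_mount instead of sudo.
#
# TODO: create a logoff script for umount at logoff or user switch.
set -uo pipefail   # no -e: a failed mount should not stop the remaining ones

readonly server=IPSERVER1
# gid of the AD "users" group as remapped in /etc/group (users:x:1000513:)
readonly users_gid=1000513
readonly user_home=/home/$USER

# numeric uid of the logged-in user as winbind reports it
useruid=$(wbinfo -i "$USER" | cut -d : -f 3)
readonly useruid

# Mount //server/$1 on the mount point $2, creating the directory if needed.
mount_share() {
  local share=$1 target=$2
  mkdir -p -- "$target"   # -p: fine if the directory already exists
  sudo mount -t cifs \
    -o "username=$USER,uid=$useruid,forceuid,gid=$users_gid,forcegid,sec=krb5i,cruid=$USER" \
    "//$server/$share" "$target"
}

mount_share internal  "$user_home/internal"
mount_share customers "$user_home/customers"

exit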
## nice little GUI for Password change via gentoo
vi /etc/portage/make.conf
add to global use
emerge pexpect python-ldap dev-lang/tk
emerge --newuse world
this tool needs python-2.7 as the active python version
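# list the installed python slots; the active one is marked with an asterisk
eselect python list
# select the python 2.7 entry by its number from the list above
eselect python set <number-of-the-2.7-entry>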
Code: | git clone |
Code: | cd adpassword && python build && python install |
if there are still missing python packages in your system please install them
Last edited by jodalein on Tue Sep 05, 2017 12:42 pm; edited 2 times in total |
This is awesome!
