SMB4 AD and Bind

“Ubuntu 14.04 LTS”

See DNS/DHCP page for domain info.

sudo apt-get update
sudo apt-get update && sudo apt-get upgrade

Install the acl

sudo apt-get install acl attr

Configure acl in the /etc/fstab

sudo nano /etc/fstab
/dev/mapper/vg0-lv_data   /   ext4 user_xattr,acl,barrier=1,noatime  0  0
mount -a

Reboot

Installing Samba software

sudo apt-get install samba smbclient  build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev ldb-tools

During the installation process you will be asked some questions:

  • Kerberos Authentication: MYDC.ABC.LAN
  • hostname of Kerberos server: dcsrv.abc.lan
  • hostname of the Administrative: dcsrv.abc.lan
Remove your old smb.conf
sudo rm /etc/samba/smb.conf

Provision  AD:

sudo samba-tool domain provision --use-rfc2307 --interactive

Input the following:

  • Realm: MYDC.ABC.LAN
  • DNS Backend: BIND9_DLZ
Realm: MYDC.ABC.LAN
 Domain [MYDC]: 
 Server Role (dc, member, standalone) [dc]: 
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password: 
Retype password: 
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=mydc,DC=abc,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=mydc,DC=abc,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dcsrv
NetBIOS Domain: MYDC
DNS Domain: mydc.abc.lan
DOMAIN SID: S-1-5-21-416587768-2115368124-2463890298

Disable Domain administrator pasword from expiring. Note: its two dashes on noexpiry

sudo samba-tool user setexpiry Administrator –noexpiry

Configuring Samba and Bind.

Edit the file /etc/samba/smb.conf and add the following lines to the end of the [global] section.

sudo nano /etc/samba/smb.conf
       allow dns updates = nonsecure and secure 
       dns forwarder = 10.0.2.99
       printing = CUPS
       printcap name = /dev/null

Add the following to /etc/bind/named.conf.options at the end of the options. You may need to remove any duplicate existing lines.

sudo nano /etc/bind/named.conf.options
   auth-nxdomain yes;  
   empty-zones-enable no;
   tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

Choose your version of BIND by removing comment (see example below).

sudo nano /var/lib/samba/private/named.conf
dlz "AD DNS Zone" {
    # For BIND 9.8.0
#    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
 
    # For BIND 9.9.0
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};

Add the following to /etc/bind/named.conf as the second line in the included section.

sudo nano /etc/bind/named.conf
include "/var/lib/samba/private/named.conf";

Add the following apparmor rules to the end of /etc/apparmor.d/usr.sbin.named inside the { }

sudo nano /etc/apparmor.d/usr.sbin.named
   /usr/lib/x86_64-linux-gnu/samba/** rwmk,
   /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
   /var/lib/samba/private/dns/** rwmk,
   /var/lib/samba/private/named.conf r,
   /var/lib/samba/private/dns.keytab rk,
 
   /dev/urandom rw,

Static IP should be set from the DNS/DHCP tutorial.  You will need to change the DNS name server to localhost 127.0.0.1

auto eth0
iface eth0 inet static
   address 10.1.200.3
   gateway 10.1.200.1
   netmask 255.255.255.0
   dns-nameservers 127.0.0.1
   dns-search abc.lan

reboot

Done.