Setting Up A Samba4 Domain Controller

Setting Up A Samba4 Domain Controller

I’ve been doing a fair amount of work lately setting up Samba4 domains and can tell you from experience that it can be a pain. I started out using 64 bit Debian 7 installer and compiling Samba4 from source. This method is frustrating to say the least, there is a lot to go wrong if you don’t have your methods down solid. After setting up a few domains this way, I began looking around for a better way. That better way is the Sernet Samba4 appliance, available at http://www.enterprisesamba.com/samba4app/

The Sernet appliance is built on Debian and works fairly well. The issues I ran into with the Sernet appliance .iso however made it impractical. I found that the .iso installer has issues with some non-free drivers (NIC drivers on my dell server), and with XENserver 6 (display issues and trouble with XORG). After fighting with the issues for a while and not making much headway I looked for another way. In my searching I found angryelectrons automate script available at http://angryelectron.com/samba4-notes/

I ran angryelectron’s script on a vanilla 32 bit Debian 7 install and it works without much fuss, both in xenserver and on bare metal. The only issues I’ve found is a real lack of documentation or forums regarding Sernet’s appliance as far as installing and configuring Samba4. Below are some useful things I found while setting things up that may be useful to others who want to try building their own Samba4 domain.

Running angryelectrons automate script will ask you a few basic questions about your domain. After running the script I checked DNS resolution for my domain server by running the following commands (swapping mydomain for what you named your domain in the setup):
#host -t SRV _ldap._tcp.mydomain.local.
result: _ldap._tcp.mydomain.local has SRV record 0 100 389 samba.mydomain.local.
#host -t A samba.mydomain.local.
result: samba.mydomain.local has address 192.168.1.10
Where I ran int trouble was with the Kerberos config. The automate script doesn’t seem to complete the Kerberos setup and when I ran:
#kinit administrator
I received an error that a KDC could not be found for the domain. Checking the Kerberos config:
#vi /etc/kerb5.conf
I found it was not fully configured with only the following in the file:

[libdefaults]
default_realm = MYDOMAIN.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = false

To get the Kerberos setup completed I added the following lines to the bottom:

[realms]
MYDOMAIN.LOCAL = {
kdc = server.mydomain.local
default_domain = mydomain.local
}

[domain_realm]
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL

After adding those lines to my krb5.conf I got the expected output from:
#kinit administrator
result: Warning: Your password will expire in 41 days on Tue Mar 5 15:23:03 2013
From here its just a matter of editing your smb.conf to add shares and printing if you so desire. This is where I ran into another little hiccup that I couldn't find any documentation on, namely which smb.conf the Sernet appliance uses. I ran:
#locate smb.conf
and got 4 or 5 files in response. After some trial and error I found the Sernet appliance uses the smb.conf located at:
#/opt/samba/etc/smb.conf
and to restart the Sernet appliance Samba:
#/etc/init.d/sernet-samba4 restart

After these minor things I was able to get my Samba4 domain up and running in under 20 minutes, not bad for a free Active Directory domain. Once everything is up you can you the standard microsoft RSAT to add users, logon scripts, share permissions and all the usual fun stuff.

Santa Barbara Hackerspace
About The Author

2 Comments:


  • By my slackware samba kdc works now! 28 Sep 2014

    your krb.conf realm additions worked for me THANKS!!!

    samba4 Version 4.1.11 slackware 14.1

    migrating w2k AD domain to Linux and everything worked but the samba4 kdc would not work for me no kinit
    no joy

    To get the Kerberos setup completed I added the following lines to the bottom: and ther was much joy!!!!

    [realms]
    MYDOMAIN.LOCAL = {
    kdc = server.mydomain.local
    default_domain = mydomain.local
    }
    [domain_realm]
    .mydomain.local = MYDOMAIN.LOCAL
    mydomain.local = MYDOMAIN.LOCAL

    THANK YOU !!!

    • By MBales 29 Sep 2014

      Glad someone was able to put this to use! Thanks for the reply.
      -Swiss

What is the Hackerspace?

We are a group of makers and developers in the Santa Barbara community who love building things. The Hackerspace has a Makerbot printer, piles of Arduinos, and much, much more. Learn More →
Become a Member

Membership Levels
Location

5782 Thornwood Dr
Goleta CA 93117

Contact Us

Current Status

Current status of the Hackerspace: "awesome".
Twitter Feed

Find out what's happening, right now, with the people and organizations you care about.


Bad Authentication data.
Copyright 2012 Builder - Company. Design by OrangeIdea