Distribution-specific Package Installation: Difference between revisions

From SambaWiki
m (Cleaned up the Ubuntu and Debian sections. Added some clarification regarding NTP and associated package installations)
m (Added some Ubuntu-specific information about dns resolutions)
(One intermediate revision by the same user not shown)
Line 1: Line 1:
= Introduction =
= Introduction =


The following is a distribution-specific list of commands to install Samba. There is a distinct difference between installing Samba, and provisioning/configuring of Samba. This page covers the installation-only, and is intended to be a short detour away from [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] page.
The following is a distribution-specific list of commands to install Samba.


Note, that the list of commands is neither provided nor actively verified by the Samba team. If you see any missing packages or incorrect package names, please update the command or send the information to the [https://lists.samba.org/mailman/listinfo/samba Samba mailing list].
Note, that the list of commands is neither provided nor actively verified by the Samba team. If you see any missing packages or incorrect package names, please update the command or send the information to the [https://lists.samba.org/mailman/listinfo/samba Samba mailing list].


As a reminder, the following information about the domain and domain controller applies to these examples:


* Hostname = <code>DC1</code>

* DC local IP Address = <code>10.99.0.1</code>
* Authentication Domain = <code>SAMDOM.EXAMPLE.COM</code>
* Top level Domain = <code>EXAMPLE.COM</code>




Line 31: Line 35:
= Debian =
= Debian =


The following command will prompt you for Kerberos information, and hostname information for the domain controller. Example entries for the Kerberos 5 Realm, Kerberos servers for the realm and hostname of the administrator server are as follows:
The following command will prompt you for Kerberos information, and hostname information for the domain controller. Example entries for the Kerberos 5 Realm, Kerberos servers for the realm and hostname of the administrator server are as follows for a DC with the hostname <code>dc1</code> in the domain <code>SANDOM.EXAMPLE.COM</code>


- EXAMPLE.COM
* SANDOM.EXAMPLE.COM


- sandom.example.com
* dc1.sandom.example.com


- sandom.example.com
* dc1.sandom.example.com


# apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
# apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
Line 47: Line 51:
# apt-get install dnsutils
# apt-get install dnsutils


*Note3: For a DC to serve as the domain NTP server, you will also need <code>ntp</code> or <code>chrony</code>. '''However:''' This is not explicitly necessary for domain-joined machines to share a common NTP server. It is possible to define a Group Policy Object that synchronizes workstations with <code>time.windows.com</code> post installation. Either package can be installed via:
* '''Optional''' Note3: For a DC to serve as the domain NTP server, you will also need <code>ntp</code> or <code>chrony</code>. However this is not explicitly necessary for domain-joined machines to share a common NTP server. It is possible to define a Group Policy Object that synchronizes workstations with <code>time.windows.com</code> post installation. Either package can be installed via:


# apt-get install chrony
# apt-get install chrony
Line 57: Line 61:
= Ubuntu =
= Ubuntu =


==== Preparing the Installation Recap ====
The following command will prompt you for Kerberos information, and hostname information for the domain controller. Example entries for the Kerberos 5 Realm, Kerberos servers for the realm and hostname of the administrator server are as follows:


Before beginning the installation process, it is important that the prerequisites defined on the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] page are met:
- EXAMPLE.COM


# Define a DNS Domain
- sandom.example.com
# Define a hostname
# Select a static IP Address
# Disable <code>resolvconf</code> or make <code>/etc/resolv.conf</code> immutable
# Modify the <code>/etc/hosts</code> file to ensure the DC correctly resolves to itself at the fully-qualified domain name (FQDN) and short host name


Administrators may be unfamiliar with how to perform steps 4 and 5, so this section is intended to provide support:
- sandom.example.com

'''Perform Step 4: Disabling the DNS Resolver'''

Stop and Disable <code>systemd-resolved</code> service
$ sudo systemctl disable --now systemd-resolved

It is good practice to backup <code>resolv.conf</code> unlink it
$ sudo cp /etc/resolv.conf /etc/resolv.conf.backup
$ sudo unlink /etc/resolv.conf

Create a new, blank <code> resolv.conf</code>
$ sudo touch /etc/resolv.conf
$ sudo nano /etc/resolv.conf

With Nano open, copy the following contents and save this file:
# Samba server IP address
nameserver 10.99.0.1
# fallback resolver
nameserver 1.1.1.1
# main domain for Samba
search SAMDOM.EXAMPLE.COM

Ubuntu will attempt to automatically overwrite this file every time the system restarts. Thus we have to make this file immutable:
$ sudo chattr +i /etc/resolv.conf

'''Perform Step 5: Modify the <code>/etc/hosts</code> file'''

Open the hosts file with
$ sudo nano /etc/hosts

Modify and add the following line to the top
10.99.0.1 DC1.SAMDOM.EXAMPLE.COM DC1

With steps 4 and 5 completed, restart the machine
$ sudo shutdown now -r

==== Package Installation ====

With the above prerequisites met, it is now time to install the Samba and associated packages. The following command will prompt you for Kerberos information, and hostname information for the domain controller. Example entries for the Kerberos 5 Realm, Kerberos servers for the realm and hostname of the administrator server are as follows for a DC with the hostname <code>dc1</code> in the domain <code>SANDOM.EXAMPLE.COM</code>

* SANDOM.EXAMPLE.COM

* dc1.sandom.example.com

* dc1.sandom.example.com


$ sudo apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
$ sudo apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
Line 73: Line 128:
$ sudo apt-get install dnsutils
$ sudo apt-get install dnsutils


*Note3: For a DC to serve as the domain NTP server, you will also need <code>ntp</code> or <code>chrony</code>. '''However:''' This is not explicitly necessary for domain-joined machines to share a common NTP server. It is possible to define a Group Policy Object that synchronizes workstations with <code>time.windows.com</code> post installation. Either package can be installed via:
*'''Optional'' Note3: For a DC to serve as the domain NTP server, you will also need <code>ntp</code> or <code>chrony</code>. However this is not explicitly necessary for domain-joined machines to share a common NTP server. It is possible to define a Group Policy Object that synchronizes workstations with <code>time.windows.com</code> post installation. Either package can be installed via:


$ sudo apt-get install ntp
$ sudo apt-get install ntp
Line 80: Line 135:


For details about time synchronization, see [[Time_Synchronisation|Time Synchronization]].
For details about time synchronization, see [[Time_Synchronisation|Time Synchronization]].

==== Post Installation, Pre-Provisioning ====

As mentioned at the top of this page, there is a distinction between installing Samba and provisioning (configuring) it for your needs. Samba automatically creates some placeholder configuration files which are not useful and will break the automated configuration utilities. Thus we must delete those files before moving on.

* Temporary Stop and Disable Samba Services
$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

* Backup the original samba config file.
$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial

* Unmask Samba service
$ sudo systemctl unmask samba-ad-dc

The next step will be to utilize <code>samba-tool</code> in interactive mode to automatically create your configuration files. Details on this can be found back on the main [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Provisioning_Samba_AD_in_Interactive_Mode|Setting up Samba as an Active Directory Domain Controller]] page. Open up that page in a new tab and follow the instructions for the interactive provisioning.

==== Post-Provisioning ====

Upon completion of provisioning, the following commands should be entered to restart Samba with the new configuration files:

$ sudo systemctl start samba-ad-dc.service
$ sudo systemctl enable samba-ad-dc.service

If all went well, your domain controller is up and running with a domain functional level of *Windows Server 2008 R2.* This can be verified with:

$ sudo samba-tool domain level show
$ sudo systemctl status samba-ad-dc.service

You now have a working domain controller for central authentication but no Group Policy Object support. This can be achieved by adding the following line to the <code>[globals]</code> section of the <code>/etc/samba/smb.conf</code> file:
allow group policies = yes

For additional information on this, navigate to [[Group_Policy#Winbind|Group Policy]].





Revision as of 18:50, 6 September 2022

Introduction

The following is a distribution-specific list of commands to install Samba. There is a distinct difference between installing Samba, and provisioning/configuring of Samba. This page covers the installation-only, and is intended to be a short detour away from Setting up Samba as an Active Directory Domain Controller page.

Note, that the list of commands is neither provided nor actively verified by the Samba team. If you see any missing packages or incorrect package names, please update the command or send the information to the Samba mailing list.

As a reminder, the following information about the domain and domain controller applies to these examples:

  • Hostname = DC1
  • DC local IP Address = 10.99.0.1
  • Authentication Domain = SAMDOM.EXAMPLE.COM
  • Top level Domain = EXAMPLE.COM


Red Hat Enterprise Linux / CentOS / Scientific Linux

Version 7 and 8

# yum install samba

The samba package only supports Samba as a domain member and NT4 PDC or BDC. Red Hat does not provide packages for running Samba as an AD DC. As an alternative:

  • Build Samba. For details, see Build Samba from Source.
  • Use 3rd-party packages with AD support from a trusted source.

Version 6

# yum install samba4

The samba4 package only supports Samba as a domain member and NT4 PDC or BDC. Red Hat does not provide packages for running Samba as an AD DC. As an alternative:

  • Build Samba. For details, see Build Samba from Source.
  • Use 3rd-party packages with AD support from a trusted source.


Debian

The following command will prompt you for Kerberos information, and hostname information for the domain controller. Example entries for the Kerberos 5 Realm, Kerberos servers for the realm and hostname of the administrator server are as follows for a DC with the hostname dc1 in the domain SANDOM.EXAMPLE.COM

  • SANDOM.EXAMPLE.COM
  • dc1.sandom.example.com
  • dc1.sandom.example.com
# apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
  • Note1: For a DC you do not need libpam-winbind libnss-winbind libpam-krb5, unless you require AD users to login
  • Note2: For a DC, which will become the new DNS server for the domain, install dnsutils with the following command:
# apt-get install dnsutils
  • Optional Note3: For a DC to serve as the domain NTP server, you will also need ntp or chrony. However this is not explicitly necessary for domain-joined machines to share a common NTP server. It is possible to define a Group Policy Object that synchronizes workstations with time.windows.com post installation. Either package can be installed via:
# apt-get install chrony

For details about time synchronization, see Time Synchronization.


Ubuntu

Preparing the Installation Recap

Before beginning the installation process, it is important that the prerequisites defined on the Setting up Samba as an Active Directory Domain Controller page are met:

  1. Define a DNS Domain
  2. Define a hostname
  3. Select a static IP Address
  4. Disable resolvconf or make /etc/resolv.conf immutable
  5. Modify the /etc/hosts file to ensure the DC correctly resolves to itself at the fully-qualified domain name (FQDN) and short host name

Administrators may be unfamiliar with how to perform steps 4 and 5, so this section is intended to provide support:

Perform Step 4: Disabling the DNS Resolver

Stop and Disable systemd-resolved service

$ sudo systemctl disable --now systemd-resolved

It is good practice to backup resolv.conf unlink it

$ sudo cp /etc/resolv.conf /etc/resolv.conf.backup
$ sudo unlink /etc/resolv.conf

Create a new, blank resolv.conf

$ sudo touch /etc/resolv.conf
$ sudo nano /etc/resolv.conf

With Nano open, copy the following contents and save this file:

# Samba server IP address
nameserver 10.99.0.1

# fallback resolver
nameserver 1.1.1.1

# main domain for Samba
search SAMDOM.EXAMPLE.COM

Ubuntu will attempt to automatically overwrite this file every time the system restarts. Thus we have to make this file immutable:

$ sudo chattr +i /etc/resolv.conf

Perform Step 5: Modify the /etc/hosts file

Open the hosts file with

$ sudo nano /etc/hosts

Modify and add the following line to the top

10.99.0.1 DC1.SAMDOM.EXAMPLE.COM DC1

With steps 4 and 5 completed, restart the machine

$ sudo shutdown now -r

Package Installation

With the above prerequisites met, it is now time to install the Samba and associated packages. The following command will prompt you for Kerberos information, and hostname information for the domain controller. Example entries for the Kerberos 5 Realm, Kerberos servers for the realm and hostname of the administrator server are as follows for a DC with the hostname dc1 in the domain SANDOM.EXAMPLE.COM

  • SANDOM.EXAMPLE.COM
  • dc1.sandom.example.com
  • dc1.sandom.example.com
$ sudo apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
  • Note1: For a DC you do not need libpam-winbind libnss-winbind libpam-krb5, unless you require AD users to login
  • Note2: For a DC, which will become the new DNS server for the domain, install dnsutils with the following command:
$ sudo apt-get install dnsutils
  • 'Optional Note3: For a DC to serve as the domain NTP server, you will also need ntp or chrony. However this is not explicitly necessary for domain-joined machines to share a common NTP server. It is possible to define a Group Policy Object that synchronizes workstations with time.windows.com post installation. Either package can be installed via:
$ sudo apt-get install ntp

or

$ sudo apt-get install chrony

For details about time synchronization, see Time Synchronization.

Post Installation, Pre-Provisioning

As mentioned at the top of this page, there is a distinction between installing Samba and provisioning (configuring) it for your needs. Samba automatically creates some placeholder configuration files which are not useful and will break the automated configuration utilities. Thus we must delete those files before moving on.

  • Temporary Stop and Disable Samba Services
$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
  • Backup the original samba config file.
$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
  • Unmask Samba service
$ sudo systemctl unmask samba-ad-dc

The next step will be to utilize samba-tool in interactive mode to automatically create your configuration files. Details on this can be found back on the main Setting up Samba as an Active Directory Domain Controller page. Open up that page in a new tab and follow the instructions for the interactive provisioning.

Post-Provisioning

Upon completion of provisioning, the following commands should be entered to restart Samba with the new configuration files:

$ sudo systemctl start samba-ad-dc.service
$ sudo systemctl enable samba-ad-dc.service

If all went well, your domain controller is up and running with a domain functional level of *Windows Server 2008 R2.* This can be verified with:

$ sudo samba-tool domain level show
$ sudo systemctl status samba-ad-dc.service

You now have a working domain controller for central authentication but no Group Policy Object support. This can be achieved by adding the following line to the [globals] section of the /etc/samba/smb.conf file:

allow group policies = yes

For additional information on this, navigate to Group Policy.


FreeBSD

# pkg install net/samba44

Note: If you want to use the idmap_ad Winbind back end (on e.g. an AD Member Server), you have to build the port by hand and select the EXP_MODULES configuration option!

SUSE Linux Enterprise / openSUSE

# zypper install samba samba-winbind samba-ad-dc