Distribution-specific Package Installation: Difference between revisions
From SambaWiki
m (Added some Ubuntu-specific information about dns resolutions) |
m (/* Removed extraneous information, I will find a better place for it.) |
||
| Line 33: | Line 33: | ||
= Debian = |
= Debian/Ubuntu = |
||
# apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind krb5-config krb5-user dnsutils |
|||
The following command will prompt you for Kerberos information, and hostname information for the domain controller. Example entries for the Kerberos 5 Realm, Kerberos servers for the realm and hostname of the administrator server are as follows for a DC with the hostname <code>dc1</code> in the domain <code>SANDOM.EXAMPLE.COM</code> |
|||
* Note1: A DC only requires the libpam-winbind and libnss-winbind packages if your AD users will login to the DC. |
|||
* SANDOM.EXAMPLE.COM |
|||
* Note2: A samba DC usually serves as a domain NTP server, to do this you will also need to install an NTP server, either <code>ntp</code> or <code>chrony</code>. However is it not explicitly necessary for domain-joined machines to share a common NTP server, though it is best practice. If you do not wish to install and maintain an NTP server, you can define a Group Policy Object that synchronizes workstations with <code>time.windows.com</code> post installation. If you do want to install either package, they can be installed via: |
|||
* dc1.sandom.example.com |
|||
# apt-get install ntp |
|||
* dc1.sandom.example.com |
|||
Or |
|||
# apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user |
|||
*Note1: For a DC you do not need libpam-winbind libnss-winbind libpam-krb5, unless you require AD users to login |
|||
*Note2: For a DC, which will become the new DNS server for the domain, install <code>dnsutils</code> with the following command: |
|||
# apt-get install dnsutils |
|||
* '''Optional''' Note3: For a DC to serve as the domain NTP server, you will also need <code>ntp</code> or <code>chrony</code>. However this is not explicitly necessary for domain-joined machines to share a common NTP server. It is possible to define a Group Policy Object that synchronizes workstations with <code>time.windows.com</code> post installation. Either package can be installed via: |
|||
# apt-get install chrony |
# apt-get install chrony |
||
| Line 57: | Line 49: | ||
For details about time synchronization, see [[Time_Synchronisation|Time Synchronization]]. |
For details about time synchronization, see [[Time_Synchronisation|Time Synchronization]]. |
||
= Ubuntu = |
|||
==== Preparing the Installation Recap ==== |
|||
Before beginning the installation process, it is important that the prerequisites defined on the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] page are met: |
|||
# Define a DNS Domain |
|||
# Define a hostname |
|||
# Select a static IP Address |
|||
# Disable <code>resolvconf</code> or make <code>/etc/resolv.conf</code> immutable |
|||
# Modify the <code>/etc/hosts</code> file to ensure the DC correctly resolves to itself at the fully-qualified domain name (FQDN) and short host name |
|||
Administrators may be unfamiliar with how to perform steps 4 and 5, so this section is intended to provide support: |
|||
'''Perform Step 4: Disabling the DNS Resolver''' |
|||
Stop and Disable <code>systemd-resolved</code> service |
|||
$ sudo systemctl disable --now systemd-resolved |
|||
It is good practice to backup <code>resolv.conf</code> unlink it |
|||
$ sudo cp /etc/resolv.conf /etc/resolv.conf.backup |
|||
$ sudo unlink /etc/resolv.conf |
|||
Create a new, blank <code> resolv.conf</code> |
|||
$ sudo touch /etc/resolv.conf |
|||
$ sudo nano /etc/resolv.conf |
|||
With Nano open, copy the following contents and save this file: |
|||
# Samba server IP address |
|||
nameserver 10.99.0.1 |
|||
# fallback resolver |
|||
nameserver 1.1.1.1 |
|||
# main domain for Samba |
|||
search SAMDOM.EXAMPLE.COM |
|||
Ubuntu will attempt to automatically overwrite this file every time the system restarts. Thus we have to make this file immutable: |
|||
$ sudo chattr +i /etc/resolv.conf |
|||
'''Perform Step 5: Modify the <code>/etc/hosts</code> file''' |
|||
Open the hosts file with |
|||
$ sudo nano /etc/hosts |
|||
Modify and add the following line to the top |
|||
10.99.0.1 DC1.SAMDOM.EXAMPLE.COM DC1 |
|||
With steps 4 and 5 completed, restart the machine |
|||
$ sudo shutdown now -r |
|||
==== Package Installation ==== |
|||
With the above prerequisites met, it is now time to install the Samba and associated packages. The following command will prompt you for Kerberos information, and hostname information for the domain controller. Example entries for the Kerberos 5 Realm, Kerberos servers for the realm and hostname of the administrator server are as follows for a DC with the hostname <code>dc1</code> in the domain <code>SANDOM.EXAMPLE.COM</code> |
|||
* SANDOM.EXAMPLE.COM |
|||
* dc1.sandom.example.com |
|||
* dc1.sandom.example.com |
|||
$ sudo apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user |
|||
*Note1: For a DC you do not need libpam-winbind libnss-winbind libpam-krb5, unless you require AD users to login |
|||
*Note2: For a DC, which will become the new DNS server for the domain, install <code>dnsutils</code> with the following command: |
|||
$ sudo apt-get install dnsutils |
|||
*'''Optional'' Note3: For a DC to serve as the domain NTP server, you will also need <code>ntp</code> or <code>chrony</code>. However this is not explicitly necessary for domain-joined machines to share a common NTP server. It is possible to define a Group Policy Object that synchronizes workstations with <code>time.windows.com</code> post installation. Either package can be installed via: |
|||
$ sudo apt-get install ntp |
|||
or |
|||
$ sudo apt-get install chrony |
|||
For details about time synchronization, see [[Time_Synchronisation|Time Synchronization]]. |
|||
==== Post Installation, Pre-Provisioning ==== |
|||
As mentioned at the top of this page, there is a distinction between installing Samba and provisioning (configuring) it for your needs. Samba automatically creates some placeholder configuration files which are not useful and will break the automated configuration utilities. Thus we must delete those files before moving on. |
|||
* Temporary Stop and Disable Samba Services |
|||
$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service |
|||
$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service |
|||
* Backup the original samba config file. |
|||
$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial |
|||
* Unmask Samba service |
|||
$ sudo systemctl unmask samba-ad-dc |
|||
The next step will be to utilize <code>samba-tool</code> in interactive mode to automatically create your configuration files. Details on this can be found back on the main [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Provisioning_Samba_AD_in_Interactive_Mode|Setting up Samba as an Active Directory Domain Controller]] page. Open up that page in a new tab and follow the instructions for the interactive provisioning. |
|||
==== Post-Provisioning ==== |
|||
Upon completion of provisioning, the following commands should be entered to restart Samba with the new configuration files: |
|||
$ sudo systemctl start samba-ad-dc.service |
|||
$ sudo systemctl enable samba-ad-dc.service |
|||
If all went well, your domain controller is up and running with a domain functional level of *Windows Server 2008 R2.* This can be verified with: |
|||
$ sudo samba-tool domain level show |
|||
$ sudo systemctl status samba-ad-dc.service |
|||
You now have a working domain controller for central authentication but no Group Policy Object support. This can be achieved by adding the following line to the <code>[globals]</code> section of the <code>/etc/samba/smb.conf</code> file: |
|||
allow group policies = yes |
|||
For additional information on this, navigate to [[Group_Policy#Winbind|Group Policy]]. |
|||
Revision as of 17:51, 18 October 2022
Introduction
The following is a distribution-specific list of commands to install Samba. There is a distinct difference between installing Samba, and provisioning/configuring of Samba. This page covers the installation-only, and is intended to be a short detour away from Setting up Samba as an Active Directory Domain Controller page.
Note, that the list of commands is neither provided nor actively verified by the Samba team. If you see any missing packages or incorrect package names, please update the command or send the information to the Samba mailing list.
As a reminder, the following information about the domain and domain controller applies to these examples:
- Hostname =
DC1 - DC local IP Address =
10.99.0.1 - Authentication Domain =
SAMDOM.EXAMPLE.COM - Top level Domain =
EXAMPLE.COM
Red Hat Enterprise Linux / CentOS / Scientific Linux
Version 7 and 8
# yum install samba
The samba package only supports Samba as a domain member and NT4 PDC or BDC. Red Hat does not provide packages for running Samba as an AD DC. As an alternative:
- Build Samba. For details, see Build Samba from Source.
- Use 3rd-party packages with AD support from a trusted source.
Version 6
# yum install samba4
The samba4 package only supports Samba as a domain member and NT4 PDC or BDC. Red Hat does not provide packages for running Samba as an AD DC. As an alternative:
- Build Samba. For details, see Build Samba from Source.
- Use 3rd-party packages with AD support from a trusted source.
Debian/Ubuntu
# apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind krb5-config krb5-user dnsutils
- Note1: A DC only requires the libpam-winbind and libnss-winbind packages if your AD users will login to the DC.
- Note2: A samba DC usually serves as a domain NTP server, to do this you will also need to install an NTP server, either
ntporchrony. However is it not explicitly necessary for domain-joined machines to share a common NTP server, though it is best practice. If you do not wish to install and maintain an NTP server, you can define a Group Policy Object that synchronizes workstations withtime.windows.compost installation. If you do want to install either package, they can be installed via:
# apt-get install ntp
Or
# apt-get install chrony
For details about time synchronization, see Time Synchronization.
FreeBSD
# pkg install net/samba44
Note: If you want to use the idmap_ad Winbind back end (on e.g. an AD Member Server), you have to build the port by hand and select the EXP_MODULES configuration option!
SUSE Linux Enterprise / openSUSE
# zypper install samba samba-winbind samba-ad-dc