Setting up Samba as an Active Directory Domain Controller

Revision as of 01:30, 12 February 2008 by LapTop006 (talk | contribs) (Step 5: Setting up DNS Server for samba 4 in Ubuntu 7.04: Fix bits that should have been mono)

Samba4 developer howto

tridge@samba.org, December 2004


This is a very basic document on how to set up a simple Samba4 server. It is aimed at developers who are already familiar with Samba3 and wish to participate in Samba4 development. It is not aimed at production use of Samba4.


Step 1: download Samba4

There are 2 methods of doing this:

 method 1:  "rsync -avz samba.org::ftp/unpacked/samba_4_0_test samba4"
 method 2:  "git clone git://git.samba.org/samba.git samba4; cd samba4 && git checkout -b v4-0-test origin/v4-0-test; cd .."

Both methods create a directory called "samba4" in the current directory. If you don't have rsync or git, install one of them.

Since only released versions of Samba contain a pregenerated configure script, you will have to generate it by hand:

$ cd samba4/source
$ ./autogen.sh

Note that the above rsync command gives you a checked-out git repository. So if you also have git you can update it to the latest version at some future date using:

 $ cd samba4
 $ git pull origin v4-0-test

Step 2: compile Samba4

Recommended optional development libraries:

 - acl and xattr development libraries
 - gnutls
 - readline

Run this:

 $ cd samba4/source
 $ ./configure
 $ make proto all

If you have gcc 3.4 or newer, then substitute "pch" for "proto" to greatly speed up the compile process (about 5x faster).

Step 3: install Samba4

Run this as a user who has permission to write to the install directory (defaults to /usr/local/samba). Use the --prefix option to configure above to change this.

 # make install


Step 4: provision Samba4

The "provision" step sets up a basic user database. Make sure the smbscript binary is installed in a directory listed in your PATH environment variable, so that it can be run like any other command from your shell. Provision must be run as a user with permission to write to the install directory.

 # cd source
 # ./setup/provision --realm=YOUR.REALM --domain=YOURDOM --adminpass=SOMEPASSWORD --server-role='domain controller'

'YOURDOM' is the NT4-style domain name. 'YOUR.REALM' is your Kerberos realm, which is typically your DNS domain name in upper case. Note that --adminpass puts the administrator password on the command line, where other users on the machine can read it from ps and where your shell history records it; that is acceptable on a development box, but use a throwaway password.

Step 5: Create a simple smb.conf

The provisioning will create a very simple smb.conf with no shares by default. You will need to update it to add at least one share. For example:

 [test]
       path = /data/test
       read only = no


Step 6: starting Samba4

The simplest is to just run "smbd", but as a developer you may find the following more useful:

  # smbd -i -M single

which means "start smbd interactively (in the foreground, logging to stdout) as a single process". That mode of operation makes debugging smbd with gdb particularly easy.

Note that it is now no longer necessary to have an instance of nmbd from Samba 3 running. If you are running any Samba 3 smbd or nmbd processes, they need to be stopped before starting smbd from Samba 4.

Make sure you put the bin and sbin directories from your new install in your $PATH. Make sure you run the right version!


Step 7: testing Samba4

try these commands:

    $ smbclient //localhost/test -Uadministrator%SOMEPASSWORD

or

    $ ./script/tests/test_posix.sh //localhost/test administrator SOMEPASSWORD


NOTE about filesystem support

To use the advanced features of Samba4 you need a filesystem that supports both the "user" and "system" xattr namespaces.

If you run Linux with a 2.6 kernel and ext3 this means you need to include the option "user_xattr" in your /etc/fstab. For example:

/dev/hda3 /home ext3 user_xattr 1 1

You also need to compile your kernel with the XATTR and SECURITY options for your filesystem. For ext3 that means you need:

  CONFIG_EXT3_FS_XATTR=y
  CONFIG_EXT3_FS_SECURITY=y

If you are running a Linux 2.6 kernel with CONFIG_IKCONFIG_PROC defined you can check this with the following command:

  $ zgrep CONFIG_EXT3_FS /proc/config.gz

If you don't have a filesystem with xattr support, then you can simulate it by using the option:

  posix:eadb = /usr/local/samba/eadb.tdb

that will place all extra file attributes (NT ACLs, DOS EAs, streams etc.) in that tdb. It is not efficient and doesn't scale well, but it gives you a choice when you don't have a modern filesystem.

Testing your filesystem

To test your filesystem support, install the 'attr' package and run the following 5 commands as root:

 # touch test.txt
 # setfattr -n user.test -v test test.txt
 # setfattr -n security.test -v test2 test.txt
 # getfattr -d test.txt
 # getfattr -n security.test -d test.txt

You should see output like this:

 # file: test.txt
 user.test="test"
 # file: test.txt
 security.test="test2"

If you get any "Operation not supported" errors then it means your kernel is not configured correctly, or your filesystem is not mounted with the right options.

If you get any "Operation not permitted" errors then it probably means you didn't try the test as root.
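As an added example (not code from the Samba tree or from this howto), the following Python script performs the same check as the five commands above and tells the two failure modes apart by errno, so it can be pointed at a candidate data directory before you provision. It uses os.setxattr/os.getxattr, which exist only on Linux; the attribute name "samba4probe" and the "unsupported" / "not permitted" labels are this example's own choices.

```python
"""Probe a directory for the xattr namespaces Samba4 uses.

Added example, not part of Samba4 or the original howto: it reproduces the
setfattr/getfattr test with os.setxattr/os.getxattr (Linux only) and
classifies the errno so that "Operation not supported" (kernel/mount options)
and "Operation not permitted" (not root) are told apart.
"""
import errno
import os
import sys
import tempfile

# Samba4 keeps NT ACLs, DOS EAs and streams in these two namespaces.
NAMESPACES = ("user", "security")

# ENOTSUP and EOPNOTSUPP share a value on Linux; collect whichever names exist.
UNSUPPORTED_ERRNOS = {getattr(errno, n) for n in ("ENOTSUP", "EOPNOTSUPP") if hasattr(errno, n)}


def classify_error(err):
    """Map a setxattr/getxattr errno to the diagnosis given in the text."""
    if err in UNSUPPORTED_ERRNOS:
        return "unsupported"      # kernel built without XATTR/SECURITY, or no user_xattr mount option
    if err in (errno.EPERM, errno.EACCES):
        return "not permitted"    # security.* attributes need root (CAP_SYS_ADMIN)
    return "other"


def probe_namespace(path, namespace, value=b"test"):
    """Set, read back and remove <namespace>.samba4probe on path.

    Returns "ok", or one of the classify_error() results on failure."""
    name = f"{namespace}.samba4probe"   # arbitrary attribute name for this probe
    try:
        os.setxattr(path, name, value)
        readback = os.getxattr(path, name)
        os.removexattr(path, name)
    except OSError as exc:
        return classify_error(exc.errno)
    return "ok" if readback == value else "other"


def probe_directory(directory):
    """Create a scratch file in directory and probe every namespace Samba4 needs."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="xattr-probe-")
    os.close(fd)
    try:
        return {ns: probe_namespace(path, ns) for ns in NAMESPACES}
    finally:
        os.unlink(path)


def samba4_ready(results):
    """True when every namespace Samba4 needs probed "ok"."""
    return all(results.get(ns) == "ok" for ns in NAMESPACES)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    results = probe_directory(target)
    for ns, result in results.items():
        print(f"{ns:<9} {result}")
    if not samba4_ready(results):
        print("unsupported: check kernel config / user_xattr mount option; "
              "not permitted: rerun as root")
        sys.exit(1)
```

Run it as root against the directory you intend to share (for example the path of the [test] share): "unsupported" on either namespace means the kernel options or the user_xattr mount option from the previous section are missing, while "not permitted" on security.* only means you are not root.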


Testing Samba4 Active Directory in Ubuntu 7.04 howto

kstan79@gmail.com, 18-August-2007

    • When you see this message, it means the following page is still under construction and the documentation below may not work 100%. You have been warned. **

Step 1: Install required package

Ubuntu Feisty (7.04) does not install the packages required for samba 4 by default. To install all required packages (we will remove bind 8 first), type these commands:

 $sudo /etc/init.d/bind stop
 $sudo apt-get remove bind
 $sudo apt-get install autoconf bind9 libc6-dev subversion gettext

It will ask you to install additional packages; press 'y' to accept.

Step 2: Download samba 4 latest source code

Type these commands to get the latest source (subversion):

 $cd /usr/src
 $sudo svn co svn://svnanon.samba.org/samba/branches/SAMBA_4_0 samba4

The terminal will start downloading the source code; leave it until it finishes. When the samba4 download has completed, you will find a 'samba4' folder in /usr/src.

Step 3: Synchronize your samba 4 source code to the svn server

Samba 4 development moves quickly; there is always something new within a week. To update to the latest source code:

 $cd /usr/src/samba4
 $sudo svn update

Step 4: To compile and install samba 4 into Ubuntu 7.04

To compile and install samba 4, we force it to install under /usr/local:

 $cd /usr/src/samba4/source
 $sudo ./configure --prefix=/usr/local
 $sudo make pch all
 $sudo make install
 $sudo ./setup/provision --realm=TESTING1.ORG --domain=TESTING1 --adminpass=testing1

If you use a gcc older than 3.4, use 'make proto all' rather than 'make pch all'. If there is no error, samba 4 is installed successfully. The --adminpass value (testing1) is the domain administrator password used throughout the rest of this howto; it ends up in your shell history and is visible in ps while provision runs, so treat it as a test-only password.

Step 5: Setting up DNS Server for samba 4 in Ubuntu 7.04

Samba 4 works as a Windows Active Directory server, and a DNS server is a critical component of Active Directory: clients locate the domain controller through SRV records in DNS, not just by its A record. The provision step in Step 4 generated a standard DNS zone file for the realm; copy it into the bind directory and register it:

 $sudo cp /usr/local/testing1.org.zone /etc/bind
 $sudo gedit /etc/bind/named.conf.local

Add the following lines at the bottom of the file:


zone "testing1.org" {
       type master;
       file "/etc/bind/testing1.org.zone";
};

Double-check that testing1.org.zone matches your configuration (if you use VMware, which adds 2 more network interfaces, you may need to edit it by hand). The zone below is based on the settings of my computer: IP address = 192.168.141.1, hostname = mis1.testing1.org. Check that the A records and the NS/SRV targets carry your own address and hostname.

 $sudo gedit /etc/bind/testing1.org.zone



; -*- zone -*-
; generated by provision.pl
$ORIGIN testing1.org.
$TTL 1W
@               IN SOA  @   mis1.testing1.org. (
                               2007071516      ; serial
                               2D              ; refresh
                               4H              ; retry
                               6W              ; expiry
                               1W )            ; minimum
                IN NS   mis1
                IN A    192.168.141.1
;
mis1            IN A    192.168.141.1
1846d80a-02c6-4bdb-8f1b-7d95d7a85024._msdcs     IN CNAME mis1
;
; global catalog servers
_gc._tcp                IN SRV 0 100 3268       mis1
_ldap._tcp.gc._msdcs    IN SRV 0 100 389        mis1
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     IN SRV 0 100 389 mis1
;
; ldap servers
_ldap._tcp              IN SRV 0 100 389        mis1
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        mis1
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389        mis1
_ldap._tcp.b15dc010-f593-4a5b-acf2-d0b2c1d1beef.domains._msdcs  IN SRV 0 100 389 mis1
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389 mis1
;
; krb5 servers
_kerberos._tcp          IN SRV 0 100 88         mis1
_kerberos._tcp.dc._msdcs        IN SRV 0 100 88 mis1
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 mis1
_kerberos._udp          IN SRV 0 100 88         mis1
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp   IN SRV 0 100 88         mis1
_kerberos-master._udp   IN SRV 0 100 88         mis1
;
; kpasswd
_kpasswd._tcp           IN SRV 0 100 464        mis1
_kpasswd._udp           IN SRV 0 100 464        mis1
;
; heimdal 'find realm for host' hack
_kerberos               IN TXT  TESTING1.ORG

Step 6: Bring up the DNS server

Edit /etc/resolv.conf so that your computer queries DNS from itself first. Note that 'sudo echo "..." > /etc/resolv.conf' does not work: the redirection is performed by your unprivileged shell, not by sudo, so it fails with "Permission denied". Write the file through tee instead:

 $echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
 $echo "nameserver your-isp-dns-ipaddress" | sudo tee -a /etc/resolv.conf

You need to restart the DNS server to bring up the new zone:

 $sudo /etc/init.d/bind9 restart

If you can ping mis1.testing1.org (change mis1 to suit your setting), the DNS server is ready. Please don't proceed to the next step if your DNS server is not ready, because your client PC won't be able to join the domain. Note that ping only exercises the host's A record; the join itself depends on the SRV records in the zone, so also confirm that they are served, for example with 'host -t SRV _ldap._tcp.testing1.org 127.0.0.1' and 'host -t SRV _kerberos._tcp.testing1.org 127.0.0.1'.
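The ping in the step above only proves the host's A record; a Windows client locates a domain controller through the SRV records in the zone, so a missing or mistyped SRV record breaks the join even when ping works. The following Python script is an added example, not part of Samba4 or the original howto: it parses a BIND zone file like the one generated in Step 5 and reports SRV records that are missing, advertise the wrong port, or point at a name that does not resolve to the DC's address. The REQUIRED_SRV table is this example's own list of what a joining client looks up, and SAMPLE_ZONE is an abridged copy of the Step 5 zone embedded so that the script runs offline; pass a path, host and address to check your real zone file.

```python
"""Check a provision-generated BIND zone for the SRV records an AD client needs.
Added example, not from Samba4 or the howto; see the lead-in for its assumptions."""
import sys

# Owner (relative to $ORIGIN) -> port a joining client expects to find there.
REQUIRED_SRV = {
    "_ldap._tcp": 389, "_ldap._tcp.dc._msdcs": 389, "_ldap._tcp.pdc._msdcs": 389,
    "_gc._tcp": 3268, "_kerberos._tcp": 88, "_kerberos._udp": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
}

# Abridged copy of the Step 5 zone (the _sites and GUID SRV records are left out).
SAMPLE_ZONE = """\
$ORIGIN testing1.org.
$TTL 1W
@       IN SOA  @   mis1.testing1.org. (
                    2007071516  ; serial
                    2D 4H 6W 1W )
        IN NS   mis1
        IN A    192.168.141.1
mis1    IN A    192.168.141.1
1846d80a-02c6-4bdb-8f1b-7d95d7a85024._msdcs  IN CNAME mis1
_gc._tcp                IN SRV 0 100 3268 mis1
_ldap._tcp              IN SRV 0 100 389  mis1
_ldap._tcp.dc._msdcs    IN SRV 0 100 389  mis1
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389  mis1
_kerberos._tcp          IN SRV 0 100 88   mis1
_kerberos._udp          IN SRV 0 100 88   mis1
_kpasswd._tcp           IN SRV 0 100 464  mis1
_kpasswd._udp           IN SRV 0 100 464  mis1
_kerberos               IN TXT TESTING1.ORG
"""


def parse_zone(text):
    """Return (origin, srv, addrs, cnames); owners are lower-cased and relative to $ORIGIN."""
    origin, last_owner, in_paren = "", "@", False
    srv, addrs, cnames = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # drop comments
        if in_paren:                                    # inside the SOA ( ... ) block
            in_paren = ")" not in line
            continue
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        if line.startswith("$"):                        # $TTL and friends
            continue
        fields = line.split()
        owner = last_owner if line[0].isspace() else fields.pop(0).lower()  # blank owner inherits
        last_owner = owner
        in_paren = "(" in line and ")" not in line
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                               # optional TTL and class
        if not fields:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "SRV" and len(rdata) == 4:
            prio, weight, port, target = rdata
            srv.setdefault(owner, []).append((int(prio), int(weight), int(port), target.lower()))
        elif rtype == "A" and rdata:
            addrs.setdefault(owner, []).append(rdata[0])
        elif rtype == "CNAME" and rdata:
            cnames[owner] = rdata[0].lower()
    return origin, srv, addrs, cnames


def check_zone(text, dc_host, dc_ip):
    """Return a list of problems; an empty list means the zone advertises the DC correctly."""
    origin, srv, addrs, cnames = parse_zone(text)

    def resolve(name):                                  # A records for a name, following one CNAME
        name = name.lower().rstrip(".")
        if origin and name.endswith("." + origin):
            name = name[: -(len(origin) + 1)]           # absolute -> relative
        return addrs.get(cnames.get(name, name), [])

    problems = []
    if dc_ip not in resolve(dc_host):
        problems.append(f"A record for {dc_host} is {resolve(dc_host) or 'missing'}, expected {dc_ip}")
    for owner, port in REQUIRED_SRV.items():
        records = srv.get(owner)
        if not records:
            problems.append(f"missing SRV {owner}.{origin}")
            continue
        if not any(r[2] == port for r in records):
            problems.append(f"SRV {owner} does not advertise port {port}")
        for _prio, _weight, _port, target in records:
            if dc_ip not in resolve(target):
                problems.append(f"SRV {owner} target {target} does not resolve to {dc_ip}")
    return problems


if __name__ == "__main__":
    # usage: check_zone.py [zonefile [dc_host [dc_ip]]]; with no arguments it checks SAMPLE_ZONE
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    host = sys.argv[2] if len(sys.argv) > 2 else "mis1"
    ip = sys.argv[3] if len(sys.argv) > 3 else "192.168.141.1"
    found = check_zone(text, host, ip)
    for problem in found:
        print("PROBLEM:", problem)
    print("zone ok" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

Run it as 'python3 check_zone.py /etc/bind/testing1.org.zone mis1 192.168.141.1' before restarting bind9: a non-zero exit lists every record that would stop a client finding the DC, which is exactly the case the VMware note above warns about (an A record left pointing at the wrong interface).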

Step 7: Fire up samba 4 Services

Before we start the samba 4 services, we need to check the server's clock and time zone. Kerberos compares the absolute (UTC) time on server and client, so the two clocks must agree to within its 5-minute tolerance; putting server and client in the same time zone is the simplest way to make sure of that when you set the time by hand. I use Asia/Kuala_Lumpur:

 $sudo tzconfig


To monitor samba 4 activity more easily, I don't use daemon mode to start the samba 4 services.

 $sudo /usr/local/sbin/smbd -i -d 5 

Now samba 4 is ready; open this URL in Mozilla Firefox to see the new SWAT:

http://localhost:901

If you see SWAT, the samba 4 server works, and we are ready to configure the client computer.

Configure Windows XP Pro client to join Samba 4 Active Directory

Active Directory is a powerful administration service that can centrally manage Windows 2000, Windows XP Pro, Windows 2003 and Windows Vista Business Edition. To test the real samba 4 capability, we use Windows XP Pro as the testing environment (Windows XP Home cannot join an Active Directory domain).

To allow Samba 4 Active Directory or Microsoft Active Directory to manage a computer, we need to join the computer to the domain. This involves:

1. Configure DNS Setting
2. Configure date/time and time zone
3. Joining into domain

Step 1: Configure DNS Setting for Windows XP Pro

Before configuring the DNS setting, verify that you can ping the Ubuntu 7.04 server's IP address. If you cannot ping the server, check your IP address, Ubuntu's firewall, etc.

Once the network between server and client is working:

 1. Right click My Network Places -> Properties
 2. Double click Local Area Connection -> Properties
 3. Double click TCP/IP
 4. Use a static DNS server, and put the samba 4 server's IP address in the preferred DNS server field.
 5. Press OK, OK, OK again until finished.
 6. Open a command prompt and type

'ping mis1.testing1.org' (change mis1 to suit your custom setting)

If you get a correct reply, your Windows XP setting is correct and the Ubuntu server's DNS service is working well.

Step 2: Configure date/time and time zone

Active Directory uses Kerberos as the backend for authentication. For authentication to work, the date/time difference between the server and client must be less than 5 minutes. Kerberos compares UTC, so the time zone and the clock must both be right: the same HH:MM in two different time zones is a difference of hours, not minutes.

 1. Change the time zone in Windows XP Pro so that server and client use the same time zone. In my computer, I use Asia/Kuala_Lumpur (I come from Malaysia).
 2. Change the date/time so that the client has the same HH:MM as the server.

Step 3: Joining windows XP Pro into Domain

Now your Windows XP Pro is ready to join the Active Directory domain.

As administrator:

 1. Right click My Computer -> Properties
 2. Choose Computer Name, click Change...
 3. Click the 'Domain' option and enter testing1.org (if that fails, try testing1)
 4. When it asks for a username/password, type administrator as the username and testing1 as the password (the --adminpass value from Step 4 of "Testing Samba4 Active Directory in Ubuntu 7.04 howto").
 5. It will tell you that Windows XP has successfully joined the Active Directory domain, and that you need to restart.
 6. After the restart, before logging in you can press Options to choose whether to log in to the testing1 domain or to mis1 (the local computer).
 7. Choose the domain testing1, enter username 'administrator', password 'testing1'
 8. If you log in successfully, you can use the samba 4 Active Directory services in the next section.

Viewing Samba 4 Active Directory object from Windows XP Pro

Because Samba 4 SWAT is not yet ready for production, we install the Windows 2003 adminpak into Windows XP to manage the domain (it is user friendly). Before beginning, make sure the domain administrator has administrative rights on your computer. (To give a domain user administrative rights in Windows XP Pro: right click My Computer -> Manage -> Groups, double click Administrators and add the domain account to the member list. When you pick a member from Active Directory it will prompt you for an Active Directory username/password.)

Step 1: Installing the Windows 2003 adminpak and support tools into Windows XP Pro

 1. In Windows XP, download the adminpak and support tools from
 http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en
 http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe

 2. Install them until you are told the programs were installed successfully.
 3. Press Start -> Run, type 'dsa.msc'; if an 'Active Directory Users and Computers' window opens, the adminpak is installed successfully.
 4. Go to C:\Program Files\Support Tools to check whether the support tools exist; if yes, your Windows XP Pro is ready to manage the samba 4 Active Directory.


Step 2: Viewing the samba 4 Active Directory content

 1. Log in as the domain 'testing1.org' administrator, press Start -> Run.
 2. Type dsa.msc.
 3. Expand the testing1.org tree to see the existing objects in the domain.

Managing Samba 4 Active Directory From WIndows XP Pro

Because Samba 4 SWAT is not ready, managing samba 4 is currently a little tricky. Most of the configuration can be done easily with Active Directory Users and Computers (dsa.msc); for adding new users we also need SWAT, as shown in Step 1 below.


Step 1: Adding user into Samba 4 Active Directory

As with samba 3, samba 4 needs an existing unix user before the samba 4 user. Basically this task involves 3 jobs.

 1. Add a Unix user in Ubuntu Feisty.
   $sudo useradd demo
   $sudo passwd demo (type whatever password you like)
 2. Use SWAT to add the samba user.
   2.1 Open Mozilla Firefox
   2.2 Open the URL http://samba-4-server-ip:901
   2.3 User = administrator, password = testing1, domain = testing1 -> Login.
   2.4 Click Installation -> New User.
   2.5 Type username = demo, unix name = demo, and a password of your choice twice.
 3. Modify the user from Windows XP.
   3.1 Start -> Run -> dsa.msc
   3.2 Open the testing1.org tree, click the container 'Users' -> double click 'demo'.
   3.3 Edit the first name, last name and so on.
   3.4 Go to the Account tab, fill in 'demo' in both user logon name fields, and choose the domain (not the pre-Windows 2000) column.
   3.5 Set 'password never expires' if that is more convenient for you.
   3.6 Apply, then try to log in as the new user.

If you are able to log in, the user has been created successfully.

Step 2: Adding groups into Samba 4 Active Directory

To manage resources more effectively, we need to use groups. As with users we need to have a unix group and a samba group. I haven't tested whether the groups are working properly, but I guess this method is more or less correct (please give feedback if you find any error).

 1. Creating the Unix group
   $sudo groupadd grpdemo
   $sudo gpasswd -a demo grpdemo

   gpasswd -a adds the user to the group's member list in /etc/group. If you prefer to edit the file by hand with 'sudo gedit /etc/group', the member list is comma-separated with no spaces, for example:
   grpdemo:x:1007:demo,user1,user2
 2. Adding the group into samba 4 Active Directory
   2.1 As the domain testing1.org administrator, Start -> Run -> dsa.msc.
   2.2 Open the tree testing1.org, right click the 'Users' container -> New -> Group
   2.3 Type the group name 'grpdemo' in both fields -> OK (leave the others at their defaults)
 3. Link the Unix group to the samba group
   3.1 Start Mozilla Firefox (or IE), open the URL http://samba-svr-ip:901
   3.2 Username = administrator, password = testing1, domain = testing1
   3.3 Choose Preview of new SWAT -> Modules -> LDB Browser
   3.4 Open the sam.ldb tree, open dc=testing1,dc=org, open cn=users
   3.5 Click CN=grpdemo -> press the Modify button
   3.6 At the bottom of the right-hand side, press '+' (which adds a new field)
   3.7 Put field name (left text box) = 'unixName', data (right text box) = 'grpdemo' -> OK

Adding an organizational unit (ou) into the samba 4 domain

An Organizational Unit (ou) is the most powerful feature I found in Active Directory. Basically it is a kind of container into which we can drag & drop users and computers.

We can link several kinds of group policy (think of it as a bundle of graphical settings) to an ou, and the settings are deployed to all users/computers under the ou. Within a single domain we can have many ous and sub-ous, so the result is a great reduction in administrative effort, because we can manage everything via ous. The implementation of group policy is discussed in the next chapter.

Before we create an ou, we should know what an ou looks like. By default we can see a sample ou, 'Domain Controllers'; it looks different from the 'Users' and 'Computers' containers, right? Group policy can only be linked to ous (and to the domain itself), not to those plain containers.

 1. To create an ou, as the testing1 domain administrator, Start -> Run -> dsa.msc
 2. Right click testing1.org.
 3. Choose New -> Organizational Unit
 4. Type 'oudemo'
 5. You will see a new ou appear with the name 'oudemo'.
 6. You can drag the user 'demo' into the new ou (don't move the other users unless you want to get stuck!)
 7. Right click 'oudemo' to create a sub-ou in the same way as in step 3.

Normally we create ous based on the departments, branches, etc. that we have. Don't confuse groups and ous: groups are used to control permissions, ous are used to deploy settings to all users/computers under them.

Implementing Group Policy (GPO) in the samba 4 domain

Recently Samba 4 Active Directory gained support for group policy, and we can create group policies on the fly. The basic idea of group policy is:

 1. A Group Policy has 2 kinds of settings: computer and user.
 2. Computer settings apply to computers, user settings apply to users.
 3. We link the group policy to a particular ou, and the group policy then affects all computers/users under the ou.

To add a group policy:

 1. Right click the 'oudemo' ou -> Properties
 2. Choose Group Policy
 3. Press New, and name it 'gpoudemo'
 4. Press Edit to edit the policy.
 5. Here we demonstrate how to block users from accessing the Control Panel. Open the tree 'User Configuration' -> 'Administrative Templates' -> 'Control Panel'.
 6. Double click 'Prohibit access to the Control Panel'
 7. Select Enabled and then press OK. Now all users under 'oudemo' cannot access the Control Panel.
 8. Make sure the user demo is inside 'oudemo' (you can drag and drop it).
 9. Log out and log in as the user 'demo'
 10. You'll find that the user demo is not able to access the Control Panel
 * User configuration takes effect once the user logs out and logs in again.
 * Computer configuration takes effect once the computer is restarted.

To learn more about managing and implementing organizational units, group policy and Active Directory, search for "Windows 2003 Active Directory implementation".

Thanks to the samba development team for their great effort. Good luck everybody. End :)