Installing Samba as Active Directory Domain Controller Using Internal DNS on Ubuntu 18.04

Prerequisites

  • Samba 4.7.6
  • Ubuntu 18.04
  • Samba Internal DNS
Set your IP Address
# sudo nano /etc/netplan/50-cloud-init.yaml
network:
  ethernets:
    ens18:
      addresses:
      - 10.10.10.10/24
      dhcp4: false
      gateway4: 10.10.10.254
      nameservers:
        addresses:
        - 8.8.8.8
        search: []
  version: 2

Get fresh sources
# sudo apt-get update

Get fresh updates
# sudo apt-get upgrade

Locale error!
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
locale: Cannot set LC_ALL to default locale: No such file or directory

If you get the locale error, here is the fix:
# sudo su
# export LANGUAGE="en_US.UTF-8"
# echo 'LANGUAGE="en_US.UTF-8"' >> /etc/default/locale
# echo 'LC_ALL="en_US.UTF-8"' >> /etc/default/locale
# reboot

Install Samba, Kerberos, winbind, smbclient

# sudo apt -y install samba krb5-config winbind smbclient

Set Realm
Default Kerberos version 5 realm: DC.COM

Specify the hostname
Kerberos servers for your realm: addc.dc.com

Specify the hostname
Administrative server for your Kerberos realm: addc.dc.com

Configure Samba AD DC

Rename or remove the default config
# sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.org

Provision the Samba domain
# sudo samba-tool domain provision
--start--
Specify Realm
Realm: DC.COM
Domain [DC]: DC
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [127.0.0.53]: none
Administrator password:
Retype password:

A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba AD server will be ready to use
Server Role: active directory domain controller
Hostname: addc
NetBIOS Domain: DC
DNS Domain: dc.com
DOMAIN SID: S-1-5-21-1101332558-2985550191-2366278001
--end--

Copy krb5.conf
# sudo cp /var/lib/samba/private/krb5.conf /etc/

Stop systemd-resolved, so that /etc/resolv.conf stops being rewritten and stays static
# sudo systemctl stop smbd nmbd winbind systemd-resolved
# sudo systemctl disable smbd nmbd winbind systemd-resolved

Unmask the samba-ad-dc unit (this removes the /etc/systemd/system/samba-ad-dc.service mask)
# sudo systemctl unmask samba-ad-dc

The hosts file is not right yet; fix it
# sudo nano /etc/hosts
--start--
127.0.0.1 localhost.localdomain localhost
10.68.29.50 addc.dc.com addc
--end--

Remove the resolv.conf symlink and create a new file
# sudo ls -l /etc/resolv.conf
--start--
lrwxrwxrwx 1 root root 39 Jul 25 22:59 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
--end--
# sudo rm /etc/resolv.conf
# sudo nano /etc/resolv.conf

Replace the domain name with the one for your environment
--start--
domain dc.com
nameserver 127.0.0.1
--end--

Start & enable samba-ad-dc
# systemctl start samba-ad-dc
# systemctl enable samba-ad-dc

Confirm domain level and add a domain user

Confirm domain level
# sudo samba-tool domain level show
--start--
Domain and forest function level for domain 'DC=dc,DC=com'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
--end--

Add a domain user
# sudo samba-tool user create ubuntu
New Password:
User 'ubuntu' created successfully

Verifying DNS

The tcp-based _ldap SRV record in the domain:
# host -t SRV _ldap._tcp.dc.com.
_ldap._tcp.dc.com has SRV record 0 100 389 addc.dc.com.

The udp-based _kerberos SRV resource record in the domain:
# host -t SRV _kerberos._udp.dc.com.
_kerberos._udp.dc.com has SRV record 0 100 88 addc.dc.com.

The A record of the domain controller:
# host -t A addc.dc.com.
addc.dc.com has address 10.10.10.10
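The three lookups above are the minimum; a client also needs the kpasswd (464) and global catalog (3268) SRV records that Samba registers, so this added example (not part of the original post) parses `host` output and checks all of them against the realm, DC hostname and IP. The sample answer lines are constructed from the page's values.

```python
import re

SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+)$")
A_RE = re.compile(r"^(\S+) has address (\S+)$")

# SRV names an AD client looks up, with the port each must point at (ports
# from the port table). The page checks _ldap._tcp and _kerberos._udp; the
# kpasswd and global-catalog records are standard AD records Samba registers.
REQUIRED_SRV = {"_ldap._tcp": 389, "_kerberos._udp": 88,
                "_kpasswd._udp": 464, "_gc._tcp": 3268}

def parse_host_output(lines):
    # Turn 'host -t SRV' / 'host -t A' answer lines into lookup tables.
    srv, a = {}, {}
    for line in lines:
        m = SRV_RE.match(line.strip())
        if m:
            name, _prio, _weight, port, target = m.groups()
            srv.setdefault(name.rstrip("."), []).append((int(port), target.rstrip(".")))
            continue
        m = A_RE.match(line.strip())
        if m:
            a[m.group(1).rstrip(".")] = m.group(2)
    return srv, a

def check_dc_dns(lines, realm, dc_fqdn, dc_ip):
    # Return a list of problems; empty means every SRV record names this DC
    # on the expected port and the DC's A record matches its address.
    srv, a = parse_host_output(lines)
    problems = []
    for prefix, port in REQUIRED_SRV.items():
        name = f"{prefix}.{realm}"
        answers = srv.get(name, [])
        if not answers:
            problems.append(f"missing SRV {name}")
        elif (port, dc_fqdn) not in answers:
            problems.append(f"SRV {name} -> {answers}, expected {dc_fqdn}:{port}")
    if a.get(dc_fqdn) != dc_ip:
        problems.append(f"A {dc_fqdn} -> {a.get(dc_fqdn)}, expected {dc_ip}")
    return problems

# Constructed sample answers: the page's three plus the two extra SRV records.
SAMPLE = """
_ldap._tcp.dc.com has SRV record 0 100 389 addc.dc.com.
_kerberos._udp.dc.com has SRV record 0 100 88 addc.dc.com.
_kpasswd._udp.dc.com has SRV record 0 100 464 addc.dc.com.
_gc._tcp.dc.com has SRV record 0 100 3268 addc.dc.com.
addc.dc.com has address 10.10.10.10
""".strip().splitlines()
```

Feed it the real `host` output for your realm; a non-empty list means clients will fail to locate the DC for that service.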

Testing DNS

From another PC
# nslookup
> server 10.68.29.50
Default server: 10.68.29.50
Address: 10.68.29.50#53
> set type=SRV
> _ldap._tcp.dc.com
Server: 10.68.29.50
Address: 10.68.29.50#53
_ldap._tcp.dc.com service = 0 100 389 addc.dc.com.
>

Testing Kerberos and authentication

Try to connect to the server we are on using smbclient
# sudo smbclient -L addc.dc.com -U 'administrator'
--start--
Enter BC\administrator's password:
	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	IPC$            IPC       IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            ADDC
--end--

Test authentication with smbclient
# sudo smbclient //localhost/netlogon -U 'administrator'
--start--
Enter BC\administrator's password:
Try "help" to get a list of possible commands.
smb: >
--end--

Now verify current samba settings by running the command below.
# testparm
or, for more complete output
# samba-tool testparm -v

Basic User Management

# sudo su

Display domain users list
root@smb:~# samba-tool user list

Add a domain user
root@smb:~# samba-tool user create ubuntu

Delete a domain user
root@smb:~# samba-tool user delete ubuntu

Reset password for a user
root@smb:~# samba-tool user setpassword ubuntu

Set expiry for a user
root@smb:~# samba-tool user setexpiry ubuntu --days=7

Disable/Enable user account
root@smb:~# samba-tool user disable ubuntu

Display domain groups list
root@smb:~# samba-tool group list

Display members in a group
root@smb:~# samba-tool group listmembers "Domain Users"

Add a domain group
root@smb:~# samba-tool group add ServerWorld

Delete a domain group
root@smb:~# samba-tool group delete ServerWorld

Add a member to a domain group
root@smb:~# samba-tool group addmembers ServerWorld ubuntu

Remove a member from the group ServerWorld
root@smb:~# samba-tool group removemembers ServerWorld ubuntu

Change Domain User Password
# sudo smbpasswd -a username
[sudo] password for admin:
New SMB password:
Retype new SMB password:

Samba AD DC Port Usage

Service                                      Port          Protocol
DNS *                                        53            tcp/udp
Kerberos                                     88            tcp/udp
ntp **                                       123           udp
End Point Mapper (DCE/RPC Locator Service)   135           tcp
NetBIOS Name Service                         137           udp
NetBIOS Datagram                             138           udp
NetBIOS Session                              139           tcp
LDAP                                         389           tcp/udp
SMB over TCP                                 445           tcp
Kerberos kpasswd                             464           tcp/udp
LDAPS ***                                    636           tcp
Global Catalog                               3268          tcp
Global Catalog SSL ***                       3269          tcp
Dynamic RPC Ports ****                       49152-65535   tcp

About the AD Password Policy

To see GPO info on a Windows client
gpresult /v

A Samba Active Directory domain can usually be fully configured without any issues using RSAT; the password policy is one of the very few things where this does not work, or at least not entirely.

--complexity=COMPLEXITY
The password complexity (on | off | default). Default is 'on'.
# sudo samba-tool domain passwordsettings set --complexity=off

--history-length=HISTORY_LENGTH
The password history length (integer | default). Default is 24.
# sudo samba-tool domain passwordsettings set --history-length=0

--min-pwd-length=MIN_PWD_LENGTH
The minimum password length (integer | default). Default is 7.
# sudo samba-tool domain passwordsettings set --min-pwd-length=3

--min-pwd-age=MIN_PWD_AGE
The minimum password age (integer | default). Default is 1.
# sudo samba-tool domain passwordsettings set --min-pwd-age=0

--max-pwd-age=MAX_PWD_AGE
The maximum password age (integer | default). Default is 43.
# sudo samba-tool domain passwordsettings set --max-pwd-age=0
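Every command above weakens the policy relative to the defaults, so it is worth being able to audit what a DC currently enforces. This added example (not from the original post) parses the output of `samba-tool domain passwordsettings show` (label format as printed by Samba 4.x, assumed here) and flags each setting that falls below the defaults the page lists; the sample output is constructed to match the values set above.

```python
# Baseline: the defaults stated on the page for each option. Anything
# weaker than this is reported. (Assumed acceptable baseline.)
BASELINE = {"complexity": "on", "history_length": 24,
            "min_pwd_length": 7, "min_pwd_age": 1}

# Labels printed by 'samba-tool domain passwordsettings show' (assumed
# format) mapped to the option names used by 'passwordsettings set'.
LABELS = {
    "Password complexity": "complexity",
    "Password history length": "history_length",
    "Minimum password length": "min_pwd_length",
    "Minimum password age (days)": "min_pwd_age",
    "Maximum password age (days)": "max_pwd_age",
}

def parse_passwordsettings(text):
    # Return {option: value}; numeric values become ints, other lines are ignored.
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = (s.strip() for s in line.split(":", 1))
        if label in LABELS:
            settings[LABELS[label]] = int(value) if value.isdigit() else value
    return settings

def audit_password_policy(settings):
    # List the ways the policy is weaker than BASELINE; an empty list is OK.
    findings = []
    if settings.get("complexity") != BASELINE["complexity"]:
        findings.append("complexity is off: trivial passwords are accepted")
    for key in ("history_length", "min_pwd_length", "min_pwd_age"):
        if settings.get(key, 0) < BASELINE[key]:
            findings.append(f"{key}={settings.get(key)} below baseline {BASELINE[key]}")
    # In samba-tool a maximum age of 0 means passwords never expire.
    if settings.get("max_pwd_age", 0) == 0:
        findings.append("max_pwd_age=0: passwords never expire")
    return findings

# Constructed sample: the show output after the five 'set' commands above.
WEAK = """Password informations for domain 'DC=dc,DC=com'

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 3
Minimum password age (days): 0
Maximum password age (days): 0
"""
```

Run `samba-tool domain passwordsettings show` on the DC and pass its output to `parse_passwordsettings` followed by `audit_password_policy`.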

Restart samba
# sudo /etc/init.d/smbd restart

Or reboot server
# sudo reboot

Windows side
# gpupdate /force

Restarted Samba, did a gpupdate /force on the Windows workstation, and it worked. No need to set up a GPO (although that would sometimes be preferable).

See here, https://wiki.samba.org

That’s it, hope it helps.
Terry
