
    Friday, August 10, 2012

    Samba 4 as Active Directory configuration guide

    What is Samba4 meant to accomplish? In simplest terms, Samba4 is an ambitious, yet achievable, reworking of the Samba code.

    Major features for Samba4 already include:
    • Support for the 'Active Directory' logon and administration protocols that support Windows XP, Windows7, and Mac OS X clients
    • Support for Group Policy definitions
    • New 'full coverage' testsuites
    • Full NTFS semantics for sharing backends
    • An internal LDAP server, with AD semantics
    • An internal Kerberos server, including PAC support
    • Bind9 integration for AD DNS support (with DLS)
    • Fully asynchronous internals
    • Flexible process models
    • Better scalability from micro to very large installations
    • New RPC infrastructure (PIDL)
    • A flexible database architecture (LDB)
    • Python support - used extensively for client and management tools
    • Generic security subsystem (GENSEC)
    • Over 50% auto-generated code!
    Server: CentOS 6.2
    Hostname: server1.example.com
    IP Address:

    I won't be able to explain each and every configuration part here; for further reference you can visit this website.

    To install the latest version of Samba 4, i.e. 4.1, follow the link below:
    Configure Samba 4.1 in Linux as AD

    Prerequisites before starting with the configuration

    # yum -y install git gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig zlib-devel setroubleshoot-server setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel
    Once all these packages are installed, move on to the next step. Now you need to download the samba4 source from git and build it.
    # git clone git://git.samba.org/samba.git samba-master
    # cd samba-master
    # ./configure.developer
    # make
    # make install

    If this step completes without any error, move on to the provision step:
    /usr/local/samba/sbin/provision --realm=example.com --domain=EXAMPLE --adminpass=SOMEPASSWORD --server-role=dc
    Once this step is completed you will see the configured options you specified above. Now it is time to start your samba server.

    NOTE: Make sure you do not have any other samba server installed apart from the one you just installed.

    You will have to add the Samba4 directories to the PATH variable on your machine.
    # export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin
    Save this path inside .bash_profile so that you do not need to export it every time you log in after a reboot.

    Run your samba services

    # samba

    Testing samba4
    # smbclient --version
    This should show you a version starting with "Version 4.0.XXXXX".

    Now try this command:
    # smbclient -L localhost -U%
    and check if you get a proper reply with all the shared directories, including sysvol and netlogon.

    The 'netlogon' and 'sysvol' shares are basic shares needed for Active Directory server operation.

    To test that authentication is working, you should try to connect to the netlogon share using the administrator password you set earlier.
    # smbclient //localhost/netlogon -Uadministrator%PASSWORD

    Now the problem which I faced was that the sample named.conf, krb5.conf and example.com.zone which were supposed to be created after the provision step were missing or not properly created. So I decided to download another version of samba from the following website on one of my test servers.

    Once it was downloaded I repeated the above steps, i.e. configure, make and make install. Once those processes were completed successfully I ran the provision command using the same realm and provision options which I had used in the above case. And to my surprise, this time the example.com.zone, sample named.conf and krb5.conf were there in their default location inside /usr/local/samba.

    So I copied those files from my test server to the samba server in the proper location. Here I have pasted my krb5.conf, named.conf and example.com.zone, but since you will be using some other REALM and domain name, if you are also facing the issue I faced you can follow the same steps which I took here, as it would be hard and risky to create those files manually.

    Configure DNS

    Make sure the DNS package is installed on your machine.
    # yum -y install bind
    Make the following changes in your named.conf
    # vi /etc/named.conf
    options {
            listen-on port 53 { 127.0.0.1; };   // also list the server's own IP address here
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { localhost; any; };
            recursion yes;

            dnssec-enable yes;
            dnssec-validation yes;
            dnssec-lookaside auto;

            /* Path to ISC DLV key */
    #       bindkeys-file "/etc/named.iscdlv.key";
    };

    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };

    zone "." IN {
            type hint;
            file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/usr/local/samba/private/named.conf";

    Now you need to edit the /usr/local/samba/private/named.conf file, so take a backup of this file and create a new named.conf in the same location with the following contents:
    # vi /usr/local/samba/private/named.conf
    # This file should be included in your main BIND configuration file
    # For example with
    # include "/usr/local/samba/private/named.conf";
    zone "example.com." IN {
            type master;
            file "/usr/local/samba/private/example.com.zone";
            /*
             * Attention: Not all BIND versions support "ms-self". The instead use
             * of allow-update { any; }; is another, but less secure possibility.
             */
            update-policy {
                    /*
                     * A rather long description here, as the "ms-self" option does
                     * not appear in any docs yet (it can only be found in the
                     * source code).
                     * The short of it is that each host is allowed to update its
                     * own A and AAAA records, when the update request is properly
                     * signed by the host itself.
                     * The long description is (look at the
                     * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
                     * its definition in lib/dns/gssapictx.c for details):
                     * A GSS-TSIG update request will be signed by a given signer
                     * (e.g. machine-name$@EXAMPLE.COM).  The signer name is split into
                     * the machine component (e.g. "machine-name") and the realm
                     * component (e.g. "EXAMPLE.COM").  The update is allowed if the
                     * following conditions are met:
                     * 1) The machine component of the signer name matches the first
                     * (host) component of the FQDN that is being updated.
                     * 2) The realm component of the signer name matches the realm
                     * in the grant statement below (EXAMPLE.COM).
                     * 3) The domain component of the FQDN that is being updated
                     * matches the realm in the grant statement below.
                     * If the 3 conditions above are satisfied, the update succeeds.
                     */
                    grant EXAMPLE.COM ms-self * A AAAA;
            };
    };

    # The reverse zone configuration is optional.  The following example assumes a
    # subnet of
    zone "123.168.192.in-addr.arpa" in {
            type master;
            file "123.168.192.in-addr.arpa.zone";
            update-policy {
                    grant *.COM wildcard *.123.168.192.in-addr.arpa. PTR;
            };
    };
    # Note that the reverse zone file is not created during the provision process.
    # The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG
    # updates.  If you are running an earlier version of BIND, or if you do not wish
    # to use secure GSS-TSIG updates, you may remove the update-policy sections in
    # both examples above.
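The comment block above spells out the ms-self rule in prose. The following is an added example written for this guide (not Samba's or BIND's code) that models the decision BIND makes for the line `grant EXAMPLE.COM ms-self * A AAAA;`, including the record-type restriction; stripping the trailing `$` from the machine account name is an assumption of this model.

```python
# Model of the BIND "ms-self" update-policy rule described in the comment
# above; an added example for this guide, not Samba or BIND code.
# Grant line being modelled: grant EXAMPLE.COM ms-self * A AAAA;

GRANT_REALM = "EXAMPLE.COM"        # realm named in the grant statement
GRANTED_TYPES = {"A", "AAAA"}      # record types the grant allows


def ms_self_allows(signer, fqdn, grant_realm=GRANT_REALM):
    """Return True if a GSS-TSIG update signed by `signer` may touch `fqdn`.

    signer is the Kerberos principal of the updating host, e.g.
    "ws01$@EXAMPLE.COM". Stripping the trailing "$" of the machine account is
    an assumption made here. The three conditions from the comment block are
    checked in order; matching is case-insensitive as DNS names are.
    """
    if "@" not in signer:
        return False
    machine, realm = signer.rsplit("@", 1)
    if machine.endswith("$"):
        machine = machine[:-1]
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return False
    host, domain = labels[0], ".".join(labels[1:])
    # 1) machine component of the signer == first label of the updated name
    if host.lower() != machine.lower():
        return False
    # 2) realm component of the signer == realm in the grant statement
    if realm.upper() != grant_realm.upper():
        return False
    # 3) domain part of the updated name == realm in the grant statement
    return domain.upper() == grant_realm.upper()


def update_permitted(signer, fqdn, rrtype, grant_realm=GRANT_REALM,
                     granted_types=GRANTED_TYPES):
    """Full decision for the grant line: the type must be listed AND ms-self
    must match. By contrast, allow-update { any; }; would answer True for
    every signer, name and type, so any client could rewrite the DC's records.
    """
    return (rrtype.upper() in granted_types
            and ms_self_allows(signer, fqdn, grant_realm))
```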

    # vi /usr/local/samba/private/example.com.zone
    ; -*- zone -*-
    ; generated by provision.pl
    $ORIGIN example.com.
    $TTL 1W
    @               IN SOA  @   hostmaster (
                                    2012052216   ; serial
                                    2D              ; refresh
                                    4H              ; retry
                                    6W              ; expiry
                                    1W )            ; minimum
                            IN NS   server1
                            IN A
    server1        IN A
    gc._msdcs               IN CNAME        server1
    8de12608-9880-4c52-ad21-8a1bf5ef7e41._msdcs     IN CNAME        server1
     ; global catalog servers
    _gc._tcp                IN SRV 0 100 3268       server1
    _gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268       server1
    _ldap._tcp.gc._msdcs    IN SRV 0 100 389        server1
    _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     IN SRV 0 100 389 server1
    ; ldap servers
    _ldap._tcp              IN SRV 0 100 389        server1
    _ldap._tcp.dc._msdcs    IN SRV 0 100 389        server1
    _ldap._tcp.pdc._msdcs   IN SRV 0 100 389        server1
    _ldap._tcp.d709eaf9-d010-4f94-916c-ca3e8e179e24 IN SRV 0 100 389        server1
    _ldap._tcp.d709eaf9-d010-4f94-916c-ca3e8e179e24.domains._msdcs          IN SRV 0 100 389 server1
    _ldap._tcp.Default-First-Site-Name._sites               IN SRV 0 100 389 server1
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389 server1
    ; krb5 servers
    _kerberos._tcp          IN SRV 0 100 88         server1
    _kerberos._tcp.dc._msdcs        IN SRV 0 100 88 server1
    _kerberos._tcp.Default-First-Site-Name._sites   IN SRV 0 100 88 server1
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 server1
    _kerberos._udp          IN SRV 0 100 88         server1
    ; MIT kpasswd likes to lookup this name on password change
    _kerberos-master._tcp           IN SRV 0 100 88         server1
    _kerberos-master._udp           IN SRV 0 100 88         server1
    ; kpasswd
    _kpasswd._tcp           IN SRV 0 100 464        server1
    _kpasswd._udp           IN SRV 0 100 464        server1
    ; heimdal 'find realm for host' hack
    _kerberos               IN TXT  EXAMPLE.COM
    samba           IN A

    Change your DNS server to point to your own IP in resolv.conf and ifcfg-eth0, then restart your network interface and the named service:
    # service named restart
    Check whether your DNS is working properly; if you get the following replies you are good to go:
    # host -t SRV _ldap._tcp.example.com.
    _ldap._tcp.example.com has SRV record 0 100 389 server1.example.com.

    # host -t SRV _kerberos._udp.example.com.
    _kerberos._udp.example.com has SRV record 0 100 88 server1.example.com.

    # host -t A samba.example.com.
    samba.example.com has address
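The host lookups above exercise the running name server. As an added check that is not part of the original guide, the script below parses the zone file itself and reports any DC locator SRV record that is missing or does not point at the DC; the zone excerpt and its address 192.0.2.10 are constructed here.

```python
# Added example for this guide (not Samba's code): check a provisioned AD zone
# file for the SRV records that domain members use to locate the DC.
import re

# Constructed excerpt of the example.com zone above; the address is made up.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 1W
server1        IN A    192.0.2.10
_gc._tcp                IN SRV 0 100 3268       server1
_ldap._tcp              IN SRV 0 100 389        server1
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        server1
_kerberos._tcp          IN SRV 0 100 88         server1
_kerberos._udp          IN SRV 0 100 88         server1
_kpasswd._tcp           IN SRV 0 100 464        server1
"""

# Names a Windows client queries to find a DC, with the port each must advertise.
REQUIRED_SRV = {
    "_ldap._tcp": 389, "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._tcp": 88, "_kerberos._udp": 88,
    "_kpasswd._tcp": 464, "_gc._tcp": 3268,
}

SRV_RE = re.compile(r"^(\S+)\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$")
A_RE = re.compile(r"^(\S+)\s+IN\s+A\s+\S+$")


def parse_zone(text):
    """Return ({srv_owner: (port, target)}, {owners with A records})."""
    srv, a_names = {}, set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # strip ';' comments
        if not line or line.startswith("$"):   # blanks, $ORIGIN, $TTL
            continue
        if m := SRV_RE.match(line):
            srv[m.group(1)] = (int(m.group(2)), m.group(3))
        elif m := A_RE.match(line):
            a_names.add(m.group(1))
    return srv, a_names


def check_zone(text, dc):
    """List problems; an empty list means every required record points at dc."""
    srv, a_names = parse_zone(text)
    problems = [] if dc in a_names else [f"no A record for DC {dc}"]
    for name, port in REQUIRED_SRV.items():
        if name not in srv:
            problems.append(f"missing SRV {name}")
        elif srv[name] != (port, dc):
            problems.append(f"{name}: got {srv[name]}, expected {(port, dc)}")
    return problems
```

Run it against /usr/local/samba/private/example.com.zone with the DC's short host name before restarting named; a non-empty list is what would later show up as failed `host -t SRV` lookups.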

    Now take a backup of your existing krb5.conf and replace it with the following.
    Make sure the kerberos package is installed on your system.
    # yum -y install krb5-workstation
    # mv /etc/krb5.conf /etc/krb5.conf.orig

    # vi /etc/krb5.conf
    [libdefaults]
            default_realm = EXAMPLE.COM
            dns_lookup_realm = false
            dns_lookup_kdc = false
            ticket_lifetime = 24h
            forwardable = yes

    [realms]
            EXAMPLE.COM = {
                    kdc = server1.example.com:88
                    admin_server = server1.example.com:749
                    default_domain = example.com
            }

    [domain_realm]
            .example.com = EXAMPLE.COM
            example.com = EXAMPLE.COM

    Now check your Kerberos setup:
    # kinit administrator@EXAMPLE.COM
    password for administrator@EXAMPLE.COM:
    Enter the password, and the server part of the configuration is done.

    Check your firewall and SELinux settings; in my case I have disabled both.

    To configure iptables for Samba4 follow the below link
    iptables rules for Samba 4 in Red Hat Linux

    To configure a secondary domain controller using Samba4
    How to configure Samba 4 Secondary Domain Controller

    Client: Windows XP and Windows 7

    Change the DNS of your client machine to the server IP and make sure the time zone of the client machine is the same as the server's.
    From here you can follow this page to configure your client machine as a part of the domain and manage group policy for all the users.
