
    Wednesday, June 05, 2013

    Samba 4.1 as Active Directory configuration guide

    In my earlier post I showed the steps to install and configure Samba 4.0, but since then the Samba4 developers have moved from 4.0 to 4.1. I will publish a post on upgrading Samba 4 soon; in the meantime, new users planning to configure Samba 4.1 on their machine can follow the steps below.

    Look through the pre-requisites before installing Samba 4.1.

    In my case I am using CentOS 6.2 and have verified all the pre-requisite RPMs and conditions.
    NOTE: Make sure you have a Python version newer than 2.5 installed on your machine.

    For configuring Samba 4.0 follow this link.

    See also the post on configuring a secondary domain controller for Samba4 with a Windows Server 2008 AD.

    NOTE: Make sure you don't have any earlier version of Samba installed.

    Downloading Samba 4.1 package

    NOTE: You can download the Samba4 package from the Samba source directory, but the command below fetches the latest development state of Samba4. If you want a specific version of Samba4, I suggest downloading the package manually.

    Automatic download of Samba 4.X
    # git clone git://git.samba.org/samba.git samba-master
    In case you get
    -bash: git: command not found

    In Red Hat, Fedora and CentOS
    # yum install git
    Or you can manually download the git package from the location below
    Download GIT rpm

    Manually download Samba 4.1 package
    Samba Official Website

    Once the package is completely downloaded
    # cd samba-master  (the directory name may differ depending on the package downloaded)

    # ./configure  (read the note below before running this command)
    # make
    NOTE: You can run the above configure step with additional options

    1. If you run the configure command without any extra parameter, Samba will be installed by default under /usr/local/samba; otherwise use the --prefix option to specify a different installation directory.
    2. You can also use --enable-debug and --enable-selftest, which include extra debug information that can help you diagnose problems or that you can send to the Samba4 developers together with the error output.
    # make install
    If the above steps complete without any error you can move ahead to the provisioning step.
    Add the new path location to your bash profile for Samba
    # vi ~/.bashrc
    export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin

    # . ~/.bashrc
    
    Before running the provision step make sure the following things are in place
    # vi /etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    10.10.20.42 test test.example.com
    
    # vi /etc/resolv.conf
    search example.com
    nameserver 10.10.20.42
    
    # hostname
    test.example.com
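    The checks above are exactly the ones that go wrong most often (several readers in the comments hit NXDOMAIN because resolv.conf or BIND's listen-on did not point at the server's own address). The following pre-flight script is an added example for this guide, not Samba's code or the original post's: it verifies the hostname, /etc/hosts, /etc/resolv.conf and, for the BIND9_FLATFILE backend, the named.conf listen-on list, working on file contents passed as strings; the sample values are constructed to mirror this guide.

```python
"""Pre-flight checks before `samba-tool domain provision` (added example,
not Samba's code): checks hostname, /etc/hosts, /etc/resolv.conf and, for
the BIND9_FLATFILE backend, named.conf's listen-on list, all as strings."""
import re

def parse_hosts(text):
    """Map each address in /etc/hosts content to the names on its line."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = line.split()
            table.setdefault(parts[0], []).extend(parts[1:])
    return table

def check_hostname(hostname, fqdn):
    """`hostname` must print the FQDN, as the guide shows."""
    if hostname == fqdn:
        return []
    return ["hostname is %r, expected the FQDN %r" % (hostname, fqdn)]

def check_hosts(text, ip, fqdn):
    """The FQDN must map to the server's real address and never to loopback,
    or the provision step publishes the wrong address for the DC."""
    table = parse_hosts(text)
    problems = []
    if fqdn not in table.get(ip, []):
        problems.append("/etc/hosts: %s is not listed for %s" % (fqdn, ip))
    for loop in ("127.0.0.1", "::1"):
        if fqdn in table.get(loop, []):
            problems.append("/etc/hosts: %s also maps to %s" % (fqdn, loop))
    return problems

def check_resolv(text, ip, domain):
    """The DC must use itself as first nameserver and search its own domain."""
    nameservers, searches = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            nameservers.append(parts[1])
        elif parts and parts[0] in ("search", "domain"):
            searches.extend(parts[1:])
    problems = []
    if not nameservers or nameservers[0] not in (ip, "127.0.0.1"):
        problems.append("/etc/resolv.conf: first nameserver should be %s, got %s"
                        % (ip, nameservers[0] if nameservers else "none"))
    if domain not in searches:
        problems.append("/etc/resolv.conf: missing 'search %s'" % domain)
    return problems

def check_named_listen(text, ip):
    """named.conf must listen on the server address (or any), not only loopback,
    otherwise queries sent to the server address are never answered by BIND."""
    match = re.search(r"\blisten-on\s+(?:port\s+\d+\s+)?\{([^}]*)\}", text)
    if not match:
        return ["named.conf: no listen-on statement found"]
    addrs = [a.strip() for a in match.group(1).split(";") if a.strip()]
    if ip in addrs or "any" in addrs:
        return []
    return ["named.conf: listen-on %s does not include %s" % (addrs, ip)]

def preflight(hosts_text, resolv_text, named_text, hostname, ip, fqdn):
    """Run every check; an empty list means it is safe to provision."""
    domain = fqdn.partition(".")[2]
    return (check_hostname(hostname, fqdn) + check_hosts(hosts_text, ip, fqdn)
            + check_resolv(resolv_text, ip, domain)
            + check_named_listen(named_text, ip))

# Constructed samples mirroring the guide's values; the named.conf sample
# listens on loopback only, the mistake a reader reports in the comments.
SAMPLE_HOSTS = ("127.0.0.1 localhost localhost.localdomain\n"
                "::1 localhost localhost.localdomain\n"
                "10.10.20.42 test test.example.com\n")
SAMPLE_RESOLV = "search example.com\nnameserver 10.10.20.42\n"
SAMPLE_NAMED = "options {\n    listen-on port 53 { 127.0.0.1; };\n};\n"

if __name__ == "__main__":
    for problem in preflight(SAMPLE_HOSTS, SAMPLE_RESOLV, SAMPLE_NAMED,
                             "test.example.com", "10.10.20.42", "test.example.com"):
        print("PROBLEM: " + problem)
```

    On a real server, feed it the contents of /etc/hosts, /etc/resolv.conf and /etc/named.conf together with the output of hostname and fix every reported problem before provisioning.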

    Provision Samba

    # samba-tool domain provision 
    
    Realm [EXAMPLE.COM]: EXAMPLE.COM 
    Domain [EXAMPLE]: EXAMPLE 
    Server Role (dc, member, standalone) [dc]: dc 
    DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE 
    Administrator password: [Give Administrator Password]
    Retype password: [Retype Administrator Password]
    Looking up IPv4 addresses
    Looking up IPv6 addresses
    No IPv6 address will be assigned
    Setting up share.ldb
    Setting up secrets.ldb
    Setting up the registry
    Setting up the privileges database
    Setting up idmap db
    Setting up SAM db
    Setting up sam.ldb partitions and settings
    Setting up sam.ldb rootDSE
    Pre-loading the Samba 4 and AD schema
    Adding DomainDN: DC=example,DC=com
    Adding configuration container
    Setting up sam.ldb schema
    Setting up sam.ldb configuration data
    Setting up display specifiers
    Modifying display specifiers
    Adding users container
    Modifying users container
    Adding computers container
    Modifying computers container
    Setting up sam.ldb data
    Setting up well known security principals
    Setting up sam.ldb users and groups
    Setting up self join
    Adding DNS accounts
    Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
    See /usr/local/samba/private/named.conf for an example configuration include file for BIND
    and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
    Setting up sam.ldb rootDSE marking as synchronized
    Fixing provision GUIDs
    A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
    Once the above files are installed, your Samba4 server will be ready to use
    Server Role:           active directory domain controller
    Hostname:              test
    NetBIOS Domain:        EXAMPLE
    DNS Domain:            example.com
    DOMAIN SID:            S-1-5-21-3668134952-3729197751-3642420208

    Once you have successfully run the provision step, it's time to start and test your Samba
    # samba

    # ps -ef | grep samba
    root 20465 1 0 10:26 ? 00:00:00 samba
    root 20466 20465 0 10:26 ? 00:00:00 samba
    root 20467 20465 0 10:26 ? 00:00:00 samba
    root 20468 20465 0 10:26 ? 00:00:00 samba
    root 20469 20465 0 10:26 ? 00:00:00 samba
    root 20470 20465 0 10:26 ? 00:00:00 samba
    root 20471 20465 0 10:26 ? 00:00:00 samba
    root 20472 20466 0 10:26 ? 00:00:00 /usr/local/samba/sbin/smbd -D --option=serverrole check:inhibit=yes --foreground
    root 20473 20465 0 10:26 ? 00:00:00 samba
    root 20474 20465 0 10:26 ? 00:00:00 samba
    root 20475 20465 0 10:26 ? 00:00:00 samba
    root 20476 20465 0 10:26 ? 00:00:00 samba
    root 20477 20465 0 10:26 ? 00:00:00 samba
    root 20478 20465 0 10:26 ? 00:00:00 samba
    root 20481 20472 0 10:26 ? 00:00:00 /usr/local/samba/sbin/smbd -D --option=serverrole check:inhibit=yes --foreground
    root 21502 21310 0 11:15 pts/2 00:00:00 grep samba

    So our Samba has started, as you can see above.
    Check the version
    # samba -V
    Version 4.1.0pre1-GIT-55add52
    Once you have run the provision command the following files should have been created automatically.
    • /usr/local/samba/private/named.conf 
    • /usr/local/samba/private/dns/example.com.zone 
    • /usr/local/samba/private/krb5.conf 
    Now check that you can connect to your Samba server using smbclient.
    # smbclient -L localhost -U%
    Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-55add52]

            Sharename       Type      Comment
            ---------       ----      -------
            netlogon        Disk
            sysvol          Disk
            IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-55add52)
    Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-55add52]

            Server               Comment
            ---------            -------

            Workgroup            Master
            ---------            -------
    When you run the command above you should get the output shown.

    NOTE: In case you get any error, make sure all the pre-requisites are fulfilled correctly and that your hostname and all the files above are proper.
    Check your SELinux and firewall settings; in my case I have disabled both of them.

    To configure iptables for Samba4 follow the below link
    iptables rules for Samba 4 in Red Hat Linux

    Configure your BIND server

    NOTE: Make sure your BIND version is 9.8 or 9.9
    # rpm -q bind
    bind-9.8.2-0.17.rc1.el6_4.4.i686
    This is a copy of my named.conf file.
    In the allow-query section below you can either use the "any" argument or list the subnet of the network the DNS server is meant to serve, for example 192.168.0.0/24. Note that "any" together with recursion yes answers recursive queries from every host that can reach port 53, so restrict it to your subnet unless the server is unreachable from untrusted networks.
    # vi /etc/named.conf
    options {
            listen-on port 53 { 127.0.0.1; 10.10.20.42; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            forwarders { 8.8.8.8; 8.8.4.4; };
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { localhost; any; };
            recursion yes;
            dnssec-enable yes;
            dnssec-validation yes;
            dnssec-lookaside auto;

            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";
            managed-keys-directory "/var/named/dynamic";
    };
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };

    zone "." IN {
            type hint;
            file "named.ca";
    };
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    include "/usr/local/samba/private/named.conf";
    Restart your named server
    # service named restart
    Check that your DNS server resolves external names from localhost
    # ping google.com
    PING google.com (74.125.236.32) 56(84) bytes of data.
    64 bytes from maa03s04-in-f0.1e100.net (74.125.236.32): icmp_seq=1 ttl=56 time=19.1 ms
    64 bytes from maa03s04-in-f0.1e100.net (74.125.236.32): icmp_seq=2 ttl=56 time=18.7 ms
    In case you get
    unknown host google.com
    check your BIND configuration files again. Also make sure the time zone and clock are set correctly on your Linux machine; with dnssec-validation enabled, a wrong clock is another reason for DNS lookups to fail.

    Verify that the Samba AD records are served by your DNS server
    # host -t SRV _kerberos._udp.example.com.
    _kerberos._udp.example.com has SRV record 0 100 88 test.example.com.

    # host -t SRV _ldap._tcp.example.com.
    _ldap._tcp.example.com has SRV record 0 100 389 test.example.com.

    # host -t A samba.example.com.
    samba.example.com has address 10.10.20.42
    NOTE: In case you get an error with the last command above
    Host samba.example.com. not found: 3(NXDOMAIN)
    then follow the steps below
    # vi /usr/local/samba/private/dns/example.com.zone
    Add this as the last line
    samba IN A 10.10.20.42
    Restart your BIND server and try the above command again; you should get a positive reply.

    Configure Kerberos

    Replace the krb5.conf file in /etc with the krb5.conf created by the provision step (/usr/local/samba/private/krb5.conf)
    Sample krb5.conf
    # vi /etc/krb5.conf
    [libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

    Testing Kerberos
    # kinit administrator@EXAMPLE.COM
    Password:
    Warning: Your password will expire in 41 days on Wed Jul 17 10:26:06 2013

    To join a Windows client to Samba 4, see
    Configuring a Windows Client for Samba 4 AD

    To join a Linux client to Samba 4, see
    How to configure Linux client to join samba4 domain


    32 comments:

    1. Thank You for making it so much simpler. It took a bit of time but was finally able to over come.

      So finally I have configured Samba 4 on my Linux box.
      Doing a great job. Keep up the good work.

    2. What are the advantages of using BIND9_FLATFILE instead of SAMBA_INTERNAL as DNS backend?

      Using SAMBA_INTERNAL as DNS backend is it possible to have Apache and Postfix serving sites and email for internet via public IP on the same machine of Samba 4.1?

      Could you help us with an article about installing Samba 4.1 rc3 (or final release) on Debian 7 Wheezy?

      Thanks,
      Roberto Carlos
      rc.1990 @ bol com br

      Replies
      1. As per the setup you are asking about, I believe BIND9_FLATFILE will have more advantage, because using SAMBA_INTERNAL as DNS backend you won't get much customization for your DNS, and for Apache especially you need a proper DNS setup for hosting.

        You can get more information on this page
        https://wiki.samba.org/index.php/DNS#Which_DNS_backend_should_I_choose.3F

        From the above page, which says: "If you already have BIND running, plan complex DNS setups or require special functions (zone transfers only from defined hosts, etc.) that are currently not supported by the internal DNS, BIND should be the preferred backend."

        And replying to your last question I have not worked on Debian yet so I am not much familiar with commands but still I will try to figure out this setup and update a new post soon enough.

        Thanks
        Deepak

      2. Hi Deepak.

        Thanks for your information on proper DNS setup for Samba 4.

        I am looking for new releases on https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.1

        I have tried these articles about installing Samba 4.1 rc3 or rc4 or final release on Debian 7 Wheezy:
        https://wiki.samba.org/index.php/Samba_4/OS_Requirements
        https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
        http://www.jadota.com/2013/01/installing-samba4-on-ubuntu-12-04/
        http://sector7e.com/setup-a-samba4-domain-controller-on-debian-6-0-squeeze/
        http://mps.eti.br/home/?p=11

        I also tried some new information on Debian Experimental:

        http://forge.univention.org/bugzilla/show_bug.cgi?id=31698
        --------
        The following packages are now renamed via transitional packages:
        samba4 -> samba-ad-dc
        python-samba4 -> python-samba
        winbind4 -> winbind
        --------

        http://packages.debian.org/search?keywords=samba-ad-dc
        http://packages.debian.org/experimental/samba-ad-dc

        I am also trying to install via 'pinning':
        http://wiki.debian.org/AptPreferences
        apt-get -t experimental install samba-ad-dc

        http://us.generation-nt.com/answer/bug-721015-samba-ad-dc-documentation-fix-named-txt-setup-help-212272232.html
        http://us.generation-nt.com/answer/samba-samba-ad-dc-migration-official-packages-help-209928082.html

        Your articles on Samba 4 / 4.1 were the best I could find on the internet. I tried them and they worked correctly on CentOS, but our cheap Linux server in production is Debian and we did not succeed in migrating all services to CentOS.

        We would really appreciate it if you could provide in the future an article about setup and update of Samba 4.1 on Debian 7 Wheezy.

        Congratulations on your article about Samba 4 roaming profile.

        Could you make articles on iptables for Samba 4.1, Squid authenticating on Samba 4.1 and how to migrate from Samba 3.x to Samba 4.1?

        Thanks,

        Roberto Carlos
        rc.1990 @ bol com br

      3. I really appreciate for the time you spent for your feedback.

        Will surely try to update an article on configuring Samba4 in Debian but before that I need to practice the same by myself to be very sure my article works.

        And regarding all other articles you have asked, I will try and update those as soon as possible.

        Thanks
        Deepak

      4. I have created a new article for iptables in Samba 4 in the below link

        http://www.golinuxhub.com/2013/09/iptable-rules-for-samba-4-in-red-hat.html

        Kindly subscribe our website for more updates

        Thanks
        Deepak

    3. Thanks again for your help.

      I have just subscribed, but I am always reading your articles. They help me a lot on improving my small knowledge of English and Linux.

      Roberto Carlos
      rc.1990 @ bol com br

    4. How to join a Linux client? (CLI)

      Replies
      1. Hello,

        As of now I have not tried to join Linux client to my domain server
        You can try following the below link (You need to be a valid subscriber to view the content)
        https://access.redhat.com/site/solutions/67432

        But I will try to upload an article on my blog soon enough for the same.

        Thanks and regards
        Deepak Prasad

    5. I've been trying to follow this article using CentOS 6.4. I am however getting stuck when running the host commands:

      # host -t SRV _kerberos._udp.example.com.

      gives the response of:

      Host _kerberos._udp.example.com. not found: 3(NXDOMAIN)

      All three host commands fail with the same "not found: 3(NXDOMAIN)" error. Any ideas why?

    6. It means that your DNS server is not properly configured. Make sure you have properly configured it (resolv.conf, date & time, example.com.zone etc.). Unless your DNS server works properly the above command would not work.

      Also make sure domain name you are using(example.com) is the one which you have used for configuration at the provision step as in my case I have just shown a test scenario.

      Thanks
      Deepak

    7. Thanks Deepak, I'm not using "example.com", I just used that rather than providing my actual domain name. I'll check the configuration again. DNS resolution seems to work OK since I can ping "server" and "server.example.com" but obviously I must have missed something :)

      Replies
      1. In that case you can check once /var/log/messages for any helpful hint as at initial stage even I had faced such issues and lastly it came out to be permission issue on one of the dns server config files.

        Thanks
        Deepak

    8. I seem to have resolved my issue by changing resolv.conf to read "nameserver 127.0.0.1" rather than using the server IP address. I'm not exactly sure why this would be the case, I've even disabled the firewall completely in case it was a firewall config issue. Still, everything seems to work and I'll dig deeper to see what might be causing it.

      Thank you for replying, and thank you for writing such a great article.

    9. I found out where I went wrong - I forgot to set the server IP address as a valid listening address in Bind. Mystery solved, and Samba AD now working like a charm :)

      Replies
      1. Thank you Chris for posting a solution, I am sure this will help my other viewers.

        Regards
        Deepak

    10. Nice article Deepak. Now the problem I am facing is to join a Linux client to Samba4. Will you please elaborate: can we have Active Directory advantages like centralized login, roaming profiles etc. when joining our Linux machine to Samba AD?

      Replies
      1. I will give you an example to help you understand

        Suppose you have 1000+ linux servers and you are a member of admin team, so every time a server is build all the user credentials has to be added and apart of that each machine username/password detail can vary making it complicated to remember. So better you can just add the linux machines to Samba 4 and utilize the centralized login feature of universal username/password for all linux box.

        Moreover you can interact almost all services of Linux with Samba4 like I have tested Quota, Roaming profile, DNS restrictions with my Samba 4 config

        I hope I made my self clear.

        Thanks
        Deepak

    11. Nice tutorial and thanks a lot for sharing Deepak. The problem is still how to configure a Linux client to join a Samba domain and what features of Active Directory we can have on a Linux client.

      Replies
      1. Hi Humayoun,

        I have not yet tried to connect a Linux box to my Samba 4 AD so I might not be able to answer your question clearly. But I believe after joining Linux client with domain all the users under AD should be visible in the client as well. So that you can utilize the centralized login feature but again I have to test it to be 100% confirm

        Thanks
        Deepak

    12. Hi Deepak when i write smbclient -L localhost -U% it gives
      "session setup failed: NT_STATUS_INVALID_SERVER_STATE"
      kindly help me out.

      Replies
      1. Hi Humayoun,

        Please make sure you have verified the pre-requisites properly before you start firing for the configuration.

        Also, Can you look out for some other logs generated inside your samba logs and /var/log/messages.

        As I would be needing more information. Any how I found this fix on web for
        the above issue please check if it works.

        "Manually creating directory "lib" in /usr/local/samba/var"

        Thanks
        Deepak

      2. Just a quick update, I found a case where due to improper time this error was popping up. So check your date and time in the Linux box

        Thanks
        Deepak

    13. Thanks a lot Deepak for your time and help.
      Will you please make a tutorial on Samba4 as a backup domain controller? Have you tried this out?

      Replies
      1. Honestly I am running a bit busy so couldn't try yet. But that is sure on my checklist and once I do, surely I will update it on my blog. Kindly subscribe for all the updates.

        Thanks
        Deepak

    14. hello sir nice guide and i also build a samba 4 domain controller in redhat 6 using ur guide ,i download a remote administrative tools and install into windows 7 system ,it working fine i added a client user policy and to system its working fine , the problem is client system are very slow after adding to a domain control can you help me to solve the problem ......

      Replies
      1. Hi Udaya,

        The speed of the client machine will depend on the network used between your dc and client computers and also your server configuration.

        Have you implemented in any organisation or is it test basis?
        Have you implemented roaming profile or only AD?
        How many computers are connected to your domain server?

        Thanks Deepak

    15. hello sir thanks

      my server configuration is less than client configuration ....may be problem with that ?!

      no, i am going to implement in company in future, but now it was testing only
      currently 7 system only connected,but in my office more than 120 system i don't know how to implement it

      i download a remote administrative tools and installed into windows7 system , in administrative tools i create a policy for user name and password for client system, i think its a roaming profile

      can u help me to solve the problem

      thx in advance

      Replies
      1. Hello Udaya,

        Before moving to production please look out for all the pre-requisites and possibilities. I had been using Samba 4.1 for more than 150 users in my last company and I never faced much of a problem. Though it is always a good idea to keep in touch with Samba4 mailing list for updates on bugs and fixes. Look out for a server with good configuration as for my case I was using a virtual server in VMware.

        In case you face load related issues you can always configure a secondary domain controller for multiple networks.

        You just need a server for Samba 4 and 1 client Windows 7 machine for Remote Administration and Group Policy Implementation

        Also if you want to implement Roaming Profiles then the network speed should be very promising or else end users would face many speed related issues.

        Thanks
        Deepak

    16. hello deepak

      can u give a configuration details for sever then we can implement for testing and can u give a idea to control a client system with out a roaming profile then a network speed fast

      thanks

      Replies
      1. Hello Udaya,

        As I said in my last post I was using a virtual server. So I don't have much experience on that part, In case you are planning to use a physical server I would suggest you to create a thread in Samba4 mailing list and ask the members, they might guide you in a better way.

        As for your second question, I didn't understand it completely.
        You have the option to control your clients using GPO. Roaming profile is not used to control users. If you can explain what you want to do I might help

        Thanks
        Deepak
