Let's start by updating the system.
$ sudo apt-get update
Next, add a PPA that provides a more recent Bind 9 version. I believe this is mainly needed so your Windows clients can send DNS updates to the domain controller, but I can't say I thoroughly tested with the version shipped with Ubuntu Maverick.
Personally I used bind9 from Hauke Lampe's PPA (BIND 9 Updates : Hauke Lampe).
Install samba4 and bind9:
$ sudo apt-get install samba4 samba4-clients bind9
Move existing smb.conf:
$ sudo mv /etc/samba/smb.conf{,.old}
Create a samba 4 config and provision the database:
$ sudo LD_PRELOAD=/usr/lib/libdcerpc.so.0.0.1 /usr/share/samba/setup/provision --realm=samdom.example.com --domain=SAMDOM --adminpass=SOMEPASSWORD --server-role='domain controller'
You might be wondering what the LD_PRELOAD is about: it's needed because some of the Samba binaries are missing a link to the dcerpc library, so the loader has to be told to pull it in.
Now we want to start Samba, but there's another issue ahead: the samba4 init script doesn't check for the existence of the samba directory in /var/run, so let's add that check ourselves.
# /etc/init.d/samba4
...
log_daemon_msg "Starting Samba 4 daemon" "samba"
# create the directory that will hold the pid file if it is missing
if [ ! -d "$(dirname "$SAMBAPID")" ]; then
    mkdir -p "$(dirname "$SAMBAPID")"
fi
if !...
We're still not there yet... Remember the missing library link? It also bites the helper programs Samba runs while it's up, so let's work around it by creating local versions of the Samba programs that preload the library:
Create /usr/local/sbin/samba:
#!/bin/sh
# Run the real program of the same name from /usr/sbin with the dcerpc library
# preloaded; "$@" forwards any arguments the caller passed.
LD_PRELOAD=/usr/lib/libdcerpc.so.0.0.1 /usr/sbin/$(basename "$0") "$@"
Now symlink samba_dnsupdate and samba_spnupdate to the same file:
$ sudo ln -s /usr/local/sbin/samba{,_dnsupdate}
$ sudo ln -s /usr/local/sbin/samba{,_spnupdate}
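As an added example (not part of the original post), here is a small shell function that builds the wrapper and its two symlinks in a directory of your choosing, plus a check that the links resolve to the wrapper and that the directory is not writable by anyone but its owner. The wrapper directory, the real binary directory and the library path are arguments you supply; the post itself uses /usr/local/sbin, /usr/sbin and /usr/lib/libdcerpc.so.0.0.1.

```shell
#!/bin/sh
# Added example, not from the original post: builds the LD_PRELOAD wrapper and
# the samba_dnsupdate/samba_spnupdate symlinks in a directory you choose, so the
# dispatch-on-$0 trick can be tried without touching /usr/local/sbin.
# Arguments are assumptions supplied by the caller (the post uses
# /usr/local/sbin, /usr/sbin and /usr/lib/libdcerpc.so.0.0.1):
#   make_wrappers WRAPPER_DIR REAL_BIN_DIR PRELOAD_LIB
make_wrappers() {
    wdir=$1; bindir=$2; lib=$3
    mkdir -p "$wdir" || return 1
    # One script serves all three names: it looks at its own name ($0) to pick
    # the real program. exec replaces the wrapper instead of leaving an extra
    # shell around, and "$@" forwards whatever arguments the caller passed.
    cat > "$wdir/samba" <<EOF
#!/bin/sh
exec env LD_PRELOAD='$lib' '$bindir'/"\$(basename "\$0")" "\$@"
EOF
    chmod 755 "$wdir/samba" || return 1
    for name in samba_dnsupdate samba_spnupdate; do
        ln -sf samba "$wdir/$name" || return 1
    done
}

# Returns 0 when all three entry points exist and are executable, the two
# update helpers are symlinks that resolve to the wrapper, and the directory
# is not group- or world-writable. The wrapper directory shadows /usr/sbin on
# root's PATH, so anyone who can write there can replace the daemon.
verify_wrappers() {
    wdir=$1
    [ -x "$wdir/samba" ] || return 1
    for name in samba_dnsupdate samba_spnupdate; do
        [ -x "$wdir/$name" ] || return 1
        [ "$(readlink "$wdir/$name")" = samba ] || return 1
    done
    # columns 6 and 9 of "ls -ld" output are the group and other write bits
    [ "$(ls -ld "$wdir" | cut -c6,9)" = "--" ] || return 1
}
```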
Now start samba:
$ sudo /etc/init.d/samba4 start
Let's do a quick test if it's working:
$ smbclient -UAdministrator -Llocalhost
Password for [SAMDOM\Administrator]:
Sharename       Type      Comment
---------       ----      -------
netlogon        Disk
sysvol          Disk
IPC$            IPC       IPC Service (Samba 4.0.0alpha12-GIT-UNKNOWN)
ADMIN$          Disk      DISK Service (Samba 4.0.0alpha12-GIT-UNKNOWN)
REWRITE: list servers not implemented
Seems to be working!
Now let's get DNS working too. Start by editing named.conf.local:
// /etc/bind/named.conf.local
...
//include "/etc/bind/zones.rfc1918";
include "/var/lib/samba/private/named.conf";
Thought we were done? Think again! AppArmor is protecting our Samba 4 files from bind, but bind needs to read and update them, so extend the named profile:
# /etc/apparmor.d/usr.sbin.named
...
/var/lib/samba/private/* rw,
/var/lib/samba/private/dns/* rw,
}
Reload AppArmor profiles and restart bind:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/bind9 restart
Bind should now start without any issues. Next, make the system actually use bind for DNS:
# /etc/resolv.conf
nameserver 127.0.0.1
You can verify it's working by querying DNS for the Kerberos SRV record:
$ host -t SRV _kerberos._udp.samdom.example.com
This should return an SRV record, if not, something's broken!
Now let's move the Kerberos config into place:
$ sudo cp /var/lib/samba/private/krb5.conf /etc/
You can verify it's working by installing krb5-user and running kinit Administrator, but since Kerberos comes out of the box with Samba, I'm assuming it's working (it always did for me).
If you chose to add a PPA with a recent Bind version, you can enable Kerberized DNS updates by pointing named to the correct principal and keytab. More details on this can be found on the Samba 4 howto, I will add my own details here later.
You should now be able to administer your Samba 4 domain controller using the Microsoft utilities for Windows Server management, the Samba net tool or direct LDAP queries.
Updates
- Dec 8 2010, 22:56
- Added missing AppArmor policy changes
21 comments:
Great info, but it looks like you left out the lines that need to be edited for apparmor.
I had to add the following:
/var/lib/samba/private/* rw,
/var/lib/samba/private/dns/* rw,
@Bradley
Thanks! I actually have another line in there at work because when using Kerberos, Bind also tries to create/open a tempfile.
Unfortunately I'm quite busy atm, would add some more info otherwise.
Regards,
Michael
Hi there and great tutorial!
Any chance of it working on Lucid Lynx server (10.04)?
Thanks..
@Craig
Unfortunately, Samba 4 in 10.04 is too old, but you might be able to install 10.10 samba4 in 10.04. Keep in mind you'll also need newer libraries for stuff samba depends on.
Alternatively you could use packages from a PPA, there's at least one PPA by an official samba developer, however that's containing daily builds which might be a bit too adventurous.
Regards,
Michael
Hi Michael and thank you
Yes, I thought as much. So I've looked at the Samba 4 wiki, which refers to 9.04 Jaunty and building from source. I'm going to grab a tarball of the alpha 13 release and give it a whirl. Otherwise there's no harm in upgrading to Maverick, I suppose..
Will keep you posted..
Thanking you
Craig..
I got this after restarting bind9:
rndc: connect failed: 127.0.0.1#953: connection refused
What is likely to be happening? Did I do something wrong?
Hi,
Check if bind is running, if not, do a '/etc/init.d/bind9 start'. If it's not starting, check your log files. One probable cause for issues is apparmor, so you could try '/etc/init.d/apparmor teardown', then restart bind to see if it works.
Regards,
Michael
Hi,
I found this message:
root@semar:/etc/bind# /etc/init.d/samba4 start
* Starting Samba 4 daemon samba /etc/init.d/samba4: 67: /var/run: Permission denied
[ OK ]
I added this script in the /etc/init.d/samba4 file:
if [ ! -d $(/var/run $SAMBAPID) ]; then
mkdir -p $(/var/run $SAMBAPID)
fi
How to solve this problem?
@nasori
You altered the code as listed in my post, just use what I posted and you should be fine.
To be over-explicit, 'dirname' is a command, not some variable you should substitute (and if it was, you chose the wrong directory).
Regards,
Michael
Thank you for nice tutorial!
Is anywhere a tutorial what explains how to set up the "member server" part?
Thank you!
@Thomas
Yes, on the official Samba 4 wiki they tell you not to use Samba 4 as a member server.
I have to agree, Samba 3 works fine as member server, including proper permission handling when using the right config options. Just avoid Samba 4 for your member servers for now.
I challenge you to make this easier... It was almost painless. What are the 'issues' you mention? I thought there was only issue with multiple forests of samba DCs?....
Oh also... you'll want to get libnss_winbind installed as well... it will install libnss-winbind.so.2 which needs to be linked to libnss-winbind.so per the samba 4 web pages
try this link.. if anybody interested
http://admingeeks.blogspot.com
Hi Michael, thank for your guide.
I have configured my Ubuntu server, but when I do:
smbclient -L localhost
I got:
root@mailserver:/etc/init.d# smbclient -L localhost
Password for [SOCIPSRL\root]:
Password for [SOCIPSRL\root]:
Password for [SOCIPSRL\root]:
Failed to connect to ncacn_np:localhost - NT_STATUS_LOGON_FAILURE
and when I do:
smbclient -UAdministrator -Llocalhost
I got:
root@mailserver:/etc/init.d# smbclient -UAdministrator -Llocalhost
Password for [SOCIPSRL\Administrator]:
Failed to connect to ncacn_np:localhost - NT_STATUS_CONNECTION_REFUSED
REWRITE: list servers not implemented
root@mailserver:/etc/init.d#
Why?
I have searched over Google but found nothing...
Thank you in advance.
Thomas
@Thomas:
I'm guessing that Samba isn't running. Check if Samba is running, check log files for what's happening. Also, it should be a lot easier to install Samba 4 on Ubuntu Natty. I installed a Natty machine as second domain controller (just Samba 4, no dns or anything), which was as easy as installing Samba 4 and following the documentation for adding a new domain controller to an existing domain on the Samba wiki.
Regards,
Michael
Step by Step configuration of samba server:
http://www.redhatlinux.info/2011/11/configure-samba-server.html
With Ubuntu 11.10, the LD_PRELOAD changes to: LD_PRELOAD=/usr/lib/i386-linux-gnu/libdcerpc.so.0
@nitocris
Unfortunately, you're incorrect. For one, the path is determined by architecture, so your suggestion would only work on a 32 bit x86 install. Last but not least, the package in 11.10 doesn't require any of these hacks as far as I know, thus adding them is a mistake.
Still 2012 and working like a charm, thx mate.