Samba as Active Directory Controller in Home Networks

Samba can be used to deploy configurations to Windows machines. But wait, you can also use it as a file share, Time Machine host, authentication server and much more.

In this tutorial we will install Samba on Ubuntu Linux and enable the domain controller role to manage Windows clients.

Requirements

System Preparation

First, make sure your system is up to date:

sudo apt-get update
sudo apt-get upgrade

Static IP-Address

We use the IP “192.168.0.10” in this example. First check your network configuration. On Ubuntu, “netplan” is used to manage network settings. List your configurations:

ls -l /etc/netplan

Usually you should have “50-cloud-init.yaml”. Edit the file that matches your network configuration:

sudo nano -w /etc/netplan/50-cloud-init.yaml

In this example the router (gateway and DNS) is at IP “192.168.0.1”. Your static network config should look like:

network:
  ethernets:
    eth0:
      addresses:
        - 192.168.0.10/24
      gateway4: 192.168.0.1
      nameservers:
        addresses: [192.168.0.1]
      optional: true
  version: 2

If you changed settings, apply them by typing:

sudo netplan apply

Network Host and Domain Name

Decide on your domain name. Important:

  • Only use domain names that you own.
  • It is not recommended to use top-level domains (TLDs) ending in “.local”.
  • Microsoft recommends using a subdomain, e.g. ad.mydomain.tld
    • In my opinion, this will be the best practice.
  • You cannot easily change the domain name once it is in use.

We continue the example with the server name “dc1” and the domain “ad.mydomain.tld”. Let’s edit the hostname file:

sudo nano -w /etc/hostname

and change it to the fully qualified hostname:

dc1.ad.mydomain.tld

Add your host to the local hosts file:

sudo nano -w /etc/hosts

The server and your future domain must appear with the IP you configured before. List the fully qualified name before the short name on the server's line, because the first name on a matching line is what the resolver returns as the canonical hostname. For our example with 192.168.0.10, the file should look like:

127.0.0.1 localhost
192.168.0.10 ad.mydomain.tld
192.168.0.10 dc1.ad.mydomain.tld dc1
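As an added pre-flight check (example code, not part of the original tutorial), the following POSIX shell script verifies that a hosts file resolves the DC's short name to its fully qualified name at the static IP, which is the layout glibc needs for `hostname -f` to report the FQDN. The function names, the sample hosts content and the DC_* variables are constructed for this example; the tutorial's values dc1, ad.mydomain.tld and 192.168.0.10 are assumed.

```shell
#!/bin/sh
# Added example: check that a hosts file maps the DC's short name to its
# FQDN (canonical name first) and to the expected static IP.
# Assumed values from the tutorial (adjust for your own setup).
DC_SHORT=dc1
DC_FQDN=dc1.ad.mydomain.tld
DC_IP=192.168.0.10

# Print the canonical (first) hostname of the first line on which NAME
# appears as any hostname field; prints nothing when NAME is absent.
# Comments (full-line or trailing) are ignored.
# Usage: hosts_canonical_name NAME < hosts-file
hosts_canonical_name() {
    awk -v name="$1" '
        { sub(/#.*/, "") }                       # strip comments
        NF < 2 { next }                          # need address plus a name
        { for (i = 2; i <= NF; i++)
              if ($i == name) { print $2; exit } }'
}

# Print the address of the first line on which NAME appears.
# Usage: hosts_address_of NAME < hosts-file
hosts_address_of() {
    awk -v name="$1" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if ($i == name) { print $1; exit } }'
}

# Return 0 when SHORT has FQDN as its canonical name and resolves to IP.
# Usage: check_dc_hosts SHORT FQDN IP < hosts-file
check_dc_hosts() {
    short=$1; fqdn=$2; ip=$3
    content=$(cat)    # read stdin once so both lookups see the same data
    [ "$(printf '%s\n' "$content" | hosts_canonical_name "$short")" = "$fqdn" ] &&
    [ "$(printf '%s\n' "$content" | hosts_address_of "$short")" = "$ip" ]
}

# Constructed sample in the tutorial's layout (FQDN listed first).
SAMPLE_HOSTS='127.0.0.1 localhost
192.168.0.10 ad.mydomain.tld
192.168.0.10 dc1.ad.mydomain.tld dc1   # domain controller'

if [ "${1:-}" = "--live" ]; then
    # Check the real /etc/hosts of this machine.
    check_dc_hosts "$DC_SHORT" "$DC_FQDN" "$DC_IP" < /etc/hosts \
        && echo "/etc/hosts OK" || { echo "/etc/hosts NOT OK"; exit 1; }
else
    # Default: exercise the check on the embedded sample (no root needed).
    printf '%s\n' "$SAMPLE_HOSTS" | check_dc_hosts "$DC_SHORT" "$DC_FQDN" "$DC_IP" \
        && echo "sample hosts file OK"
fi
```

Run it with `--live` on the DC after editing /etc/hosts; a file that lists the short name first (as in `192.168.0.10 dc1 dc1.ad.mydomain.tld`) fails the check because the canonical name would then be the short name.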

Time-Server

Your Active Directory (AD) clients will synchronize their time with your server. First we configure the timezone (replace Europe/Berlin with your zone):

sudo timedatectl set-timezone Europe/Berlin

You can look up your timezone with “timedatectl list-timezones”.

Ubuntu ships with “timesyncd” to synchronize the time over the Internet. Unfortunately it cannot serve time to our Samba/AD clients.

So we disable “timesyncd” and install “Chrony” in its place:

sudo systemctl disable systemd-timesyncd.service
sudo systemctl stop systemd-timesyncd.service
sudo apt install chrony

Finally, allow your network clients to synchronize time with Chrony by editing its config file:

sudo nano -w /etc/chrony/chrony.conf

Add the following to the end of the config file (change the network depending on your setup):

# Settings for Samba DC
allow 192.168.0.0/24 # NTP clients allowed to query this server
ntpsigndsocket /var/lib/samba/ntp_signd

The ntpsigndsocket directive lets Chrony hand NTP replies to Samba for signing, which domain members require. Samba creates /var/lib/samba/ntp_signd only once the AD DC service is running, and on Ubuntu Chrony runs as the _chrony user, so after the provisioning below make sure that user can access the directory and restart Chrony if it logs errors about the socket.

Make sure your firewall allows NTP traffic. In Ubuntu you can do this with:

sudo ufw allow 123/udp
sudo ufw allow out 123/udp
sudo ufw allow out 53

Next we enable Chrony as a service and restart it to load the new configuration:

sudo systemctl enable chrony.service
sudo systemctl restart chrony.service

Samba Installation

Now for the main part: install Samba and the packages it needs:

sudo apt install samba samba-common libnss-winbind winbind

Samba DC Promotion

The AD domain controller (DC) can be configured easily with samba-tool:

sudo samba-tool domain provision --use-rfc2307 --interactive

Answer the questions. In our example, this would be:

  • Realm: AD.MYDOMAIN.TLD
  • Domain: mydomain
  • Server Role: dc
  • DNS backend: SAMBA_INTERNAL
  • DNS forwarder IP address: 192.168.0.1 (Your Router IP)
  • Administrator Password: YourNewDomainAdminPassword

Samba DNS Backend

The server will now handle DNS through Samba, so we have to disable the OS DNS resolver:

sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved

Also reconfigure the network settings in netplan and point the DNS server at your own Samba IP:

sudo nano -w /etc/netplan/50-cloud-init.yaml

network:
  ethernets:
    eth0:
      addresses:
        - 192.168.0.10/24
      gateway4: 192.168.0.1
      nameservers:
        addresses: [192.168.0.10]
      optional: true
  version: 2

And don’t forget to apply your changes:

sudo netplan apply

Afterwards check that /etc/resolv.conf contains “nameserver 192.168.0.10” and “search ad.mydomain.tld”. On Ubuntu this file is a symlink to a stub maintained by systemd-resolved, which is no longer updated once that service is disabled, so replace it with a plain file holding those two lines if necessary; a DC that does not use itself for DNS cannot find its own records.

Samba Services

Next we disable the Samba services a DC does not need and enable the samba-ad-dc service:

sudo systemctl mask smbd nmbd winbind
sudo systemctl disable smbd nmbd winbind
sudo systemctl unmask samba-ad-dc
sudo systemctl enable samba-ad-dc

Also allow Samba in your firewall:

sudo ufw allow from 192.168.0.0/24 to any app Samba

Note that ufw’s “Samba” application profile only covers the file-sharing ports (137/138 UDP, 139/445 TCP). A domain controller additionally serves DNS (53), Kerberos (88 and 464), LDAP (389, 636, 3268, 3269) and RPC (135 plus the dynamic range 49152-65535 TCP), so allow those from your LAN as well or clients will not be able to join.

Test Samba AD Services

Time to run some tests. If everything went right, the following queries should all return records.

Check the LDAP SRV record in AD DNS:

host -t SRV _ldap._tcp.ad.mydomain.tld.

Check Kerberos:

host -t SRV _kerberos._udp.ad.mydomain.tld.

Check the DNS A Record:

host -t A ad.mydomain.tld.
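To turn the three queries above into a scripted pass/fail, here is an added POSIX shell example; it is not part of the original tutorial. Its parsers work on the line format that `host` prints, and it additionally checks that /etc/resolv.conf points at the DC, since a DC that does not use itself for DNS cannot find its own records. The function names and the sample outputs embedded at the bottom are constructed so the parsers can be exercised without a running DC; the tutorial's names and IP are assumed.

```shell
#!/bin/sh
# Added example: parse `host` output and resolv.conf into pass/fail checks
# for a freshly provisioned Samba AD DC. Values assumed from the tutorial.
DC_FQDN=dc1.ad.mydomain.tld
DC_IP=192.168.0.10
REALM=ad.mydomain.tld

# From `host -t SRV name` output, print "PORT TARGET" for each SRV record
# (trailing dot of the target removed). Prints nothing for "has no SRV record".
srv_records() {
    awk '/ has SRV record / { t = $NF; sub(/\.$/, "", t); print $(NF-1), t }'
}

# From `host -t A name` output, print each address.
a_records() {
    awk '/ has address / { print $NF }'
}

# From resolv.conf content, print the first nameserver.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Return 0 if the SRV output names TARGET on PORT, 1 otherwise.
# Usage: check_srv PORT TARGET < host-output
check_srv() {
    srv_records | grep -qxF "$1 $2"
}

# Return 0 if the A output contains IP.  Usage: check_a IP < host-output
check_a() {
    a_records | grep -qxF "$1"
}

# Query the live DC with the tutorial's three checks plus the resolver check.
run_live_checks() {
    first_nameserver < /etc/resolv.conf | grep -qxF "$DC_IP" \
        || { echo "resolv.conf does not point at $DC_IP"; return 1; }
    host -t SRV "_ldap._tcp.$REALM." | check_srv 389 "$DC_FQDN" \
        || { echo "LDAP SRV record missing"; return 1; }
    host -t SRV "_kerberos._udp.$REALM." | check_srv 88 "$DC_FQDN" \
        || { echo "Kerberos SRV record missing"; return 1; }
    host -t A "$REALM." | check_a "$DC_IP" \
        || { echo "A record for $REALM missing"; return 1; }
    echo "all DNS checks passed"
}

# Constructed sample outputs in the format `host` prints for the example domain.
SAMPLE_LDAP='_ldap._tcp.ad.mydomain.tld has SRV record 0 100 389 dc1.ad.mydomain.tld.'
SAMPLE_KRB='_kerberos._udp.ad.mydomain.tld has SRV record 0 100 88 dc1.ad.mydomain.tld.'
SAMPLE_A='ad.mydomain.tld has address 192.168.0.10'
SAMPLE_RESOLV='search ad.mydomain.tld
nameserver 192.168.0.10'

if [ "${1:-}" = "--live" ]; then
    run_live_checks
else
    # Default: exercise the parsers on the embedded samples (no network needed).
    printf '%s\n' "$SAMPLE_LDAP" | check_srv 389 "$DC_FQDN" && echo "sample LDAP SRV OK"
    printf '%s\n' "$SAMPLE_RESOLV" | first_nameserver | grep -qxF "$DC_IP" && echo "sample resolv.conf OK"
fi
```

Run it with `--live` on the DC; each failing check names the record that is missing, which is usually either a forwarder or resolv.conf problem rather than a broken provision.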

Join the Domain

Finally you can join your new domain from any Windows client.

  • First set the Windows client’s DNS server to your Samba server
  • Second, join the domain using your chosen domain name

Congratulations – You successfully installed your own Samba Domain Controller.
