Installing and configuring Samba-AD on Debian

Warning

If you haven’t already done so, follow the previous page to prepare your Debian server to configure the network and machine name of your new machine.

Retrieving the necessary packages

Tranquil IT’s DEBs are currently validated for Debian 11 & 12.

The packages of the latest version validated by the engineering team at Tranquil IT can be downloaded from the url https://samba.tranquil.it/debian/samba-4.19/.

When it becomes necessary to migrate to the next version of Samba, you will only need to update the repository URL, for example https://samba.tranquil.it/debian/samba-4.19/.

For convenience, you can define an apt repository and add our GPG public key:

wget -qO-  https://samba.tranquil.it/tissamba-pubkey.gpg | tee /usr/share/keyrings/tissamba.gpg > /dev/null
sha256sum /usr/share/keyrings/tissamba.gpg
  bd0f7140edd098031fcb36106b24a6837b067f1c847f72cf262fa012f14ce2dd  /usr/share/keyrings/tissamba.gpg
echo "deb [signed-by=/usr/share/keyrings/tissamba.gpg] https://samba.tranquil.it/debian/samba-4.19/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/tissamba.list

Installing the packages

export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install samba winbind libnss-winbind krb5-user smbclient ldb-tools python3-cryptography
unset DEBIAN_FRONTEND

Instantiating the Active Directory Samba domain

Configuring Kerberos

  • Modify the file /etc/krb5.conf and replace all of its contents with the following 4 lines, specifying the Active Directory domain of your organization (here MYDOMAIN.LAN).

Attention

The default_realm must absolutely be written in UPPER CASE LETTERS!!

[libdefaults]
  default_realm = MYDOMAIN.LAN
  dns_lookup_kdc = true
  dns_lookup_realm = false

Setting up Samba

  • Delete the file /etc/samba/smb.conf if it has already been generated (it will be regenerated by the instantiation command):

    rm -f /etc/samba/smb.conf
    
  • Configure Samba with the role of domain controller. In the following line, remember to change both the name of the Kerberos realm and the short name of the domain (NetBIOS name):

    samba-tool domain provision --realm=MYDOMAIN.LAN --domain MYDOMAIN --server-role=dc
    
  • Reset the administrator password:

    samba-tool user setpassword administrator
    
  • Check the line dns forwarder = xxx.xxx.xxx in your file /etc/samba/smb.conf. It must point to a valid DNS server, e.g.:

    dns forwarder = 1.1.1.1
    
  • Reconfigure the DNS resolution for the local machine. In the resolver configuration file /etc/resolv.conf, replace the existing contents with the following two lines:

    search mydomain.lan
    nameserver 127.0.0.1
    
  • The Samba domain creation script creates an unnecessary /var/lib/samba/private/krb5.conf file. It must be removed and replaced by a symbolic link to the /etc/krb5.conf file:

    rm -f /var/lib/samba/private/krb5.conf
    ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
    
  • Activate Samba so that it starts automatically at the next reboot:

    systemctl disable samba winbind nmbd smbd
    systemctl mask samba winbind nmbd smbd
    systemctl unmask samba-ad-dc
    systemctl enable samba-ad-dc
    
  • Reboot the machine with the reboot command to verify that Samba starts again automatically.

  • After rebooting, ensure that Kerberos is properly configured and that you get a TGT:

    Attention

    The default administrator account is named administrator in English. Type the password of the administrator account; if the command returns nothing, or you get a message about the password expiration, it is OK.

    kinit administrator
    klist
    
  • Test the DNS:

    dig @localhost google.fr
    dig @localhost srvads.mydomain.lan
    dig -t SRV @localhost _ldap._tcp.mydomain.lan
    
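As an added example (not code from the Tranquil IT page), a small POSIX shell script that re-checks the settings this procedure writes: the upper-case realm in /etc/krb5.conf, the dns forwarder line in /etc/samba/smb.conf, the local nameserver in /etc/resolv.conf, and the keyring digest published above. The function names are the script's own; the file paths and the digest are the ones from this page.

```shell
#!/bin/sh
# Added example, not part of the original page: post-provisioning sanity checks.
# Each check_* function takes a file path (and, where needed, an expected value)
# and returns 0 when the setting is correct, 1 otherwise.

# default_realm in krb5.conf must be present and written in upper case.
check_realm_uppercase() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" \
            | head -n 1 | tr -d '[:space:]')
    [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# smb.conf must carry a "dns forwarder" line holding an IPv4 address that is
# not the loopback address (the DC forwarding to itself would loop).
check_dns_forwarder() {
    fwd=$(sed -n 's/^[[:space:]]*dns forwarder[[:space:]]*=[[:space:]]*//p' "$1" \
          | head -n 1 | tr -d '[:space:]')
    printf '%s' "$fwd" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    [ "$fwd" != "127.0.0.1" ]
}

# resolv.conf must point the DC at its own DNS server.
check_resolv_local() {
    grep -Eq '^nameserver[[:space:]]+127\.0\.0\.1[[:space:]]*$' "$1"
}

# The downloaded keyring must match the published SHA-256 digest.
check_keyring_hash() {
    actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# Run every check against the live files; the digest is the one published above.
run_all_checks() {
    rc=0
    check_realm_uppercase /etc/krb5.conf     || { echo "default_realm is not upper case"; rc=1; }
    check_dns_forwarder /etc/samba/smb.conf  || { echo "dns forwarder missing, invalid or loopback"; rc=1; }
    check_resolv_local /etc/resolv.conf      || { echo "resolv.conf does not use nameserver 127.0.0.1"; rc=1; }
    check_keyring_hash /usr/share/keyrings/tissamba.gpg \
        bd0f7140edd098031fcb36106b24a6837b067f1c847f72cf262fa012f14ce2dd \
        || { echo "keyring digest mismatch"; rc=1; }
    return $rc
}
```

Source the script and call run_all_checks on the domain controller; a non-zero exit lists which of the steps above still needs attention.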

Validating the new installation with a Windows client

  • Join a machine to the domain.

  • From this machine, verify access to the system shares \\mydomain.lan\sysvol and \\mydomain.lan\netlogon.

To manage your new domain, the management interfaces must be installed on a Windows workstation. The Samba command line is efficient for many administrative tasks, but some tasks will be easier to perform with the graphical tool RSAT.

You will find your own balance between the command line and RSAT as you gain operating experience with your Samba domain.

Once RSAT is installed:

  • Create and delete a DNS record from the DNS Active Directory console.

  • Create and delete a user account or a machine account from the Users and Computers Active Directory console.

Great, if you’ve made it this far, then everything is going well and you have a new Samba Active Directory domain up and running.

Now we will configure the DNS service in BindDLZ mode to improve the performance of your Samba-AD.