Installing and configuring Samba-AD on Debian
Warning
If you haven’t already done so, follow the previous page to prepare your Debian server to configure the network and machine name of your new machine.
Retrieving the necessary packages
Tranquil IT’s DEBs are currently validated for Debian 11 & 12.
The packages of the latest version validated by the engineering team at Tranquil IT can be downloaded from the url https://samba.tranquil.it/debian/samba-4.20/.
When it becomes necessary to migrate to the next version of Samba, you will only have to update the repository url, for example https://samba.tranquil.it/debian/samba-4.20/.
For more comfort, you can define an apt repository and add our GPG public key:
wget -qO- https://samba.tranquil.it/tissamba-pubkey.gpg | tee /usr/share/keyrings/tissamba.gpg > /dev/null
sha256sum /usr/share/keyrings/tissamba.gpg
bd0f7140edd098031fcb36106b24a6837b067f1c847f72cf262fa012f14ce2dd /usr/share/keyrings/tissamba.gpg
echo "deb [signed-by=/usr/share/keyrings/tissamba.gpg] https://samba.tranquil.it/debian/samba-4.20/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/tissamba.list
Installing the packages
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install samba winbind libnss-winbind krb5-user smbclient ldb-tools python3-cryptography
unset DEBIAN_FRONTEND
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install samba winbind libnss-winbind krb5-user smbclient ldb-tools python3-crypto
unset DEBIAN_FRONTEND
Instantiating the Active Directory Samba domain
Configuring Kerberos
Modify the file /etc/krb5.conf and replace all its contents with the following 4 lines, specifying the Active Directory domain of your organization (here MYDOMAIN.LAN).
Attention
The default_realm must absolutely be written in UPPER CASE LETTERS!!
[libdefaults]
default_realm = MYDOMAIN.LAN
dns_lookup_kdc = true
dns_lookup_realm = false
Setting up Samba
Delete the file /etc/samba/smb.conf if it has already been generated (it will be regenerated by the instantiation command):
rm -f /etc/samba/smb.conf
On Debian, we need to stop all file server services:
systemctl stop samba winbind nmbd smbd
Configure Samba with the role of domain controller. In the following line, remember to change both the name of the Kerberos realm and the short name of the domain (NetBIOS name):
samba-tool domain provision --realm=MYDOMAIN.LAN --domain MYDOMAIN --server-role=dc
Reset the administrator password:
samba-tool user setpassword administrator
Check the line dns forwarder = xxx.xxx.xxx in your file /etc/samba/smb.conf. It must point to a valid DNS server, e.g.:
dns forwarder = 1.1.1.1
Reconfigure the DNS resolution for the local machine. In the file /etc/resolv.conf, replace the existing contents with the following lines:
search mydomain.lan
nameserver 127.0.0.1
The Samba domain creation script creates an unnecessary /var/lib/samba/private/krb5.conf file. It must be removed and replaced by a symbolic link to the /etc/krb5.conf file:
rm -f /var/lib/samba/private/krb5.conf
ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
Activate Samba so that it starts automatically at the next reboot:
systemctl disable samba winbind nmbd smbd
systemctl mask samba winbind nmbd smbd
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
Reboot the machine to verify that Samba starts again after a reboot:
reboot
After rebooting, ensure that kerberos is properly configured and that you get a TGT:
Attention
The default administrator account is named administrator (in English). Type the password of the administrator account; if the command returns nothing, or you get a message about password expiration, it is OK.
kinit administrator
klist
Test the DNS:
dig @localhost google.fr
dig @localhost srvads.mydomain.lan
dig -t SRV @localhost _ldap._tcp.mydomain.lan
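As an added example (not part of Tranquil IT's documentation or tooling), the following POSIX shell checks verify the settings the steps above depend on: the upper-case realm, the dns forwarder, the local resolver, the krb5.conf symlink and the repository key checksum. The file paths and the expected checksum are the ones given above; every check_* function also accepts an alternative path so it can be exercised on a copy of the file.

```shell
#!/bin/sh
# Post-provision sanity checks for the procedure above (added example, not
# Tranquil IT's own script). Each check takes the file to inspect as $1 so it
# can be run against a copy; run_checks uses the live paths from the procedure.

# Kerberos realm names are case-sensitive: a lower-case default_realm breaks kinit.
check_realm_upper() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' \
        "${1:-/etc/krb5.conf}" | head -n1 | tr -d '[:space:]')
    [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# "dns forwarder" must be a real IPv4 address, not the xxx.xxx.xxx placeholder.
check_dns_forwarder() {
    fwd=$(sed -n 's/^[[:space:]]*dns forwarder[[:space:]]*=[[:space:]]*//p' \
        "${1:-/etc/samba/smb.conf}" | head -n1 | tr -d '[:space:]')
    printf '%s\n' "$fwd" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# The DC must resolve through its own DNS server: resolv.conf needs 127.0.0.1.
check_resolv_local() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.1[[:space:]]*$' \
        "${1:-/etc/resolv.conf}"
}

# The private krb5.conf must be a symlink back to /etc/krb5.conf, not a stale copy.
check_krb5_symlink() {
    f="${1:-/var/lib/samba/private/krb5.conf}"
    [ -L "$f" ] && [ "$(readlink "$f")" = "${2:-/etc/krb5.conf}" ]
}

# The repository signing key must match the published sha256 before apt trusts it.
check_key_checksum() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Run every check against the live system; returns the number of failed checks.
run_checks() {
    fails=0
    for c in check_realm_upper check_dns_forwarder check_resolv_local check_krb5_symlink \
        "check_key_checksum /usr/share/keyrings/tissamba.gpg bd0f7140edd098031fcb36106b24a6837b067f1c847f72cf262fa012f14ce2dd"; do
        if $c; then echo "PASS ${c%% *}"; else echo "FAIL ${c%% *}"; fails=$((fails + 1)); fi
    done
    return "$fails"
}
```

Run `run_checks` as root on the freshly provisioned controller; a non-zero return value means at least one of the steps above was not applied as described.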
Validating the new installation with a Windows client
Join a machine to the domain.
From this machine, verify access to the system shares \\mydomain.lan\sysvol and \\mydomain.lan\netlogon.
To manage your new domain, the management interfaces must be installed on a Windows workstation. The Samba command line is efficient for many administrative tasks, but some tasks will be easier to perform with the graphical tool RSAT.
You will find your own optimal balance between the command line and RSAT as you gain operating experience with your Samba domain.
Once RSAT is installed:
Create and delete a DNS record from the DNS Active Directory console.
Create and delete a user account or a machine account from the Users and Computers Active Directory console.
Great, if you’ve made it this far, then everything is going well and you have a new Samba Active Directory domain up and running.
Now we will configure the DNS service in BindDLZ mode to improve the performance of your Samba-AD.