.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Installing and configuring Samba-AD on Debian
   :keywords: install, Debian, Samba-AD, documentation

.. _server_install_samba_debian:

***********************************************
Installing and configuring Samba-AD on Debian
***********************************************

.. warning::

   If you haven't already done so, follow the previous page to :ref:`prepare your Debian server ` and configure the network and machine name of your new machine.

.. include:: samba_config_server-samba_config_server-server_install_samba_debian_repo.rst.inc

Instantiating the Active Directory Samba domain
===============================================

.. _configure_kerberos_debian:

Configuring Kerberos
--------------------

* Edit the file :file:`/etc/krb5.conf` and **replace all of its contents with the following 4 lines**, specifying the Active Directory domain of your organization (here *MYDOMAIN.LAN*).

  .. attention::

     The ``default_realm`` must absolutely be written in **UPPER CASE LETTERS**!!

  .. code-block:: ini

     [libdefaults]
         default_realm = MYDOMAIN.LAN
         dns_lookup_kdc = true
         dns_lookup_realm = false

Setting up Samba
----------------

* Delete the file :file:`/etc/samba/smb.conf` if it has already been generated (it will be regenerated by the provisioning command):

  .. code-block:: bash

     rm -f /etc/samba/smb.conf

* On Debian, all the file server services must be stopped first:

  .. code-block:: bash

     systemctl stop samba winbind nmbd smbd

* Configure Samba with the domain controller role. In the following line, change both the name of the *Kerberos realm* and the short name of the domain (NetBIOS name):

  .. code-block:: bash

     samba-tool domain provision --realm=MYDOMAIN.LAN --domain MYDOMAIN --server-role=dc

* Reset the *administrator* password:

  .. code-block:: bash

     samba-tool user setpassword administrator

* Check the line ``dns forwarder = xxx.xxx.xxx`` in your file :file:`/etc/samba/smb.conf`. It must point to a valid :abbr:`DNS (Domain Name Service)` server, e.g.:

  .. code-block:: ini

     dns forwarder = 1.1.1.1

* Reconfigure DNS resolution for the local machine. In the resolver file :file:`/etc/resolv.conf`, replace the existing ``nameserver`` line with the following two lines, so that the machine queries its own Samba DNS server:

  .. code-block:: text

     search mydomain.lan
     nameserver 127.0.0.1

* The Samba domain provisioning script creates an unnecessary :file:`/var/lib/samba/private/krb5.conf` file. It must be removed and replaced by a symbolic link to the :file:`/etc/krb5.conf` file:

  .. code-block:: bash

     rm -f /var/lib/samba/private/krb5.conf
     ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf

* Enable the Samba AD DC service so that it starts automatically at the next reboot (the classic file server services are masked so they cannot start alongside it):

  .. code-block:: bash

     systemctl disable samba winbind nmbd smbd
     systemctl mask samba winbind nmbd smbd
     systemctl unmask samba-ad-dc
     systemctl enable samba-ad-dc

* Reboot the machine with :command:`reboot` to verify that Samba restarts on its own.

* After rebooting, ensure that Kerberos is properly configured and that you obtain a :abbr:`TGT (Ticket Granting Ticket)`:

  .. attention::

     The default administrator account is **administrator** in English (type the password of the *administrator* account; if the command returns nothing, or only a message about password expiration, it is OK).

  .. code-block:: bash

     kinit administrator
     klist

* Test the DNS:

  .. code-block:: bash

     dig @localhost google.fr
     dig @localhost srvads.mydomain.lan
     dig -t SRV @localhost _ldap._tcp.mydomain.lan

Validating the new installation with a Windows client
=====================================================

* Join a machine to the domain.
* From this machine, verify access to the system shares :file:`\\mydomain.lan\\sysvol` and :file:`\\mydomain.lan\\netlogon`.

To manage your new domain, the management interfaces must be installed on a Windows workstation. The Samba command line is efficient for many administrative tasks, but some tasks are easier to perform with the graphical :abbr:`RSAT (Remote Server Administration Tools)`. With operating experience of your Samba domain, you will find your own balance between the command line and RSAT.

* :ref:`Install RSAT on your management machine `.

Once RSAT is installed:

* Create and delete a DNS record from the Active Directory DNS console.
* Create and delete a user account or a machine account from the :guilabel:`Active Directory Users and Computers` console.

Great, if you've made it this far, everything is going well and you have a new Samba Active Directory domain up and running.

Now we will :ref:`configure the DNS service in hybrid mode ` to improve the performance of your Samba-AD.
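Before moving on, here is an added shell script (not part of this documentation or of the Samba project) that re-checks the edits made in the "Setting up Samba" steps above: the realm case in :file:`/etc/krb5.conf`, the ``dns forwarder`` in :file:`/etc/samba/smb.conf`, the local ``nameserver`` in :file:`/etc/resolv.conf` and the private ``krb5.conf`` symlink. The file paths are the ones used on this page; the ``write_sample_configs`` helper, the ``RUN_LIVE_CHECKS`` variable and the script name are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original documentation): post-provisioning sanity
# checks for the configuration edits made on this page. Each check takes a file
# path, so it works on the live /etc files and on the constructed samples below.

# default_realm in krb5.conf must be UPPER CASE: Kerberos realm names are case-sensitive.
check_realm_case() {
  realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
  [ -n "$realm" ] || return 1
  [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# smb.conf must carry a "dns forwarder" that is an IPv4 address, not the xxx placeholder.
check_dns_forwarder() {
  fwd=$(sed -n 's/^[[:space:]]*dns forwarder[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
  printf '%s\n' "$fwd" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# resolv.conf must send the DC's own lookups to the local Samba DNS server.
check_resolv_local() {
  grep -Eq '^nameserver[[:space:]]+127\.0\.0\.1[[:space:]]*$' "$1"
}

# The private krb5.conf must be the symlink created above, not a leftover regular file.
check_private_krb5_link() {
  [ -L "$1" ] && [ "$(readlink "$1")" = "/etc/krb5.conf" ]
}

# Constructed sample files (values taken from this page) for an offline dry run.
write_sample_configs() {
  printf '[libdefaults]\n  default_realm = MYDOMAIN.LAN\n  dns_lookup_kdc = true\n  dns_lookup_realm = false\n' > "$1/krb5.conf"
  printf '[global]\n  dns forwarder = 1.1.1.1\n' > "$1/smb.conf"
  printf 'search mydomain.lan\nnameserver 127.0.0.1\n' > "$1/resolv.conf"
  ln -sf /etc/krb5.conf "$1/private-krb5.conf"
}

# Run every check against the live files: one PASS/FAIL line per check, exit 1 on any failure.
check_all() {
  rc=0
  for c in "check_realm_case /etc/krb5.conf" \
           "check_dns_forwarder /etc/samba/smb.conf" \
           "check_resolv_local /etc/resolv.conf" \
           "check_private_krb5_link /var/lib/samba/private/krb5.conf"; do
    if $c; then echo "PASS: $c"; else echo "FAIL: $c"; rc=1; fi
  done
  return $rc
}

# Set RUN_LIVE_CHECKS=1 to check the real files on the DC (they are never modified).
if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then check_all; fi
```

Run it on the domain controller after the reboot step with ``RUN_LIVE_CHECKS=1 sh check-samba-ad.sh``; any ``FAIL`` line points at the step to redo before testing ``kinit`` and ``dig``.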