Samba 4 is a good piece of software. If only the last few tweaks could be done to finish it, and its documentation, it would be great software. I have found a lot of ways to set up Samba 4 as an AD DC, most of which fail to work; only this one series of steps worked for me. Samba 4 configuration is really, really flaky. The official Samba documentation is getting better and is beginning to cover some of the configuration pitfalls.
For this how-to we are building on some of my other how-tos:
- Setup a Test Networking Lab with VirtualBox
- Ubuntu minimal Install with MATE as the Desktop 14.04 LTS
- Bind9, DNS and DHCP on Ubuntu 14.04
We will be building this:
- AD DC Hostname: lab-addc1
- AD DNS Domain Name: black.dragon.lab
- Kerberos Realm: black.dragon.lab
- Domain Name/NetBIOS Name: black
- IP Address: 10.1.200.3
- Forwarder DNS Server: 10.1.200.3
- Gateway: 10.1.200.3
- Subnet Mask: 255.255.255.0
- Server Role: dc (an Active Directory domain controller; this will be the first, and only, DC in a new forest)
- Domain Admin Password: Admin1234
- Backend DNS: BIND9 DLZ
Update Ubuntu To The Latest
Always use the latest bug fixes and security patches. Samba itself is also still receiving bug fixes and new features, so get those too.
sudo apt-get update
sudo apt-get dist-upgrade
OS Requirements
A functioning DNS server and, usually, a DHCP server (see the posts above). Kerberos requires that all systems have the same time, so you will also need a functioning NTP server; by default a KDC rejects requests from a client whose clock is more than five minutes out. See my post about setting up an NTP server.
To use the full functionality of Samba when sharing file systems you need POSIX ACLs and both user and system extended attributes (xattr). Using your AD DC as a file server is not a good idea, though: a busy file share can overload the server and leave it slow or unable to check users' credentials.
Make sure the acl and attr packages are installed.
sudo apt-get install acl attr
These are turned on in /etc/fstab. Be careful when editing it: get it wrong and the system will not boot. You did take that full backup, didn't you?!
Add user_xattr,acl,barrier=1 to the options of each file system you want to use for shares. Try it first on a file system that is not required during boot, e.g. create a small temporary file system and mount it as /data.
sudo nano /etc/fstab
/dev/sdb1 /data ext4 user_xattr,acl,barrier=1,noatime 0 0
Test it without rebooting first. Once the file system mounts without errors, add the options to the other file systems and reboot before proceeding.
umount /data
mount -a
mount | grep '/data '
/dev/sdb1 on /data type ext4 (rw,user_xattr,acl,barrier=1,noatime)
Do the same for all other file systems on the server that will be accessed via Samba using Windows ACLs.
Once you are sure your fstab is correct, reboot to bring the changes into use.
Check ACL’s are working
This next part is almost a direct lift from the Samba docs; it seemed pointless reinventing the wheel for this part.
Some of the names have been changed to protect the innocent.
All these commands should be run as root, either su to root or give yourself a root shell with sudo -i.
Create a test file, to play around with:
sudo touch testing_acl.txt
Add an extended attribute named user.test with the value test, then a second one named security.test with the value test2.
sudo setfattr -n user.test -v test testing_acl.txt
sudo setfattr -n security.test -v test2 testing_acl.txt
View the extended attributes just added to the test file. Note that getfattr -d only dumps the user namespace by default, which is why security.test has to be requested by name:
sudo getfattr -d testing_acl.txt
# file: testing_acl.txt
user.test="test"
sudo getfattr -n security.test -d testing_acl.txt
# file: testing_acl.txt
security.test="test2"
Now add a POSIX ACL entry to the test file, giving members of the Linux group adm read, write and execute permission in addition to what the normal mode bits allow.
sudo setfacl -m g:adm:rwx testing_acl.txt
sudo getfacl testing_acl.txt
# file: testing_acl.txt
# owner: root
# group: root
user::rw-
group::r--
group:adm:rwx
mask::rwx
other::r--
Only continue if everything went as above. If it did not, go back to your backup and start again.
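As an added example (not code from the original post), here is a small shell script that automates the two checks above: it parses mount output for the acl and user_xattr options, and optionally repeats the setfattr/setfacl round trip on a scratch file in a directory you name. The mount lines embedded in it are constructed for the example; the device names and the /data mount point are assumed from this tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Constructed sample of `mount` output (not taken from a real host): only /data
# carries the acl and user_xattr options that Samba needs for share file systems.
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw,errors=remount-ro)
/dev/sdb1 on /data type ext4 (rw,user_xattr,acl,barrier=1,noatime)
/dev/sdc1 on /srv type ext4 (rw,noatime)'

# Print the option string of the mount at PATH, parsed from `mount`-style lines.
mount_opts() {  # usage: mount_opts "$mount_text" /data
  printf '%s\n' "$1" | awk -v p="$2" '$2 == "on" && $3 == p { gsub(/[()]/, "", $6); print $6 }'
}

# Return 0 if PATH is mounted with both acl and user_xattr; otherwise name what is missing.
check_share_fs() {  # usage: check_share_fs "$mount_text" /data
  opts=$(mount_opts "$1" "$2")
  [ -n "$opts" ] || { echo "$2: not mounted"; return 2; }
  missing=""
  for want in acl user_xattr; do
    case ",$opts," in
      *",$want,"*) ;;
      *) missing="$missing $want" ;;
    esac
  done
  [ -z "$missing" ] || { echo "$2: missing$missing"; return 1; }
  echo "$2: ok ($opts)"
}

# Live check: set a user xattr and an ACL on a scratch file in DIR and read them back,
# as the tutorial does by hand. Needs the attr and acl packages; returns non-zero on failure.
live_xattr_acl_test() {  # usage: live_xattr_acl_test /data
  f="$1/testing_acl.$$"
  : >"$f" || return 1
  setfattr -n user.test -v test "$f" || { rm -f "$f"; return 1; }
  setfacl -m g:adm:rwx "$f"          || { rm -f "$f"; return 1; }
  got_attr=$(getfattr --only-values -n user.test "$f")
  got_acl=$(getfacl --omit-header "$f" | grep -c '^group:adm:rwx$')
  rm -f "$f"
  [ "$got_attr" = test ] && [ "$got_acl" = 1 ]
}

# Offline demo against the constructed sample; pass a directory to run the live test too.
check_share_fs "$SAMPLE_MOUNTS" /data || true
check_share_fs "$SAMPLE_MOUNTS" /srv  || true
if [ -n "${1:-}" ]; then
  if live_xattr_acl_test "$1"; then echo "$1: xattr and ACL round-trip ok"
  else echo "$1: xattr/ACL test FAILED"; fi
fi
```

To check a real server, feed it the live mount table, e.g. check_share_fs "$(mount)" /data, and run the script with the directory as its argument to exercise setfattr and setfacl there.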
Installing even more software
Depending on how you installed your system some of these packages may already be installed.
sudo apt-get install samba smbclient build-essential libacl1-dev libattr1-dev \
libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \
python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev ldb-tools
During the installation process you will be asked some questions:
- Configuring Kerberos Authentication: BLACK.DRAGON.LAB
- hostname of Kerberos servers in the BLACK.DRAGON.LAB realm: lab-addc1
- hostname of the Administrative (password changing) servers: lab-addc1
Pitfall: If you get these wrong your AD DC will not work and you will have to start again!
Once that lot is installed without errors, delete the Samba configuration file created by the package. The provisioning tool fails if it already exists. (Why don't the Samba guys update the provisioning tool to do that, or ask you?)
sudo rm /etc/samba/smb.conf
Now to provision the AD. The --use-rfc2307 option adds the RFC 2307 (NIS/POSIX) attributes to the schema so that uidNumber and gidNumber values for Linux clients can be stored in AD. Pitfall: be very careful and precise here, you only get one shot at this!
sudo samba-tool domain provision --use-rfc2307 --interactive
The only inputs you should need to change are:
- Realm: BLACK.DRAGON.LAB
- Domain: BLACK (the default offered, derived from the realm)
- Server Role: dc (the default)
- DNS Backend: BIND9_DLZ
- Administrator password:
Realm [DRAGON.LAB]: BLACK.DRAGON.LAB
Domain [BLACK]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=black,DC=dragon,DC=lab
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=black,DC=dragon,DC=lab
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              lab-addc1
NetBIOS Domain:        BLACK
DNS Domain:            black.dragon.lab
DOMAIN SID:            S-1-5-21-1234567890-1234567890-1234567890
Configuring Samba and Bind
Edit the file /etc/samba/smb.conf and add the following lines to the end of the [global] section.
sudo nano /etc/samba/smb.conf
allow dns updates = nonsecure and secure
dns forwarder = 10.1.200.3
# Thanks to Lars for this fix, it stops the syslog
# being spammed by the lack of a CUPS server.
printing = CUPS
printcap name = /dev/null
Pitfall: allow dns updates = nonsecure and secure lets any host that can reach the server add or change DNS records without authenticating. That is convenient in a lab, but on a real network put it back to the default, secure only, once you have the DHCP and DNS update chain working. Also note that dns forwarder only affects Samba's internal DNS server; with the BIND9_DLZ backend, forwarding is configured in BIND.
Add the following to /etc/bind/named.conf.options at the end of the options{…} block. You may need to comment out any existing lines as duplicate settings are not allowed.
sudo nano /etc/bind/named.conf.options
auth-nxdomain yes;
empty-zones-enable no;
// Adding this Samba generated file will allow for automatic DDNS updates
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
Edit /var/lib/samba/private/named.conf to match the version of BIND 9 you have installed (see the comments in the file). To find the version of BIND, run the following and look at the last line; there is a lot of output, which is the usage text for the command.
sudo /usr/sbin/rndc --version
Version: 9.9.5-3ubuntu0.2-Ubuntu
sudo nano /var/lib/samba/private/named.conf
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
    # For BIND 9.9.0
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};
Add the following to /etc/bind/named.conf as the second include line.
sudo nano /etc/bind/named.conf
include "/var/lib/samba/private/named.conf";
Change the group of the private dns.keytab file so it is readable by the bind group, and by nobody else: this keytab holds the key BIND uses to accept signed dynamic updates, so it must never be world-readable.
sudo chgrp bind /var/lib/samba/private/dns.keytab
sudo chmod g+r /var/lib/samba/private/dns.keytab
Add the following apparmor rules to the end of /etc/apparmor.d/usr.sbin.named inside the {..}
sudo nano /etc/apparmor.d/usr.sbin.named
/usr/lib/x86_64-linux-gnu/ldb/** rwmk,
/usr/lib/x86_64-linux-gnu/samba/** rwmk,
/var/lib/samba/private/dns/** rwmk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns.keytab r,
/var/tmp/* rw,
/dev/urandom rw,
Pitfall: if you followed all of the above, and the Samba, Kerberos and BIND packages and their configuration requirements have not changed since this was written, your AD DC should work. Check it all through once more before rebooting. If it fails to work after the reboot it will be quicker to just start again.
sudo reboot
Testing it all still works
smbclient -L localhost -U%
Domain=[BLACK] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	IPC$            IPC       IPC Service (Samba 4.1.6-Ubuntu)
Domain=[BLACK] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            LAB-ADDC1
smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[BLACK] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
  .                                   D        0  Sat May  9 12:20:08 2015
  ..                                  D        0  Sat May  9 12:20:14 2015

		41773 blocks of size 262144. 27672 blocks available
host -t SRV _ldap._tcp.black.dragon.lab.
_ldap._tcp.black.dragon.lab has SRV record 0 100 389 lab-addc1.black.dragon.lab.
host -t SRV _kerberos._udp.black.dragon.lab.
_kerberos._udp.black.dragon.lab has SRV record 0 100 88 lab-addc1.black.dragon.lab.
host -t A lab-addc1.black.dragon.lab.
lab-addc1.black.dragon.lab has address 10.1.200.3
Kerberos testing
kinit administrator
Password for administrator@BLACK.DRAGON.LAB:
Warning: Your password will expire in 41 days on Sat 20 Jun 2015 12:20:13 BST
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@BLACK.DRAGON.LAB

Valid starting       Expires              Service principal
09/05/15 12:33:07    09/05/15 22:33:07    krbtgt/BLACK.DRAGON.LAB@BLACK.DRAGON.LAB
	renew until 10/05/15 12:32:59
samba-tool dns query lab-addc1 BLACK.DRAGON.LAB @ ALL
  Name=, Records=3, Children=0
    SOA: serial=1, refresh=900, retry=600, expire=86400, minttl=0, ns=lab-addc1.black.dragon.lab., email=hostmaster.black.dragon.lab. (flags=600000f0, serial=1, ttl=3600)
    NS: lab-addc1.black.dragon.lab. (flags=600000f0, serial=1, ttl=900)
    A: 10.1.200.3 (flags=600000f0, serial=1, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=lab-addc1, Records=1, Children=0
    A: 10.1.200.3 (flags=f0, serial=1, ttl=900)
If the above tests worked you should have a working AD DC running on Linux and can replace your Microsoft Small Business Server with it. Yay!
To add Ubuntu machines to the new domain see this how-to I prepared earlier.
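The manual tests above can be wrapped in one health-check script, added here as an example and not taken from the original post. It parses host -t SRV answers in the format shown above, confirms a TGT for the realm is in the klist output, and checks that dns.keytab is root:bind with no access for others. The domain, realm, DC name and keytab path are assumed from this tutorial; the SRV and klist samples embedded in it are constructed from the output formats above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Assumes the tutorial's names;
# change these four lines for your own domain.
DNS_DOMAIN=black.dragon.lab
REALM=BLACK.DRAGON.LAB
DC_FQDN=lab-addc1.$DNS_DOMAIN
KEYTAB=/var/lib/samba/private/dns.keytab

# Constructed samples in the formats shown above (not captured from a live host).
SAMPLE_SRV='_ldap._tcp.black.dragon.lab has SRV record 0 100 389 lab-addc1.black.dragon.lab.'
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@BLACK.DRAGON.LAB

Valid starting       Expires              Service principal
09/05/15 12:33:07    09/05/15 22:33:07    krbtgt/BLACK.DRAGON.LAB@BLACK.DRAGON.LAB
	renew until 10/05/15 12:32:59'

# From `host -t SRV` answer lines on stdin, print "port target" of the lowest-priority record.
srv_best() {
  awk '/has SRV record/ {
         t = $NF; sub(/\.$/, "", t)
         if (best == "" || $5 + 0 < best + 0) { best = $5; out = $7 " " t }
       }
       END { if (out != "") print out }'
}

# Check that _SERVICE._PROTO.DNS_DOMAIN points at the DC on PORT. With a third argument
# the answer text is taken from it instead of querying DNS (used for the offline demo).
check_srv() {  # usage: check_srv _ldap._tcp 389 [answer_text]
  want="$2 $DC_FQDN"
  if [ -n "${3:-}" ]; then got=$(printf '%s\n' "$3" | srv_best)
  else got=$(host -t SRV "$1.$DNS_DOMAIN." 2>/dev/null | srv_best); fi
  if [ "$got" = "$want" ]; then echo "ok   $1 -> $got"; return 0; fi
  echo "FAIL $1: expected '$want', got '${got:-no answer}'"; return 1
}

# Return 0 if klist output on stdin contains a TGT for REALM.
has_tgt() {
  grep -q "krbtgt/$REALM@$REALM"
}

# Return 0 if "owner group mode" (as printed by `stat -c '%U %G %a' FILE`) is root:bind with
# no access for others. The keytab lets BIND accept signed updates; world-readable leaks it.
keytab_perms_ok() {  # usage: keytab_perms_ok "root bind 640"
  set -- $1
  [ "$1" = root ] && [ "$2" = bind ] && case "$3" in [0-7][0-7]0) true ;; *) false ;; esac
}

# Run every check against the live system; exit status is non-zero if anything failed.
live_checks() {
  rc=0
  check_srv _ldap._tcp 389    || rc=1
  check_srv _kerberos._udp 88 || rc=1
  check_srv _kerberos._tcp 88 || rc=1
  check_srv _kpasswd._udp 464 || rc=1
  if klist 2>/dev/null | has_tgt; then echo "ok   TGT for $REALM present"
  else echo "FAIL no TGT for $REALM (run: kinit administrator)"; rc=1; fi
  if keytab_perms_ok "$(stat -c '%U %G %a' "$KEYTAB" 2>/dev/null)"; then echo "ok   $KEYTAB permissions"
  else echo "FAIL $KEYTAB should be owned root:bind, mode 640"; rc=1; fi
  return $rc
}

# Offline demo on the constructed samples; pass --live to check the real DC.
if [ "${1:-}" = --live ]; then
  live_checks
else
  check_srv _ldap._tcp 389 "$SAMPLE_SRV"
  printf '%s\n' "$SAMPLE_KLIST" | has_tgt && echo "ok   sample klist has a TGT for $REALM"
  keytab_perms_ok "root bind 640" && echo "ok   root bind 640 accepted"
  keytab_perms_ok "root root 644" || echo "ok   root root 644 rejected (world readable)"
fi
```

Run it with --live on the DC after kinit administrator; a FAIL on the SRV lines points at the DNS side (BIND, the DLZ module or the zone data), while a FAIL on the keytab line is the permission step above being missed.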
Troubleshooting
Aug 2 16:22:18 lab-addc1 named[2347]: Loading 'AD DNS Zone' using driver dlopen
Aug 2 16:22:18 lab-addc1 named[2347]: dlz_dlopen: incorrect version 1 should be 2 in '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so'
Aug 2 16:22:18 lab-addc1 named[2347]: dlz_dlopen of 'AD DNS Zone' failed
You need to edit /var/lib/samba/private/named.conf for the correct version of the library.
After booting a Windows machine that uses DHCP, its DNS records should have been updated automatically. Tail the syslog and run the following command. It tries to force Samba to update all the DNS records it knows about; the command in turn calls the BIND utility nsupdate.
sudo samba_dnsupdate --verbose --all-names
There will be a lot of output on the terminal and in the syslog. The likely causes of failures are:
- the AppArmor rules in
  - /etc/apparmor.d/usr.sbin.named
  - /etc/apparmor.d/usr.sbin.dhcpd
- file permissions, which should look like this:
  - -rw-r--r-- 1 root root 3781 May 10 11:59 /etc/krb5.conf
  - -rw-r----- 1 root bind  852 May 10 12:00 /var/lib/samba/private/dns.keytab
Also see https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
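Reading the AppArmor denials out of the syslog by hand is tedious, so here is an added example (not from the original post) that turns each DENIED line for a given profile into the rule to add to its file under /etc/apparmor.d/, and that maps the BIND version string from rndc --version to the DLZ module name to use in named.conf. The syslog lines embedded in it are constructed in the format shown in the comments below; the 9.8 and 9.9 module names are the ones in named.conf above, and extending the dlz_bind9_<minor>.so pattern to later versions is an assumption you should check against the files actually in /usr/lib/x86_64-linux-gnu/samba/bind9/.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: turn the AppArmor denials that
# samba_dnsupdate provokes into the profile lines to add, and pick the DLZ module
# for the installed BIND version. The syslog lines below are constructed samples.
SAMPLE_SYSLOG='Aug 21 21:41:32 lab-addc1 kernel: [ 1234.5678] type=1400 audit(1408563965.420:18): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/var/tmp/DNS_105" pid=1116 comm="named" requested_mask="c" denied_mask="c" fsuid=105 ouid=105
Aug 21 21:41:33 lab-addc1 kernel: [ 1234.5679] type=1400 audit(1408563966.001:19): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=1116 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
Aug 21 21:41:34 lab-addc1 kernel: [ 1234.5680] type=1400 audit(1408563967.002:20): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/etc/bind/rndc.key" pid=1200 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 21 21:41:35 lab-addc1 named[1116]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb'

# Read syslog lines on stdin; for each AppArmor DENIED entry of PROFILE print a rule
# "path mode," ready to paste into that profile's file. Duplicates are collapsed.
suggest_apparmor_rules() {  # usage: suggest_apparmor_rules /usr/sbin/named < /var/log/syslog
  awk -v prof="$1" '
    /apparmor="DENIED"/ {
      p = ""; n = ""; m = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^profile="/)     { p = $i; sub(/^profile="/, "", p);     sub(/"$/, "", p) }
        if ($i ~ /^name="/)        { n = $i; sub(/^name="/, "", n);        sub(/"$/, "", n) }
        if ($i ~ /^denied_mask="/) { m = $i; sub(/^denied_mask="/, "", m); sub(/"$/, "", m) }
      }
      if (p != prof || n == "") next
      # Map the audit mask to AppArmor file permissions: c (create), a, d and w all need w.
      mode = ""
      if (m ~ /r/)      mode = mode "r"
      if (m ~ /[wcad]/) mode = mode "w"
      if (m ~ /m/)      mode = mode "m"
      if (m ~ /k/)      mode = mode "k"
      if (m ~ /x/)      mode = mode "ix"
      rule = n " " mode ","
      if (!seen[rule]++) print rule
    }'
}

# Map an rndc/named version string to the Samba DLZ module name. 9.8 and 9.9 are the
# names shown in named.conf above; later versions are assumed to follow the same
# dlz_bind9_<minor>.so pattern (check /usr/lib/x86_64-linux-gnu/samba/bind9/).
dlz_lib_for() {  # usage: dlz_lib_for "Version: 9.9.5-3ubuntu0.2-Ubuntu"
  minor=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*9\.\([0-9][0-9]*\).*/\1/p')
  [ -n "$minor" ] || return 1
  if [ "$minor" -eq 8 ]; then echo dlz_bind9.so; else echo "dlz_bind9_$minor.so"; fi
}

# Offline demo on the constructed lines. For real use, after
#   sudo samba_dnsupdate --verbose --all-names
# run: suggest_apparmor_rules /usr/sbin/named < /var/log/syslog
echo "rules to add to /etc/apparmor.d/usr.sbin.named:"
printf '%s\n' "$SAMPLE_SYSLOG" | suggest_apparmor_rules /usr/sbin/named
echo "rules to add to /etc/apparmor.d/usr.sbin.dhcpd:"
printf '%s\n' "$SAMPLE_SYSLOG" | suggest_apparmor_rules /usr/sbin/dhcpd
ver=$(rndc --version 2>&1 | tail -n 1)
echo "BIND version line: ${ver:-unknown}; DLZ module: $(dlz_lib_for "$ver" || echo unknown)"
```

The rules it prints are deliberately literal (one path each). Where the denied path is a per-run temporary name such as /var/tmp/DNS_105, widen it to a glob like /var/tmp/* rw, as in the profile above, rather than pasting every name the log shows; then reload the profile with apparmor_parser -r on the changed file and re-run samba_dnsupdate.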
For the next part in this series take a look at Administering AD DC via Windows.
Hello Richard,
thank you very much for this tutorial! Now I was able to set up my DC without problems... after 2 weeks of self study... =)
After a full copy of your lab I figured out that my problem was the naming of bind + samba with FQN -_-
But one question: if I follow your tutorial, the first step is to set up Bind9 and then the DC.
You use the same IP for DNS and DC, this is correct for Samba4 setups with Bind, but I am a little bit confused by the hostnames =)
For AD it is: lab-addc1
For DNS it is: dns-server
If I set up DNS then DC, my DC hostname is always dns-server.
Have you changed your setup?
Or do I have a missing configuration?
Greetings and thank you again!
By the way, Ubuntu 14.04 Server always has ACL enabled by default, normally you only need the packages.
But for documentation it is OK, and not totally wrong =)
Thank you for the feedback. Regarding your question, I missed off a CNAME record in the Bind9 tutorial, sorry! I have updated that post.
You need to add another record to /var/lib/bind/dragon.lab.zone at the end.
lab-addc1 CNAME ns1
Also add the reverse lookup record to /var/lib/bind/dragon.lab.rev.zone. The new record is the one in the middle.
3 PTR dns-server.dragon.lab.
3 PTR lab-addc1.dragon.lab.    <=- this is the new line
PTR dragon.lab.
CNAME records allow you to have one IP address with multiple hostnames.
And I am again =)
If I do after this installation a :
sudo samba_dnsupdate --verbose --all-names
I obtain this in my syslog:
type=1400 audit(1408563965.420:18): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/var/tmp/DNS_105" pid=1116 comm="named" requested_mask="c" denied_mask="c" fsuid=105 ouid=105
so we need one more entry in your tutorial for apparmor:
/var/tmp/** rw,
and also this in the global section of smb.conf
printing = bsd
printcap name = /dev/null
without it we have a flooded syslog with printer CUPS errors =)
Greetings Lars
Thanks again Lars for the feedback and pointing out more errors,
grumble grumble. Thanks for the solution to the issue with error messages in the syslog, it saved me looking that up. The values for the printing option can be any one of these: BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.
I will update this tutorial and use CUPS as I’m thinking about adding a section of printer sharing, which will use CUPS.
Hi Richard,
I do very much appreciate your tutorial. Being a total newbie among Linux/Ubuntu users, I was able to install a stand-alone Samba Active Directory Server perfectly with these few exceptions:
1. the command 'host -t' did not work for me. I received replies with "not found: 3(NXDOMAIN)" at the end
2. restarting bind9 failed. I could find this line during the process "rndc: connect failed: 127.0.0.1#953: connection refused", and finally * Starting domain name service... bind9 [fail]
3. in the syslog file there are lines as follows:
Aug 21 21:41:32 server2 named[2111]: Loading 'AD DNS Zone' using driver dlopen
Aug 21 21:41:32 server2 named[2111]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
Aug 21 21:41:32 server2 named[2111]: dlz_dlopen of 'AD DNS Zone' failed
Aug 21 21:41:32 server2 named[2111]: SDLZ driver failed to load.
Aug 21 21:41:32 server2 named[2111]: DLZ driver failed to load.
Aug 21 21:41:32 server2 named[2111]: loading configuration: failure
Aug 21 21:41:32 server2 named[2111]: exiting (due to fatal error)
I would be very pleased to know what was done wrong during the Samba Server with AD installation. Could you help me with that issue?
Many thanks!
This looks like the permissions on the file /var/lib/samba/private/dns/sam.ldb are wrong, which implies you missed a step or something else went wrong. There may also be entries in your syslog from apparmor regarding the file, which means you'll need to update its config file for /usr/sbin/named.
The permissions on the directory and the files in it should be
sudo ls -l /var/lib/samba/private/dns -d
drwxrwx--- 3 root bind 4096 Aug 17 08:40 /var/lib/samba/private/dns
sudo ls -l /var/lib/samba/private/dns/
-rw-rw---- 1 root bind 3018752 Aug 17 08:40 sam.ldb
drwxrwx--- 2 root bind 4096 Aug 17 08:40 sam.ldb.d
I would also say that installing and configuring Bind9 DNS and Samba4 as an AD DC is not a task to be undertaken by someone new to Linux; try smaller steps and do one step at a time.
chown root:bind /var/lib/samba/private/
will solve your problem. This information is missing in the tutorial, which is one of the best so far on the web
I had to install bind9 before "samba-tool domain provision --use-rfc2307 --interactive"
You also had to install Linux, in this case Ubuntu. π
Which is why I say at the beginning of the tutorial “For this how to I am building on some of my other howtos.” and provide links to the required posts.
I would like to say first off, great tutorial. It's fairly easy to understand and follow, but I had a few questions concerning "samba-tool domain provision --use-rfc2307 --interactive".
I have found out that this will set up an INTERNAL LDAP, however I am trying to use OpenLDAP as the LDAP backend so I can manage the users/passwords for everyone in a unified single sign-on environment for things like mail, web access, printers, and the like. Am I correct in guessing that I can skip this step, or is there another option for provisioning that will help set up an external LDAP server? I have found a plethora of information regarding Samba 4 and LDAP and so far this is the only one that is extremely easy to follow.
Whatever method you use to authenticate users you will have to provision the Samba server, using anything other than the Samba internal LDAP server does not look promising though.
The Samba4 Wiki is quite explicit about using OpenLDAP as an LDAP backend with Samba. It does not sound like a good direction to go, two quotes from that page:
“While this is an area of active development in Samba as an Active Directory Domain Controller, it is not supported, or expected to be supported in the near future” and “This does not yet work in any released or development branch. You have been warned.“.
On a brighter note you may be able to configure Postfix to use a Samba back end to authenticate logins. I have not yet tried it but it is on my rather long list.
Hi, thanks for the really nice tutorial, but there are some things I misunderstand.
Does ISC-DHCP-SERVER still dynamically update leased IPs to DNS records on a BIND9_DLZ DNS server?
I had set up BIND9 and ISC-DHCP-Server to use rndc.key for updates before and it automatically updated the DNS server without problems.
But after I changed to BIND9_DLZ it no longer works (I checked in DNS Manager in the Administrative Tools on Windows 7 and didn't see any WORKGROUP clients).
thanks.
Sorry for the delay but life got in the way.
It looks like you missed a step when configuring your DNS DHCP servers. The solution is to set the permissions on the file /var/lib/samba/private/dns.keytab As I show in my other post https://blogging.dragon.org.uk/dns-with-bind9-and-dhcp-on-ubuntu-14-04/
sudo chown root:bind /etc/bind/rndc.key
sudo chmod 640 /etc/bind/rndc.key
I am trying to setup AD-DC server following this tutorial, thanks for taking the time to make such a clear and easy to follow set of instructions.
While the tutorial have the setup of isc-dhcp-server as a requirement for setting the AD-DC,
I found the following comment on the samba.org wiki for ad-dc:
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
"Note: If your server is set up to receive its IP configuration via DHCP, the '/etc/resolv.conf' file might be automatically updated. Refer to your distribution's documentation on how to stop/change this behavior, although DHCP is not recommended on a DC!"
To be clear, You do not want your AD DC server to get its IP address from DHCP, that is just plain nuts, for so many reasons.
Hello, this is good, but I have a question: should I install a KDC and configure it first?
I did not have to, as it gets pulled in automatically and the default configuration is good enough to get this all working.
Hi Richard,
I’ve followed your tutorial religiously, I believe … but here’s what happened when I try to start bind:
root@primera:/home/najib# tail /var/log/syslog
Jan 16 04:00:45 primera named[1293]: listening on IPv4 interface eth0, 192.168.1.2#53
Jan 16 04:00:45 primera named[1293]: generating session key for dynamic DNS
Jan 16 04:00:45 primera named[1293]: sizing zone task pool based on 7 zones
Jan 16 04:00:45 primera named[1293]: Loading ‘AD DNS Zone’ using driver dlopen
Jan 16 04:00:46 primera named[1293]: samba_dlz: started for DN DC=mbmdistro,DC=loc
Jan 16 04:00:46 primera named[1293]: samba_dlz: starting configure
Jan 16 04:00:46 primera named[1293]: samba_dlz: Failed to configure zone ‘mbmdistro.loc’
Jan 16 04:00:46 primera named[1293]: loading configuration: already exists
Jan 16 04:00:46 primera named[1293]: exiting (due to fatal error)
Jan 16 04:00:46 primera named[1293]: samba_dlz: shutting down
Any idea what went wrong?
Can you explain what exactly the ranges affect? Does it mean that you can only use that many users (i.e. if I put the SERVER:backend as 10000-59999, there can only be 49999 users created on that server?) Thanks for this article, it helped me a ton!
Yes, you are right about this limiting the number of AD DC users to a maximum of 49999. If you are administering an environment (Windows and Linux) with that many users, your company should be sending you on tutor-led courses to give you the proper training. You should not have to rely on information scraped from blogs like mine.
Hello Richard,
Thank you for your nice tutorial. Almost everything works very nice here.
Unfortunately, I chose a too long Kerberos Authentication. That's why Kerberos isn't working here.
How can I change the Kerberos Realm?
In your Tutorial it’s just written like this:
If you get these wrong your AD DC will not work and you will have to start again!
Thank you very much for your answer!
It was a lot simpler, for me :-), to say “start again” than go into details of fixing problems and editing multiple files.
Hi
thank you for your great work
I’m hanging on one point:
when I try to use:
host -t A lab-addc1.black.dragon.lab.
I just get an NXDOMAIN error
all the other commands work fine just that particular one doesnt work
I already tried to reinstall the server 3 times but stuck every time at the same point
Hope you or someone can help with that
Eric
This was the best tutorial ever... easy to follow step by step. I tried many others and this is the first one that worked flawlessly... congratulations on your hard work...
Hi Richard
Thank you very much for this – it still works well.
The next step is to add users and shares on the machine –
1 – How do I add a user to the SAMBA network
2 – How do I add groups?
Thanks
Take a look at the next blog post Administering ADDC Via Windows You will need a Windows 7 machine for this.
I doubt I will be doing a post for 16.04 as Samba 4 cannot run as an AD DC for 2012 or 2016. See the Samba documentation. This means you would have to remain using a 2008 server and that is getting on for 8 years out of date, or the pre-stone age in computer terms!
Is there anyway you’d considering doing a new post but with Ubuntu 16.04 this time?
sudo apt-get install bind9 winbind
before doing this. Pulling what little hair I had left.
I can’t help it, I have to comment. I have used your article with success to install and configure U16.04.1LTS with samba 4.3.9 and bind9.10 and get a functional active directory DC working. Having said that, your article has missed many important steps that are needed to get Samba4 working. Like where did you install bind9? Nowhere in your list of packages to install did you include bind9? Yet, you configured bind9 . . .
I know this sounds harshly critical but, it’s a good article . . . just some of the pieces are missing. There has too be a lot of readers who tried and failed, just like I did. Look at the August 2016 comment about “apt-get install bind9 and winbind” . . . . that dude was frustrated. Sorry but, shame on you for leaving out those critical parts!!
You may find this reply harsh. Shame on you for not bothering to read the post in full. It clearly states, with a link, that this post builds on my post for installing and configuring Bind9. Try reading the instructions, all of them, in the order they were written. Yes, that includes the bit about installing and configuring Bind9. Before posting comments about your own frustrations make sure you have bothered to read the full post then you will not be the cause of your own frustration!
Hello Richard,
I’m a bit stuck on the part of adding a test volume. I’m trying to follow these steps on an Ubuntu 16.04 VM with LVM for disk management.
How do I create a test file system with LVM?
You do not need to create an LVM volume just a directory on an existing file system. I just happen to use LVM.
thanks a lot. great documentation. DNS, DHCP and SAMBA AD working perfectly fine together.
Thank You!
Although this article is quite outdated, it may be used together with other materials. And the Bind9 part is still current.
I have only one question: if we are installing samba from the Ubuntu repo, why do we need all these dev packages? And do we need them?
I cannot remember that far back. Since there is nothing being compiled against them and they are not being changed, you may be able to get away with not having them. I found the connection will no longer work with M$ server 2012 and after, so I gave up. M$ are only interested in their revenue, and so continually change the protocol without making it backwards compatible or back porting security fixes, forcing companies to go their way once they are locked into the M$ BS. Also, I changed firms just after doing this post and no longer had to deal with the security nightmare and IT abomination that is M$. Good luck.
Thank You again.
Sadly, the software we are using, as far as I know, does not work with other LDAP implementations, so we need AD. I'll try to make it work.
And "Π΅ΡΠΏΡΠ΅ΡΡΠΊ" is "together".
And this is what we can do with MS Server 2012 for now: https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
Aah, it looks like the SAMBA guys have updated their documentation. Last time I looked it was saying Windows 2012 would not be supported.
Hello, just saying you might want to add the “domain must be uppercase for kerberos” warning somewhere, otherwise you’ll get
kinit: KDC reply did not match expectations while getting initial credentials