How to Perform a Samba Active Directory Install on Linux

Published: 8 February 2022 - 10 min. read


Arvid Larson


Do you need centralized domain management for your networks but aren’t keen on using a Windows Server and paying the additional license cost? Samba Active Directory is one of the best and free alternatives you can try on Linux.

Samba is an open-source solution primarily known for its network file server and print services. But since version 4.0, Samba allows you to provision the Active Directory server role, too.

This tutorial will teach you how to install and configure Samba Active Directory on Ubuntu 20.04. Get ready and jump right in!

Prerequisites

This post is a hands-on demonstration. If you’d like to follow along, you’ll need the following requirements.

  • An Ubuntu 20.04 server. Throughout this tutorial, the server’s name will be dc1, the domain will be example.lan, and the IP address is 172.16.1.10.
  • A user account with sudo privileges.
  • A Windows 10 computer on the same network as the Ubuntu server.

Setting Up the Server Hostname

The first step is to set up the server’s identity in the network. To do so, you’ll need to assign the server’s hostname and fully qualified domain name (FQDN) by following the steps below.

1. First, log in to your Ubuntu server and open the terminal session.

2. Next, run the hostnamectl command below to change your server’s hostname. The command below changes the hostname to dc1.

# set up the hostname
hostnamectl set-hostname dc1

3. Now, open the /etc/hosts file for editing using your preferred editor, such as nano. Inside the file, append an entry specifying the server’s IP address, FQDN, and hostname in this format – server-IP hostname.domain.com hostname.

For this example, the hosts file entry is:

# setup FQDN dc1.example.lan
172.16.1.10 dc1.example.lan dc1

After adding the new entry, save and exit the file.

Editing /etc/hosts file

4. Finally, run the commands below to verify the FQDN of the Samba server and that it resolves to the server’s IP address.

# verify FQDN
hostname -f

# verify FQDN is resolved to the Samba IP address
ping -c3 dc1.example.lan

As you can see below, the FQDN of the Samba server is dc1.example.lan, which resolves to 172.16.1.10.

Verifying FQDN

Disabling the DNS Resolver

The systemd-resolved service controls the DNS configuration on the Ubuntu server, and it is not compatible with Samba Active Directory. Before setting up Samba Active Directory, you’ll first have to disable the systemd-resolved service and replace the /etc/resolv.conf configuration file.

1. Run the following commands to disable and stop the systemd-resolved service, then remove the symbolic link /etc/resolv.conf.

# stop and disable systemd-resolved service
sudo systemctl disable --now systemd-resolved

# remove the symlink file /etc/resolv.conf
sudo unlink /etc/resolv.conf

Disabling systemd-resolved service

2. Next, create a new /etc/resolv.conf file.

# create a new /etc/resolv.conf file
sudo touch /etc/resolv.conf

3. Open /etc/resolv.conf using your preferred editor and define the DNS resolver using the configuration below. Be sure to list the Samba server IP address first. Save the file and exit after editing.

# Samba server IP address
nameserver 172.16.1.10

# fallback resolver
nameserver 1.1.1.1

# main domain for Samba
search example.lan

4. Lastly, run the following command to make the /etc/resolv.conf file immutable. This step ensures that the resolver configuration is not silently overwritten later.

# add attribute immutable to the file /etc/resolv.conf
sudo chattr +i /etc/resolv.conf

Installing Samba

After you set up the FQDN and configure name resolution, you’ll install Samba on your system and enable the Samba Active Directory service. As of this writing, the official Ubuntu repository provides Samba v4.13.

1. Run the apt command below to refresh your Ubuntu server’s package index.

sudo apt update

2. Now, execute the below command to install Samba with all packages and dependencies.

sudo apt install -y acl attr samba samba-dsdb-modules samba-vfs-modules smbclient winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools

3. Type the default realm domain name in uppercase. In this example, the FQDN is dc1.example.lan, so the default realm domain name should be EXAMPLE.LAN. Highlight Ok and press Enter.

Setting up default Realm domain for the Samba Active Directory

4. On the next prompt, type the server FQDN. This step defines the default Kerberos server. Highlight Ok and press Enter.

Setting up default Kerberos server for the Samba Active Directory

5. Next, type the server FQDN again to specify the Kerberos administrative server. Highlight Ok, and press Enter to complete the initial Samba configuration.

Setting up the administrative server for the Samba Active Directory

6. After the Samba installation, run the following command to stop and disable the services that the Samba Active Directory server does not require: smbd, nmbd, and winbind. The server only needs the samba-ad-dc service to act as Active Directory and domain controller.

# stop and disable samba services - smbd, nmbd, and winbind
sudo systemctl disable --now smbd nmbd winbind

Disabling the smbd, nmbd, and winbind services

7. Lastly, run the commands below to activate and enable the samba-ad-dc service.

# activate samba-ad-dc service
sudo systemctl unmask samba-ad-dc

# enable samba-ad-dc service
sudo systemctl enable samba-ad-dc

Activating and enabling samba-ad-dc service

Configuring Samba Active Directory

Now you’ve installed Samba on your system. There are several more steps to configure the Samba Active Directory. The Samba installation came with a command-line tool called samba-tool to provision the Samba Active Directory.

1. First, create a backup of the /etc/samba/smb.conf file for good measure. The provisioning process will replace this file.

# backup default Samba configuration file
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

2. Now, run the samba-tool command below to start provisioning Samba Active Directory.

# provisioning Samba Active Directory
sudo samba-tool domain provision

3. On the Realm prompt, accept the default value and press Enter.

4. On the Domain prompt, press Enter again to accept the default value.

5. On the Server role prompt, leave the default and press Enter.

6. On the DNS backend prompt, leave the value as default (SAMBA_INTERNAL) and press Enter.

7. Next, type the additional DNS forwarder IP address. This example will add the Cloudflare DNS 1.1.1.1 as the DNS forwarder. This option is only available when you’re using the SAMBA_INTERNAL DNS backend.

8. Type in your Samba Active Directory Administrator password and press Enter.

Provisioning Samba as Active Directory using samba-tool

The provisioning automatically creates the new Samba configuration file (/etc/samba/smb.conf) and the Kerberos configuration (/var/lib/samba/private/krb5.conf) file.

After the Samba Active Directory provisioning completes, you’ll see output similar to the screenshot below.

Provisioning Samba Active Directory

9. Now, run the below commands to backup the default Kerberos configuration and replace it with the file /var/lib/samba/private/krb5.conf.

# rename default Kerberos configuration to krb5.conf.orig
sudo mv /etc/krb5.conf /etc/krb5.conf.orig

# copy the Kerberos configuration generated by the samba-tool
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

10. Finally, execute the systemctl commands below to start the Samba Active Directory service samba-ad-dc and verify that the service status is active (running).

# start samba-ad-dc service
sudo systemctl start samba-ad-dc

# verify samba-ad-dc service
sudo systemctl status samba-ad-dc

The samba-ad-dc service is active (running) and enabled, as you can see below. The Samba AD daemon will now start automatically on system startup.

Copying Kerberos configuration and starting samba-ad-dc service

Setting Up Time Synchronisation

Samba Active Directory depends on the Kerberos protocol, and the Kerberos protocol requires that the AD server and workstation times are synchronized. To ensure proper time synchronization, you’ll need to set up a Network Time Protocol (NTP) server on Samba, too.

Benefits of AD time synchronization include replay attack prevention and resolving AD replication conflicts.

1. Run the below commands to change the default ownership and permissions of the directory /var/lib/samba/ntp_signd. The group _chrony must have read access to the ntp_signd directory.

# allow group _chrony to read the directory ntp_signd
sudo chown root:_chrony /var/lib/samba/ntp_signd/

# change the permission of the directory ntp_signd
sudo chmod 750 /var/lib/samba/ntp_signd/

2. Now, open the configuration file /etc/chrony/chrony.conf in a text editor and add the following configuration to the bottom of the file. This configuration enables the chrony NTP server and points the signing socket location to /var/lib/samba/ntp_signd. Save the configuration file and exit the editor.

# bind the chrony service to IP address of the Samba AD
bindcmdaddress 172.16.1.10

# allow clients on the network to connect to the Chrony NTP server
allow 172.16.1.0/24

# specify the ntpsigndsocket directory for the Samba AD
ntpsigndsocket /var/lib/samba/ntp_signd

Editing the chrony configuration file

3. Next, run the following commands to restart and verify the chronyd service on the Samba AD server.

# restart chronyd service
sudo systemctl restart chronyd

# verify chronyd service status
sudo systemctl status chronyd

As you can see below, the chronyd service is enabled and active (running). At the bottom of the chronyd log message, you’ll see the message MS-SNTP authentication is enabled, which confirms that the NTP authentication extension is functional.

Restarting and verifying the chrony service

Verifying Samba Active Directory

After the installation, you should verify the Samba configuration to ensure that what you’ve done so far works. You can do so by verifying the Samba DNS configuration, default shared folder (File Server), and testing the Kerberos authentication.

1. Run the host commands below to verify the A records for the AD domain example.lan and the server dc1.example.lan.

# verify domain example.lan
host -t A example.lan

# verify domain dc1.example.lan
host -t A dc1.example.lan

And the result should confirm that both host records point to the Samba server IP address 172.16.1.10.

Verifying the domain for Samba Active Directory

2. Next, verify that the _kerberos and _ldap SRV records both point to your Samba Active Directory server’s FQDN.

# verify SRV record for _kerberos
host -t SRV _kerberos._udp.example.lan

# verify SRV record for _ldap
host -t SRV _ldap._tcp.example.lan

In this example, the output below confirms that both SRV records resolve to dc1.example.lan.

Verifying SRV records of the _kerberos and _ldap services

3. Next, run the smbclient command below to verify the default resources available on the Samba Active Directory.

# checking available resources on Samba AD
smbclient -L example.lan -N

You should see that the default shared folders on the Samba Active Directory are sysvol and netlogon, and the default service available is IPC$.

Checking available resources on the Samba AD

4. Lastly, run the below kinit commands to authenticate to the Kerberos server using the user Administrator and verify the Kerberos tickets cached on your system.

Note: The domain part should be in uppercase.

# authenticate to Kerberos using administrator
kinit administrator@EXAMPLE.LAN

# verify list cached Kerberos tickets
klist

You’ll see output similar to the screenshot below. The administrator Kerberos ticket is stored in the file /tmp/krb5cc_0 and will expire in 41 days.

Verifying Kerberos Authentication
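The script below is an added example, not part of the original tutorial: it automates the DNS, resolver and service checks from this section and from the "Disabling the DNS Resolver" section above, so you can rerun them after any change. It assumes the tutorial’s values (domain example.lan, DC dc1.example.lan, IP 172.16.1.10) and the host (from dnsutils), lsattr and systemctl tools present on the server.

```shell
#!/bin/sh
# Post-provisioning checks for a Samba AD DC. Added example, not from the tutorial.
# Assumed values: domain example.lan, DC FQDN dc1.example.lan, DC IP 172.16.1.10.

# Target host from `host -t SRV` output (stdin), trailing dot removed.
# Sample line: "_ldap._tcp.example.lan has SRV record 0 100 389 dc1.example.lan."
srv_target() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# IPv4 addresses from `host -t A` output (stdin), one per line.
# Sample line: "example.lan has address 172.16.1.10"
a_addresses() {
    awk '/has address/ { print $NF }'
}

# First nameserver listed in a resolv.conf-style file ($1).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Live checks against the DC. Usage: check_dc DOMAIN DC_FQDN DC_IP
# Prints a FAIL line for every mismatch and returns non-zero if any failed.
check_dc() {
    domain=$1; dc=$2; ip=$3; rc=0
    # Step 1: both names must resolve only to the DC address.
    for name in "$domain" "$dc"; do
        [ "$(host -t A "$name" | a_addresses)" = "$ip" ] ||
            { echo "FAIL: A record for $name is not exactly $ip"; rc=1; }
    done
    # Step 2: Kerberos and LDAP SRV records must point at the DC.
    for svc in _kerberos._udp _ldap._tcp; do
        target=$(host -t SRV "$svc.$domain" | srv_target)
        [ "$target" = "$dc" ] ||
            { echo "FAIL: SRV $svc.$domain -> '$target', expected $dc"; rc=1; }
    done
    # Resolver section: DC listed first, and the file still immutable (chattr +i).
    [ "$(first_nameserver /etc/resolv.conf)" = "$ip" ] ||
        { echo "FAIL: /etc/resolv.conf does not list $ip first"; rc=1; }
    lsattr /etc/resolv.conf 2>/dev/null | grep -q '^[^ ]*i' ||
        { echo "FAIL: /etc/resolv.conf is not immutable"; rc=1; }
    # Services the tutorial leaves running on the DC.
    for unit in samba-ad-dc chronyd; do
        systemctl is-active --quiet "$unit" ||
            { echo "FAIL: $unit is not active"; rc=1; }
    done
    return $rc
}
```

Source the file on the DC and run `check_dc example.lan dc1.example.lan 172.16.1.10`; a silent run with exit status 0 means every check passed.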

Creating a New Samba Active Directory User

At this point, you’ve finished configuring Samba Active Directory. But as you know, there are no users yet. Now it’s time to create your first Samba AD user account using the samba-tool command.

1. Run the below command to create a new user named alice, whose password is alice_password88.

# create a new user in Samba
sudo samba-tool user create alice alice_password88

2. Next, run the samba-tool command below to verify available users on Samba.

# checking users on Samba
sudo samba-tool user list

As you can see below, the new user alice is available on the Samba Active Directory.

Creating and verifying users on Samba Active Directory

Joining and Logging In to Samba Active Directory Domain

Now that you have created a new user, what’s left is to join a workstation to the Active Directory domain. Afterward, you can then log in to the workstation using the Samba AD user credentials.

1. Log in to your Windows PC and open PowerShell as administrator.

Running PowerShell as Administrator

2. Run the below command to list the available Ethernet adapters on your Windows PC.

# check available interfaces using a PowerShell command
Get-NetAdapter -Name "*"

You may see different outputs on your PowerShell screen. This example shows one network interface called Ethernet Instance 0 2.

Checking available Ethernet with PowerShell

3. Execute the following command to change the adapter’s DNS server to the Samba Active Directory’s IP address with additional fallback Cloudflare DNS 1.1.1.1. Doing this step ensures that your workstation uses the Samba AD server for name resolution.

# set up the DNS resolver using PowerShell
Set-DnsClientServerAddress "Ethernet Instance 0 2" -ServerAddresses ("172.16.1.10","1.1.1.1")

4. Run the below command to verify your DNS resolver, and make sure that your computer uses the Samba AD server as the default DNS resolver.

# verify DNS resolver
Get-DnsClientServerAddress

You’ll see output similar to the screenshot below.

Configuring DNS resolver using PowerShell

5. Now, ping the server hostname and domain.

# ping the AD domain dc1.example.lan
ping dc1.example.lan

# ping the AD domain example.lan
ping example.lan

You should see the reply from the AD server as below. Confirm that the result points to the Samba AD server’s IP address.

Pinging Samba AD server

6. Next, run the following command to join the workstation to the Samba Active Directory domain.

# add Windows 10 to Active Directory
Add-Computer -DomainName "example.lan" -Restart

7. Type in the Samba AD administrator user name and password, then click OK. The computer will automatically restart as part of the domain join process.

Joining the Samba AD domain

8. After restarting, click Other users on the login screen. Type in the Active Directory username and password of the Samba AD user you previously created (alice@example.lan), and press Enter to log in.

Login to Windows 10 using Samba AD User

9. After a successful login, open a PowerShell window and run one or both of the commands below to verify the currently logged-on username.

whoami
query user

Verifying the currently logged-on username

Conclusion

The concept and application of Active Directory are not exclusive to the Windows ecosystem. You’ve learned in this tutorial that you can enjoy the same Active Directory benefits in Linux by implementing the Samba Active Directory.

Throughout this tutorial, you’ve learned how to install and configure the Samba Active Directory on Ubuntu 20.04. You’ve also learned to create new users and join a Windows workstation to the Samba Active Directory domain.

What’s next for you? How about integrating Samba to CUPS service for printing support or setting up a Samba Share file server? You see, there’s more to Samba than Active Directory!
