OK, so if you had no idea this was possible, you're probably thinking "What?" right now, and a few years ago I would have been in the same position. But once I discovered that you could run Active Directory on Linux, I was very excited about it, as most small-to-medium-sized businesses struggle to justify the cost of purchasing Windows Server, so I felt like this was a massive bonus to have in the industry. I first found this in a product called 'Zentyal', which is a low-cost replacement for the Microsoft Small Business Server / Back Office Server line of products. But when I looked into the technology that Zentyal is using, I found out that it is very simply Samba.
If you didn't already know, Samba is the open-source implementation of the SMB/CIFS file-sharing protocol for Linux and other Unix-like systems, allowing you to share files between Windows and Linux with ease. Since version 4 it can also act as a full Active Directory domain controller (Kerberos KDC, LDAP directory and DNS), which is what this post sets up.
So as mentioned before, Samba runs on Linux, so you'll need a Linux system to get this running. In this post I am using Debian for two reasons. The first is that I have found Debian the easiest distribution to work with for Samba; this is my opinion and you may have a better distribution to work with. The other reason is that you can do this on a Raspberry Pi, and THIS IS AWESOME!
To start with, you need to make sure that your server has a static IP address, a hostname, and a working internet connection. Below I show you how to get your Pi set up.
Setup Static IP:
DC01# sudo nano /etc/dhcpcd.conf
This is the dhcpcd configuration file used by Raspberry Pi OS (the "static ..." keywords below are dhcpcd syntax; on a plain Debian install using ifupdown you would set the same values in /etc/network/interfaces instead). Make the file look like the example below, but with your own IP subnet details. DNS must point to the server itself if it is the first domain controller in the domain, and to an existing domain controller if this is the second (or later) domain controller in the domain.
Uncomment and fill in the static block for your interface (the addresses here are example values: 192.168.3.10 for the DC and 192.168.3.254 for the router):
interface eth0
static ip_address=192.168.3.10/24
static routers=192.168.3.254
static domain_name_servers=192.168.3.10
Once you have configured the static IP address, you will need to check your hosts file and your hostname. The names are your own choice, but if you are adding a domain controller to an existing domain, make sure that the server can resolve the domain name and the existing DC; most of the time you can use the hosts file to achieve this.
DC01# sudo nano /etc/hosts
Add a line mapping the static IP to the server's FQDN and short name, for example (with your own address and names): 192.168.3.10 dc01.domain.local dc01
Once you have configured your hosts file, you can now configure your hostname file.
DC01# sudo nano /etc/hostname
Your hostname file should contain only one line with your desired hostname in FQDN format (SERVERNAME.DOMAIN.LOCAL). After the reboot below, check that the name resolves to the static address and not to 127.0.1.1, because Samba registers whatever address the FQDN resolves to in DNS.
Once all of this is configured, go ahead and reboot your server. Once it is back online, make sure that your repositories and software are up to date (note the double ampersand: a single & would background the update and run the upgrade unprivileged):
DC01# sudo apt-get update && sudo apt-get upgrade -y
The next thing we need to do is install the required packages.
DC01# sudo apt-get install samba krb5-config krb5-user winbind smbclient -y
During the installation of Kerberos, you will be asked for the default realm, the Kerberos servers for your realm, and the administrative server.
Your realm is your domain name in uppercase, for example DOMAIN.LOCAL (Kerberos realms are case-sensitive, and Samba will use the uppercase form). The other two will be the FQDN of the server you are working on.
After this has been completed, you need to back up and delete your existing Samba configuration, because provisioning reads any existing smb.conf and fails on Debian's default file-server one.
DC01# sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.org
DC01# sudo rm /etc/samba/smb.conf
Provision a New Domain:
If you have completed the prerequisite steps, you are now ready to provision your domain.
DC01# sudo samba-tool domain provision --interactive
The command above tells Samba to provision a new domain (not join an existing one). During this process you will be asked for the following information; the values below are the ones used in this walkthrough:
Realm: DOMAIN.LOCAL
Domain: DOMAIN
Server Role: dc
DNS Backend: SAMBA_INTERNAL
DNS Forwarder: 192.168.3.254
Admin Password: IDEBIAN123
Make sure you set your realm to the same uppercase realm you defined in the Kerberos setup. The domain is the NetBIOS domain name, which should be the realm minus the suffix (its first label). The server role should be dc. For the DNS backend you can choose whatever you want to use, but for simplicity in this scenario we are using SAMBA_INTERNAL. The DNS forwarder is where the internal DNS server sends queries for names outside the domain, so it should be your router or upstream resolver, never the DC itself. The admin password cannot be just anything: Samba's default password policy requires at least 7 characters drawn from at least three character classes (uppercase, lowercase, digits, symbols), and provisioning rejects a password that fails it. A value like IDEBIAN123 uses only two classes, so add a lowercase letter or a symbol, and treat this account like any other Domain Admin credential rather than a throwaway.
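Before typing the answers above into samba-tool, it is worth checking the prerequisites and the provision answers against each other, because a wrong DNS pointer or a rejected password only shows up part way through provisioning. The script below is an added example written for this post, not code from the original article or from the Samba project. It parses constructed dhcpcd.conf and /etc/hosts text (the addresses 192.168.3.10 for the DC and 192.168.3.254 for the router are assumed example values) and applies the rules from the prerequisites and provision sections: first DC resolves through itself, additional DC through an existing DC, the FQDN sits under the realm and is in /etc/hosts, the NetBIOS domain is the realm's first label, the forwarder is not the DC, and the admin password satisfies Samba's default complexity rule as implemented in its password-quality check (at least 7 characters and at least three of upper, lower, digit, ASCII punctuation, non-ASCII). Function and parameter names are my own.

```python
"""Preflight checks before 'samba-tool domain provision' (added example)."""
import ipaddress
import string

SAMBA_MIN_PWD_LENGTH = 7  # Samba's default minPwdLength


def parse_dhcpcd(text):
    """Collect the 'static key=value' lines of dhcpcd.conf text into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("static "):
            key, _, value = line[len("static "):].partition("=")
            settings[key.strip()] = value.strip()
    return settings


def parse_hosts(text):
    """Map every name in /etc/hosts text (lower-cased) to its address."""
    names = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            names[name.lower()] = fields[0]
    return names


def password_meets_samba_policy(password):
    """Samba's default complexity rule: at least 7 characters and at least
    three of five classes (upper, lower, digit, ASCII punctuation, non-ASCII)."""
    if len(password) < SAMBA_MIN_PWD_LENGTH:
        return False
    classes = (
        any(c.isascii() and c.isupper() for c in password),
        any(c.isascii() and c.islower() for c in password),
        any(c.isascii() and c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
        any(not c.isascii() for c in password),
    )
    return sum(classes) >= 3


def preflight(dhcpcd_text, hosts_text, hostname, realm, domain, forwarder,
              admin_password, first_dc=True):
    """Return a list of problems; an empty list means provision can proceed."""
    problems = []
    net = parse_dhcpcd(dhcpcd_text)
    hosts = parse_hosts(hosts_text)

    # The DC needs a fixed address; its DNS records will carry it.
    try:
        own_ip = str(ipaddress.ip_interface(net["ip_address"]).ip)
    except (KeyError, ValueError):
        problems.append("no valid 'static ip_address=' line in dhcpcd.conf")
        own_ip = None

    # First DC resolves through itself; an additional DC must use an existing DC.
    dns = net.get("domain_name_servers", "").split()
    if own_ip is not None:
        if first_dc and dns != [own_ip]:
            problems.append(f"first DC must point DNS at itself ({own_ip}), got {dns}")
        if not first_dc and own_ip in dns:
            problems.append("additional DC must point DNS at an existing DC, not itself")

    # Kerberos realm is uppercase; the NetBIOS domain is the realm's first label.
    label = realm.split(".")[0]
    if realm != realm.upper():
        problems.append(f"realm should be uppercase: {realm.upper()}")
    if domain.upper() != label.upper():
        problems.append(f"domain should be the realm's first label: {label}")

    # The FQDN must sit under the realm and resolve locally via /etc/hosts.
    fqdn = hostname.lower()
    if not fqdn.endswith("." + realm.lower()):
        problems.append(f"hostname {hostname} is not under realm {realm}")
    if own_ip is not None and hosts.get(fqdn) != own_ip:
        problems.append(f"/etc/hosts must map {fqdn} to {own_ip}")

    # The forwarder answers for names outside the domain; pointing it at the DC loops.
    try:
        if str(ipaddress.ip_address(forwarder)) == own_ip:
            problems.append("DNS forwarder must not be this DC")
    except ValueError:
        problems.append(f"DNS forwarder is not an IP address: {forwarder}")

    if not password_meets_samba_policy(admin_password):
        problems.append("admin password fails Samba's default complexity policy")
    return problems


# Constructed sample inputs standing in for the files on DC01 (assumed addresses).
SAMPLE_DHCPCD = """\
interface eth0
static ip_address=192.168.3.10/24
static routers=192.168.3.254
static domain_name_servers=192.168.3.10
"""
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.3.10    dc01.domain.local dc01
"""

if __name__ == "__main__":
    issues = preflight(SAMPLE_DHCPCD, SAMPLE_HOSTS, "dc01.domain.local",
                       "DOMAIN.LOCAL", "DOMAIN", "192.168.3.254", "IDEBIAN123")
    print("\n".join(issues) or "all preflight checks passed")
```

Run against the walkthrough's own answers, the only finding is the password: IDEBIAN123 has uppercase letters and digits but no third class. Passing first_dc=False switches the DNS rule around for the second-DC scenario later in the post, where the new server must not resolve through itself.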
The next thing to configure is Kerberos, which is the authentication method against the domain. Like before, we will back the file up first and then edit it.
DC01# sudo cp /etc/krb5.conf /etc/krb5.conf.orig
DC01# sudo nano /etc/krb5.conf
Once in the file, make sure the [libdefaults] section looks as below, but with your domain details (realm in uppercase). Provisioning also writes a ready-made copy to /var/lib/samba/private/krb5.conf, and copying that over /etc/krb5.conf gives the same result:
[libdefaults]
    default_realm = DOMAINNAME.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
With dns_lookup_kdc = true the Kerberos client finds the KDC through the _kerberos SRV records served by the DC's own DNS, which is why the static DNS setting from the prerequisites has to be right.
Once this is done, the last thing is to configure the services and start them up. The stand-alone smbd, nmbd and winbind services must not run alongside the AD DC service, which starts its own SMB and winbind components internally.
DC01# sudo systemctl stop smbd nmbd winbind
DC01# sudo systemctl disable smbd nmbd winbind
DC01# sudo systemctl unmask samba-ad-dc
DC01# sudo systemctl start samba-ad-dc
DC01# sudo systemctl enable samba-ad-dc
YOU SHOULD NOW HAVE A FUNCTIONING DOMAIN CONTROLLER! Don't take that on faith: "samba-tool domain level show" should report your domain, "host -t SRV _ldap._tcp.domain.local" (with your own realm, lowercase) should return this DC, and "kinit administrator" followed by "klist" should give you a ticket-granting ticket issued by the new KDC.
Join an Existing Domain:
Unlike with a new domain, your server will need to be able to resolve your domain name to an existing domain controller, which can be Windows or Linux. Make sure you have followed the prerequisites above first: the static DNS setting on this server must point at an existing DC, not at itself, and its hostname must be an FQDN inside the domain.
To get started, run the command below to join the server to the existing domain as a domain controller. You will be prompted for the administrator password, and --use-rfc2307 enables the NIS extensions so Unix UID/GID attributes can be stored in the directory.
DC02# sudo samba-tool domain join DOMAIN.LOCAL DC -U"DOMAIN\administrator" --use-rfc2307
Once this has run, you should find that most of the work is done; we now just have to configure Kerberos. Note that the join does not ask for a DNS forwarder, so if this DC's internal DNS should also forward outside queries, add a "dns forwarder = 192.168.3.254" line (with your own upstream resolver) to the [global] section of the generated /etc/samba/smb.conf.
The Kerberos configuration is the same as on the first DC: the join writes a ready-made copy to /var/lib/samba/private/krb5.conf, or you can edit the file by hand. Like before, we will back the file up first and then edit it.
DC02# sudo cp /etc/krb5.conf /etc/krb5.conf.orig
DC02# sudo nano /etc/krb5.conf
Once in the file, make sure the [libdefaults] section looks as below, but with your domain details (realm in uppercase):
[libdefaults]
    default_realm = DOMAINNAME.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
Once this is done, the last thing is to configure the services and start them up, exactly as on the first DC.
DC02# sudo systemctl stop smbd nmbd winbind
DC02# sudo systemctl disable smbd nmbd winbind
DC02# sudo systemctl unmask samba-ad-dc
DC02# sudo systemctl start samba-ad-dc
DC02# sudo systemctl enable samba-ad-dc
YOU SHOULD NOW HAVE A SECOND FUNCTIONING DOMAIN CONTROLLER! Check that directory replication with the existing DC is working with "samba-tool drs showrepl" on the new server (every entry should show a successful last attempt with no consecutive failures), and that the domain's SRV records now list both controllers.