Samba Active Directory - Introduction
Samba is free software used for communication between Windows and Linux servers, principally to let Windows hosts such as workstations access and communicate with Linux hosts. Samba is a re-implementation of the SMB (Server Message Block) protocol and is available for most UNIX-based systems, including Linux, Solaris, BSD variants, and AIX. It is also available for OpenVMS and IBM operating systems. Samba makes use of the Common Internet File System (CIFS) and can be used to perform actions such as:
- File and print services
- Name resolution
- Allows Windows to share files and printers on the Unix host
- Authorization
- Authentication
- Service announcement
In this post, we will look at setting up Samba Active Directory on Rocky Linux 8. We already have Rocky Linux installed on a virtual machine and access it over an SSH connection.
Pre-requisites
- Rocky Linux 8 installation
- An active internet connection
- Static IP Address
- root privileges
Update and upgrade your system with the commands below to ensure you are only running the latest packages:
sudo yum update
sudo yum upgrade
Step 1: Set a Static IP Address on Rocky Linux
Before getting started with the Samba4 AD DC installation, you need to set up a static IP address on Rocky Linux. We already posted this - Setting a Static IP in Rocky Linux [6 Different Methods]. Please feel free to check it out. In this post, we will set up a static IP using the ifconfig command. First, execute the command below to get the currently assigned IP address and netmask.
ifconfig
In our case, the output shows we are connected to the interface ens33 with IP 192.168.1.61. We will use the syntax below to set up our static IP address.
ifconfig <interface> <IP Address> netmask <netmask_value>
e.g
ifconfig ens33 192.168.1.61 netmask 255.255.255.0
Next, we need to set the default gateway address. First, run the command below to see the gateway address of your network.
route -n
To set the default gateway address, we will use the syntax below:
sudo route add default gw <your_gateway_address> <network_interface>
e.g
sudo route add default gw 192.168.1.21 ens33
That's it! Now, we can start to install and configure Samba Active Directory on our Rocky Linux installation.
Step 2: Disable SELINUX
Security-Enhanced Linux (SELinux) is a security feature present on various Linux distributions which gives administrators more control over the users of a system. Unfortunately, SELinux doesn't work well with Samba without additional configuration. For this particular tutorial, we will disable SELinux to avoid issues later on. Execute the command below to check SELinux status.
sestatus
In our case, the output shows SELinux is enabled on our system. To disable it, execute the command below to edit the selinux configuration with the nano editor.
sudo nano /etc/sysconfig/selinux
Find the line SELINUX, which might be set to enforcing or permissive. Set it to disabled as shown below:
Save the file (Ctrl + S) and Exit (Ctrl + X). Reboot your system and confirm SELinux status again.
sudo reboot now
Step 3: Setup a Hostname (update /etc/hosts files)
You can check your currently set hostname with the command below:
sudo cat /etc/hostname
To set a new hostname such as golinuxcloud_adc1, use the command below:
sudo hostnamectl set-hostname golinuxcloud_adc1
We also need to edit the /etc/hosts file and ensure the DC resolves to our Fully Qualified Domain Name (FQDN), which we will set as glc.com.
Reboot the server to apply the changes.
sudo reboot now
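Added example (not part of the original post): a check of the names chosen in this step, to run before provisioning. It tests a host name against the 15-character NetBIOS limit and the letters, digits and hyphen allowed in host names, and checks that the FQDN maps to the static LAN address rather than a loopback entry. The names samba-ad and loop-dc and the sample hosts content are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: name checks to run before provisioning.
MAX_NETBIOS_LEN=15   # NetBIOS names are limited to 15 characters

# Print each reason NAME is unsuitable as a DC host name; print nothing if it is fine.
check_dc_hostname() {
    local name="$1" problems=""
    [ "${#name}" -le "$MAX_NETBIOS_LEN" ] ||
        problems="$problems too-long(${#name}>$MAX_NETBIOS_LEN)"
    case $name in
        *[!A-Za-z0-9-]*) problems="$problems invalid-character" ;;
    esac
    case $name in
        ""|-*|*-) problems="$problems empty-or-edge-hyphen" ;;
    esac
    echo "${problems# }"
}

# Print the address that hosts-format FILE maps FQDN to (first match wins)
# and succeed only if it is the DC's static LAN address.
check_hosts_entry() {
    local fqdn="$1" want="$2" file="$3" addr
    addr=$(awk -v n="$fqdn" '$1 !~ /^#/ {
        for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit }
    }' "$file")
    echo "$addr"
    [ "$addr" = "$want" ]
}

# Constructed sample /etc/hosts content; samba-ad and loop-dc are hypothetical names.
SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1     localhost localhost.localdomain
127.0.1.1     loop-dc.glc.com loop-dc
192.168.1.61  samba-ad.glc.com samba-ad
EOF

for name in golinuxcloud_adc1 samba-ad; do
    echo "$name: $(check_dc_hostname "$name")"
done
for fqdn in loop-dc.glc.com samba-ad.glc.com; do
    if check_hosts_entry "$fqdn" 192.168.1.61 "$SAMPLE_HOSTS" >/dev/null; then
        echo "$fqdn: resolves to the LAN address"
    else
        echo "$fqdn: does not resolve to 192.168.1.61"
    fi
done
```

An empty result from check_dc_hostname means the name passed every check; on a real server, pass /etc/hosts as the file argument.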
Step 4: Install epel-repo
EPEL stands for Extra Packages for Enterprise Linux. As the name suggests, this repository contains additional packages not present in the Rocky Linux repository. Execute the command below to add the EPEL repository to your system.
sudo yum install epel-release -y
After installing the repository, we can now install the required packages to compile Samba on our system.
Step 5: Install Packages Required to Compile Samba Active Directory (Important!)
When trying to compile and install Samba from source on Rocky Linux 8, you will encounter many errors and missing packages. Additionally, installing these packages one by one can be a tiresome and hectic process, since some packages are already installed but Samba can't detect them. You might need to create numerous symlinks for these packages. A solution I found to all of this was to use the dependency installation scripts provided by the Samba developers.
Follow the steps below:
Head over to this Samba git repository and search for the bootstrap.sh script based on your distribution and Samba version.
On the terminal, create a script with the command below:
sudo nano installDependencies.sh
Paste all the contents you copied here (Ctrl + V). Don't add/delete any line unless you are well-versed with Linux systems and with a good understanding of what you are doing.
Save the file (Ctrl + S) and Exit (Ctrl + X)
For reference, I am placing the content I have added:
set -xueo pipefail

yum update -y
yum install -y dnf-plugins-core
yum install -y epel-release

yum -v repolist all
yum config-manager --set-enabled PowerTools -y || \
    yum config-manager --set-enabled powertools -y
yum config-manager --set-enabled Devel -y || \
    yum config-manager --set-enabled devel -y
yum update -y

yum install -y \
    --setopt=install_weak_deps=False \
    "@Development Tools" \
    acl \
    attr \
    autoconf \
    avahi-devel \
    bind-utils \
    binutils \
    bison \
    ccache \
    chrpath \
    cups-devel \
    curl \
    dbus-devel \
    docbook-dtds \
    docbook-style-xsl \
    flex \
    gawk \
    gcc \
    gdb \
    git \
    glib2-devel \
    glibc-common \
    glibc-langpack-en \
    glusterfs-api-devel \
    glusterfs-devel \
    gnutls-devel \
    gpgme-devel \
    gzip \
    hostname \
    htop \
    jansson-devel \
    keyutils-libs-devel \
    krb5-devel \
    krb5-server \
    libacl-devel \
    libarchive-devel \
    libattr-devel \
    libblkid-devel \
    libbsd-devel \
    libcap-devel \
    libcephfs-devel \
    libicu-devel \
    libnsl2-devel \
    libpcap-devel \
    libtasn1-devel \
    libtasn1-tools \
    libtirpc-devel \
    libunwind-devel \
    libuuid-devel \
    libxslt \
    lmdb \
    lmdb-devel \
    make \
    mingw64-gcc \
    ncurses-devel \
    openldap-devel \
    pam-devel \
    patch \
    perl \
    perl-Archive-Tar \
    perl-ExtUtils-MakeMaker \
    perl-JSON \
    perl-Parse-Yapp \
    perl-Test-Simple \
    perl-generators \
    perl-interpreter \
    pkgconfig \
    popt-devel \
    procps-ng \
    psmisc \
    python3 \
    python3-cryptography \
    python3-devel \
    python3-dns \
    python3-gpg \
    python3-iso8601 \
    python3-libsemanage \
    python3-markdown \
    python3-policycoreutils \
    python3-pyasn1 \
    python3-setproctitle \
    quota-devel \
    readline-devel \
    redhat-lsb \
    rng-tools \
    rpcgen \
    rpcsvc-proto-devel \
    rsync \
    sed \
    sudo \
    systemd-devel \
    tar \
    tree \
    wget \
    which \
    xfsprogs-devel \
    yum-utils \
    zlib-devel

yum clean all
Or alternatively you can follow the same guide to get the list of packages to be installed and then install them manually based on your distribution.
Make the file executable with the command below:
sudo chmod +x installDependencies.sh
Execute the script with the command below:
sudo bash installDependencies.sh
The script will install all the required packages for compiling and installing Samba on Rocky Linux 8. This process might take some time, depending on your internet speed.
Step 6: Download and Install the Latest Samba Archive
After successfully installing the packages, we can proceed to install Samba. Head over to the Samba website and get the link to the latest Samba release. Use the wget command to download Samba on your Rocky Linux system.
cd /
wget https://download.samba.org/pub/samba/samba-latest.tar.gz
Execute the commands below to extract the setup file and configure the Samba Active Directory setup for installation. This might take a few minutes.
tar -zxvf samba-latest.tar.gz
cd samba-4.12.5 # The version might be different from mine
sudo ./configure
If the ./configure command executes successfully without any errors, you should see a message similar to the image below.
Now, execute the command below to install Samba Active Directory on Rocky Linux 8. This step will also take a few minutes. Please be patient.
sudo make && sudo make install
After a successful installation, you should see a message similar to the image below:
Step 7: Provisioning Samba Active Directory
Domain provisioning involves configuring and setting up all the needed infrastructure for Samba AD. That includes LDAP, Kerberos, and DNS servers. Execute the command below:
samba-tool domain provision --use-rfc2307 --interactive
Tip:
If you get the error "-bash: samba-tool: command not found," use the command below.
/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
You will see several prompts:
- Realm: Here, enter the Realm name and press Enter. In our case, the set Realm name is GLC.COM
- Domain: Type the domain name and hit Enter. In our case, we used GLC.
- Server Role: Type dc and hit Enter.
- DNS backend: Here, we will let samba configure its own DNS and zone files. Type SAMBA_INTERNAL and hit Enter.
- DNS forwarder: Here, we will use Google's DNS. Type 8.8.8.8 and hit Enter.
Next, you need to set a strong administrator password. Press Enter when done.
Step 8: Configure Samba DC as systemd service
Now, we need to create a script to start the Samba service on boot. Execute the command below:
cat /etc/systemd/system/samba.service
If you get an error like "cat: /etc/systemd/system/samba.service: No such file or directory," you will need to create the file manually. Execute the command below to create a samba.service file using the nano editor.
sudo nano /etc/systemd/system/samba.service
Paste the contents below on the window that opens:
[Unit]
Description=Samba 4 Active Directory
After=syslog.target
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/samba/var/run/samba.pid
ExecStart=/usr/local/samba/sbin/samba

[Install]
WantedBy=multi-user.target
Save the file (Ctrl + S) and Exit (Ctrl + X). When you run that cat command again, you should see an output similar to the image below.
cat /etc/systemd/system/samba.service
Start the Samba service using the commands below:
sudo systemctl daemon-reload
sudo systemctl enable samba
sudo systemctl start samba
Step 9: Configure Firewall
We are using firewalld in our CentOS 8 environment, so we will use firewalld to open the ports and services that are part of Samba Active Directory:
[root@samba-ad ~]# firewall-cmd --add-service={dns,ldap,ldaps,kerberos}
success
[root@samba-ad ~]# firewall-cmd --add-port={389/udp,135/tcp,135/udp,138/udp,138/tcp,137/tcp,137/udp,139/udp,139/tcp,445/tcp,445/udp,3268/udp,3268/tcp,3269/tcp,3269/udp,49152/tcp}
success
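Added example (not part of the original post): a comparison of what the two commands above open with the ports a Samba AD DC serves, so the rule set can be trimmed to what is needed. The REQUIRED list is an assumption taken from the Samba wiki's AD DC port usage table, and the expansion of the four firewalld services follows firewalld's stock service definitions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: diff the opened ports against
# the ports a Samba AD DC serves. REQUIRED is an assumption taken from the
# Samba wiki's AD DC port table (NTP left out, the tutorial does not set it
# up); confirm against your own DC with `ss -tulpn`.
REQUIRED="53/tcp 53/udp 88/tcp 88/udp 135/tcp 137/udp 138/udp 139/tcp
389/tcp 389/udp 445/tcp 464/tcp 464/udp 636/tcp 3268/tcp 3269/tcp"
DYN_LO=49152   # dynamic RPC range, TCP only
DYN_HI=65535

# What Step 9 opens: the dns, ldap, ldaps and kerberos firewalld services
# (first line) followed by the --add-port list exactly as given.
OPENED="53/tcp 53/udp 389/tcp 636/tcp 88/tcp 88/udp
389/udp 135/tcp 135/udp 138/udp 138/tcp 137/tcp 137/udp 139/udp 139/tcp
445/tcp 445/udp 3268/udp 3268/tcp 3269/tcp 3269/udp 49152/tcp"

in_list() {   # in_list ITEM LIST...
    local needle="$1" item
    shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

is_dynamic_rpc() {   # true for PORT/tcp inside the dynamic RPC range
    local port="${1%/*}" proto="${1#*/}"
    [ "$proto" = tcp ] && [ "$port" -ge "$DYN_LO" ] && [ "$port" -le "$DYN_HI" ]
}

extra_ports() {   # opened in $1 but absent from the DC port table
    local p out=""
    for p in $1; do
        in_list "$p" $REQUIRED || is_dynamic_rpc "$p" || out="$out $p"
    done
    echo "${out# }"
}

missing_ports() {   # in the DC port table but not opened in $1
    local p out=""
    for p in $REQUIRED; do
        in_list "$p" $1 || out="$out $p"
    done
    echo "${out# }"
}

echo "opened but not in the port table: $(extra_ports "$OPENED")"
echo "in the port table but not opened: $(missing_ports "$OPENED")"
```

firewall-cmd without --permanent changes only the runtime configuration, so the rules above are lost on a firewalld reload or a reboot. Only 49152/tcp of the dynamic RPC range is opened by the page's command.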
Step 10: Join Windows Host to Samba Domain Controller
For this post, we will use a Windows 7 virtual machine. However, the same procedure can be used on the latest Windows 10 releases. On your Windows system, navigate to the Network Adapter settings and click on Properties.
Click on IPV4 and enter your Samba4 server's IP address as the DNS server, as shown in the image below.
Click OK to save and apply the new configurations.
Next, right-click on "This PC" or "Computer" on the file manager and select "Properties." On the new window that appears, click "Advanced System Settings" to open the "System Properties" window, as shown below.
Select the "Computer Name" tab and click the Change button. This will open the Computer Name/Domain Changes window. Select the Domain radio button and enter the Realm of your Samba4 server. In our case, we used glc.com. Click OK.
A window will pop up, prompting you to enter the name and password of an account with permission to join the domain. We will use "Administrator," which is the user we created during domain provisioning. Enter the password that you set.
If everything was set up correctly, you should see a welcome message after a few seconds, as shown in the image below. Click OK.
Now, you need to restart your PC to apply the new configurations. After a successful reboot, we can now use our newly added account to log in to the Windows system.
It might take a few seconds to launch the Desktop for the new user. When you click on the "Properties" option again, you should see that you are now connected to the samba4 domain.
If you wish to manage the Samba4 server from the Windows system, you must install Microsoft Remote Server Tools (RSAT).
Conclusion
In this post, we have given you a step-by-step guide on configuring Samba4 AD using Rocky Linux. We have also looked at how to solve any arising errors when executing the Samba commands. Please note, when executing any samba command and you get an error like "command not found," try executing it from the /usr/local/samba/bin/ directory. For example, to use the samba-tool command, you would write /usr/local/samba/bin/samba-tool.
If you encounter an error that you can't seem to find a solution to, please let us know in the comments, and we will be happy to help. Also, if you have any additional tips for our readers, feel free to hit the comments below.
Hello Alex,
Thanks for your feedback.
In my case, SELinux is deactivated after running the command: sestatus on Server (Rocky Linux 8)
The problem persists on the Windows 10 Client side.
What to do in this case, I’m really out of ideas.
Thanks for your help.
Hello, in case SELinux is NOT disabled you need to enter this command to execute samba
From https://serverfault.com/questions/1032710/samba-wont-start-with-systemd
“The SELinux restricts binaries that can be used in ExecStart to paths that has system_u:object_r:bin_t:s0 attribute set. Typically those are /usr/bin /usr/sbin /usr/libexec /usr/local/bin directories. You need to move samba binary into one of this directories or change selinux policy to allow systemd to use binaries in /usr/local/samba/sbin/ as:
chcon -R -t bin_t /usr/local/samba/sbin/”
Hello. I hope you are well. Thank you for the quality of the work done. I get when I am on the windows computer to join the Active directory. What to do? Thank you
The error was: “DNS name does not exist” (error code 0x00000232B RCODE_NAME_ERROR). The request was for the SRV record for _ldap._tcp.dc._msdcs.domain name. The causes of this error: – The DNS SRV records required to locate an Active Directory domain controller for the domain are not registered in the DNS. One or more of the following zones do not include delegation to their child zone
After install samba, only administrator can enter into the domain. When install RSAT tool and create users, neither one can not login into the domain on windows machines.
“sudo make && make install” returns: The project was not configured: run “waf configure” first! Any idea of how to get rid of it?
Ignore this please 🙂 all worked out like a charm. Thanks mate
Step 5 is missing the content that has to be copied.
Updated, thanks for highlighting!