Samba as AD and Domain Controller


Photo by Eric Schirtzinger on Unsplash

Running Samba as an Active Directory (AD) Domain Controller gives you a mature, well-understood way to keep all user and group information in one place, instead of managing accounts separately on every server. Anything that can authenticate against AD (WordPress, FTP servers, HTTP servers, you name it) can then use that single source of identity.

This step-by-step tutorial shows how to set up Samba as an AD Domain Controller for your network, servers, and applications.

Pre-requisites

A fresh Fedora Linux 35 server installation.

Definitions

Hostname: dc1.onda.org
Domain: onda.org
IP: 10.1.1.10/24

Considerations

  • Once the domain (and the Kerberos realm derived from it) is chosen, it cannot be changed; choose it wisely.
  • In /etc/hosts, the server's name must be on the line of its own IP address, never on the 127.0.0.1 line.
  • Give the server a fixed IP address, so the address does not change after provisioning.
  • Provision only one DC. Additional DCs are joined to the existing domain, never provisioned a second time.
  • For the DNS backend we will use SAMBA_INTERNAL, Samba's built-in DNS server, which can forward queries for zones it does not host to an upstream resolver.
  • Run a time synchronization service (chrony or ntp) on the server and on every client. Kerberos rejects requests when clocks drift more than the permitted skew (five minutes by default), so unsynchronized time causes hard-to-diagnose authentication failures.
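The items above can be checked mechanically before you provision. The script below is an added example written for this article, not part of Samba or of the original text. It takes the DC's FQDN and static address as arguments, reads /etc/hosts unless told otherwise, assumes ss from iproute2 is available, and its port-53 check anticipates the systemd-resolved change made later in this guide.

```bash
#!/usr/bin/env bash
# dc-preflight.sh - check the "Considerations" above before running
# "samba-tool domain provision". Added example for this article; not part of
# Samba or of the original text.
# Usage: dc-preflight.sh <fqdn> <static-ip> [hosts-file]
#        sudo ./dc-preflight.sh dc1.onda.org 10.1.1.10
set -u

# samba-tool takes --realm as the DNS domain in upper case: dc1.onda.org -> ONDA.ORG
derive_realm() {
    printf '%s\n' "${1#*.}" | tr '[:lower:]' '[:upper:]'
}

# The article uses the first label of the realm as the NetBIOS --domain: ONDA
derive_netbios() {
    derive_realm "$1" | cut -d. -f1
}

# The hostname must be fully qualified; a short name such as "dc1" breaks
# kinit ("unable to find realm of host dc1") and the DC's DNS registration.
check_fqdn() {
    case "$1" in
        localhost*) return 1 ;;
        *.*)        return 0 ;;
        *)          return 1 ;;
    esac
}

# /etc/hosts must map the FQDN to the static address and never list it on a
# loopback line (127.0.0.1 or ::1). Prints every violation; exit status 1 if any.
check_hosts_file() {   # check_hosts_file <hosts-file> <fqdn> <ip>
    awk -v fqdn="$2" -v ip="$3" '
        { sub(/#.*/, "") }                      # strip comments, re-split fields
        NF < 2 { next }
        {
            for (i = 2; i <= NF; i++) if ($i == fqdn) {
                if ($1 ~ /^127\./ || $1 == "::1") {
                    print "FAIL: " fqdn " is on loopback line " $1; bad = 1
                } else if ($1 == ip) {
                    found = 1
                } else {
                    print "FAIL: " fqdn " maps to " $1 ", expected " ip; bad = 1
                }
            }
        }
        END {
            if (!found) { print "FAIL: " fqdn " is not on the " ip " line"; bad = 1 }
            exit bad
        }' "$1"
}

# Samba'"'"'s internal DNS needs port 53 to itself. A running systemd-resolved
# stub listener or a leftover named makes samba exit at start-up with
# NT_STATUS_ADDRESS_ALREADY_ASSOCIATED.
check_port53_free() {
    local listeners
    listeners=$(ss -Hlnut 'sport = :53' 2>/dev/null)
    [ -z "$listeners" ] && return 0
    printf 'FAIL: port 53 is already in use:\n%s\n' "$listeners"
    return 1
}

main() {   # main <fqdn> <static-ip> [hosts-file]
    local fqdn=$1 ip=$2 hosts=${3:-/etc/hosts} rc=0
    echo "use --realm=$(derive_realm "$fqdn") --domain=$(derive_netbios "$fqdn")"
    check_fqdn "$fqdn" || { echo "FAIL: $fqdn is not a fully qualified name"; rc=1; }
    check_hosts_file "$hosts" "$fqdn" "$ip" || rc=1
    check_port53_free || rc=1
    [ "$rc" -eq 0 ] && echo "preflight OK: safe to provision"
    return "$rc"
}

# Run the checks only when called with arguments; sourcing the file just loads the functions.
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it as root after setting the hostname and before the provisioning step; every FAIL line names the consideration it violates, so the output doubles as a checklist.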

Samba installation

Let’s install the required software to get through this guide. It will provide all the applications you will need.

sudo dnf install samba samba-dc samba-client krb5-workstation

Configurations

Before provisioning the domain, prepare the host so that Samba finds a working environment: hostname, firewall, SELinux, and the system resolver all need attention first.

Hostname

Ensure the hostname of your server is set to its fully-qualified domain name (FQDN). Both the DNS registration done during provisioning and Kerberos depend on it: with a short name such as dc1, kinit later fails with "unable to find realm of host dc1". (hostnamectl hostname is the systemd 249 syntax; older releases use hostnamectl set-hostname.)

sudo hostnamectl hostname dc1.onda.org

Firewall

You will need to allow some UDP and TCP ports through the firewall so that clients will be able to connect to the Domain Controller.

I will show you two methods to add them. Choose the one that suits you best.

First method

This is the most straightforward method: firewalld ships a service definition named samba-dc that lists every port a Samba DC needs. Add it to the permanent rule set:

sudo firewall-cmd --permanent --add-service samba-dc

Second method

Alternatively, open the individual ports from the command line. They cover DNS (53), Kerberos (88) and kpasswd (464), NTP (123, only relevant when Windows clients take their time from the DC), the RPC endpoint mapper (135), NetBIOS (137, 138, 139), LDAP and LDAPS (389, 636), SMB (445), the Global Catalog (3268, 3269) and the dynamic RPC port range (49152-65535/tcp). That last range is large; Samba's rpc server dynamic port range parameter in smb.conf can narrow it, in which case the firewall rule should be narrowed to match:

sudo firewall-cmd --permanent --add-port={53/udp,53/tcp,88/udp,88/tcp,123/udp,135/tcp,137/udp,138/udp,139/tcp,389/udp,389/tcp,445/tcp,464/udp,464/tcp,636/tcp,3268/tcp,3269/tcp,49152-65535/tcp}

Reload firewalld:

sudo firewall-cmd --reload

For more information about firewalld, check the following article: Control the firewall at the command line

SELinux

To run a Samba DC with SELinux in enforcing mode, switch on a few Samba-related SELinux booleans. Once they are set there is no reason to disable SELinux.

sudo setsebool -P samba_create_home_dirs=on samba_domain_controller=on samba_enable_home_dirs=on samba_portmapper=on use_samba_home_dirs=on

Restore the default SELinux security contexts. Relabeling from / walks the whole filesystem and takes a while; the directories that matter for Samba are /etc/samba and /var/lib/samba:

sudo restorecon -Rv /

Samba

First, remove the default /etc/samba/smb.conf shipped by the package, if it exists. samba-tool domain provision writes its own, and the package default (workgroup = SAMBA) conflicts with the domain name passed to samba-tool:

sudo rm -f /etc/samba/smb.conf

Samba's built-in DNS server has to listen on port 53. systemd-resolved runs a stub listener on 127.0.0.53:53 by default, and Samba fails to start with NT_STATUS_ADDRESS_ALREADY_ASSOCIATED when anything else holds port 53 (a leftover bind/named has the same effect). Disable the stub listener and point systemd-resolved at Samba's DNS instead.

Create the directory /etc/systemd/resolved.conf.d/ if it does not exist:

sudo mkdir -p /etc/systemd/resolved.conf.d/

Create the file /etc/systemd/resolved.conf.d/custom.conf that contains the custom config:

[Resolve]
DNSStubListener=no
Domains=onda.org
DNS=10.1.1.10

Change the DNS and Domains entries to your own DC's address and domain. After the restart, resolvectl status should list 10.1.1.10 as the only DNS server. If nameservers left over from the installation are still listed (in /etc/systemd/resolved.conf or the network configuration), remove them; otherwise queries for the domain may be sent elsewhere and the DNS tests below return NXDOMAIN.

Restart the systemd-resolved service:

sudo systemctl restart systemd-resolved

Finally, provision the domain. samba-tool performs every step needed to turn this host into an AD DC: the directory database, the SYSVOL and NETLOGON shares, the DNS zones and smb.conf are all created by the command below.

Using samba-tool, provision the domain:

sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=ONDA.ORG --domain=ONDA --adminpass=sVbOQ66iCD3hHShg

--realm is the Kerberos realm, the DNS domain in upper case; --domain is the NetBIOS (short) domain name. --adminpass sets the password of the domain Administrator. Passing it on the command line, as above, leaves it in your shell history and, while the command runs, visible to every local user in the process list; omit the option and samba-tool prompts for it instead. Whatever you choose must meet the default AD password policy (at least 7 characters, drawn from mixed character classes), or provisioning aborts.

The --use-rfc2307 argument adds the RFC 2307 POSIX attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos) to the directory, so Unix user and group information can be stored in AD alongside the Windows attributes; the --unix-home and --login-shell options used when creating a user below depend on it.

Check the dns forwarder parameter in the [global] section of /etc/samba/smb.conf. Provisioning takes it from the nameserver in /etc/resolv.conf at the time it runs, which after the systemd-resolved change above is the DC itself (10.1.1.10). A forwarder pointing at the DC's own address means every query for a zone the DC does not host is forwarded back to itself and never answered. Set it to an upstream resolver instead; in my case 8.8.8.8, however your mileage may vary.
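As an added example written for this article (not Samba's tooling), the script below reads dns forwarder and server role out of smb.conf and refuses a forwarder that points back at the DC. It assumes the layout samba-tool writes (a [global] section with key = value lines) and takes the DC's own address as an argument.

```bash
#!/usr/bin/env bash
# check-dns-forwarder.sh - verify the forwarder samba-tool wrote into smb.conf.
# Added example for this article; not part of Samba.
# Usage: check-dns-forwarder.sh <dc-ip> [smb.conf]
#        ./check-dns-forwarder.sh 10.1.1.10 /etc/samba/smb.conf
set -u

# Print the value of one [global] parameter. Samba ignores case and whitespace
# inside parameter names ("dns forwarder" == "dnsforwarder"), so compare on the
# normalised form; comment lines (# or ;) are skipped.
smb_global() {   # smb_global <smb.conf> <parameter>
    awk -v key="$2" '
        BEGIN { key = tolower(key); gsub(/[ \t]/, "", key) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && index($0, "=") {
            name = tolower($0); sub(/=.*/, "", name); gsub(/[ \t]/, "", name)
            if (name == key) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# "dns forwarder" is where Samba'"'"'s internal DNS sends queries for zones it
# does not hold. Provisioning copies it from /etc/resolv.conf, which this guide
# has already pointed at the DC itself, so the value has to be checked: a
# forwarder equal to the DC'"'"'s own address or loopback just loops.
check_forwarder() {   # check_forwarder <smb.conf> <dc-ip>
    local conf=$1 own=$2 fwd f rc=0
    fwd=$(smb_global "$conf" "dns forwarder")
    if [ -z "$fwd" ]; then
        echo "FAIL: no 'dns forwarder' in [global] of $conf"; return 1
    fi
    for f in $fwd; do   # the parameter accepts a space-separated list
        case "$f" in
            "$own"|127.*|::1|0.0.0.0) echo "FAIL: forwarder $f points back at this DC"; rc=1 ;;
            *)                        echo "OK:   forwarder $f" ;;
        esac
    done
    return "$rc"
}

# Sanity check that the file really describes a DC and not a member server.
check_role() {   # check_role <smb.conf>
    [ "$(smb_global "$1" 'server role' | tr '[:upper:]' '[:lower:]')" = "active directory domain controller" ]
}

main() {   # main <dc-ip> [smb.conf]
    local own=$1 conf=${2:-/etc/samba/smb.conf} rc=0
    check_role "$conf" || { echo "FAIL: 'server role' in $conf is not the AD DC role"; rc=1; }
    check_forwarder "$conf" "$own" || rc=1
    return "$rc"
}

if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it right after provisioning and again after editing smb.conf; a FAIL on the forwarder is the loop described above and must be fixed before starting Samba.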

Kerberos

Samba ships a krb5.conf template that we will use. Fedora's /etc/krb5.conf includes every file in /etc/krb5.conf.d/, so a drop-in there is enough:

sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc

Edit /etc/krb5.conf.d/samba-dc to match your organization. default_domain is the DNS domain (lower case), not the NetBIOS name, and the [domain_realm] entries map every host under onda.org to the realm:

[libdefaults]
default_realm = ONDA.ORG
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
ONDA.ORG = {
default_domain = onda.org
}

[domain_realm]
.onda.org = ONDA.ORG
onda.org = ONDA.ORG

Starting and enabling Samba on boot time

To make sure that Samba starts on system initialization, enable and start the samba unit (the AD DC daemon from samba-dc). Do not enable the smb and nmb units as well; they belong to a standalone file server, and the samba daemon already runs smbd and winbindd itself:

sudo systemctl enable samba
sudo systemctl start samba

Testing

Connectivity

$ smbclient -L localhost -N

The output shows an anonymous connection succeeding and the sysvol and netlogon shares that provisioning created:

Anonymous login successful
        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        IPC$            IPC       IPC Service (Samba 4.15.6)
SMB1 disabled -- no workgroup available
The final line about SMB1 is expected, not an error: the DC speaks only SMB2/3, and the legacy workgroup browse list needs SMB1.

Now, test the Administrator login to netlogon share:

$ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Password for [ONDA\Administrator]:
  .                              D        0  Sat Mar 26 05:45:13 2022
  ..                             D        0  Sat Mar 26 05:45:18 2022

                8154588 blocks of size 1024. 7307736 blocks available

DNS test

To test if the name resolution is working, execute the following commands:

$ host -t SRV _ldap._tcp.onda.org.
_ldap._tcp.onda.org has SRV record 0 100 389 dc1.onda.org.
$ host -t SRV _kerberos._udp.onda.org.
_kerberos._udp.onda.org has SRV record 0 100 88 dc1.onda.org.
$ host -t A dc1.onda.org.
dc1.onda.org has address 10.1.1.10

If you get the error:

-bash: host: command not found 

Install the bind-utils package:

sudo dnf install bind-utils

Kerberos test

Testing Kerberos is important because Kerberos issues the tickets clients use to authenticate, and it rejects requests when client and server clocks differ by more than the permitted skew (five minutes by default).

It cannot be stressed enough: date and time must be correct, which is why a time synchronization service has to run on both the server and every client.

$ kinit administrator
$ klist
kinit prompts for the Administrator password; klist must then show a ticket-granting ticket, krbtgt/ONDA.ORG@ONDA.ORG. If kinit reports that it cannot find the realm of the host, the hostname is not fully qualified (see the Hostname section).
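The three tests above, gathered into one script. This is an added example for this article, not Samba's own tooling; it relies on host, smbclient and kinit/klist from the packages installed earlier, additionally checks the _kerberos._tcp and _kpasswd._udp SRV records that provisioning registers, and takes the domain, DC name and address as arguments.

```bash
#!/usr/bin/env bash
# dc-healthcheck.sh - run the connectivity, DNS and Kerberos tests above in
# one go. Added example for this article; relies on host (bind-utils),
# smbclient (samba-client) and kinit/klist (krb5-workstation).
# Usage: dc-healthcheck.sh <domain> <dc-fqdn> <dc-ip>
#        ./dc-healthcheck.sh onda.org dc1.onda.org 10.1.1.10
set -u

# "host -t SRV" prints:  _ldap._tcp.onda.org has SRV record 0 100 389 dc1.onda.org.
# fields:                 1                   2   3   4      5 6   7   8
expect_srv() {   # expect_srv <record> <port> <dc-fqdn>
    local rec=$1 port=$2 target=$3 out
    out=$(host -t SRV "$rec" 2>&1) || { echo "FAIL $rec: $out"; return 1; }
    if printf '%s\n' "$out" | awk -v p="$port" -v t="$target." \
        '$4 == "record" && $7 == p && $8 == t { ok = 1 } END { exit !ok }'; then
        echo "OK   $rec -> $target:$port"
    else
        echo "FAIL $rec: expected $target port $port, got: $out"; return 1
    fi
}

# "host -t A" prints:  dc1.onda.org has address 10.1.1.10
expect_a() {   # expect_a <fqdn> <ip>
    local out
    out=$(host -t A "$1" 2>&1) || { echo "FAIL $1: $out"; return 1; }
    if printf '%s\n' "$out" | awk -v ip="$2" \
        '$3 == "address" && $4 == ip { ok = 1 } END { exit !ok }'; then
        echo "OK   $1 -> $2"
    else
        echo "FAIL $1: expected $2, got: $out"; return 1
    fi
}

# Anonymous listing must show the two shares provisioning created. smbclient's
# exit status is ignored on purpose: the trailing "SMB1 disabled" notice is not
# a failure.
expect_shares() {   # expect_shares <server>
    local out
    out=$(smbclient -L "$1" -N 2>&1 || true)
    if printf '%s\n' "$out" | grep -q '^[[:space:]]*sysvol[[:space:]]' &&
       printf '%s\n' "$out" | grep -q '^[[:space:]]*netlogon[[:space:]]'; then
        echo "OK   sysvol and netlogon visible on $1"
    else
        echo "FAIL share listing on $1: $out"; return 1
    fi
}

# kinit prompts for the password; klist must then show a TGT for the realm.
# The usual cause of failure here is clock skew between client and DC.
expect_kerberos() {   # expect_kerberos <REALM> [principal]
    local realm=$1 princ=${2:-Administrator}
    kinit "$princ@$realm" || { echo "FAIL kinit $princ@$realm"; return 1; }
    if klist 2>/dev/null | grep -q "krbtgt/$realm@$realm"; then
        echo "OK   TGT for $princ@$realm"
    else
        echo "FAIL no krbtgt/$realm ticket in the credential cache"; return 1
    fi
}

main() {   # main <domain> <dc-fqdn> <dc-ip>
    local domain=$1 dc=$2 ip=$3 rc=0 realm
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    expect_srv "_ldap._tcp.$domain"     389 "$dc" || rc=1
    expect_srv "_kerberos._tcp.$domain"  88 "$dc" || rc=1
    expect_srv "_kerberos._udp.$domain"  88 "$dc" || rc=1
    expect_srv "_kpasswd._udp.$domain"  464 "$dc" || rc=1
    expect_a "$dc" "$ip"                          || rc=1
    expect_shares "$dc"                           || rc=1
    expect_kerberos "$realm"                      || rc=1
    return "$rc"
}

if [ "$#" -eq 3 ]; then main "$@"; fi
```

Run it on the DC first; then run it from a client that uses the DC as its resolver, which is where NXDOMAIN answers and clock-skew failures usually show up.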

Adding a user to the Domain

samba-tool provides us an interface for executing Domain administration tasks, so we can add a user to the Domain easily.

The samba-tool help is very comprehensive:

$ samba-tool user add --help

Adding user danielk to the domain:

sudo samba-tool user add danielk --unix-home=/home/danielk --login-shell=/bin/bash --gecos 'Daniel K.' --given-name=Daniel --surname='Kühl' --mail-address='danielk@onda.org'
samba-tool prompts for the new user's password, which must satisfy the domain policy (see samba-tool domain passwordsettings show). The --unix-home and --login-shell values are stored in the RFC 2307 attributes enabled at provisioning. For an account you hand over to a person, add --must-change-at-next-login so that the initial password is replaced on first use.

To list the users on Domain:

sudo samba-tool user list

Wrap up and conclusion

We started out by installing Samba and the required applications on a fresh Fedora Linux 35 installation, and explained the problems this solution solves. Thereafter, we did the initial configuration that prepares the environment for Samba to operate as an AD Domain Controller.

Then, we proceeded to cover how to have Samba up and running alongside Fedora Linux security features, like having it working with firewalld and SELinux enabled. We did some important testing to make sure everything was fine and ended by showing a bit on how to administrate users using samba-tool.

To summarize, if you want a robust solution for centralizing authentication across your network, servers, and services, consider using this approach as part of your infrastructure. (A Windows 10 client can be joined to this Samba domain as well; tested with Windows 10 Professional version 20H2.)

Now that you know how to have a Samba as AD and Domain Controller solution, what would you like to see covered next? Share your thoughts in the comments below.


53 Comments

  1. Tigg

    Hello. Subjects written by engineers and dealing with domain controllers for Linux platforms with up-to-date instructions and commands are rare. That is then a wise initiative you had. I wish a subject would deal with FreeIPA for environments exclusively composed of Linux hosts, so the need to support non-Linux hosts is null. In this regard the latest guide issued by the Fedora Project at https://docs.fedoraproject.org/en-US/docs/– currently by link ‘Older releases’– is self explicit. It has version number 18 while current version, now as beta, is 36, then ‘2 x 18’.

    Attempting to observe those instructions and commands within that guide shall at best reveal their partial obsolescence which is inevitable when maintenance of ageing documentation is null. As we can’t easily conceive it, such a maintenance is a huge task for a single person. Sad it would be to end-up relying on issues of the present magazine in order to get at last valid instructions and commands for Linux key components, among them FreeIPA. In the meanwhile a subject here involving Qemu/KVM, e.g via virt-manager – now in v. 4.0.0 with Libvirt, now in v. 8.1.0 –, for the achievement of such project would be most welcome

    • Phoenix

      I second that. Using FreeIPA in a lightweight way myself and would like to dive in deeper.

      While this article is definitely something for a mixed environment (which is true for most use cases), I too would love to see a more in-depth article on FreeIPA integration. In particular when it comes to avoiding any traps during installation, configuration or getting the CSR accepted by an official CA as well as HBAC rules.

      Anyway: With most articles more tailored for the entry or intermediate user, this is one of the first more advanced articles/guides for Fedora I consciously read here. Well done! Would like to see more.

  2. Germano Massullo

    Thank you Daniel, very useful article

  3. Conan Kudo (ニール・ゴンパ)

    Samba in Fedora (including Samba AD) is linked to MIT Kerberos, so I’m confused why you’re installing heimdal-workstation. It doesn’t use it at all. Couldn’t you just use the regular krb5-workstation package instead?

  4. ShortCircuit

    Do you have an article yet on joining Linux and Windows clients to the domain controller?

  5. Jake

    I honestly thought redhat did not support samba in domain controller mode?

    • JoshuaPK

      RedHat does not support Samba4 AD DC in the Enterprise Linux ecosystem- just Fedora. You can, however, get Samba4 AD DC in Enterprise Linux by compiling Samba4 from scratch.

  6. Hi Daniel, congratulations for the article, very useful. You already commented that there will be a next article on how to insert clients in that domain, I would also like to suggest that you cover how to add a group policy in the domain and that it would be applied to all clients of that domain (windows10,7), for example, turning off the windows update 😉 not that easy huh ?? worth a challenge, thank you, good work and luck out there!!

    • Hey Marcelo, thank you for your kind words.

      Definitely I will cover Group Policy for that. Thanks for suggesting it.

  7. William Firmino

    Is it possible to do the same thing using RHEL 8?

    • JoshuaPK

      In order to do this in any of the Enterprise Linux versions you’d have to compile Samba4 from scratch, as RedHat does not officially support Samba4 AD domain controller mode.

    • Aaron

      A company in France, https://www.tranquil.it/en/, maintains a CentOS/RHEL repo for SAMBA AD server. The company maintains a good documentation for installing and configuring a SAMBA AD server for both RHEL/CentOS and Debian in both English and French, https://samba.tranquil.it/doc/en/. You can find the repos at https://samba.tranquil.it/. I have been using the repos for several years on a CentOS 7 vm without any issues.

  8. nice, waiting for part when you going to join windows machines into domain controller and define some group policy for them, eg set default printers, installation of software, mapping network drive, etc…

    • Linux-Windows interoperability, in my experience, has always been a game of cat and mouse. I doubt we will want to run an article on how to work on Windows in this magazine. I think about the best you could hope for is a pointer to some of Microsoft’s documentation with a big YMMV (your mileage may vary) tacked onto the end. Future articles should probably focus on how Linux services (e.g. SSSD) can be configured to use this Samba DC.

      • Robert Redziak

        To be honest, if you need domain like services for Linux, it is better to use FreeIPA than Samba. However there are many small businesses which run Samba for their Windows clients instead of Windows Server with appropriate licenses to save some money.

        PS. I wish samba used FreeIPA as an engine/backend.

        • William B Peckham

          FYI:. FreeIPA uses samba as a backend according to the FreeIPA site data.

          • Robert Redziak

            FreeIPA uses Samba to manage trust between IPA domain and AD. But standalone FreeIPA is based on a mix of Kerberos 5 with LDAP (389.org) on server(s) and SSSD on IPA domain members, and many, many other stuff like DogTag, BIND, softHSM if I’m not mistaken.

            IPA’s design basically resembles AD one, but of course the devil is in the details (for example LDAP Schemas are incompatible).

  9. Super useful, straight to the point and very convenient. Thank you, very much, for this! ;D

  10. Catiane

    Nice to know that I can safely run Samba with SELinux enabled. Thanks for the guide!

  11. Waethorn

    Seems like a lot of Microsoft technologies are getting heavily-integrated into Linux: SMB, Active Directory, RDP, Hyper-V Enlightenment, DirectX, etc…

    Are they trying to tell us something?

  12. William B Peckham

    I like the article and the level of detail that you put into it, very useful. It does give the false impression that there is something unique to Fedora that makes it a platform of choice for this, while it is obviously not optimal for anything you want to run for a year or more. Are you planning more articles covering other base distributions: Arch/Manjaro, Debian, Ubuntu, etc.?

  13. Slava

    This is an awesome guide, thank you! Can you please do a part two for sharing printers via Samba/AD ? Thank you!

  14. werfkwoe

    how convert avif file to png?
    from commandline in fedora

  15. stippi

    Hi,
    I am wondering why DNS is not working for me:
    Host _ldap._tcp.ondra.org. not found: 3(NXDOMAIN)
    Where can I find further hints on making it work?
    I’m stuck here. And it’s not the first time I failed configuring SAMBA as a DC and it was always DNS which was the pitfall. 🙁

    • Are you running that query on the samba server itself or from another machine? In either case, the output from

      resolvectl

      might help you to figure out how your DNS queries are being routed.

    • Tim

      I had a similar issue. In my case I had other DNS servers listed in /etc/resolv.conf left over from installation, but you should only see your own Samba server. I edited /etc/systemd/resolved.conf to list my samba server as the only DNS provider and restarted systemd-resolved, and that solved it for me.

      Looking forward to the follow up article(s).

      • stippi

        Hi Tim & Gregory Bartholomew,

        both of you gave the right hints, but nevertheless after I got DNS resolve-stuff running I cannot get kerberos to fly:
        kinit: krb5_parse_name_flags: unable to find realm of host dc1
        As the advise was to check the time on both server and client I can confirm both do have the same time. Plus I double-checked /etc/krb5.conf.d/samba-dc and there seems nothing to be wrong.

        • I wonder if the hostname needs to be fully-qualified? It is recommended in the documentation: Understanding_Host_Names

          Is the FQDN shown in the output of the hostnamectl command? If not, does running something like

          hostnamectl hostname dc1.$(sed -n '/default_realm/ {s/.* \(.*\)/\L\1\E/; p;}' /etc/krb5.conf.d/samba-dc)

          help?

          • stippi

            Hello Gregory,

            nope, but I set the FQDN manually (hostnamectl hostname dc1.onda.org) and that looks like it’s working now. Thank you for your assistance. You made my day.

  16. Darkmagewall

    Hi there,

    I do like this article and thanks for creating and sharing.

    Following your article exactly as posted, I’m getting a lot of error messages in the samba log file. This one appears right after the samba service starts.

    [2022/04/11 01:40:28.423869, 0] ../../source4/samba/server.c:626(binary_smbd_main)

    This is a fresh install of Fedora server 35 and everything else.

    Please help

    Darkmagewall

    • Not every message in the log file is necessarily an error. Some of them are just notices. The line you mentioned does not look like an error. I have similar lines in an older samba server that I’m running.

      Dec 29 22:11:36 example.edu smbd[41]: [2021/12/30 04:11:36.518540,  0] ../../lib/util/become_daemon.c:135(daemon_ready)
      Dec 29 22:11:36 example.edu smbd[41]:   daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
      
      • Darkmagewall

        Hi Gregory,

        I started Samba once I got home. Here is what I’m getting

        5:35 PM
        samba_terminate: samba_terminate of samba 6931: mitkdc child process exited
        samba
        5:35 PM
        [2022/04/11 17:35:44.993381, 0] ../../source4/samba/server.c:392(samba_terminate)
        samba
        5:35 PM
        initialize_winbindd_cache: clearing cache and re-creating with version number 2
        winbindd
        5:35 PM
        [2022/04/11 17:35:38.144426, 0] ../../source3/winbindd/winbindd_cache.c:3085(initialize_winbindd_cache)
        winbindd
        5:35 PM
        Copyright Andrew Tridgell and the Samba Team 1992-2021
        winbindd
        5:35 PM
        winbindd version 4.15.6 started.
        winbindd
        5:35 PM
        [2022/04/11 17:35:38.007925, 0] ../../source3/winbindd/winbindd.c:1722(main)
        winbindd
        5:35 PM
        Failed to bind to 0.0.0.0:53 TCP – NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
        samba
        5:35 PM
        [2022/04/11 17:35:37.920788, 0] ../../source4/dns_server/dns_server.c:648(dns_add_socket)
        samba
        5:35 PM
        stream_setup_socket: Failed to listen on 0.0.0.0:53 – NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
        samba
        5:35 PM
        [2022/04/11 17:35:37.917841, 0] ../../source4/samba/service_stream.c:372(stream_setup_socket)
        samba
        5:35 PM
        Copyright Andrew Tridgell and the Samba Team 1992-2021
        smbd
        5:35 PM
        smbd version 4.15.6 started.
        smbd
        5:35 PM
        [2022/04/11 17:35:37.908823, 0] ../../source3/smbd/server.c:1734(main)
        smbd
        5:35 PM
        binary_smbd_main: samba: using ‘prefork’ process model
        samba
        5:35 PM
        [2022/04/11 17:35:37.836405, 0] ../../source4/samba/server.c:907(binary_smbd_main)
        samba
        5:35 PM
        daemon_status: daemon ‘samba’ : Starting process…
        samba
        5:35 PM
        [2022/04/11 17:35:37.699776, 0] ../../lib/util/become_daemon.c:150(daemon_status)
        samba
        5:35 PM
        Copyright Andrew Tridgell and the Samba Team 1992-2021
        samba
        5:35 PM
        samba version 4.15.6 started.
        samba
        5:35 PM
        [2022/04/11 17:35:37.698397, 0] ../../source4/samba/server.c:626(binary_smbd_main)

        Darkmagewall

        • Failed to bind to 0.0.0.0:53 TCP – NT_STATUS_ADDRESS_ALREADY_ASSOCIATED

          It is saying it cannot start because something is listening on port 53. The following command might tell you what service is listening on that port.

          ss -ap 'sport = :53'
          • Darkmagewall

            Thanks for the command; it showed I had bind (named) running. I stopped it and now I'm getting this below:

            2:46 AM
            samba.service: Consumed 1.911s CPU time.
            systemd
            2:46 AM
            samba.service: Failed with result ‘exit-code’.
            systemd
            2:46 AM
            samba.service: Main process exited, code=exited, status=1/FAILURE
            systemd
            2:46 AM
            samba_terminate: samba_terminate of samba 2536: mitkdc child process exited
            samba
            2:46 AM
            [2022/04/12 02:46:47.876862, 0] ../../source4/samba/server.c:392(samba_terminate)
            samba
            2:46 AM
            initialize_winbindd_cache: clearing cache and re-creating with version number 2
            winbindd
            2:46 AM
            [2022/04/12 02:46:45.348131, 0] ../../source3/winbindd/winbindd_cache.c:3085(initialize_winbindd_cache)
            winbindd
            2:46 AM
            Copyright Andrew Tridgell and the Samba Team 1992-2021
            winbindd
            2:46 AM
            winbindd version 4.15.6 started.
            winbindd
            2:46 AM
            [2022/04/12 02:46:45.226147, 0] ../../source3/winbindd/winbindd.c:1722(main)
            winbindd
            2:46 AM
            Started Samba AD Daemon.
            systemd
            2:46 AM
            Copyright Andrew Tridgell and the Samba Team 1992-2021
            smbd
            2:46 AM
            smbd version 4.15.6 started.
            smbd
            2:46 AM
            [2022/04/12 02:46:45.094329, 0] ../../source3/smbd/server.c:1734(main)
            smbd
            2:46 AM
            No dictionary file specified, continuing without one.
            samba
            2:46 AM
            binary_smbd_main: samba: using ‘prefork’ process model
            samba
            2:46 AM
            [2022/04/12 02:46:45.035517, 0] ../../source4/samba/server.c:907(binary_smbd_main)
            samba
            2:46 AM
            daemon_status: daemon ‘samba’ : Starting process…
            samba
            2:46 AM
            [2022/04/12 02:46:44.897526, 0] ../../lib/util/become_daemon.c:150(daemon_status)
            samba
            2:46 AM
            Copyright Andrew Tridgell and the Samba Team 1992-2021
            samba
            2:46 AM
            samba version 4.15.6 started.
            samba
            2:46 AM
            [2022/04/12 02:46:44.896990, 0] ../../source4/samba/server.c:626(binary_smbd_main)
            samba
            2:46 AM
            Starting Samba AD Daemon…
            systemd

            Thanks for your help with trying to resolve this.

            • Failed with result ‘exit-code’

              Unfortunately, that error is too generic to diagnose. You might have omitted some important error messages that occurred earlier or you might need to increase the verbosity of the logging. In either case, the guide shows how to get this working on “A fresh Fedora Linux 35 server installation.” If you are not working from a fresh installation, there are too many possibilities as to what could be misconfigured to diagnose remotely. Normally, someone is designated as the administrator for such a system and it is their responsibility to know how the system has been altered in the past and how those alterations might affect other programs running on the system. I’ve even seen error messages that say, “Contact your system administrator.” 🙂

              • Darkmagewall

                I’ll nuke it and start with a fresh install, with the other changes that I made.

                Yes Admin in training here, but learning a lot a very fast. It’s for home use to start and I’ll build from there. It’ my domain and I want to have full control over it and host it as well.

                if issues i will reach back out.

              • @Darkmagewall: Our apologies, but there may have been an issue with the ordering of a few of the commands. We’ve just revised this article so that Samba isn’t started until after the Kerberos configuration is complete. Let us know if this resolved the problem.

  17. SD

    Awesome article. Just want to say thank you for pointing out how to allow it with SElinux instead of the normal “just disable.”

    Great stuff. Kudos.

  18. Özgür Ertürk

    Hi Daniel,

    Thank you for your effort. Your work neatly wraps up the pieces in the Samba Wiki which are scattered there.

    Just recently I have installed Samba-AD-DC in an lxd container for my small office network. The only difference from your article is that I have setup ISC DHCP / BIND DNS in the same container as well and enabled BIND_DLZ.

    Thanks again.

    Regards,
    Özgür

  19. Rob

    Microsoft deprecated idmu quite some time ago.

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772571(v=ws.11)?redirectedfrom=MSDN

    Keep that in mind when you reapply your posix attributes in modern windows AD environments

    As described in this doc
    https://docs.microsoft.com/en-us/windows/win32/adschema/c-posixaccount

    nice for home systems, and yeah you might be lucky and never experience any issues.

    But I would think twice on implementing a feature on a windows ad that is not supported by microsoft nor redhat/fedora.

    Cheers
    Rob

  20. Rob

    oh yeah… here’s redhat response to it
    https://access.redhat.com/articles/3023821

    Rob

  21. Darkmagewall

    Works as described. thank you so very much!!! next add users, etc.

  22. Martin

    Thank you for this write up.

    Could you elaborate on how you made the console gifs – I’ve been looking for something like that for my teaching in Linux commands, and haven’t been successful with the programs I’ve found so far.

    • Sure, for Fedora Linux I use Peek, for Windows I use ScreenToGif and for macOS I use GIF Brewery 3.

    • In addition to what Daniel mentioned, some people might find termtosvg an interesting option. Instead of encoding to gif, it encodes to svg which might yield a smaller file size and scale better.


The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions