Zedicus
[H]ard|Gawd
NOTE: cleaned up some things, 4/3/18
my original Debian AD DC is based on Debian 6 and it has been upgraded a couple times but is starting to show weird errors, time to just build a new one. problem is none of the Ubuntu guides work out of the box on Debian. so these are my alterations to build a Debian 9.4 AD DC.
samba4 samba 4 active directory domain controller guide (REAL ACTIVE DIRECTORY, NOT LDAP)
NOTE: for the moment this is a notes dump (so I can get to it at home and work easily.) I will clean it up and add more pictures next week.
built on a Debian 9.4 install, BASE SYSTEM ONLY.
first boot, apt-get install acl attr ntp ntpdate openssh-server dnsutils
nano /etc/fstab
add user_xattr,acl,barrier=1,noatime options on disks where samba connects
mount -a (if no errors, reboot)
apt -y install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
NOTE: borking this step causes unfixable failure and needs reinstall
screen 1 needs CAPS DOMAIN.NAME
screen 2 needs no caps FQDN servername.domain.name
screen 3 needs no caps FQDN servername.domain.name
systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
mv /etc/samba/smb.conf /etc/samba/smb.old
samba-tool domain provision --use-rfc2307 --interactive
defaults
mv /etc/krb5.conf /etc/krb5.old
mv /var/lib/samba/private/krb5.conf /etc/krb5.conf
FIXING ALL THE CONFIGS
nano /etc/hosts: add "127.0.0.1 domain.name servername" and "ipaddy FQDN servername"; do not remove anything
nano /etc/network/interfaces -- add lines dns-nameservers 'your-ip' dns-search 'domain.name'
nano /etc/hostname (may or may not need fixing)
nano /etc/resolv.conf will need fixing; lots of options for this
nano /etc/samba/smb.conf in global add "server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs" no quotes (it will NOT work correctly without this and you will be confused by the errors, you have been warned)
systemctl unmask samba-ad-dc.service
systemctl start samba-ad-dc.service
systemctl enable samba-ad-dc.service
systemctl status samba-ad-dc.service
samba-tool domain level show (should = windows 2008R2)
REBOOT
TESTING
ping FQDN, domain.name, server name
host -t A tecmint.lan
host -t A adc1.tecmint.lan
host -t SRV _kerberos._udp.tecmint.lan # UDP Kerberos SRV record
host -t SRV _ldap._tcp.tecmint.lan # TCP LDAP SRV record
kinit administrator
kinit [email protected]
klist
finally test joining some windows machines to the domain
this system can be managed by a windows machine running RSAT. DNS, gp, active directory all function normally in RSAT. DHCP MUST be handled by a different system.
in DNS make sure to create your reverse lookup zones.
boot issue: samba-ad-dc needs a delay added post net
nano /lib/systemd/system/samba-ad-dc.service add
After=network-online.target
Wants=network-online.target
systemctl daemon-reload
systemctl restart samba-ad-dc
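Added post-provision check script, written here as an example and not part of the post. The smb.conf fragment and the host output it embeds are constructed samples; the tecmint.lan / adc1.tecmint.lan names come from the post's TESTING section, and verify_dc_dns assumes the host command from dnsutils is installed on the DC.

```shell
# Constructed smb.conf fragment in the shape the post describes (sample values, not a real config).
SMB_CONF_SAMPLE='[global]
        workgroup = TECMINT
        realm = TECMINT.LAN
        server role = active directory domain controller
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs
[sysvol]
        path = /var/lib/samba/sysvol
'
# Reads smb.conf text on stdin; returns 0 if the [global] "server services" line
# lists every service named in "$@", else prints the missing ones and returns 1.
check_server_services() {
    services=$(awk '/^\[/ { ingl = ($0 == "[global]") }
                    ingl && /^[[:space:]]*server services[[:space:]]*=/ { sub(/^[^=]*=/, ""); print }' \
               | tr ',' ' ')
    rc=0
    for want in "$@"; do
        found=0
        for have in $services; do
            [ "$have" = "$want" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "missing service: $want"
            rc=1
        fi
    done
    return $rc
}

# Reads "host -t SRV" output on stdin; returns 0 if an SRV record targets the
# expected DC FQDN (trailing dot tolerated), 1 otherwise (including NXDOMAIN).
srv_points_at() {
    awk -v want="$1" '
        / has SRV record / { t = $NF; sub(/\.$/, "", t); if (t == want) ok = 1 }
        END { exit(ok ? 0 : 1) }'
}
# Live check against the running DC; needs the host command from dnsutils.
# usage: verify_dc_dns domain.name servername.domain.name
verify_dc_dns() {
    dom=$1; dc=$2; rc=0
    for rec in _kerberos._udp _ldap._tcp; do
        if host -t SRV "$rec.$dom" | srv_points_at "$dc"; then
            echo "ok: $rec.$dom -> $dc"
        else
            echo "FAIL: $rec.$dom does not point at $dc"; rc=1
        fi
    done
    return $rc
}
```

Run `check_server_services rpc kdc dns s3fs < /etc/samba/smb.conf` on the real config and `verify_dc_dns tecmint.lan adc1.tecmint.lan` on the DC; a missing service or an SRV record pointing elsewhere is reported before any Windows machine tries to join.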