How To Install and Configure Excellent Samba4 Appliance as Active Directory Server Part 2


Previous article : https://imanudin.net/2016/03/12/how-to-install-and-configure-excellent-samba4-appliance-as-active-directory-server-part-1/

# Provisioning Samba

After Samba4 has been compiled and installed, you can provision it as an Active Directory domain controller. Provisioning is the equivalent of dcpromo on Windows Server.

Run the following command on the samba4 server:

/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive

Fill in the prompts as in the following example:

Realm : your domain, e.g. IMANUDIN.NET
Domain : your workgroup (usually the domain name without the TLD), e.g. IMANUDIN
Server Role : dc
DNS backend : BIND9_DLZ
Password : VerySecret123 (the password must be at least 8 characters long and contain at least one upper-case letter, one lower-case letter and one digit)

If you see output like the following, Samba4 has been provisioned successfully:

[screenshot: samba-tool domain provision output]

# Starting Samba4

To stop and start Samba4, I have put an init script in the /srv/ai folder. You can install it as a service as follows:

cp /srv/ai/samba4 /etc/init.d/samba4
chmod 755 /etc/init.d/samba4
chmod +x /etc/init.d/samba4
chkconfig samba4 on
service samba4 restart
service samba4 status

# Test access to a shared folder

/usr/local/samba/bin/smbclient //localhost/netlogon -Uadministrator%VerySecret123

VerySecret123 is the password you set during provisioning. If the connection succeeds, the prompt changes to smb: \>

# Configure Dynamic DNS Server

Configure named.conf so that BIND answers DNS queries from the Samba AD database through the BIND9_DLZ backend chosen during provisioning.

vi /etc/named.conf

Add and adjust the following line at the bottom of the file:

include "/usr/local/samba/private/named.conf";

Open /etc/sysconfig/named and change NAMED_RUN_CHROOTED="yes" to no:

NAMED_RUN_CHROOTED="no"

Change the owner of the /var/lib/named folder to named:

chown named /var/lib/named/

Open /usr/local/samba/private/named.conf and make sure the module for BIND 9.9.x is the one enabled:

dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};

Restart the DNS service and test it:

systemctl restart named
systemctl status named
systemctl enable named
host -t SRV _ldap._tcp.imanudin.net.
host -t SRV _kerberos._udp.imanudin.net.
host -t A imanudin.net.

The result should look like the output below. If it differs, the DNS configuration probably still has a problem.

[root@samba4 ~]# host -t SRV _ldap._tcp.imanudin.net.
_ldap._tcp.imanudin.net has SRV record 0 100 389 samba4.imanudin.net.
[root@samba4 ~]# host -t SRV _kerberos._udp.imanudin.net.
_kerberos._udp.imanudin.net has SRV record 0 100 88 samba4.imanudin.net.
[root@samba4 ~]# host -t A imanudin.net.
imanudin.net has address 192.168.1.111
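As an added example (not from the original post), the following POSIX shell script automates the three checks above: it parses `host` output lines and verifies that the LDAP and Kerberos SRV records point at the domain controller on the expected ports and that the domain's A record resolves to the DC. The domain, DC name and IP are the post's sample values and are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not part of the original post: validate the DNS records an
# AD domain controller must publish (see the host commands above).
# The parsing functions take a single line of `host` output, so they can be
# exercised on constructed sample lines; verify_dc_dns() runs the live queries.

# srv_ok "<host -t SRV output line>" <expected port> <expected dc fqdn>
# host prints: "_ldap._tcp.DOMAIN has SRV record PRIO WEIGHT PORT TARGET."
srv_ok() {
  expected_port=$2; expected_dc=$3
  set -- $1
  [ "$3" = "SRV" ] && [ "$7" = "$expected_port" ] && [ "${8%.}" = "$expected_dc" ]
}

# a_ok "<host -t A output line>" <expected ip>
# host prints: "NAME has address IP"
a_ok() {
  expected_ip=$2
  set -- $1
  [ "$3" = "address" ] && [ "$4" = "$expected_ip" ]
}

# any_line_ok <check function> <expected args...>   (reads host output on stdin)
# Succeeds if at least one answer line passes, since several DCs may answer.
any_line_ok() {
  fn=$1; shift
  while IFS= read -r line; do
    "$fn" "$line" "$@" && return 0
  done
  return 1
}

# verify_dc_dns <domain> <dc fqdn> <dc ip>   (live queries, as in the post)
verify_dc_dns() {
  domain=$1; dc=$2; ip=$3; rc=0
  host -t SRV "_ldap._tcp.$domain." | any_line_ok srv_ok 389 "$dc" \
    || { echo "missing or wrong LDAP SRV record for $domain"; rc=1; }
  host -t SRV "_kerberos._udp.$domain." | any_line_ok srv_ok 88 "$dc" \
    || { echo "missing or wrong Kerberos SRV record for $domain"; rc=1; }
  host -t A "$domain." | any_line_ok a_ok "$ip" \
    || { echo "$domain does not resolve to $ip"; rc=1; }
  return $rc
}

# Usage: sh check_dc_dns.sh imanudin.net samba4.imanudin.net 192.168.1.111
if [ $# -eq 3 ]; then
  verify_dc_dns "$1" "$2" "$3"
fi
```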

# Configure Kerberos

cp /etc/krb5.conf /etc/krb5.conf.ori
cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

# Testing Kerberos

kinit administrator
klist -e

The following is the output of the commands above:

[root@samba4 ~]# kinit administrator
Password for administrator@IMANUDIN.NET: 
Warning: Your password will expire in 41 days on Sat Mar 12 23:41:47 2016
[root@samba4 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@IMANUDIN.NET

Valid starting     Expires            Service principal
03/12/16 23:41:04  03/12/16 10:57:04  krbtgt/IMANUDIN.NET@IMANUDIN.NET
        renew until 03/12/16 00:57:01, Etype (skey, tkt): arcfour-hmac, arcfour-hmac 

# Configure Kerberos DNS dynamic updates (Optional)

This section is optional; you can apply or skip it. To enable it, add the line tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; to the options section of named.conf, as in the following example:

vi /etc/named.conf

options {
    ...
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    ...
};

Run the following commands to change the group and permissions of the dns.keytab file so that named can read it:

chgrp named /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab

Check whether dynamic DNS updates are working with the following command:

/usr/local/samba/sbin/samba_dnsupdate --verbose

# Configure NTP Server (Optional)

Open /etc/ntp.conf and add the following lines at the bottom (adjust to NTP servers for your time zone):

server 0.id.pool.ntp.org
server 1.id.pool.ntp.org
server 2.id.pool.ntp.org
server 3.id.pool.ntp.org

Restart the NTP service and check that it is synchronizing:

systemctl restart ntpd
systemctl enable ntpd
systemctl status ntpd
ntpq -p

Congratulations, you have now installed the Excellent Samba4 Appliance as an Active Directory domain controller and can join Windows clients to it.

You can follow the guides below to complete your Samba4 Active Directory setup 😀

– https://imanudin.net/2014/11/18/tips-join-windows-client-to-samba4-active-directory/

– https://imanudin.net/2016/03/06/how-to-movemigrate-user-profile-on-windows/

– https://imanudin.net/2015/12/19/samba-tips-how-to-configure-automatic-mapping-drive-when-login/

– https://imanudin.net/2015/02/03/how-to-change-password-users-active-directorysamba4-via-web-using-ldap-toolbox/

– https://imanudin.net/2014/12/07/zimbra-tips-integration-of-active-directorysamba4-with-zimbra-mail-server/

Good luck and hopefully useful 😀

3 comments

  1. I tried to make the first step but my result was as follows :

    Retype password:
    ERROR(): Provision failed - ProvisioningError: guess_names: Domain 'GERMAN' must not be equal to short host name 'GERMAN'!
    File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 461, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
    File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2024, in provision
    sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS))
    File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 626, in guess_names
    raise ProvisioningError("guess_names: Domain '%s' must not be equal to short host name '%s'!" % (domain, netbiosname))

    Can you help me please?

    1. Hi German,

      Your hostname and your domain must not be the same. You can use the hostname SAMBA4 and the domain GERMAN.COM, so that your FQDN is SAMBA4.GERMAN.COM. Don't use german.german.com.
