Samba 4 Active Directory Domain Controller on Ubuntu 18.04 Server
This post will outline how to install an Active Directory (AD) Domain Controller on Ubuntu Server 18.04. Yes, that’s right…Active Directory on a Linux host. Not a backup domain controller but a functional AD that you can create users with, join computers to, and set up group policy.
Configure system hostname
Edit the hosts file so the hostname resolves to its IP address
Note that Ubuntu 18.04 now uses netplan to configure IP addresses on systems. I will outline a basic configuration in a future post.
Update system and install required packages
Update and reboot the system
Install relevant samba, winbind, and kerberos packages. The installation will prompt for kerberos settings and will give an error at the end of installation. Ignore this for now and accept the defaults. This will be configured properly later as part of the AD installation.
Rename samba and kerberos files. You need to start from a clean environment when starting the samba AD setup.
Run the samba AD setup
All the default settings are fine. The only change I make is to set the DNS forwarder to 184.108.40.206. You can also use a different DNS backend, but that is out of scope for the simple setup in this post.
Copy the provisioned kerberos configuration file to the kerberos configuration file location
Test the configuration
Samba can now be run. But before setting up with systemd, start samba and run some tests with DNS.
This is not good as without DNS, AD will fail to run properly. If we run netstat to see what processes are listening on port 53, we can see that systemd-resolve is running in addition to samba.
A quick and dirty way to make sure that samba is the only process listening to DNS queries is to disable the systemd-resolved service.
Test DNS again. It looks like everything is now working.
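As an added example (not part of the original post), the port 53 check described above can be scripted: the functions below read `netstat -tulpn` output and report whether samba is the only DNS listener. The function names, the sample listings, and the assumption that the AD DC process is reported as `samba` are all constructed for this example.

```shell
#!/bin/sh
# Added example: decide from `netstat -tulpn` output whether samba is the only
# process bound to port 53. Function names are hypothetical, and the listings
# below are constructed samples, not output captured from the post's server.

# Print the unique program names listening on port 53 (TCP or UDP), sorted.
port53_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ && $4 ~ /:53$/ {
            # UDP rows have no State column, so locate the "PID/Program"
            # field by its shape instead of by position.
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^[0-9]+\//) {
                    name = $i
                    sub(/^[0-9]+\//, "", name)   # drop the PID
                    sub(/:$/, "", name)          # "samba:" -> "samba"
                    print name
                    break
                }
            }
        }
    ' | sort -u
}

# Succeed only when samba, and nothing else, is listening on port 53.
# Assumes the AD DC process is reported under the name "samba".
samba_owns_port53() {
    [ "$(port53_listeners)" = "samba" ]
}

# Constructed sample: the systemd-resolved stub listener next to samba.
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address     Foreign Address  State   PID/Program name
tcp   0  0 127.0.0.53:53      0.0.0.0:*  LISTEN  612/systemd-resolve
tcp   0  0 192.168.122.70:53  0.0.0.0:*  LISTEN  1432/samba
tcp6  0  0 :::53              :::*       LISTEN  1432/samba
udp   0  0 127.0.0.53:53      0.0.0.0:*          612/systemd-resolve
udp   0  0 192.168.122.70:53  0.0.0.0:*          1432/samba'

# Constructed sample: the same listing once systemd-resolved is disabled.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | grep -v 'systemd-resolve')

printf '%s\n' "$SAMPLE_BEFORE" | port53_listeners
printf '%s\n' "$SAMPLE_AFTER" | samba_owns_port53 && echo "port 53: samba only"

# On the server itself: sudo netstat -tulpn | samba_owns_port53
```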
Let’s also go ahead and test kerberos authentication. Everything here looks in order.
Configure samba AD to start with systemd
Now that this is running, kill samba again so we can begin the process using systemd
Mask the smbd, nmbd, winbind services and unmask the samba-ad-dc service
Reboot and test
Join a computer to the domain
To join the domain on a Windows 10 computer, do the following:
Note: Make sure that your DNS is pointing to dc1 (192.168.122.70)
Go to Start > Settings
Access Work or School
Click Join this device to a local Active Directory domain
Type ad.ricosharp.com and enter the Administrator username/password for the domain
Select Skip to Add an account
Select Restart Now
An alternative way, and the way that I’m most used to, is this:
Open the File Explorer
Right click This PC > Properties
Select Change settings under the Computer name, domain, and workgroup settings section
Click the Change button
Select Domain and enter ad.ricosharp.com
Click ok, enter an Administrator username/password for the domain and reboot
Create a user account
There are two ways you can manage user accounts. Firstly, you can use samba-tool. For example, to create a new user called user1, issue the following
The second way is to install the Remote System Administration Tools (RSAT) on a Windows 10 computer. You can download the RSAT from here
Once installed, open Active Directory Users and Computers from Start > Windows Administrative Tools. Expand the active directory domain name (ad.ricosharp.com) and open the Users organizational unit. Right click and select New > User.