Samba4 as Active Directory Server

The scope of this article is to set up the Samba4 alpha 17 release in order to get the maximum possible Active Directory experience Linux can provide at the moment. It is not a full beginner howto, since the expectation is that you
 * know the basic functions of your Gentoo by heart, so that you can mask/unmask versions and deal with keywords on your own
 * know how to set up and use layman
 * know at least how to use tools like netstat and strace
 * have at least basic knowledge about Windows Domain mechanisms and terms

If that is the case, this article will help you get an Active Directory server replacement for your Windows clients, but also a Kerberos and LDAP server for all your capable local clients, including Linux. The article will also give you basic information on setting up certain Linux services so that they can use the ADS functions. The reason why the author does this here and not in the respective articles is that he had to scavenge the information from all over the internet and was frustrated by the clutter; in his opinion it is easier to put the information here than to add it to the other articles. This article is built on the almost excellent howto from the official Samba wiki, but gives details about how to do it the Gentoo way.

= Prerequisites =

Blocks
In order to install Samba, we need to remove from your system and install. Before removing mit-krb5, make sure that you can recover from any problems. For example, wget can USE kerberos, and if it has been removed you won't be able to download Heimdal to replace it. The following packages are incompatible with Heimdal Kerberos:


 * see
 * ses

So you might want to put them with in your /etc/portage/package.use!

USE Flags
To get the most out of your Samba4 ADS install, it is wise to apply the following flags globally on the server and maybe your clients:
 * This is important for your Bind9 implementation, see below.
 * This is important for your Bind9 implementation, see below.
 * This is important for your Bind9 implementation, see below.

Filesystem options (recommended)
You will also have to tell your filesystems to use these options:

Test Filesystem options
You can test the options you applied above by doing the following on an extX partition:

= Installation =

If you haven't already done this, we will now prepare your system:

Samba-4 RC2 is now included in the official portage tree, but it is hard masked. We need to unmask it first.

= Configuration =

For the following configurations we assume these values:
 * DNS Domain wonderland.org
 * Hostname madhatter.wonderland.org
 * IP 10.1.0.1

Samba4
In order to turn Samba4 into a Domain Controller, we need to issue the following command:

The important part of the output, if all went well, is this:

 See /var/lib/samba/private/named.conf for an example configuration include file for BIND
 and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
 A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
 Please install the phpLDAPadmin configuration located at /var/lib/samba/private/phpldapadmin-config.php into /etc/phpldapadmin/config.php
 Once the above files are installed, your Samba4 server will be ready to use
 Server Role:          domain controller
 Hostname:             madhatter
 NetBIOS Domain:       WONDERLAND
 DNS Domain:           wonderland.org
 DOMAIN SID:           S-1-5-21-2164530812-92510604-2697246494
 Admin password:       Jabberwocky123!

Now that we have this part set up, we could issue to see if it starts up, but we still need to configure some other services before we can start joining computers to the domain.

Kerberos
To tell our system the important Kerberos details, we use the generated krb5.conf.

Bind9
To properly pose as an Active Directory domain controller, we need to receive and answer some DNS packets which need special configuration. In order to ease the etc-update steps on a bind update, we will put our zone information in a separate file. Also, we do not directly copy the zone info which Samba4 generates, since at least the reverse lookup info is generated wrongly.

Our zone data (example based on the automatically generated /var/lib/samba/private/named.conf, which contained wrong IP values by default!):

Either you copy the whole /var/lib/samba/private/dns/wonderland.org.zone or you cherry-pick the important part.

Bind9 running in chroot
If you are running bind9 in a chrooted environment, the following steps are necessary. We assume that the chroot is under /var/chroot/dns/.

The following entry is a workaround that lets the chrooted environment access the updates Samba4 generates.

Testing service lookups
The following commands should give the results listed below. These commands are critical, since Windows clients rely on this information to find the Active Directory server.

NTP (recommended)
Time is very important in Kerberos environments and therefore in Active Directories, so it is generally wise to synchronize the clocks of your clients and your servers, even before joining the domain. You won't be able to set the time server explicitly after you have joined a Windows machine to the domain; it simply assumes the domain controller to be the time server. Newer versions of Windows expect signed NTP packets, for which we need a specially prepared NTP. As of version 4.2.6 this is possible, although Gentoo lacks a USE flag for it. I will post a feature request on bugzilla soon.

Update: net-misc/ntp-4.2.6_p4 has the USE flag which will enable signd. At the moment the ebuild needs to be unmasked.

If you use and run your ntp under a dedicated user and group, you might need to adapt permissions

After you have restarted your ntpd, you can check from a Windows 7 domain member on a command line (with admin rights!) whether it works:

 U:\>w32tm /resync /rediscover
 Sending resync command to local computer
 The command completed successfully.

If you get an error, check your permissions again or visit the link above for further troubleshooting ideas.

Avahi (recommended)
Samba4 does not have an nmbd component yet, so it won't add itself to your browse list. As a workaround for *NIX machines, including Macs, we can use Avahi.

= Usage =

Create shares
The basic setup is the same as under Samba3, but most of the options no longer work and you configure a lot via the graphical user interfaces provided by the Microsoft domain management tools.

Of course, you still have to restart samba after config changes

Joining the domain
Finally, we want to join a Windows client to our domain. This is basically the same on every Windows version: open the Control Panel, look for the System component and find the option for your computer's name. There you'll find the option to join a domain; enter your domain name wonderland.org, and if that fails, try only wonderland. If your DNS is properly set up, you'll be asked for credentials: enter Administrator as account name and the domain admin's password, Jabberwocky123! in our test case. You should now see a welcome message and you will be asked to reboot the computer. Do so and your machine is a proud new domain member.

Domain administration using Windows XP Professional
Your computer needs to be a domain member and you need the following tools installed.
 * Adminpak (SP2)
 * Support Tools

Now you can either enter dsa.msc in your Run box or you can find the tools under Control Panel -> Administrative Tools.

Create users and home-shares
Now, under "Active Directory Users and Groups", you can create new users. We need one user called Alice for the rest of this howto. Your username is your login name for Samba shares and domain member computers. You can also use it for single sign-on with other software. We also create a home share and a folder for each user.

Now you open that share as domain admin from Windows, add Domain Users to the permissions list and then open the Profile tab for each user who should have a home folder on the Samba server. You can even select more than one user and edit their properties; be sure to give them a drive, say letter U, for their share and use \\madhatter\home\%username% as the share name. The %username% variable makes sure that each user gets a folder named after his account name the next time he logs onto the domain.

File permissions and mapping linux uids to Samba users
One of the tricky things you might encounter is the translation of Linux file permissions to Samba permissions, especially when it comes to file ownership and the ability to change that ownership from within Windows. The scenario is this: you copy some file around in Linux to a place that is also a share on your Samba server. Then you find out that a certain user needs certain permissions and realize that not even the Administrator account can do anything about it. You will only see something like S-1-22-1-1013 as owner. By default, the Active Directory/domain users get a uid assigned, starting at 3000000 as it seems. So what do we do about it?

Easy fix
uid 0 gets mapped to the Administrator account of your Samba Domain and it will be changeable from Windows again.

Convenient fix
We will permanently map the uid of a certain Linux user to a certain Samba user. In order to do that, we find out which SID belongs to the Samba user; in our case it is the Samba user called "Dodo" and we want to map him to the Linux uid 1013.

Now we edit the mapping. This should work with the SID as user parameter, but it didn't work on my system using alpha17. So take special care, since you will edit the whole ldb file with the possibility of corrupting it completely!

Verify that it worked:
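
As an added example (not part of this article or of Samba), the Python below shows how idmap entries look when dumped with ldbsearch, decodes an owner such as S-1-22-1-1013 to the unmapped Unix uid 1013 it stands for, and builds the LDIF change record that ldbmodify can apply for both the easy fix (Administrator to uid 0) and the convenient fix (a domain user to uid 1013), refusing a uid that another SID already owns. The sample records, the RID 1105 and the ldbmodify invocation are assumptions; the domain SID is the one from the provision output above.

```python
"""Added example (not Samba code): work with Samba4 idmap.ldb records as
printed by `ldbsearch -H /var/lib/samba/private/idmap.ldb`, and build an
ldbmodify change that remaps a SID to a chosen uid without collisions."""
import re

# Constructed sample dump (trimmed attributes). Domain SID is the one from
# the provision output above; RID 500 is Administrator, 1105 is made up.
SAMPLE_DUMP = """\
dn: CN=S-1-5-21-2164530812-92510604-2697246494-500
objectSid: S-1-5-21-2164530812-92510604-2697246494-500
xidNumber: 3000000

dn: CN=S-1-5-21-2164530812-92510604-2697246494-1105
objectSid: S-1-5-21-2164530812-92510604-2697246494-1105
xidNumber: 3000012
"""

UNIX_USER_SID = re.compile(r"^S-1-22-1-(\d+)$")   # Samba's "Unix User" authority

def parse_ldif(text):
    """Split an LDIF dump into a list of {attribute: value} dicts."""
    records = []
    for chunk in text.strip().split("\n\n"):       # a blank line ends a record
        records.append(dict(line.partition(": ")[::2] for line in chunk.splitlines()))
    return records

def unix_sid_to_uid(sid):
    """An owner shown as S-1-22-1-N is an unmapped Unix uid; return N or None."""
    m = UNIX_USER_SID.match(sid)
    return int(m.group(1)) if m else None

def remap_sid_ldif(records, sid, new_xid):
    """LDIF change record (for ldbmodify) setting xidNumber of `sid` to `new_xid`;
    refuses a uid another SID already owns, the collision a hand edit can cause."""
    target = None
    for rec in records:
        if rec.get("objectSid") == sid:
            target = rec
        elif int(rec.get("xidNumber", -1)) == new_xid:
            raise ValueError(f"xid {new_xid} already belongs to {rec['objectSid']}")
    if target is None:
        raise KeyError(f"no idmap entry for {sid}")
    return (f"dn: {target['dn']}\nchangetype: modify\n"
            f"replace: xidNumber\nxidNumber: {new_xid}\n")
```

Apply the generated record with ldbmodify against idmap.ldb (assumed invocation: ldbmodify -H /var/lib/samba/private/idmap.ldb change.ldif), after backing the file up as the text warns.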

Create Kerberos Service Principal
The method below is what I found to work, although it might be a little dated. The example is for a libvirtd install which runs on the same server as Samba4.


 * Create user marchhare
 * select "Password never expires"
 * deselect "User must change password on next login"

 U:\>setspn -A http/madhatter.wonderland.org marchhare
 Registering ServicePrincipalNames for CN=marchhare,CN=Users,DC=wonderland,DC=org
         http/madhatter.wonderland.org
 Updated object

 U:\>ktpass -out .\krb5_marchhare.tab -princ http/madhatter.wonderland.org@WONDERLAND.ORG -mapUser WONDERLAND\marchhare -mapOp set -pass Dormouse123!
 Targeting domain controller: madhatter.wonderland.org
 Using legacy password setting method
 Successfully mapped http/madhatter.wonderland.org to mockturtle.
 WARNING: pType and account type do not match. This might cause problems.
 Key created.
 Output keytab to .\krb5_marchhare.tab:
 Keytab version: 0x502
 keysize 87 http/madhatter.wonderland.org@WONDERLAND.ORG ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0x741bfa6ee28254c06c136948c1aabcce)
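
As an added example (not from this article or the Samba project), the Python below reads a keytab in the MIT format ktpass writes (version 0x502) and reports principal, vno and etype the way the output above summarises them, without exposing key bytes, so a keytab can be checked before it is copied to a service host. The sample keytab is constructed in the code with dummy key material; everything else follows the standard keytab layout.

```python
"""Added example (not page or Samba code): parse an MIT-format keytab as ktpass
writes it (version 0x502) to check principal, kvno and enctype before use."""
import struct

# Enctype numbers seen in ktpass output; 0x17 = 23 is RC4-HMAC (weak, prefer AES).
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "arcfour-hmac (RC4-HMAC)"}

def _counted(data):
    return struct.pack(">H", len(data)) + data

def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_keytab(realm, components, kvno, etype, key, name_type=0, ts=0):
    """Serialise a one-entry keytab laid out the way ktpass does it."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in components)
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)   # 8-bit vno
    body += struct.pack(">HH", etype, len(key)) + key        # keyblock
    body += struct.pack(">I", kvno)                          # 32-bit vno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(blob):
    """Return [(principal, kvno, etype, key_length)]; key bytes are not returned."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        end = pos + 4 + size                       # entry boundary
        (ncomp,) = struct.unpack_from(">H", blob, pos + 4)
        realm, pos = _read_counted(blob, pos + 6)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp)
        _ntype, _ts, kvno = struct.unpack_from(">IIB", blob, pos)
        etype, klen = struct.unpack_from(">HH", blob, pos + 9)
        pos += 13 + klen
        if end - pos >= 4:                         # 32-bit vno overrides vno8
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, etype, klen))
    return entries

# Constructed sample mirroring the ktpass output above, with dummy key bytes.
SAMPLE_KEYTAB = build_keytab("WONDERLAND.ORG", ["http", "madhatter.wonderland.org"],
                             kvno=2, etype=23, key=bytes(range(16)))
```

The "keysize 87" ktpass prints is the 83-byte entry plus its 4-byte length field, which the constructed sample reproduces exactly.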

Access kerberized services as user
Linux clients don't join the domain directly, but you will need an appropriate setup to do this

Now we can test whether this works with the kinit command, which should give you a working ticket. With klist you can check the details.

Example for application specific auth plugin: Apache
Apache is able to use Kerberos Tickets, too. You need and a patch from, since the module doesn't build out of the box against heimdal at the moment.

Example for SASL with GSSAPI: libvirt
Select at least for, since that's what our example is about. Re-emerge packages with new sasl useflag!

The principal we create now needs libvirt instead of http as above; also choose a different username, say mockturtle.

Now you just need to restart libvirtd and get a ticket as a user on a remote client. If you connect via the TCP mechanism to your kerberized libvirtd, you should immediately be logged in. You won't need saslauthd to be running!

BindDN
Many services will require a so called BindDN to browse the LDAP directory, so let's create one.
 * Create a user called walrus and give him the password Oyster!
 * Again select "password doesn't expire" and also "can't be modified by user"
 * Set Domain Guests as his default group and remove him from Domain Users

General case
For example, the groupware Citadel uses a rather complicated approach, but this style is common among lots of applications:
 * Domain Controller: madhatter.wonderland.org
 * LDAP port: 389
 * LDAP base DN: dc=wonderland,dc=org
 * LDAP bind DN: cn=walrus,cn=Users,dc=wonderland,dc=org
 * LDAP bind password: Oyster!

Example: dokuwiki
dokuwiki uses a specialised approach to use the Active Directory

Apache again
Apache can not only use Kerberos, but also LDAP via a module maintained directly by upstream, you just need to make sure that apache was built with

Troubleshooting

 * The command testparm shows you an overview of your explicitly set options.
 * With testparm -v you will also see the implicitly set default options. This is a poor man's documentation replacement, since upstream does not provide anything. That's not a criticism; upstream just changes options too often or might do so in the future.

= TODO =
 * SSO with Firefox/Internet Explorer