Samba 4 - domain controller: Difference between revisions
Revision as of 14:42, 2 February 2014
Prereq
Install
    apt-get install build-essential libacl1-dev libattr1-dev \
        libblkid-dev libgnutls-dev libreadline-dev python-dev \
        python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
        dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
Verify correct filesystem support
Install/setup ntpd
    # Associate to the public NTP pool servers
    server 0.pool.ntp.org
    server 1.pool.ntp.org
    server 2.pool.ntp.org

    # Location of drift file
    driftfile /var/lib/ntp/ntp.drift

    # Location of the log file
    logfile /var/log/ntp

    # Location of the update directory
    ntpsigndsocket /var/lib/samba/ntp_signd/

    # Restrictions
    restrict default kod nomodify notrap nopeer mssntp
    restrict 127.0.0.1
    restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
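A lint for the two settings in this ntp.conf that matter to a domain controller, the `ntpsigndsocket` directive and the flags on `restrict default`, written as an added example that is not part of the original wiki page. The function names `check_ntp_conf` and `write_samples` are hypothetical, the required flag set is taken from the `restrict default` line above, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): lint an ntp.conf for the
# Samba AD DC settings shown in the configuration above.
# Prints one finding per line; exit status 0 means no findings.
check_ntp_conf() {
    awk '
    BEGIN { bad = 0; n = split("mssntp nomodify notrap nopeer", need, " ") }
    { sub(/#.*/, "") }                    # drop comments
    NF == 0 { next }
    $1 == "ntpsigndsocket" { sock = $2 }  # Samba signing socket directory
    $1 == "restrict" {
        k = ($2 == "-4" || $2 == "-6") ? 3 : 2   # optional address-family flag
        if ($k != "default") next
        seen = 1
        split("", has)                    # portable way to clear the array
        for (i = k + 1; i <= NF; i++) has[$i] = 1
        for (i = 1; i <= n; i++)
            if (!(need[i] in has)) {
                printf "line %d: restrict default lacks %s\n", NR, need[i]
                bad = 1
            }
    }
    END {
        if (sock == "") { print "no ntpsigndsocket directive"; bad = 1 }
        if (!seen)      { print "no restrict default line"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample inputs: a weak config and this page's config (abridged).
write_samples() {
    printf '%s\n' 'server 0.pool.ntp.org' \
        'restrict default kod nomodify' > "$1/weak.conf"
    printf '%s\n' 'server 0.pool.ntp.org' \
        'ntpsigndsocket /var/lib/samba/ntp_signd/' \
        'restrict default kod nomodify notrap nopeer mssntp' \
        'restrict 127.0.0.1' > "$1/dc.conf"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in weak dc; do
    echo "== $f.conf"
    check_ntp_conf "$dir/$f.conf" || true
done
rm -rf "$dir"
```

Run it against the live file with `check_ntp_conf /etc/ntp.conf` after editing and before restarting ntpd.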
Copy kerberos conf
    mv /etc/krb5.conf{,.default}
    cp /var/lib/samba/private/krb5.conf /etc
Setup as domain controller
    samba-tool domain provision --use-rfc2307 --interactive --use-xattrs=yes
Argument Explanations
- --use-rfc2307: this argument adds POSIX attributes (UID/GID) to the AD schema. This will be necessary if you intend to authenticate Linux, BSD, or OS X clients (including the local machine) in addition to Microsoft Windows.
- --use-xattrs=yes: this argument enables the use of Unix extended attributes (ACLs) for files hosted on this server. If you do not intend to have file shares on the domain controller, you can omit this switch (but this is not recommended). You should also ensure that any filesystems that will host Samba shares are mounted with support for ACLs.
- --interactive: this parameter forces the provision script to run interactively.

Alternately, you can review the help for the provision step by running samba-tool domain provision --help
Docs/guides/troubleshooting
Found inspiration at various sites:
- [Seems like a good place to start] - http://ubuntuforums.org/showthread.php?t=2146198
- https://wiki.archlinux.org/index.php/Samba_4_Active_Directory_Domain_Controller
- http://wiki.samba.org/index.php/DNS
- http://www.golinuxhub.com/2013/06/samba-41-as-active-directory.html
- [getting windows machines on the new AD] - http://wiki.samba.org/index.php/Configuring_a_windows_client_for_AD
- [Kerberos] - https://help.ubuntu.com/10.04/serverguide/kerberos.html
Also I had some issues with DNS - make sure it is pointing to the IP of the machine running Samba.