@esummers
Last active April 20, 2024 18:54
Samba Domain Controller on a Raspberry Pi

Running a Samba 4.x Domain Controller on a Raspberry Pi

If you don't have a Windows server available for testing, a Raspberry Pi makes a great test environment. It works with Mac AD Binding, Apple Enterprise Connect, and the Mac Kerberos SSO Extension.

Configuring a Domain Controller on Raspbian or another Debian-based Linux distribution:

  1. Install Raspbian. Use NOOBS if you are new to Raspberry Pi at https://www.raspberrypi.org/downloads/. Optionally enable SSH or VNC support in the Raspbian settings menu to remote in to the machine.

  2. Install Samba and related packages. Some packages may launch setup tools. Skip through the Kerberos configuration with defaults. We will be deleting the Kerberos configuration in a later step.

# The Debian package is smbclient; there is no smbutil package (see the comments below).
sudo apt-get install acl attr samba samba-dsdb-modules \
    samba-vfs-modules winbind libpam-winbind libnss-winbind \
    libpam-krb5 krb5-config krb5-user dnsutils smbclient ldb-tools
  3. Add a static network configuration to /etc/dhcpcd.conf. An IPv6 address is optional. The DC must point at itself as DNS server, and the search path must include the domain.
# Example static IP configuration:
interface eth0
static ip_address=192.168.0.2/24
#static ip6_address=fd51:42f8:caae:d92e::ff/64
static routers=192.168.0.1
static domain_name_servers=192.168.0.2 #fd51:42f8:caae:d92e::1
static domain_search=sample.lan
  4. Add the static IP, hostname, and short hostname to the /etc/hosts file. Comment out or remove the 127.0.1.1 line, since it is meant for devices without a permanent IP.
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

#127.0.1.1       raspberrypi
192.168.0.2     dc1.sample.lan dc1
  5. Disable and mask the smb services so they don't start on their own. The Samba Domain Controller service is responsible for starting the processes it needs.
sudo systemctl mask smbd nmbd winbind
sudo systemctl disable smbd nmbd winbind
  6. (Optional) Restart to make sure there is a clean boot with the new static IP and hostname.

  7. Remove or rename the existing Samba and Kerberos configuration. If the installation fails for any reason, retry starting from this step.

sudo rm /etc/samba/smb.conf
sudo rm /etc/krb5.conf
  8. Remove all existing Samba database files.
sudo rm /var/run/samba/*.tdb
sudo rm /var/run/samba/*.ldb
sudo rm /var/lib/samba/*.tdb
sudo rm /var/lib/samba/*.ldb
sudo rm /var/cache/samba/*.tdb
sudo rm /var/cache/samba/*.ldb
sudo rm /var/lib/samba/private/*.tdb
sudo rm /var/lib/samba/private/*.ldb
  9. Provision the Samba Active Directory Domain Controller interactively.
sudo samba-tool domain provision --use-rfc2307 --interactive
Realm [SAMPLE.LAN]: <ENTER>  
Domain [SAMPLE]: <ENTER>  
Server Role (dc, member, standalone) [dc]: <ENTER> 
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: <ENTER>
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.0.2]: 8.8.8.8
Administrator password: <PASSWORD>
Retype password: <PASSWORD>
  10. Create a reverse zone. The *.in-addr.arpa zone name is the network part of the address written in reverse order (192.168.0.0/24 becomes 0.168.192.in-addr.arpa). The host part of the address is given as the record name before the PTR record type ("2" in this example). samba-tool dns talks to the DC over RPC, so the DC must already be running when you issue these commands; if it is not, zonecreate fails with NT_STATUS_CONNECTION_REFUSED on port 135 (several commenters below hit this). Unmask, enable and start samba-ad-dc first, or reboot after enabling it, then create the zone.
samba-tool dns zonecreate dc1.sample.lan 0.168.192.in-addr.arpa -Uadministrator
Password for [SAMPLE\administrator]: <PASSWORD>

samba-tool dns add dc1.sample.lan 0.168.192.in-addr.arpa 2 PTR dc1.sample.lan -Uadministrator
Password for [SAMPLE\administrator]: <PASSWORD>
  11. Copy the auto-generated Kerberos configuration to the etc folder.
sudo cp /var/lib/samba/private/krb5.conf /etc
  12. Set up the Domain Controller to start automatically. samba-ad-dc starts the worker processes the DC needs (smbd and winbindd) itself; do not enable smbd, nmbd, or winbind separately.
sudo systemctl unmask samba-ad-dc
sudo systemctl enable samba-ad-dc
  13. (Optional) Add some file shares to /etc/samba/smb.conf

  14. (Optional) Add an additional user.

sudo samba-tool user add myusername
New Password: <PASSWORD>
Retype Password: <PASSWORD>
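The network, hosts and reverse-zone steps above all have to agree on the same host name and address, which is where most retries of this procedure come from. The script below is an added example, not part of the original gist: from the DC's FQDN, its static address in CIDR form and the gateway it derives the realm and NetBIOS names, the /etc/hosts line, the dhcpcd stanza, and the in-addr.arpa zone and PTR label, and prints the matching samba-tool commands. The values dc1.sample.lan, 192.168.0.2/24 and the 8.8.8.8 forwarder are the gist's own; the script name, the function names, the restriction to octet-aligned prefixes, and the checks in verify_dc (systemctl, an SRV lookup, anonymous share listing) are my choices.

```shell
#!/bin/sh
# Added example, not from the original gist: derive the values the steps
# above need from three inputs so that /etc/hosts, dhcpcd and the reverse
# DNS zone stay consistent. Script name and function names are hypothetical.
#
# usage: sh samba-dc-plan.sh <fqdn> <ip/prefix> <gateway> [dns-forwarder]

# Kerberos realm is the DNS domain of the FQDN, upper-cased
# (dc1.sample.lan -> SAMPLE.LAN), matching the provisioning default.
realm_of() {
    printf '%s\n' "${1#*.}" | tr '[:lower:]' '[:upper:]'
}

# NetBIOS domain defaults to the first label of the realm (SAMPLE.LAN -> SAMPLE).
netbios_of() {
    r=$(realm_of "$1")
    printf '%s\n' "${r%%.*}"
}

# Reverse zone and PTR label for an octet-aligned prefix (/8, /16, /24).
# Prints "<zone> <label>": 192.168.0.2/24 -> "0.168.192.in-addr.arpa 2".
# Other prefix lengths are refused rather than silently mis-zoned.
reverse_zone() {
    ip=${1%/*}; len=${1#*/}
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')    # $1..$4 = octets
    case $len in
        24) printf '%s.%s.%s.in-addr.arpa %s\n' "$3" "$2" "$1" "$4" ;;
        16) printf '%s.%s.in-addr.arpa %s.%s\n' "$2" "$1" "$4" "$3" ;;
        8)  printf '%s.in-addr.arpa %s.%s.%s\n' "$1" "$4" "$3" "$2" ;;
        *)  echo "reverse_zone: need /8, /16 or /24, got /$len" >&2; return 1 ;;
    esac
}

# /etc/hosts entry: static IP, FQDN, short host name (replaces the 127.0.1.1 line).
hosts_line() {
    printf '%s\t%s %s\n' "${2%/*}" "$1" "${1%%.*}"
}

# /etc/dhcpcd.conf stanza: the DC is its own resolver and its domain is searched.
dhcpcd_block() {
    printf 'interface eth0\nstatic ip_address=%s\nstatic routers=%s\n' "$2" "$3"
    printf 'static domain_name_servers=%s\nstatic domain_search=%s\n' "${2%/*}" "${1#*.}"
}

# samba-tool commands that create the reverse zone and the DC's own PTR record.
dns_commands() {
    fqdn=$1
    rz=$(reverse_zone "$2") || return 1
    set -- $rz                                    # $1 = zone, $2 = label
    printf 'samba-tool dns zonecreate %s %s -Uadministrator\n' "$fqdn" "$1"
    printf 'samba-tool dns add %s %s %s PTR %s -Uadministrator\n' "$fqdn" "$1" "$2" "$fqdn"
}

# Checks to run on the Pi before the dns commands: samba-tool dns talks to the
# DC over RPC (port 135), so the service, its DNS and its SMB side must answer.
verify_dc() {
    fqdn=$1; domain=${1#*.}
    systemctl is-active --quiet samba-ad-dc || { echo "samba-ad-dc is not running" >&2; return 1; }
    host -t SRV "_ldap._tcp.$domain" "$fqdn" >/dev/null || { echo "no LDAP SRV record from $fqdn" >&2; return 1; }
    smbclient -L "$fqdn" -N >/dev/null 2>&1 || { echo "SMB not answering on $fqdn" >&2; return 1; }
    echo "DC $fqdn is serving $domain"
}

main() {
    [ $# -ge 3 ] || { echo "usage: $0 <fqdn> <ip/prefix> <gateway> [dns-forwarder]" >&2; return 2; }
    echo "# realm: $(realm_of "$1")  domain: $(netbios_of "$1")  forwarder: ${4:-8.8.8.8}"
    echo "# --- /etc/hosts";        hosts_line "$1" "$2"
    echo "# --- /etc/dhcpcd.conf";  dhcpcd_block "$1" "$2" "$3"
    echo "# --- reverse zone";      dns_commands "$1" "$2"
}

# With no arguments only the functions are defined, so the file can be sourced.
[ $# -eq 0 ] || main "$@"
```

Run it as `sh samba-dc-plan.sh dc1.sample.lan 192.168.0.2/24 192.168.0.1` to print the plan, and call verify_dc on the Pi once samba-ad-dc is enabled and started, before the zonecreate step. reverse_zone deliberately refuses prefixes that are not octet-aligned: a reverse zone for a /28 would need classless (RFC 2317) delegation, which these steps do not cover.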
@Platypuschan

May i suggest to replace "smbutils" with "smbclient" on step 2?

@ssolomon-tech

If I already have a Windows-based AD Server as the primary DC, can these instructions be modified to set up the Pi/Samba as a secondary/backup DC?

@esummers (Author)

No, you can’t mix Samba DCs and Windows DCs.

@ssolomon-tech

Actually did get it working. Followed your steps up to #8 and then used the command: samba-tool domain join example.domain.com DC -U"EXAMPLE\administrator". The one hangup is that the Samba/Pi cannot join as an AD Server unless the forest and domain functional levels are set to "Windows2008R2".


@esummers (Author)

Nice!

@rrozema

rrozema commented Apr 27, 2022

Following these instructions in a freshly deployed Raspberry PI OS Lite (64 bit), released 2022-04-04 in a raspberry pi 3b+ I ran into some problems:

  • at step 2 the smbutil package is not found. I've instead installed smbclient as suggested by Platypuschan, then continued.
  • at step 10 a dns server is not available yet, so the "samba-tool dns zonecreate ..." command replies with "Failed to connect host 192.168.1.2 on port 135 - NT_STATUS_CONNECTION_REFUSED" "Failed to connect host 192.168.1.2 () on port 135 - NT_STATUS_CONNECTION_REFUSED." "ERROR: Connecting to DNS RPC server failed with (3221226038, 'The transport-connection attempt was refused by the remote system.')"
    What can I do to get past this issue?

@agent47nh

Reboot the RPi. That worked for me.

@th944

th944 commented Oct 25, 2022

I have the same problem as rrozema above. At step 10, after the command "samba-tool dns zonecreate 192.168.0.3 0.168.192.in-addr.arpa -Uadministrator", I get this error:
"ERROR: Connecting to DNS RPC server 192.168.0.3 failed with (3221226038, 'The transport-connection attempt was refused by the remote system.')"
I have rebooted the RPi. I am new to Rpi and Linux and Samba. Where can I look to find a solution?

I also get an earlier error "Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs " but my research seems to indicate this is normal. Am I correct?

192.168.0.3 is the IP Address of my RPi

Thank you

@esummers (Author)

esummers commented Oct 26, 2022

These instructions are a few years old and I’m no longer running this PI, so there may be some changes. They were mainly my personal notes to remember how I set up a PI.

This may be an advanced task for someone new to Linux. Make sure you understand how to check if processes are running, how to check logs, how to adjust and troubleshoot network settings, how to use apt package manager, and how to use systemctl. Raspberry PI is very similar to Debian Linux, so most of that applies.

Make sure the Samba DC is running. It sounds like it isn’t running and the RPC port isn’t open as a result. You may need to check Samba logs to see if there are messages about it failing to start. It is important a normal version of Samba isn’t running or they will conflict, but that should be addressed by masking those services as in the instructions. Maybe try restarting after step 9 to give it a chance to start fresh. Step 9 should create an smb.conf file. You may want to review those settings. The SID message would be harmless.

You might want to compare to the official instructions: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

@th944

th944 commented Oct 26, 2022 via email

@jcabrerazuniga

I started samba using

sudo /usr/bin/samba start

and I was able to execute

samba-tool dns zonecreate .....

@jcabrerazuniga

Is it necessary to install Kerberos before Samba?
