@thieryl
Forked from esummers/Samba Domain Controller.md
Created January 4, 2022 05:14
Samba Domain Controller on a Raspberry Pi

Running a Samba 4.x Domain Controller on a Raspberry Pi

If you don't have a Windows server available for testing, a Raspberry Pi makes a great test environment. It works with Mac AD Binding, Apple Enterprise Connect, and the Mac Kerberos SSO Extension.

Configuring a Domain Controller on Raspbian or another Debian-based Linux distribution:

  1. Install Raspbian. Use NOOBS if you are new to Raspberry Pi (https://www.raspberrypi.org/downloads/). Optionally enable SSH or VNC in the Raspbian settings menu so you can administer the machine remotely.

  2. Install Samba and related packages. Some packages launch setup dialogs; accept the Kerberos defaults, since that configuration is deleted in a later step. The SMB client tools are in the smbclient package.

```sh
sudo apt-get install acl attr samba samba-dsdb-modules \
    samba-vfs-modules winbind libpam-winbind libnss-winbind \
    libpam-krb5 krb5-config krb5-user dnsutils smbclient ldb-tools
```
  3. Add a static network configuration to /etc/dhcpcd.conf. The DC must use itself as its DNS server (Samba's internal DNS serves the AD zone), and the search domain must be the AD domain. An IPv6 address is optional.

```
# Example static IP configuration:
interface eth0
static ip_address=192.168.0.2/24
#static ip6_address=fd51:42f8:caae:d92e::ff/64
static routers=192.168.0.1
static domain_name_servers=192.168.0.2 #fd51:42f8:caae:d92e::1
static domain_search=sample.lan
```
  4. Add the static IP, the fully qualified name and the short hostname to /etc/hosts, and set the system hostname to the short name as well (/etc/hostname, raspi-config or hostnamectl), because provisioning derives the DC's name from it. Comment out or remove the 127.0.1.1 line: it is meant for devices without a permanent IP, and the DC's name must resolve to its real address.

```
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

#127.0.1.1       raspberrypi
192.168.0.2     dc1.sample.lan dc1
```
  5. Disable and mask the classic smbd, nmbd and winbind services so they do not start on their own. In AD DC mode the samba process launched by samba-ad-dc starts them itself.

```sh
sudo systemctl mask smbd nmbd winbind
sudo systemctl disable smbd nmbd winbind
```
  6. (Optional) Reboot to confirm a clean boot with the new static IP and hostname.

  7. Remove or rename the existing Samba and Kerberos configuration. If provisioning fails for any reason, retry from this step.

```sh
sudo rm /etc/samba/smb.conf
sudo rm /etc/krb5.conf
```
  8. Remove all existing Samba database files. Errors about files that do not exist can be ignored.

```sh
sudo rm /var/run/samba/*.tdb
sudo rm /var/run/samba/*.ldb
sudo rm /var/lib/samba/*.tdb
sudo rm /var/lib/samba/*.ldb
sudo rm /var/cache/samba/*.tdb
sudo rm /var/cache/samba/*.ldb
sudo rm /var/lib/samba/private/*.tdb
sudo rm /var/lib/samba/private/*.ldb
```
  9. Provision the Samba Active Directory Domain Controller interactively. The defaults are derived from the hostname and search domain configured above; check that the realm matches. The forwarder answers every query outside the AD zone, so choose a resolver you trust on that network (a public resolver such as 8.8.8.8 is fine for a lab; on a home LAN the router at 192.168.0.1 is the usual choice). The Administrator password must satisfy Samba's default complexity policy or provisioning fails.

```sh
sudo samba-tool domain provision --use-rfc2307 --interactive
```

```
Realm [SAMPLE.LAN]: <ENTER>
Domain [SAMPLE]: <ENTER>
Server Role (dc, member, standalone) [dc]: <ENTER>
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: <ENTER>
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.0.2]: 8.8.8.8
Administrator password: <PASSWORD>
Retype password: <PASSWORD>
```

  10. Copy the auto-generated Kerberos configuration into /etc so that kinit and the Samba client tools use the new realm.

```sh
sudo cp /var/lib/samba/private/krb5.conf /etc
```

  11. Unmask, enable and start the Domain Controller service (Debian ships samba-ad-dc masked until a domain has been provisioned). smbd, nmbd and winbind are started by samba-ad-dc.

```sh
sudo systemctl unmask samba-ad-dc
sudo systemctl enable samba-ad-dc
sudo systemctl start samba-ad-dc
```

  12. Create a reverse zone. samba-tool dns talks to the running DNS server, so the DC must be up. The zone name is the network part of the address with its octets reversed, followed by .in-addr.arpa (192.168.0.0/24 becomes 0.168.192.in-addr.arpa); the host part of the address is the record name given before the PTR record type ("2" for 192.168.0.2).

```sh
samba-tool dns zonecreate dc1.sample.lan 0.168.192.in-addr.arpa -Uadministrator
Password for [SAMPLE\administrator]: <PASSWORD>

samba-tool dns add dc1.sample.lan 0.168.192.in-addr.arpa 2 PTR dc1.sample.lan -Uadministrator
Password for [SAMPLE\administrator]: <PASSWORD>
```
  13. (Optional) Add file shares to /etc/samba/smb.conf and validate the result with testparm before restarting samba-ad-dc.

  14. (Optional) Add a user. The same password policy applies. Newer samba-tool versions document this command as samba-tool user create; add is the older alias.

```sh
sudo samba-tool user add myusername
New Password: <PASSWORD>
Retype Password: <PASSWORD>
```
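Two things a practitioner usually wants after following the steps above are a way to get the reverse-zone names right for networks other than /24, and a quick check that the new DC actually answers DNS, Kerberos and SMB the way AD clients expect. The script below is an added example, not code from the gist; it assumes the names used above (dc1.sample.lan, realm SAMPLE.LAN, 192.168.0.2/24) and the tools installed in step 2 (host from dnsutils, kinit from krb5-user, smbclient, samba-tool). The reverse-zone helpers are pure string handling and cover /8, /16 and /24 networks, which goes beyond the single /24 case in the text; verify_dc runs live checks against the DC and only executes when the script is invoked with verify.

```sh
#!/bin/sh
# Added example, not part of the original gist. Helpers for the reverse-zone
# step plus a post-provision health check for a Samba AD DC.
set -eu

# reverse_zone ADDRESS/PREFIX -> name of the in-addr.arpa zone that holds
# PTR records for that network. Only /8, /16 and /24 are supported; classless
# (RFC 2317) reverse delegation is not.
reverse_zone() {
    addr=${1%/*}
    prefix=${1#*/}
    oldifs=$IFS; IFS=.
    set -- $addr                     # $1..$4 are now the octets
    IFS=$oldifs
    case "$prefix" in
        8)  printf '%s.in-addr.arpa\n' "$1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
        *)  echo "reverse_zone: unsupported prefix /$prefix (use 8, 16 or 24)" >&2
            return 1 ;;
    esac
}

# ptr_name ADDRESS PREFIX -> the record name inside that zone: the host part
# of the address with its octets reversed ("2" for 192.168.0.2/24,
# "4.3" for 10.20.3.4/16).
ptr_name() {
    prefix=$2
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    case "$prefix" in
        8)  printf '%s.%s.%s\n' "$4" "$3" "$2" ;;
        16) printf '%s.%s\n' "$4" "$3" ;;
        24) printf '%s\n' "$4" ;;
        *)  return 1 ;;
    esac
}

# reverse_zone_cmds DC_FQDN ADDRESS/PREFIX -> the two samba-tool commands from
# the reverse-zone step for any address, so the octet reversal is not done by hand.
reverse_zone_cmds() {
    zone=$(reverse_zone "$2")
    label=$(ptr_name "${2%/*}" "${2#*/}")
    printf 'samba-tool dns zonecreate %s %s -Uadministrator\n' "$1" "$zone"
    printf 'samba-tool dns add %s %s %s PTR %s -Uadministrator\n' "$1" "$zone" "$label" "$1"
}

# verify_dc DC_FQDN REALM: post-provision checks. Needs samba-ad-dc running and
# /etc/krb5.conf in place; kinit prompts for the Administrator password.
verify_dc() {
    dc=$1; realm=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    # The SRV records Windows and macOS clients use to locate a DC. Each lookup
    # is sent to the DC itself, so an upstream resolver cannot mask a missing record.
    host -t SRV "_ldap._tcp.$domain" "$dc"
    host -t SRV "_kerberos._udp.$domain" "$dc"
    host -t SRV "_ldap._tcp.dc._msdcs.$domain" "$dc"
    # Forward and reverse resolution of the DC's own name (exercises the PTR record).
    ip=$(host -t A "$dc" "$dc" | awk '/has address/ {print $NF; exit}')
    host "$ip" "$dc"
    # Kerberos: obtaining a TGT proves the KDC and /etc/krb5.conf agree on the realm.
    kinit "administrator@$realm"
    klist
    # SMB session authenticated with that ticket (-k; --use-kerberos=required on Samba 4.15+).
    smbclient -L "$dc" -k
    # Consistency check of the AD database.
    sudo samba-tool dbcheck
}

# Usage, with the constructed names from the steps above:
#   sh dc-check.sh reverse 192.168.0.2/24 dc1.sample.lan
#   sh dc-check.sh verify dc1.sample.lan SAMPLE.LAN
case "${1:-}" in
    reverse) reverse_zone_cmds "$3" "$2" ;;
    verify)  verify_dc "$2" "$3" ;;
esac
```

The reverse helpers print exactly the two commands from the reverse-zone step, so for a /16 lab network such as 10.20.0.0/16 the zone becomes 20.10.in-addr.arpa and a DC at 10.20.3.4 gets the record name 4.3. The verify function stops at the first failing check because of set -e, which is the behaviour you want when deciding whether a Mac or Windows client can be joined yet.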