Samba 4 as a Domain Controller

After Windows 2012 and vSphere 5.1 big announcement, samba also announced the first release candidate for version 4. This version is suppose to bring Unix the Microsoft Active Directory but is it true ?

Let’s take a good debian with the following package

# apt-get install build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev lsb

Then get samba4 tarball ( debian package is not yet finalized as far as I saw ) and compile with

root@smb:/home/fjacquet/samba-master# ./configure.developer \ 
 --with-ads --enable-iprint --enable-cups --enable-avahi \
 --with-acl-support  --with-dnsupdate --with-aio-support \
 --fatal-errors

And when compile is done

root@smb:/home/fjacquet/samba-master# make install

We are ready to create a new domain controller (samba-tool is the all in one magic tool)

root@smb:/# /usr/local/samba/bin/samba-tool domain provision \
--realm feedback.eu.org --domain FEEDBACK \ 
--adminpass xxx --server-role=dc
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=feedback,DC=ch
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=feedback,DC=eu,DC=org
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              smb
NetBIOS Domain:        feedback
DNS Domain:            feedback.eu.org
DOMAIN SID:            S-1-5-21-2735747792-3624078016-2815364829
A phpLDAPadmin configuration file suitable for administering the Samba 4 LDAP server has been created in /usr/local/samba/private/phpldapadmin-config.php.

Thanks for that ! I know have samba taking care of Kerberos, SMB traffic, DNS and LDAP ! As the Active directory and no other package integration needed ( but still it create file templates for kerberos. Like in previous versions, you can decide to use ISC bind and OpenLDAP but … it is now optional, Samba team is proud of their version !

As you see, all services dns entries are ready

root@smb:/usr/local/samba/sbin# host -t SRV _ldap._tcp.feedback.eu.org. 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
_ldap._tcp.feedback.ch has SRV record 0 100 389 smb.feedback.org.

The same for kerberos

root@smb:/usr/local/samba/sbin# kinit Administrator
Password for Administrator@FEEDBACK.EU.ORG:
Warning: Your password will expire in 41 days on Wed Nov  7 08:07:09 2012
root@smb:/usr/local/samba/sbin#

No the funny part is to take a Windows 2003R2 VM and to make it join the domain and manage the domain as another DC : It works just fine ! And you use MS admin pack to manage samba

For any SMB enterprise with limited fund, that’s just a very nice way to put some redundancy at very low cost. Same for every one needing a DC for some lab like vCenter or Sharepoint 😉

Awesome job team !