Installing free Active Directory with Ubuntu and Samba
We are making great progress in our series, “completely open source office“. We have a firewall now, and our empty office has internet access on all the ports of our shiny new switch.
We still have some “infrastructure” to put in place before we work on our workstations and other office equipment.
In this article, we will cover samba. This is a software module that installs on top of Linux to allow users to log in to a unified directory. This is an open-source version of Microsoft Active Directory. Not only does this provide a single place to manage all the users in the company but it will also form the basis of setting up permissions for our data.
We have broken this article into two phases: Installing the basic Linux operating system, and then installing and configuring Samba.
As in the PfSense article, we need to download the Linux operating system. For this article, we will be using the Ubuntu 20.04 server image available from Ubuntu directly or from our repository. As in the PfSense article, either choose the latest version and hope that the installation follows our video or install the same software from the ISO in our repository and then update afterward.
After downloading the software, you need to insert your trusty thumb drive again and we will use RUFUS to install the ISO image onto the thumb drive and boot from that.
For this article, I have created TWO videos. Because there is a lot of material to cover, I have broken this article into two parts:
- Installing the operating system
- Installing and configuring Samba
There is a video for installing Ubuntu Server and a video for installing and configuring Samba.
I urge you to watch each video before proceeding. In our repository, I have included a text file with the commands needed to complete this piece of our series.
Installing Ubuntu Server (20.04)
We need to discuss Ubuntu for a moment. While Microsoft has workstation and server software for licensing purposes, Ubuntu only keeps two versions because they have different uses. The Ubuntu server edition is mainly used without a person sitting in front of it so there is only text on the screen. This keeps the overhead low, speeds up the machine, and leaves fewer processes running that would need patches. The workstation version has all the fancy graphics and software that a person would normally want.
For this article, the server is a perfect choice. We will set it up entirely at the terminal window.
Put down the mouse!
For the rest of the article, we will be using our keyboard only. This keeps the server lightweight and fast.
Since RUFUS is so handy to have on hand, we wanted to show you this video that explains how to create a bootable thumb drive. While it is intended for Windows, it works the same for the Ubuntu server (and workstation, and the TrueNAS system as well).
After inserting the thumb drive and booting, you will be presented with the option of choosing a language and a different keyboard layout. Most of us will want to keep everything default.
The next screen is going to cover networking. When we installed the PfSense firewall, we chose to turn on the DHCP server on the internal interface so all the workstations will get the correct configuration information. This works well for workstations, but not so much for servers and other equipment that provide services.
For the Samba server, we will press the tab key until we choose the network card and press enter. Choose the option that says, “Edit IPv4”. The default selection is “DHCP”, but press enter on that option and you can choose manual. You will now make the following changes:
- Subnet will be “10.0.0.0/24”. This tells the server that everything on the network will start with “10.0.0.X”, with X being the address of each machine on that network.
- Address will be set to “10.0.0.10”. Each machine on the network will have the same “10.0.0.” and the last number will be unique for each machine on the network. The value for the last number can be anything from 0-255. The firewall is 1, the Samba server is 10 and workstations will get their address from the range that we set earlier (200-250).
- The “gateway” field will be set to use the IP address of the PfSense firewall that we set up earlier (10.0.0.1).
- For “name servers” we will also be using the PfSense firewall, although this will change soon. We will need internet access shortly so we can update the software on the Samba server so enter “10.0.0.1” for the name server (just one for now).
- Search domains will be left empty.
Click SAVE and you will be returned to the networking options. Press the tab key until you are on “continue without network” and don’t click anything yet. After a few seconds, it will change to a green button labeled “done”. Click done.
We will now be asked where to install the operating system. Your server should only have a single disk show up. Check the box to include that single disk and click done.
Continue pressing ok/done until you get to the user/server name screen. Here we will create a user and give our server a name. Admittedly, this screen is a bit confusing. Here is what it is asking:
- For “your name” it is just asking what your full name is.
- For “Your server’s name” it is asking what single word you want to name your server. You should consider the various servers you might have and what you want to call them. For this server, you might want to choose from “Samba” or “dc1” (domain controller 1) or something else that makes sense to you.
- For “pick a username” just choose something without spaces, like your first name.
- Choose a decent password, enter it twice to confirm.
The last option we will change is on the next screen where we check the box for installing OpenSSH.
What is OpenSSH?
This server (and most other servers) never see the light of day. There is rarely a monitor or keyboard plugged into it. Most of the time, due to the noise they create, they are tucked away in a server room or a room with no other humans. On those rare occasions that we need to access the server, we don’t want to walk to the server. We want to access it remotely.
SSH is short for, “Secure SHell”. With a program like putty, we can open up a window to the server and type commands like we are sitting in front of it. By checking the box for installing OpenSSH, we know that we will always have access to our server without having to sit in front of it.
Blah Blah Blah
The next screen contains a bunch of other options that most people will not choose. We don’t need any of these options. Press the tab key until you are at the Done button, click done.
Now the server will perform the software installation, perform some updates, and reboot. You might want to grab yourself a cup of coffee at this point. It will be running for ten minutes to an hour, depending on the speed of your machine.
A Little Housekeeping Before Samba
When you return, the server has booted and is sitting at the login prompt. It is very common to get to the login prompt before the server has finished starting all its services. I recommend you wait for a minute to let all its services start. You will see some random messages pop up that cover up the login message. Pressing enter will get you back to the login prompt.
Enter your username and password and press enter.
At this point, we need to discuss security on Linux. You created a standard user during the installation and that user account has very limited privileges. You can’t even reboot the server!
In Linux, there is a command called, “sudo” and it is used to turn yourself into a superuser with unlimited rights on the server. Instead of performing a command (for example, show me all files with the “ls -la” command) you put “sudo” at the beginning (your command would look like, “sudo ls -la”). You will be prompted for your password.
There is a file on Linux systems called “sudoers” (crafty name, huh?) and if your user account is in that file, you can run the sudo command.
In Windows, there is an “administrator” account that has full privileges and in Linux, that user account is “root”. The root account is disabled by default and there is no need to enable the account if you are in the sudoers file.
After you have logged in, you need to do one last check for updates, in two steps. Type the following two commands:
- sudo apt update
- sudo apt upgrade
You may be prompted for your password.
After those two commands have run (which may take a few minutes), we are ready for the last step before installing Samba: we need to get the time and time zone set.
During the Samba installation, we will be installing and configuring “Kerberos” and this package is very picky about time differences between machines. Only a few minutes’ difference between computers could mean it won’t be able to log in properly.
Taking the TIME to get it right
Verify the timesync service is running by typing:
“systemctl status systemd-timesyncd”
You should see “active (running)” in green. This means it has started and is in sync with an NTP server on the internet. Press CTRL-C to end the command.
NTP stands for Network Time Protocol. There are many atomic clocks available on the internet for synchronizing your computer’s clock to achieve the accuracy that we need.
To verify we have the correct time and date, we type the “timedatectl” command. Note the date is correct but you see “UTC”; that is Coordinated Universal Time, not your local zone. We want to set the correct zone now.
Now that we know we are syncing our clocks, the last step is setting the time zone. First, we need to see a list of time-zones that we can choose from with this command:
Continue scrolling through until you see your time zone. Write that down. It is case-sensitive, and every character needs to match in the next (final!) step.
To set the correct time zone, type this command (assuming we are in the Los Angeles time zone):
“sudo timedatectl set-timezone America/Los_Angeles”
Now show your time data one last time to verify it worked with the command “timedatectl”.
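Here is the whole time check gathered into one script. It is an added example, not part of the article or its text file: it assumes systemd-timesyncd and timedatectl as shipped on Ubuntu 20.04 server, treats 300 seconds as the limit (Kerberos’s default clock-skew tolerance), and only touches the system when run with “--apply”. The functions take command output as an argument so they can be checked against sample text as well as the live commands.

```shell
#!/bin/sh
# Added example, not from the original article: confirms the clock is
# NTP-synchronised and the zone name is valid before Kerberos is set up.
# Assumes systemd-timesyncd and timedatectl (Ubuntu 20.04 server defaults).

KRB_MAX_SKEW=300   # Kerberos default clock-skew tolerance, in seconds

# Returns 0 when `systemctl status systemd-timesyncd` output shows the
# unit as active (running).
unit_is_running() {
    printf '%s\n' "$1" | grep -q 'Active: active (running)'
}

# Returns 0 when `timedatectl` output reports the clock as NTP-synchronised.
clock_is_synced() {
    printf '%s\n' "$1" | grep -q 'System clock synchronized: yes'
}

# Returns 0 when two epoch timestamps (for example this server and the
# firewall) differ by no more than KRB_MAX_SKEW seconds.
skew_is_acceptable() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le "$KRB_MAX_SKEW" ]
}

# Returns 0 when the zone name appears verbatim in the zone list given as
# the second argument (set-timezone is case-sensitive, so check first).
timezone_is_known() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# Usage: sh time-check.sh --apply [Area/City]
if [ "${1:-}" = "--apply" ]; then
    zone=${2:-America/Los_Angeles}
    unit_is_running "$(systemctl status systemd-timesyncd)" \
        || { echo "systemd-timesyncd is not running" >&2; exit 1; }
    clock_is_synced "$(timedatectl)" \
        || { echo "clock is not NTP-synchronised yet; wait and retry" >&2; exit 1; }
    timezone_is_known "$zone" "$(timedatectl list-timezones)" \
        || { echo "unknown time zone: $zone" >&2; exit 1; }
    sudo timedatectl set-timezone "$zone"
    timedatectl
fi
```

Run it as “sh time-check.sh --apply America/Los_Angeles”. If the synchronised check fails right after a reboot, give timesyncd a minute and try again rather than provisioning with a clock that may still be drifting.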
Congratulations! You just installed, patched, and configured your first Linux server!
Now let’s move on to installing Samba…
from Kevin Hart to Dwayne Johnson
The “samba” package gets its name from a feature that Microsoft built many years ago called, “smb” (Server Message Block). This feature eventually morphed into handling domains, which allowed for one database of logins for many computers to use.
That smb package then morphed from a simple domain (during Windows NT 4.0) to an active directory (Windows 2000 and later). The Linux samba package started as simple file sharing and eventually grew into being a domain controller, and then followed up with active directory.
We will be installing and “provisioning” samba as an active directory domain controller.
The process will entail the following steps:
- download the software packages
- disable the standard DNS server so an active directory (“AD”) enabled DNS server can be installed
- turn on the samba (provision) server
- create a samba service so it starts automatically when the server reboots
We need to connect to the server remotely so we can use copy/paste. We do this with “putty”.
After installing putty and opening it up, you type in the IP address of your samba server (10.0.0.10?) and hit connect. You will most likely get a warning about a certificate, just click ok. This only happens once. Log in with the “test” user and password.
Before we get started, we want to turn ourselves into a superuser by typing <sudo su> and providing your password. By doing this, we don’t need to type sudo before every command (we’re going to be typing many commands that require admin privileges).
Before copying and pasting the command to install the software, we need to decide what the name of our “realm” and “domain” will be. For this tutorial, our realm will be “ad.startupcompany.com” (the ad stands for active directory, not too creative, am I?) and the domain will simply be called “ad”. I will give you three guesses of what the “ad” stands for!
You can either type in each command or copy/paste. I recommend the copy/paste method, but you can’t copy or paste unless you are connected to the server remotely, via putty in this case.
Now that we have decided on the naming conventions, we will copy and paste the command that starts with “apt install”. It will download many packages and set up Kerberos. You should see a purple screen that says, “Configuring Kerberos Authentication”. Here is where you will type in the name of the realm that was mentioned earlier (ad.startupcompany.com) and press enter.
You will see a screen asking for the Kerberos servers, just type “samba” at this prompt. There isn’t much point in getting this correct. It will write the configuration to a file that we are about to delete. The samba installation creates the correct file that we just copy into the correct location.
Killing (or at least HURTING) DNS
After the software installation completes, we need to disable the standard DNS server so samba can create the proper one. Use the two lines listed in the text file, just below the list of packages to install. If you don’t have access to that list:
- systemctl disable systemd-resolved.service
- service systemd-resolved stop
At this point, we need to make sure DNS is broken before we move on. Try to ping yahoo by typing:
You should see the error, “temporary failure in name resolution”. This one time only, this is good!
The next step is to make sure samba isn’t already running. At this point, watching the video will make much more sense but you can copy and paste the line from our document for this article.
This is the command to run:
- ps ax | egrep "samba|smbd|nmbd|winbindd"
Run the kill command for each samba process that is already running. By the end of your (~5) kill commands, many will say “no such process”. This simply means that one of the other processes killed the one that you are killing.
Samba is the HOST of this party!
When installing samba, we need to make sure the hostname “samba” points to a real IP address and not the loopback adapter (127.0.0.1). This won’t necessarily break active directory on the server itself but when other machines try to connect to “samba” they will all try to connect to themselves. Not good!
We need to run the text editor NANO and edit the hosts file (/etc/hosts) and add the line listed in the video. Don’t forget to delete the line that says “127.0.0.1 samba” but leave the line “127.0.0.1 localhost”.
Ya gotta crack a few eggs to make an omelette
Before making progress, we need to remove some files that were put in place by the default installation. They are all wrong.
Delete the /etc/samba/smb.conf file, also shown in the video, and listed in the text file.
If samba was already installed, there will also be database files that end in “tdb” and “ldb”. They all need to be removed as seen in the video. Notice there are lots of references to the video, a great way to get a feel for the overall process.
To see where those files are, run this command:
- smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
Beware! We are not deleting everything in those directories, only files ending in “tdb” and “ldb”.
The last housekeeping task is to remove the /etc/krb5.conf file. This standard file was created during the install of Kerberos and is totally incorrect for our purpose. Don’t worry, the next step, samba provisioning, will create the correct file. We will just need to take note of where the correct file is placed so we can copy it to its final home.
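The whole pre-provisioning cleanup (stop any running samba processes, check the hosts file, remove the default smb.conf and krb5.conf, and clear out the tdb/ldb databases) as one script. This is an added example, not the article’s text file: it assumes the Ubuntu 20.04 samba packages, the server’s hostname as the name to check in /etc/hosts, and deletes nothing unless run with “--apply” as root; “--report” only lists what would go.

```shell
#!/bin/sh
# Added example, not from the original article: pre-provisioning cleanup.
# Assumes Ubuntu 20.04 samba packages and /etc/hosts in the usual place.

# Prints the samba directories the page names, parsed from `smbd -b` output.
samba_dirs() {
    printf '%s\n' "$1" | awk '$1 ~ /^(LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR):$/ { print $2 }'
}

# Prints only the .tdb and .ldb database files directly inside the given
# directories; everything else in them is left alone, as the page warns.
stale_db_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -type f \( -name '*.tdb' -o -name '*.ldb' \)
    done
}

# Returns 0 when the hosts text maps the hostname to a loopback address,
# which would make every client that connects to "samba" talk to itself.
hosts_has_loopback_alias() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "127.0.0.1" || $1 == "127.0.1.1" { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints the PIDs of any samba-family processes still running. The [x]
# bracket trick keeps grep from matching its own command line.
running_samba_pids() {
    ps ax | grep -E '[s]amba|[s]mbd|[n]mbd|[w]inbindd' | awk '{ print $1 }'
}

case "${1:-}" in
    --apply)
        for pid in $(running_samba_pids); do kill "$pid" 2>/dev/null || true; done
        if hosts_has_loopback_alias "$(cat /etc/hosts)" "$(hostname)"; then
            echo "fix /etc/hosts first: $(hostname) must map to the real IP, not loopback" >&2
            exit 1
        fi
        rm -f /etc/samba/smb.conf /etc/krb5.conf
        stale_db_files $(samba_dirs "$(smbd -b)") | xargs -r rm -f
        echo "cleanup done; ready for samba-tool domain provision"
        ;;
    --report)
        echo "would stop PIDs: $(running_samba_pids | tr '\n' ' ')"
        echo "would delete /etc/samba/smb.conf /etc/krb5.conf and:"
        stale_db_files $(samba_dirs "$(smbd -b)")
        ;;
    *)
        echo "usage: $0 --report | --apply" >&2
        ;;
esac
```

Run “--report” first and read the list; if it shows anything outside the four samba directories, stop and look, because the find is deliberately limited to one level of exactly those directories.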
You’ve made it this far, time to finally create active directory!
There are two ways to run the provisioning, interactive (where we answer each question as it pops up) or with arguments when we run the tool. For this scenario, we will run in interactive mode. The only argument we pass is the “rfc2307” option. This will just add some information to active directory so we don’t have to run it in the future.
Type “samba-tool domain provision --use-rfc2307 --interactive” to get started. Trust me, it’s not painful!
The first question it will ask is “realm”. This is the full name (FQDN) for the domain. In this case, the setup already knew about the name from the Kerberos setup when we installed the packages. Leave the default of [AD.STARTUPCOMPANY.COM] and press enter.
The second question will ask for the Domain. This is the “WINS” version or simple name of the domain. Again, we will leave the default of [AD] and press enter.
Setup will now ask what server role this machine will have. There are three roles: standalone, member, or domain controller. Standalone means the machine will know about active directory but not be a part of it. Member means the server is a part of the domain and dc (domain controller) means it has a copy of active directory and this server will take part in authenticating users. This is the correct choice.
One of the final questions is which type of DNS backend we want. The simplest, and the one we want, is samba_internal, also the default choice. Just press enter.
The downside to using “samba_internal” is that the server will have knowledge of active directory but nothing else (it won’t find yahoo.com for example). Due to this, we will need to specify a DNS forwarder for everything other than active directory.
The DNS forwarder will be the PfSense firewall that we built in the previous article. This will allow the samba server to ask PfSense, “Hey, I know about active directory, but somebody wants to get to google.com. Where is that on the internet?”. When asked for a DNS forwarder, enter “10.0.0.1” for the IP address.
We will now copy that Kerberos file to the location specified in the text file with the following command:
- cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
Active directory is now installed, and you can start it up by simply typing “samba”. While this might work fine, if the server restarts, samba won’t start up automatically. We need to create a service, and this service will need to be set up to start on every reboot and start up the other processes that it depends on. Scary stuff, right? Nah! I’ll walk you through it.
Creating a Linux Service
First let’s disable the individual daemons so they don’t start up on their own; the samba process starts what it needs itself.
Type these two commands:
- systemctl mask smbd nmbd winbind
- systemctl disable smbd nmbd winbind
With those two commands out of the way, we need to remove the symbolic link (a shortcut) so we can create the correct service file:
Now we can run NANO to create the file:
Copy and paste the following text into that file and save it:
Description=Samba Active Directory Domain Controller
After=network.target remote-fs.target nss-lookup.target
ExecReload=/bin/kill -HUP $MAINPID
Save that file by pressing the CTRL key and the letter O
It will ask for the file name, just press enter. Now exit the program by pressing CTRL and X. FYI- the video describes the cryptic lines in the file, in case you were wondering.
Done? Not quite. Now we need to tell the server to re-examine the service files, and then enable that new service we made with the following two commands:
systemctl enable samba-ad-dc
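The service setup as one script, so the unit file and the commands around it are in one place. This is an added example, not the article’s text file: the page shows three lines of the unit, and the rest of the body here is the unit published on the Samba wiki; the paths /usr/sbin/samba and /run/samba/samba.pid are Ubuntu 20.04 assumptions, as is the assumption that the symbolic link the page says to remove is /etc/systemd/system/samba-ad-dc.service. The write function takes the target directory as a parameter so it can be tried against a scratch directory before touching /etc.

```shell
#!/bin/sh
# Added example, not from the original article: writes and enables the
# samba-ad-dc systemd unit. Unit body follows the Samba wiki; paths assume
# Ubuntu 20.04. Run with --apply as root.

UNIT_NAME=samba-ad-dc.service

# Writes the unit file into the directory given (default /etc/systemd/system)
# and prints its path. The heredoc is quoted so $MAINPID stays literal.
write_unit() {
    dir=${1:-/etc/systemd/system}
    cat > "$dir/$UNIT_NAME" <<'EOF'
[Unit]
Description=Samba Active Directory Domain Controller
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/usr/sbin/samba -D
PIDFile=/run/samba/samba.pid
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
EOF
    echo "$dir/$UNIT_NAME"
}

# Returns 0 when a unit file carries every key the DC needs to start at
# boot and reload cleanly; a missing WantedBy means `enable` does nothing.
unit_is_complete() {
    for key in Description= After= ExecStart= ExecReload= WantedBy=; do
        grep -q "^$key" "$1" || return 1
    done
}

if [ "${1:-}" = "--apply" ]; then
    # The DC process starts smbd, nmbd and winbind itself, so stop the
    # standalone units from racing it at boot.
    systemctl mask smbd nmbd winbind
    systemctl disable smbd nmbd winbind
    # Assumed location of the mask symlink the page says to remove.
    if [ -L "/etc/systemd/system/$UNIT_NAME" ]; then
        rm "/etc/systemd/system/$UNIT_NAME"
    fi
    path=$(write_unit)
    unit_is_complete "$path" || { echo "incomplete unit at $path" >&2; exit 1; }
    systemctl daemon-reload
    systemctl enable "$UNIT_NAME"
    systemctl start "$UNIT_NAME"
    systemctl status "$UNIT_NAME" --no-pager
fi
```

The daemon-reload step is the one that is easy to forget: without it systemd keeps serving the old (masked) definition and the enable appears to work while nothing starts after the reboot.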
Time for testing
No, not that kind of testing. No need to study.
With those two commands done, time to reboot the server and test it to make sure active directory is restarted. Just type the single word “reboot”. When the server comes back online, log in so we can do two tests, verify Kerberos is working (kinit), and make sure some default shares are showing up (smbclient).
Run the Kerberos command:
This should prompt you for a password. If it does, you know the test passed. Anything other than asking for the Administrator password is a fail.
Now test for those default shares with this command:
smbclient -L localhost -N
You should see several shares show up on the screen. They don’t mean anything. You just don’t want to see a single line that says, “connection refused”. Anything else is perfect!
You are now done with the active directory but there is one last small tweak for DNS. In case you can’t tell by now, DNS is a big part of active directory, so it needs to be set “just right” for it to work.
Currently, we have active directory working but our PfSense firewall is handing out the DNS address itself. That works great for everything on the internet, but it has no knowledge of active directory. We need to tell PfSense, “from now on, tell the workstations to use the samba server and it will ask PfSense for everything on the internet only when it needs to”.
For this final step, we need to open a browser and go back to the admin page for PfSense (http://10.0.0.1). After logging in, navigate to SERVICES->DHCP SERVER. Scroll down a bit until you see a line for DNS servers and in the first line (DNS server 1) we will add the IP address of our samba server (10.0.0.10). Scroll down to the bottom and click SAVE.
Now we will test to make sure this last piece is working by rebooting this workstation and after logging in, we need to test that we can see the samba server, see active directory, AND see the internet. First, we ping samba with this command:
You should see a response from 10.0.0.10
Now ping active directory:
You should see the same response (10.0.0.10)
Now ping www.yahoo.com and make sure you get some type of response.
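The post-reboot checks (Kerberos ticket, default shares, and the three pings that prove the split between AD names and the internet is working) collected into one script. This is an added example, not the article’s text file; it assumes the names used on the page (realm ad.startupcompany.com, samba server at 10.0.0.10) and, like the page, expects “kinit administrator” to prompt for the Administrator password. The parsing functions take command output as an argument so they can be checked against captured text.

```shell
#!/bin/sh
# Added example, not from the original article: verifies the DC after the
# reboot. Assumes the page's realm and address; run with --run on the DC
# or a workstation that has smbclient and kinit installed.

REALM=ad.startupcompany.com
DC_IP=10.0.0.10

# Prints the share names from `smbclient -L` output, one per line.
shares_from_listing() {
    printf '%s\n' "$1" | awk '$2 == "Disk" || $2 == "IPC" { print $1 }'
}

# Returns 0 when the listing shows netlogon and sysvol, the two shares an
# AD domain needs for logon scripts and group policy. A refused connection
# yields no share lines at all, so it fails here.
has_ad_shares() {
    list=$(shares_from_listing "$1")
    printf '%s\n' "$list" | grep -qx 'netlogon' && printf '%s\n' "$list" | grep -qx 'sysvol'
}

# Returns 0 when ping output shows a reply from the expected address.
ping_reached() {
    printf '%s\n' "$1" | grep -q "bytes from $2"
}

# Returns 0 when `klist` output holds a ticket-granting ticket for the realm.
has_tgt_for_realm() {
    printf '%s\n' "$1" | grep -qi "krbtgt/$2@$2"
}

if [ "${1:-}" = "--run" ]; then
    kinit administrator   # prompts for the Administrator password
    has_tgt_for_realm "$(klist)" "$REALM" \
        || { echo "no Kerberos ticket for $REALM" >&2; exit 1; }
    has_ad_shares "$(smbclient -L localhost -N)" \
        || { echo "netlogon/sysvol not offered; is samba-ad-dc running?" >&2; exit 1; }
    ping_reached "$(ping -c 1 samba)" "$DC_IP" \
        || { echo "'samba' does not resolve to $DC_IP" >&2; exit 1; }
    ping_reached "$(ping -c 1 "$REALM")" "$DC_IP" \
        || { echo "'$REALM' does not resolve to $DC_IP" >&2; exit 1; }
    ping -c 1 www.yahoo.com >/dev/null \
        || { echo "internet names do not resolve; check the DNS forwarder" >&2; exit 1; }
    echo "all checks passed"
fi
```

Each failure message points at the piece that owns that name: the first two pings go through the samba DNS server, the last one only works if samba is forwarding to the PfSense box at 10.0.0.1.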
That’s it! We have a functional active directory, we can see the internet, and we are ready to continue to the next chapter of our journey:
Next article: Storage!
I hope this article has been informative for you. Interon has now set up many “open source offices” and the economic benefits for our clients have been immense. If you would like to learn more or hire us to implement any or all of the technologies discussed feel free to call us or use our CONTACT US page to request more information!