Setting up a samba-ad-dc

2025-08-31T00:53:35Z

Fabio.homework: /* Installation */

= Notes =

==== Active Directory Naming ====

In all examples below, replace EXAMPLE with your NetBIOS domain name in caps, example.com with your DNS domain name, HOSTNAME with your system's host name in caps, and hostname with your system's host name.

Refer to the [https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ Active Directory naming FAQ] before choosing your domain name.

==== MS-SNTP signing support ====

AD Domain time sync requires MS-SNTP signing support, so be sure to check whether the NTP server you choose to deploy, does support it.

<span style="color:red">Some of the NTP server versions available in the Alpine repositories (chrony, openntpd, busybox) do not currently support it. This will cause time sync issues for the domain, so be forewarned.</span>

NTP implementations which do support MS-SNTP signing:

* chrony (version >= 3.2) [https://pkgs.alpinelinux.org/packages?name=chrony&branch=edge&repo=&arch=&maintainer= Alpine package in edge] [https://git.tuxfamily.org/chrony/chrony.git/tag/?h=3.2 Source download v3.2] [https://git.tuxfamily.org/chrony/chrony.git/commit/?h=3.2&id=577aed484207addd054441ee8be7e6e30ce36cb2 - Source code commit]
* The ntp.org "ntpd" server [https://ntp.org/downloads.html - Download ntpd]
* Windows

'''Install Chrony version 3.2 on Alpine 3.6.2:'''

Uncomment and pin the edge/main repository in /etc/apk/repositories

Note that the below URLs are invalid and used for illustrative purposes only. Replace with the valid repository URLs used by your installation.

See [https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management#Repository_pinning Package Repository Pinning] for further details.

<pre>
https://mirror/alpine/v3.6/main
@edge https://mirror/alpine/edge/main
</pre>

Update the package index:

{{Cmd|apk update}}

Upgrade chrony using the @edge tag

{{Cmd|apk add chrony chrony@edge}}

Upgrade chrony-doc using the @edge tag

{{Cmd|apk add chrony-doc chrony-doc@edge}}

Confirm that the installed version is from the edge repository:

{{Cmd|cat /etc/apk/world | grep chrony}}

<pre>
chrony@edge
chrony-doc@edge
</pre>

Restart chronyd to use the newly upgraded version:

{{Cmd|/etc/init.d/chronyd restart}}

= Installation =
Install packages:
{{Cmd|apk add samba-dc krb5 py3-cryptography }}

= Edit hosts file =
You need to modify your {{Path|/etc/hosts}} file to look similar to this.

127.0.0.1 localhost.localdomain localhost
10.1.1.10 hostname.example.com hostname

= Create smb.conf =
Alpine doesn't provide an example configuration file in the package so you'll need to create one at {{Path|/etc/samba/smb.conf}}.

[global]
server role = domain controller
workgroup = EXAMPLE
realm = example.com
netbios name = HOSTNAME
passdb backend = samba4
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/example.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

= Provision your Samba domain =
Answer the questions with your domain information:
{{Cmd|samba-tool domain provision --use-rfc2307 --interactive}}
Use the SAMBA_INTERNAL DNS option.
When asked for a forwarder IP, choose your internet DNS server. You can use your ISP or other public services (like Google) here.

= Configure resolv.conf =
Modify your {{Path|/etc/resolv.conf}} to include your new domain as a search domain and point to itself as the first nameserver.

search example.com
nameserver 10.1.1.10

= Configure Kerberos =
You need to replace krb5.conf with a link to the one generated by samba.
{{Cmd|ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf}}

= Install new init script =
As of 3/31/2016 and Alpine 3.3.3, the included samba init script doesn't support starting it as a domain controller. Modify your {{Path|/etc/init.d/samba}} script like the one below.

#!/sbin/openrc-run

extra_started_commands="reload"

DAEMON=${SVCNAME#samba.}
SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
daemon_list="samba"
elif [ "$DAEMON" != "samba" ]; then
daemon_list=$DAEMON
fi

depend() {
need net
after firewall
}

start_samba() {
mkdir -p /var/run/samba
start-stop-daemon --start --quiet --exec /usr/sbin/samba --
}

stop_samba() {
start-stop-daemon --stop --quiet --pidfile /var/run/samba/samba.pid
}

start_smbd() {
start-stop-daemon --start --quiet --exec /usr/sbin/smbd -- \
${smbd_options:-"-D"}
}

stop_smbd() {
start-stop-daemon --stop --quiet --pidfile /var/run/samba/smbd.pid
}

start_nmbd() {
start-stop-daemon --start --quiet --exec /usr/sbin/nmbd -- \
${nmbd_options:-"-D"}
}

stop_nmbd() {
start-stop-daemon --stop --quiet --pidfile /var/run/samba/nmbd.pid
}

start_winbindd() {
start-stop-daemon --start --quiet --exec /usr/sbin/winbindd -- \
$winbindd_options
}

stop_winbindd() {
start-stop-daemon --stop --quiet --pidfile /var/run/samba/winbindd.pid
}

start() {
for i in $daemon_list; do
ebegin "Starting $i"
start_$i
eend $?
done
}

stop() {
for i in $daemon_list; do
ebegin "Stopping $i"
stop_$i
eend $?
done
}

reload() {
for i in $daemon_list; do
ebegin "Reloading $i"
killall -HUP $i
eend $?
done
}

= Configure the Samba service =
Run this command to start the service on boot.
{{Cmd|rc-update add samba}}

Run this command to start the service right now.
{{Cmd|rc-service samba start}}

[[Category:Printers]]
[[Category:Authentication]]

Alpine Linux - User contributions [en]

Setting up a samba-ad-dc