Setting up a samba-ad-dc: Difference between revisions
m (fix formatting) |
Prabuanand (talk | contribs) (removed outdated information about chrony, fixed heading levels, added links) |
||
| (15 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
This page documents the setting up a [[Setting up a Samba server|Samba]] based Active Directory (AD) domain controller (DC). | |||
In all examples below, | |||
== Prerequisites == | |||
AD Domain time sync requires MS-SNTP signing support, so install one of the below NTP server implementations which do support MS-SNTP signing: | |||
* {{Pkg|chrony}} - Chrony | |||
* {{pkg|ntpd-rs}} - The ntp.org "ntpd" server | |||
== Installation == | |||
Install packages:{{Cmd|apk add samba-dc krb5 py3-cryptography }} | |||
== Configuration == | |||
In all examples below, replace EXAMPLE with your NetBIOS domain name in caps, example.com with your DNS domain name, HOSTNAME with your system's host name in caps, and hostname with your system's host name. | |||
Refer to the [https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ Active Directory naming FAQ] before choosing your domain name. | Refer to the [https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ Active Directory naming FAQ] before choosing your domain name. | ||
= | === Edit hosts file === | ||
You need to modify your {{Path|/etc/hosts}} file to look similar to this. | |||
You need to modify | |||
127.0.0.1 localhost.localdomain localhost | 127.0.0.1 localhost.localdomain localhost | ||
10.1.1.10 hostname.example.com hostname | 10.1.1.10 hostname.example.com hostname | ||
= Create smb.conf = | === Create smb.conf === | ||
Alpine doesn't provide an example configuration file in the package so you'll need to create one. | |||
Alpine doesn't provide an example configuration file in the package so you'll need to create one at {{Path|/etc/samba/smb.conf}}. | |||
[global] | [global] | ||
| Line 33: | Line 45: | ||
read only = No | read only = No | ||
= Provision your Samba domain = | === Provision your Samba domain === | ||
Answer the questions with your domain information: | Answer the questions with your domain information: | ||
{{Cmd|samba-tool domain provision --use-rfc2307 --interactive}} | {{Cmd|samba-tool domain provision --use-rfc2307 --interactive}} | ||
| Line 39: | Line 52: | ||
When asked for a forwarder IP, choose your internet DNS server. You can use your ISP or other public services (like Google) here. | When asked for a forwarder IP, choose your internet DNS server. You can use your ISP or other public services (like Google) here. | ||
= Configure resolv.conf = | === Configure resolv.conf === | ||
Modify your /etc/resolv.conf to include your new domain as a search domain and point to itself as the first nameserver. | |||
Modify your {{Path|/etc/resolv.conf}} to include your new domain as a search domain and point to itself as the first nameserver. | |||
search example.com | search example.com | ||
nameserver 10.1.1.10 | nameserver 10.1.1.10 | ||
= Configure Kerberos = | === Configure Kerberos === | ||
You need to replace krb5.conf with a link to the one generated by samba. | You need to replace krb5.conf with a link to the one generated by samba. | ||
{{Cmd|ln -sf / | {{Cmd|ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf}} | ||
= Install new init script = | === Install new init script === | ||
Modify your {{Path|/etc/init.d/samba}} script like the one below to support starting Samba as a domain controller as follows: | |||
#!/sbin/openrc-run | #!/sbin/openrc-run | ||
| Line 71: | Line 87: | ||
start_samba() { | start_samba() { | ||
mkdir -p /var/run/samba | |||
start-stop-daemon --start --quiet --exec /usr/sbin/samba -- | start-stop-daemon --start --quiet --exec /usr/sbin/samba -- | ||
} | } | ||
| Line 129: | Line 146: | ||
done | done | ||
} | } | ||
= Configure the Samba service = | === Configure the Samba service === | ||
{{Cmd|rc-update add samba}} | To enable the service on startup:{{Cmd|rc-update add samba}} | ||
{{Cmd|rc-service samba start}} | |||
To start the service right now:{{Cmd|rc-service samba start}} | |||
== See also == | |||
* [[https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller Official Samba Wikipage]] | |||
[[Category:Printers]] | |||
[[Category:Authentication]] | |||
Latest revision as of 10:32, 19 September 2025
This page documents the setting up a Samba based Active Directory (AD) domain controller (DC).
Prerequisites
AD Domain time sync requires MS-SNTP signing support, so install one of the below NTP server implementations which do support MS-SNTP signing:
Installation
Install packages:
apk add samba-dc krb5 py3-cryptography
Configuration
In all examples below, replace EXAMPLE with your NetBIOS domain name in caps, example.com with your DNS domain name, HOSTNAME with your system's host name in caps, and hostname with your system's host name.
Refer to the Active Directory naming FAQ before choosing your domain name.
Edit hosts file
You need to modify your /etc/hosts file to look similar to this.
127.0.0.1 localhost.localdomain localhost 10.1.1.10 hostname.example.com hostname
Create smb.conf
Alpine doesn't provide an example configuration file in the package so you'll need to create one at /etc/samba/smb.conf.
[global]
server role = domain controller
workgroup = EXAMPLE
realm = example.com
netbios name = HOSTNAME
passdb backend = samba4
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/example.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Provision your Samba domain
Answer the questions with your domain information:
samba-tool domain provision --use-rfc2307 --interactive
Use the SAMBA_INTERNAL DNS option. When asked for a forwarder IP, choose your internet DNS server. You can use your ISP or other public services (like Google) here.
Configure resolv.conf
Modify your /etc/resolv.conf to include your new domain as a search domain and point to itself as the first nameserver.
search example.com nameserver 10.1.1.10
Configure Kerberos
You need to replace krb5.conf with a link to the one generated by samba.
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
Install new init script
Modify your /etc/init.d/samba script like the one below to support starting Samba as a domain controller as follows:
#!/sbin/openrc-run
extra_started_commands="reload"
DAEMON=${SVCNAME#samba.}
SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
daemon_list="samba"
elif [ "$DAEMON" != "samba" ]; then
daemon_list=$DAEMON
fi
depend() {
need net
after firewall
}
start_samba() {
mkdir -p /var/run/samba
start-stop-daemon --start --quiet --exec /usr/sbin/samba --
}
stop_samba() {
start-stop-daemon --stop --quiet --pidfile /var/run/samba/samba.pid
}
start_smbd() {
start-stop-daemon --start --quiet --exec /usr/sbin/smbd -- \
${smbd_options:-"-D"}
}
stop_smbd() {
start-stop-daemon --stop --quiet --pidfile /var/run/samba/smbd.pid
}
start_nmbd() {
start-stop-daemon --start --quiet --exec /usr/sbin/nmbd -- \
${nmbd_options:-"-D"}
}
stop_nmbd() {
start-stop-daemon --stop --quiet --pidfile /var/run/samba/nmbd.pid
}
start_winbindd() {
start-stop-daemon --start --quiet --exec /usr/sbin/winbindd -- \
$winbindd_options
}
stop_winbindd() {
start-stop-daemon --stop --quiet --pidfile /var/run/samba/winbindd.pid
}
start() {
for i in $daemon_list; do
ebegin "Starting $i"
start_$i
eend $?
done
}
stop() {
for i in $daemon_list; do
ebegin "Stopping $i"
stop_$i
eend $?
done
}
reload() {
for i in $daemon_list; do
ebegin "Reloading $i"
killall -HUP $i
eend $?
done
}
Configure the Samba service
To enable the service on startup:
rc-update add samba
To start the service right now:
rc-service samba start