
Install and configure Samba Active Directory on a Debian 12 (bookworm) server


Configuring the DNS name

1. Modify the file /etc/hostname and fill in the FQDN name of the server

srvads.mydomain.lan

2. Edit /etc/hosts and fill in the FQDN and the short name of the server, mapped to its real address (not a loopback one).

# /etc/hosts of the Samba-AD server
10.0.0.10 srvads.mydomain.lan srvads

3. Reboot

Finalizing your basic configuration

1. After the reboot, set the system language to English to make it easier to find problems in the logs:

apt-get install -y locales-all
localectl set-locale LANG=en_US.utf8
localectl status

2. Disable avahi-daemon (mDNS protocol / bonjour):

systemctl stop avahi-daemon.service avahi-daemon.socket
systemctl disable avahi-daemon.service avahi-daemon.socket

3. Update Debian and install the necessary administration tools:

apt-get update -y
apt-get install -y wget sudo screen nmap telnet tcpdump rsync net-tools dnsutils htop apt-transport-https vim gnupg lsb-release

Installing and configuring Samba-AD on Debian

Define an apt repository and add the GPG public key. Compare the sha256sum output with the expected value shown below before trusting the key:

wget -qO- https://samba.tranquil.it/tissamba-pubkey.gpg | tee /usr/share/keyrings/tissamba.gpg > /dev/null
sha256sum /usr/share/keyrings/tissamba.gpg
bd0f7140edd098031fcb36106b24a6837b067f1c847f72cf262fa012f14ce2dd  /usr/share/keyrings/tissamba.gpg

echo "deb [signed-by=/usr/share/keyrings/tissamba.gpg] https://samba.tranquil.it/debian/samba-4.20/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/tissamba.list

Installing the packages

export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install samba winbind libnss-winbind krb5-user smbclient ldb-tools python3-cryptography
unset DEBIAN_FRONTEND

Instantiating the Active Directory Samba domain

1. Modify the file /etc/krb5.conf and replace all its contents by the following lines, specifying the Active Directory realm of your organization (here MYDOMAIN.LAN). With dns_lookup_kdc = true the KDC is located through the domain's SRV records; the [realms] and [domain_realm] sections pin it explicitly to this server (srvads.mydomain.lan, the FQDN set above).

[libdefaults]
    default_realm = MYDOMAIN.LAN
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    MYDOMAIN.LAN = {
        kdc = srvads.mydomain.lan
        admin_server = srvads.mydomain.lan
    }

[domain_realm]
    .mydomain.lan = MYDOMAIN.LAN
    mydomain.lan = MYDOMAIN.LAN


Setting up Samba

1. Rename the file /etc/samba/smb.conf if it has already been generated (it will be regenerated by the instantiation command):

mv  /etc/samba/smb.conf /etc/samba/smb.conf.bak

2. On Debian, we need to stop all file-server services first:

systemctl stop samba winbind nmbd smbd

3. Configure Samba with the domain controller role. In the following command, remember to change both the name of the Kerberos realm and the short name of the domain (NetBIOS name):

samba-tool domain provision --realm=MYDOMAIN.LAN --domain MYDOMAIN --server-role=dc

Alternatively, provision interactively; the command then prompts for each value:

samba-tool domain provision


4. Reset the administrator password:

samba-tool user setpassword administrator

5. Check the line dns forwarder = xxx.xxx.xxx in your file /etc/samba/smb.conf. It must point to a valid DNS server, e.g.:

dns forwarder = 1.1.1.1

6. Reconfigure the DNS resolution for the local machine so that it queries the Samba-AD DNS server it now hosts. Replace the contents of /etc/resolv.conf with the following two lines:

search mydomain.lan
nameserver 127.0.0.1

7. The Samba domain creation script creates an unnecessary /var/lib/samba/private/krb5.conf file. It must be removed and replaced by a symbolic link to the /etc/krb5.conf file:

rm -f /var/lib/samba/private/krb5.conf
ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf

8. Disable and mask the standalone file-server units, then enable the samba-ad-dc unit so that it starts automatically at the next reboot:

systemctl disable samba winbind nmbd smbd
systemctl mask samba winbind nmbd smbd
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc

9. Reboot the machine to verify that Samba starts automatically.

10. After rebooting, ensure that Kerberos is properly configured and that you get a TGT:

kinit administrator
klist

11. Test the DNS:

dig @localhost google.fr
dig @localhost srvads.mydomain.lan
dig -t SRV @localhost _ldap._tcp.mydomain.lan
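The steps above depend on four files agreeing with each other: the FQDN in /etc/hostname, its non-loopback entry in /etc/hosts, the upper-cased realm in /etc/krb5.conf, and the loopback nameserver in /etc/resolv.conf. The following script is an added example, not part of the original guide or of Samba itself; it checks those files for consistency and takes file paths as arguments, so it can be run against the live files or against copies.

```sh
# Added example, not part of the original guide: consistency checks for the naming
# files a Samba-AD DC depends on (/etc/hostname, /etc/hosts, /etc/krb5.conf,
# /etc/resolv.conf). Functions take file paths, so they also run against copies.

# Print the FQDN from a hostname file; fail if it has no domain part.
fqdn_ok() {  # $1 = hostname file
  fqdn=$(tr -d '[:space:]' < "$1")
  case "$fqdn" in
    *.*) printf '%s\n' "$fqdn" ;;
    *)   echo "hostname '$fqdn' is not an FQDN" >&2; return 1 ;;
  esac
}

# The FQDN must map to the server's real address: a loopback entry (Debian's
# installer default is 127.0.1.1) would end up in the DC's own DNS records.
hosts_ok() {  # $1 = hosts file, $2 = fqdn
  ip=$(awk -v h="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$1")
  case "$ip" in
    "")    echo "no entry for $2 in $1" >&2; return 1 ;;
    127.*) echo "$2 maps to loopback ($ip) in $1" >&2; return 1 ;;
  esac
}

# default_realm must be the upper-cased DNS domain of the FQDN.
realm_ok() {  # $1 = krb5.conf, $2 = fqdn
  want=$(printf '%s' "${2#*.}" | tr '[:lower:]' '[:upper:]')
  have=$(awk -F'=' '/^[[:space:]]*default_realm[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1")
  if [ "$have" != "$want" ]; then
    echo "default_realm is '$have', expected '$want'" >&2; return 1
  fi
}

# After provisioning the DC resolves through itself, with the domain in the
# search list so that short names such as "srvads" still resolve.
resolv_ok() {  # $1 = resolv.conf, $2 = fqdn
  dom=$(printf '%s' "${2#*.}" | sed 's/\./\\./g')
  grep -qE '^nameserver[[:space:]]+127\.0\.0\.1([[:space:]]|$)' "$1" || { echo "nameserver is not 127.0.0.1" >&2; return 1; }
  grep -qE "^search[[:space:]]+(.*[[:space:]])?${dom}([[:space:]]|$)" "$1" || { echo "search list lacks ${2#*.}" >&2; return 1; }
}

# Run every check; the exit status is the number of failed checks.
check_all() {  # $1 = hostname, $2 = hosts, $3 = krb5.conf, $4 = resolv.conf
  fails=0
  fqdn=$(fqdn_ok "$1") || fails=$((fails + 1))
  hosts_ok "$2" "$fqdn" || fails=$((fails + 1))
  realm_ok "$3" "$fqdn" || fails=$((fails + 1))
  resolv_ok "$4" "$fqdn" || fails=$((fails + 1))
  return "$fails"
}
```

Run it as `check_all /etc/hostname /etc/hosts /etc/krb5.conf /etc/resolv.conf` on the DC; each failing check prints the reason on stderr.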

Installing and configuring Hybrid DNS

Tranquil IT recommends the use of both Samba-AD internal DNS server and Bind. The Samba-AD internal DNS server will handle internal queries, while Bind will manage external ones. This configuration uses few resources and benefits from the caching functionality provided by Bind.

1. Install the Bind package:

apt-get install bind9

2. Modify the options section of the file /etc/bind/named.conf.options (remember to modify the forwarder):

options {
      directory "/var/cache/bind";
      // Example forwarder:
      forwarders {
            1.1.1.1;
      };
      allow-query { any; };
      dnssec-validation no;
      minimal-responses yes;
      auth-nxdomain no;    # conform to RFC1035

      listen-on-v6 port 5353 { ::1; };
      listen-on port 5353 { 127.0.0.1; };
};

3. If needed, you can set a forwarder for a specific zone, modify the local section of the file /etc/bind/named.conf.local:

zone "myforwardedzone.lan" {
    type forward;
    forward only;
    forwarders { 192.168.50.10; } ;
};

4. Make Bind run IPv4-only (the -4 option) by editing /etc/default/named:

# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-4 -u bind"

5. In the [global] section of /etc/samba/smb.conf, add the following line (or replace the existing dns forwarder line), so that Samba's internal DNS hands every query it is not authoritative for to Bind on port 5353:

[global]
...
dns forwarder = 127.0.0.1:5353

6. Finally restart the samba and bind services:

systemctl restart samba-ad-dc
systemctl restart bind9


Ensuring the correct configuration of Bind

1. Ensure that the Bind server is listening on port 5353:

netstat -tapn | grep 5353
    tcp     0    0 127.0.0.1:5353    0.0.0.0:*    LISTEN      5291/named

2. Test local and recursive queries:

dig @localhost google.fr
dig @localhost srvads.mydomain.lan
dig -t SRV @localhost _ldap._tcp.mydomain.lan
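The hybrid setup only works when the dns forwarder value in smb.conf is exactly the address:port that Bind listens on; a bare 127.0.0.1 would make Samba forward to port 53, that is, to itself, and a Bind listening on port 53 would collide with Samba. The script below is an added example, not part of the original guide or of either project; it compares the two files and takes their paths as arguments (the live ones are /etc/bind/named.conf.options and /etc/samba/smb.conf).

```sh
# Added example, not part of the original guide: check that the hybrid DNS split
# is wired consistently, i.e. that Samba's "dns forwarder" is exactly the loopback
# ADDR:PORT that Bind listens on. Functions take file paths (live files or copies).

# Print ADDR:PORT from the IPv4 "listen-on port N { A; };" line (listen-on-v6 is skipped).
bind_listen() {  # $1 = named.conf.options
  awk '/^[[:space:]]*listen-on[[:space:]]+port/ {
         port = $3; sub(/.*\{[[:space:]]*/, ""); sub(/[[:space:]]*;.*/, "")
         print $0 ":" port; exit }' "$1"
}

# Print the value of "dns forwarder" from smb.conf, whitespace stripped.
samba_forwarder() {  # $1 = smb.conf
  awk -F'=' '/^[[:space:]]*dns forwarder[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# Succeed only when Bind has a non-53 IPv4 listener and Samba forwards to it.
hybrid_dns_ok() {  # $1 = named.conf.options, $2 = smb.conf
  listen=$(bind_listen "$1")
  fwd=$(samba_forwarder "$2")
  if [ -z "$listen" ]; then
    echo "Bind has no IPv4 'listen-on port' line, so it would default to port 53, which Samba's DNS owns" >&2
    return 1
  fi
  case "$listen" in
    *:53) echo "Bind listens on port 53 and collides with Samba's internal DNS" >&2; return 1 ;;
  esac
  if [ "$fwd" != "$listen" ]; then
    # A bare "127.0.0.1" is the classic mistake: Samba would forward to port 53, i.e. to itself.
    echo "dns forwarder is '$fwd' but Bind listens on '$listen'" >&2
    return 1
  fi
}
```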


Congratulations, your configuration is moving forward and you have just taken another step towards the solidity and efficacy of your Samba-AD installation.
