Installing Samba4 (4.1) on Ubuntu 12.04 LTS

Filed Under (Samba 4, Ubuntu, Windows Networking) by Just An Admin on 23-01-2013

Samba 4.1 has been available for download for several months now, a version I have been looking forward to for a long time. The installation documentation and the blog posts of people who have actually installed it are still limited, outdated, too general or incomplete. I am very interested in how this new version works and how well it installs, so I will give it a go.

For this setup we will use a basic Ubuntu 12.04.1 LTS (Precise Pangolin) install and the most recent version of Samba 4.1 (Git source).



Throughout this document I will be using the following information, which you can replace with your own settings:

Servername: SAMBA

DNS Domain name: mydomain.local

NETBIOS Domain name: MYDOMAIN

IP address: 192.168.1.10 with subnet mask 255.255.255.0

Default gateway: 192.168.1.1


Installing Ubuntu 12.04 LTS

For this test we installed Ubuntu 12.04.1 LTS x64 in a VMware ESXi virtual machine. This is a standard install with no extra software or packages selected during the initial installation. I will not go into the installation of Ubuntu in much detail, as it is very straightforward. We used a 32GB disk which was automatically partitioned. If you know what you are doing, you can select a manual partitioning scheme and a disk size that suits your wishes.

After the install of Ubuntu is complete and the first boot of the OS has finished, we need to address some minor configuration tasks. First we make sure we are up to date on the latest patches:

[cc width=”600″ lang=”bash”]
sudo apt-get update
sudo apt-get upgrade
[/cc]

Install an SSH server

To make copying and pasting from this guide easier (the VMware console lacks good copy/paste support) we will install SSH. Besides the ease of copy/paste, this is a useful way to manage your server remotely.

[cc width=”600″ lang=”bash”]
sudo apt-get install openssh-server
sudo reboot now
[/cc]

After the reboot, use PuTTY or another SSH client to connect.

Change the root password

Change the password for the root account and make sure you use a password with solid complexity.

[cc width=”600″ lang=”bash”]
sudo passwd root
[/cc]

Note that Ubuntu ships with the root account locked and expects you to work through sudo. Giving root a password unlocks it, and because the OpenSSH server on 12.04 ships with PermitRootLogin yes, root can then log in over SSH with that password. If you only need sudo you can skip this step; if you do set a root password, set PermitRootLogin no in /etc/ssh/sshd_config and restart the ssh service.

Configure a fixed IP for your new server.

Edit /etc/network/interfaces and change the config to set a static IP. Please use your own IP information where applicable:

[cc width=”600″ lang=”bash”]

sudo nano /etc/network/interfaces

[/cc]

[cc width=”600″ lang=”bash”]
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.10 8.8.8.8
dns-search mydomain.local
[/cc]

Now reboot the server

[cc width=”600″ lang=”bash”]

sudo reboot now

[/cc]

After the reboot has finished and you have logged on to the server, check that the new IP configuration has been applied:

[cc width=”600″ lang=”bash”]

ifconfig

[/cc]

Install an NTP service to sync the time

Active Directory and Kerberos rely on correct time and date settings: Kerberos rejects requests when the clocks of client and KDC differ by more than five minutes (the default clock skew), so the domain controller must keep accurate time.

[cc width=”600″ lang=”bash”]
sudo apt-get install ntp
[/cc]

Edit /etc/ntp.conf and replace the server with a time server of your own or use one from http://www.pool.ntp.org/en/. If you are not familiar with this, you can leave the default server (0.ubuntu.pool.ntp.org) as is.

Example:

[cc width=”600″ lang=”bash”]

sudo nano /etc/ntp.conf

[/cc]

and change:

[cc width=”600″ lang=”bash”]
server 0.north-america.pool.ntp.org
[/cc]

To set the time for the first time, stop the daemon, step the clock once with ntpdate and start the daemon again. Use your preferred time server; -b steps the clock immediately, whereas -B slews it gradually, which for a large offset can take hours:

[cc width=”600″ lang=”bash”]
sudo service ntp stop
sudo ntpdate -b 0.north-america.pool.ntp.org
sudo service ntp start
[/cc]

To check if all went well, do:

[cc width=”600″ lang=”bash”]
ntpq -p
[/cc]
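Because Kerberos refuses requests once the clocks of client and KDC drift more than five minutes apart, it is worth checking that ntpd has actually selected a peer before provisioning the domain. The following script is an added example, not code from the original post: it parses the output of ntpq -p, finds the peer the system clock is synchronised to (the line whose first character is *) and fails if no peer is selected, the reach register is not 377 (eight successful polls in a row) or the offset exceeds a threshold. The 500 ms threshold is an assumption (override it with NTP_MAX_OFFSET_MS or a first argument) and the two ntpq outputs embedded in the script are constructed, not captured from a real server.

```bash
#!/bin/sh
# ntp_check.sh: decide from "ntpq -p" output whether this host is usably
# synchronised before provisioning an AD DC (added example, not from the post).
#
# ntpq -p columns: remote refid st t when poll reach delay offset jitter
# The first character of "remote" is the tally code: "*" marks the peer the
# system clock is synchronised to, "+" a candidate, " " or "x" a rejected peer.

# ntp_peer_ok [max_offset_ms]   (reads "ntpq -p" output on stdin)
# Returns 0 when a "*" peer exists with reach 377 and |offset| <= max_offset_ms.
ntp_peer_ok() {
    max=${1:-${NTP_MAX_OFFSET_MS:-500}}   # 500 ms is an assumed threshold
    awk -v max="$max" '
        NR > 2 && substr($1, 1, 1) == "*" {
            peer = substr($1, 2); reach = $7; off = $9
            if (off < 0) off = -off
            found = 1
            if (reach == "377" && off <= max) ok = 1
            printf "synced to %s: reach %s, offset %s ms\n", peer, reach, $9
        }
        END {
            if (!found) print "no peer selected yet: wait for reach to climb, or check that UDP/123 is open"
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample of "ntpq -p" output (not captured from a real server).
SAMPLE_NTPQ_GOOD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.o 192.0.2.5        2 u   55   64  377   12.345   -0.812   0.431
+ntp2.example.o 192.0.2.6        2 u   20   64  377   14.102    1.207   0.622
 ntp3.example.o 192.0.2.7        3 u   61   64  377   30.551  500.003   2.004'

# Same format, but the daemon has not chosen a peer yet (reach still climbing).
SAMPLE_NTPQ_NOT_YET='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.example.o 192.0.2.5        2 u   10   64    3   12.345   -0.812   0.431'

# Wrappers so the constructed samples can be checked without a live ntpd.
check_sample_good()    { printf '%s\n' "$SAMPLE_NTPQ_GOOD"    | ntp_peer_ok; }
check_sample_not_yet() { printf '%s\n' "$SAMPLE_NTPQ_NOT_YET" | ntp_peer_ok; }

# Live check against the real daemon:  sh ntp_check.sh --live
if [ "$1" = "--live" ]; then
    ntpq -p | ntp_peer_ok
fi
```

Run it with --live on the server; a non-zero exit means you should wait (reach climbs by one bit per successful poll, so 377 takes eight poll intervals after a restart) or look at the firewall before going on.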


Installing Samba 4 (4.1)

Before we can begin installing Samba, we need to install some prerequisites:

[cc width=”600″ lang=”bash”]
sudo apt-get install build-essential libacl1-dev python-dev libldap2-dev pkg-config gdb libgnutls-dev libblkid-dev libreadline-dev libattr1-dev python-dnspython libpopt-dev libbsd-dev attr docbook-xsl libcups2-dev git
[/cc]

We will install the most current Samba 4 release from the Git repository, Samba 4.1.0pre1-GIT-0a4a4ba at the time of writing:

[cc width=”600″ lang=”bash”]
sudo git clone git://git.samba.org/samba.git /usr/src/samba4/
[/cc]

Make sure port 9418 is open on your firewall; the git:// protocol uses it. You will know you are in trouble if you get this error: errno=Connection timed out. Keep in mind that git:// is neither encrypted nor authenticated, so nothing protects the source you are about to build and install as root from being altered in transit; the same repository is served over https://git.samba.org/samba.git, which authenticates the server and also sidesteps the port 9418 issue.

[cc width=”600″ lang=”bash”]
cd /usr/src/samba4
[/cc]

If you want to pin the build to the 4.1.0 stable release instead of the most recent commit, check out its tag. Samba release tags are signed; once you have imported the Samba Distribution Verification Key, git tag -v samba-4.1.0 verifies the signature before you build:

[cc width=”600″ lang=”bash”]
sudo git checkout tags/samba-4.1.0
[/cc]

Now we continue with the build of Samba:

[cc width=”600″ lang=”bash”]
sudo ./configure --enable-debug
sudo make
[/cc]

You will see a lot of compiler warnings (subcontext() and pointer messages). From what I was able to find, these warnings can be ignored, which is what I did.

[cc width=”600″ lang=”bash”]
sudo make install
[/cc]

After the install we add the bin and sbin directories of Samba to the path that sudo uses. Edit the sudoers file with visudo rather than a plain editor: visudo checks the syntax before saving, and a sudoers file with a syntax error locks you out of sudo entirely.

[cc width=”600″ lang=”bash”]
sudo visudo
[/cc]

and add the following to the end of the Defaults secure_path= line, before the closing quote:

[cc width=”600″ lang=”bash”]
:/usr/local/samba/sbin:/usr/local/samba/bin
[/cc]

then write the changes and exit.

Make the same change to the system-wide PATH variable (this takes effect at the next login):

[cc width=”600″ lang=”bash”]
sudo nano /etc/environment
[/cc]

and add the following to the end of the PATH value, before the closing quote:

[cc width=”600″ lang=”bash”]
:/usr/local/samba/sbin:/usr/local/samba/bin
[/cc]

and write the changes and exit nano.

Now that Samba is installed, we can create a new domain using the samba-tool domain provision command:

[cc width=”600″ lang=”bash”]
sudo /usr/local/samba/bin/samba-tool domain provision --realm mydomain.local --domain MYDOMAIN --adminpass Pa$$w1rd --server-role=dc
[/cc]

NB. Be sure to pick a strong password. The password complexity requirement is at least one uppercase letter, one number and a minimum length of eight characters. Passing the password on the command line with --adminpass leaves it in your shell history and shows it to every local user in the process list while the command runs; if you leave the option out, samba-tool prompts for it instead. Also be aware that the .local suffix used for the realm here collides with multicast DNS (Avahi on Linux, Bonjour on OS X), which makes name resolution for the domain unreliable on such clients; for a new deployment a subdomain of a DNS domain you own (for example ad.example.com) is the safer choice. If you have to rerun the command because the password was not strong enough or the run failed for any other reason, first remove the partial configuration, otherwise the next provision aborts because smb.conf already exists: sudo rm /usr/local/samba/etc/smb.conf (and clear any databases left behind under /usr/local/samba/private/ as well).

If you receive this error:

      "ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs 
      requires. Try the mounting the filesystem with the 'acl' option"

the s3fs file server needs POSIX ACLs and user extended attributes on the filesystem that will hold the Samba databases and sysvol. The supported fix is to make sure that filesystem is mounted with the acl and user_xattr options (add them to the options in /etc/fstab and remount) and that Samba was built with ACL support, i.e. libacl1-dev and libattr1-dev were installed before running ./configure. A common shortcut is to add --use-ntvfs to the end of the provision command, which makes the error go away, but, as Mark stated in his comment, you will then be running the legacy NTVFS file server instead of s3fs.
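Rather than discovering the ACL problem from a failed provision, you can check the target filesystem first. The script below is an added example, not part of the original post or of Samba. It does two things, because /proc/mounts only lists options given explicitly at mount time and ext4 filesystems created by Ubuntu's mke2fs carry acl,user_xattr as superblock defaults that never appear there: it reports what the mount table says for the mount holding the Samba prefix, and then actually sets an ACL entry and a user xattr on a temporary file, which is the test that matters. The prefix /usr/local/samba is this post's install location; the mount table embedded in the script is constructed for the offline checks.

```bash
#!/bin/sh
# acl_preflight.sh: check that the filesystem which will hold the Samba
# databases and sysvol supports POSIX ACLs and user xattrs, which the s3fs
# backend requires (added example, not from the post or the Samba project).

# mount_opts_for <path> [mounts_table]
# Prints the mount options of the longest mount point that contains <path>.
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2; gsub(/\\040/, " ", mp)            # unescape spaces in mount points
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }' "${2:-/proc/mounts}"
}

# has_opt <comma-separated-options> <option>
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# mount_advertises_acl <path> [mounts_table]
# 0 if the mount line lists both acl and user_xattr, 1 otherwise. A 1 here is
# only a hint: superblock default options (ext4 on Ubuntu) are not listed.
mount_advertises_acl() {
    opts=$(mount_opts_for "$1" "$2")
    has_opt "$opts" acl && has_opt "$opts" user_xattr
}

# acl_probe <dir>
# 0 when an ACL entry and a user xattr can be set on a file in <dir>,
# 1 when the filesystem refuses, 2 when the acl/attr tools are missing.
acl_probe() {
    command -v setfacl >/dev/null 2>&1 && command -v setfattr >/dev/null 2>&1 \
        || { echo "setfacl/setfattr missing: apt-get install acl attr"; return 2; }
    f=$(mktemp "$1/.aclprobe.XXXXXX") || return 2
    rc=0
    setfacl -m u:nobody:r "$f" 2>/dev/null || { echo "POSIX ACLs refused on $1"; rc=1; }
    setfattr -n user.probe -v 1 "$f" 2>/dev/null || { echo "user xattrs refused on $1"; rc=1; }
    rm -f "$f"
    return $rc
}

# Constructed /proc/mounts-style table used for the offline checks.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /usr/local ext4 rw,relatime,acl,user_xattr 0 0
/dev/sdc1 /srv/noacl ext4 rw,relatime,noacl,nouser_xattr 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=102400k 0 0'

sample_mounts_file() {   # writes the constructed table to a temp file, prints its path
    t=$(mktemp) && printf '%s\n' "$SAMPLE_MOUNTS" > "$t" && echo "$t"
}

# Usage on the real system:  sh acl_preflight.sh /usr/local/samba
if [ -n "$1" ]; then
    if mount_advertises_acl "$1"; then
        echo "mount options for $1 list acl and user_xattr"
    else
        echo "mount options for $1 do not list acl/user_xattr (may still be superblock defaults)"
    fi
    acl_probe "$1"
fi
```

If acl_probe fails, add acl,user_xattr to the options of that filesystem in /etc/fstab and remount before provisioning; if the mount line looks fine but provisioning still complains, the Samba build itself lacks ACL support and needs a rebuild with the dev packages installed.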

Setting a DNS forwarder allows queries the server cannot resolve itself to be forwarded to another DNS server that can. This is required to browse the Internet or download updates during the rest of this post. Make the following adjustment to enable forwarding:

[cc width=”600″ lang=”bash”]
sudo nano /usr/local/samba/etc/smb.conf
[/cc]

Add or change the following lines in the [global] section, where the IP of the forwarder is your router. If your router does not forward DNS requests, use 8.8.8.8 (Google DNS):

[cc width=”600″ lang=”bash”]
dns forwarder = 192.168.1.1
allow dns updates = nonsecure and secure
[/cc]

The second line also permits dynamic DNS updates from clients. Be aware that nonsecure and secure accepts unauthenticated updates, so any host that can reach the server can register or overwrite records in the zone, including the names of the domain controller itself. The default, secure only, requires the client to authenticate with Kerberos (which domain-joined Windows clients do) and is the setting to keep unless you have non-domain devices that must register their own names.

Now reboot the server

[cc width=”600″ lang=”bash”]

sudo reboot now

[/cc]

Now we need to make this server point to its own DNS for name resolution.

[cc width=”600″ lang=”bash”]

sudo nano /etc/network/interfaces

[/cc]

and remove 8.8.8.8 from the dns-nameservers line; the forwarder configured in smb.conf now takes care of external names. Afterwards the line looks like this (the change takes effect after the next reboot, or after bringing the interface down and up again):

[cc width=”600″ lang=”bash”]

dns-nameservers 192.168.1.10

[/cc]

After the provisioning command has finished successfully and you have made the required changes for DNS forwarding, we are ready to start the Samba server and see if everything works as expected:

[cc width=”600″ lang=”bash”]
sudo /usr/local/samba/sbin/samba
[/cc]

Without the -i option the samba binary goes into the background on its own.

A working DNS server is required for Samba, or any Active Directory, to function properly; without it Kerberos in particular will fail. We will be using the DNS server built into Samba: if you specified --dns-backend=SAMBA_INTERNAL in the provision command above, or did not specify the option at all, the internal DNS server is used.

As our DNS server was already installed with Samba, we now need to test whether DNS is functioning properly. We will run a few basic DNS queries and see if they return valid responses:

[cc width=”600″ lang=”bash”]

host -t SRV _ldap._tcp.mydomain.local.

[/cc]

Should return something like:

_ldap._tcp.mydomain.local has SRV record 0 100 389 samba.mydomain.local.

 

[cc width=”600″ lang=”bash”]

host -t SRV _kerberos._udp.mydomain.local.

[/cc]

Should return something like:

_kerberos._udp.mydomain.local has SRV record 0 100 88 samba.mydomain.local.

 

[cc width=”600″ lang=”bash”]

host -t A samba.mydomain.local.

[/cc]

Should return something like:

samba.mydomain.local has address 192.168.1.10
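To check the whole set of records a domain controller must publish, rather than the three queries above one at a time, here is an added example script (not part of the original post or of Samba) that looks up the standard AD service records with host and compares each answer with the expected domain controller name, port and address. It goes beyond the page by also covering _kerberos._tcp, _kpasswd._udp, _ldap._tcp.dc._msdcs and the global catalog record _gc._tcp, all of which samba-tool domain provision creates. The expected ports are the AD defaults; the realm, host name and address are this post's example values, and the dns_query wrapper exists so the lookups can be replaced by canned answers when testing the script itself.

```bash
#!/bin/sh
# dc_dns_check.sh: verify the SRV and A records an AD domain controller must
# publish (added example; not part of the post or of the Samba project).
#
# Usage: sh dc_dns_check.sh <realm> <dc-hostname> <dc-ip> [dns-server]
#   e.g. sh dc_dns_check.sh mydomain.local samba 192.168.1.10 192.168.1.10

# Thin wrapper around host(1) so the lookups can be replaced by canned answers.
dns_query() {   # dns_query <type> <name> [server]
    host -t "$1" "$2" ${3:+"$3"} 2>&1
}

# Reduce a host(1) SRV answer ("_ldap._tcp.x has SRV record 0 100 389 dc.x.")
# to "port target", trailing dot stripped and target lower-cased.
srv_port_target() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $(NF-1) " " tolower($NF); exit }'
}

# Reduce "name has address 192.0.2.1" to the address.
a_address() {
    awk '/has address/ { print $NF; exit }'
}

# check_dc_records <realm> <dc-hostname> <dc-ip> [dns-server]
# Prints one line per record and returns the number of failed checks.
check_dc_records() {
    realm=$1; dc=$2; ip=$3; server=$4; fails=0
    want_target=$(printf '%s.%s' "$dc" "$realm" | tr 'A-Z' 'a-z')

    # "<service> <port>" pairs: AD default ports for LDAP, Kerberos, kpasswd
    # and the global catalog.
    for rec in "_ldap._tcp 389" "_kerberos._udp 88" "_kerberos._tcp 88" \
               "_kpasswd._udp 464" "_ldap._tcp.dc._msdcs 389" "_gc._tcp 3268"; do
        set -- $rec
        name="$1.$realm"; want_port=$2
        set -- $(dns_query SRV "$name." "$server" | srv_port_target)
        if [ "$1" = "$want_port" ] && [ "$2" = "$want_target" ]; then
            echo "ok   $name -> $2:$1"
        else
            echo "FAIL $name -> '${2:-no answer}:${1:-}' (want $want_target:$want_port)"
            fails=$((fails + 1))
        fi
    done

    addr=$(dns_query A "$dc.$realm." "$server" | a_address)
    if [ "$addr" = "$ip" ]; then
        echo "ok   $dc.$realm -> $addr"
    else
        echo "FAIL $dc.$realm -> '${addr:-no answer}' (want $ip)"
        fails=$((fails + 1))
    fi
    return $fails
}

if [ "$#" -ge 3 ]; then
    check_dc_records "$@"
fi
```

Passing the domain controller's own address as the fourth argument queries the Samba DNS server directly, which separates "the zone is wrong" from "the resolver on this box points elsewhere"; run it once without that argument to confirm the resolver setup as well.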

 

If DNS works as expected, we test whether Kerberos is running correctly. First we install the Kerberos 5 utilities:

[cc width=”600″ lang=”bash”]

sudo apt-get install krb5-user

[/cc]

Once the Kerberos utilities are installed, we request a ticket for the Administrator account. The package installation asks for a default realm; answer MYDOMAIN.LOCAL (upper case), or copy the krb5.conf that provisioning generated in /usr/local/samba/private/ over /etc/krb5.conf. Be sure to use the password you specified in the provision command.

[cc width=”600″ lang=”bash”]

kinit administrator

[/cc]

Should return something like:

Warning: Your password will expire in 41 days on Tue Mar  5 15:23:03 2013

 

You can check if a Kerberos ticket has been processed correctly using the following command:

[cc width=”600″ lang=”bash”]

klist

[/cc]

This should return something like:

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@MYDOMAIN.LOCAL

Valid starting    Expires           Service principal
23/01/2013 13:27  23/01/2013 23:27  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 24/01/2013 13:27

 

Finally we test the SMB side of the domain and check that the shares required for a functional Active Directory are up and running. In particular the netlogon and sysvol shares must be visible. The -U% option lists the shares anonymously:

[cc width=”600″ lang=”bash”]
/usr/local/samba/bin/smbclient -L localhost -U%
[/cc]

Should return something like:

Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-0a4a4ba]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-0a4a4ba)
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-0a4a4ba]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

And finally we check that the user administrator can log in using SMB (you will be prompted for the password):

[cc width=”600″ lang=”bash”]
/usr/local/samba/bin/smbclient //localhost/netlogon -U 'administrator'
[/cc]

Should return something like:

Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-0a4a4ba]

 

Type quit to exit the SMBClient prompt.

 

We are done! Congratulations, we have installed a Samba4 server on Ubuntu 12.04.

 

Init script for auto start

When the server reboots, it would be nice if the Samba service started automatically. The following init.d script takes care of that:

[cc width=”600″ lang=”bash”]

sudo nano /etc/init.d/samba4

[/cc]

and add the following:

[cc escaped="true" width=”600″ lang=”text”]
#! /bin/sh
### BEGIN INIT INFO
# Provides: samba
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start Samba daemons
### END INIT INFO
#
# Start/stops the Samba 4 daemon (samba).
# Adapted from the Samba 3 packages.
#

DAEMON=/usr/local/samba/sbin/samba
CONFIG=/usr/local/samba/etc/smb.conf
# PID file of a /usr/local/samba build; confirm with "samba -b" (PIDDIR)
SAMBAPID=/usr/local/samba/var/run/samba.pid

# clear conflicting settings from the environment
unset TMPDIR
# See if the daemon and the config file are there
test -x "$DAEMON" -a -r "$CONFIG" || exit 0

. /lib/lsb/init-functions

case "$1" in
  start)
    log_daemon_msg "Starting Samba 4 daemon" "samba"
    if ! start-stop-daemon --start --quiet --oknodo --pidfile "$SAMBAPID" --exec "$DAEMON" -- -D; then
      log_end_msg 1
      exit 1
    fi

    log_end_msg 0
    ;;
  stop)
    log_daemon_msg "Stopping Samba 4 daemon" "samba"

    start-stop-daemon --stop --quiet --pidfile "$SAMBAPID" --name samba
    # Wait a little and remove a stale PID file
    sleep 1
    if [ -f "$SAMBAPID" ] && ! ps -p "$(cat "$SAMBAPID")" > /dev/null
    then
      # Stale PID file (samba was successfully stopped), remove it
      rm -f "$SAMBAPID"
    fi

    log_end_msg 0
    ;;
  restart|force-reload)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/samba4 {start|stop|restart|force-reload}"
    exit 1
    ;;
esac

exit 0
[/cc]

After you have created the file, be sure to change the permissions and set the script to autostart using update-rc.d:

[cc width=”600″ lang=”bash”]

sudo chmod 755 /etc/init.d/samba4

sudo update-rc.d samba4 defaults

[/cc]

 

Home folders for Active Directory users

First we create a folder in which all the home folders will reside:

[cc width=”600″ lang=”bash”]
sudo mkdir -m 770 /Users
sudo chmod g+s /Users
sudo chown root:users /Users
[/cc]

Next we add the following share to /usr/local/samba/etc/smb.conf:

[cc width=”600″ lang=”bash”]
[Users]
path = /Users
read only = no
directory mode = 0700
csc policy = documents
[/cc]

The directory mode of 0700 ensures that a home folder created through this share is accessible only to its owner. You can either map it with net use h: \\samba\Users\%USERNAME% or enter the same path in the Home folder field on the Profile tab of the user in Active Directory Users and Computers; with the latter the home folder is created automatically.

 

Before you join a workstation to this new domain, point the DNS server setting of that client at the new domain controller. Then join the domain as you would with a Windows domain.

Extra tips:

  1. samba -b shows the paths to the application and configuration files of this build.
  2. Install the Windows Server 2003 Service Pack 2 Administration Tools Pack (x86) to manage the Active Directory server from a Windows client:
    http://www.microsoft.com/en-us/download/details.aspx?id=6315
  3. If you want to debug your Samba server, use the following command to start Samba in single-process, interactive mode. This logs everything to stdout and makes debugging easy:
    gdb --args /usr/local/samba/sbin/samba -i -M single
  4. Use /usr/local/samba/sbin/samba -V to see which version of Samba you are running, or try /usr/local/samba/bin/smbclient --version

 

Parts of the following online resources were used for this tutorial:

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

http://praxis.edoceo.com/howto/samba4

http://www.matrix44.net/cms/notes/gnulinux/samba-4-ad-domain-with-ubuntu-12-04

http://frednotes.wordpress.com/2012/09/27/samba-4-as-a-domain-controller/

http://www.bryanpopham.com/tutorials/Samba4PDCWin7WinXP.html#make%20init.d%20startup%20scripts%20for%20samba4

 

Updates:

24-1-2013 added init.d startup script
10-2-2013 added update-rc.d for autostart and added home folder creation
11-2-2013 corrected DNS forwarder and DNS updates for smb.conf
22-4-2013 changed the password example in the provisioning command to comply with minimum password requirements
28-6-2013 changed the 'allow dns updates' value in smb.conf as the new Git commit does not support 'True' anymore. Thanks José
3-7-2013 changed the way the PATH environment variable is set. It is now made permanent by adding it to ~/.bashrc
4-7-2013 changed the creation of the home folders to allow for auto creation through ADUC. This seemed broken.
6-1-2014 added root password change and a PATH change for sudoers and system env. Added a tip by DoitDave: fixing the git branch to 4.1.0
25-2-2014 added a comment to the 'solution' of adding --use-ntvfs to solve the ACL error. As Mark commented, this 'solution' is using old technology.
