Skip to content

ActiveDirectory Domain Controller with Samba4 on RaspberryPi

2013/01/03

Install AD on RaspbrryPi

This is the log from installing a Raspberry Pi as an Primay Domain Controller. The existing environment is a home net work, where a fritz.box acts as the DNS and DHCP server.

When the Pi is started out of the box it uses DHCP. The DHCP server on the Fritzbox was configured to “allways assign the same IP to this client” . So the IP is blocked for the PI and can be configured as a static configuration on the PI.

Although it might be uncool but I ran all this as root

sudo su

Prepare installation

For compiling and the operation of a DC there is no need for “high performance” grafics. Each free byte of memory will speed up the compilation. So change memory allocation  – only 32 mb for grafics using the

Raspi-configure

Update to latest

aptitude update && aptitude safe-upgrade

Downlaod missing tools

I installed the following packages and tool. I needed multiple runs to find them. After that I found that the samba installation has a list under “OS requiremants” (http://wiki.samba.org/index.php/Samba_4/OS_Requirements)

apt-get install git-core
apt-get install python-dev
apt-get install libacl1-dev libblkid-dev
apt-get install libgnutls28-dev
apt-get install build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev attr krb5-user docbook-xsl

The sources where installed under the pi-user’s home dir. There a subdirectory “master-samba” is created like suggested in the installation walkthrough ( http://wiki.samba.org/index.php/Samba_4/OS_Requirements)

Cd /home/pi/
Md samba-master

Git download the source code  into samba-master

git clone git://git.samba.org/samba.git samba-master
cd samba-master

Built the configuration with debug enabled. Also the selftest parameter is useful to check for bigger issues

./configure  --enable-debug --enable-selftest
make
make install

After the make install is done run the set up. Important is that the passwort is complex ennogh.It should suffi´cent if you have a Uppercase char, a special character like $,# and a number. The internal DNS of samba is okay. The DNS forwarder is set to the fritzbox, because it handles all DNSrequest that are not for the realm (here myad.at.home).The realm is the full quallified DNS name of the AD Domain. It is intended tha it is not a sub domain of fritz.box.Although it should be possible that the Domain name is different from the first part of the realm name, it is a good idea to keep them the same.Choose a name less than 15 chars length.

/usr/local/samba/bin/samba-tool domain provision 
Realm: myad.at.home
Domain [myad]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [10.188.173.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=myad,DC=at,DC=home
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=myad,DC=at,DC=home
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              raspberrypi
NetBIOS Domain:        MYAD
DNS Domain:            myad.at.home
DOMAIN SID:            S-1-5-21-1141686708-2355780491-2416577776

There is no script for starting samba but it can be downloaded. Create the init script:

wget http://anonscm.debian.org/loggerhead/pkg-samba/samba4/unstable/download/head:/1833%40fc4039ab-9d04-0410-8cac-899223bdd6b0:trunk%252Fsamba4:debian%252Fsamba4.init/samba4.init -O /etc/init.d/samba4

Make it executable and include it in the normal init sequence

chmod 755 /etc/init.d/samba4
update-rc.d samba4 defaults

Set nameserver to look first on the local system and than on the fritzbox, just in case that samba’s dns server is not running. The “search” entry defines which domain parts are added to a client name for dns search. This helps when you only use hostnames instead full quallified names. “fritz.box” is added to the search list to help finding all the other mashines in the local net that are not part of the ad-domain

Edit /etc/resolv.conf

domain myad.at.home
search myad.at.home fritz.box
nameserver 10.199.173.100   <--- this is rapi's ip
nameserver 10.199.173.1        <… this is the old router aka fritz.box

Set NIC to a fixed ID

Edit /etc/network/interfaces to use a fixed IP

auto lo
iface lo inet loopback
iface eth0 inet static
address 10.199.173.100
netmask 255.255.255.0
network 10.199.173.0
broadcast 10.199.173.255
gateway 10.199.173.1
allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

Reboot

Add samba-exe directories to user and root’s path variable

For root roots ~/.bashrc for example

For user edit the /etc/profile.defs

Test samba version (client)

smbclient --version
Version 4.1.0pre1-GIT-bcacd8f

Sever

samba -V

Start samba so that it writes every thing to std out

/usr/local/samba/sbin/samba -i -M single &
[1] 2618
root@raspberrypi:/home/pi# samba version 4.1.0pre1-GIT-bcacd8f started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
samba: using 'single' process model
../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
../source4/dsdb/dns/dns_update.c:323: Failed SPN update - NT_STATUS_IO_TIMEOUT

The errors can be ignored cause the configuration is not complete. Check the shares that have to be provided by every doman controller

/usr/local/samba/bin/smbclient -L localhost -U%
Domain=[MYAD] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-bcacd8f]
Sharename       Type      Comment
---------       ----      -------
netlogon        Disk
sysvol          Disk
IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-bcacd8f)
Domain=[MYAD] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-bcacd8f]
Server               Comment
---------            -------
Workgroup            Master
---------            -------

Test account – replace the password by the one you set

smbclient //localhost/netlogon -UAdministrator%'p4$$word' -c 'ls'
Domain=[MYAD] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-bcacd8f]
.                                   D        0  Wed Jan  2 10:22:54 2013
..                                  D        0  Wed Jan  2 10:42:24 2013
57691 blocks of size 65536. 15088 blocks available

Check DNS entries / DNS config. Fire the host commands . You should get simmilar results:

host -t SRV _ldap._tcp.myad.at.home
_ldap._tcp.myad.at.home has SRV record 0 100 389 raspberrypi.myad.at.home.
host -t SRV _ldap._tcp.myad.at.home.
_ldap._tcp.myad.at.home has SRV record 0 100 389 raspberrypi.myad.at.home.
host -t SRV _kerberos._udp.myad.at.home.
_kerberos._udp.myad.at.home has SRV record 0 100 88 raspberrypi.myad.at.home.
host -t A raspberrypi.myad.at.home.
raspberrypi.myad.at.home has address 10.199.173.100

Create the Kerberos configuration by copying it from the template in the samba directory

cd /etc
cp /usr/local/samba/share/setup/krb5.conf .

Then edit the file and replace ${REALM} with the value you chose for the –realm parameter of the provision command above. realm must be in uppercase letters

[libdefaults]
default_realm = MYAD.AT.HOME
dns_lookup_realm = false
dns_lookup_kdc = true

Check Kerberos, get a tiket with kinit and display it. Use the realm name in upper case after the @.

kinit administrator@MYAD.AT.HOME
Password for administrator@MYAD.AT.HOME:
Warning: Your password will expire in 41 days on Thu Feb 14 10:56:46 2013

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYAD.AT.HOME
Valid starting     Expires            Service principal
03/01/13 11:33:40  03/01/13 21:33:40  krbtgt/MYAD.AT.HOME@MYAD.AT.HOME
renew until 04/01/13 11:33:23

Now you can goto on a Windows system and join domain:

rapi_DCsetup01

rapi_DCsetup02

Update:

A well done instruction you can find here: http://linux-on-a-server.com/samba-4-active-directory-my-first-successfully-test/ . It uses samba4 installation via apt-get and includes hints how to use bind9 as DNS server.

Advertisements

From → RaspberryPi

15 Comments
  1. Rathna permalink

    Been looking for a post like this for a while, thanks for taking the time to post. What version/ flavour of Pi OS did you use?

    • Hi Rathna,
      I used a nearly clean Raspbian “wheezy” .
      uname –all
      Linux raspberrypi 3.2.27+ #250 PREEMPT Thu Oct 18 19:03:02 BST 2012 armv6l GNU/Linux

  2. Rathna permalink

    Need to run sed -i ‘s|/usr/sbin|/usr/local/samba/sbin|g’ /etc/init.d/samba4 for autostart

  3. Todd permalink

    I am having a problem with the smbclient –version. My version comes back as 3.6.6. The server version comes back as”

    samba: /usr/lib/arm-linux-gnueabihf/libwbclient.so.0: no version information available (required by /usr/lib/arm-linux-gnueabihf/samba/libauth4.so)
    Version 4.0.0beta2
    root@pidc1:/home/pi#

    Any help on installing the correct SMBclient version would be appreciated

    • Todd,
      have you checked he path if there is an entry pointing o the old smb client version ? See Rathana’ s comment on changing the path in the init.d . /usr/sbin is he location where the old samba lives and /usr/local/samba/sbin should be the location of the new version

      • ferdydek permalink

        I get very similar error:
        sudo /etc/init.d/samba4 restart
        [ ok ] Stopping Samba 4 daemon: samba.
        [….] Starting Samba 4 daemon: samba/usr/sbin/samba: /usr/lib/arm-linux-gnueabihf/libwbclient.so.0: no version information available (required by /usr/lib/arm-linux-gnueabihf/samba/libauth4.so)
        . ok

        and
        samba -V
        samba: /usr/lib/arm-linux-gnueabihf/libwbclient.so.0: no version information available (required by /usr/lib/arm-linux-gnueabihf/samba/libauth4.so)
        Version 4.0.0beta2

        When I try to run the command Rathna gave I get:
        sed -i ‘s|/usr/sbin|/usr/local/samba/sbin|g’ /etc/init.d/samba4
        -bash: /usr/sbin: Is a directory
        -bash: /usr/local/samba/sbin: No such file or directory
        -bash: $’g\342\200\231′: command not found
        sed: -e expression #1, char 1: unknown command: `▒’

        about the PATH – what I get is:
        whereis samba
        samba: /usr/sbin/samba /etc/samba /usr/lib/samba /usr/share/samba /usr/share/man/man8/samba.8.gz

        any idea how to solve this?

  4. Alberto Scrubbs permalink

    How many users do you think this could handle? I’m talking serious corporate numbers, not 3 or 4 for home use..

    • Alberto,
      to be honest, I don’t know. I set this up for home usage when tinkering around whith Sharepoint. Using directory account makes many things easier. When you are asking about company usage I think it depends on what you are doing. Only authentication, or do you make heavy usage of GPOs. What IMHO is a risk when using it in a production environment is the missing SYSVOL replication. That means that you have to build that on your own. Depending on the logon scripts and specially the GPO the netlogon share might become big.

      kind regards
      justtinkering

  5. Thanks for finally talking about >ActiveDirectory Domain
    Controller with Samba4 onn RaspberryPi | Just tinkeringg Blog <Loved it!

  6. Rick permalink

    I just tried to follow your instructions. Actually I’ve been trying to get a Samba DC setup for awhile now off and on with a Raspberry Pi. I tried Samba3 and LDAP, No luck. I tried samba4 from the repo’s and no luck. I then tried your method of compiling the latest version. No luck!!

    I get this now when I try the samba -i -M single method:

    service_setup_stream_socket(address=::,port=0) failed – NT_STATUS_INVALID_PARAMETER_MIX

    If I try to start it up as a daemon, checking the /var/log/syslog & daemon logs I get these errors;

    Apr 4 12:50:41 rpisrv1 samba[3045]: [2014/04/04 12:50:41.220044, 0] ../source4/smbd/server.c:370(binary_smbd_main)
    Apr 4 12:50:41 rpisrv1 samba[3045]: samba version 4.2.0pre1-GIT-7f2d12c started.
    Apr 4 12:50:41 rpisrv1 samba[3045]: Copyright Andrew Tridgell and the Samba Team 1992-2014
    Apr 4 12:50:48 rpisrv1 samba[3046]: [2014/04/04 12:50:48.406221, 0] ../source4/smbd/server.c:492(binary_smbd_main)
    Apr 4 12:50:48 rpisrv1 samba[3046]: samba: using ‘standard’ process model
    Apr 4 12:50:48 rpisrv1 samba[3049]: [2014/04/04 12:50:48.698525, 0] ../source4/rpc_server/dcerpc_server.c:1789(add_socket_rpc_tcp_iface)
    Apr 4 12:50:48 rpisrv1 samba[3054]: [2014/04/04 12:50:48.702776, 0] ../source4/cldap_server/cldap_server.c:129(cldapd_add_socket)
    Apr 4 12:50:48 rpisrv1 samba[3054]: Failed to bind to ipv6::::389 – NT_STATUS_INVALID_PARAMETER_MIX
    Apr 4 12:50:48 rpisrv1 samba[3054]: [2014/04/04 12:50:48.707328, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
    Apr 4 12:50:48 rpisrv1 samba[3054]: task_server_terminate: [cldapd failed to setup interfaces]
    Apr 4 12:50:48 rpisrv1 samba[3049]: service_setup_stream_socket(address=::,port=0) failed – NT_STATUS_INVALID_PARAMETER_MIX
    Apr 4 12:50:48 rpisrv1 samba[3049]: [2014/04/04 12:50:48.722142, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
    Apr 4 12:50:48 rpisrv1 samba[3049]: task_server_terminate: [Failed to startup dcerpc server task]
    Apr 4 12:50:48 rpisrv1 samba[3053]: [2014/04/04 12:50:48.837698, 0] ../source4/lib/tls/tlscert.c:70(tls_cert_generate)
    Apr 4 12:50:48 rpisrv1 samba[3053]: Attempting to autogenerate TLS self-signed keys for https for hostname ‘RPISRV1.dualhelix.local’
    Apr 4 12:50:49 rpisrv1 samba[3046]: [2014/04/04 12:50:49.220303, 0] ../source4/smbd/server.c:211(samba_terminate)
    Apr 4 12:50:49 rpisrv1 samba[3046]: samba_terminate: cldapd failed to setup interfaces
    Apr 4 12:50:49 rpisrv1 samba[3055]: [2014/04/04 12:50:49.268225, 0] ../source4/kdc/kdc.c:671(kdc_add_socket)
    Apr 4 12:50:49 rpisrv1 samba[3055]: Failed to bind to :::88 TCP – NT_STATUS_INVALID_PARAMETER_MIX
    Apr 4 12:50:49 rpisrv1 samba[3055]: [2014/04/04 12:50:49.271559, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
    Apr 4 12:50:49 rpisrv1 samba[3055]: task_server_terminate: [kdc failed to setup interfaces]
    Apr 4 12:50:49 rpisrv1 samba[3065]: [2014/04/04 12:50:49.716034, 0] ../source4/dns_server/dns_server.c:623(dns_add_socket)

    These are now different error messages from my prior attempts. Any thoughts as to what I’m doing wrong?

    Thanks.

  7. Gus permalink

    Hey, Rick. I used samba 4.1.7 stable and kept getting that error. Tried 4.1.6 and I didn’t.

  8. Karl Haue permalink

    I have the same problem – any solution found?

    Karl

  9. Where can we find a sample of the profile.defs file?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: