ActiveDirectory Domain Controller with Samba4 on RaspberryPi
Install AD on Raspberry Pi
This is the log from installing a Raspberry Pi as a Primary Domain Controller. The existing environment is a home network, where a fritz.box acts as the DNS and DHCP server.
When the Pi is started out of the box it uses DHCP. The DHCP server on the Fritzbox was configured to "always assign the same IP to this client". So the IP is reserved for the Pi and can be configured as a static configuration on the Pi.
Although it might be uncool, I ran all this as root:
sudo su
Prepare installation
For compiling and the operation of a DC there is no need for "high performance" graphics. Each free byte of memory will speed up the compilation. So change the memory allocation to only 32 MB for graphics using
raspi-config
Update to latest
aptitude update && aptitude safe-upgrade
Download missing tools
I installed the following packages and tools. I needed multiple runs to find them. Afterwards I found that the Samba installation guide has a list under "OS requirements" (http://wiki.samba.org/index.php/Samba_4/OS_Requirements)
apt-get install git-core
apt-get install python-dev
apt-get install libacl1-dev libblkid-dev
apt-get install libgnutls28-dev
apt-get install build-essential libacl1-dev libattr1-dev \
    libblkid-dev libgnutls-dev libreadline-dev python-dev \
    python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
    dnsutils libbsd-dev attr krb5-user docbook-xsl
The sources were installed under the pi user's home directory. There a subdirectory "samba-master" is created, as suggested in the installation walkthrough (http://wiki.samba.org/index.php/Samba_4/OS_Requirements)
cd /home/pi/
mkdir samba-master
Clone the source code into samba-master with git
git clone git://git.samba.org/samba.git samba-master
cd samba-master
Build the configuration with debug enabled. The selftest parameter is also useful to check for bigger issues
./configure --enable-debug --enable-selftest
make
make install
After the make install is done, run the setup. It is important that the password is complex enough; it should suffice if you have an uppercase character, a special character like $ or # and a number. The internal DNS of Samba is okay. The DNS forwarder is set to the Fritzbox, because it handles all DNS requests that are not for the realm (here myad.at.home). The realm is the fully qualified DNS name of the AD domain. It is intended that it is not a subdomain of fritz.box. Although it should be possible for the domain name to differ from the first part of the realm name, it is a good idea to keep them the same. Choose a name of less than 15 characters.
/usr/local/samba/bin/samba-tool domain provision
Realm: myad.at.home
Domain [myad]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [10.188.173.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=myad,DC=at,DC=home
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=myad,DC=at,DC=home
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              raspberrypi
NetBIOS Domain:        MYAD
DNS Domain:            myad.at.home
DOMAIN SID:            S-1-5-21-1141686708-2355780491-2416577776
There is no script for starting Samba, but it can be downloaded. Create the init script:
wget http://anonscm.debian.org/loggerhead/pkg-samba/samba4/unstable/download/head:/1833%40fc4039ab-9d04-0410-8cac-899223bdd6b0:trunk%252Fsamba4:debian%252Fsamba4.init/samba4.init -O /etc/init.d/samba4
Make it executable and include it in the normal init sequence
chmod 755 /etc/init.d/samba4
update-rc.d samba4 defaults
Set the nameserver to look first on the local system and then on the Fritzbox, just in case Samba's DNS server is not running. The "search" entry defines which domain parts are appended to a client name for DNS lookups. This helps when you only use hostnames instead of fully qualified names. "fritz.box" is added to the search list to help find all the other machines in the local net that are not part of the AD domain
Edit /etc/resolv.conf
domain myad.at.home
search myad.at.home fritz.box
nameserver 10.199.173.100   <--- this is the Pi's IP
nameserver 10.199.173.1     <--- this is the old router aka fritz.box
Set NIC to a fixed IP
Edit /etc/network/interfaces to use a fixed IP
auto lo
iface lo inet loopback

iface eth0 inet static
    address 10.199.173.100
    netmask 255.255.255.0
    network 10.199.173.0
    broadcast 10.199.173.255
    gateway 10.199.173.1

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
Reboot
Add the Samba executable directories to the user's and root's PATH variable
For root, edit root's ~/.bashrc, for example
For users, edit /etc/profile.defs
Test the Samba version (client)
smbclient --version
Version 4.1.0pre1-GIT-bcacd8f
Server
samba -V
Start Samba so that it writes everything to stdout
/usr/local/samba/sbin/samba -i -M single &
[1] 2618
root@raspberrypi:/home/pi# samba version 4.1.0pre1-GIT-bcacd8f started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
samba: using 'single' process model
../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
../source4/dsdb/dns/dns_update.c:323: Failed SPN update - NT_STATUS_IO_TIMEOUT
The errors can be ignored because the configuration is not complete yet. Check the shares that have to be provided by every domain controller
/usr/local/samba/bin/smbclient -L localhost -U%
Domain=[MYAD] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-bcacd8f]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-bcacd8f)
Domain=[MYAD] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-bcacd8f]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
Test the account; replace the password with the one you set
smbclient //localhost/netlogon -UAdministrator%'p4$$word' -c 'ls'
Domain=[MYAD] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-bcacd8f]
  .                                   D        0  Wed Jan  2 10:22:54 2013
  ..                                  D        0  Wed Jan  2 10:42:24 2013

                57691 blocks of size 65536. 15088 blocks available
Check the DNS entries / DNS config. Run the host commands; you should get similar results:
host -t SRV _ldap._tcp.myad.at.home
_ldap._tcp.myad.at.home has SRV record 0 100 389 raspberrypi.myad.at.home.
host -t SRV _ldap._tcp.myad.at.home.
_ldap._tcp.myad.at.home has SRV record 0 100 389 raspberrypi.myad.at.home.
host -t SRV _kerberos._udp.myad.at.home.
_kerberos._udp.myad.at.home has SRV record 0 100 88 raspberrypi.myad.at.home.
host -t A raspberrypi.myad.at.home.
raspberrypi.myad.at.home has address 10.199.173.100
Create the Kerberos configuration by copying it from the template in the Samba directory
cd /etc
cp /usr/local/samba/share/setup/krb5.conf .
Then edit the file and replace ${REALM} with the value you chose for the --realm parameter of the provision command above. The realm must be in uppercase letters
[libdefaults]
    default_realm = MYAD.AT.HOME
    dns_lookup_realm = false
    dns_lookup_kdc = true
Check Kerberos: get a ticket with kinit and display it. Use the realm name in upper case after the @.
kinit administrator@MYAD.AT.HOME
Password for administrator@MYAD.AT.HOME:
Warning: Your password will expire in 41 days on Thu Feb 14 10:56:46 2013
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYAD.AT.HOME

Valid starting     Expires            Service principal
03/01/13 11:33:40  03/01/13 21:33:40  krbtgt/MYAD.AT.HOME@MYAD.AT.HOME
        renew until 04/01/13 11:33:23
Now you can go to a Windows system and join the domain:
Update:
A well-written set of instructions can be found here: http://linux-on-a-server.com/samba-4-active-directory-my-first-successfully-test/ . It uses a samba4 installation via apt-get and includes hints on how to use bind9 as the DNS server.
Been looking for a post like this for a while, thanks for taking the time to post. What version/ flavour of Pi OS did you use?
Hi Rathna,
I used a nearly clean Raspbian “wheezy” .
uname --all
Linux raspberrypi 3.2.27+ #250 PREEMPT Thu Oct 18 19:03:02 BST 2012 armv6l GNU/Linux
Failed to fetch http://mirrordirector.raspbian.org/raspbian/pool/main/u/util-linux/uuid-dev_2.20.1-5.2_armhf.deb
Need to run sed -i ‘s|/usr/sbin|/usr/local/samba/sbin|g’ /etc/init.d/samba4 for autostart
I am having a problem with the smbclient --version. My version comes back as 3.6.6. The server version comes back as:
samba: /usr/lib/arm-linux-gnueabihf/libwbclient.so.0: no version information available (required by /usr/lib/arm-linux-gnueabihf/samba/libauth4.so)
Version 4.0.0beta2
root@pidc1:/home/pi#
Any help on installing the correct SMBclient version would be appreciated
Todd,
have you checked the path if there is an entry pointing to the old smb client version? See Rathna's comment on changing the path in the init.d. /usr/sbin is the location where the old samba lives and /usr/local/samba/sbin should be the location of the new version
I get very similar error:
sudo /etc/init.d/samba4 restart
[ ok ] Stopping Samba 4 daemon: samba.
[....] Starting Samba 4 daemon: samba/usr/sbin/samba: /usr/lib/arm-linux-gnueabihf/libwbclient.so.0: no version information available (required by /usr/lib/arm-linux-gnueabihf/samba/libauth4.so)
. ok
and
samba -V
samba: /usr/lib/arm-linux-gnueabihf/libwbclient.so.0: no version information available (required by /usr/lib/arm-linux-gnueabihf/samba/libauth4.so)
Version 4.0.0beta2
When I try to run the command Rathna gave I get:
sed -i ‘s|/usr/sbin|/usr/local/samba/sbin|g’ /etc/init.d/samba4
-bash: /usr/sbin: Is a directory
-bash: /usr/local/samba/sbin: No such file or directory
-bash: $’g\342\200\231′: command not found
sed: -e expression #1, char 1: unknown command: `▒’
about the PATH – what I get is:
whereis samba
samba: /usr/sbin/samba /etc/samba /usr/lib/samba /usr/share/samba /usr/share/man/man8/samba.8.gz
any idea how to solve this?
How many users do you think this could handle? I’m talking serious corporate numbers, not 3 or 4 for home use..
Alberto,
to be honest, I don't know. I set this up for home usage when tinkering around with Sharepoint. Using directory accounts makes many things easier. When you are asking about company usage I think it depends on what you are doing. Only authentication, or do you make heavy usage of GPOs? What IMHO is a risk when using it in a production environment is the missing SYSVOL replication. That means that you have to build that on your own. Depending on the logon scripts and especially the GPOs the netlogon share might become big.
kind regards
justtinkering
Thanks for finally talking about >ActiveDirectory Domain Controller with Samba4 on RaspberryPi | Just tinkering Blog <Loved it!
I just tried to follow your instructions. Actually I’ve been trying to get a Samba DC setup for awhile now off and on with a Raspberry Pi. I tried Samba3 and LDAP, No luck. I tried samba4 from the repo’s and no luck. I then tried your method of compiling the latest version. No luck!!
I get this now when I try the samba -i -M single method:
service_setup_stream_socket(address=::,port=0) failed – NT_STATUS_INVALID_PARAMETER_MIX
If I try to start it up as a daemon, checking the /var/log/syslog & daemon logs I get these errors;
Apr 4 12:50:41 rpisrv1 samba[3045]: [2014/04/04 12:50:41.220044, 0] ../source4/smbd/server.c:370(binary_smbd_main)
Apr 4 12:50:41 rpisrv1 samba[3045]: samba version 4.2.0pre1-GIT-7f2d12c started.
Apr 4 12:50:41 rpisrv1 samba[3045]: Copyright Andrew Tridgell and the Samba Team 1992-2014
Apr 4 12:50:48 rpisrv1 samba[3046]: [2014/04/04 12:50:48.406221, 0] ../source4/smbd/server.c:492(binary_smbd_main)
Apr 4 12:50:48 rpisrv1 samba[3046]: samba: using ‘standard’ process model
Apr 4 12:50:48 rpisrv1 samba[3049]: [2014/04/04 12:50:48.698525, 0] ../source4/rpc_server/dcerpc_server.c:1789(add_socket_rpc_tcp_iface)
Apr 4 12:50:48 rpisrv1 samba[3054]: [2014/04/04 12:50:48.702776, 0] ../source4/cldap_server/cldap_server.c:129(cldapd_add_socket)
Apr 4 12:50:48 rpisrv1 samba[3054]: Failed to bind to ipv6::::389 – NT_STATUS_INVALID_PARAMETER_MIX
Apr 4 12:50:48 rpisrv1 samba[3054]: [2014/04/04 12:50:48.707328, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
Apr 4 12:50:48 rpisrv1 samba[3054]: task_server_terminate: [cldapd failed to setup interfaces]
Apr 4 12:50:48 rpisrv1 samba[3049]: service_setup_stream_socket(address=::,port=0) failed – NT_STATUS_INVALID_PARAMETER_MIX
Apr 4 12:50:48 rpisrv1 samba[3049]: [2014/04/04 12:50:48.722142, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
Apr 4 12:50:48 rpisrv1 samba[3049]: task_server_terminate: [Failed to startup dcerpc server task]
Apr 4 12:50:48 rpisrv1 samba[3053]: [2014/04/04 12:50:48.837698, 0] ../source4/lib/tls/tlscert.c:70(tls_cert_generate)
Apr 4 12:50:48 rpisrv1 samba[3053]: Attempting to autogenerate TLS self-signed keys for https for hostname ‘RPISRV1.dualhelix.local’
Apr 4 12:50:49 rpisrv1 samba[3046]: [2014/04/04 12:50:49.220303, 0] ../source4/smbd/server.c:211(samba_terminate)
Apr 4 12:50:49 rpisrv1 samba[3046]: samba_terminate: cldapd failed to setup interfaces
Apr 4 12:50:49 rpisrv1 samba[3055]: [2014/04/04 12:50:49.268225, 0] ../source4/kdc/kdc.c:671(kdc_add_socket)
Apr 4 12:50:49 rpisrv1 samba[3055]: Failed to bind to :::88 TCP – NT_STATUS_INVALID_PARAMETER_MIX
Apr 4 12:50:49 rpisrv1 samba[3055]: [2014/04/04 12:50:49.271559, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
Apr 4 12:50:49 rpisrv1 samba[3055]: task_server_terminate: [kdc failed to setup interfaces]
Apr 4 12:50:49 rpisrv1 samba[3065]: [2014/04/04 12:50:49.716034, 0] ../source4/dns_server/dns_server.c:623(dns_add_socket)
These are now different error messages from my prior attempts. Any thoughts as to what I’m doing wrong?
Thanks.
My samba version is 4.2.0pre1-GIT-7f2d12c
Hey, Rick. I used samba 4.1.7 stable and kept getting that error. Tried 4.1.6 and I didn’t.
I have the same problem – any solution found?
Karl
Where can we find a sample of the profile.defs file?