Setting up an Active Directory domain controller with Samba 4 on a Raspberry Pi 3

The Raspberry Pi is a wonderful platform for simplifying everyday IT jobs: serving as a media centre for your smart TV, acting as the central hub of your home automation system or, as in the case at hand, running as an Active Directory (AD) domain controller in a test lab. Obviously, we are talking about the Samba implementation of Active Directory, available since Samba version 4, because the original one offered by the folks at Microsoft requires an x86 architecture, which the ARM-based Raspberry Pi does not provide. But hey, for this scenario we don’t care too much about the underlying hardware and simply focus on the functional aspect. So let’s begin, shall we?

Raspberry Pi setup used

For the following guide I’ve used a vanilla Raspberry Pi 3 in the following configuration (although the setup should be just fine for other versions too):

$ cat /etc/os-release 
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

Our goal at a glance

Let’s break down what we need to do in order to achieve our goal to set up an Active Directory domain controller with Samba 4 on a Raspberry Pi 3:

  1. Initial setup of the Raspberry Pi using Raspbian
  2. Setup networking to use a static IP
  3. Install required packages
  4. Disable masked legacy service units
  5. Provision the AD domain
  6. Setup and start required Samba AD domain controller services
  7. Reboot
  8. Check setup by creating new AD user and add a client computer

For this particular setup we are going to use the following base information:

  • router has IP 192.168.1.1
  • hostname is pidc
  • pidc has IP 192.168.1.2
  • domain to be used my.domain.local

Initial setup of the Raspberry Pi using Raspbian

We are not going to cover this here since there are plenty of write-ups out there. Please check them out and bootstrap your Raspberry Pi using Raspbian. Also make sure that your base system is at the latest version before proceeding further (i.e. sudo apt-get update && sudo apt-get upgrade -V).

Setup networking to use a static IP

With an AD in place you will always want to have a static IP to keep things simple:

$ sudo nano /etc/dhcpcd.conf
# explicitly use eth0 and set static IPs, as well as domain specifics
interface eth0
static routers=192.168.1.1
# list all name servers on one line; a repeated "static" line replaces the earlier one
static domain_name_servers=127.0.0.1 192.168.1.1
static ip_address=192.168.1.2
static domain_search=my.domain.local

Install required packages

Next we need to install the required packages:

$ sudo apt-get install samba smbclient winbind krb5-user krb5-config krb5-locales libpam-winbind libnss-winbind

During the setup you will be asked for

  • Default Kerberos realm
  • Kerberos servers
  • Administrative server

Based on our domain setup you need to enter the following data:

  • Default Kerberos realm: MY.DOMAIN.LOCAL
  • Kerberos servers: my.domain.local
  • Administrative server: pidc.my.domain.local

Disable masked legacy service units

In order to prevent error messages related to masked legacy service units, issue the following commands to stop and then fully disable them:

$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

Provision the AD domain

Before we can actually provision our AD domain, let’s do a little housekeeping to make our life easier:

# double-check where the samba config file resides
$ smbd -b | grep "CONFIGFILE"
# let's make a backup of the original samba configuration determined above
$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
# also, let's remove the original kerberos configuration, as it will be overwritten and edited later on
$ sudo rm /etc/krb5.conf

Having done those steps it’s finally time to provision our AD domain:

$ sudo samba-tool domain provision --use-rfc2307 --interactive

The provisioning process might take a little while. When completed let’s handle the Kerberos configuration:

# again, back up any existing file first (we removed it above, so this only applies if something recreated it)
$ [ -e /etc/krb5.conf ] && sudo mv /etc/krb5.conf /etc/krb5.conf.backup
# and symlink to /etc/krb5.conf => NOTE: It's not the best to symlink here but it's OK for now
$ sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

Hint: We will come back to /etc/krb5.conf at the very end for potential missing information so hang in there for now.

Setup and start required Samba AD domain controller services

Finally, let’s set up and start the required Samba AD domain controller services to get things moving:

$ sudo systemctl unmask samba-ad-dc.service
$ sudo systemctl start samba-ad-dc.service
$ sudo systemctl status samba-ad-dc.service
$ sudo systemctl enable samba-ad-dc.service

Time to check if Samba is running correctly:

$ sudo netstat -tulpn | egrep 'smbd|samba'

Also, make sure to set the search domain and your nameservers in /etc/resolv.conf correctly at this point:

$ sudo nano /etc/resolv.conf

search my.domain.local
nameserver 192.168.1.2
nameserver 192.168.1.1

Once completed, mark /etc/resolv.conf as write-protected to save yourself some pain after reboots:

$ sudo chattr +i /etc/resolv.conf

Reboot

Time to reboot your shiny new AD domain controller for the setup to take effect:

$ sudo reboot now

Check setup by creating new AD user and add a client computer

# do some simple ping tests
$ ping -c3 my.domain.local
$ ping -c3 pidc.my.domain.local
$ ping -c3 pidc

# test DNS configuration
$ host -t A my.domain.local
$ host -t A pidc.my.domain.local
$ host -t SRV _kerberos._udp.my.domain.local
$ host -t SRV _ldap._tcp.my.domain.local

# test kerberos ticketing => Note the upper-case!
$ kinit administrator@MY.DOMAIN.LOCAL
$ klist
# create a (test) domain user
$ sudo samba-tool user create some.user

More detailed information and the commands available for the create domain user call can be found on the Samba Wiki.

Possible troubleshooting tips for DNS / Kerberos / Samba

If you get an error message like “Cannot contact any KDC for realm while getting initial credentials” first check if Kerberos was in fact started correctly and is listening on port 88 (or a custom port that you’ve defined earlier), e.g. using telnet:

$ telnet pidc.my.domain.local 88

If you are not able to connect (e.g. “Connection refused”) make sure that the Samba services, including the KDC (Kerberos), are in fact set to be started. For this check the [global] section of your /etc/samba/smb.conf:

$ sudo nano /etc/samba/smb.conf

and add the following line if required:

server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs

Afterwards restart Samba and re-test KDC kinit:

$ sudo systemctl stop samba-ad-dc.service
$ sudo systemctl start samba-ad-dc.service

Re-test kinit:

$ kinit administrator@MY.DOMAIN.LOCAL

In addition, make sure that you have a working version of your /etc/krb5.conf, especially the [realms] and [domain_realm] sections:

[libdefaults]
default_realm = MY.DOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

[realms]
MY.DOMAIN.LOCAL = {
kdc = PIDC.MY.DOMAIN.LOCAL:88
default_domain = MY.DOMAIN.LOCAL
}

[domain_realm]
.MY.DOMAIN.LOCAL = MY.DOMAIN.LOCAL
MY.DOMAIN.LOCAL = MY.DOMAIN.LOCAL
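
A quick way to check these sections offline before re-testing kinit, as an added example that is not part of the original post: check_krb5_conf and sample_krb5_conf are hypothetical helper names, and the sample input is the configuration shown above, embedded as constructed test data. It flags a default_realm that is not the upper-cased DNS domain, a missing kdc entry and missing [domain_realm] mappings.

```shell
# Added example (not from the original post): offline lint of a krb5.conf for a Samba AD realm.
# check_krb5_conf FILE DNS_DOMAIN   (FILE may be "-" to read stdin)
# Prints one line per problem found; returns 0 when there is none, 1 otherwise.
check_krb5_conf() {
    awk -v dom="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*(#|;|$)/ { next }                      # comments and blank lines
        /^[ \t]*\[/      { sec = trim($0); next }      # section header, e.g. [realms]
        {
            eq = index($0, "=")
            if (eq == 0) { if (index($0, "}")) cur = ""; next }   # end of a realm stanza
            key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
            if (sec == "[libdefaults]" && key == "default_realm") realm = val
            else if (sec == "[realms]" && val == "{")             cur = key
            else if (sec == "[realms]" && key == "kdc")           kdc[cur] = val
            else if (sec == "[domain_realm]")                     map[tolower(key)] = val
        }
        END {
            want = toupper(dom); d = tolower(dom); bad = 0
            if (realm == "")        { print "no default_realm in [libdefaults]"; bad = 1 }
            else if (realm != want) { print "default_realm is " realm ", expected " want; bad = 1 }
            if (!(want in kdc))     { print "no kdc for " want " in [realms]"; bad = 1 }
            if (map["." d] != want) { print "[domain_realm] lacks ." d " = " want; bad = 1 }
            if (map[d] != want)     { print "[domain_realm] lacks " d " = " want; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed sample: the krb5.conf shown above, used as test input.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
default_realm = MY.DOMAIN.LOCAL
dns_lookup_kdc = true

[realms]
MY.DOMAIN.LOCAL = {
    kdc = PIDC.MY.DOMAIN.LOCAL:88
    default_domain = MY.DOMAIN.LOCAL
}

[domain_realm]
.MY.DOMAIN.LOCAL = MY.DOMAIN.LOCAL
MY.DOMAIN.LOCAL = MY.DOMAIN.LOCAL
EOF
}

sample_krb5_conf | check_krb5_conf - my.domain.local && echo "krb5.conf looks consistent"
```

On the domain controller itself, run it as check_krb5_conf /etc/krb5.conf my.domain.local.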

Finally, make sure that Samba itself is fully started, including all of its services, especially after a reboot:

$ samba

Next steps / Where to go from here

As usual, when dealing with an Active Directory setup you should always have a secondary backup domain controller. The steps to do so are pretty straightforward given the guidelines shown here. Simply hook up a second Raspberry Pi and configure it as your secondary domain controller.

If you are running this setup in a test lab you might not need a backup domain controller but as always make sure to back up your Raspberry as an image to have a quick restore point to go to, e.g. using the following command:

$ sudo dd if=/dev/mmcblk0 of=/your-backup-path/YOUR-BACKUP-NAME-$(date +%Y%m%d-%H%M%S).img bs=1MB
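
An image of a domain controller's SD card contains the AD database, including password hashes and Kerberos keys, so the backup file should not be world-readable. The following added example (not part of the original post; backup_image and verify_image are hypothetical helper names) wraps the dd command above accordingly and records a SHA-256 digest for checking the image before a restore:

```shell
# Added example (not from the original post): owner-only SD card image with a recorded digest.

# backup_image SRC DEST  - copy SRC to DEST (mode 0600) and write DEST.sha256 beside it.
backup_image() (
    src=$1 dest=$2
    umask 077                            # files created below are readable by the owner only
    rm -f -- "$dest" "$dest.sha256"      # do not reuse an older file with looser permissions
    dd if="$src" of="$dest" bs=1MB status=none || exit 1
    cd -- "$(dirname -- "$dest")" || exit 1
    # Store the digest with a relative file name so image and digest can be moved together.
    sha256sum -- "$(basename -- "$dest")" > "$(basename -- "$dest").sha256"
)

# verify_image DEST      - re-check DEST against DEST.sha256, e.g. before restoring it.
verify_image() (
    cd -- "$(dirname -- "$1")" || exit 1
    sha256sum --status -c "$(basename -- "$1").sha256"
)

# As root on the Pi, with the placeholder path from the command above:
#   backup_image /dev/mmcblk0 /your-backup-path/YOUR-BACKUP-NAME.img
```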

That’s all folks! I hope this saves you some time when setting up an Active Directory domain controller with Samba 4 on a Raspberry Pi 3.

7 thoughts on “Setting up an Active Directory domain controller with Samba 4 on a Raspberry Pi 3”

  1. Can you describe the proper options for this domain after “$ sudo samba-tool domain provision --use-rfc2307 --interactive” is executed? Thank you.

  2. I tried this manual about 10 times now, but every time after the first reboot the “listen” on port 88 disappeared. And I also can’t ping the domain name. Any idea what I am doing wrong?

  3. Is there a guide to get a Linux [Pi] box to connect to and use this Pi ADC for user/passwd control and SSO?

  4. Is there a way to add a user that is authenticated by Azure AD? i.e. rather than add a user in the PI with a password, add a user with permissions but where that user is authenticated through something like SSO, i.e. Azure AD, hotmail, Google etc…

  5. Tried this on a fresh Raspberry Pi 4B.
    Largely works ok, but I’d include the additional bits as standard as they will likely always be needed with the basic install of Kerberos. Also worth adding in the extra realms into the krb5.conf file that are removed by the moving of the original file.
    Lastly, don’t symlink the file, just copy it. In the detail above it’s not that clear and should be done sooner rather than leaving it to the end.

    Currently I’m getting an error on starting the AD-DC, Failed DNS update, any ideas?
