The Raspberry Pi is a wonderful platform to simplify your daily IT jobs, such as serving as a media centre for your smart-TV, being the central hub for your home automation system or, in the case at hand, acting as an Active Directory (AD) domain controller in a test lab. Obviously, we are talking about the Samba variant of the Active Directory implementation available since version 4, since the original one offered by the folks at Microsoft requires an x86 architecture which the Raspberry fails to provide with its ARM system. But hey, in the end for this scenario we don’t care too much about the underlying hardware but merely focus on the functional aspect. So let’s begin, shall we?
Raspberry Pi setup used
For the following guide I’ve used a vanilla Raspberry Pi 3 in the following configuration (although the setup should be just fine for other versions too):
$ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
Our goal at a glance
Let’s break down what we need to do in order to achieve our goal to set up an Active Directory domain controller with Samba 4 on a Raspberry Pi 3:
- Initial setup of the Raspberry Pi using Raspbian
- Setup networking to use a static IP
- Install required packages
- Disable masked legacy service units
- Provision the AD domain
- Setup and start required Samba AD domain controller services
- Reboot
- Check setup by creating a new AD user and adding a client computer
For this particular setup we are going to use the following base information:
- router has IP 192.168.1.1
- hostname is pidc
- pidc has IP 192.168.1.2
- domain to be used my.domain.local
Initial setup of the Raspberry Pi using Raspbian
We are not going to cover this here since there are plenty of write-ups out there. Thus, please check them out and bootstrap your Raspberry Pi using Raspbian. Also make sure that your base system is at the latest version before proceeding further (i.e. sudo apt-get update && sudo apt-get upgrade -V).
Setup networking to use a static IP
With an AD in place you will always want to have a static IP to keep things simple:
$ sudo nano /etc/dhcpcd.conf
# explicitly use eth0 and set static IPs, as well as domain specifics
# NOTE: dhcpcd only honours the last "static domain_name_servers=" line it sees,
# so both resolvers (the DC itself first, then the router) go on one line
interface eth0
static routers=192.168.1.1
static domain_name_servers=127.0.0.1 192.168.1.1
static ip_address=192.168.1.2
static domain_search=my.domain.local
Install required packages
Next we need to install the required packages:
$ sudo apt-get install samba smbclient winbind krb5-user krb5-config krb5-locales libpam-winbind libnss-winbind
During the setup you will be asked for
- Default Kerberos realm
- Kerberos servers
- Administrative server
Based on our domain setup you need to enter the following data:
- Default Kerberos realm: MY.DOMAIN.LOCAL
- Kerberos servers: my.domain.local
- Administrative server: pidc.my.domain.local
Disable masked legacy service units
In order to prevent error messages related to masked legacy service units, issue the following commands to stop and then fully disable them:
$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
Provision the AD domain
Before being able to actually provision our AD domain, let’s do a little housekeeping round to make our life easier:
# double-check where the samba config file resides
$ smbd -b | grep "CONFIGFILE"
# let's make a backup of the original samba configuration determined above
$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
# also, let's remove the original kerberos configuration, as it will be overwritten and edited later on
$ sudo rm /etc/krb5.conf
Having done those steps it’s finally time to provision our AD domain:
$ sudo samba-tool domain provision --use-rfc2307 --interactive
The provisioning process might take a little while. When completed, let’s handle the Kerberos configuration:
# again, let's make a backup of the original
$ sudo mv /etc/krb5.conf /etc/krb5.conf.backup
# and symlink to /etc/krb5.conf => NOTE: It's not the best to symlink here but it's OK for now
$ sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
Hint: We will come back to /etc/krb5.conf at the very end for potential missing information so hang in there for now.
Setup and start required Samba AD domain controller services
Finally, let’s set up and start the required Samba AD domain controller services to get things moving:
$ sudo systemctl unmask samba-ad-dc.service
$ sudo systemctl start samba-ad-dc.service
$ sudo systemctl status samba-ad-dc.service
$ sudo systemctl enable samba-ad-dc.service
Time to check if Samba is running correctly:
$ sudo netstat -tulpn | egrep 'smbd|samba'
Also, make sure to set the search domain and your nameservers in /etc/resolv.conf correctly at this point:
$ sudo nano /etc/resolv.conf
search my.domain.local
nameserver 192.168.1.2
nameserver 192.168.1.1
Once completed, mark /etc/resolv.conf as write-protected to save yourself some pain after reboots:
$ sudo chattr +i /etc/resolv.conf
Reboot
Time to reboot your shiny new AD domain controller setup to take effect:
$ sudo reboot now
Check setup by creating a new AD user and adding a client computer
# do some simple ping tests
$ ping -c3 my.domain.local
$ ping -c3 pidc.my.domain.local
$ ping -c3 pidc
# test DNS configuration
$ host -t A my.domain.local
$ host -t A pidc.my.domain.local
$ host -t SRV _kerberos._udp.my.domain.local
$ host -t SRV _ldap._tcp.my.domain.local
# test kerberos ticketing => Note the upper-case!
$ kinit administrator@MY.DOMAIN.LOCAL
$ klist
# create a (test) domain user
$ sudo samba-tool user create some.user
More detailed information and the commands available for the create domain user call can be found on the Samba Wiki.
Possible troubleshooting tips for DNS / Kerberos / Samba
If you get an error message like “Cannot contact any KDC for realm while getting initial credentials” first check if Kerberos was in fact started correctly and is listening on port 88 (or a custom port that you’ve defined earlier), e.g. using telnet:
$ telnet pidc.my.domain.local 88
If you are not able to connect (e.g. “Connection refused”), make sure that the Samba services, including the KDC (Kerberos), are in fact set to be started. For this, check the [global] section of your /etc/samba/smb.conf:
$ sudo nano /etc/samba/smb.conf
and add the following line if required:
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs
Afterwards restart Samba and re-test KDC kinit:
$ sudo systemctl stop samba-ad-dc.service
$ sudo systemctl start samba-ad-dc.service
Re-test kinit:
$ kinit administrator@MY.DOMAIN.LOCAL
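As an added example (not part of the original post), the following POSIX shell script automates the check above: it reads the [global] section of an smb.conf given as argument and reports which of the services from the "server services" line above are not configured, so you can see at a glance whether the KDC would be started. It assumes the section header is written as [global] in lower case; the smb.conf content used in the test is constructed.

```shell
#!/bin/sh
# Services the Samba AD DC needs, as listed in the troubleshooting tip above.
REQUIRED_SERVICES="rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns s3fs"

# Print the services named by "server services" in the [global] section of the
# smb.conf passed as $1, one per line. Lines in other sections are ignored,
# because Samba only reads this parameter from [global].
configured_services() {
    awk '
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\]/); next }
        in_global && /^[ \t]*server services[ \t]*=/ {
            sub(/^[^=]*=/, "")                 # keep only the value
            n = split($0, f, /[ \t,]+/)        # values are comma/space separated
            for (i = 1; i <= n; i++) if (f[i] != "") print f[i]
        }
    ' "$1"
}

# Print every required service that is missing from the file (one per line).
# Returns 0 when nothing is missing, 1 otherwise, so it can gate a restart.
missing_services() {
    present=$(configured_services "$1")
    rc=0
    for svc in $REQUIRED_SERVICES; do
        if ! printf '%s\n' "$present" | grep -qx "$svc"; then
            echo "$svc"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `missing_services /etc/samba/smb.conf`; an empty result with exit status 0 means the line already lists everything, including kdc.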
In addition, also make sure that you have a working version of your /etc/krb5.conf, especially for the [realms] and [domain_realm] sections:
[libdefaults]
    default_realm = MY.DOMAIN.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    dns_fallback = yes

[realms]
    MY.DOMAIN.LOCAL = {
        kdc = PIDC.MY.DOMAIN.LOCAL:88
        default_domain = MY.DOMAIN.LOCAL
    }

[domain_realm]
    .MY.DOMAIN.LOCAL = MY.DOMAIN.LOCAL
    MY.DOMAIN.LOCAL = MY.DOMAIN.LOCAL
Finally, make sure that Samba itself is fully started, including all of its services, especially after a reboot:
$ samba
Next steps / Where to go from here
As usual, when dealing with an Active Directory setup you should always have a secondary backup domain controller. The steps to do so are pretty straightforward given the guidelines shown here. Simply hook up a second Raspberry Pi and configure it as your secondary domain controller.
If you are running this setup in a test lab you might not need a backup domain controller, but as always make sure to back up your Raspberry as an image to have a quick restore point to go to, e.g. using the following command (note that imaging the SD card while the Pi is running from it gives you an inconsistent snapshot, so prefer reading the card from another machine or at least stop the Samba services first):
$ sudo dd if=/dev/mmcblk0 of=/your-backup-path/YOUR-BACKUP-NAME-$(date +%Y%m%d-%H%M%S).img bs=1MB
That’s all folks! I hope this saves you some time when setting up an Active Directory domain controller with Samba 4 on a Raspberry Pi 3.
Can you describe the proper options for this domain after “$ sudo samba-tool domain provision --use-rfc2307 --interactive” is executed? Thank you.
Peter, see here:
https://www.techrepublic.com/article/how-to-configure-ubuntu-linux-server-as-a-domain-controller-with-samba-tool/
I tried this manual about 10 times now, but every time after the first reboot the “listen” on port 88 disappeared. And I also can’t ping the domain name. Any idea what I am doing wrong?
Is there a guide to get a Linux [Pi] box to connect to and use this Pi ADC for user/passwd control and SSO?
Is there a way to add a user that is authenticated by Azure AD? i.e. rather than add a user in the Pi with a password, add a user with permissions but where that user is authenticated through something like SSO, i.e. Azure AD, hotmail, Google etc…
I can’t think of a vanilla approach here atm, but based on quick search have you also considered using 3rd party services, such as JumpCloud to extend Azure to Samba?
Tried this on a fresh Raspberry Pi 4B.
Largely works ok, but I’d include the additional bits as standard as they will likely always be needed with the basic install of Kerberos. Also worth adding in the extra realms into the krb5.conf file that are removed by the moving of the original file.
Lastly, don’t symlink the file, just copy it. In the detail above it’s not that clear and should be done sooner rather than leaving it to the end.
Currently I’m getting an error on starting the AD-DC, Failed DNS update, any ideas?