Posted on 7 Comments

Setting up an Active Directory domain controller with Samba 4 on a Raspberry Pi 3

RaspberryPi Logo

The Raspberry Pi is a wonderful platform to simplify your daily IT jobs, such as serving as a media centre for your smart-TV, being the central hub for your home automation system or in the case at hand act as an Active Directory (AD) domain controller in a test lab. Obviously, we are talking about the Samba variant of the Active Directory implementation available since version 4 since the original one offered by the folks at Microsoft requires a x86 architecture which the Raspberry fails to provide using its ARM system. But hey, in the end for this scenario we don’t care too much about the underyling hardware but merely focus on the functional aspect. So let’s begin, shall we?

Raspberry Pi setup used

For the following guide I’ve used a vanilla Raspberry Pi 3 in the following configuration (although the setup should be just fine for other versions too):

$ cat /etc/os-release 
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION="9 (stretch)"

Our goal at glance

Let’s break down what we need to do in order to achieve our goal to set up an Active Directory domain controller with Samba 4 on a Raspberry Pi 3:

  1. Initial setup of the Raspberry Pi using Raspbian
  2. Setup networking to use a static IP
  3. Install required packages
  4. Disable masked legacy service units
  5. Provision the AD domain
  6. Setup and start required Samba AD domain controller services
  7. Reboot
  8. Check setup by creating new AD user and add a client computer

For this particular setup we are going to use the following base information:

  • router has IP
  • hostname is pidc
  • pidc has IP
  • domain to be used my.domain.local

Initial setup of the Raspberry Pi using Raspbian

We are not going to cover this here since there are plenty of readups out there. Thus, please check them out and bootstrap your Raspberry Pi using Raspbian. Also make sure that your base system is at the latest version before proceeding further (i.e. sudo apt-get update && apt-get upgrade -V)

Setup networking to use a static IP

With an AD in place you will always want to have a static IP to keep things simple:

$ sudo nano /etc/dhcpcd.conf
# explicitely use eth0 and set static IPs, as well as domain specifics
interface eth0
static routers=
static domain_name_servers=
static domain_name_servers=
static ip_address=
static domain_search=my.domain.local

Install required packages

Next we need to install the required packages:

$ sudo apt-get install samba smbclient winbind krb5-user krb5-config krb5-locales winbind libpam-winbind libnss-winbind

During the setup you will be asked for

  • Default Kerberos realm
  • Kerberos servers
  • Administrative server

Based on our domain setup you need to enter the following data:

  • Default Kerberos realm: MY.DOMAIN.LOCAL
  • Kerberos servers: my.domain.local
  • Administrative server:

Disable masked legacy service units

In order to prevent error message related to masked legacy service units issue the following commands to stop and then fully disable them:

$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

Provision the AD domain

Before being able to actually provision our AD domain let’s do a little house keeping round to make our life easier:

# double-check where the samba config file resides
$ smbd -b | grep "CONFIGFILE"
# let's make a backup of the original samba configuration determined above
$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
# also, let's remove the original kerberos configuration, as it will be overwritten and edited later on
$ sudo rm /etc/krb5.conf

Having done those steps it’s finally time to provision our AD domain:

$ sudo samba-tool domain provision --use-rfc2307 --interactive

The provisioning process might take a little. When completed let’s handle the Kerberos configuration:

# again, let's make a backup of the original
$ sudo mv /etc/krb5.conf /etc/krb5.conf.backup
# and symlink to /etc/krb5.conf => NOTE: It's not the best to symlink here but it's OK for now
$ sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

Hint: We will come back to /etc/krb5.conf at the very end for potential missing information so hang in there for now.

Setup and start required Samba AD domain controller services

Finally, let’s start setup and start the required Samba AD domain controller services to get things moving:

$ sudo systemctl unmask samba-ad-dc.service
$ sudo systemctl start samba-ad-dc.service
$ sudo systemctl status samba-ad-dc.service
$ sudo systemctl enable samba-ad-dc.service

Time to check if Samba is running correctly:

$ sudo netstat -tulpn | egrep 'smbd|samba'

Also, make sure to set the search domain and your nameservers in /etc/resolv.conf correctly at this point:

$ sudo nano /etc/resolv.conf


Once completed, mark /etc/resolv.conf as write-protected to save yourself some pain after reboots:

$ sudo chattr +i /etc/resolv.conf


Time to reboot your shiny new AD domain controller setup to take effect:

$ sudo reboot now

Check setup by creating new AD user and add a client computer

# do some simple ping tests
$ ping -c3 my.domain.local
$ ping -c3
$ ping -c3 pidc

# test DNS configuration
$ host -t A my.domain.local
$ host -t A
$ host -t SRV
$ host -t SRV

# test kerberos ticketing => Note the upper-case!
$ kinit administrator@MY.DOMAIN.LOCAL
$ klist
# create a (test) domain user
$ sudo samba-tool user create some.user

More detailed information and the commands available for the create domain user call can be found on the Samba Wiki.

Possible trouble shooting tips for DNS / Kerberos / Samba

If you get an error message like “Cannot contact any KDC for realm while getting initial credentials” first check if Kerberos was in fact started correctly and is listening on port 88 (or a custom port that you’ve defined earlier), e.g. using telnet:

$ telnet 88

If you are not able to connect (e.g. “Connection refused”) make sure that the Samba services including KDC (Kerberos) is in fact set to be started. For this check the [global] section of your /etc/samba/smb.conf:

$ sudo nano /etc/samba/smb.conf

and add the following line if required:

server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs

Afterwards restart Samba and re-test KDC kinit:

$ sudo systemctl stop samba-ad-dc.service
$ sudo systemctl start samba-ad-dc.service

Re-test kinit:

$ kinit administrator@MY.DOMAIN.LOCAL

In addition, also make sure that you have a working version of your /etc/krb5.conf, especially for the [realms] and [domain_realm] section:

default_realm = MY.DOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

default_domain = MY.DOMAIN.LOCAL


Finally, make sure that Samba itself is fully started, including all of its services, especially after a reboot:

$ samba

Next steps / Where to go from here

As usual, when dealing with an Active Directory setup you should always have a secondary backup domain controller. The steps to do so are pretty straight forward given the guidelines shown here. Simply hook up a second Raspberry Pi and configure it as your secondary domain controller.

If you are running this setup in a test lab you might not need a backup domain controller but as always make sure to back up your Raspberry as an image to have a quick restore point to go to, e.g. using the following command:

$ dd if=/dev/mmcblk0 of=/your-backup-path/YOUR-BACKUP-NAME-$(date +%Y%m%d-%H%M%S).img bs=1MB

That’s all folks! I hope this saves you some time when setting up an Active Directory domain controller with Samba 4 on a Raspberry Pi 3.