    Setting up an Active Directory domain controller with Samba 4 on a Raspberry Pi 3

    The Raspberry Pi is a wonderful platform to simplify your daily IT jobs, such as serving as a media centre for your smart TV, being the central hub for your home automation system or, in the case at hand, acting as an Active Directory (AD) domain controller in a test lab. Obviously, we are talking about the Samba implementation of Active Directory, available since Samba version 4, since the original one offered by the folks at Microsoft requires an x86 architecture, which the Raspberry Pi with its ARM system does not provide. But hey, in the end for this scenario we don't care too much about the underlying hardware and focus merely on the functional aspect. So let's begin, shall we?

    Raspberry Pi setup used

    For the following guide I’ve used a vanilla Raspberry Pi 3 in the following configuration (although the setup should be just fine for other versions too):

    $ cat /etc/os-release 
    PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
    NAME="Raspbian GNU/Linux"
    VERSION_ID="9"
    VERSION="9 (stretch)"
    ID=raspbian
    ID_LIKE=debian
    HOME_URL="http://www.raspbian.org/"
    SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
    BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

    Our goal at a glance

    Let’s break down what we need to do in order to achieve our goal to set up an Active Directory domain controller with Samba 4 on a Raspberry Pi 3:

    1. Initial setup of the Raspberry Pi using Raspbian
    2. Setup networking to use a static IP
    3. Install required packages
    4. Stop and disable the classic Samba service units
    5. Provision the AD domain
    6. Setup and start required Samba AD domain controller services
    7. Reboot
    8. Check setup by creating new AD user and add a client computer

    For this particular setup we are going to use the following base information:

    • router has IP 192.168.1.1
    • hostname is pidc
    • pidc has IP 192.168.1.2
    • domain to be used my.domain.local

    A word on the domain name: .local is also claimed by mDNS (Avahi), which makes name resolution on Linux and macOS clients unreliable. For a throw-away lab it works; for anything longer-lived, use a subdomain of a DNS name you control (e.g. ad.example.com) instead.

    Initial setup of the Raspberry Pi using Raspbian

    We are not going to cover this here since there are plenty of write-ups out there. Thus, please check them out and bootstrap your Raspberry Pi using Raspbian. Also make sure that your base system is at the latest version before proceeding further (i.e. sudo apt-get update && sudo apt-get upgrade -V).

    Setup networking to use a static IP

    With an AD DC in place you will always want a static IP to keep things simple. The DC also has to resolve names through its own DNS server first, because the AD service records exist only there. Note that dhcpcd keeps a single value per static option, so all resolvers go on one domain_name_servers line (a second line would replace the first), and ip_address wants the prefix length:

    $ sudo nano /etc/dhcpcd.conf
    # explicitly use eth0 and set a static address, gateway, resolvers and search domain
    interface eth0
    static ip_address=192.168.1.2/24
    static routers=192.168.1.1
    # the DC first, then the router as fallback for everything outside the domain
    static domain_name_servers=127.0.0.1 192.168.1.1
    static domain_search=my.domain.local
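    A small lint for the stanza above, added here as an example (it is not part of the original post): it flags the three mistakes that most often break a DC's own name resolution, namely a repeated domain_name_servers line (only the last one survives), a first resolver that is not the DC itself, and an ip_address without prefix length. Interface name, DC address and the sample files are assumptions based on the lab values above.

```shell
#!/bin/sh
# Added example, not code from the original post: lint the static-IP stanza
# of a dhcpcd.conf for the mistakes that break a Samba AD DC's own name
# resolution. Interface name, DC address and the sample files are assumptions
# based on the lab values above.
#
# lint_dhcpcd_static <dhcpcd.conf> <interface> <dc-ip>
# Prints one line per problem; returns 0 when the stanza is clean.
lint_dhcpcd_static() {
    file=$1; iface=$2; dc_ip=$3; problems=0

    # Keep only the lines that belong to the requested interface block.
    stanza=$(awk -v want="$iface" '
        $1 == "interface" { in_block = ($2 == want); next }
        in_block          { print }' "$file")
    if [ -z "$stanza" ]; then
        echo "no 'interface $iface' stanza found in $file"
        return 1
    fi

    # dhcpcd keeps one value per static option, so a second
    # domain_name_servers line replaces the first instead of adding to it.
    dns_lines=$(printf '%s\n' "$stanza" \
        | grep -c '^[[:space:]]*static[[:space:]]*domain_name_servers=' || true)
    if [ "$dns_lines" -gt 1 ]; then
        echo "domain_name_servers is set $dns_lines times; only the last line takes effect"
        problems=1
    fi

    # The DC has to query itself first: the AD SRV records exist only in its own DNS.
    first_dns=$(printf '%s\n' "$stanza" \
        | sed -n 's/^[[:space:]]*static[[:space:]]*domain_name_servers=[[:space:]]*//p' \
        | tail -n 1 | awk '{ print $1 }')
    case "$first_dns" in
        "$dc_ip"|127.0.0.1) ;;
        "")  echo "no domain_name_servers set"; problems=1 ;;
        *)   echo "first nameserver is $first_dns, expected $dc_ip or 127.0.0.1"; problems=1 ;;
    esac

    # dhcpcd expects CIDR notation here; without a prefix length the netmask is guessed.
    ip_line=$(printf '%s\n' "$stanza" \
        | sed -n 's/^[[:space:]]*static[[:space:]]*ip_address=[[:space:]]*//p' | tail -n 1)
    case "$ip_line" in
        */*) ;;
        "")  echo "no static ip_address set"; problems=1 ;;
        *)   echo "ip_address $ip_line has no prefix length (e.g. /24)"; problems=1 ;;
    esac

    return "$problems"
}
```

    Run it as `lint_dhcpcd_static /etc/dhcpcd.conf eth0 192.168.1.2` after editing the file; an exit status of 0 means the stanza passed all three checks.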

    Install required packages

    Next we need to install the required packages:

    $ sudo apt-get install samba smbclient winbind krb5-user krb5-config krb5-locales libpam-winbind libnss-winbind

    During the setup you will be asked for

    • Default Kerberos realm
    • Kerberos servers
    • Administrative server

    Based on our domain setup you need to enter the following data (the realm is the DNS domain in upper case; these answers only seed /etc/krb5.conf, which we replace after provisioning anyway):

    • Default Kerberos realm: MY.DOMAIN.LOCAL
    • Kerberos servers: my.domain.local
    • Administrative server: pidc.my.domain.local

    Stop and disable the classic Samba service units

    The Debian packages ship samba-ad-dc.service masked and run the classic file-server units smbd, nmbd and winbind instead. On an AD DC those must not run on their own (the samba process starts its own smbd and winbindd), and leaving them enabled produces errors at boot. Issue the following commands to stop and then fully disable them:

    $ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
    $ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

    Provision the AD domain

    Before we can actually provision our AD domain, let's do a little housekeeping round to make our life easier: samba-tool domain provision needs to start from a clean smb.conf, and the krb5.conf installed by the packages will be replaced by the provisioned one anyway:

    # double-check where the samba config file resides
    $ smbd -b | grep "CONFIGFILE"
    # let's make a backup of the original samba configuration determined above
    $ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
    # also, let's remove the original kerberos configuration, as it will be replaced later on
    $ sudo rm /etc/krb5.conf

    Having done those steps it’s finally time to provision our AD domain:

    $ sudo samba-tool domain provision --use-rfc2307 --interactive

    The provisioning process takes a while on a Pi. You will be asked for the Realm (MY.DOMAIN.LOCAL), the NetBIOS domain name (defaults to the first label, MY), the server role (dc), the DNS backend (SAMBA_INTERNAL is fine for a lab), a DNS forwarder for names outside the domain (the router, 192.168.1.1) and the Administrator password, which has to meet the default complexity rules. When completed, let's handle the Kerberos configuration. Provisioning writes a minimal krb5.conf into Samba's private directory; since we removed /etc/krb5.conf above, just point it there:

    # symlink to /etc/krb5.conf => NOTE: a symlink is not ideal (the Samba wiki copies the file instead), but it's OK for now;
    # use cp rather than ln if you plan to hand-edit /etc/krb5.conf later
    $ sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

    Hint: We will come back to /etc/krb5.conf at the very end for potential missing information so hang in there for now.

    Setup and start required Samba AD domain controller services

    Finally, let's set up and start the required Samba AD domain controller services to get things moving:

    $ sudo systemctl unmask samba-ad-dc.service
    $ sudo systemctl start samba-ad-dc.service
    $ sudo systemctl status samba-ad-dc.service
    $ sudo systemctl enable samba-ad-dc.service

    Time to check if Samba is running correctly. On an AD DC you should see the samba process listening on, among others, ports 53 (DNS), 88 (Kerberos), 389/636 (LDAP), 445 (SMB), 464 (kpasswd) and 3268 (global catalog); use ss -tulpn if net-tools is not installed:

    $ sudo netstat -tulpn | egrep 'smbd|samba'

    Also, make sure the search domain and your nameservers in /etc/resolv.conf are set correctly at this point. The DC must come first; listing the router as a second resolver is a lab convenience, but be aware that whenever the DC is slow to answer, lookups for AD names fall through to a resolver that has never heard of them (the Samba wiki therefore lists only DCs here):

    $ sudo nano /etc/resolv.conf
    
    search my.domain.local
    nameserver 192.168.1.2
    nameserver 192.168.1.1

    Once completed, mark /etc/resolv.conf as write-protected to save yourself some pain after reboots:

    $ sudo chattr +i /etc/resolv.conf

    Reboot

    Time to reboot your shiny new AD domain controller setup to take effect:

    $ sudo reboot

    Check setup by creating new AD user and add a client computer

    # do some simple ping tests
    $ ping -c3 my.domain.local
    $ ping -c3 pidc.my.domain.local
    $ ping -c3 pidc
    
    # test DNS configuration
    $ host -t A my.domain.local
    $ host -t A pidc.my.domain.local
    $ host -t SRV _kerberos._udp.my.domain.local
    $ host -t SRV _ldap._tcp.my.domain.local
    
    # test kerberos ticketing => note the upper-case realm; kinit prompts for the Administrator password
    $ kinit administrator@MY.DOMAIN.LOCAL
    $ klist
    # create a (test) domain user; samba-tool prompts for the new user's password
    $ sudo samba-tool user create some.user

    More detailed information and the commands available for the create domain user call can be found on the Samba Wiki.
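    The DNS checks above cover four of the records a domain member needs; the script below, added here as an example and not part of the original post, queries the full set (including the _msdcs and kpasswd entries that samba-tool domain join and password changes depend on) against the DC's own DNS and then probes the service ports. The domain, hostname and address are the lab values from this page; the record list, port list and function names are this script's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: check that the new DC
# publishes every DNS record an AD client needs to find it, then probe the
# service ports. The domain, hostname and address are the lab values above;
# the record list, port list and helper names are this script's assumptions.

# Records that clients (and samba-tool domain join) look up to locate a DC.
# DNS names are lower-case; only the Kerberos realm is upper-case.
ad_expected_records() {       # $1 = DNS domain, $2 = DC short hostname
    printf '%s\n' \
        "A   $1" \
        "A   $2.$1" \
        "SRV _ldap._tcp.$1" \
        "SRV _ldap._tcp.dc._msdcs.$1" \
        "SRV _kerberos._tcp.$1" \
        "SRV _kerberos._udp.$1" \
        "SRV _kpasswd._udp.$1" \
        "SRV _gc._tcp.$1"
}

# One query against the DC's own DNS; true only if host(1) printed an answer.
ad_query_record() {           # $1 = type, $2 = name, $3 = resolver IP
    host -t "$1" "$2" "$3" 2>/dev/null | grep -Eq 'has (address|SRV record)'
}

# TCP reachability via nc(1); a missing nc is reported, not counted as a failure.
ad_probe_port() {             # $1 = host, $2 = port
    if ! command -v nc >/dev/null 2>&1; then
        echo "skip nc not installed, cannot probe $1:$2"
        return 0
    fi
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

ad_dc_check() {               # $1 = DNS domain, $2 = DC hostname, $3 = DC IP
    failed=0
    while read -r type name; do
        if ad_query_record "$type" "$name" "$3"; then
            echo "ok   $type $name"
        else
            echo "FAIL $type $name"; failed=$((failed + 1))
        fi
    done <<EOF
$(ad_expected_records "$1" "$2")
EOF
    # 53 DNS, 88 Kerberos, 389 LDAP, 445 SMB (SYSVOL); all served by the samba process.
    for port in 53 88 389 445; do
        if ad_probe_port "$2.$1" "$port"; then
            echo "ok   tcp/$port"
        else
            echo "FAIL tcp/$port"; failed=$((failed + 1))
        fi
    done
    echo "$failed check(s) failed"
    [ "$failed" -eq 0 ]
}

# Only run the checks when invoked as "sh ad-dc-check.sh run" on the DC itself.
if [ "${1:-}" = run ]; then
    ad_dc_check my.domain.local pidc 192.168.1.2
fi
```

    A FAIL on _ldap._tcp.dc._msdcs or _kpasswd._udp with the plain A and _ldap._tcp records fine usually means the DC is answering but the provisioning did not complete, or a resolver other than the DC is being queried; a FAIL on every record while the ports are open points at the resolver address rather than at Samba.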

    Possible trouble shooting tips for DNS / Kerberos / Samba

    If you get an error message like "Cannot contact any KDC for realm while getting initial credentials", first check that the KDC was in fact started and is listening on port 88, e.g. using telnet:

    $ telnet pidc.my.domain.local 88

    If you are not able to connect (e.g. "Connection refused"), make sure that the Samba services, including the KDC (Kerberos), are in fact set to be started. For this check the [global] section of your /etc/samba/smb.conf:

    $ sudo nano /etc/samba/smb.conf

    and add the following line if required:

    server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs

    Afterwards restart Samba:

    $ sudo systemctl restart samba-ad-dc.service

    Re-test kinit:

    $ kinit administrator@MY.DOMAIN.LOCAL

    In addition, also make sure that you have a working version of your /etc/krb5.conf, especially the [realms] and [domain_realm] sections. Keep the realm in upper case and DNS names in lower case: the krb5.conf documentation requires host and domain names in [domain_realm] to be lower case, so upper-case keys there would not match:

    [libdefaults]
    default_realm = MY.DOMAIN.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    dns_fallback = yes
    
    [realms]
    MY.DOMAIN.LOCAL = {
    kdc = pidc.my.domain.local:88
    default_domain = my.domain.local
    }
    
    [domain_realm]
    .my.domain.local = MY.DOMAIN.LOCAL
    my.domain.local = MY.DOMAIN.LOCAL

    Finally, make sure that Samba itself is fully started, including all of its services, especially after a reboot. Do not start a second instance by running samba by hand next to the systemd unit; check the unit and list the running Samba service processes instead:

    $ sudo systemctl status samba-ad-dc.service
    $ sudo samba-tool processes

    Next steps / Where to go from here

    As usual, when dealing with an Active Directory setup you should always have a second domain controller (AD has no primary/backup distinction; every DC holds a writable replica). The steps to do so are pretty straightforward given the guidelines shown here: hook up a second Raspberry Pi, walk through the same preparation, and instead of provisioning join it to the existing domain as a DC with samba-tool domain join.

    If you are running this setup in a test lab you might not need a second domain controller, but as always make sure to back up your Raspberry Pi as an image to have a quick restore point to go to. Take the image with the card removed and plugged into another machine (adjust the device name accordingly), or at least with samba-ad-dc stopped; imaging a running root filesystem gives an inconsistent copy. E.g. using the following command:

    $ sudo dd if=/dev/mmcblk0 of=/your-backup-path/YOUR-BACKUP-NAME-$(date +%Y%m%d-%H%M%S).img bs=4M status=progress
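    A slightly more careful version of that one-liner, added here as an example and not part of the original post: it images the device into a timestamped file, records a SHA-256 of what was actually written, and offers a check to run before trusting the image for a restore. Device, destination directory and name are parameters; the /your-backup-path default and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: image a device into a
# timestamped file and record its SHA-256, so a restore can be checked against
# what was actually written. Device, destination and name are parameters;
# /your-backup-path is the placeholder used above, not a real path.

# image_device <device-or-file> <dest-dir> <name>  -> prints the image path
image_device() {
    dev=$1; dest=$2; name=$3
    if [ ! -r "$dev" ]; then
        echo "cannot read $dev (imaging /dev/mmcblk0 needs root)" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    img="$dest/$name-$(date +%Y%m%d-%H%M%S).img"
    # bs=4M (not 1MB) for throughput; conv=fsync makes dd flush before it reports success.
    dd if="$dev" of="$img" bs=4M conv=fsync 2>/dev/null || return 1
    # Hash the file that was written, so a truncated or corrupted image is caught on restore.
    ( cd "$dest" && sha256sum "$(basename "$img")" > "$(basename "$img").sha256" ) || return 1
    echo "$img"
}

# verify_image <image-path>  -> 0 only when the recorded checksum still matches
verify_image() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Invoke as: sudo sh backup.sh run /dev/mmcblk0 /your-backup-path
# Stop samba-ad-dc first (or image the card from another machine): a live
# root filesystem is still changing while dd reads it.
if [ "${1:-}" = run ]; then
    image_device "$2" "$3" pidc
fi
```

    Before restoring, run verify_image on the .img; a mismatch means the file was truncated or altered since it was taken, and restoring it would give you a silently broken DC rather than a restore point.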

    That’s all folks! I hope this saves you some time when setting up an Active Directory domain controller with Samba 4 on a Raspberry Pi 3.