Create an Active Directory Infrastructure with Samba4 on Ubuntu

Active Directory is a powerful directory service for managing users, groups, and computers in a Windows environment. Samba4 is an open-source implementation that provides a complete Active Directory infrastructure on Linux systems. This tutorial demonstrates how to set up an Active Directory domain controller using Samba4 on Ubuntu.

Prerequisites

Before starting, ensure your Ubuntu system has a static IP address and proper hostname resolution. You'll also need administrative privileges and network connectivity.

Step 1: Install Required Packages

Install Samba4 and all necessary dependencies for Active Directory functionality:

sudo apt update
sudo apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind libpam-krb5 libpam-ccreds ntp

This installs Samba4, Kerberos for authentication, Winbind for Windows integration, and NTP for time synchronization.

Step 2: Configure Kerberos

Edit the Kerberos configuration file to define your domain realm:

sudo nano /etc/krb5.conf

Add the following configuration, replacing EXAMPLE.COM with your domain name:

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

Step 3: Configure Samba

Back up the original Samba configuration and create a new one:

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
sudo nano /etc/samba/smb.conf

Add the following configuration for an Active Directory domain controller:

[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    netbios name = SAMBA4-DC
    server role = active directory domain controller
    dns forwarder = 8.8.8.8
    idmap_ldb:use rfc2307 = yes

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/sysvol/example.com/scripts
    read only = No

[sysvol]
    comment = System Volume
    path = /var/lib/samba/sysvol
    read only = No
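
The files from Steps 2 and 3 have to agree on the realm before provisioning, and the netlogon path embeds the lowercase domain name. The sh script below is an added example, not part of the original tutorial or of Samba; the function names ini_get, check_ad_config and demo are hypothetical, and the configuration inside demo is a constructed sample with a deliberate mismatch.

```sh
#!/bin/sh
# Added example: consistency check for the smb.conf (Step 3) and krb5.conf (Step 2) shown above.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION] (names compared case-insensitively)
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                                   # skip comment lines
        /^[ \t]*\[/   { cur = tolower($0); gsub(/[^a-z0-9_]/, "", cur); next }
        cur == tolower(sec) && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# check_ad_config SMB_CONF KRB5_CONF: print findings, return the number of failed checks
check_ad_config() {
    realm=$(ini_get "$1" global realm)
    role=$(ini_get "$1" global "server role")
    netlogon=$(ini_get "$1" netlogon path)
    krb_realm=$(ini_get "$2" libdefaults default_realm)
    lower=$(printf %s "$realm" | tr '[:upper:]' '[:lower:]')
    upper=$(printf %s "$realm" | tr '[:lower:]' '[:upper:]')
    fails=0
    [ "$role" = "active directory domain controller" ] ||
        { echo "FAIL: server role is '$role'"; fails=$((fails + 1)); }
    [ -n "$realm" ] && [ "$realm" = "$upper" ] ||
        { echo "FAIL: realm '$realm' must be set and uppercase"; fails=$((fails + 1)); }
    [ "$realm" = "$krb_realm" ] ||
        { echo "FAIL: realm '$realm' != krb5.conf default_realm '$krb_realm'"; fails=$((fails + 1)); }
    [ "$netlogon" = "/var/lib/samba/sysvol/$lower/scripts" ] ||
        { echo "FAIL: netlogon path '$netlogon' does not use realm '$lower'"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample: smb.conf realm changed to CORP.EXAMPLE.COM, krb5.conf and netlogon left as-is
demo() {
    d=$(mktemp -d)
    printf '%s\n' '[libdefaults]' '    default_realm = EXAMPLE.COM' > "$d/krb5.conf"
    printf '%s\n' '[global]' '    realm = CORP.EXAMPLE.COM' \
        '    server role = active directory domain controller' \
        '[netlogon]' '    path = /var/lib/samba/sysvol/example.com/scripts' > "$d/smb.conf"
    check_ad_config "$d/smb.conf" "$d/krb5.conf"; rc=$?
    rm -rf "$d"; return "$rc"
}

demo || echo "$? check(s) failed"
```

To check the real files, source the functions and call check_ad_config /etc/samba/smb.conf /etc/krb5.conf.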

Step 4: Provision the Active Directory Database

Create the Samba Active Directory database using the provisioning tool:

sudo samba-tool domain provision --use-rfc2307 --interactive

This interactive command will prompt you to configure:

  • Realm: Your domain name in uppercase (e.g., EXAMPLE.COM)

  • Domain: NetBIOS name (e.g., EXAMPLE)

  • Server Role: Select "dc" for domain controller

  • DNS backend: Choose "SAMBA_INTERNAL" for built-in DNS

  • Administrator password: Set a strong password

Step 5: Start and Enable Services

Disable the default Samba services and start the Active Directory domain controller:

sudo systemctl disable --now smbd nmbd winbind
sudo systemctl unmask samba-ad-dc
sudo systemctl enable --now samba-ad-dc

Step 6: Configure DNS Resolution

Update the system to use the local DNS server:

sudo nano /etc/systemd/resolved.conf

Add the following lines:

[Resolve]
DNS=127.0.0.1
Domains=example.com

Restart the resolved service:

sudo systemctl restart systemd-resolved

Step 7: Verify Installation

Check the status of the Samba AD DC service:

sudo systemctl status samba-ad-dc

Test DNS resolution for your domain:

nslookup example.com localhost

Query the domain using samba-tool:

sudo samba-tool dns query localhost example.com @ ALL -U administrator

Step 8: Create Users and Groups

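Create a new user account. The password below is a placeholder; if you leave the password argument off, samba-tool prompts for it, which keeps it out of shell history and the process list: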

sudo samba-tool user create john.doe Password123! --given-name=John --surname=Doe

List all users in the domain:

sudo samba-tool user list

Create a security group:

sudo samba-tool group add "IT Department"

Key Configuration Points

  • Time Synchronization: Ensure NTP is properly configured for Kerberos authentication

  • Firewall Rules: Open ports 53 (DNS), 88 (Kerberos), 135 (RPC), 389 (LDAP), and 445 (SMB)

  • DNS Configuration: The domain controller must be its own primary DNS server

  • Backup Strategy: Regularly back up the /var/lib/samba directory

Conclusion

Setting up an Active Directory infrastructure with Samba4 on Ubuntu provides a cost-effective alternative to Microsoft's Active Directory. This solution offers centralized user management, Group Policy support, and Windows client integration. With proper configuration, Samba4 can serve as a reliable domain controller for small to medium-sized organizations.

Updated on: 2026-03-17T09:01:38+05:30
