====== Ubuntu - Samba - Join an existing Windows Active Directory Domain ======

This example is based on the environment like follows.

  * Domain Server                       : Windows Server 2012 R2
  * NetBIOS名 Nmae                      : SW1S01
  * Domain Name                         : srv.SHAREWIZ
  * Realm                               : SRV.sharewiz
  * Hostname                            : sw1s.srv.sharewiz
  * Forest/Domain Functional Level      : 2008 R2

----

===== Get Doman Administrator's Kerberos Ticket =====

<code bash>
sudo apt install krb5-user
</code>

----

Edit the Kerberos config file.

<file bash /etc/krb5.conf>
# change like follows (replace Realm to your own one)

[libdefaults]
        default_realm = SRV.SHAREWIZ
        dns_lookup_realm = false
        dns_lookup_kdc = true
</file>

----

<code bash>
sudo systemctl stop systemd-resolved

sudo systemctl disable systemd-resolved

Removed /etc/systemd/system/samba-ad-dc.service.
</code>

----

Remove link of resolv.conf and create new one.

<code bash>
sudo ll /etc/resolv.conf

lrwxrwxrwx 1 root root 39 Apr 27 10:30 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

sudo rm /etc/resolv.conf
</code>

Edit /etc/resolv.conf

<file bash /etc/resolv.conf>
# change DNS setting to refer to AD (replace the domain name to your own one)

domain srv.sharewiz
nameserver 192.168.1.8
</file>

Initialize Kerberos.

<code bash>
sudo kinit administrator

Password for administrator@SRV.SHAREWIZ:
</code>

List Kerberos Info.

<code bash>
sudo klist
</code>

returns:

<code bash>
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SRV.SHAREWIZ

Valid starting       Expires              Service principal
08/17/2015 22:12:34  08/18/2015 08:12:34  krbtgt/SRV.WORLD@SRV.SHAREWIZ
        renew until 08/17/2015 22:12:25
</code>

----

===== Add Samba DC to existing AD =====

Rename or remove default config.

<code bash>
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.org

sudo samba-tool domain join srv.sharewiz DC -U "SW1S01\administrator" --dns-backend=SAMBA_INTERNAL

Finding a writeable DC for domain 'srv.sharewiz'
Found DC SW1S.srv.sharewiz
Password for [SW1S01\administrator]:
workgroup is SW1S01
realm is srv.sharewiz
Adding CN=DLP,OU=Domain Controllers,DC=srv,DC=sharewiz
Adding CN=DLP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=sharewiz
Adding CN=NTDS Settings,CN=DLP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=sharewiz
Adding SPNs to CN=DLP,OU=Domain Controllers,DC=srv,DC=sharewiz
Setting account password for DLP$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=srv,DC=sharewiz
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=sharewiz] objects[402/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=sharewiz] objects[804/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=sharewiz] objects[1206/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=sharewiz] objects[1608/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=sharewiz] objects[1743/1438] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=srv,DC=sharewiz] objects[402/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=sharewiz] objects[804/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=sharewiz] objects[1206/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=sharewiz] objects[1608/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=sharewiz] objects[1776/2159] linked_values[39/39]
Replicating critical objects from the base DN of the domain
Partition[DC=srv,DC=sharewiz] objects[110/110] linked_values[25/28]
Partition[DC=srv,DC=sharewiz] objects[381/4798] linked_values[28/28]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=srv,DC=sharewiz
Partition[DC=DomainDnsZones,DC=srv,DC=sharewiz] objects[36/36] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=srv,DC=sharewiz
Partition[DC=ForestDnsZones,DC=srv,DC=sharewiz] objects[19/19] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=srv,DC=sharewiz] objects[3] linked_values[0]
Committing SAM database
Adding 1 remote DNS records for DLP.srv.sharewiz
Adding DNS A record DLP.srv.sharewiz for IPv4 IP: 192.168.1.30
Adding DNS CNAME record e856365c-3f62-4774-b8a8-0c8b06d566c7._msdcs.srv.world for DLP.srv.sharewiz
All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
Replicating new DNS records in DC=DomainDnsZones,DC=srv,DC=sharewiz
Partition[DC=DomainDnsZones,DC=srv,DC=sharewiz] objects[1/36] linked_values[0/0]
Replicating new DNS records in DC=ForestDnsZones,DC=srv,DC=sharewiz
Partition[DC=ForestDnsZones,DC=srv,DC=sharewiz] objects[1/19] linked_values[0/0]
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SW1S01 (SID S-1-5-21-1764851099-3332435390-390327390) as a DC
</code>

Restart

<code bash>
sudo systemctl stop smbd nmbd winbind

sudo systemctl disable smbd nmbd winbind

sudo systemctl unmask samba-ad-dc

Removed /etc/systemd/system/samba-ad-dc.service.

sudo systemctl start samba-ad-dc

sudo systemctl enable samba-ad-dc
</code>

Verify possible authenticate with an AD user to localhost

<code bash>
sudo smbclient //127.0.0.1/netlogon -U ShareWiz -c 'ls'

Enter SW1S01\ShareWiz's password:
  .                                   D        0  Wed Jun 27 20:54:35 2018
  ..                                  D        0  Wed Jun 27 20:54:35 2018

                29832064 blocks of size 1024. 26234432 blocks available
</code>


Verify replication status with AD.

<code bash>
sudo samba-tool drs showrepl
</code>

returns:

<code bash>
Default-First-Site-Name\DLP
DSA Options: 0x00000001
DSA object GUID: e856365c-3f62-4774-b8a8-0c8b06d566c7
DSA invocationId: 6c2f7dda-a93e-4158-9b8b-3a494863c3d9

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=srv,DC=sharewiz
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: ab920914-1b88-4df9-9146-f2d13d04830e
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

.....
.....

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 465f7e2b-02ab-4d47-8265-9e5a7388ddd2
        Enabled        : TRUE
        Server DNS name : smb.srv.sharewiz
        Server DN name  : CN=NTDS Settings,CN=SMB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=sharewiz
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
</code>

<WRAP info>
For [No NC replicated for Connection!] you don't care it according to samba official site
</WRAP>

----

Verify possible join to this Samba DC from another Ubuntu Client Host.