Ubuntu - Samba - Join an existing Windows Active Directory Domain

This example is based on the following environment.


Get Domain Administrator's Kerberos Ticket

sudo apt install krb5-user

Edit the Kerberos config file.

/etc/krb5.conf
# change as follows (replace the realm with your own; AD realms are the upper-cased DNS domain name)
 
[libdefaults]
        default_realm = SRV.SHAREWIZ
        dns_lookup_realm = false
        dns_lookup_kdc = true

Stop and disable systemd-resolved, so that its stub listener on 127.0.0.53 no longer owns /etc/resolv.conf and the host queries the AD DNS server directly.

sudo systemctl stop systemd-resolved
 
sudo systemctl disable systemd-resolved

Remove the resolv.conf symlink and create a new file in its place.

ls -l /etc/resolv.conf
 
lrwxrwxrwx 1 root root 39 Apr 27 10:30 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
 
sudo rm /etc/resolv.conf

Edit /etc/resolv.conf

/etc/resolv.conf
# point DNS at the AD DC (replace the domain name and address with your own)
 
domain srv.sharewiz
nameserver 192.168.1.8

Obtain a Kerberos ticket (TGT) for the domain administrator. Run under sudo, the ticket lands in root's credential cache; destroy it with sudo kdestroy once the join is complete so that a Domain Admin TGT is not left on disk.

sudo kinit administrator
 
Password for administrator@SRV.SHAREWIZ:

List the cached Kerberos tickets.

sudo klist

returns:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SRV.SHAREWIZ
 
Valid starting       Expires              Service principal
08/17/2015 22:12:34  08/18/2015 08:12:34  krbtgt/SRV.SHAREWIZ@SRV.SHAREWIZ
        renew until 08/17/2015 22:12:25
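The preparation above leaves the host depending on two settings that are easy to get subtly wrong: /etc/resolv.conf must point straight at the AD DNS server (not at the systemd-resolved stub on 127.0.0.53), and default_realm must be the upper-cased domain name, or kinit will not find a KDC. The script below is an added example and not part of the original page. It checks both conditions offline against constructed sample files, taking the realm SRV.SHAREWIZ and the DC address 192.168.1.8 from this page as assumed values; with --live it runs the same checks against the real files and then asks the DC for its own LDAP SRV record.

```sh
#!/bin/sh
# Added example, not from the original page: offline sanity checks for the
# DNS and Kerberos preparation, to run before `samba-tool domain join`.
# Assumed values: realm SRV.SHAREWIZ and DC address 192.168.1.8 from the page.
# The *_RESOLV / *_KRB5 strings are constructed samples, not captured files.

GOOD_RESOLV='domain srv.sharewiz
nameserver 192.168.1.8'

# What resolv.conf looks like while systemd-resolved is still active: the
# stub answers, but AD SRV records are not served by it.
STUB_RESOLV='nameserver 127.0.0.53
options edns0'

GOOD_KRB5='[libdefaults]
        default_realm = SRV.SHAREWIZ
        dns_lookup_realm = false
        dns_lookup_kdc = true'

LOWER_KRB5='[libdefaults]
        default_realm = srv.sharewiz'

# First "nameserver" entry of a resolv.conf passed as a string.
resolv_first_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# check_resolv CONTENT DC_IP: the first resolver must be the AD DC itself,
# not the systemd-resolved stub and not some unrelated server.
check_resolv() {
    ns=$(resolv_first_nameserver "$1")
    case "$ns" in
        "")         echo "no nameserver configured"; return 1 ;;
        127.0.0.53) echo "still using systemd-resolved stub $ns"; return 1 ;;
        "$2")       echo "ok"; return 0 ;;
        *)          echo "nameserver $ns is not the AD DC $2"; return 1 ;;
    esac
}

# default_realm value from a krb5.conf passed as a string, whitespace stripped.
krb5_default_realm() {
    printf '%s\n' "$1" | awk -F= '
        $1 ~ /^[ \t]*default_realm[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# check_realm CONTENT EXPECTED: realms are case-sensitive, so a lower-case
# "srv.sharewiz" is a different (non-existent) realm and kinit fails.
check_realm() {
    realm=$(krb5_default_realm "$1")
    if [ -z "$realm" ]; then
        echo "no default_realm set"; return 1
    elif [ "$realm" != "$2" ]; then
        echo "default_realm is $realm, expected $2"; return 1
    fi
    echo "ok"
}

# Live mode (needs the host's files and the network): run the same checks on
# the real configuration, then confirm the DC publishes its LDAP SRV record.
if [ "${1:-}" = "--live" ]; then
    check_resolv "$(cat /etc/resolv.conf)" 192.168.1.8 || exit 1
    check_realm "$(cat /etc/krb5.conf)" SRV.SHAREWIZ || exit 1
    host -t SRV _ldap._tcp.dc._msdcs.srv.sharewiz 192.168.1.8 || exit 1
fi
```

Each check prints "ok" or the reason and returns non-zero on failure, so the live mode can be dropped into a provisioning script and stop before the join is attempted with a broken resolver.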

Add Samba DC to existing AD

Rename (or remove) the default config; samba-tool writes a new smb.conf for the DC during the join.

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.org
 
sudo samba-tool domain join srv.sharewiz DC -U "SW1S01\administrator" --dns-backend=SAMBA_INTERNAL
 
Finding a writeable DC for domain 'srv.sharewiz'
Found DC SW1S.srv.sharewiz
Password for [SW1S01\administrator]:
workgroup is SW1S01
realm is srv.sharewiz
Adding CN=DLP,OU=Domain Controllers,DC=srv,DC=sharewiz
Adding CN=DLP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=sharewiz
Adding CN=NTDS Settings,CN=DLP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=sharewiz
Adding SPNs to CN=DLP,OU=Domain Controllers,DC=srv,DC=sharewiz
Setting account password for DLP$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=srv,DC=sharewiz
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=sharewiz] objects[402/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=sharewiz] objects[804/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=sharewiz] objects[1206/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=sharewiz] objects[1608/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=sharewiz] objects[1743/1438] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=srv,DC=sharewiz] objects[402/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=sharewiz] objects[804/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=sharewiz] objects[1206/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=sharewiz] objects[1608/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=sharewiz] objects[1776/2159] linked_values[39/39]
Replicating critical objects from the base DN of the domain
Partition[DC=srv,DC=sharewiz] objects[110/110] linked_values[25/28]
Partition[DC=srv,DC=sharewiz] objects[381/4798] linked_values[28/28]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=srv,DC=sharewiz
Partition[DC=DomainDnsZones,DC=srv,DC=sharewiz] objects[36/36] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=srv,DC=sharewiz
Partition[DC=ForestDnsZones,DC=srv,DC=sharewiz] objects[19/19] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=srv,DC=sharewiz] objects[3] linked_values[0]
Committing SAM database
Adding 1 remote DNS records for DLP.srv.sharewiz
Adding DNS A record DLP.srv.sharewiz for IPv4 IP: 192.168.1.30
Adding DNS CNAME record e856365c-3f62-4774-b8a8-0c8b06d566c7._msdcs.srv.sharewiz for DLP.srv.sharewiz
All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
Replicating new DNS records in DC=DomainDnsZones,DC=srv,DC=sharewiz
Partition[DC=DomainDnsZones,DC=srv,DC=sharewiz] objects[1/36] linked_values[0/0]
Replicating new DNS records in DC=ForestDnsZones,DC=srv,DC=sharewiz
Partition[DC=ForestDnsZones,DC=srv,DC=sharewiz] objects[1/19] linked_values[0/0]
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SW1S01 (SID S-1-5-21-1764851099-3332435390-390327390) as a DC

Switch to the AD DC service

An AD DC is run by the samba-ad-dc unit, which Ubuntu ships masked; stop and disable the standalone file-server daemons (smbd, nmbd, winbind) first, because they must not run alongside it. The join output above also reports a Kerberos configuration generated at /var/lib/samba/private/krb5.conf; the Samba wiki recommends installing that file as /etc/krb5.conf before starting the service.

sudo systemctl stop smbd nmbd winbind
 
sudo systemctl disable smbd nmbd winbind
 
sudo systemctl unmask samba-ad-dc
 
Removed /etc/systemd/system/samba-ad-dc.service.
 
sudo systemctl start samba-ad-dc
 
sudo systemctl enable samba-ad-dc

Verify that an AD user can authenticate to the new DC over loopback.

sudo smbclient //127.0.0.1/netlogon -U ShareWiz -c 'ls'
 
Enter SW1S01\ShareWiz's password:
  .                                   D        0  Wed Jun 27 20:54:35 2018
  ..                                  D        0  Wed Jun 27 20:54:35 2018
 
                29832064 blocks of size 1024. 26234432 blocks available

Verify replication status with AD.

sudo samba-tool drs showrepl

returns:

Default-First-Site-Name\DLP
DSA Options: 0x00000001
DSA object GUID: e856365c-3f62-4774-b8a8-0c8b06d566c7
DSA invocationId: 6c2f7dda-a93e-4158-9b8b-3a494863c3d9
 
==== INBOUND NEIGHBORS ====
 
DC=DomainDnsZones,DC=srv,DC=sharewiz
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: ab920914-1b88-4df9-9146-f2d13d04830e
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)
 
.....
.....
 
==== KCC CONNECTION OBJECTS ====
 
Connection --
        Connection name: 465f7e2b-02ab-4d47-8265-9e5a7388ddd2
        Enabled        : TRUE
        Server DNS name : smb.srv.sharewiz
        Server DN name  : CN=NTDS Settings,CN=SMB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=sharewiz
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

The warning [No NC replicated for Connection!] can be ignored; the Samba wiki states that it is harmless. What matters is that every inbound neighbour reports 0 consecutive failure(s).
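Reading showrepl by eye works for one DC, but a check you can re-run (and alert on) is more useful once the DC serves clients. The script below is an added example, not code from the page or the Samba project: it parses the text output of samba-tool drs showrepl, lists inbound partitions whose consecutive-failure counter is non-zero, and prints any warning other than the benign one above. SAMPLE is constructed from the output shown on this page, with one failing partition added (the error code 8453 is Windows' WERR_DS_DRA_ACCESS_DENIED, the usual symptom of a DC whose machine account cannot read a partition); with --live it runs the real command on the DC.

```sh
#!/bin/sh
# Added example, not from the original page: parse `samba-tool drs showrepl`
# text and flag inbound neighbours whose replication is failing, while
# ignoring the known-harmless KCC warning.
# SAMPLE is constructed from the page's output plus one failing partition.

SAMPLE='Default-First-Site-Name\DLP
DSA Options: 0x00000001
DSA object GUID: e856365c-3f62-4774-b8a8-0c8b06d566c7

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=srv,DC=sharewiz
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: ab920914-1b88-4df9-9146-f2d13d04830e
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=srv,DC=sharewiz
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: ab920914-1b88-4df9-9146-f2d13d04830e
                Last attempt @ NTTIME(0) failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                3 consecutive failure(s).
                Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 465f7e2b-02ab-4d47-8265-9e5a7388ddd2
        Enabled        : TRUE
Warning: No NC replicated for Connection!'

# Print "<partition DN> <failures>" for each inbound neighbour with a non-zero
# consecutive-failure counter. Partition DNs sit at column 0 inside the
# INBOUND section; the counter line is indented beneath them.
showrepl_failing() {
    printf '%s\n' "$1" | awk '
        /^==== INBOUND NEIGHBORS ====/ { inbound = 1; next }
        /^==== /                        { inbound = 0 }
        inbound && /^(DC|CN)=/          { nc = $0 }
        inbound && /consecutive failure\(s\)/ && $1 + 0 > 0 { print nc, $1 }'
}

# Number of failing inbound neighbours; 0 means replication is healthy.
showrepl_failure_count() {
    showrepl_failing "$1" | wc -l | tr -d ' '
}

# Warning lines other than the benign "No NC replicated for Connection!".
showrepl_unexpected_warnings() {
    printf '%s\n' "$1" | grep '^Warning:' | grep -v 'No NC replicated for Connection!' || true
}

# Overall verdict: "healthy" (exit 0) or "N failing neighbour(s)" (exit 1).
showrepl_verdict() {
    n=$(showrepl_failure_count "$1")
    if [ "$n" -eq 0 ]; then
        echo healthy
    else
        echo "$n failing neighbour(s)"; return 1
    fi
}

# Live mode: run on the DC itself as root, after samba-ad-dc is up.
if [ "${1:-}" = "--live" ]; then
    out=$(samba-tool drs showrepl) || exit 1
    showrepl_failing "$out"
    showrepl_unexpected_warnings "$out"
    showrepl_verdict "$out"
fi
```

A non-zero exit from showrepl_verdict means at least one inbound partition is not replicating; resolve that before pointing clients at this DC, since an unreplicated DC will hand out stale or missing accounts and Kerberos keys.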


Verify that another Ubuntu client host can join the domain through this Samba DC.