You must have heard or have worked on Windows Domain Controller but its time to configure Ubuntu Linux Domain Controller. In this article we will show you how to setup and configure Ubuntu Linux as a Domain Controller.
Download and install SAMBA
First, obtain the latest sources in Ubuntu with these commands:
$ sudo apt-get update
$ sudo apt-get upgrade
Next, you’ll need to install several libraries and packages. However, they can all be installed with one line of code:
$ sudo apt-get install attr build-essential libacl1-dev libldap2-dev libattr1-dev libgnutls-dev libblkid-dev libpopt-dev libreadline-dev libpam0g-dev libbsd-dev libcups2-dev python-dev python-dnspython gdb pkg-config dnsutils attr krb5-user docbook-xsl acl ntp
nstall SAMBA prerequisite packages
During package installation, Kerberos will display a few pink screens and ask to configure Kerberos Authentication and define the Default Kerberos version 5 realm and the Server Name and Administrative server. Use upper-case characters, as Kerberos will have fewer problems:
Realm: TESTDOMAIN.COMServer Name: DC1.TESTDOMAIN.COM
Administrative server for Kerberos realm: DC1.TESTDOMAIN.COM
Kerberos servers for your realm
DNS is important and required to set up our domain controller with SAMBA, so ensure that the default Ethernet interface has a static IP address assigned. To assign a static IP address, edit the file /etc/network/interfaces with vi or nano. You can use the following command to edit the file:
$ sudo vi /etc/network/interfaces
Your interfaces file should look similar to the following:
Interface configuration
Notice that during the installation of our domain controller, two dns-nameservers are listed in our interfaces file (192.168.1.7 and 192.168.1.1). Once we have the domain controller running, we’ll remove the secondary upstream DNS server, as SAMBA could have problems identifying its own DNS services. Also, provide the domain name when defining the dns-search variable.
Now provide /etc/hostname with your hostname (DC1). The following screenshot demonstrates how the file will look after editing, commenting, and setting the hostname. After editing the hostname configuration file, it should return the correct name when issuing the command $ hostname.
Configure hostname and display output
Kerberos requires that the NTP (or Network Time Protocol) is accurate and synced with time servers. In this case, we’ll synchronize NTP with ntp.pool.org servers. First, stop the ntp service, set the date/time with the ntpdate command, and then start the ntp service again with the following commands:
$ sudo service ntp stop$ sudo ntpdate -B pool.ntp.org$ sudo service ntp start
The output will look similar to the following screenshot:
Synchronize ntp service with pool.ntp.org
The acl and attr packages were installed earlier, and now we need to add some additional options to /etc/fstab to extend the attributes of our ext4 file system partition located at the root /. According to Wikipedia:
“The fstab file typically lists all available disk partitions and other types of file systems and data sources that are not necessarily disk-based, and indicates how they are to be initialized or otherwise integrated into the larger file system structure.”
Below are two screenshots. The first is the original file, and the second is the file after editing. As always, it’s best to save a copy of the original file before editing. We’ll include the following options for our ext4 / partition, separated by commas:
user_xattr
acl
barrier=1
Original fstab file:
fstab original configuration
Here’s how the fstab file looks after editing:
fstab edited configuration
Because we’ve edited the way our file system initializes system partitions, we’ll restart the virtual machine to complete the options integration. This is quickly accomplished with the command:
$ sudo shutdown -r now
Configure SAMBA server as domain controller
At this point, we’re ready to configure SAMBA as a domain controller. Because we added the SAMBA file server component during the original Ubuntu operating system install, we can now run our SAMBA configuration utility SAMBA-tool. If you missed installing the SAMBA file utility during your initial system setup, get the Software selection tool again issuing the command:
$ sudo tasksel
If you do use tasksel, select SAMBA file server. Press enter.
When SAMBA is installed, we want to first remove the default smb.conf file located at /etc/samba/smb.conf. When we run SAMBA-tool, the smb.conf file will regenerate. Do this by entering the command:
$ sudo rm /etc/samba/smb.conf
Now we issue the following command to set up SAMBA with a 2008 R2 Forest Functional level:
$ sudo samba-tool domain provision --function-level=2008_R2 --interactive
The first request will be for us to provide the realm. I’ll enter my realm, TESTDOMAIN.COM (which is the FQDN for our domain), and press enter:
Realm: TESTDOMAIN.COM
Now enter the netbios name for our domain name [TESTDOMAIN]. This is our default, so we can just press enter.
Domain [TESTDOMAIN]:
Our Server Role will be a domain controller [dc]. Again, this is the default. We can simply hit enter.
Server Role (dc, member, standalone) [dc]:
Press enter again to confirm that we want the default DNS backend to use SAMBA_INTERNAL, which will add DNS entries for computers when they are joined to the domain.
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
The DNS forwarder IP address is the address used when a DNS entry cannot be found on our own DNS server. I like to use my own default gateway, 192.168.1.1, for the forwarder, but you can use Google’s public DNS server 8.8.8.8.
DNS forwarder IP address (write ‘none’ to disable forwarding) [192.168.1.7]: 192.168.1.1
We’ll now be prompted to enter the Administrator (Domain admin) password for our domain. Use a long and complex password; if this part fails due to a weak password, it’ll be a difficult problem to rectify.
Administrator password:
Retype password:
SAMBA-tool configuration
If everything is correct, the SAMBA-tool will build the structure and directories for your domain. The output will look similar to the following:
SAMBA-tool domain build output
Modifying the permissions of the default netlogon and sysvol share directories is the last configuration change to make before we can start adding computers to our domain. To do this, edit the newly-generated /etc/samba/smb.conf file to include 0700 and 0644 permissions for both directories.
Add the following lines under the [netlogon] and [sysvol] groups:
create mask = 0700
directory mask = 0644
Your edited file will look similar to the following screenshot:
smb.conf mask permissions
After completing the SAMBA installation, go back and edit the /etc/network/interfaces file to remove your second upstream server (192.168.1.1) from the dns-nameservers group. Restart your new domain controller one final time, and the server will be ready to accept computers into the domain. Use the following command:
$ sudo reboot
Join a Windows workstation to the new domain
After the domain controller has completed its reboot, Windows workstations can join the domain. For Windows 7, you’ll need Windows 7 Pro or Ultimate. For Windows 8 and Windows 10, you’ll want at least the Professional version.
In Windows 10, right-click on the start menu, and click System.
Windows 10 system settings
Under Computer settings, click Change Settings and then the Change button. Enter the name of your domain (testdomain.com), and click OK.
System properties and join domain
If you receive the following error, it means the workstation you’re trying to join either isn’t able to ping the IP address of the domain controller and/or you need to explicitly set the DNS entry in TCP/IP V4 to include your domain controller’s IP address:
An Active Directory Domain Controller (AD DC) for the domain “testdomain.com” could not be contacted.
Once your Windows workstation can contact the domain controller, you’ll be greeted with a prompt to authenticate. Type in the user name (Administrator) and the password you provided during the SAMBA-tools setup. Click OK, and your workstation will now be a member of the domain.
Welcome to the domain
You’ll be prompted to restart the workstation. After the reboot, log on to the domain with your username (Administrator) and password. You can now use Active Directory Users and Computers (ADUC) as well as other administrative tools to configure a domain and set up user accounts, GPO’s, and home directories.