# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
# Static addressing: the DC needs a fixed address because the hosts entry,
# the DNS records and the member machines later in this guide all point at
# 10.10.10.30 (adjust these values to your own lab network).
auto eth0
iface eth0 inet static
address 10.10.10.30
netmask 255.255.255.0
network 10.10.10.0
broadcast 10.10.10.255
gateway 10.10.10.1
# 10.10.10.1 is listed as a second resolver only for the installation phase;
# the guide later removes it so the DC resolves through itself only, with
# external names handled by the forwarder configured in smb.conf.
dns-nameservers 10.10.10.30 10.10.10.1
dns-search devlab.nt
Change the hostname
# Set the short hostname; it must match the name used in the /etc/hosts entry
# below (dc1). Run this as root: sudo would not apply to the shell's redirection.
echo "dc1" > /etc/hostname
Verify the hosts file; make adjustments if needed
nano /etc/hosts
Verify the following entries are in the file, save and exit
127.0.0.1 localhost
10.10.10.30 dc1.devlab.nt dc1
Install a time server; time is very important, especially in an AD environment
# Keep the clock in sync: Kerberos rejects tickets when the clock skew between
# client and DC exceeds its tolerance (5 minutes by default), so domain joins
# and logons fail on a drifting DC.
sudo apt-get install ntp
Adjust the time; you can use any NTP server
# Stop ntpd first so ntpdate can use the NTP port for a one-shot sync, then
# start it again. -B slews the clock instead of stepping it. The commands are
# joined with ';' so ntpd is restarted even if ntpdate fails, which means the
# exit status of this line says nothing about the sync — read ntpdate's output.
service ntp stop; ntpdate -B 0.ubuntu.pool.ntp.org; service ntp start
Set up the file system as required for AD object permissions
nano /etc/fstab
Paste the following into the file, replacing xxxxx with the actual UUID of your root hard drive. The easy way is to copy the whole line, comment out the original line and adjust the new line as follows
Note down the krb5.conf path from the following line because we need it later on; you will see this line at the end when provisioning is done
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Now let's put krb5.conf in place; of course, back up the original first
Now go ahead and change the DNS setting to 10.10.10.30 only
nano /etc/network/interfaces
Remove 10.10.10.1 from the dns-nameservers line and save and exit
Now change the DNS forwarder address in the Samba config; replace 10.10.10.30 with your ISP's DNS address or 8.8.8.8
nano /etc/samba/smb.conf
Set the administrator password to never expire; by default the password will expire in 42 days
# NOTE(review): removing expiry from the built-in administrator account is a lab
# convenience that weakens the most privileged account in the domain; pair it
# with a strong password and use a separate, less privileged account for
# day-to-day work.
samba-tool user setexpiry administrator --noexpiry
Now reboot the system for the changes to take effect; you can restart the services instead, but that does not always work, so why not reboot
reboot
Get a Kerberos ticket
# Obtain a Kerberos TGT as administrator; the samba-tool dns commands that
# follow presumably authenticate with this ticket (otherwise pass -U).
kinit administrator
Now set up the reverse zone and add a PTR record for dc1.
# Create the reverse zone for 10.10.10.0/24 on dc1, then add the PTR record
# for .30 -> dc1.devlab.nt. The two commands are joined with ';', so the add is
# attempted even when zonecreate fails (e.g. the zone already exists); if it
# failed for another reason the add fails too, so check both outputs.
samba-tool dns zonecreate dc1 10.10.10.in-addr.arpa; samba-tool dns add dc1 10.10.10.in-addr.arpa 30 PTR dc1.devlab.nt.
Now reboot the system again for the changes to take effect; you can restart the services instead, but that does not always work, so why not reboot
reboot
Now check the DNS setup by running the following commands. There should not be any errors in the output of these commands
# Forward lookup of the domain name itself (expected to answer with the DC).
host -t A devlab.nt
# SRV records that clients use to locate the LDAP and Kerberos services;
# domain joins and logons depend on these.
host -t SRV _ldap._tcp.devlab.nt.
host -t SRV _kerberos._udp.devlab.nt.
# The DC's own A record and the PTR record created in the reverse zone above.
host -t A dc1.devlab.nt.
host -t PTR 10.10.10.30
DON'T PROCEED IF YOU GET ANY ERROR FROM THE OUTPUT OF ABOVE COMMANDS
Check samba domain setting
Now let's create an LDIF file with separate OUs for people, groups, and machines
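# Write an LDIF file that adds three OUs (people, groups, machines) under
# DC=devlab,DC=nt. The here-doc delimiter is quoted so nothing inside it is
# expanded by the shell, and each record is separated by a blank line as the
# LDIF format requires (without the separators a parser treats the listing as
# one record with three dn: lines). The step that loads this file into the
# directory is not shown here.
cat <<'eot' > ou.ldif
dn: OU=people,DC=devlab,DC=nt
changetype: add
objectClass: top
objectClass: organizationalunit
description: People OU

dn: OU=groups,DC=devlab,DC=nt
changetype: add
objectClass: top
objectClass: organizationalunit
description: Groups OU

dn: OU=machines,DC=devlab,DC=nt
changetype: add
objectClass: top
objectClass: organizationalunit
description: Machines OU
eot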
Optionally, make rkhan a domain admin so it can be used for domain joins etc.
# NOTE(review): Domain Admins grants far more than a domain join needs. For
# least privilege, delegate only the join permission to a dedicated account and
# treat this full-admin membership as a lab shortcut.
samba-tool group addmembers 'Domain Admins' rkhan
Finally, change the forwarder DNS in the Samba configuration, otherwise you might not have internet access. I had to change this address to get internet working on dc01 and all member computers.
nano /etc/samba/smb.conf
Change the dns forwarder IP value to a working DNS IP address for your environment, then save and exit.
Now reboot the machine to reflect the changes.
reboot
If you don't see any errors then our reverse zone is working
Now it's time to join the machines; don't forget to change the DNS setting of the machines in question by pointing their DNS to 10.10.10.30
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
# NOTE(review): the DC is named dc1.devlab.nt earlier in this guide (hosts entry
# and the host -t A check); "dc01" here may be a typo — confirm the name
# resolves before relying on it.
uri ldap://dc01.devlab.nt/
# The search base that will be used for all queries.
base cn=users,dc=devlab,dc=nt
# The LDAP protocol version to use.
#ldap_version 3
###################
#Custom AD mappings
###################
#Replace objectSid:... with the domain SID
# Do not return directory users below this UID, so local system accounts are
# never shadowed by directory entries.
nss_min_uid 1000
# Only authorize accounts whose userAccountControl does not have the disabled
# bit (2, ACCOUNTDISABLE) set; 1.2.840.113556.1.4.803 is AD's bitwise-AND
# matching rule.
pam_authz_search (!(userAccountControl:1.2.840.113556.1.4.803:=2))
# Users are AD user objects, excluding computer accounts.
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd uid sAMAccountName
# uidNumber is derived from the RID of the object's SID, relative to the
# domain SID given here (replace with the output of net getlocalsid).
map passwd uidNumber objectSid:S-1-5-21-2180207617-2439552426-3592756590
map passwd gidNumber primaryGroupID
# Fall back to /home/<account> and /bin/bash when the Unix attributes are
# not populated on the AD object.
map passwd homeDirectory "${unixHomeDirectory:-/home/$sAMAccountName}"
map passwd loginShell "${loginShell:-/bin/bash}"
filter shadow (&(objectClass=user)(!(objectClass=computer)))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
map group cn sAMAccountName
# gidNumber derived from the group's RID, same domain SID as above.
map group gidNumber objectSid:S-1-5-21-2180207617-2439552426-3592756590
#=============================
# Authentication #
#=============================
# Simple bind authentication
# NOTE(review): if simple bind is ever enabled, bindpw is a cleartext secret in
# this file — keep it readable only by root and the nslcd user (verify the
# file mode on the host).
#binddn cn=nslcd,cn=users,dc=devlab,dc=nt
#bindpw xxxxx
# Kerberos authentication
sasl_mech GSSAPI
sasl_realm DEVLAB.NT
# Credential cache used for GSSAPI; something not shown here must keep this
# ticket renewed. NOTE(review): /tmp is world-writable, so make sure the cache
# file is owned by nslcd with restrictive permissions.
krb5_ccname /tmp/nslcd.tkt
Get your domain SID and copy it
# Print the domain SID; paste it into the objectSid: mappings in
# /etc/nslcd.conf (the SID shown in the listing above is only an example).
net getlocalsid devlab
Now edit the nslcd configuration file and replace the existing SID with your domain SID
nano /etc/nslcd.conf
Last but not least, edit nsswitch.conf
nano /etc/nsswitch.conf
And add the following somewhere in the file; make sure to comment out the old one