Purple Technician

ActiveDirectory Domain Controller with Samba4 on Raspberry Pi

Welcome to this tutorial on how to install Samba with AD functionality on a Raspberry Pi.

First follow steps 1-3 of my tutorial LAMP with Raspberry Pi.

Log in as root so you don't have to use sudo.

Step 1 - Network configuration

Either configure a static address on your Pi by editing

/etc/network/interfaces

with (for example):

auto eth0
iface eth0 inet static
        address 192.168.0.200
        netmask 255.255.255.0
        gateway 192.168.0.1
        dns-nameserver 192.168.0.200
        dns-search mydomain.com

Or set up your router to always assign the same IP address to your Pi.


Step 2 - Install prerequisites

I installed the following packages and tools; the Samba installation guide has a list under "OS requirements" (http://wiki.samba.org/index.php/Samba_4/OS_Requirements):

apt-get install git-core python-dev libacl1-dev libblkid-dev
apt-get install build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev attr krb5-user docbook-xsl

I use the following settings:

  • Kerberos and samba realm: AD.MYDOMAIN.COM
  • Kerberos hostname: PISERVER
  • Password server: PISERVER
  • NetBIOS name (hostname): PISERVER
  • Domain: AD


Step 3 - Install Samba4

cd /home/pi/
mkdir samba-master
git clone git://git.samba.org/samba.git samba-master
cd samba-master

Configure and build Samba4; this will take some time.

./configure --enable-debug --enable-selftest
make
make install

Update your $PATH variable:

nano /etc/profile

add

PATH=$PATH:/usr/local/samba/bin/:/usr/local/samba/sbin

before "export PATH".

Reload the profile:

source /etc/profile

Test the client and server installation:

samba -V
smbclient -V

Start provisioning. Remember to use the same realm/domain as above, and use a complex password when asked for the administrator password.

samba-tool domain provision --use-rfc2307 --interactive --host-name=PISERVER

There is no init script for starting Samba, but one can be downloaded. Create the init script:

wget "http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=blob_plain;f=debian/samba.samba-ad-dc.init;h=3132d2e367675f822342a5b7bc2e50c046aa3b8f;hb=HEAD" -O /etc/init.d/samba4

You have to edit the file

nano /etc/init.d/samba4

and change all references to /usr/sbin/samba into /usr/local/samba/sbin/samba (three places). You can also change the usage text "..... samba-ad-dc....." to "..... samba4....." to reflect the name of the file.

Make it executable and include it in the normal init sequence:

chmod 755 /etc/init.d/samba4
update-rc.d samba4 defaults

Edit /etc/resolv.conf

nano /etc/resolv.conf

so that it contains:

domain ad.mydomain.com
search ad.mydomain.com
nameserver 192.168.0.200   # <--- this is the Pi's own IP
nameserver 192.168.0.1     # <-- this is the router
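Two checks for the files hand-edited in this step, written as an added POSIX sh example that is not part of the original tutorial. The file names, the DC address 192.168.0.200 and the realm AD.MYDOMAIN.COM are the tutorial's values; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity checks for the two
# files hand-edited in Step 3. Both functions take file paths so they can be
# run against copies; on the Pi, run them against the real files.

# check_init_script INIT_FILE
# Fails if any reference to the distro binary /usr/sbin/samba is left, or if
# the script never points at the self-built /usr/local/samba/sbin/samba.
check_init_script() {
    init="$1"
    [ -r "$init" ] || { echo "$init: not readable" >&2; return 1; }
    old=$(grep -c '/usr/sbin/samba' "$init" || true)
    new=$(grep -c '/usr/local/samba/sbin/samba' "$init" || true)
    if [ "$old" -ne 0 ]; then
        echo "$init: still references /usr/sbin/samba ($old times)" >&2
        return 1
    fi
    if [ "$new" -lt 1 ]; then
        echo "$init: no reference to /usr/local/samba/sbin/samba" >&2
        return 1
    fi
}

# check_resolv RESOLV_FILE DC_IP REALM
# The DC must resolve its own SRV records through the Samba DNS server, so
# the first nameserver has to be the DC's address, and the domain/search
# entry must be the realm (compared in lower case); comments are ignored.
check_resolv() {
    resolv="$1"; dc_ip="$2"; realm=$(echo "$3" | tr 'A-Z' 'a-z')
    [ -r "$resolv" ] || { echo "$resolv: not readable" >&2; return 1; }
    first_ns=$(grep -v '^#' "$resolv" | awk '$1 == "nameserver" { print $2; exit }')
    if [ "$first_ns" != "$dc_ip" ]; then
        echo "$resolv: first nameserver is '$first_ns', expected DC address $dc_ip" >&2
        return 1
    fi
    if ! grep -v '^#' "$resolv" | awk -v d="$realm" \
        '($1 == "domain" || $1 == "search") && $2 == d { found = 1 } END { exit !found }'; then
        echo "$resolv: no domain/search line for $realm" >&2
        return 1
    fi
}

# With the argument "check", run both against the live files from the tutorial.
if [ "${1:-}" = "check" ]; then
    check_init_script /etc/init.d/samba4 &&
        check_resolv /etc/resolv.conf 192.168.0.200 AD.MYDOMAIN.COM &&
        echo "Step 3 configuration looks consistent"
fi
```

Run it as `sh check-step3.sh check` on the Pi; each function prints the first problem it finds to stderr and returns non-zero.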


Step 4 - Testing Your Samba Domain Controller

Start samba

service samba4 start

Test the Samba server:

smbclient -L localhost -U%
smbclient //localhost/netlogon -UAdministrator -c 'ls'

Use the Administrator password you set during provisioning.

From now on you can connect to your AD.

I'm using the Windows client LDAP Admin to connect. In this case use the following settings:

  • Host: 192.168.0.200
  • Base: dc=ad,dc=mydomain,dc=com
  • Account/Username: cn=Administrator,cn=users,dc=ad,dc=mydomain,dc=com

You can also use LDAPExplorerTool 2. In this case use the following settings:

  • Server/Server name or IP: 192.168.0.200
  • Connection/User DN: cn=Administrator,cn=users,dc=ad,dc=mydomain,dc=com
  • Connection/Base DN: dc=ad,dc=mydomain,dc=com


Step 5 - Kerberos

Create the Kerberos configuration by copying the template from the Samba directory:

cd /etc
cp /usr/local/samba/share/setup/krb5.conf .

Then edit the file

nano krb5.conf

and replace ${REALM} with your realm name. The realm must be in uppercase letters:

[libdefaults]
default_realm = AD.MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Check Kerberos: get a ticket with kinit and display it. Use the realm name in upper case after the @.

kinit administrator@AD.MYDOMAIN.COM
klist


Step 6 - Add users and join domain

Add a Samba user (in this case named user), and remember to use a complex password:

smbpasswd -a user

And test the user:

smbclient //localhost/netlogon -Uuser -c 'ls'

You can list the existing Samba users:

pdbedit -L
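A local pre-check for the complex passwords that both samba-tool domain provision (Step 3) and smbpasswd -a above require, added here as an example and not part of the original tutorial. It assumes Samba's default policy as reported by samba-tool domain passwordsettings show on a freshly provisioned domain (minimum length 7, complexity on, i.e. three of the four character classes); the function name is my own.

```shell
#!/bin/sh
# Added example, not from the tutorial: checks a candidate password against
# the defaults of a freshly provisioned Samba AD domain before you type it
# into samba-tool domain provision or smbpasswd -a. The candidate is read from
# stdin so it never appears in the process list or the shell history.

# password_ok < candidate  -> returns 0 when the policy is satisfied
password_ok() {
    IFS= read -r pw
    classes=0
    if [ "${#pw}" -lt 7 ]; then
        echo "rejected: shorter than 7 characters" >&2
        return 1
    fi
    # count the character classes present: upper, lower, digit, other
    case "$pw" in *[[:upper:]]*) classes=$((classes + 1));; esac
    case "$pw" in *[[:lower:]]*) classes=$((classes + 1));; esac
    case "$pw" in *[[:digit:]]*) classes=$((classes + 1));; esac
    case "$pw" in *[![:alnum:]]*) classes=$((classes + 1));; esac
    if [ "$classes" -lt 3 ]; then
        echo "rejected: only $classes of 4 character classes (upper, lower, digit, other)" >&2
        return 1
    fi
    return 0
}

# Interactive use: prompt without echo, e.g.  sh pwcheck.sh
if [ -t 0 ]; then
    printf 'Candidate password: '
    stty -echo; password_ok; rc=$?; stty echo; echo
    [ "$rc" -eq 0 ] && echo "meets the default Samba policy"
fi
```

The check is local and only mirrors the default policy; the domain's real settings are what `samba-tool domain passwordsettings show` prints, so adjust the thresholds if you have changed them.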

Now go to a Windows system and join the domain, either from the command line or the GUI:

1. Go to Start and enter cmd

In the command window:

netdom join %computername% /Domain:MYDOMAIN /UserD:Administrator /PasswordD:YOURADMINPASSWORD

2. Right-click Computer and choose Properties. Under "Computer name, domain, and workgroup settings" choose Change settings. Next, next and next. Enter Administrator, your password and Mydomain in the fields. Choose not to add an account.

If you are having problems logging into your domain, check the name of your local account before restarting, using either:

1. The net users command

2. Control Panel/User Accounts/User Accounts


You have to restart the Windows client to be able to join.


Optional Step 7 - Install PhpLDAPAdmin (Problem retrieving DN)

apt-get install php5-fpm php5-cli php5-ldap php-apc phpldapadmin nginx

Now we need to crack open /etc/phpldapadmin/config.php and change a couple of lines so that it matches the domain we just set up.

nano /etc/phpldapadmin/config.php

We need to look for the following lines and modify them slightly.

//Original line
$servers->setValue('server','base',array('dc=example,dc=com'));
//Change to this domain so it matches yours, like below
$servers->setValue('server','base',array('dc=ad,dc=mydomain,dc=com'));

//Original line
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
//Change the line so it matches your LDAP admin user, my example below
$servers->setValue('login','bind_id','cn=Administrator,cn=users,dc=ad,dc=mydomain,dc=com');

First, disable the default Nginx virtual host configuration:

sudo unlink /etc/nginx/sites-enabled/default

Next, create a new file at /etc/nginx/sites-available/phpldapadmin

nano /etc/nginx/sites-available/phpldapadmin

and put the following in it:

server {

        root /usr/share/phpldapadmin/htdocs;
        index index.php index.html;

        server_name localhost;

        location ~ \.php$ {
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }
}

Save and exit

sudo ln -s /etc/nginx/sites-available/phpldapadmin /etc/nginx/sites-enabled/phpldapadmin
sudo service nginx restart

I had to kill an already running apache2 with

sudo fuser -k 80/tcp

before the Nginx could start.

Now point your browser to the server's IP and you should be presented with the login screen.


Optional Step 8 - Install Webmin

apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
nano /etc/apt/sources.list

Add these lines to the end of the file

deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

Save and exit

cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc 
apt-get update
apt-get install webmin

Open a web browser and point it to your Pi's IP address on port 10000 (in my case 192.168.0.200:10000).

Optional Step 9 - Create share

In /home, create a directory that the user will be able to access, and a test file:

mkdir /home/share
sh -c 'echo "Hello World" > /home/share/hello.txt'

I had trouble with chown, so I had to look up the UID:GID and use that instead of chown user:"domain users":

wbinfo -i user
chown 3000018:100 /home/share 

If you are having trouble with the chown command, check the existing users and groups with (this may return all users and groups):

wbinfo -u
wbinfo -g

Then let's open /usr/local/samba/etc/smb.conf with

nano /usr/local/samba/etc/smb.conf

and add the following lines to the end. This will set up the share.

[SHARE]
        path = /home/share
        browseable = yes
        valid users = user

Then restart Samba:

service samba4 restart

You could also create this share in webmin.

If you are uncertain of the NetBIOS name of your server, run this command and compare the result with your server's IP address:

nmblookup -S __SAMBA__

After that you should be able to navigate to \\PISERVER\share, enter AD\user with the password, and see the hello.txt file we created.

Or you could map a network drive using the command line in Windows:

net use X: \\PISERVER\SHARE /user:AD\user <userPassWord> /persistent:yes
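An added example (not from the original tutorial) that parses the [SHARE] stanza above out of smb.conf and checks that the share is restricted to named accounts and that its directory is not world-writable. The smb.conf path is the tutorial's; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: checks the [SHARE] stanza
# that Step 9 appends to smb.conf. share_param is a small parser for the
# ini-style file (sections in brackets, "key = value", # or ; comments);
# check_share refuses shares that need no account or whose directory is
# world-writable. Both take the smb.conf path and the section name.

# share_param CONF SECTION PARAM -> prints the value, or nothing if unset
share_param() {
    awk -v sec="$2" -v key="$3" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { cur = trim($0); cur = tolower(substr(cur, 2, length(cur) - 2)); next }
        cur == tolower(sec) && index($0, "=") {
            k = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            if (k == tolower(key)) { print trim(substr($0, index($0, "=") + 1)); exit }
        }' "$1"
}

# check_share CONF SECTION -> 0 when the share is restricted to named accounts
check_share() {
    conf="$1"; sec="$2"
    path=$(share_param "$conf" "$sec" path)
    users=$(share_param "$conf" "$sec" "valid users")
    guest=$(share_param "$conf" "$sec" "guest ok" | tr 'A-Z' 'a-z')
    [ -n "$path" ] || { echo "[$sec]: no path set" >&2; return 1; }
    [ -d "$path" ] || { echo "[$sec]: $path is not a directory" >&2; return 1; }
    [ -n "$users" ] || { echo "[$sec]: no 'valid users', any domain account could connect" >&2; return 1; }
    case "$guest" in
        yes|true|1) echo "[$sec]: 'guest ok = $guest' allows access without a password" >&2; return 1;;
    esac
    # POSIX find: -perm -0002 matches when the "other" write bit is set
    if [ -n "$(find "$path" -prune -perm -0002)" ]; then
        echo "[$sec]: $path is world-writable" >&2; return 1
    fi
    return 0
}

# With "check", validate the share from the tutorial in place:
if [ "${1:-}" = "check" ]; then
    check_share /usr/local/samba/etc/smb.conf SHARE && echo "[SHARE] looks sane"
fi
```

Samba's own testparm validates syntax; this check is about who can reach the share, which testparm does not judge.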

Optional Step 10 - Unjoin domain

If you have to remove the Windows 7 client from the domain, issue:

netdom remove %computername% /Domain:MYDOMAIN /UserD:Administrator /PasswordD:YOURADMINPASSWORD /force