This document is free text: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version.
This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see
Windows workstations can connect to the domain
Groups and Users:
All:
File server shares (share, owner, access):
//filesrv/Xmrk01 mrk01 RW
//filesrv/Xmrk02 mrk02 RW
//filesrv/Xmrk03 mrk03 RW
//filesrv/XMrk Marketing RW
//filesrv/XMrkPub Marketing RW, All R
//filesrv/Xsls01 sls01 RW
//filesrv/Xsls02 sls02 RW
//filesrv/Xsls03 sls03 RW
//filesrv/XSls Sales RW
//filesrv/XSlsPub Sales RW, All R
//filesrv/Xprd01 prd01 RW
//filesrv/Xprd02 prd02 RW
//filesrv/Xprd03 prd03 RW
//filesrv/XPrd Production RW
//filesrv/XPrdPub Production RW, All R
//filesrv/Xit01 it01 RW
//filesrv/Xit02 it02 RW
//filesrv/Xit03 it03 RW
//filesrv/Xsupport support RW
//filesrv/XIT IT RW
//filesrv/XITPub IT RW, All R
//filesrv/XSys SysAdmin RW
//filesrv/XSysPub SysAdmin RW, All R
//filesrv/XAll ALL RW
In my tests I used distros uniformly, that is, all servers were Debian 11, Debian 12, Ubuntu 20.04, or Ubuntu 22.04. I believe the setup would work with mixed distros too, but I haven't tested it.
There are some important matters to consider; not complying with them can cause problems.
The Realm is in domain-name format and the Domain Name is a single word (actually the NetBIOS name of your domain).
If your company's internet domain name is example.com, then you can choose your Realm and Domain Name as follows:
Realm : EXAMPLE.COM
Domain Name : EXAMPLE
Whenever you use them, they must be UPPERCASE. Don't ask me why, that is something about Micros*ft's bad design.
Domain Controllers and Domain Members should have static IP addresses.
There might be some ways to use DHCP, but I don't know how, and actually I don't see any reason to use DHCP for Domain Controllers.
The hostname must be in the format name.example.com (lowercase this time). Due to an incompatibility between Samba and Debian/Ubuntu (actually all Debian-based Linuxes), you have to remove the line starting with 127.0.1.1 (not 127.0.0.1) from your /etc/hosts file and add the IP and hostname (short and long forms) to /etc/hosts as below.
127.0.0.1 localhost
192.168.1.216 srv1.x386.org srv1
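As an added example (not part of the original guide), the following shell function applies the /etc/hosts change just described to a file: it drops the 127.0.1.1 line, removes any stale entry for the host, and puts the "IP FQDN short" line right after the localhost line; hosts_lookup then shows which IP the file maps a name to. The function names are my own; try it on a copy of /etc/hosts first, then on the real file with sudo.

```shell
#!/bin/sh
# fix_hosts FILE IP FQDN: edit an /etc/hosts-style file in place so that the
# Debian 127.0.1.1 entry is gone and FILE maps FQDN and its short name to IP.
# Re-running it is harmless: the old entry for this host is replaced, not duplicated.
fix_hosts() {
  file=$1 ip=$2 fqdn=$3
  short=${fqdn%%.*}                       # srv1.x386.org -> srv1
  tmp=$(mktemp) || return 1
  awk -v fq="$fqdn" -v sh="$short" -v entry="$ip $fqdn $short" '
    $1 == "127.0.1.1" { next }            # the line Samba trips over
    { for (i = 2; i <= NF; i++) if ($i == fq || $i == sh) next }   # stale entry
    { print }
    $1 == "127.0.0.1" && !done { print entry; done = 1 }           # right after localhost
    END { if (!done) print entry }        # no localhost line: append instead
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$file" && rm -f "$tmp"    # cat keeps the original file's mode/owner
}

# hosts_lookup FILE NAME: the IP FILE resolves NAME to (empty if none)
hosts_lookup() {
  awk -v n="$2" '{ for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}
```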
You should have at least 2 DCs (Domain Controllers); you can use 1 Windows and 1 Linux to benefit from Microsoft's AD management programs.
But actually it is not necessary.
I'd advise installing all DCs as Linux and using any Windows workstation to manage AD. You can install the RSAT Management Tools on a Windows workstation and use the AD manager programs (including DNS and WINS server) from there.
Remember to replace all occurrences of X386, x386, X386.ORG, and x386.org with your own values, preserving case.
Domain Name: X386
Realm: X386.ORG
Hostname: srv1.x386.org
IP: 192.168.1.216
Set hostname as fully qualified (if you haven't done it before)
sudo hostnamectl set-hostname srv1.x386.org
Update /etc/hosts file
sudo nano /etc/hosts
Change the start of the file as below:
127.0.0.1 localhost
192.168.1.216 srv1.x386.org srv1
sudo apt update
sudo apt -y install samba krb5-config winbind smbclient
Answers to parameter questions:
Back up the original samba configuration
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.original
Run provision tool to create the Domain
sudo samba-tool domain provision
Answers to parameter questions:
sudo cp /var/lib/samba/private/krb5.conf /etc/
sudo systemctl stop smbd nmbd winbind systemd-resolved
sudo systemctl disable smbd nmbd winbind systemd-resolved
sudo systemctl unmask samba-ad-dc
Debian 12 gives the following error; ignore it:
Failed to stop systemd-resolved.service: Unit systemd-resolved.service not loaded.
sudo rm /etc/resolv.conf
sudo nano /etc/resolv.conf
Fill as below
domain x386.org
nameserver 127.0.0.1
sudo systemctl start samba-ad-dc
sudo systemctl enable samba-ad-dc
Check domain level
sudo samba-tool domain level show
Create a domain user named exforge
sudo samba-tool user create exforge
Domain Name: X386
Realm: X386.ORG
Hostname: srv2.x386.org
IP: 192.168.1.217
Org. DC Hostname: srv1.x386.org
Org. DC IP: 192.168.1.216
Set hostname as fully qualified (if you haven't done it before)
sudo hostnamectl set-hostname srv2.x386.org
Update /etc/hosts file
sudo nano /etc/hosts
Change the start of the file as below:
127.0.0.1 localhost
192.168.1.217 srv2.x386.org srv2
sudo apt update
sudo apt -y install krb5-user
Accept the defaults for all the questions by pressing Enter
sudo nano /etc/krb5.conf
Change the beginning of the file as below
[libdefaults]
default_realm = X386.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
This step is not necessary for Debian 12
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo rm /etc/resolv.conf
sudo nano /etc/resolv.conf
Add the following lines
domain x386.org
nameserver 192.168.1.216
You will be asked for the Domain Admin password (the one entered at 1.2.)
sudo kinit administrator
Check Kerberos ticket
sudo klist
Add necessary packages
sudo apt -y install samba winbind smbclient
Rename the default samba config out of the way; the join creates a new one
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.org
sudo samba-tool domain join X386.ORG DC -U "X386\administrator" \
--dns-backend=SAMBA_INTERNAL
sudo systemctl stop smbd nmbd winbind
sudo systemctl disable smbd nmbd winbind
sudo systemctl unmask samba-ad-dc
sudo systemctl start samba-ad-dc
sudo systemctl enable samba-ad-dc
Verify authentication to localhost
sudo smbclient //127.0.0.1/netlogon -U Administrator -c 'ls'
Verify replication status with AD
sudo samba-tool drs showrepl
The following warning is not important; you can ignore it:
Warning: No NC replicated for Connection!
You can run these on any DC
sudo samba-tool user --help
sudo samba-tool user list
Display DN info instead of user names
sudo samba-tool user list --full-dn
sudo samba-tool user create ubuntu
Force a password change at next login
sudo samba-tool user create ubuntu2 --must-change-at-next-login
sudo samba-tool user delete ubuntu2
sudo samba-tool user setpassword ubuntu
The account will be disabled when it expires
sudo samba-tool user setexpiry ubuntu --days=7
Remove expiration
sudo samba-tool user setexpiry --noexpiry ubuntu
sudo samba-tool user disable ubuntu
sudo samba-tool user enable ubuntu
sudo samba-tool user show ubuntu
sudo samba-tool user edit ubuntu
This opens the object's attributes in an editor; be careful what you change.
sudo samba-tool group --help
sudo samba-tool group list
sudo samba-tool group listmembers "Domain Users"
sudo samba-tool group add TestUsers
sudo samba-tool group delete TestUsers
sudo samba-tool group addmembers TestUsers ubuntu
sudo samba-tool group removemembers TestUsers ubuntu
sudo samba-tool group show TestUsers
sudo samba-tool group edit TestUsers
sudo samba-tool computer --help
sudo samba-tool computer list
sudo samba-tool computer show srv1
sudo samba-tool computer edit srv1
sudo samba-tool dbcheck --help
sudo samba-tool delegation --help
sudo samba-tool dns --help
sudo samba-tool domain --help
sudo samba-tool drs --help
sudo samba-tool forest --help
sudo samba-tool fsmo --help
sudo samba-tool gpo --help
sudo samba-tool ou --help
sudo samba-tool schema --help
sudo samba-tool sites --help
sudo samba-tool time --help
Create all users with Password1 as the default password; users will have to change it at their first logon.
sudo samba-tool user add mrk01 Password1 --given-name=Mrk --surname=01 \
--must-change-at-next-login
sudo samba-tool user add mrk02 Password1 --given-name=Mrk --surname=02 \
--must-change-at-next-login
sudo samba-tool user add mrk03 Password1 --given-name=Mrk --surname=03 \
--must-change-at-next-login
sudo samba-tool user add sls01 Password1 --given-name=Sls --surname=01 \
--must-change-at-next-login
sudo samba-tool user add sls02 Password1 --given-name=Sls --surname=02 \
--must-change-at-next-login
sudo samba-tool user add sls03 Password1 --given-name=Sls --surname=03 \
--must-change-at-next-login
sudo samba-tool user add prd01 Password1 --given-name=Prd --surname=01 \
--must-change-at-next-login
sudo samba-tool user add prd02 Password1 --given-name=Prd --surname=02 \
--must-change-at-next-login
sudo samba-tool user add prd03 Password1 --given-name=Prd --surname=03 \
--must-change-at-next-login
sudo samba-tool user add it01 Password1 --given-name=IT --surname=01 \
--must-change-at-next-login
sudo samba-tool user add it02 Password1 --given-name=IT --surname=02 \
--must-change-at-next-login
sudo samba-tool user add it03 Password1 --given-name=IT --surname=03 \
--must-change-at-next-login
sudo samba-tool user add support Password1 --given-name=Support --surname=User \
--must-change-at-next-login
sudo samba-tool group add Marketing
sudo samba-tool group add Sales
sudo samba-tool group add Production
sudo samba-tool group add IT
sudo samba-tool group add SysAdmin
sudo samba-tool group add All
sudo samba-tool group addmembers Marketing mrk01,mrk02,mrk03
sudo samba-tool group addmembers Sales sls01,sls02,sls03
sudo samba-tool group addmembers Production prd01,prd02,prd03
sudo samba-tool group addmembers IT it01,it02,it03,support
sudo samba-tool group addmembers SysAdmin support
sudo samba-tool group addmembers All Marketing,Sales,Production,IT,SysAdmin
Set hostname as fully qualified (if you haven't done it before)
sudo hostnamectl set-hostname filesrv.x386.org
Update /etc/hosts file
sudo nano /etc/hosts
Change the start of the file as below:
127.0.0.1 localhost
192.168.1.218 filesrv.x386.org filesrv
Remove resolv.conf and create a new one
sudo rm /etc/resolv.conf
sudo nano /etc/resolv.conf
Add the following lines
domain x386.org
nameserver 192.168.1.216
nameserver 192.168.1.217
sudo apt update
sudo apt -y install winbind libpam-winbind libnss-winbind krb5-config \
samba-dsdb-modules samba-vfs-modules
Answers to parameter questions (if asked):
sudo nano /etc/samba/smb.conf
Change/add the following lines under the [global] stanza
workgroup = X386
realm = X386.ORG
security = ads
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config X386 : backend = rid
idmap config X386 : range = 10000-999999
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
sudo nano /etc/pam.d/common-session
Add the following line
session optional pam_mkhomedir.so skel=/etc/skel umask=077
sudo net ads join -U Administrator
Restart winbind
sudo systemctl restart winbind
sudo wbinfo -u
There will be 24 shares (path, owner, access):
/srv/shares/Xmrk01 mrk01 RW
/srv/shares/Xmrk02 mrk02 RW
/srv/shares/Xmrk03 mrk03 RW
/srv/shares/XMrk Marketing RW
/srv/shares/XMrkPub Marketing RW, All R
/srv/shares/Xsls01 sls01 RW
/srv/shares/Xsls02 sls02 RW
/srv/shares/Xsls03 sls03 RW
/srv/shares/XSls Sales RW
/srv/shares/XSlsPub Sales RW, All R
/srv/shares/Xprd01 prd01 RW
/srv/shares/Xprd02 prd02 RW
/srv/shares/Xprd03 prd03 RW
/srv/shares/XPrd Production RW
/srv/shares/XPrdPub Production RW, All R
/srv/shares/Xit01 it01 RW
/srv/shares/Xit02 it02 RW
/srv/shares/Xit03 it03 RW
/srv/shares/Xsupport support RW
/srv/shares/XIT IT RW
/srv/shares/XITPub IT RW, All R
/srv/shares/XSys SysAdmin RW
/srv/shares/XSysPub SysAdmin RW, All R
/srv/shares/XAll ALL RW
Create shared folders:
sudo mkdir -p /srv/shares/Xmrk01
sudo mkdir -p /srv/shares/Xmrk02
sudo mkdir -p /srv/shares/Xmrk03
sudo mkdir -p /srv/shares/XMrk
sudo mkdir -p /srv/shares/XMrkPub
sudo mkdir -p /srv/shares/Xsls01
sudo mkdir -p /srv/shares/Xsls02
sudo mkdir -p /srv/shares/Xsls03
sudo mkdir -p /srv/shares/XSls
sudo mkdir -p /srv/shares/XSlsPub
sudo mkdir -p /srv/shares/Xprd01
sudo mkdir -p /srv/shares/Xprd02
sudo mkdir -p /srv/shares/Xprd03
sudo mkdir -p /srv/shares/XPrd
sudo mkdir -p /srv/shares/XPrdPub
sudo mkdir -p /srv/shares/Xit01
sudo mkdir -p /srv/shares/Xit02
sudo mkdir -p /srv/shares/Xit03
sudo mkdir -p /srv/shares/Xsupport
sudo mkdir -p /srv/shares/XIT
sudo mkdir -p /srv/shares/XITPub
sudo mkdir -p /srv/shares/XSys
sudo mkdir -p /srv/shares/XSysPub
sudo mkdir -p /srv/shares/XAll
Set the filesystem permissions to full; access is going to be restricted by the share definitions. Note that those definitions only control SMB access: with mode 777 any local account on filesrv can also read and write these directories.
sudo chmod -R 777 /srv/shares
sudo apt -y install samba
sudo nano /etc/samba/smb.conf
Add the following lines under the [global] stanza
netbios name = filesrv
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
winbind enum users = yes
winbind enum groups = yes
os level = 20
password server = *
preferred master = no
winbind separator = +
encrypt passwords = yes
dns proxy = no
wins server = 192.168.1.216
wins proxy = no
# The pre-Samba-3.6 range parameters "idmap uid" and "winbind gid" are not accepted
# by Samba 4 and are left out; the ID ranges come from the "idmap config" lines above.
Add the following lines at the end of the file
!!! Remember to change them according to your shares !!!
# Marketing
[Xmrk01]
comment = Xmrk01
path = /srv/shares/Xmrk01
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = mrk01
write list = mrk01
[Xmrk02]
comment = Xmrk02
path = /srv/shares/Xmrk02
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = mrk02
write list = mrk02
[Xmrk03]
comment = Xmrk03
path = /srv/shares/Xmrk03
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = mrk03
write list = mrk03
[XMrk]
comment = XMrk
path = /srv/shares/XMrk
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = @Marketing
write list = @Marketing
[XMrkPub]
comment = XMrkPub
path = /srv/shares/XMrkPub
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = @Marketing, @All
read list = @All
write list = @Marketing
# Sales
[Xsls01]
comment = Xsls01
path = /srv/shares/Xsls01
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = sls01
write list = sls01
[Xsls02]
comment = Xsls02
path = /srv/shares/Xsls02
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = sls02
write list = sls02
[Xsls03]
comment = Xsls03
path = /srv/shares/Xsls03
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = sls03
write list = sls03
[XSls]
comment = XSls
path = /srv/shares/XSls
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = @Sales
write list = @Sales
[XSlsPub]
comment = XSlsPub
path = /srv/shares/XSlsPub
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = @Sales, @All
read list = @All
write list = @Sales
# Production
[Xprd01]
comment = Xprd01
path = /srv/shares/Xprd01
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = prd01
write list = prd01
[Xprd02]
comment = Xprd02
path = /srv/shares/Xprd02
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = prd02
write list = prd02
[Xprd03]
comment = Xprd03
path = /srv/shares/Xprd03
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = prd03
write list = prd03
[XPrd]
comment = XPrd
path = /srv/shares/XPrd
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = @Production
write list = @Production
[XPrdPub]
comment = XPrdPub
path = /srv/shares/XPrdPub
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = @Production, @All
read list = @All
write list = @Production
# IT
[Xit01]
comment = Xit01
path = /srv/shares/Xit01
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = it01
write list = it01
[Xit02]
comment = Xit02
path = /srv/shares/Xit02
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = it02
write list = it02
[Xit03]
comment = Xit03
path = /srv/shares/Xit03
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = it03
write list = it03
[Xsupport]
comment = Xsupport
path = /srv/shares/Xsupport
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = support
write list = support
[XIT]
comment = XIT
path = /srv/shares/XIT
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = @IT
write list = @IT
[XITPub]
comment = XITPub
path = /srv/shares/XITPub
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = @IT, @All
read list = @All
write list = @IT
# All
[XAll]
comment = XAll
path = /srv/shares/XAll
browseable = yes
read only = no
create mask = 770
directory mask = 770
valid users = @All
write list = @All
sudo systemctl restart smbd
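As an added example (not part of the original guide), this script derives the 24 stanzas above and the matching directory list from one spec table, so the mkdir step and smb.conf cannot drift apart. The spec is constructed here to mirror the share table; groups are written with a leading @ as the smb.conf stanzas expect, and BASE=/srv/shares is taken from the guide.

```shell
#!/bin/sh
# Spec table constructed from the share list: NAME OWNER RW[, READONLY_GROUP R]
BASE=/srv/shares
SPEC='Xmrk01 mrk01 RW
Xmrk02 mrk02 RW
Xmrk03 mrk03 RW
XMrk @Marketing RW
XMrkPub @Marketing RW, @All R
Xsls01 sls01 RW
Xsls02 sls02 RW
Xsls03 sls03 RW
XSls @Sales RW
XSlsPub @Sales RW, @All R
Xprd01 prd01 RW
Xprd02 prd02 RW
Xprd03 prd03 RW
XPrd @Production RW
XPrdPub @Production RW, @All R
Xit01 it01 RW
Xit02 it02 RW
Xit03 it03 RW
Xsupport support RW
XIT @IT RW
XITPub @IT RW, @All R
XSys @SysAdmin RW
XSysPub @SysAdmin RW, @All R
XAll @All RW'
# gen_share NAME OWNER [READONLY_GROUP]: one stanza in the same shape as those above
gen_share() {
  printf '[%s]\ncomment = %s\npath = %s/%s\n' "$1" "$1" "$BASE" "$1"
  printf 'browseable = yes\nread only = no\ncreate mask = 770\ndirectory mask = 770\n'
  if [ -n "$3" ]; then   # public share: the owner writes, the extra group only reads
    printf 'valid users = %s, %s\nread list = %s\n' "$2" "$3" "$3"
  else
    printf 'valid users = %s\n' "$2"
  fi
  printf 'write list = %s\n' "$2"
}
# gen_all: every stanza in table order, ready to append to smb.conf
gen_all() {
  printf '%s\n' "$SPEC" | while read -r name owner perm group gperm; do
    gen_share "$name" "$owner" "$group"
  done
}
# share_dirs: the directories to create, e.g.  share_dirs | xargs sudo mkdir -p
share_dirs() { printf '%s\n' "$SPEC" | awk -v b="$BASE" '{ print b "/" $1 }'; }
```

Check the result with `gen_all | sudo tee -a /etc/samba/smb.conf` followed by `testparm -s`, which reports any stanza Samba will not accept.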
Change the Windows computer's DNS setting to the first DC and proceed as usual.
AD (including the DNS server on the DC) can be managed from a Windows workstation after installing the RSAT management tools.
You can connect to the file server from your workstation using the \\filesrv\Xmrk01 notation (and likewise for the other shares).