Install AD on Raspberry Pi
This is the log from installing a Raspberry Pi as a Primary Domain Controller. The existing environment is a home network, where a fritz.box acts as the DNS and DHCP server.
When the Pi is started out of the box it uses DHCP. The DHCP server on the Fritzbox was configured to “always assign the same IP to this client”. So the IP is reserved for the Pi and can be configured as a static address on the Pi.
Although it might be uncool, I ran all this as root:
sudo su
Prepare installation
For compiling and for operating a DC there is no need for “high performance” graphics. Each free byte of memory speeds up the compilation. So change the memory split to give only 32 MB to graphics, using
raspi-config
Update to the latest packages
aptitude update && aptitude safe-upgrade
Download missing tools
I installed the following packages and tools. I needed multiple runs to find them. After that I found that the Samba installation has a list under “OS requirements” (http://wiki.samba.org/index.php/Samba_4/OS_Requirements)
apt-get install git-core
apt-get install python-dev
apt-get install libacl1-dev libblkid-dev
apt-get install libgnutls28-dev
apt-get install build-essential libacl1-dev libattr1-dev \
    libblkid-dev libgnutls-dev libreadline-dev python-dev \
    python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
    dnsutils libbsd-dev attr krb5-user docbook-xsl
The sources were installed under the pi user’s home dir. There a subdirectory “samba-master” is created, as suggested in the installation walkthrough ( http://wiki.samba.org/index.php/Samba_4/OS_Requirements)
cd /home/pi/
mkdir samba-master
Clone the source code with git into samba-master
git clone git://git.samba.org/samba.git samba-master
cd samba-master
Build the configuration with debugging enabled. The selftest parameter is also useful to check for bigger issues
./configure --enable-debug --enable-selftest
make
make install
After make install is done, run the setup. It is important that the password is complex enough. It should suffice to have an uppercase character, a special character like $ or # and a number. The internal DNS of Samba is okay. The DNS forwarder is set to the Fritzbox, because it handles all DNS requests that are not for the realm (here myad.at.home). The realm is the fully qualified DNS name of the AD domain. It is intended that it is not a subdomain of fritz.box. Although it should be possible for the domain name to differ from the first part of the realm name, it is a good idea to keep them the same. Choose a name less than 15 characters long.
/usr/local/samba/bin/samba-tool domain provision
Realm: myad.at.home
Domain [myad]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [10.188.173.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=myad,DC=at,DC=home
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=myad,DC=at,DC=home
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              raspberrypi
NetBIOS Domain:        MYAD
DNS Domain:            myad.at.home
DOMAIN SID:            S-1-5-21-1141686708-2355780491-2416577776
There is no script for starting Samba, but one can be downloaded. Create the init script:
wget http://anonscm.debian.org/loggerhead/pkg-samba/samba4/unstable/download/head:/1833%40fc4039ab-9d04-0410-8cac-899223bdd6b0:trunk%252Fsamba4:debian%252Fsamba4.init/samba4.init -O /etc/init.d/samba4
Make it executable and include it in the normal init sequence:
chmod 755 /etc/init.d/samba4
update-rc.d samba4 defaults
Set the nameservers to look first at the local system and then at the Fritzbox, just in case Samba’s DNS server is not running. The “search” entry defines which domain suffixes are appended to a client name for DNS lookups. This helps when you only use hostnames instead of fully qualified names. “fritz.box” is added to the search list to help find all the other machines in the local net that are not part of the AD domain.
Edit /etc/resolv.conf:
domain myad.at.home
search myad.at.home fritz.box
# the Pi's own IP (Samba's internal DNS)
nameserver 10.199.173.100
# the old router aka fritz.box
nameserver 10.199.173.1
Set the NIC to a fixed IP
Edit /etc/network/interfaces to use a fixed IP:
auto lo
iface lo inet loopback

iface eth0 inet static
    address 10.199.173.100
    netmask 255.255.255.0
    network 10.199.173.0
    broadcast 10.199.173.255
    gateway 10.199.173.1

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
Reboot
Add the Samba executable directories to the user’s and root’s PATH variable
For root, edit root’s ~/.bashrc for example.
For users, edit /etc/profile.defs
Test the Samba version (client)
smbclient --version
Version 4.1.0pre1-GIT-bcacd8f
Server
samba -V
Start Samba so that it writes everything to stdout:
/usr/local/samba/sbin/samba -i -M single &
[1] 2618
root@raspberrypi:/home/pi# samba version 4.1.0pre1-GIT-bcacd8f started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
samba: using 'single' process model
../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
../source4/dsdb/dns/dns_update.c:323: Failed SPN update - NT_STATUS_IO_TIMEOUT
The errors can be ignored because the configuration is not complete yet. Check the shares that have to be provided by every domain controller:
/usr/local/samba/bin/smbclient -L localhost -U%
Domain=[MYAD] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-bcacd8f]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-bcacd8f)
Domain=[MYAD] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-bcacd8f]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
Test the account; replace the password with the one you set:
smbclient //localhost/netlogon -UAdministrator%'p4$$word' -c 'ls'
Domain=[MYAD] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-bcacd8f]
  .                                   D        0  Wed Jan  2 10:22:54 2013
  ..                                  D        0  Wed Jan  2 10:42:24 2013

		57691 blocks of size 65536. 15088 blocks available
Check the DNS entries / DNS config. Run the host commands; you should get similar results:
host -t SRV _ldap._tcp.myad.at.home
_ldap._tcp.myad.at.home has SRV record 0 100 389 raspberrypi.myad.at.home.
host -t SRV _ldap._tcp.myad.at.home.
_ldap._tcp.myad.at.home has SRV record 0 100 389 raspberrypi.myad.at.home.
host -t SRV _kerberos._udp.myad.at.home.
_kerberos._udp.myad.at.home has SRV record 0 100 88 raspberrypi.myad.at.home.
host -t A raspberrypi.myad.at.home.
raspberrypi.myad.at.home has address 10.199.173.100
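A small check script, added here and not part of the original post, that enforces the naming rules stated at the provision step (the realm is a fully qualified DNS name, the domain is its first label and at most 15 characters) and verifies the SRV and A records queried above. It assumes the realm myad.at.home, the host raspberrypi and the IP 10.199.173.100 from this walkthrough, and parses the `host` answer lines in the format quoted above.

```shell
#!/bin/sh
# Post-provision sanity checks for a Samba AD DC (added example, not from the original post).
# Assumed values, taken from the walkthrough; override them via the environment.
REALM="${REALM:-myad.at.home}"
DC_HOST="${DC_HOST:-raspberrypi}"
DC_IP="${DC_IP:-10.199.173.100}"
set -f   # no globbing: we word-split untrusted resolver output below

# Naming rules from the provision step: the realm is a fully qualified DNS name,
# the domain (NetBIOS name) equals its first label and is at most 15 characters.
check_names() {
    realm="$1"; domain="$2"
    case "$realm" in
        *.*) ;;
        *) echo "realm '$realm' must be a fully qualified DNS name" >&2; return 1 ;;
    esac
    first=$(printf '%s' "${realm%%.*}" | tr 'A-Z' 'a-z')
    lower=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
    if [ "$lower" != "$first" ]; then
        echo "domain '$domain' should match the first realm label '$first'" >&2; return 1
    fi
    if [ "${#domain}" -gt 15 ]; then
        echo "domain '$domain' is longer than 15 characters" >&2; return 1
    fi
    return 0
}

# Parse one 'host -t SRV' answer line of the form
#   _ldap._tcp.<realm> has SRV record <prio> <weight> <port> <target>.
# and confirm it points at the DC on the expected port.
check_srv_line() {
    line="$1"; port="$2"; target="$3"
    set -- $line
    [ "$2" = "has" ] && [ "$3" = "SRV" ] && [ "$4" = "record" ] || return 1
    [ "$7" = "$port" ] && [ "$8" = "$target" ]
}

# Live checks against the local resolver (needs 'host' from dnsutils and a running samba).
verify_dc() {
    check_names "$REALM" "${REALM%%.*}" || return 1
    check_srv_line "$(host -t SRV "_ldap._tcp.$REALM" | tail -n 1)" 389 "$DC_HOST.$REALM." || return 1
    check_srv_line "$(host -t SRV "_kerberos._udp.$REALM" | tail -n 1)" 88 "$DC_HOST.$REALM." || return 1
    host -t A "$DC_HOST.$REALM" | grep -q "has address $DC_IP"
}

# Run the live checks only when asked: sh check_dc.sh --live
case "${1:-}" in --live) verify_dc ;; esac
```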
Create the Kerberos configuration by copying it from the template in the Samba directory:
cd /etc
cp /usr/local/samba/share/setup/krb5.conf .
Then edit the file and replace ${REALM} with the value you chose for the --realm parameter of the provision command above. The realm must be in uppercase letters:
[libdefaults]
    default_realm = MYAD.AT.HOME
    dns_lookup_realm = false
    dns_lookup_kdc = true
Check Kerberos: get a ticket with kinit and display it with klist. Use the realm name in upper case after the @.
kinit administrator@MYAD.AT.HOME
Password for administrator@MYAD.AT.HOME:
Warning: Your password will expire in 41 days on Thu Feb 14 10:56:46 2013
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYAD.AT.HOME

Valid starting     Expires            Service principal
03/01/13 11:33:40  03/01/13 21:33:40  krbtgt/MYAD.AT.HOME@MYAD.AT.HOME
	renew until 04/01/13 11:33:23
Now you can go to a Windows system and join the domain:
Update:
A well done instruction can be found here: http://linux-on-a-server.com/samba-4-active-directory-my-first-successfully-test/ . It uses a samba4 installation via apt-get and includes hints on how to use bind9 as the DNS server.