Table of Contents
Prerequisites
This guide recommends using Ubuntu 22.04 or later.
The guide will assume some details:
- Server IP:
10.0.0.97 - Kerberos Realm:
MINERSONLINE.LAN - Kerberos server hostname:
ipa.minersonline.lan - Kerberos administrative server hostname:
ipa.minersonline.lan
You may changes these assumptions based on your requirements.
1. Setup hostname
Set the hostname.
sudo hostnamectl set-hostname ipa.minersonline.lanAdd the hostname to hosts file.
sudo nano /etc/hostsAdd the line 10.0.0.97 ipa.minersonline.lan ipa to the top of the file but change 10.0.0.97 to your machine’s IP
Press Control + X then Y to save the file.
2. Install dependencies
sudo apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbindDuring installation you may get asked for your Kerberos Realm, Kerberos server hostname, and Kerberos administrative server hostname.
3. Provision Samba
1. Stop existing Samba services
sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.servicesudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service2. Backup Samba configuration
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial3. Reconfigure Samba
sudo samba-tool domain provision --use-rfc2307 --interactiveYou will get asked for the following information:
- Realm:
MINERSONLINE.LAN. - Domain:
MINERSONLINE. - Server Role:
dc. - DNS backend:
SAMBA_INTERNAL. - DNS forwarder IP address: Your DNS server’s IP (normally your gateway) or Cloudflare (1.1.1.1) or Google (8.8.8.8).
- Administrator password: Enter something secure and rememberable.
4. Make a link to use Samba’s Kerberos configuration
sudo mv /etc/krb5.conf /etc/krb5.conf.initialsudo ln -s /var/lib/samba/private/krb5.conf /etc/4. Start Samba
sudo samba2. Configure local DNS
DNS is used so external services can locate the domain controller and query the services located on it. This will allow clients to connect to the domain controller easily.
1. Install resolvconf
sudo apt install resolvconfsudo systemctl enable --now resolvconf.service2. Configure resolvconf
sudo nano /etc/resolvconf/resolv.conf.d/headAdd nameserver 127.0.01 at the bottom. Press Control + X then Y to save the file.
We use 127.0.0.1 because Samba is acting as the DNS server and they are forwarding external DNS requests to outside world.
3. Delete conflicting DNS records
Doing the command:
samba-tool dns query 10.0.0.97 minersonline.lan minersonline.lan Awill allow you to check if you have conflicting DNS records. If the IPs 172.17.0.1, 172.19.0.1, and 172.18.0.1 appear above the server’s ipa 10.0.0.97. These conflicting records will confuse clients because they will try to connect to themselves instead of the domain controller.
samba-tool dns delete 10.0.0.97 minersonline.lan minersonline.lan A 172.17.0.1samba-tool dns delete 10.0.0.97 minersonline.lan minersonline.lan A 172.19.0.1samba-tool dns delete 10.0.0.97 minersonline.lan minersonline.lan A 172.18.0.1
samba-tool dns delete 10.0.0.97 minersonline.lan ipa.minersonline.lan A 172.17.0.1samba-tool dns delete 10.0.0.97 minersonline.lan ipa.minersonline.lan A 172.19.0.1samba-tool dns delete 10.0.0.97 minersonline.lan ipa.minersonline.lan A 172.18.0.14. Running Samba on startup
Running Samba on system startup is a good idea if you want clients to be allowed to connect automatically. To do this run the following command:
sudo update-rc.d smbd defaults5. Testing / verification
1. Verify DNS is working
host -t SRV _kerberos._udp.minersonline.lanYou should get a message like:
_kerberos._udp.minersonline.lan has SRV record 0 100 88 ipa.minersonline.lan.2. Test Kerberos
kinit administrator@MINERSONLINE.LANYou will get asked for the password you set earlier. If successful, you may get a response like Warning: Your password will expire in 41 days on Fri 26 Jan 2024 12:30:09 GMT.
The klist command will show you a list of your Kerberos tickets you made with kinit.
