NOTE:

• Provisioning the domain below will fail if samba is installed inside an unprivileged lxc container. See https://github.com/lxc/lxd/issues/3442
• Make sure that the servers can talk to each other, check firewall rules etc. if setting the directory replication
• If this is a container inside Proxmox make sure to edit DNS options in Proxmox Web gui and not in /etc/resolv.conf because it will get overwritten

apt update && apt -y install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind ldb-tools ldap-utils && apt clean

• Leave default domain as FQDN
• enter hostnames of the servers where Samba will be running e.g. auth1 auth2
• set one of the above servers as administrative

systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service && systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service &&  mv /etc/samba/smb.conf /etc/samba/smb.conf.initial

samba-tool domain provision --use-rfc2307 --interactive

root@server:~# samba-tool domain provision --use-rfc2307 --interactive
Realm [EXAMPLE.COM]: 
 Domain [EXAMPLE]: 
 Server Role (dc, member, standalone) [dc]: 
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: 
 DNS forwarder IP address (write 'none' to disable forwarding) [213.133.98.98]: 8.8.4.4
Administrator password: 
Retype password: 
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              auth1
NetBIOS Domain:        EXAMPLE
DNS Domain:            example.com
DOMAIN SID:            S-1-5-21-3181794916-3194312431-3547220048

mv /etc/krb5.conf /etc/krb5.conf.initial && ln -s /var/lib/samba/private/krb5.conf /etc/

systemctl unmask samba-ad-dc.service && systemctl enable samba-ad-dc.service && systemctl start samba-ad-dc.service

samba-tool domain level show

winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = true
winbind enum groups = true
ldap server require strong auth = no

samba-tool user setexpiry Administrator --noexpiry

samba-tool domain passwordsettings show

samba-tool domain passwordsettings set --complexity=off

samba-tool domain passwordsettings set --history-length=0

samba-tool domain passwordsettings set --min-pwd-age=0

samba-tool domain passwordsettings set --max-pwd-age=0

samba-tool domain passwordsettings set --min-pwd-length=0

  cat example.com.crt > cert.pem
  cat example.com.key > key.pem
  cat intermediate.crt > ca.pem

  systemctl restart samba-ad-dc.service

openssl s_client -connect auth1.example.com:636

samba-tool user create --given-name=<user> --surname=<user> --mail-address=<user@example.com> <user.name>

samba-tool group add Example-Users

samba-tool group addmembers Git-Users <user.name>

See 'samba-tool help' for more commands.

On secondary server install samba like above but don't provision a new domain, instead we will join to an existing one.

On master (auth1) edit /etc/resolve.conf like so:

  root@auth1:~# cat /etc/resolv.conf
  search example.com
  nameserver 10.10.x.174
  nameserver 2a01:xxx:xxx:xxxx:10:10:4:ae

Nameservers are the ips of the master itself. On auth2 edit /etc/resolve.conf like so:

  root@auth2:~# cat /etc/resolv.conf
  search example.com
  nameserver 5.9.xxx.174
  nameserver 2a01:xxx:xxx:xxxx:10:10:4:ae

Nameserver are the ips of auth1 server.

  root@auth2:~# nslookup auth1.example.com
  Server:		2a01:xxx:xxx:xxxx:10:10:4:ae
  Address:	2a01:xxx:xxx:xxxx:10:10:4:ae#53

  Name:	auth1.example.com
  Address: 10.10.x.174

  mv /etc/krb5.conf /etc/krb5.conf.initial && ln -s /var/lib/samba/private/krb5.conf /etc/

  [libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = true
  default_realm = EXAMPLE.COM

Password for “administrator” is same as “Administrator” account on auth1 server.

    root@auth2:~# kinit administrator
    Password for administrator@EXAMPLE.COM: 
    
    root@auth2:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@EXAMPLE.COM

    Valid starting       Expires              Service principal
    08.07.2019 12:00:03  08.07.2019 22:00:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	    renew until 09.07.2019 11:58:46

samba-tool domain join EXAMPLE.COM DC -U"administrator" --option='idmap_ldb:use rfc2307 = yes' --option='template shell = /bin/bash' --option='winbind use default domain = true' --option='winbind offline logon = false' --option='winbind nss info = rfc2307' --option='winbind enum users = true' --option='winbind enum groups = true' --option='ldap server require strong auth = no' --option='hosts allow = ALL' --dns-backend=SAMBA_INTERNAL

  systemctl start samba-ad-dc.service

  samba-tool drs showrepl

• Debian 9 (Stretch)
• Proxmox

Connect to Samba with LDAP (Bitbucket e.g.)

• https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
• https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
• https://wiki.samba.org/index.php/Linux_and_Unix_DNS_Configuration