Installing Samba 4 domain controller on Raspberry Pi running Archlinux ARM

Let’s try it

On December 11, 2012, Samba 4 was released, bringing a few very interesting features, an Active Directory compatible server being one of them. This means that you can set up Active Directory, supporting Group Policies, Roaming Profiles, replication and other ADDS features, without having to use Windows Server.

Finally finding some extra time, I decided to give it a try on my Raspberry Pi which was just lying unused. “The reason to have a domain controller at home, on Raspberry Pi?” you ask? Well, mainly it is “just because I can”.

If you would like to try this as well, here is a little guide I came up with to make things easier for you.

Installing Archlinux ARM on Raspberry Pi

Installing Archlinux ARM does not really differ from installing any other Linux distribution on Raspberry Pi, so if you have done this before, you can skip this part of the guide. If you have not, here is how to do it:

  1. Download and extract Win32 Disk Imager tool.
  2. Download and extract Archlinux ARM image.
  3. Insert your SD card to the computer.
  4. Run Win32 Disk Imager, select the ISO file you downloaded and drive letter of your SD card. Click Write to load the image to the card.

Once the image is loaded, you can browse some contents of the card in File Explorer. There is one particular file you might want to edit – config.txt.

One reason to edit this file is to overclock your Raspberry Pi to improve performance. I suggest uncommenting (removing the # symbol from) the following lines in the ##Modest section:

arm_freq=800
core_freq=300
sdram_freq=400
over_voltage=0

You can actually try higher overclock settings, but you might face some issues later. For me, any other setting increasing voltage caused crashes.

After the card and configuration are ready, insert the card into your Raspberry Pi and power on the device. Archlinux is very fast and it should take only a few seconds until the OS is running and you can access it via SSH. To do that, you will need Putty or some other SSH client.

Check DHCP leases on your router to find out what IP address was assigned to your Raspberry Pi.

Configuring Archlinux

Once you connect to the device, log in with the root account (password – root). Since this default password is public, the first thing to do after logging in is to change it: enter the passwd command and type your new password twice.

At this point, there is really not much preventing you from going ahead and installing Samba. However, there are a few extra configuration changes I would suggest making before proceeding further.

First, use the following command to set your timezone (be sure to replace the timezone with the one you need):

timedatectl set-timezone Europe/Vilnius

Also, set the hostname to the one you would like to have for this domain controller:

hostnamectl set-hostname LABDC01

You might also want to edit the locales available on your system. By default, the OS has en_GB.UTF-8 UTF-8 and en_US.UTF-8 UTF-8 locales enabled. If you want to add some other ones, simply uncomment the corresponding lines in /etc/locale.gen file using a text editor of your choice:

nano /etc/locale.gen

After doing that, you need to regenerate the locales:

locale-gen

The strange thing is that the command above always crashed the OS for me when I was using other overclocking settings than the “Modest” one described earlier.

Installing Samba 4

Before proceeding with the Samba installation, I would strongly recommend updating the existing packages:

pacman -Syu

Depending on your Internet speed and date of the OS image version, it might take some time. Once it completes, you can go ahead with Samba 4 installation:

pacman -Sy samba4

If you are going to use this domain controller as a time server for domain members, you should install the NTP package as well:

pacman -Sy ntp

Pacman might ask you to remove the openntpd package, which is installed by default. There is no problem with that, so you can go ahead and press “Y”.

In case you are planning to use your Raspberry Pi as a print server as well, be aware that Samba requires Cups package:

pacman -Sy cups

That’s it. You can start with configuration of your domain now.

Configuring Samba as domain controller

Since the configuration is quite complex, let’s split it into a few parts.

Provisioning the domain

We will be using the following command to promote our Raspberry Pi to a domain controller, creating a new domain:

samba-tool domain provision --realm=lab.local --domain=LAB --adminpass 'P@ssw0rd' --server-role=dc

Be sure to change the realm parameter to the FQDN of your domain, the domain parameter to your domain name and the adminpass parameter to a password of your choice (be aware that there are complexity requirements for the password). A password typed on the command line like this also ends up in your shell history.

It might get fixed in the new Archlinux/Samba builds, but at least for now the command above ends up with the following error:

Traceback (most recent call last):
  File "/usr/bin/samba-tool", line 34, in <module>
    from samba.netcmd.main import cmd_sambatool
  File "/usr/lib/python2.7/site-packages/samba/__init__.py", line 49, in <module>
    import ldb
ImportError: libreplace.so: cannot open shared object file: No such file or directory

The error can be easily fixed by updating the library search path on the system:

echo "/usr/lib/samba/" > /etc/ld.so.conf.d/samba.conf && ldconfig

Unfortunately, the provisioning command might still not work and stop with a different error:

ERROR(ProvisioningError'>): Provision failed - ProvisioningError: guess_names: 'server role=auto' in /etc/samba/smb.conf must match chosen server role 'active directory domain controller'!

To solve this one, simply remove the smb.conf file that is already present on the system:

rm /etc/samba/smb.conf

Now the provisioning command should work fine. Run it and wait until the domain is provisioned. Once it finishes, it asks you to install the Kerberos configuration file to get Samba 4 working:

mv /etc/krb5.conf /etc/krb5.conf.bak && cp /var/lib/samba/private/krb5.conf /etc/

Our Samba 4 domain controller is ready now and we can go ahead and start it.
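The two provisioning pitfalls above (a leftover smb.conf with a different server role, and the password requirements) can be checked before running the command. The following is an added example, not part of the original post: the function names and the .pre-provision backup suffix are made up for illustration, and the rule of 7+ characters from 3 of 4 classes is an assumption about the default domain password policy.

```bash
# Print the "server role" value from the [global] section of an smb.conf.
# Samba ignores case and spaces in parameter names; unset means "auto".
smb_server_role() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t]/, "", s)
                        in_global = (s == "[global]"); next }
        in_global && NF > 1 {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == "serverrole") {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val); role = tolower(val)
            }
        }
        END { print (role == "" ? "auto" : role) }' "$1"
}

# Succeed if the password has 7+ characters from at least 3 of 4 classes
# (assumption: mirrors the default policy of a freshly provisioned domain).
password_is_complex() {
    local pw="$1" classes=0
    [ "${#pw}" -ge 7 ] || return 1
    case $pw in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ]
}

# Move a conflicting smb.conf aside instead of deleting it, prompt for the
# password without echo, then provision with the page's realm and domain.
# The password stays out of shell history, but it is still visible in the
# process list while samba-tool runs.
provision_lab_domain() {
    local conf=/etc/samba/smb.conf pw
    if [ -f "$conf" ]; then
        case $(smb_server_role "$conf") in
            "active directory domain controller"|"domain controller"|dc) ;;
            *) mv "$conf" "$conf.pre-provision" ;;
        esac
    fi
    stty -echo; printf 'Administrator password: '; read -r pw; stty echo; echo
    password_is_complex "$pw" || { echo "password too weak" >&2; return 1; }
    samba-tool domain provision --realm=lab.local --domain=LAB \
        --adminpass "$pw" --server-role=dc
}
```

Source the file as root and call provision_lab_domain; the other two functions can also be used on their own to inspect a configuration file or a candidate password.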

Starting Samba 4

To start Samba, you can use the following command:

systemctl start samba

However, if you run the systemctl command without any parameters afterwards, you will see that Samba didn’t start:

samba.service   loaded   failed   failed   Samba AD Daemon

Looking into the Samba log (/var/log/samba/log.samba), you can find the reason it fails:

ldb: unable to dlopen /usr/lib/samba/ldb/ldbsamba_extensions.so : /usr/lib/ldb/libreplace.so: version `SAMBA_4.0.3' not found (required by /usr/lib/samba/libcmdline-credentials.so)

We can get this fixed using the command below:

mv /usr/lib/ldb/libreplace.so /usr/lib/ldb/libreplace.so.bak && ln -s /usr/lib/samba/libreplace.so /usr/lib/ldb/

Now Samba starts just fine:

samba.service   loaded   active   running   Samba AD Daemon

Of course, we want to make sure our Samba automatically starts after reboot:

systemctl enable samba

Repeat the command above for the cups and ntpd services if you installed them:

systemctl enable ntpd cups

We can now proceed with the configuration of the additional components.

Configuring DNS service

The first thing we need to do is edit the /etc/resolv.conf file so that domain DNS queries work properly:

domain lab.local
nameserver 192.168.1.18

Make sure to edit the first line to have the FQDN of your domain and the second line to have the IP address of your Raspberry Pi device.

Be aware that if your Raspberry Pi is getting its IP address from DHCP (which is not a good practice), this file will be regularly overwritten. To prevent that, run the following command:

chattr +i /etc/resolv.conf

For dynamic DNS updates and the samba_dnsupdate command to work, add the following line to the [global] section of the /etc/samba/smb.conf file:

nsupdate command = /usr/sbin/samba_dnsupdate

When using the internal Samba DNS server, the configuration changes above are sufficient and we can proceed further.

Configuring NTP service

If you installed the NTP service and you would like your Raspberry Pi to get time from the Internet and provide it to all domain members, add the following lines to the bottom of the /etc/ntp.conf file:

server 127.127.1.0
fudge  127.127.1.0 stratum 10
server 1.lt.pool.ntp.org  iburst prefer
server 1.europe.pool.ntp.org  iburst prefer
logfile /var/log/ntp.log
# Same directory as in the chmod/chown command below
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 1.lt.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Depending on your location, you might want to use different time pools.

In addition to the /etc/ntp.conf changes above, you also need to edit the permissions of the /var/lib/samba/ntp_signd directory:

chmod 0750 -R /var/lib/samba/ntp_signd && chown root:ntp /var/lib/samba/ntp_signd
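Signed time for domain members depends on ntp.conf and Samba agreeing on the ntp_signd directory and on ntpd being allowed to enter it. The following added check (not from the original post; the function names are this example's own) compares the ntpsigndsocket path in ntp.conf with the directory used in the chmod/chown command above and verifies its mode and group:

```bash
# Print the directory configured as ntpsigndsocket in an ntp.conf file
# (last occurrence wins; comments and trailing slashes are ignored).
signd_dir_from_ntp_conf() {
    awk '{ sub(/#.*/, "") }
         $1 == "ntpsigndsocket" { dir = $2 }
         END { sub(/\/+$/, "", dir); print dir }' "$1"
}

# check_ntp_signd NTP_CONF SIGND_DIR [GROUP]
# Returns 0 when everything matches; otherwise prints each problem found
# and returns 1. GROUP defaults to ntp, as in the chown command above.
check_ntp_signd() {
    local conf="$1" dir="${2%/}" group="${3:-ntp}" configured mode rc=0
    configured=$(signd_dir_from_ntp_conf "$conf")
    if [ -z "$configured" ]; then
        echo "no ntpsigndsocket line in $conf"; rc=1
    elif [ "$configured" != "$dir" ]; then
        echo "ntp.conf points at $configured, Samba directory is $dir"; rc=1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist (has Samba been started?)"; return 1
    fi
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = 750 ] || { echo "$dir has mode $mode, expected 750"; rc=1; }
    [ "$(stat -c '%G' "$dir")" = "$group" ] ||
        { echo "$dir is not owned by group $group"; rc=1; }
    return $rc
}

# Usage on the domain controller:
#   check_ntp_signd /etc/ntp.conf /var/lib/samba/ntp_signd
```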

That’s all

After completing the steps above, your Raspberry Pi should be working as a domain controller. You can now join your computers/servers to the newly created domain and use MMC consoles from Remote Server Administration Tools to manage domain users, group policies and sites.


6 comments on the post

  1. hey there and thank you for your information – I have certainly picked up anything new from right here. I did however expertise several technical points using this site, as I experienced to reload the site a lot of times previous to I could get it to load correctly. I had been wondering if your hosting is OK? Not that I’m complaining, but sluggish loading instances times will often affect your placement in google and could damage your high quality score if advertising and marketing with Adwords. Anyway I am adding this RSS to my e-mail and could look out for much more of your respective interesting content. Make sure you update this again soon..

  2. ‘pacman -Sy samba4’ no longer works, the package has been renamed to just “samba”, so the command should be: ‘pacman -Sy samba’

    thanks for the tutorial, is there a way for setting it up by copying the settings from an existing domain controller (windows server in my case) as opposed to creating a new domain from scratch? (I am just looking for a cheap backup AD controller, a suitable role for a PI)

  3. Hi,

    I am getting a naming information cannot be located for the following reason error hope you can help

  4. Thanks, Excellent tutorial without too much detail but enough to get me up and running. Thank you again!

  5. any chance of an update pls.
    just been playing,
    sorted out the samba4 is now samba,
    but falls over on the

    mv /etc/krb5.conf /etc/krb5.conf.bak && cp /var/lib/samba/private/krb5.conf /etc/

    no such file or directory
