Let’s try it
On December 11, 2012, Samba 4 was released, bringing a few very interesting features, an Active Directory compatible server being one of them. What that means is that you can set up Active Directory, supporting Group Policies, Roaming Profiles, replication and other ADDS features, without having to use Windows Server.
Finally finding some extra time, I decided to give it a try on my Raspberry Pi which was just lying unused. “The reason to have a domain controller at home, on Raspberry Pi?” you ask? Well, mainly it is “just because I can”.
If you would like to try this as well, here is a little guide I came up with to make things easier for you.
Installing Archlinux ARM on Raspberry Pi
Installing Archlinux ARM does not really differ from installing any other Linux distribution on a Raspberry Pi, so if you have done this before, you can skip this part of the guide. If you have not, here is how to do it:
- Download and extract Win32 Disk Imager tool.
- Download and extract Archlinux ARM image.
- Insert your SD card into the computer.
- Run Win32 Disk Imager, select the ISO file you downloaded and the drive letter of your SD card. Click Write to load the image to the card.
Once the image is loaded, you can browse some contents of the card in File Explorer. There is one particular file you might want to edit – config.txt.
One reason to edit this file is to overclock your Raspberry Pi to improve performance. I suggest uncommenting (removing the # symbol from) the following lines in the ##Modest section:
arm_freq=800
core_freq=300
sdram_freq=400
over_voltage=0
You can actually try higher overclock settings, but you might face some issues later. For me, any other setting increasing voltage caused crashes.
After the card and configuration are ready, insert the card into your Raspberry Pi and power on the device. Archlinux is very fast and it should take only a few seconds until the OS is running and you can access it via SSH. To do that, you will need PuTTY or some other SSH client.
Check DHCP leases on your router to find out what IP address was assigned to your Raspberry Pi.
Once you connect to the device, use the root account (password – root) to log in. The first thing you will probably want to do after logging in is change the password. To do this, enter the passwd command and then your new password twice.
At this point, there is really not much preventing you from going ahead and installing Samba. Still, there are a few extra configuration changes I would suggest making before proceeding further.
First, use the following command to set your timezone (be sure to replace timezone with the one you need):
timedatectl set-timezone Europe/Vilnius
Also, set the hostname to the one you would like to have for this domain controller:
hostnamectl set-hostname LABDC01
You might also want to edit the locales available on your system. By default, the OS has en_GB.UTF-8 UTF-8 and en_US.UTF-8 UTF-8 locales enabled. If you want to add some other ones, simply uncomment the corresponding lines in /etc/locale.gen file using a text editor of your choice:
After doing that, you need to regenerate the locales:
The strange thing is that the command above always crashed the OS for me when I was using other overclocking settings than the “Modest” one described earlier.
Installing Samba 4
Before proceeding with the Samba installation, I would strongly recommend updating the existing packages:
Depending on your Internet speed and date of the OS image version, it might take some time. Once it completes, you can go ahead with Samba 4 installation:
pacman -Sy samba4
If you are going to use this domain controller as a time server for domain members, you should install the NTP package as well:
pacman -Sy ntp
Pacman might ask you to remove the openntpd package, which is installed by default. There is no problem with that, so you can go ahead and answer “Y”.
In case you are planning to use your Raspberry Pi as a print server as well, be aware that Samba requires the CUPS package:
pacman -Sy cups
That’s it. You can start with configuration of your domain now.
Configuring Samba as domain controller
Since the configuration is quite complex, let’s split it into a few parts.
Provisioning the domain
We will be using the following command to promote our Raspberry Pi to a domain controller, creating a new domain:
samba-tool domain provision --realm=lab.local --domain=LAB --adminpass 'P@ssw0rd' --server-role=dc
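Be sure to change the realm parameter to the FQDN of your domain, the domain parameter to your domain name and the adminpass parameter to the password of your choice (be aware that there are complexity requirements for the password). Keep in mind that a password typed on the command line is saved in the shell history and is visible in the process list while the command runs, so remove it from the history afterwards.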
It might get fixed in the new Archlinux/Samba builds, but at least for now the command above ends up with the following error:
Traceback (most recent call last):
  File "/usr/bin/samba-tool", line 34, in <module>
    from samba.netcmd.main import cmd_sambatool
  File "/usr/lib/python2.7/site-packages/samba/__init__.py", line 49, in <module>
ImportError: libreplace.so: cannot open shared object file: No such file or directory
The error can be easily fixed by adding the Samba library directory to the library search path on the system:
echo "/usr/lib/samba/" > /etc/ld.so.conf.d/samba.conf && ldconfig
Unfortunately, the provisioning command might still not work and stop with a different error:
ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: guess_names: 'server role=auto' in /etc/samba/smb.conf must match chosen server role 'active directory domain controller'!
To solve this one, simply remove the smb.conf file that is already present on the system:
Now the provisioning command should work fine. Run it and wait until the domain is provisioned. Once it finishes, it asks you to install the Kerberos configuration file to get Samba 4 working:
mv /etc/krb5.conf /etc/krb5.conf.bak && cp /var/lib/samba/private/krb5.conf /etc/
Our Samba 4 domain controller is now ready and we can go ahead and start it.
Starting Samba 4
To start Samba, you can use the following command:
systemctl start samba
However, if you run the systemctl command without any parameters afterwards, you will see that Samba did not start:
samba.service loaded failed failed Samba AD Daemon
Looking into the Samba log (/var/log/samba/log.samba), you can find the reason it fails:
ldb: unable to dlopen /usr/lib/samba/ldb/ldbsamba_extensions.so : /usr/lib/ldb/libreplace.so: version `SAMBA_4.0.3' not found (required by /usr/lib/samba/libcmdline-credentials.so)
We can get this fixed using the command below:
mv /usr/lib/ldb/libreplace.so /usr/lib/ldb/libreplace.so.bak && ln -s /usr/lib/samba/libreplace.so /usr/lib/ldb/
Now Samba starts just fine:
samba.service loaded active running Samba AD Daemon
Of course, we want to make sure our Samba automatically starts after reboot:
systemctl enable samba
Repeat the command above for cups and ntpd services if you installed them:
systemctl enable ntpd cups
We can now proceed with the configuration of the additional components.
Configuring DNS service
The first thing we need to do is edit the /etc/resolv.conf file so that domain DNS queries work properly:
domain lab.local
nameserver 192.168.1.18
Make sure to edit the first line to contain the FQDN of your domain and the second line to contain the IP address of your Raspberry Pi.
Be aware that if your Raspberry Pi is getting IP from DHCP (which is not a good practice), this file will be regularly overwritten. To prevent that, run the following command:
chattr +i /etc/resolv.conf
For dynamic DNS updates and samba_dnsupdate command to work, add the following line to [global] section of /etc/samba/smb.conf file:
nsupdate command = /usr/sbin/samba_dnsupdate
When using the internal Samba server, the configuration changes above are sufficient and we can proceed further.
Configuring NTP service
If you installed NTP service and you would like your Raspberry Pi to get time from the Internet, providing it to all domain members, add the following lines to the bottom of /etc/ntp.conf file:
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server 1.lt.pool.ntp.org iburst prefer
server 1.europe.pool.ntp.org iburst prefer
logfile /var/log/ntp.log
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 1.lt.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
Depending on your location, you might want to use different time pools.
In addition to the /etc/ntp.conf changes above, you also need to edit permissions of /var/lib/samba/ntp_signd directory:
chmod 0750 -R /var/lib/samba/ntp_signd && chown root:ntp /var/lib/samba/ntp_signd
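The two pieces above have to agree: ntpd looks for Samba's signing socket in the directory named by ntpsigndsocket, and that directory needs the mode and group set by the chmod/chown command. The shell function below is an added example, not part of the original guide, that checks this; the function name check_ntp_signd and its two optional arguments are assumptions of the example, and it relies on GNU stat.

```shell
# Added example (not from the original guide): audit the MS-SNTP signing setup.
# Usage: check_ntp_signd [path to ntp.conf] [expected group]
# Defaults follow the guide: /etc/ntp.conf and group "ntp".
# Returns the number of problems found (0 = consistent).
check_ntp_signd() {
    conf=${1:-/etc/ntp.conf}
    want_group=${2:-ntp}
    problems=0

    # Directory in which ntpd expects Samba's signing socket.
    sock_dir=$(awk '$1 == "ntpsigndsocket" { print $2; exit }' "$conf")
    if [ -z "$sock_dir" ]; then
        echo "FAIL: no ntpsigndsocket directive in $conf"
        problems=$((problems + 1))
    elif [ ! -d "$sock_dir" ]; then
        # The directive points somewhere Samba never created a directory.
        echo "FAIL: $sock_dir does not exist"
        problems=$((problems + 1))
    else
        # GNU stat: %a = octal mode, %G = group name.
        mode=$(stat -c '%a' "$sock_dir")
        group=$(stat -c '%G' "$sock_dir")
        if [ "$mode" != "750" ]; then
            echo "FAIL: $sock_dir has mode $mode, expected 750"
            problems=$((problems + 1))
        fi
        if [ "$group" != "$want_group" ]; then
            echo "FAIL: $sock_dir has group $group, expected $want_group"
            problems=$((problems + 1))
        fi
    fi

    # Signed replies for domain members need mssntp on "restrict default".
    if ! awk '$1 == "restrict" && $2 == "default" {
                 for (i = 3; i <= NF; i++) if ($i == "mssntp") found = 1
             } END { exit !found }' "$conf"; then
        echo "FAIL: 'restrict default' line lacks mssntp"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: NTP signing setup is consistent"
    return "$problems"
}
```

Run it as root on the domain controller with no arguments to check /etc/ntp.conf against the ntp group.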
After completing the steps above, your Raspberry Pi should be working as a domain controller. You can now join your computers/servers to the newly created domain and use MMC consoles from Remote Server Administration Tools to manage domain users, group policies and sites.