Vypr
Posts: 55
Joined: Tue Apr 09, 2013 2:02 am

How-To: Pi as an Active Directory Domain Controller

Sun Mar 06, 2016 11:07 pm

I recently found the need to set up a test domain for work purposes but couldn't get access to a proper Windows Server box, so since Samba 4 can act as a proper AD controller, I decided to give it a go.
It took a few tries and several card formattings before I got the process down pat, so I thought I would share it and hopefully save other people the same headaches I had.

The process described will configure the Pi as an AD controller, a DHCP client and also bridge the internet connection between the wired and wireless adaptors so that the connected clients can access the internet through the Pi.

http://www.virtualfrontiers.co.uk/domain_controller.htm

cjdawson
Posts: 10
Joined: Fri Mar 25, 2016 6:15 pm

Re: How-To: Pi as an Active Directory Domain Controller

Fri Mar 25, 2016 9:35 pm

I'm working through the post that you've put together, as I'm looking to add a domain controller to my dhcp, dns, ntp, vpn setup on my Pi 3. From my own dealings with raspbian jessie, I've got as far as setting up the static ip part and noticed that there is a problem in your steps.

The problem is that /etc/resolv.conf is overwritten when the Pi starts up. This causes the domain and search items to be removed from the file, as it makes the content of that file based on the ip settings for the device.

So rather than editing resolv.conf, it's better to add a couple of extra settings in /etc/dhcpcd.conf
Add these two lines to your IP configuration for eth0

static domain_name=vfrontiers.net
static domain_search=vfrontiers.net

so that your interface section reads like this...

interface eth0
static domain_name_servers=192.168.0.254
static ip_address=192.168.0.254
static routers=
static domain_name=vfrontiers.net
static domain_search=vfrontiers.net


When you do that, your /etc/resolv.conf file will be populated with the domain and the nameserver; the search item is omitted as it is the same as the domain. (I know it will add it as I tested it with a different value.)

Love the part about iptables-persistent. This is a great idea, and much better than a bash script that I'd been doing. Think I'll do that as a change to my server.

There's a problem with isc-dhcp-server: you may find that after a reboot it will fail to start up, unless you start it manually, which will be very confusing to people. To solve this problem:

raspi-config

Choose option 4 – Wait for Network at Boot

Then choose

Slow Wait for network connection before completing boot

This will fix the problem. I'm sure that there is a better solution, but I don't know yet.

cjdawson
Posts: 10
Joined: Fri Mar 25, 2016 6:15 pm

Re: How-To: Pi as an Active Directory Domain Controller

Sat Mar 26, 2016 2:24 am

I've tried following this guide and have got to the point of having provisioned the domain, however when I attempt the first test this is what I get....

smbclient -L localhost -U%
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)


I'm not really sure what to do about this. Any ideas?

huwmungous
Posts: 2
Joined: Wed May 18, 2016 3:02 pm

Re: How-To: Pi as an Active Directory Domain Controller

Thu May 19, 2016 12:54 pm

@cjdawson - I seem to be in the same place you were. Were you able to resolve this?


borborpa
Posts: 1
Joined: Mon Dec 26, 2016 7:53 pm

Re: How-To: Pi as an Active Directory Domain Controller

Mon Dec 26, 2016 7:55 pm

You can fix that issue by installing winbind (sudo apt-get install winbind) and rebooting.

hortimech
Posts: 323
Joined: Wed Apr 08, 2015 5:52 pm

Re: How-To: Pi as an Active Directory Domain Controller

Mon Dec 26, 2016 9:25 pm

There is that much wrong with that howto, I do not really know where to start. I cannot recommend using it to set up a Samba AD DC, try following the official Samba wiki instead:

https://wiki.samba.org/index.php/Settin ... Controller

pete_dl
Posts: 3
Joined: Wed Dec 13, 2017 12:26 am

Re: How-To: Pi as an Active Directory Domain Controller

Wed Dec 13, 2017 12:41 am

I followed the instructions carefully (omitting the DHCP and port forwarding setup as I don't need it).

Unfortunately when I get to testing it with smbclient -L localhost -U% it responds with

Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)

and the kinit says it can't find KDC for the realm.

Any suggestions? Is there a firewall I need to switch off? I am using the latest version of all the software. Might the instructions be out of date?

pete_dl
Posts: 3
Joined: Wed Dec 13, 2017 12:26 am

Re: How-To: Pi as an Active Directory Domain Controller

Wed Dec 13, 2017 2:19 am

I've managed to get over the problem of the error from the following command

smbclient -L localhost -U%

By looking at other tutorials, after the "sudo samba-tool domain provision..." you actually have to start samba with "sudo samba"

However, I am now stuck at configuring Kerberos. When calling "kinit administrator@BP.LOCAL" I get the error "kinit: Cannot contact any KDC for realm 'BP.LOCAL' while getting initial credentials"

How do I debug this?

Many thanks.

pete_dl
Posts: 3
Joined: Wed Dec 13, 2017 12:26 am

Re: How-To: Pi as an Active Directory Domain Controller

Thu Dec 14, 2017 1:07 pm

After further investigation, the DNS that samba provides is not working properly; the suggested host -A check produces a "no server could be reached".

My guess is one of the latest package versions has invalidated this tutorial. The samba log is as follows...

[2017/12/14 11:45:18.617866, 0] ../source4/smbd/server.c:372(binary_smbd_main)
samba version 4.5.12-Debian started.
Copyright Andrew Tridgell and the Samba Team 1992-2016
[2017/12/14 11:45:20.626682, 0] ../source4/smbd/server.c:479(binary_smbd_main)
samba: using 'standard' process model
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2017/12/14 11:45:20.759830, 0] ../lib/util/become_daemon.c:124(daemon_ready)
STATUS=daemon 'samba' finished starting up and ready to serve connections
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2017/12/14 11:45:21.215442, 0] ../source4/winbind/winbindd.c:47(winbindd_done)
winbindd daemon died with exit status 1
[2017/12/14 11:45:21.216219, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
task_server_terminate: [winbindd child process exited]
[2017/12/14 11:45:21.243255, 0] ../source4/smbd/server.c:211(samba_terminate)
samba_terminate of 894: winbindd child process exited
[2017/12/14 11:45:21.309388, 0] ../file_server/file_server.c:46(file_server_smbd_done)
file_server smbd daemon died with exit status 1
[2017/12/14 11:45:21.309983, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
task_server_terminate: [smbd child process exited]
[2017/12/14 11:45:40.928144, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
[2017/12/14 11:55:41.013822, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
[2017/12/14 12:05:41.063985, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
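
Added example (not part of the post above and not Samba code): one way to triage a log in this format is to group each bracketed header with the message lines that follow it, drop the setproctitle noise, and report which child daemons died and how often the DNS update failed. The function names are hypothetical; the sample lines are an excerpt of the log posted above.

```python
import re
from collections import Counter

# Excerpt of the log posted above, embedded so the example runs offline.
SAMPLE_LOG = """\
[2017/12/14 11:45:20.626682, 0] ../source4/smbd/server.c:479(binary_smbd_main)
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2017/12/14 11:45:21.215442, 0] ../source4/winbind/winbindd.c:47(winbindd_done)
winbindd daemon died with exit status 1
[2017/12/14 11:45:21.309388, 0] ../file_server/file_server.c:46(file_server_smbd_done)
file_server smbd daemon died with exit status 1
[2017/12/14 11:45:40.928144, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
[2017/12/14 11:55:41.013822, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
"""

# Header: "[timestamp, level] source.c:line(function)"; the leading "[" is optional.
HEADER = re.compile(r"^\[?(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(\d+)\]\s+(\S+?):(\d+)\((\w+)\)")
DIED = re.compile(r"(\S+) daemon died with exit status (\d+)")
DNS_FAIL = re.compile(r"Failed DNS update - with error code (\d+)")
NOISE = "setproctitle not initialized"

def parse_records(text):
    """Group lines into records: one header plus the message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m[1], "level": int(m[2]), "source": m[3],
                            "function": m[5], "message": []})
        elif records and line.strip() and NOISE not in line:
            records[-1]["message"].append(line.strip())
    return records

def triage(records):
    """Return (dead daemons with exit status, failed DNS updates per error code)."""
    dead, dns_failures = [], Counter()
    for rec in records:
        body = " ".join(rec["message"])
        if (m := DIED.search(body)):
            dead.append((rec["time"], m[1], int(m[2])))
        if (m := DNS_FAIL.search(body)):
            dns_failures[int(m[1])] += 1
    return dead, dict(dns_failures)

if __name__ == "__main__":
    print(triage(parse_records(SAMPLE_LOG)))
```

On this excerpt the first event is winbindd exiting with status 1, followed by smbd, so those two child daemons are the place to start before looking at Kerberos or DNS.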

akechristian
Posts: 1
Joined: Mon Dec 31, 2018 1:10 am

Re: How-To: Pi as an Active Directory Domain Controller

Mon Dec 31, 2018 1:15 am

Hi All,

About resolv.conf, no need to change its attributes; check the dhcpcd page (https://wiki.archlinux.org/index.php/dhcpcd), which says:

resolv.conf

dhcpcd by default overwrites resolv.conf.

This can be stopped by adding the following to the last section of /etc/dhcpcd.conf:

nohook resolv.conf

Have a good one, and happy new year in advance !

EDIT1: Sorry guys, but it does not work, at least for me... I will continue to see if another way exists.
EDIT2: On this web page, I found a better explanation of why resolv.conf is overwritten
https://manpages.ubuntu.com/manpages/ar ... onf.8.html
and also the following URL about resolvconf that seems to be part of the openresolv framework.
https://roy.marples.name/projects/openresolv
It seems this guy, Roy, was strongly involved in dhcpcd too !

mfayiz
Posts: 1
Joined: Mon Jan 21, 2019 11:11 pm

Re: How-To: Pi as an Active Directory Domain Controller

Mon Jan 21, 2019 11:14 pm

I have been trying for some time to get my Pi working as a DC, and followed the above and a few other writings, but none of them worked; I always received error messages on my samba.

Has anyone got it working as a DC? Can you guide me to a good document?

Thanks for your help.
