Samba Active Directory Domain Controller (AD DC) Setup on Ubuntu 22.04.5 LTS

Step-by-Step: Samba Active Directory (AD) on Ubuntu 22.04 — Production Setup, Hardening & Failover (example.com)

Author: Sidhesh Devale · Platform: Ubuntu 22.04 · Primary DC: sd01 (192.168.0.7) · Secondary DC: sd02 (192.168.0.10)

Contents
  1. Pre-Setup Requirements
  2. Primary DC (SD01) — Provision
  3. Secondary DC (SD02) — Join
  4. Secure SYSVOL Replication (rsync+ssh)
  5. Full Production Hardening
  6. Failover & FSMO Role Transfer
  7. Validation & Testing
  8. Monitoring, Backup & Maintenance
  9. Troubleshooting

1. Pre-Setup Requirements

This guide assumes two Ubuntu 22.04 servers (SD01 and SD02) on a trusted LAN with static IPs:

  • SD01 (Primary): 192.168.0.7
  • SD02 (Secondary): 192.168.0.10
  • Domain: example.com

Quick checklist

  1. Update OS and install required packages:
    sudo apt update && sudo apt upgrade -y
    sudo apt install samba krb5-user winbind smbclient dnsutils net-tools acl attr rsync chrony vim -y
  2. Set timezone & enable time sync (Kerberos rejects clients whose clock is more than 5 minutes off the DC, so this is not cosmetic):
    sudo timedatectl set-timezone Asia/Kolkata
    sudo systemctl enable --now chrony
  3. Set hostnames:
    sudo hostnamectl set-hostname sd01    # on primary
    sudo hostnamectl set-hostname sd02    # on secondary
  4. /etc/hosts entries (both machines):
    192.168.0.7   sd01.example.com sd01
    192.168.0.10  sd02.example.com sd02
  5. Point the resolver at the DC. This is required, not optional: systemd-resolved owns /etc/resolv.conf on Ubuntu and would keep sending queries elsewhere, and the AD zone must be answered by Samba's own DNS. On SD02 use SD01's address (192.168.0.7) until the join is complete:
    sudo systemctl disable --now systemd-resolved
    sudo rm -f /etc/resolv.conf
    printf 'nameserver 127.0.0.1\nsearch example.com\n' | sudo tee /etc/resolv.conf

2. Primary DC (SD01) — Provision

Provision the Samba AD domain. Move the packaged /etc/samba/smb.conf aside first, because samba-tool reads an existing file and the Debian default is not a DC configuration. Do not pass the Administrator password as --adminpass on the command line, where it ends up in shell history and is visible in ps; --interactive prompts for it instead (run without either and samba-tool generates a random password and prints it once at the end):

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
sudo samba-tool domain provision \
  --use-rfc2307 \
  --realm=EXAMPLE.COM \
  --domain=EXAMPLE \
  --server-role=dc \
  --dns-backend=SAMBA_INTERNAL \
  --interactive

Copy generated krb5.conf into place:

sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

Enable Samba AD service:

sudo systemctl unmask samba-ad-dc
sudo systemctl enable --now samba-ad-dc

Verify

sudo samba-tool domain level show
sudo samba-tool user list
host -t SRV _ldap._tcp.example.com

3. Secondary DC (SD02) — Join as ADC

On SD02 install the same packages, then make sure the join can actually find the domain: /etc/resolv.conf on SD02 must point at SD01 (nameserver 192.168.0.7, search example.com) until SD02 runs its own DNS, /etc/krb5.conf should be copied from SD01 (or at least set default_realm = EXAMPLE.COM), and the clock must be within Kerberos' 5-minute tolerance of SD01. Then join:

sudo apt install samba krb5-user winbind smbclient dnsutils rsync -y
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

sudo samba-tool domain join example.com DC \
    -U"EXAMPLE\\Administrator" \
    --realm=EXAMPLE.COM \
    --dns-backend=SAMBA_INTERNAL

Start the AD service. The Ubuntu package ships the unit masked, so unmask it first, exactly as on SD01:

sudo systemctl unmask samba-ad-dc
sudo systemctl enable --now samba-ad-dc

Replication checks (run on SD02). The other DC should be listed under both INBOUND and OUTBOUND NEIGHBORS with "0 consecutive failure(s)" for every partition, and the zone list should contain example.com and _msdcs.example.com:

sudo samba-tool drs showrepl
sudo samba-tool dns zonelist 127.0.0.1 -U Administrator

4. Secure SYSVOL Replication (rsync + SSH)

Samba replicates the directory but not the SYSVOL share, so the Samba wiki's workaround is an rsync copy. Push it in one direction only, from the DC that holds the PDC emulator FSMO role (SD01 today) to the other DC, over key-authenticated SSH. The copy has to run as root on both ends because the NT ACLs on SYSVOL live in extended attributes (the -X and -A flags carry them across).

  1. On SD01 generate a key and copy it to SD02:
    sudo mkdir -p -m 700 /root/.ssh
    sudo ssh-keygen -t rsa -b 4096 -f /root/.ssh/id_rsa -N ""
    sudo ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.0.10
    On SD02, prefix that key's line in /root/.ssh/authorized_keys with from="192.168.0.7" so the key is only usable from SD01.
  2. Create the sync script on SD01 as /usr/local/bin/sysvol-sync.sh:
    #!/bin/bash
    rsync -XAavz --delete-after /var/lib/samba/sysvol/ root@192.168.0.10:/var/lib/samba/sysvol/
    Then make it executable:
    sudo chmod +x /usr/local/bin/sysvol-sync.sh
  3. Add a cron job to run it every 5 minutes:
    sudo crontab -e
    # add:
    */5 * * * * /usr/local/bin/sysvol-sync.sh

Two caveats. First, the SSH hardening in section 5 must keep root key login from SD01 working on SD02 (PermitRootLogin prohibit-password and an AllowUsers entry for root@192.168.0.7), or this job silently stops and Group Policy edits stay on one DC. Second, the ACLs carried in the xattrs refer to IDs from each DC's local idmap.ldb, which differ unless you copied idmap.ldb from SD01 to SD02 before the first sync; the simpler fix is to run sudo samba-tool ntacl sysvolreset on SD02 after the first run. Do not run the sync in both directions: with --delete-after, a stale copy pushed from the wrong DC deletes fresh policy objects, so only the PDC emulator may push, and after a FSMO transfer (section 6) the cron job moves with the role.
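A more defensive version of the sync script, added here as an example (it is not the script above and not part of Samba): before pushing it reads samba-tool fsmo show and refuses unless this host owns the PdcEmulationMasterRole, so the same crontab line can be installed on both DCs and only the current role holder ever writes, which also takes care of the direction flip after a FSMO transfer in section 6; flock stops a slow run from overlapping the next one. The peer address, key path, the "run" argument convention and the SAMPLE_FSMO text used by the self-check are assumptions, not taken from the page.

```shell
#!/bin/sh
# /usr/local/bin/sysvol-sync.sh (added example, not the post's original script)
# Unidirectional SYSVOL push: only the DC holding the PDC emulator FSMO role
# pushes, so this file can be installed with the same cron line on every DC.
# Assumptions (not from the post): PEER, the key path, and that cron invokes
# the script with the single argument "run"; without it only the helpers load.
set -eu

PEER="${PEER:-192.168.0.10}"
SSH_KEY="${SSH_KEY:-/root/.ssh/id_rsa}"
SYSVOL=/var/lib/samba/sysvol/
LOCK=/run/sysvol-sync.lock

# pdc_emulator_of FSMO_OUTPUT -> prints the short host name that owns the
# PdcEmulationMasterRole. `samba-tool fsmo show` prints one line per role:
#   PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SD01,CN=Servers,...
# The owner's DSA DN carries the DC name as the second CN.
pdc_emulator_of() {
    printf '%s\n' "$1" \
      | sed -n 's/^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p'
}

# holds_pdc_role FSMO_OUTPUT HOST -> 0 if HOST (case-insensitive) owns the role
holds_pdc_role() {
    owner_lc=$(pdc_emulator_of "$1" | tr 'A-Z' 'a-z')
    host_lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$owner_lc" ] && [ "$owner_lc" = "$host_lc" ]
}

# push_sysvol -> rsync under a non-blocking lock. -X/-A carry the xattr ACLs,
# --delete-after makes the peer an exact mirror, BatchMode fails fast instead
# of hanging on a prompt if the key is refused (e.g. after an sshd change).
push_sysvol() {
    flock -n "$LOCK" rsync -XAaz --delete-after \
        -e "ssh -i $SSH_KEY -o BatchMode=yes" \
        "$SYSVOL" "root@$PEER:$SYSVOL"
}

main() {
    me=$(hostname -s)
    roles=$(samba-tool fsmo show)
    if holds_pdc_role "$roles" "$me"; then
        push_sysvol
    else
        echo "sysvol-sync: $me does not hold PdcEmulationMasterRole, not pushing" >&2
    fi
}

# Constructed sample of `samba-tool fsmo show` output (not captured from a real
# DC), kept here so the role check can be exercised without a domain.
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=SD01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SD01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=SD02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'

if [ "${1:-}" = "run" ]; then main; fi
```

Install it on both DCs and call it with the argument from cron, setting the peer per host: on SD01 `*/5 * * * * /usr/local/bin/sysvol-sync.sh run`, on SD02 `*/5 * * * * PEER=192.168.0.7 /usr/local/bin/sysvol-sync.sh run`. Whichever DC does not hold the role exits without touching anything, so moving the role is the only step needed to reverse the direction.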

5. Full Production Hardening

Apply the following hardening controls (system, Samba, Kerberos, SSH, firewall, PAM, logging).

Samba configuration

Samba merges repeated [global] sections, so appending a second one with tee -a works, but run testparm afterwards to confirm no parameter is now set twice with different values. Three of these settings need care. ntlm auth = no is a synonym for ntlmv2-only, which is already the default (NTLMv1 refused, NTLMv2 still accepted); it is written out explicitly here, and the stricter ntlm auth = disabled is only safe once every client and service authenticates with Kerberos. smb encrypt = required forces SMB3 encryption on every session, which Windows 8/2012 and later handle but older clients and some NAS appliances do not. restrict anonymous = 2 also refuses anonymous IPC$ connections, which some older clients use for browsing, so test with your client mix. server signing is already mandatory by default on an AD DC and is kept here so the intent is documented.

sudo tee -a /etc/samba/smb.conf <<'EOF'

[global]
  server min protocol = SMB2
  client min protocol = SMB2
  restrict anonymous = 2
  smb encrypt = required
  server signing = mandatory
  ntlm auth = ntlmv2-only
EOF

sudo testparm -s >/dev/null && sudo systemctl restart samba-ad-dc
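To verify the result rather than trust the edit, here is an added example (not from the post and not a Samba tool) that reads the effective configuration from testparm -sv and reports settings that still allow SMB1, NTLMv1, unsigned or unencrypted sessions. The two embedded configurations are constructed samples, and the value spellings it compares against (SMB2_02 for the lowest SMB2 dialect, ntlmv2-only and ntlmv1-permitted for ntlm auth) are what testparm prints for these parameters.

```shell
#!/bin/sh
# smb-audit.sh (added example, not from the post): audit the effective Samba
# configuration for settings that weaken an AD DC. Input is the output of
# `testparm -sv`, which prints every parameter as "  name = value" lines.
set -eu

# smb_param CONF NAME -> the value of NAME (first match), empty if absent.
# Anchored at line start so "min protocol" does not match "server min protocol".
smb_param() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
      | head -n 1
}

# weak_settings CONF -> one line per weak setting; no output means all checks passed.
# Assumption: testparm's spellings, e.g. "SMB2_02" and "ntlmv1-permitted".
weak_settings() {
    minp=$(smb_param "$1" "server min protocol")
    case "$minp" in
        SMB2*|SMB3*) ;;
        *) echo "server min protocol = ${minp:-unset}: SMB1 dialects still accepted" ;;
    esac
    ntlm=$(smb_param "$1" "ntlm auth")
    case "$ntlm" in
        yes|ntlmv1-permitted) echo "ntlm auth = $ntlm: NTLMv1 accepted" ;;
    esac
    enc=$(smb_param "$1" "smb encrypt")
    if [ "$enc" != required ]; then
        echo "smb encrypt = ${enc:-unset}: SMB3 encryption not enforced"
    fi
    sign=$(smb_param "$1" "server signing")
    case "$sign" in
        mandatory|required|default) ;;   # "default" resolves to mandatory on an AD DC
        *) echo "server signing = ${sign:-unset}: unsigned sessions allowed" ;;
    esac
}

# Constructed samples (not real testparm output) used by the self-check.
SAMPLE_WEAK='[global]
    workgroup = EXAMPLE
    server min protocol = NT1
    ntlm auth = ntlmv1-permitted
    smb encrypt = default
    server signing = auto'
SAMPLE_HARDENED='[global]
    workgroup = EXAMPLE
    server min protocol = SMB2_02
    ntlm auth = ntlmv2-only
    smb encrypt = required
    server signing = mandatory'

main() {
    conf=$(testparm -sv 2>/dev/null)
    findings=$(weak_settings "$conf")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        return 1
    fi
    echo "smb.conf: no weak settings found"
}

# Only audit the live host when invoked with "run"; sourcing just loads the helpers.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as root with the argument run after every smb.conf change; a non-zero exit with the findings on stderr makes it usable as a post-deploy gate in configuration management.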

Kerberos (ticket lifetimes)

/etc/krb5.conf controls what Kerberos clients on this host ask for, not what the KDC grants; Samba's KDC enforces its own limits, which are set in smb.conf with kdc:user ticket lifetime, kdc:service ticket lifetime and kdc:renewal lifetime (in hours). The file below is the provisioned one with explicit lifetimes and rdns = false (so a reverse-DNS mismatch cannot change which service principal a client requests); keep it identical on both DCs:

sudo tee /etc/krb5.conf <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  rdns = false
EOF

SSH hardening

Ubuntu 22.04's sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf and sshd keeps the first value it reads for each keyword, so overrides belong in a drop-in that sorts first; a sed on the main file can be silently beaten by a packaged drop-in (cloud images can ship one that turns password logins back on). PermitRootLogin no would also cut off the SYSVOL rsync from section 4, which logs in as root with a key, so allow root by key only and only from the peer DC:

sudo tee /etc/ssh/sshd_config.d/00-hardening.conf <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
# Replace 'adminuser' with your admin account. root@192.168.0.7 lets SD01 push SYSVOL to SD02;
# on SD01 use root@192.168.0.10 instead, so the direction can be reversed after a failover.
AllowUsers adminuser root@192.168.0.7
EOF
sudo sshd -t && sudo systemctl restart ssh

Sysctl / kernel

sudo tee -a /etc/sysctl.d/99-samba-hardening.conf <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
EOF
sudo sysctl --system

Mask the standalone smbd/nmbd/winbind units

SMBv1 is already refused by server min protocol above; these units are masked because the samba-ad-dc process starts its own smbd and winbindd, and the standalone services would compete with it for the same ports:

sudo systemctl disable --now smbd nmbd winbind || true
sudo systemctl mask smbd nmbd winbind || true

Password & lockout policy (Samba AD)

The age values are days. The lockout option is --account-lockout-threshold (samba-tool has no --lockout-threshold, so the shorter spelling is rejected); pair it with --account-lockout-duration and --reset-account-lockout-after, both in minutes, so the lockout window is explicit, and confirm the result with samba-tool domain passwordsettings show.

sudo samba-tool domain passwordsettings set --complexity=on
sudo samba-tool domain passwordsettings set --history-length=24
sudo samba-tool domain passwordsettings set --min-pwd-age=1
sudo samba-tool domain passwordsettings set --max-pwd-age=90
sudo samba-tool domain passwordsettings set --min-pwd-length=12
sudo samba-tool domain passwordsettings set --account-lockout-threshold=5 --account-lockout-duration=30 --reset-account-lockout-after=30

File permissions & TLS keys

sudo chown root:root /var/lib/samba/private/tls/*
sudo chmod 600 /var/lib/samba/private/tls/key.pem

Firewall

ufw defaults to denying incoming traffic, so allow SSH before enabling it or you lose the console. A DC needs UDP as well as TCP for DNS and Kerberos, plus kpasswd (464), LDAPS (636), the global catalog ports (3268/3269) and the dynamic RPC range that DRS replication between the DCs actually uses after the endpoint mapper on 135 hands out a port (Samba's default rpc server dynamic port range is 49152-65535):

sudo ufw allow OpenSSH
for p in 53 88 389 464; do
  sudo ufw allow from 192.168.0.0/24 to any port $p proto tcp
  sudo ufw allow from 192.168.0.0/24 to any port $p proto udp
done
for p in 135 139 445 636 3268 3269; do
  sudo ufw allow from 192.168.0.0/24 to any port $p proto tcp
done
sudo ufw allow from 192.168.0.0/24 to any port 123 proto udp         # NTP for domain members
sudo ufw allow from 192.168.0.0/24 to any port 137:138 proto udp     # NetBIOS name/datagram service, only if legacy clients need it
sudo ufw allow from 192.168.0.10 to any port 49152:65535 proto tcp   # dynamic RPC from the peer DC (use 192.168.0.7 on SD02)
sudo ufw enable

Audit & logging

sudo apt install auditd -y
sudo systemctl enable --now auditd
# Add auditd watch rules for /etc/samba, /var/lib/samba/private and the sysvol tree according to company policy.
# For the directory itself, Samba's own audit classes in smb.conf (for example
# log level = 1 auth_audit:3 auth_json_audit:3 dsdb_audit:3) record every authentication
# and every directory change; ship those logs off-host so a compromised DC cannot erase them.

6. Failover & FSMO Role Transfer

With SD01 down, SD02 keeps answering DNS, Kerberos and LDAP on its own; the FSMO roles only matter for operations such as RID allocation, schema and naming changes and PDC-emulator duties, so take them when the outage will outlast what those can wait. Transfer while both DCs are up; seize only when SD01 is unreachable, and after a seizure treat SD01 as gone: rebuild it (or remove it with samba-tool domain demote --remove-other-dead-server=SD01) rather than powering the old copy back on as a role holder.

sudo samba-tool fsmo show   # shows current owners

# Planned: SD01 still online, run on SD02 (transfer moves the roles to the DC you run it on)
sudo samba-tool fsmo transfer --role=all

# Unplanned: SD01 offline, run on SD02 (seize tries a transfer first and seizes if that fails; --force skips the attempt)
sudo samba-tool fsmo seize --role=all

# Verify
sudo samba-tool fsmo show

After the roles move, SD02 is the SYSVOL source: move the rsync cron job from section 4 to SD02 (pointing at 192.168.0.7) and reset the SYSVOL ACLs, then confirm replication:

sudo samba-tool ntacl sysvolreset
sudo samba-tool drs showrepl

To move the roles back after a planned outage, run on SD01:

sudo samba-tool fsmo transfer --role=all

7. Validation & Testing

  1. Replication health:
    sudo samba-tool drs showrepl
  2. DNS SRV records:
    host -t SRV _ldap._tcp.example.com
    host -t SRV _kerberos._tcp.example.com
  3. Kerberos tests:
    kinit Administrator@EXAMPLE.COM
    klist
  4. SMB shares:
    smbclient -L localhost -U Administrator
  5. Windows client login: join a Windows client to the domain and test logons with SD01 online, then with SD01 powered off (the client must list both DCs as DNS servers, or it cannot find SD02).

8. Monitoring, Backup & Maintenance

Essentials for production:

  • Daily backup with samba-tool domain backup, stored encrypted and offsite and restore-tested on a scratch VM with samba-tool domain backup restore (a plain tar of the live .ldb/.tdb files can capture a half-written transaction; samba-tool takes a consistent copy)
  • Regularly run samba-tool drs showrepl and samba-tool dbcheck --cross-ncs
  • Log rotation: configure /etc/logrotate.d/samba
# Example backup: writes /backup/samba-backup-<timestamp>.tar.bz2; keep a dated copy of smb.conf beside it
sudo samba-tool domain backup offline --targetdir=/backup
sudo cp /etc/samba/smb.conf /backup/smb.conf-$(date +%F)
# Securely copy to offsite
scp /backup/samba-backup-*.tar.bz2 /backup/smb.conf-$(date +%F) backupuser@backup.example.net:/secure/backups/
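For the replication and DNS checks in sections 7 and 8, an added example (not part of the post) that parses samba-tool drs showrepl and host -t SRV output and exits non-zero when a neighbour reports consecutive failures or this DC is missing from the _ldap._tcp SRV set, so it can run from cron or a monitoring agent. The two embedded outputs are constructed, abridged samples, and the line layout the parser relies on is the one showrepl prints: partition DN at the left margin, the peer line with "via RPC" indented under it, then the "N consecutive failure(s)." counter for that link.

```shell
#!/bin/sh
# dc-health.sh (added example, not from the post): fail loudly when DRS
# replication reports consecutive failures or when this DC has dropped out of
# the domain's _ldap._tcp SRV set. Intended for cron or a monitoring agent.
set -eu

# failed_links SHOWREPL -> "<partition> <peer> <failures>" for every neighbour
# (inbound and outbound) whose counter is above zero. Relies on the layout
# `samba-tool drs showrepl` prints: partition DN at column 0, "Site\DC via RPC"
# indented below it, then "N consecutive failure(s)." for that link.
failed_links() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z]+=/          { nc = $0 }                        # naming context line
        / via /                { peer = $1 }                      # "Site\DC via RPC"
        /consecutive failure/  { if ($1 + 0 > 0) print nc, peer, $1 }
    '
}

# srv_lists_host HOSTOUT FQDN -> 0 if `host -t SRV` output names FQDN as a target
srv_lists_host() {
    printf '%s\n' "$1" | grep -i ' has SRV record ' | grep -qiF " $2."
}

# Constructed, abridged samples (not captured from a real DC) for the self-check.
SAMPLE_SHOWREPL='Default-First-Site-Name\SD01
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=example,DC=com
    Default-First-Site-Name\SD02 via RPC
        Last attempt @ Mon Jun  2 10:00:01 2025 IST was successful
        0 consecutive failure(s).
        Last success @ Mon Jun  2 10:00:01 2025 IST

CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\SD02 via RPC
        Last attempt @ Mon Jun  2 10:00:02 2025 IST failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).
        Last success @ Mon Jun  2 09:45:02 2025 IST

==== OUTBOUND NEIGHBORS ====

DC=example,DC=com
    Default-First-Site-Name\SD02 via RPC
        Last attempt @ Mon Jun  2 10:00:03 2025 IST was successful
        0 consecutive failure(s).
        Last success @ Mon Jun  2 10:00:03 2025 IST'
SAMPLE_SRV='_ldap._tcp.example.com has SRV record 0 100 389 sd02.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 sd01.example.com.'

main() {
    fqdn=$(hostname -f)
    domain=${fqdn#*.}
    rc=0
    repl=$(samba-tool drs showrepl)
    bad=$(failed_links "$repl")
    if [ -n "$bad" ]; then
        printf 'replication failing (partition peer failures):\n%s\n' "$bad" >&2
        rc=2
    fi
    srv=$(host -t SRV "_ldap._tcp.$domain")
    if ! srv_lists_host "$srv" "$fqdn"; then
        echo "$fqdn is missing from _ldap._tcp.$domain SRV records" >&2
        rc=2
    fi
    return $rc
}

# Only probe the live DC when invoked with "run"; sourcing just loads the helpers.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as root on each DC (for example every 15 minutes from cron, with the exit status fed to your alerting); a DC that silently lost its SRV records still answers queries, which is why the SRV check is worth more than a plain port probe.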

9. Troubleshooting (common issues)

DNS binding or port 53 already in use

sudo ss -lntup | grep ':53\b'
# if another process (systemd-resolved) is listening, disable it or adjust /etc/resolv.conf

Secrets DB missing on join

ls -l /var/lib/samba/private/secrets.ldb
# Ensure samba-ad-dc created secrets.ldb after successful join or provision

Replication refused on port 135 / RPC errors

nc -vz sd02.example.com 135
# 135 only reaches the endpoint mapper; DRS is then told a port in the dynamic range (49152-65535 by default),
# so the firewall between the DCs must allow that range as well as 135 and 445

Kerberos kinit failed

kinit Administrator@EXAMPLE.COM
# check /etc/krb5.conf and that KDC entries point to reachable DCs
# ensure correct time sync (ntp/chrony)

This document provides a reproducible, production-ready Samba AD deployment for example.com (Ubuntu 22.04). Use with appropriate change control, backups, and test windows in production environments.

Suggested labels: Ubuntu, Samba AD, Active Directory, Sysadmin, Linux Security, Samba Hardening
