I am trying to set up Samba 4 on a dedicated server from kimsufi.com, but I am having difficulties configuring Kerberos and Samba4.
I am very confused about IP, Realm, Domain, NetBIOS, DNS etc. in Kerberos and Samba. All the tutorials I found via Google seem to deal with home servers in a LAN and show domains like TEST.LOCAL, but my machine is on the internet with an IP different from 192.168…
My question is: What should the config be in my specific case?
Details of my server (Debian 7.8):
Hostname: ks12345xxx.kimsufi.com
IP: 37.187.xx.xxx
/etc/hosts:
127.0.0.1 localhost.localdomain localhost
37.187.xx.xxx ks12345xxx.kimsufi.com ks12345xxx
/etc/hostname:
ks12345xxx.kimsufi.com
/etc/resolv.conf:
nameserver 127.0.0.1
nameserver 213.186.33.99
search ovh.net
During Kerberos installation I get the following defaults:
Kerberos version 5 realm: KIMSUFI.COM
Is that right? The server can't be reached via kimsufi.com, as this is my hoster's domain.
Kerberos servers for your realm:
Empty by default. What shall I put in? Nothing or my hostname ks12345xxx?
Administrative server for your Kerberos realm:
Empty by default. What shall I put in? Nothing or my hostname ks12345xxx?
During SAMBA4 provisioning by "samba-tool domain provision" I am getting these defaults:
Realm [KIMSUFI.COM]:
Same concern as with the Kerberos installation: Is that right? kimsufi.com does NOT point to my server.
Domain [KIMSUFI]:
Correct?
Server Role (dc, member, standalone) [dc]:
DNS backend [SAMBA_INTERNAL]:
These are okay.
DNS forwarder IP address [127.0.0.1]:
Is that correct?
At the end I get this output:
Server Role: active directory domain controller
Hostname: ks12345xxx
NetBIOS Domain: KIMSUFI
DNS Domain: kimsufi.com
and in /etc/samba/smb.conf
[global]
workgroup = KIMSUFI
realm = KIMSUFI.COM
netbios name = KS12345xxx
server role = active directory domain controller
Can this configuration be right despite the fact that kimsufi.com does not lead to my server?
Or will I need to buy an extra domain like mysamba4server.net?
Thanks for any clarifying advice or proposals.
Best Answer
Regarding Kerberos configuration
Samba as an AD/DC ships and runs its own Kerberos server (KDC). So there should not be a need to separately install and configure the Kerberos server.
Also, Samba's provisioning tool (samba-tool domain provision) produces an example krb5.conf file at the end. You should be able to simply copy that to /etc/krb5.conf.
Regarding DNS configuration
You chose to use Samba's internal DNS server, which is the standard safe choice. If your resolv.conf file already contained 127.0.0.1 as nameserver entry before, then you probably need to do some changes. Assuming that your server was not a DNS server before, you should not modify resolv.conf before running samba-tool domain provision. Then samba-tool would propose 213.186.33.99 from your resolv.conf as the DNS forwarder, and this would be the correct choice. This is the DNS server to which Samba will forward all requests that are not for its own domain.
After Samba's provisioning is done, you should change your resolv.conf to only list 127.0.0.1 as nameserver. And it should contain kimsufi.com as domain and search entries. But see below for comments on using this domain.
Regarding using the domain kimsufi.com
Your Samba server needs to be authoritative for the DNS domain that you are using as realm/domain for the provision. That means that you should not use the domain of your hoster or any other domain that exists externally.
Whether you need to buy a new domain depends on how you want your new Samba AD domain to be accessed:
mydomain.private and have your AD server own it and have your AD clients use it.
myaddom.somedomain.com, but you need control over it.
That being said, it is not very advisable to expose an AD server on the internet, so hopefully you are using the first approach.
More information
See the Samba AD DC HOWTO for more information.
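A check for the settings discussed in the answer above, as an added example that is not part of the original question or answer: it parses smb.conf and resolv.conf text and lists where they deviate from that advice. The function names, finding labels, the foreign_domains parameter and the sample files (including their dns forwarder lines and the MYDOMAIN workgroup) are assumptions constructed for illustration.

```python
def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf as a lowercase-keyed dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def parse_resolv(text):
    """Return (nameservers, search/domain entries) from resolv.conf text."""
    servers, search = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
        elif len(fields) >= 2 and fields[0] in ("search", "domain"):
            search += [d.lower().rstrip(".") for d in fields[1:]]
    return servers, search

def check_ad_dns(smb_conf, resolv_conf, foreign_domains=()):
    """List deviations from the advice: owned realm, upstream forwarder, local resolver."""
    smb = parse_smb_global(smb_conf)
    servers, search = parse_resolv(resolv_conf)
    realm = smb.get("realm", "").lower()
    findings = []
    if realm in {d.lower() for d in foreign_domains}:
        findings.append("realm-not-owned")  # e.g. the hoster's domain
    fwd = smb.get("dns forwarder", "").split()
    if not fwd or any(a.startswith("127.") or a == "::1" for a in fwd):
        findings.append("forwarder-missing-or-loopback")  # Samba would forward to itself
    if servers != ["127.0.0.1"]:
        findings.append("resolv-nameserver-not-only-localhost")
    if realm not in search:
        findings.append("resolv-search-missing-realm")
    return findings

# Constructed samples (assumptions): the asker's defaults accepted as-is, then a private-domain variant.
ASKER_SMB = "[global]\n workgroup = KIMSUFI\n realm = KIMSUFI.COM\n dns forwarder = 127.0.0.1\n"
ASKER_RESOLV = "nameserver 127.0.0.1\nnameserver 213.186.33.99\nsearch ovh.net\n"
FIXED_SMB = "[global]\n workgroup = MYDOMAIN\n realm = MYDOMAIN.PRIVATE\n dns forwarder = 213.186.33.99\n"
FIXED_RESOLV = "nameserver 127.0.0.1\nsearch mydomain.private\n"
if __name__ == "__main__":
    for smb, res in ((ASKER_SMB, ASKER_RESOLV), (FIXED_SMB, FIXED_RESOLV)):
        print(check_ad_dns(smb, res, foreign_domains=["kimsufi.com"]))
```

The resolv.conf checks describe the state after provisioning; before provisioning the file should still point at the upstream nameserver, as the answer explains.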