Hello everyone. In this series of posts I am going to show you how to set up an Active Directory server for networks of Windows computers, using Debian (if we are going to set up a server, we are going to do it properly). In this first installment I will explain the installation and configuration of the server, and in the second I will show how to use the remote administration tools from Windows 7 and how to join computers to the domain (Windows 7 itself and a Windows XP machine). Later I will write a third installment on how to join GNU/Linux machines, since that is something I still have to test.
The idea came to me while I was (or am, depending on when you read this) taking a Microcomputer Equipment Repair Technician course in which we set up a Windows Server 2008 (not R2) network server. I started looking into whether I could do the same under GNU/Linux, and the result is really good; even my teacher was surprised by the speed of the server.
Before continuing, and surely many of you are asking yourselves: what is Active Directory? It is the name Microsoft gives to its directory service for Windows networks: an LDAP directory of users, groups and computers, a Kerberos authentication server and an integrated DNS server, plus the tools to administer them. Samba 4 implements that same set of protocols, which is why a Debian machine can act as a domain controller for Windows clients.
We will need the following:
- Debian stable (in my case Wheezy 7.5 with XFCE as desktop environment).
- Samba 4.
- A client with Windows 7/8/8.1 with the Remote Server Administration Tools (RSAT) package installed, required to manage the domain (for example, to share a folder with users). This will be explained in the next tutorial.
Setting up the server
Before installing anything we must edit a few files so that everything works, especially so that the computers on the network can find the domain controller.
The first thing is to give the server a fixed IP address. My Debian test machine in VirtualBox uses the base networking configuration (/etc/network/interfaces), while on the real server I configure it from Network Manager, so I will explain both.
Networking
The first file we edit is /etc/network/interfaces:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 192.168.0.67
    netmask 255.255.255.0
    gateway 192.168.0.1
    dns-nameservers 192.168.0.67
    dns-search clase.org
    dns-domain clase.org
Where:
- address: the IP address of our server.
- netmask: the network mask. In a small office or home network it is usually this one.
- gateway: the default gateway, normally the router that gives us access to the Internet. It must be an address inside the subnet defined by address and netmask (here 192.168.0.0/24); an address from another network, such as 172.26.0.1, would be rejected or silently ignored.
- dns-nameservers: the IP of the DNS server. For a domain controller this must be the server itself, because Samba's internal DNS is what publishes the domain records. Do not add a public resolver such as Google's as a second entry: lookups for clase.org would then intermittently go to a server that knows nothing about the domain. External names are handled by the forwarder configured in smb.conf later on.
- dns-search and dns-domain: the DNS search suffix and the domain name itself. These dns-* lines are only applied if the resolvconf package is installed; otherwise /etc/resolv.conf has to be edited by hand.
Now we make sure /etc/hosts resolves the server's name to its LAN address:
127.0.0.1 localhost
192.168.0.67 Matrix.clase.org Matrix
Matrix is the name I gave the server. The fully qualified name must map to the LAN IP only: if Matrix.clase.org is also mapped to 127.0.0.1, Samba will register the loopback address in DNS and the clients on the network will not be able to find the domain controller.
Finally we edit /etc/resolv.conf so that the server uses its own DNS (the same address as in dns-nameservers above):
nameserver 192.168.0.67
In some tutorials I found they added another nameserver line and a couple more variables, but in my case one line was enough. If resolvconf is installed, this file is generated from the dns-* lines in the interfaces file and must not be edited by hand.
Now we restart the network service and that's it:
/etc/init.d/networking restart
Network Manager
Right-click the network icon and select Edit connections. The connections we have configured are listed; the one we care about is Wired connection 1, or whatever you named it. Double-click it, go to the IPv4 Settings tab and set Method to Manual. Click Add and fill in the same values as in the interfaces file above: address 192.168.0.67, netmask 255.255.255.0, gateway 192.168.0.1, DNS server 192.168.0.67 and search domain clase.org.
Then go to the General tab and make sure All users may connect to this network is checked, so that the static configuration is applied at boot and not only after a user logs in. Click Save and close.
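Before going on to Samba it is worth verifying the three settings above mechanically, because the mistakes they invite (a gateway outside the subnet, the FQDN mapped to 127.0.0.1, a resolver other than the DC itself) only show up later as clients that cannot find the domain. The following script is an added example and not part of the original tutorial; the function names are my own, and the sample hosts and resolv.conf files it writes under mktemp are constructed from the tutorial's values (192.168.0.67/24, Matrix.clase.org).

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the static network
# settings of a future Samba domain controller before provisioning.

# Dotted quad -> 32-bit integer, using only POSIX shell arithmetic.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeeds when the gateway lies inside the subnet given by address and netmask.
# The tutorial's original gateway (172.26.0.1) fails this for 192.168.0.67/24.
gateway_in_subnet() {  # $1=address $2=netmask $3=gateway
    addr=$(ip_to_int "$1"); mask=$(ip_to_int "$2"); gw=$(ip_to_int "$3")
    [ $(( addr & mask )) -eq $(( gw & mask )) ]
}

# Succeeds when the DC's FQDN maps to its LAN address in the hosts file and is
# NOT also mapped to a loopback address (Samba requires the LAN IP only).
hosts_file_ok() {  # $1=hosts file $2=fqdn $3=lan ip
    awk -v fqdn="$2" -v ip="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i == fqdn) {
                    if ($1 == ip) lan = 1
                    if ($1 ~ /^127\./) loop = 1
                }
        }
        END { if (lan && !loop) exit 0; exit 1 }' "$1"
}

# Succeeds when every nameserver in resolv.conf is the DC itself: an AD DC must
# use its own DNS, so a public resolver here (even as a second entry) is wrong.
resolv_conf_ok() {  # $1=resolv.conf $2=dc ip
    awk -v ip="$2" '
        $1 == "nameserver" { n++; if ($2 != ip) bad = 1 }
        END { if (n && !bad) exit 0; exit 1 }' "$1"
}

# Demonstration on the tutorial's values, with constructed sample files.
tmp=$(mktemp -d)
printf '127.0.0.1 localhost\n192.168.0.67 Matrix.clase.org Matrix\n' > "$tmp/hosts"
printf 'search clase.org\nnameserver 192.168.0.67\n' > "$tmp/resolv.conf"
for gw in 172.26.0.1 192.168.0.1; do
    if gateway_in_subnet 192.168.0.67 255.255.255.0 "$gw"; then
        echo "gateway $gw: ok"
    else
        echo "gateway $gw: not inside 192.168.0.0/24"
    fi
done
if hosts_file_ok "$tmp/hosts" Matrix.clase.org 192.168.0.67; then echo "hosts: ok"; else echo "hosts: FAIL"; fi
if resolv_conf_ok "$tmp/resolv.conf" 192.168.0.67; then echo "resolv.conf: ok"; else echo "resolv.conf: FAIL"; fi
rm -rf "$tmp"
```

On a real server, call the two file checks with /etc/hosts and /etc/resolv.conf instead of the temporary files; the functions only read, so they are safe to run on the live configuration.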
Installing Samba 4
In our case we download and compile Samba 4 from its website, because in Debian Wheezy it is only available through the backports repository and that gave me dependency problems. (Newer Debian releases ship Samba 4 in the main repository, so check apt-cache before compiling.)
Go to http://samba.org, download the latest stable version, verify the tarball against the GPG signature published next to it, and unpack it in a folder.
To compile it we will need to install the following packages:
apt-get install build-essential libacl1-dev libattr1-dev \
libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \
python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
Once downloaded and unpacked, open a terminal, change into that folder and run the following commands (make install as root; by default everything is installed under /usr/local/samba):
./configure --enable-debug
make
make install
Now we add the new directories to the PATH. In my case in /etc/bash.bashrc, so that it applies to all users, including root:
export PATH=$PATH:/usr/local/samba/bin:/usr/local/samba/sbin
We also create a link inside /etc so that the configuration is reachable at the usual path, /etc/samba/smb.conf (Samba itself reads it from /usr/local/samba/etc):
ln -s /usr/local/samba/etc/ /etc/samba
Now we provision the domain. For this we execute:
samba-tool domain provision --realm=clase.org --domain=CLASE --adminpass=Contraseña --use-rfc2307
where:
- --realm: the full DNS name of the domain. It also becomes the Kerberos realm, in capital letters.
- --domain: the short (NetBIOS) domain name. It has to be in capital letters, at most 15 characters, and different from the server's host name.
- --adminpass: the password of the domain Administrator. It must satisfy the default password policy (at least 7 characters, using three of the four character classes). Bear in mind that a password given on the command line ends up in the shell history and is visible to other users in the process list; if you omit the option, samba-tool prompts for it instead.
- --use-rfc2307: enables the NIS/RFC 2307 extensions, so that Unix attributes (uidNumber, gidNumber, login shell...) can be stored in the directory. GNU/Linux clients will need this later.
If everything goes well, after a little while Samba will finish provisioning and print a summary of the domain (server role, host name, NetBIOS domain, DNS domain and domain SID). If you want to know all the possible options, just run:
samba-tool domain provision -h
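Provision refuses realms, NetBIOS names and passwords that do not meet its rules, but the error only arrives after the command has been typed (and, with --adminpass, after the password has landed in the shell history). The script below is an added example, not part of the original tutorial or of Samba: it checks the three parameters in advance against the defaults a fresh Samba AD domain enforces (NetBIOS name of at most 15 characters, password of at least 7 characters with three of the four character classes). The function names are mine, the realm and domain are the tutorial's, and the password used in the demonstration is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# arguments of `samba-tool domain provision`.

# Realm (--realm): a DNS name, lower case by convention, with at least one dot.
# Single-label realms cause trouble with DNS and with Windows clients.
realm_ok() {
    case "$1" in
        *.*) [ "$1" = "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ] ;;
        *)   return 1 ;;
    esac
}

# NetBIOS domain (--domain): upper case, 1-15 characters, letters/digits/hyphen,
# and not identical to the DC's own host name.
domain_ok() {  # $1=domain $2=hostname
    case "$1" in
        "" | *[!A-Z0-9-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ] && [ "$1" != "$(printf '%s' "$2" | tr 'a-z' 'A-Z')" ]
}

# Number of character classes (upper, lower, digit, other) present in $1.
char_classes() {
    n=0
    printf '%s' "$1" | grep -q '[A-Z]'         && n=$((n + 1))
    printf '%s' "$1" | grep -q '[a-z]'         && n=$((n + 1))
    printf '%s' "$1" | grep -q '[0-9]'         && n=$((n + 1))
    printf '%s' "$1" | grep -q '[^A-Za-z0-9]'  && n=$((n + 1))
    echo "$n"
}

# Administrator password (--adminpass) under the default policy:
# at least 7 characters and at least 3 of the 4 classes.
adminpass_ok() {
    [ ${#1} -ge 7 ] && [ "$(char_classes "$1")" -ge 3 ]
}

# Demonstration with the tutorial's realm and domain. "Contrasena1!" is a
# constructed placeholder, not the password used in the post. In practice,
# omit --adminpass and let samba-tool prompt, so the password never reaches
# the shell history or the process list.
for check in "realm_ok clase.org" "domain_ok CLASE Matrix" "adminpass_ok Contrasena1!"; do
    if $check; then echo "$check: ok"; else echo "$check: FAIL"; fi
done
```

The checks mirror what provision itself rejects, so a parameter set that passes here will not fail on the name or password rules; they say nothing about the DNS or network configuration, which the previous section covers.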
Now we edit the file /etc/samba/smb.conf. For now the line that interests us is:
dns forwarder = 192.168.0.1
This must point to the DNS server that gives us access to the Internet (in this case, the router). Samba's internal DNS answers queries for clase.org itself and forwards everything else to this address, which is what lets the domain members resolve external names while using the DC as their only DNS server. Provision takes the value from the server's own resolver configuration, but it is worth verifying.
Now we start the service:
samba
A source build does not install an init script, so you will have to add this to the server's startup yourself (or start it by hand after each reboot).
and we check that it answers by running:
smbclient -L localhost -U%
If everything is correct we will see the shares created by provision: netlogon and sysvol, plus IPC$. It is also worth confirming that the internal DNS publishes the domain records, for example the _ldap._tcp.clase.org and _kerberos._udp.clase.org SRV records and the A record of the server, with host -t SRV and host -t A (from dnsutils).
If we get a connection error, we go back over the steps of the previous section. The Samba log is in /usr/local/samba/var/log.samba.
Now we copy the file /usr/local/samba/private/krb5.conf, generated by provision, to /etc/krb5.conf. It sets default_realm to CLASE.ORG and tells the Kerberos libraries to locate the KDC through DNS, which is another reason the DNS configuration above has to be right. Then we check that we can authenticate:
kinit administrator@CLASE.ORG
Note that the realm has to be in capital letters.
It will ask for the user's password (in this case the Administrator's), and if we get a message like "Warning: Your password will expire in 40 days on Mon Jul 14 13:57:10 2014" it worked; klist shows the ticket we just obtained. Kerberos tolerates at most five minutes of clock difference between client and KDC, so if kinit fails with a clock skew error, synchronise the server's time first.
That is all for the first part of the tutorial. See you in the next one.
Very interesting, I always wanted to know how this was done.
Is it possible to do it using SSH instead of Samba?
I understand that it is much faster and safer.
I will have to investigate about it.
Friend, could you explain to me the step-by-step procedure to share the Internet from a server with a Windows XP operating system to a set of computers with a Linux operating system, and vice versa, that is, from a Linux server to clients running Windows?
Dear Lolo, that is impossible, since SSH allows a session (and other things, like transferring files and applications) through the terminal between computers with GNU/Linux, while Samba constitutes an alternative for GNU/Linux to Microsoft's Active Directory system.
What Son Link has made is a domain controller in GNU/Linux.
Very good tuto. It's great for people like me who are kind of green on it. Thanks a lot
Thank you! Excellent guide. Approve…
Thank you friend, your guide is very good. I am waiting for the second part; by the way, have you made it work with LDAP?
Greetings.
Very interesting, I am waiting for the continuation. Thank you. ^ _ ^
PS: I think there is a small transcription error in the /etc/network/interfaces configuration: it says dns-domian when it seems to me it should be dns-domain.
Corrected. Thanks for warning ^^
I found this article very interesting. Since I am just in the learning process and I do not have much knowledge in this matter and I want to learn more about management and administration of operating systems.
Is that useful for making shared folders in Debian, or is that aspect going into another tutorial?
There is a Linux distribution called Resara Server, based on Ubuntu, that is used exclusively to build a domain controller. I tried it and it is very easy to use; I was able to join computers to the domain with that server. I leave the howto here, maybe someone will find it useful: http://ostechnix.wordpress.com/2012/12/31/resara-server-an-alternative-opensource-linux-domain-controller-for-windows-active-directory-controller/
Oh !!! Great, the contribution of the day .. Thank you 😉
You are welcome! 😀
Thanks for sharing. Then I take a look at it
Thanks for sharing!
regards
Excellent tutorial, I'll be waiting for the rest. I remember when I set up a PDC on Debian 6 with Samba 3 and LDAP. It worked, but I had to use the .pol templates to edit the policies. In this case, how are these policies administered?
User and group policies have to be managed from a Windows 7/8/8.1 client with the remote administration package. It is something I will explain in the next installment. I have been looking to see if there was a way to do it without resorting to that, but I did not find anything, and the Samba wiki just says it is done like that, at least for Windows computers. I will keep looking, so I think it will take a little while to upload the next installment.
Excellent information ... Thanks for this ...
CHEERS!!!
Excellent... I'm quite interested in this... When is the second part coming? Or if you have any manual on this, send it to me by email... please! Thanks.
Well, throughout the week, but I couldn't tell you exactly when, since between classes and a project I'm working on, I'm busy.
Excellent tutorial….
I hope one day to put it into practice ..
Greetings and waited for the second part !!!!
The truth is that I did this once, but I didn't go very deep into it... I want to recommend a tool to you; I don't know if you know it or not, and I don't know its limitations, but to connect to an Active Directory server I had no problem with it. I tried it at a college and it worked very well. The program is called Likewise; it does the same as everything you did with Samba, only you don't configure so much, it is somewhat more condensed, and of course you can modify what you need to your liking 🙂
Hope this can help you! Cheers
Very interesting article, I will look forward to the second installment. It was a great surprise to find out that it is possible to handle a "modern" Active Directory with GNU/Linux. I remember doing it a long time ago with an NT 4 style domain, and it was a great disappointment not being able to emulate it when Microsoft changed the "structure" of its LDAP in Windows 2000 Server.
Greetings from Ecuador =]
Hi. Thanks a lot!
I have a couple of doubts ... what exactly is the active directory for?
And on the other hand, could you teach, if you can, how to audit what users do?
Greetings and thanks.
For auditing I implemented this: http://chicheblog.wordpress.com/2011/01/21/como-auditar-la-actividad-de-los-usuarios-en-samba/
But if you can expand it, or add something you know, it is appreciated!
regards
Good Night, Greetings from Peru.
I have a query a little different from everything published. Let me explain a bit: I have this folder configured in the /etc/samba/smb.conf file:
[Private]
comment = Private Folder
path = /home/Private
read only = yes
browseable = yes
guest ok = no
public = no
write list = @comercial, @gestion
valid users = @comercial, @gestion
create mask = 0777
directory mask = 0777
Now to my query. Everything works fine, but when I log in from one computer with the user "pepe", belonging to the group "comercial", and from another computer with the user "coco", belonging to the group "gestion", the following happens: when I create a file or folder as "pepe" and want to delete that directory or file from the other PC as "coco", it tells me I can't because I don't have privileges, although the author himself can delete that file or directory. You see?
The Private folder was created as follows:
chmod -R 777 /home/Private
They work on the same LAN.
I use the Ubuntu Server 14.xx distro.
It should be noted that what I want is for this Private folder to be managed by two or more users, with the idea of working with groups, but it seems there is something I am missing or omitting. I hope for your attention and remain attentive to your comments.
Friend, you can achieve that by removing the commas, like this:
write list = @comercial @gestion
valid users = @comercial @gestion
Hello dear,
I would like to know if the second part of the course is still pending, I look forward to your comments and thank you.
Well, maybe not, since I barely know the basics to do it and people have already asked me questions I have no answer for, so I think it is best not to do that second part, because, honestly, doing another part with little knowledge and without the necessary equipment (I only have my PC, and doing it with virtual machines is cumbersome and they do not usually work the first time)...
I'm really sorry about this, but from my point of view it's for the best. If someone else with the knowledge is encouraged to write that second part, they are free to do so.
Good afternoon. Just today I read all the comments, and I have a machine half configured; that is how I find out that you will not publish the second part. I want to know if it is possible to have an executable in a folder, along with several DBF tables, to access from several computers.
Please reply as soon as possible.
Dear,
I would like to know if the second part of this interesting tutorial is still pending, I thank you in advance for your attention.
Thank you.
Excellent tutorial, I hope you go ahead with the second part. Could you tell me which remote server administration tools to download so I can test them?
Greetings.
I congratulate you, and the second part?
Interesting article, have you released the next version?
Very good tutorial, only one question about the second part: how would it be, or does it end with this tutorial?
I like the idea of learning new things. Thank you David for sharing your knowledge,
Greetings
Postscript: on the subject of learning, I will try to do it on my Debian virtual machine as a server and with a group of virtual clients, one with Win7 and another with Win8.
This guide is incomplete: you do not specify directories, you leave things at random; if I were you I would redo it.
Or you could complete it and write it yourself, we will gladly publish it for you.
how to configure a server in debian 5 to be able to connect remotely to an xp
Hi, how about this: when I do
root@pdc:~# apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
tells me:
Reading package lists ... Done
Building dependency tree
Reading state information ... Done
Package build-essential is not available, but is referred to by another package.
This may mean that the package is missing, has been obsolete, or
is only available from another source
E: Package build-essential has no installation candidate
any help? thanks
the repositories are not configured
I know you are not going to publish my comment. The article is pretty bad; it omits how Kerberos is configured, even though you list it in the requirements. Why compile Samba? Version 4 is now available. With the configuration you have set, kinit gives you a fixed error NT_STATUS_DENIED! For all those interested in getting started: https://help.ubuntu.com/lts/serverguide/samba-dc.html
Keep in mind that I published this article three and a half years ago, and when I did it Samba 4 was not in the repositories, as I say in the article, which is why it had to be compiled; and as I already mentioned, in the end I have not been able to continue it. In another course I am taking they are teaching us this again (although somewhat more basic), and just today I have started trying to set it up again, only in a virtual machine this time, but it has just started giving me the problem you mention and I have begun to look into what is happening, since it did not give me that error back then. Oh, and thanks for sharing the link.