All of these steps are completed on a fresh install of Debian 12 without a GUI. Include the SSH server during installation.
For this example, my domain will be samba.lan, my domain controller is dc1.samba.lan and its IP address is 192.168.122.190.
During the Debian 12 setup, go ahead and name your server dc1.
For the domain, go ahead and put in samba.lan.
After the install, confirm you have internet and DNS working. Go ahead and apt update and install any pending updates.
nano /etc/network/interfaces
Change it to meet your needs, but have it look similar to this (for this example, my server will be at 192.168.122.190). For now, leave the DNS at whatever is currently working, or set it to Google's or similar. Note that ifupdown only honours the dns-nameservers line when the resolvconf package is installed; on a minimal Debian install it is ignored, so check /etc/resolv.conf yourself if lookups stop working after the change.
auto enp0s3
iface enp0s3 inet static
address 192.168.122.190
netmask 255.255.255.0
gateway 192.168.122.1
dns-nameservers 8.8.8.8
Just to be safe, give it a reboot and then make sure internet is still working and that you can perform public DNS lookups.
This isn't strictly required, but it is recommended to make these changes to /etc/hosts. The Debian installer also adds a 127.0.1.1 line for the hostname; remove or comment that line out, because the DC's name must resolve to its LAN address and not to loopback, otherwise the DNS records created during provisioning can end up pointing at 127.0.1.1:
nano /etc/hosts
192.168.122.190 dc1.samba.lan dc1
At this point, you should be able to ping dc1.samba.lan and get a response for the IP address of your domain controller.
The below will install all required samba-ad-dc packages. You'll observe a large number of dependencies pulled in by the packages below. Make sure they all get installed.
apt install samba smbclient winbind krb5-user krb5-config chrony
During the installation of the krb5 packages, you'll be prompted for some information. This will get configured during domain provisioning, so just press Enter to skip these questions.
Enabling backports allows you to use a newer version of Samba. This probably won't cause problems, but backports track newer upstream releases and are less conservatively tested than stable. (As of 12/19/24, Debian 12 stable uses Samba 4.17.12 and backports uses Samba 4.21.2.) To enable this,
nano /etc/apt/sources.list.d/debian-12-backports.list
and add the line:
deb http://deb.debian.org/debian bookworm-backports main
Save and close, then perform an apt update and apt upgrade
Then install the specified packages using backports
apt install -t bookworm-backports samba smbclient winbind krb5-user krb5-config chrony
These files will be replaced during provisioning, but will cause an error if they aren't removed first
rm /etc/samba/smb.conf
rm /etc/krb5.conf
I only ever use Samba's internal DNS. Make sure to set your admin password. Be aware that passing it with --adminpass puts the password on the command line, where it lands in your shell history and is visible in the process list while the command runs; if you omit the option, samba-tool prompts for it instead. Either way, the password has to satisfy the default password policy (at least seven characters, drawing on three of the four character classes) or provisioning fails. Also, I've included --use-rfc2307. This directive enables the UNIX extensions (NIS attributes such as uidNumber and gidNumber) in Active Directory. These are useful if you want Linux machines to join the domain. It's not required, but there's no downside to including it.
samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=SAMBA.LAN --domain=SAMBA --adminpass=youradminpasswordhere
Copy the new krb5.conf file (do not link it - it has to be copied)
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
The below is based on an Ubuntu server install. On Debian, systemd-resolved is not installed by default, so systemctl will simply complain that the systemd-resolved unit does not exist. Just ignore that if it happens.
systemctl disable --now systemd-resolved
systemctl mask smbd nmbd winbind systemd-resolved
systemctl unmask samba-ad-dc
systemctl start samba-ad-dc
systemctl enable samba-ad-dc
Unlink the resolv.conf file and then create a new one
unlink /etc/resolv.conf
nano /etc/resolv.conf
Edit it to look something like this, then save it.
nameserver 192.168.122.190
search samba.lan
Since we're using Samba's internal DNS, we need to specify what DNS server it should use upstream for names it is not authoritative for. This could be the DNS of your ISP, Google, Cloudflare, your Pihole, etc. Just set it to whatever makes sense.
nano /etc/samba/smb.conf
There should already be a line that says "dns forwarder = " in the [global] section. Change it to point at your upstream DNS:
dns forwarder = 8.8.8.8
At this point you should be able to run
testparm
and get some data back about your configuration. If there are showstopper problems, it should complain here. If no complaints, reboot.
Once the system is back up, you'll want to make sure you can get responses back from these commands (change them to match your domain name)
host -t A samba.lan
host -t A dc1.samba.lan
host -t SRV _kerberos._udp.samba.lan
host -t SRV _ldap._tcp.samba.lan
Test that Samba is serving the shares a DC needs to provide. You should see the share names sysvol, netlogon and IPC$:
smbclient -L samba.lan -N
Finally, request a Kerberos ticket-granting ticket for the domain administrator account whose password we set during provisioning:
kinit administrator@SAMBA.LAN
and enter the password we set. It should say something like "Password expires in 41 days." (42 days is the default maximum password age.) Running klist afterwards should show the ticket for krbtgt/SAMBA.LAN@SAMBA.LAN.
If you made it this far, congratulations, the basic Active Directory is running. Now to manage it.
Windows clients and the domain controller need to have their clocks very closely synced. There are a few ways to handle this:
The first method, serving signed NTP from the domain controller with chrony, most closely duplicates the behavior of Windows clients joined to a Windows Server domain controller.
Assuming you installed chrony as part of the packages listed earlier, you only need to add two directives to the chrony.conf file. When Windows domain members get their time from a domain controller, they expect the DC's NTP replies to be signed (the MS-SNTP extension) with a key derived from the client's machine account. chrony can do this, but has to be told to hand each reply to Samba for signing.
Samba provides the signing service through a socket inside the ntp_signd directory, usually /var/lib/samba/ntp_signd/, and chrony needs to be able to reach it. On Debian 12, this directory was created automatically. On Ubuntu 24.04, it had to be created manually.
So, confirm that the directory exists, and if not, make it.
mkdir -p /var/lib/samba/ntp_signd/
You need to set these permissions on the directory:
sudo chown root:_chrony /var/lib/samba/ntp_signd/
sudo chmod 750 /var/lib/samba/ntp_signd/
Edit the chrony conf file and make the following changes:
nano /etc/chrony/chrony.conf
# Which clients may query this NTP server. 0.0.0.0/0 would answer anyone who
# can reach UDP 123, so restrict it to the subnet(s) your domain members live on.
allow 192.168.122.0/24
# Path to the ntp_signd socket directory, so replies to domain members get signed
ntpsigndsocket /var/lib/samba/ntp_signd
Restart chrony
sudo systemctl restart chrony
To test this on Windows, open a command prompt and run
w32tm /query /status
In this example, the result should indicate that the source is dc1.samba.lan and that it is synced by (S)NTP. If it says Local CMOS Clock, Windows is preferring its own clock as a time source. If you just configured chrony, you can force Windows to start using it by
w32tm /resync
If chrony is set up properly, this sync should be very quick and succeed.
By default, with this setup Windows will only get its time synced from the domain controller. If the computer hasn't synced with the domain controller for an extended period of time, it may fall back on the CMOS clock and the time may drift.
Per the Samba Wiki (https://wiki.samba.org/index.php/Time_Synchronisation#Configuring_Time_Synchronisation_on_a_Windows_Domain_Member), you can correct this using a GPO to tell Windows to fall back on time.windows.com as an NTP source.
Create a new computer configuration GPO and navigate to:
Computer Configuration, Policies, Administrative Templates, System, Windows Time Service, Time Providers
Double-click on Configure Windows NTP Client and set it to Enabled
Change the Type from NT5DS to AllSync (NT5DS uses only the domain hierarchy; AllSync uses the domain hierarchy and the servers listed in NtpServer). Leave everything else, including the NtpServer value, at its default, and click OK.
Double-click on Enable Windows NTP Client and set it to Enabled.
This will make Windows prefer to sync its time to the DC, but fall back to the usual Windows NTP server if the DC is unavailable.
The second method assumes that both the DC and the Windows clients are correctly syncing their time to public NTP servers (time.windows.com, in Windows' case); it simply tells Windows to keep doing that and not rely on the DC for NTP at all. This is not the recommended approach, since the first method already lets Windows fall back to time.windows.com when the DC isn't available, but the author has used this method in the past without issue.
Create a new GPO:
Computer Configuration, Policies, Administrative Templates, System, Windows Time Service, Time Providers, Configure Windows NTP Client and set it to Enabled
By default, this will configure Windows to sync to time.windows.com. Click OK.
Double-click on Enable Windows NTP Client and set it to Enabled. Click OK.
You will need a Windows Pro (or Enterprise/Education) client, since Home editions cannot join a domain. Windows 10 and 11 should work about the same, but I am following along with Windows 11 23H2 for these instructions.
Depending on how your network and DNS are set up, your Windows clients may get their DNS server from a DHCP server you manage, or you may have to set it manually. For this example, I will set the DNS server manually.
Make certain the timezone and clock are correct and match your Debian server
In Control Panel, View network status and tasks, Change adapter settings, find your active interface, right-click it and go to Properties, click on Internet Protocol Version 4, and choose Properties.
Click on "Use the following DNS server addresses" and put in the IP of your domain controller
192.168.122.190
Click OK, then Close. Then open a command prompt and ping samba.lan and dc1.samba.lan. Both should respond with the IP address of our domain controller.
Open Settings, System, About and click on "Domain or workgroup."
Click Change.
Click on Domain and type in samba.lan and click OK. When you are prompted for a username and password, put in administrator as your username and the password you set during provisioning. Click OK. After a moment, you should see "Welcome to the samba.lan domain." Click OK, OK, Close, Restart Now.
When Windows loads and you're at the login screen, click "Other user." Observe that it says "Sign in to: SAMBA"
Test that we can sign in with our administrator account on the domain. Because our local Windows machine also has an administrator account, we have to fully specify the domain and username:
SAMBA\administrator
and the password we set during provisioning. You should get logged in and it will say "Hi, getting things ready for you."
In most cases, Active Directory will be managed using our Windows workstation. To do that, we need to install at least two "Optional Features."
In the search box, type in optional features and click on the system settings "Optional features" suggestion. Then click on View features.
Type in RSAT and place checks next to RSAT: Active Directory Domain Services and Lightweight Directory Services Tools and RSAT: Group Policy Management Tools. Click Next, then click Add. And wait for them to be installed.
Once these are installed, you should be able to manage the domain mostly like you would a regular Windows Active Directory domain, using Active Directory Users and Computers and Group Policy Management.
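The same client-side steps as a PowerShell session, added here as an example that is not part of the original page, for anyone who would rather script the join than click through the dialogs. It uses this page's DC address and domain and assumes the client's active adapter is named Ethernet; adjust those three variables to match your network. Run it from an elevated PowerShell prompt; the part after the reboot marker is run once you have signed back in as SAMBA\administrator.

```powershell
# Added example, not from the original page. Assumptions: adapter alias "Ethernet",
# DC at 192.168.122.190, domain samba.lan with NetBIOS name SAMBA.
$DcIp    = '192.168.122.190'
$Domain  = 'samba.lan'
$Adapter = 'Ethernet'

# 1. Clock first: Kerberos tolerates only 5 minutes of skew, so confirm the
#    time zone and current time match the Debian server before joining.
Get-TimeZone | Select-Object Id, DisplayName
Get-Date

# 2. Point DNS at the domain controller (the IPv4 Properties dialog above).
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcIp
Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4

# 3. Confirm the client resolves the domain, the DC and the SRV records the
#    join depends on. Every answer should come back with $DcIp.
Resolve-DnsName -Name $Domain -Type A -Server $DcIp
Resolve-DnsName -Name "dc1.$Domain" -Type A -Server $DcIp
Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -Server $DcIp
Resolve-DnsName -Name "_kerberos._udp.$Domain" -Type SRV -Server $DcIp

# 4. Join the domain. You are prompted for the password set during
#    provisioning; -Restart reboots the machine once the join succeeds.
$cred = Get-Credential -UserName 'SAMBA\administrator' -Message 'Domain admin password'
Add-Computer -DomainName $Domain -Credential $cred -Restart

# ---- After the reboot, signed in as SAMBA\administrator ----

# 5. The machine account's secure channel to the DC should now be healthy.
Test-ComputerSecureChannel -Verbose

# 6. Install the two RSAT features-on-demand used to manage the domain
#    (AD DS/LDS tools and Group Policy Management).
Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools*' |
    Add-WindowsCapability -Online
Get-WindowsCapability -Online -Name 'Rsat.GroupPolicy.Management.Tools*' |
    Add-WindowsCapability -Online

# 7. Time should be coming from the DC: Source should read dc1.samba.lan, not
#    "Local CMOS Clock". If chrony was only just configured, force a resync.
w32tm /query /status
w32tm /resync
```

Test-ComputerSecureChannel returns True when the client can authenticate to a DC with its machine account; if it returns False after the join, check DNS and the clock before anything else, because both failures show up the same way.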
Other things you can do beyond the scope of this document:
- Smartcard authentication
- FreeRADIUS integration for 802.1X wifi
- Bitlocker key storage
- LAPS
- Using a password filter (based on haveibeenpwned)