A domain controller is indispensable in a company: it centralizes the management of your company's user accounts. Setting up such a server can be costly, however.
A Windows Server domain is based on the LDAP protocol, and Samba AD speaks that same protocol.
You can therefore perfectly well run a Linux domain controller alongside a fleet of Windows 7/8/8.1/10 workstations.
Don't worry: the setup is simple, and thanks to RSAT you will be able to manage the server the same way you would a Windows one.
The setup is divided into four steps:
- Prepare your Debian server
- Install and configure Samba AD
- Create your domain
- Bring the Samba domain into service
Step 1 – Prepare your Debian server
Change your machine's name by appending your future domain name to it
root@srvdc:~# vi /etc/hostname
srvdc.office.local
Do the same in the hosts file
root@srvdc:~# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.254 srvdc.office.local srvdc
Assign a static IP address to your machine
root@srvdc:~# vi /etc/network/interfaces
auto ens33
iface ens33 inet static
address 192.168.10.254/24
gateway 192.168.10.1
Reboot your server
root@srvdc:~# reboot
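Before installing Samba it is worth confirming that the naming done in this step is consistent, because a domain controller whose own name resolves to a loopback address (the 127.0.1.1 entry Debian installers commonly write) will publish that address in its DNS and Kerberos data. The script below is an added example, not part of the original article. It assumes the article's values (FQDN srvdc.office.local, static address 192.168.10.254) and the Debian paths /etc/hostname and /etc/hosts; the functions take file contents as arguments so they can be tried on sample text, and `--live` runs them against the real files.

```sh
#!/bin/sh
# Added example, not from the original article: pre-flight checks for the
# naming configured in step 1. Assumed values are those used in the article.
EXPECTED_FQDN="srvdc.office.local"
EXPECTED_IP="192.168.10.254"

# hostname_is_fqdn CONTENT FQDN
# /etc/hostname must hold exactly the fully qualified name.
hostname_is_fqdn() {
    [ "$(printf '%s\n' "$1" | sed -n '1p' | tr -d '[:space:]')" = "$2" ]
}

# hosts_maps_fqdn CONTENT FQDN IP
# The first non-comment /etc/hosts line that names FQDN must carry IP.
hosts_maps_fqdn() {
    addr=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        awk -v f="$2" '{ for (i = 2; i <= NF; i++) if ($i == f) { print $1; exit } }')
    [ "$addr" = "$3" ]
}

# hosts_has_loopback_fqdn CONTENT FQDN
# Detects the hostname being mapped to a 127.x address (Debian's default
# 127.0.1.1 entry), which a domain controller must not have.
hosts_has_loopback_fqdn() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        awk -v f="$2" '$1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == f) found = 1 }
                        END { exit !found }'
}

# Live mode reads the real files; without --live only the functions are defined.
if [ "${1:-}" = "--live" ]; then
    status=0
    hostname_is_fqdn "$(cat /etc/hostname)" "$EXPECTED_FQDN" ||
        { echo "FAIL /etc/hostname does not contain $EXPECTED_FQDN"; status=1; }
    hosts_maps_fqdn "$(cat /etc/hosts)" "$EXPECTED_FQDN" "$EXPECTED_IP" ||
        { echo "FAIL /etc/hosts does not map $EXPECTED_FQDN to $EXPECTED_IP"; status=1; }
    if hosts_has_loopback_fqdn "$(cat /etc/hosts)" "$EXPECTED_FQDN"; then
        echo "FAIL /etc/hosts maps $EXPECTED_FQDN to a 127.x loopback address"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK naming is consistent for a Samba DC"
    exit "$status"
fi
```

Run it as `sh check-naming.sh --live` on the future DC after the reboot; any FAIL line should be fixed before step 2, since the Kerberos realm and DNS zone created later are derived from these names.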
Step 2 – Install and configure Samba AD
Once logged in as root, enter the following command:
root@srvdc:~# apt -y install samba krb5-config winbind smbclient
Since our server uses static addressing, select No
If your computer gets IP address information from a DHCP server on the
network, the DHCP server may also provide information about WINS servers
("NetBIOS name servers") present on the network. This requires a change
to your smb.conf file so that DHCP-provided WINS settings will
automatically be read from /var/lib/samba/dhcp.conf.
The dhcp-client package must be installed to take advantage of this
feature.
Modify smb.conf to use WINS settings from DHCP?
<Yes> <No>
Enter your domain name (e.g. office.local)
When users attempt to use Kerberos and specify a principal or user name
without specifying what administrative Kerberos realm that principal
belongs to, the system appends the default realm. The default realm may
also be used as the realm of a Kerberos service running on the local
machine. Often, the default realm is the uppercase version of the local
DNS domain.
Default Kerberos version 5 realm:
OFFICE.LOCAL_____________________________________________________________
<Ok>
Enter your server's fully qualified name (with the domain name)
Enter the hostnames of Kerberos servers in the SRV.WORLD Kerberos
realm separated by spaces.
Kerberos servers for your realm:
SRVDC.OFFICE.LOCAL_______________________________________________________
<Ok>
Enter the same name once again
Enter the hostname of the administrative (password changing) server for
the SRV.WORLD Kerberos realm.
Administrative server for your Kerberos realm:
SRVDC.OFFICE.LOCAL_______________________________________________________
<Ok>
Samba is now installed and configured
Step 3 – Create your domain
Rename the original configuration file
root@smb:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.org
Launch the domain provisioning
root@smb:~# samba-tool domain provision
Keep the default choice for the first four prompts by pressing Enter
Realm [OFFICE.LOCAL]: Domain [OFFICE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
If you have already configured forwarders on your server, press Enter; otherwise, enter the IP address of the DNS server of your choice
DNS forwarder IP address (write 'none' to disable forwarding) [1.1.1.1]:
Enter the password for the Administrator account twice
Administrator password:
Retype password:
If all goes well, this is what should appear on screen
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
Adding DomainDN: DC=office,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers and extended rights
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=office,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Once the above files are installed, your Samba AD server will be ready to use
Server Role: active directory domain controller
Hostname: srvdc
NetBIOS Domain: OFFICE
DNS Domain: office.local
DOMAIN SID: *-*-*-**-**********-**********-**********
Step 4 – Bring the Samba domain into service
Copy the Kerberos configuration file into the /etc directory
root@srvdc:~# cp /var/lib/samba/private/krb5.conf /etc/
Stop the smbd, nmbd and winbind services (the AD DC service replaces all three)
root@srvdc:~# systemctl stop smbd nmbd winbind
Disable these services
root@srvdc:~# systemctl disable smbd nmbd winbind
Unmask the Samba AD DC service
root@srvdc:~# systemctl unmask samba-ad-dc
Start the service
root@srvdc:~# systemctl start samba-ad-dc
Enable the service
root@srvdc:~# systemctl enable samba-ad-dc
Check the status of Samba AD
root@smb:~# smbclient -L localhost -U%
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP NAS
Check the domain level
root@smb:~# samba-tool domain level show
Domain and forest function level for domain 'DC=office,DC=local'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
Add a first user (e.g. alex)
root@smb:~# samba-tool user create alex
Enter the user's password
New Password:
Retype Password:
User 'alex' created successfully
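The two checks above (share listing and function level) confirm that the service runs, but Windows clients locate a domain controller through DNS SRV records, so those are worth checking too before joining the first workstation. The script below is an added example, not part of the original article. It assumes the article's realm office.local and DC srvdc.office.local, and the `host` utility from the bind9-host or dnsutils package. The parsing functions take command output as text, so they can be exercised on the constructed samples in the comments; `--live` runs the real `host` and `smbclient` commands on the DC.

```sh
#!/bin/sh
# Added example, not from the original article: post-provision checks for a
# Samba AD DC. Assumed values are those used in the article.
REALM="office.local"
DC_FQDN="srvdc.office.local"

# srv_target LOOKUP_OUTPUT
# Prints the host an SRV answer points at, without the trailing dot.
# Expected answer format (constructed sample):
#   _ldap._tcp.office.local has SRV record 0 100 389 srvdc.office.local.
srv_target() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# srv_points_to_dc LOOKUP_OUTPUT FQDN
# 0 when the record names our DC; an NXDOMAIN answer yields no target and fails.
srv_points_to_dc() {
    [ "$(srv_target "$1")" = "$2" ]
}

# dc_shares_present LISTING
# 0 when `smbclient -L` shows both netlogon and sysvol, the two shares a DC
# must publish for logon scripts and Group Policy.
dc_shares_present() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*netlogon[[:space:]]+Disk' &&
        printf '%s\n' "$1" | grep -qE '^[[:space:]]*sysvol[[:space:]]+Disk'
}

# fell_back_to_smb1 LISTING
# 0 when the client had to reconnect with SMB1 for the workgroup browse list,
# i.e. the server still accepts SMB1. The shares themselves were listed over
# SMB2/3, so this is a hardening hint, not a failure.
fell_back_to_smb1() {
    printf '%s\n' "$1" | grep -q 'Reconnecting with SMB1'
}

if [ "${1:-}" = "--live" ]; then
    for rec in "_ldap._tcp.$REALM" "_kerberos._udp.$REALM"; do
        out=$(host -t SRV "$rec" 2>&1) || true
        if srv_points_to_dc "$out" "$DC_FQDN"; then
            echo "OK   $rec -> $DC_FQDN"
        else
            echo "FAIL $rec: $out"
        fi
    done
    listing=$(smbclient -L localhost -U% 2>&1) || true
    if dc_shares_present "$listing"; then
        echo "OK   netlogon and sysvol are published"
    else
        echo "FAIL shares missing:"; printf '%s\n' "$listing"
    fi
    if fell_back_to_smb1 "$listing"; then
        echo "NOTE SMB1 is still accepted; 'server min protocol = SMB2_02' in smb.conf disables it"
    fi
fi
```

Run it as `sh check-dc.sh --live` on the DC itself, with /etc/resolv.conf pointing at the DC's own address so the SRV lookups go to Samba's internal DNS. Before disabling SMB1, confirm that no legacy client on the network still depends on it.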
7 comments
DARMALINGON Philippe · 19 December 2019 at 15:46
Thank you for your help with my trainees
Alex BACHER · 21 December 2019 at 15:47
Hello, thank you for your message.
Pierre Malard · 3 December 2020 at 17:42
Hello,
Very good documentation, but where is LDAP?
How do you access the LDAP services with an LDAP browser?
Thank you
Alex BACHER · 3 December 2020 at 17:50
Hello, thank you for your feedback.
You can work on LDAP from the command line on your Linux server or, in a more familiar way, manage your LDAP domain just as you would with a Windows server by installing RSAT on your Windows computer, as indicated at the start of the article. Here is an article about it: https://frama.link/5kqUvnt-
Pierre Malard · 3 December 2020 at 18:13
I was not precise enough in my question:
What is the administrator's bind DN (e.g. cn=admin,dc=domain)?
Where is the LDAP configuration written?
Thank you
Alex BACHER · 3 December 2020 at 18:21
As far as I know, you can find this information in the /etc/samba/smb.conf file
Benjamin Katschmarsky · 14 December 2020 at 15:17
Hello, what about the ZeroLogon vulnerability? Is it patched in the version of Samba that would be installed today (14/12/2020)?
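The last comment's question is not answered on the page. As an added example that is not part of the article or its comments: the setting the Samba project tied to ZeroLogon is `server schannel`, which enforces signing and sealing of the Netlogon secure channel and has defaulted to `yes` since Samba 4.8 (so the 4.9.5 build shown above ships with it on). A DC built by this guide is weakened only if an administrator later sets it to `no` or `auto`. The script below parses an smb.conf text for the effective [global] value, so it can be tried on the constructed snippets in the test, and with `--live` checks the running configuration through `testparm -s -v`, which prints every parameter including defaults.

```sh
#!/bin/sh
# Added example, not from the original article: verify that the Netlogon
# secure channel is enforced on a Samba AD DC. Assumes smb.conf syntax and
# the testparm utility shipped with Samba.

# setting_value CONFIG NAME
# Prints the lowercased value of NAME from the [global] section of the
# smb.conf text CONFIG, or nothing if it is not set. Comment lines (# or ;)
# are ignored and the last occurrence wins, as in smb.conf itself.
setting_value() {
    printf '%s\n' "$1" | awk -F= -v name="$2" '
        BEGIN { gsub(/[ \t]/, "", name); name = tolower(name) }
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { section = tolower($0); gsub(/[][ \t]/, "", section); next }
        section == "global" && NF >= 2 {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == name) { val = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        }
        END { print val }'
}

# schannel_enforced CONFIG
# 0 when "server schannel" is "yes" or left unset (the default since 4.8),
# 1 when it was explicitly weakened to "no" or "auto".
schannel_enforced() {
    v=$(setting_value "$1" "server schannel")
    [ -z "$v" ] || [ "$v" = "yes" ]
}

if [ "${1:-}" = "--live" ]; then
    # -s skips the "press enter" prompt, -v includes parameters at their defaults.
    effective=$(testparm -s -v 2>/dev/null) || true
    if schannel_enforced "$effective"; then
        echo "OK   server schannel is enforced"
    else
        echo "FAIL server schannel is set to '$(setting_value "$effective" "server schannel")'"
        exit 1
    fi
fi
```

Run `sh check-schannel.sh --live` on the DC; it complements, but does not replace, keeping the samba package updated through Debian's security repository, which is what the commenter's patch-status question actually turns on.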