
I am trying to set up Samba 4 on a dedicated server from kimsufi.com, but I have difficulties configuring Kerberos and Samba 4.

I am very confused about IP, realm, domain, NetBIOS, DNS etc. in Kerberos and Samba. All tutorials I found via Google seem to deal with home servers in a LAN and show domains like TEST.LOCAL, but my machine is on the internet with an IP different from 192.168...

My question is: How is the config in my specific case?


Details of my server (Debian 7.8):

Hostname: ks12345xxx.kimsufi.com
IP: 37.187.xx.xxx


/etc/hosts:

127.0.0.1 localhost.localdomain localhost
37.187.xx.xxx ks12345xxx.kimsufi.com ks12345xxx

/etc/hostname:

ks12345xxx.kimsufi.com

/etc/resolv.conf:

nameserver 127.0.0.1
nameserver 213.186.33.99
search ovh.net


During Kerberos installation I get the following defaults:

Kerberos version 5 realm: KIMSUFI.COM

Is that right? The server can't be reached via kimsufi.com, as this is my hoster's domain.

Kerberos servers for your realm:

Empty by default. What shall I put in? Nothing or my hostname ks12345xxx?

Administrative server for your Kerberos realm:

Empty by default. What shall I put in? Nothing or my hostname ks12345xxx?


During Samba 4 provisioning with "samba-tool domain provision" I am getting these defaults:

Realm [KIMSUFI.COM]:

Same concern as with the Kerberos installation: is that right? kimsufi.com does NOT point to my server.

Domain [KIMSUFI]:

Correct?

Server Role (dc, member, standalone) [dc]:

DNS backend [SAMBA_INTERNAL]:

These are okay.

DNS forwarder IP address [127.0.0.1]:

Is that correct?


At the end I get this output:

Server Role: active directory domain controller
Hostname: ks12345xxx
NetBIOS Domain: KIMSUFI
DNS Domain: kimsufi.com


and in /etc/samba/smb.conf:

[global]
workgroup = KIMSUFI
realm = KIMSUFI.COM
netbios name = KS12345xxx
server role = active directory domain controller


Can this configuration be right despite the fact that kimsufi.com does not lead to my server?

Or will I need to buy an extra domain like mysamba4server.net?

Thanks for any clarifying advice or proposals.

alf-on

1 Answer

Regarding Kerberos configuration

Samba as an AD DC ships and runs its own Kerberos server (KDC). So there should not be a need to separately install and configure the Kerberos server.

Also, Samba's provisioning tool (samba-tool domain provision) produces an example krb5.conf file at the end. You should be able to simply copy that to /etc/krb5.conf.

Regarding DNS configuration

You chose to use Samba's internal DNS server, which is the standard safe choice. If your resolv.conf file already contained 127.0.0.1 as a nameserver entry before, then you probably need to make some changes. Assuming that your server was not a DNS server before, you should not modify resolv.conf before running samba-tool domain provision. Then samba-tool would propose 213.186.33.99 from your resolv.conf as the DNS forwarder, and this would be the correct choice. This is the DNS server to which Samba will forward all requests that are not for its own domain.

After Samba's provisioning is done, you should change your resolv.conf to only list 127.0.0.1 as nameserver. And it should contain kimsufi.com as domain and search entries. But see below for comments on using this domain.

Regarding using the domain kimsufi.com

Your Samba server needs to be authoritative for the DNS domain that you are using as realm/domain for the provision. That means that you should not use the domain of your hoster or any other domain that exists externally.

Whether you need to buy a new domain depends on how you want your new Samba AD domain to be accessed:

  1. If you want to use it in an isolated network, then you can simply make up a domain like mydomain.private and have your AD server own it and have your AD clients use it.
  2. If instead you want your AD server to be reachable over the internet via an officially known internet domain, then you should own such a domain. This does not require a full domain; it could in principle also be a subdomain of an existing domain like myaddom.somedomain.com, but you need control over it. That being said, it is not very advisable to expose an AD server on the internet, so hopefully you are using the first approach.

More information

See the Samba AD DC HOWTO for more information.

Michael Adam
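To turn the answer's DNS and provisioning advice into a repeatable post-provision check, here is an added example (not code from the question, the answer or the Samba project) that parses smb.conf's [global] section and resolv.conf and reports the mismatches the answer warns about: a forwarder pointing at the DC's own 127.0.0.1, a resolv.conf still listing the old external nameserver, and search/domain entries that do not name the realm. The sample files are constructed from the question's values; the "dns forwarder" line is assumed to be what provisioning wrote when the 127.0.0.1 default was accepted.

```python
from ipaddress import ip_address

# Constructed sample inputs modelled on the question; not files from any real server.
SMB_CONF = """[global]
workgroup = KIMSUFI
realm = KIMSUFI.COM
netbios name = KS12345XXX
server role = active directory domain controller
dns forwarder = 127.0.0.1
"""
RESOLV_CONF = """nameserver 127.0.0.1
nameserver 213.186.33.99
search ovh.net
"""

def parse_smb_global(text):
    """Return the key/value pairs of smb.conf's [global] section with lowercased keys."""
    section, out = None, {}
    for line in text.splitlines():
        line = line.split(";")[0].split("#")[0].strip()  # drop both smb.conf comment styles
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out

def parse_resolv(text):
    """Collect the nameserver, search and domain entries of a resolv.conf."""
    conf = {"nameserver": [], "search": [], "domain": []}
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if parts and parts[0] in conf:
            conf[parts[0]].extend(parts[1:])
    return conf

def check_dc_config(smb_text, resolv_text, hostname):
    """Return the list of problems found; an empty list means the files agree with the answer."""
    g, r = parse_smb_global(smb_text), parse_resolv(resolv_text)
    realm, problems = g.get("realm", "").lower(), []
    if g.get("workgroup", "").upper() != realm.split(".")[0].upper():
        problems.append("workgroup is not the first label of the realm")
    if g.get("netbios name", "").upper() != hostname.split(".")[0].upper():
        problems.append("netbios name does not match the short hostname")
    if r["nameserver"] != ["127.0.0.1"]:  # after provisioning the DC is the only resolver
        problems.append("resolv.conf must list only 127.0.0.1 once the DC runs DNS")
    if realm not in [d.lower() for d in r["search"] + r["domain"]]:
        problems.append("resolv.conf search/domain should name the realm in lower case")
    forwarder = g.get("dns forwarder", "")
    if not forwarder or ip_address(forwarder).is_loopback:  # forwarding to itself loops
        problems.append("dns forwarder must be an external resolver, not 127.0.0.1")
    return problems
```

Run against the constructed files it reports the three DNS problems; with the forwarder set to 213.186.33.99 and resolv.conf reduced to 127.0.0.1 plus a kimsufi.com search/domain entry it reports none.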