Samba4 and Kerberos configuration on a dedicated server

kerberos dedicated-server samba4

Regarding Kerberos configuration

Samba as an AD/DC ships and runs its own Kerberos server (KDC). So there should not be a need to separately install and configure the kerberos server.

Also, Samba's provisioning tool (samba-tool domain provision) produces an example krb5.conf file at the end. You should be able to simply copy that to /etc/krb5.conf.

Regarding DNS configuration

You chose to use Samba's internal DNS server, which is the standard safe choice. If your resolv.conf file already contained 127.0.0.1 as nameserver entry before, then you probably need to do some changes. Assuming that your server was not a DNS server before, you should not modify resolv.conf before running samba-tool domain provision. Then samba-tool would propose 213.186.33.99 from your resolv.conf as the DNS forwarder, and this would be the correct choice. This is the DNS server to which Samba will forward all requests that are not for its own domain.

After Samba's provisioning is done, you should change your resolv.conf to only list 127.0.0.1 as nameserver. And it should contain kimsufi.com as domain and search entries. But see below for comments on using this domain.

Regarding using the domain kimsufi.com

Your Samba server needs to be authoritative for the DNS domain that you are using as realm/domain for the provision. That means that you should not use the domain of your hoster or any other domain that exists externally.

Whether you need to buy a new domain depends on how you want your new Samba AD domain to be accessed:

  1. If you want to use it in an isolated network, then you can simply make up a domain like mydomain.private and have your AD server own it and have your AD clients use it.
  2. If instead you want your AD server to be reachable over the internet via an officially known internet domain, then you should own such a domain. This does not require a full domain. it could in principle also be a subdomain of an existing domain like myaddom.somedomain.com, but you need control over it. That being said, it is not very advisable to expose an AD server on the internet, so hopefully you are using the first approach.

More information

See the Samba AD DC HOWTO for more information.

Related

How to makesure VM is in Para virtualization mode on XEN?
Unable to connect to AWS RDS instance
EC2 instance not responding to ping
LDAP Auth with checking the group user belongs to?
Public Share with Samba4 AD DC does not work
iptables error: No chain/target/match by that name?
How to remove hosts from zabbix template?
Adding a new local user hangs netplwiz on server 2008 R2
Can we put random entries on DNS
Having trouble setting up a nginx web server on Amazon EC2
nginx on fedora fastcgi not working
Do I need node.js to use Angularjs?