Samba4 and Kerberos configuration on a dedicated server
Regarding Kerberos configuration
Samba as an AD DC ships and runs its own Kerberos server (KDC), so there should not be a need to separately install and configure a Kerberos server.
Also, Samba's provisioning tool (samba-tool domain provision) produces an example krb5.conf file at the end. You should be able to simply copy that to /etc/krb5.conf.
Regarding DNS configuration
You chose to use Samba's internal DNS server, which is the standard safe choice. If your resolv.conf file already contained 127.0.0.1 as a nameserver entry before, then you probably need to make some changes. Assuming that your server was not a DNS server before, you should not modify resolv.conf before running samba-tool domain provision. Then samba-tool would propose 213.186.33.99 from your resolv.conf as the DNS forwarder, and this would be the correct choice. This is the DNS server to which Samba will forward all requests that are not for its own domain.
After Samba's provisioning is done, you should change your resolv.conf to only list 127.0.0.1 as nameserver. And it should contain kimsufi.com as the domain and search entries. But see below for comments on using this domain.
Regarding using the domain kimsufi.com
Your Samba server needs to be authoritative for the DNS domain that you are using as realm/domain for the provision. That means that you should not use the domain of your hoster or any other domain that exists externally.
Whether you need to buy a new domain depends on how you want your new Samba AD domain to be accessed:
- If you want to use it in an isolated network, then you can simply make up a domain like mydomain.private and have your AD server own it and have your AD clients use it.
- If instead you want your AD server to be reachable over the internet via an officially known internet domain, then you should own such a domain. This does not require a full domain; it could in principle also be a subdomain of an existing domain like myaddom.somedomain.com, but you need control over it. That being said, it is not very advisable to expose an AD server on the internet, so hopefully you are using the first approach.
More information
See the Samba AD DC HOWTO for more information.
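The resolv.conf handling described in the answer above (leave the file alone until provisioning, read the forwarder samba-tool would propose from it, then rewrite it to point only at the local Samba DNS) as a small POSIX shell helper. This is an added example, not code from the answer or from the Samba project. Assumptions: the sample pre-provision resolv.conf is constructed for illustration; the forwarder heuristic (first non-loopback nameserver) is an approximation of what samba-tool proposes, not Samba's own code; /var/lib/samba/private/krb5.conf is assumed as the location of the generated krb5.conf and is only shown in a comment.

```shell
#!/bin/sh
# Added example: helpers for the resolv.conf steps around
# "samba-tool domain provision". Not part of Samba. The sample
# resolv.conf content and the AD domain name below are constructed.

# Print the nameserver samba-tool would propose as DNS forwarder:
# assumed here to be the first non-loopback "nameserver" entry.
dns_forwarder_candidate() {
    awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2; exit }' "$1"
}

# Render the resolv.conf to install once provisioning has finished:
# only the local Samba DNS as resolver, domain/search set to the AD domain.
render_post_provision_resolv_conf() {
    printf 'domain %s\nsearch %s\nnameserver 127.0.0.1\n' "$1" "$1"
}

# Return 0 when the given resolv.conf is in the post-provision state:
# every nameserver line is 127.0.0.1 and both domain and search are set.
check_post_provision_resolv_conf() {
    if ! awk 'BEGIN { bad = 0 }
              $1 == "nameserver" && $2 != "127.0.0.1" { bad = 1 }
              END { exit bad }' "$1"; then
        echo "resolv.conf still lists a non-local nameserver" >&2
        return 1
    fi
    grep -q '^nameserver 127.0.0.1' "$1" || { echo "no nameserver 127.0.0.1" >&2; return 1; }
    grep -q '^domain ' "$1"             || { echo "no domain entry" >&2; return 1; }
    grep -q '^search ' "$1"             || { echo "no search entry" >&2; return 1; }
    return 0
}

# Constructed sample of a hoster-installed resolv.conf, before provisioning.
SAMPLE_PRE_RESOLV_CONF='search kimsufi.com
nameserver 213.186.33.99
nameserver 127.0.0.1'

# Demo on the constructed sample (temp file, cleaned up afterwards).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PRE_RESOLV_CONF" > "$tmp"
echo "forwarder to accept in samba-tool domain provision: $(dns_forwarder_candidate "$tmp")"
# ... run "samba-tool domain provision" here, then:
render_post_provision_resolv_conf mydomain.private > "$tmp"
check_post_provision_resolv_conf "$tmp" && echo "post-provision resolv.conf OK"
# Assumed path of the krb5.conf that provisioning generates:
#   cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
rm -f "$tmp"
```

Run the check against the real /etc/resolv.conf after provisioning; if it still lists the hoster's resolver, name lookups for the AD domain will bypass Samba's DNS and Kerberos SRV record discovery will fail.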