Configuring a Raspberry Pi as an Active Directory Controller, DHCP Server and Router
Introduction
I was working on a project that required a website that could make changes to an Active Directory entry. To do this I obviously needed an AD server set up. Since I was working on a budget, a licence for any of Microsoft's Server products was out of the question, so I decided to put a Pi to use for this.
The latest version of Raspbian ships Samba version 4 in its repositories, and this can be configured as an Active Directory Domain Controller.
There are a lot of how-to guides out there for this, but I found them confusing: they missed some steps, assumed some prior knowledge of Active Directory, relied on DNS already being properly configured, and they all required downloading and compiling Samba from source, which is no longer necessary.
By jumping between several guides I eventually got it to work, so I decided to document how I got my setup working here.
My Specifications
I needed my setup to fulfil the following criteria:
1. A domain controller for the test domain vfrontiers.net
2. A DHCP server to assign the necessary network information to machines on the domain
3. The domain must sit on a separate subnet from my home network but still have internet access
My home network is on the 192.168.1.0/24 subnet, so the domain is going to be on the 192.168.0.0/24 subnet. The Pi will route between the two networks to give the domain clients internet access.
The wireless interface will connect to the home network and the wired interface will connect to a switch to provide access for the domain PCs.
Requirements
You will need the following for this project:
1. A Raspberry Pi (I recommend a 2 or 3 model; the 3 is best as it comes with built-in wireless)
2. A blank SD card
3. A wireless USB dongle (unless you are using the Raspberry Pi 3)
4. A working internet connection
5. A network switch
Install OS
These instructions are for Raspbian Jessie.
Download the latest image from http://www.raspberrypi.org and write it to an SD card.
Boot up the Pi, connect it to the network, then update it:
sudo apt-get update
sudo apt-get upgrade
Configure the Wireless Connection
Edit /etc/wpa_supplicant/wpa_supplicant.conf and add the following network block (remember to replace the network name and password with the details of your own wireless network). The psk= value is the wireless password in plain text, so keep the file readable by root only; wpa_passphrase can generate the hashed form of the key if you would rather not store the password itself.
network={
ssid="YOUR NETWORK NAME"
psk="YOUR NETWORK PASSWORD"
key_mgmt=WPA-PSK
}
Set a Static IP Address
This bit can cause a bit of confusion. In earlier versions of Raspbian you edited /etc/network/interfaces to set the connection.
Do not do this in Jessie. Jessie appears to use, in my opinion, a borked version of dhcpcd5, which overrides anything you put in the interfaces file. Removing dhcpcd5 just breaks the network completely.
You will need to edit /etc/dhcpcd.conf instead:
sudo nano /etc/dhcpcd.conf
Add the following to the bottom of the file (obviously change the IP addresses to match your own setup). The eth0 stanza leaves static routers= empty on purpose: the Pi must have a single default route, via wlan0 to the home router, so the wired interface gets an address and a DNS server but no gateway.
interface eth0
static domain_name_servers=192.168.0.254
static ip_address=192.168.0.254
static routers=
static domain_search=vfrontiers.net
interface wlan0
static routers=192.168.1.1
static domain_name_servers=192.168.1.1
static ip_address=192.168.1.254
static domain_search=
Set the Hostname
First we need to edit the hostname file
sudo nano /etc/hostname
Change the hostname raspberrypi to something appropriate. In my case, my hostname is going to be
VFADS01 (VirtualFrontiers Active Directory Server 01)
Next edit the hosts file
sudo nano /etc/hosts
Edit the following entries, again changing the hostname and domain to match your own setup. Map the Pi's fully qualified name to its wired address rather than to 127.0.1.1 (the Raspbian default): Samba takes the address the hostname resolves to when it creates the domain controller's own DNS records, and a loopback address there leaves domain clients unable to reach it.
127.0.0.1 localhost.localdomain localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.0.254 VFADS01.vfrontiers.net VFADS01
Configuring DNS
Next we want to edit /etc/resolv.conf so that DNS will work properly.
sudo nano /etc/resolv.conf
Edit the file so it is similar to the below, changing the domain name to match whatever you chose.
domain vfrontiers.net
search vfrontiers.net
nameserver 192.168.0.254
nameserver 192.168.1.1
Note the nameserver settings. The first points the Pi at its own wired address; this is required for the AD to resolve itself, and once Samba is running its internal DNS server forwards every query outside the domain to the router, which is what gives the Pi internet name resolution. The second entry is only a fallback for when Samba's DNS is not running, such as during boot.
You will need to make resolv.conf immutable, or dhcpcd will overwrite it on the next reboot:
sudo chattr +i /etc/resolv.conf
Configure DHCP Server
First install the isc-dhcp-server package
sudo apt-get install isc-dhcp-server
Now edit the dhcp configuration file
sudo nano /etc/dhcp/dhcpd.conf
Find and comment out the following lines (put a '#' at the beginning of each line):
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
Uncomment the following line so that this server is authoritative for the subnet:
#authoritative;
Add the following to the end of the file. This will assign IP addresses in the range 192.168.0.1 to 192.168.0.100. Note that the clients are handed only the Pi as their DNS server and the AD domain as their DNS suffix: a Windows domain member that falls back to a public resolver such as 8.8.8.8 (or to the home router) cannot find the domain's SRV records, and joins and logons then fail intermittently. Names outside the domain are still resolved, because Samba's DNS forwards them to the router address given during provisioning.
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.1 192.168.0.100;
option broadcast-address 192.168.0.255;
option routers 192.168.0.254;
default-lease-time 600;
max-lease-time 7200;
option domain-name "vfrontiers.net";
option domain-name-servers 192.168.0.254;
}
We only want to run the DHCP server on the wired network.
sudo nano /etc/default/isc-dhcp-server
Find the line INTERFACES="" and change it to INTERFACES="eth0"
Enable network forwarding
We will use iptables to forward packets from the wired network to the wireless network and masquerade them behind the Pi's wireless address.
First we need to enable IPv4 forwarding.
sudo nano /etc/sysctl.conf
Uncomment the line #net.ipv4.ip_forward=1 and save the file. This change takes effect on the next reboot.
Set up iptables for forwarding with the following commands. The second rule lets replies to connections that domain clients opened come back in from wlan0; the third lets the domain clients on eth0 open connections out through wlan0. Watch the interface order in the third rule: forwarding is from the wired side to the wireless side, and a rule that accepts everything arriving on wlan0 for eth0 would instead let the home network open connections into the domain subnet. Debian's default policy for the FORWARD chain is ACCEPT, so as written these rules document the intended direction rather than restrict it; set the policy to DROP if the domain subnet should not be reachable from the home network.
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
sudo iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
This works fine until the Pi is rebooted, at which point the rules are lost. Install iptables-persistent so the rules survive a reboot:
sudo apt-get install iptables-persistent
Select Yes to both prompts (saving the current IPv4 and IPv6 rules).
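The following script is an added example and is not part of the original guide. It writes a complete rules file in the format iptables-persistent loads from /etc/iptables/rules.v4, with the FORWARD and INPUT chains defaulting to DROP, so that only the domain clients can open connections outwards, only replies to those connections come back, and from the home network only SSH to the Pi itself is accepted (the AD services on the Pi are then reachable only from the wired side). The script and function names are mine; it assumes the interface roles described above (eth0 carrying the domain subnet, wlan0 the uplink to the home router).

```shell
#!/bin/sh
# Added example: generate and install an iptables-restore rules file for
# the Pi router. Function and script names are hypothetical; the file
# format is the one iptables-persistent reads from /etc/iptables/rules.v4.
#
# gen_rules LAN_IF WAN_IF  -> prints the rules file to stdout.
gen_rules() {
    lan=$1   # wired interface carrying the domain subnet (eth0)
    wan=$2   # wireless uplink to the home router (wlan0)
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the domain subnet behind the Pi's wireless address
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The Pi itself: everything from loopback and from the domain subnet,
# but from the home network only replies and SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -i $wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $wan -p tcp --dport 22 -j ACCEPT
# Routed traffic: replies back in to the domain clients, and new
# connections only from the domain subnet out to the uplink.
# Home network -> domain subnet falls through to the DROP policy.
-A FORWARD -i $wan -o $lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# rule_count LAN_IF WAN_IF: number of "-A" rules in the generated file
# (7 expected), a cheap sanity check before loading it.
rule_count() {
    gen_rules "$1" "$2" | grep -c '^-A '
}

# install_rules LAN_IF WAN_IF: write the file, load it now, and enable
# forwarding immediately rather than waiting for sysctl.conf at reboot.
install_rules() {
    gen_rules "$1" "$2" > /etc/iptables/rules.v4
    iptables-restore < /etc/iptables/rules.v4
    sysctl -w net.ipv4.ip_forward=1
}

# Usage: sudo sh pi-router-rules.sh install eth0 wlan0
if [ "${1:-}" = "install" ]; then
    install_rules "$2" "$3"
fi
```

Run it as root from the console or from the wired side, since it replaces the live rule set; iptables-persistent reloads the same file at boot. Anything else the Pi must accept from the home network needs its own INPUT rule above the DROP policy.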
Install requirements
Run the following two commands to install the package requirements for a domain controller. Most of this list consists of build dependencies carried over from the compile-from-source guides and does no harm; the packages the rest of this walkthrough actually uses are krb5-user (kinit), dnsutils (host) and python-dnspython (used by Samba's DNS update tool).
sudo apt-get install git-core python-dev libacl1-dev libblkid-dev
sudo apt-get install build-essential libacl1-dev libattr1-dev \
libblkid-dev libreadline-dev python-dev \
python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
dnsutils libbsd-dev attr krb5-user docbook-xsl
When prompted by krb5-config, enter the details that match your setup. The first prompt asks for the default realm (your domain name in upper case) and the next two for the Kerberos server and the administrative server of the realm, both of which are the Pi:
Default Kerberos realm – VFRONTIERS.NET
Kerberos servers for your realm – VFADS01
Administrative server – VFADS01
Change the above to match your own domain name and hostname.
Install Samba4 and provision the domain
Now we install Samba itself
sudo apt-get install samba smbclient
The first thing to do is move or delete the existing smb.conf so the domain provisioning tool can generate a new one. I like to rename it, so that if I screw things up I can always go back to the original.
sudo mv /etc/samba/smb.conf /etc/samba/smb.orig
Provision the domain and bind it to eth0 (this is one command; the backslash continues the line):
sudo samba-tool domain provision --option="interfaces=lo eth0" \
  --option="bind interfaces only=yes" --use-rfc2307 --interactive
You should be able to press Enter at every prompt except the last, which asks what the DNS forwarder should be. Set it to the IP address of your router: Samba's internal DNS answers for the domain itself and forwards everything else to this address, so if you set it to something unreachable your devices will not be able to resolve internet names.
Realm: VFRONTIERS.NET
Domain: VFRONTIERS
Server Role: dc
DNS Backend: SAMBA_INTERNAL
DNS Forwarder IP Address: 192.168.1.1 (The IP address of the router)
Set an Administrator password. Provisioning enforces the default AD password policy (at least seven characters drawn from three of the four classes: upper case, lower case, digits and symbols), so a throwaway password is rejected.
Once provisioning completes, check which services will start at boot: the AD DC is the samba daemon (started by the samba-ad-dc service on Debian-based systems) and it launches its own smbd, so the stand-alone smbd, nmbd and winbind services should be disabled, as they conflict with it. Then reboot the Pi.
Now we just need to test everything is working. Enter the following command
smbclient -L localhost -U%
The output should look like this:
Domain=[VFRONTIERS] OS=[Unix] Server=[Samba 4.1.17-Debian]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.1.17-Debian)
Domain=[VFRONTIERS] OS=[Unix] Server=[Samba 4.1.17-Debian]
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
To test the login is working run the following command
smbclient //localhost/netlogon -UAdministrator -c 'ls'
You will be prompted for the Administrator password which you set when provisioning the domain
You should see something similar to the following:
Domain=[VFRONTIERS] OS=[Unix] Server=[Samba 4.1.17-Debian]
. D 0 Sat Mar 5 23:07:15 2016
.. D 0 Sat Mar 5 23:08:07 2016
57130 blocks of size 131072. 26070 blocks available
Now we need to check and make sure that the DNS is working
Use the following commands:
host -t SRV _ldap._tcp.vfrontiers.net.
host -t SRV _kerberos._udp.vfrontiers.net.
host -t A vfads01.vfrontiers.net.
These should all return a record. If you get a message saying that the record was not found, first check that resolv.conf is configured correctly. If there is still nothing found, check that Samba is running and has spawned smbd:
ps -ef | grep smbd
This should return at least two running processes (one being the grep command). If there is only one, try rebooting the Pi; I found that it took a couple of reboots and then a minute of waiting before it worked properly.
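The three lookups above cover only part of what a Windows client does when it locates a domain controller: it also queries the _kerberos._tcp, _kpasswd and _gc records and the _msdcs sub-zone, all of which samba-tool provision creates. The following script is an added example, not from the original guide (the script and function names are mine): it runs the full set of locator lookups against the Pi's own DNS server using host from dnsutils, checks that every record points at the DC, and exits non-zero on any miss, so it can be rerun after a reboot or a DNS change instead of checking records one at a time. It assumes a single DC in the domain, so the first SRV answer is the one it compares.

```shell
#!/bin/sh
# Added example: verify the DNS records a Windows client uses to locate
# a domain controller, querying the DC's own DNS server directly.
# Hypothetical script/function names; record names are the standard AD
# locator set that samba-tool provision creates.
# Usage: sh ad-dns-check.sh vfrontiers.net vfads01 192.168.0.254

# srv_target LINE: target host from a host(1) SRV answer line such as
#   "_ldap._tcp.vfrontiers.net has SRV record 0 100 389 vfads01.vfrontiers.net."
# Prints "vfads01.vfrontiers.net." or nothing if LINE is not an SRV answer.
srv_target() {
    printf '%s\n' "$1" | awk '/has SRV record/ { print $NF }'
}

# srv_port LINE: the port field of the same answer line ("389").
srv_port() {
    printf '%s\n' "$1" | awk '/has SRV record/ { print $(NF-1) }'
}

# a_address LINE: address from a host(1) "has address" line.
a_address() {
    printf '%s\n' "$1" | awk '/has address/ { print $NF }'
}

# locator_names DOMAIN: the SRV names a client queries, one per line.
# The _gc and gc._msdcs names are forest-level; here the domain is the forest.
locator_names() {
    d=$1
    for n in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp _kpasswd._udp _gc._tcp \
             _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs _ldap._tcp.pdc._msdcs _ldap._tcp.gc._msdcs; do
        printf '%s.%s\n' "$n" "$d"
    done
}

# check_dc DOMAIN SHORTHOST IP: query the DC at IP for every locator record
# and for its own A record; print a line per record, return 1 on any miss.
# Names are lower-cased because Samba stores DNS names in lower case.
check_dc() {
    domain=$1
    fqdn=$(printf '%s.%s' "$2" "$1" | tr 'A-Z' 'a-z')
    ip=$3
    fail=0
    for name in $(locator_names "$domain"); do
        line=$(host -t SRV "$name." "$ip" | grep 'has SRV record' | head -n 1)
        target=$(srv_target "$line" | tr 'A-Z' 'a-z')
        if [ "$target" = "$fqdn." ]; then
            echo "ok   $name -> $target port $(srv_port "$line")"
        else
            echo "MISS $name (got '${target:-nothing}')"
            fail=1
        fi
    done
    line=$(host -t A "$fqdn." "$ip" | grep 'has address' | head -n 1)
    addr=$(a_address "$line")
    if [ "$addr" = "$ip" ]; then
        echo "ok   $fqdn -> $addr"
    else
        echo "MISS $fqdn A record (got '${addr:-nothing}')"
        fail=1
    fi
    return $fail
}

if [ $# -eq 3 ]; then
    check_dc "$1" "$2" "$3"
fi
```

A MISS on the A record with the right SRV targets usually means /etc/hosts mapped the hostname to a loopback address at provisioning time; a MISS on every record while host works for internet names means the query reached the router's resolver rather than Samba.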
Kerberos
Finally we need to configure Kerberos authentication.
Copy the Kerberos configuration file that provisioning generated to the /etc directory:
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
Make sure it contains something similar to the following:
[libdefaults]
default_realm = VFRONTIERS.NET
dns_lookup_realm = false
dns_lookup_kdc = true
Check Kerberos: get a ticket with kinit and display it with klist. Use the realm name in upper case after the @.
kinit administrator@VFRONTIERS.NET
klist
kinit should accept the password and warn that it will expire in about 40 days (the provisioned domain's default maximum password age is 42 days), and klist should list a krbtgt/VFRONTIERS.NET@VFRONTIERS.NET ticket. If kinit cannot find a KDC, the _kerberos SRV records checked above are what the dns_lookup_kdc = true setting relies on.
And that should be it. With any luck you can now connect the Pi's wired interface to your network switch, plug any Windows PC (Pro or above, obviously; Home editions cannot join domains) into the switch, and add it to the domain.
Log on to the PC and add it to the domain. After the reboot you can log on to the PC with the domain Administrator username and password.
Update added - 23/07/2016
Brent Nader emailed me to advise that the latest version of Samba 4.2 no longer includes WinBind, so you may receive Access Denied errors while testing. Brent very kindly advised that to fix the issue you should manually install the WinBind package with the following command, and this will get you going:
sudo apt-get install winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user