.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Installing and configuring Samba-AD on Debian
  :keywords: install, Debian, Samba-AD, documentation

.. _server_install_samba_debian:

***********************************************
Installing and configuring Samba-AD on Debian
***********************************************

.. warning::

  If you haven’t already done so, follow the previous page to :ref:`prepare your Debian server <server_prepare_debian>` to configure the network and machine name of your new machine.

.. include:: samba_config_server-samba_config_server-server_install_samba_debian_repo.rst.inc

Instantiating the Active Directory Samba domain
===============================================

.. _configure_kerberos_debian:

Configuring Kerberos
--------------------

* Edit the file :file:`/etc/krb5.conf` and **replace its entire contents with the following 4 lines**, setting ``default_realm`` to the Active Directory realm of your organization (here *MYDOMAIN.LAN*).

.. attention::

  The ``default_realm`` must be written in **UPPER CASE LETTERS**: Kerberos realm names are case-sensitive, and Active Directory uses the upper-case form.

.. code-block:: ini

  [libdefaults]
    default_realm = MYDOMAIN.LAN
    dns_lookup_kdc = true
    dns_lookup_realm = false

Setting up Samba
----------------

* Delete the file :file:`/etc/samba/smb.conf` if it has already been generated (it will be regenerated by the instantiation command):

  .. code-block:: bash

    rm -f /etc/samba/smb.conf

* On Debian, stop the file-server services that the ``samba`` package starts by default; the domain controller runs its own ``smbd`` and ``winbind`` under the ``samba-ad-dc`` service:

  .. code-block:: bash

    systemctl stop samba winbind nmbd smbd

* Provision Samba with the role of domain controller. In the following command, change both the *Kerberos realm* (``--realm``, in upper case) and the short NetBIOS name of the domain (``--domain``). Without ``--adminpass`` the provisioning sets a random *administrator* password (you will set a known one in the next step), and without ``--dns-backend`` it uses the internal Samba DNS server, which is what the rest of this page assumes:

  .. code-block:: bash

    samba-tool domain provision --realm=MYDOMAIN.LAN --domain MYDOMAIN --server-role=dc

* Set the *administrator* password (the non-interactive provisioning chose a random one). The default password policy requires a complex password of at least 7 characters:

  .. code-block:: bash

    samba-tool user setpassword administrator

* Check the line ``dns forwarder = xxx.xxx.xxx.xxx`` in your file :file:`/etc/samba/smb.conf`.
  It must point to a :abbr:`DNS (Domain Name Service)` resolver that you trust: every query the domain controller cannot answer from its own zones (the whole Internet, for instance) is forwarded to it, e.g.:

  .. code-block:: ini

    dns forwarder = 1.1.1.1

* Reconfigure DNS resolution for the local machine so that it asks the Samba DNS server first. Replace the contents of the resolver configuration file :file:`/etc/resolv.conf` with the following lines (if this file is generated by ``resolvconf``, ``systemd-resolved`` or NetworkManager, make the change through that tool instead, otherwise it will be overwritten):

  .. code-block:: text

    search mydomain.lan
    nameserver 127.0.0.1
    nameserver 1.1.1.1

* The provisioning also generates a :file:`/var/lib/samba/private/krb5.conf` file, which duplicates the settings you put in :file:`/etc/krb5.conf`.
  It must be removed and replaced by a symbolic link to :file:`/etc/krb5.conf`, so that there is a single Kerberos configuration to maintain:

  .. code-block:: bash

    rm -f /var/lib/samba/private/krb5.conf
    ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf

* Disable and mask the member-server units (they must never start alongside the domain controller), then unmask and enable ``samba-ad-dc`` so that it starts automatically at the next reboot:

  .. code-block:: bash

    systemctl disable samba winbind nmbd smbd
    systemctl mask samba winbind nmbd smbd
    systemctl unmask samba-ad-dc
    systemctl enable samba-ad-dc

* Reboot the machine with :command:`reboot` and verify that the ``samba-ad-dc`` service comes back up.

* After rebooting, make sure that Kerberos is properly configured and that you can obtain a :abbr:`TGT (Ticket Granting Ticket)`:

  .. attention::

    The built-in administrator account is named **administrator** (its English name, whatever the language of your Windows clients). Enter the password you set above: :command:`kinit` prints nothing on success, and a warning that the password will expire is fine too. :command:`klist` should then list a ``krbtgt/MYDOMAIN.LAN@MYDOMAIN.LAN`` ticket.

  .. code-block:: bash

    kinit administrator
    klist

* Test the DNS (:command:`dig` comes from the ``dnsutils`` package). The first query checks forwarding, the second the A record of the domain controller itself (here *srvads*, the machine name configured on the previous page), the third the SRV record that clients use to locate the LDAP service of the domain:

  .. code-block:: bash

    dig @localhost google.fr
    dig @localhost srvads.mydomain.lan
    dig -t SRV @localhost _ldap._tcp.mydomain.lan
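Before moving on, it is worth checking that the three files edited in this procedure agree with one another. The following POSIX shell script is an added example written for this page (it is not part of Samba or of this documentation project): it verifies that ``default_realm`` in :file:`/etc/krb5.conf` is upper case and matches the realm you provisioned, that every ``dns forwarder`` in :file:`/etc/samba/smb.conf` is an IPv4 address that does not point back at the domain controller, and that :file:`/etc/resolv.conf` queries 127.0.0.1 first with the right search domain. The realm *MYDOMAIN.LAN* and the file paths are the ones used on this page and are assumptions; all of them can be overridden on the command line.

```sh
#!/bin/sh
# check_samba_dc_config.sh: offline sanity checks for the three files edited above.
# Added example for this page; not part of Samba or of this documentation project.
# Assumed defaults: realm MYDOMAIN.LAN and the file paths used on this page.

# ini_get FILE KEY: print the value of the first "KEY = value" line of an
# ini-style file (krb5.conf, smb.conf), ignoring case, comments and padding.
ini_get() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -F= '
        /^[[:space:]]*[#;]/ { next }
        NF >= 2 {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# is_ipv4 STRING: succeed only for a dotted quad whose four octets are 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# check_krb5_realm KRB5_CONF REALM: default_realm must be present, upper case
# and equal to REALM. Kerberos realm names are case-sensitive, so a lower-case
# "mydomain.lan" would silently be a different realm than MYDOMAIN.LAN.
check_krb5_realm() {
    realm=$(ini_get "$1" default_realm)
    [ -n "$realm" ] || { echo "FAIL: no default_realm in $1"; return 1; }
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "FAIL: default_realm '$realm' is not upper case"; return 1; }
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$want" ] || { echo "FAIL: default_realm is '$realm', expected '$want'"; return 1; }
    echo "OK: default_realm = $realm"
}

# check_dns_forwarder SMB_CONF: every forwarder must be an IPv4 address and must
# not be the DC itself, otherwise every non-authoritative query loops back to us.
check_dns_forwarder() {
    fwd=$(ini_get "$1" "dns forwarder")
    [ -n "$fwd" ] || { echo "FAIL: no 'dns forwarder' in $1"; return 1; }
    for ip in $fwd; do   # smb.conf accepts a space-separated list of forwarders
        is_ipv4 "$ip" || { echo "FAIL: forwarder '$ip' is not an IPv4 address"; return 1; }
        case $ip in 127.*) echo "FAIL: forwarder '$ip' points back at this machine"; return 1;; esac
    done
    echo "OK: dns forwarder = $fwd"
}

# check_resolv_conf RESOLV_CONF DOMAIN: the DC must query itself first, since
# only the Samba DNS server knows the AD zone and its SRV records; the search
# list must contain the (lower-case) DNS name of the domain.
check_resolv_conf() {
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first_ns" = "127.0.0.1" ] || { echo "FAIL: first nameserver is '$first_ns', expected 127.0.0.1"; return 1; }
    dom=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v d="$dom" '$1 == "search" { for (i = 2; i <= NF; i++) if (tolower($i) == d) found = 1 }
        END { exit !found }' "$1" \
        || { echo "FAIL: 'search $dom' missing in $1"; return 1; }
    echo "OK: resolv.conf queries 127.0.0.1 first and searches $dom"
}

# run_all REALM [KRB5_CONF] [SMB_CONF] [RESOLV_CONF]: run every check; the
# return value is the number of failed checks (0 means the files are consistent).
run_all() {
    failures=0
    check_krb5_realm "${2:-/etc/krb5.conf}" "$1" || failures=$((failures + 1))
    check_dns_forwarder "${3:-/etc/samba/smb.conf}" || failures=$((failures + 1))
    check_resolv_conf "${4:-/etc/resolv.conf}" "$1" || failures=$((failures + 1))
    return $failures
}

# Only read the live system when asked explicitly ("sh check_samba_dc_config.sh
# run MYDOMAIN.LAN"), so the file can also be sourced to reuse the functions.
if [ "${1:-}" = "run" ]; then
    run_all "${2:-MYDOMAIN.LAN}"
fi
```

Run it as ``sh check_samba_dc_config.sh run MYDOMAIN.LAN``: it prints one ``OK``/``FAIL`` line per check and exits with the number of failed checks, so it can be chained in a post-install script. It only reads the three files, so it is safe to re-run after every change.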

Validating the new installation with a Windows client
=====================================================

* Join a machine to the domain.

* From this machine, verify access to the system shares :file:`\\\\mydomain.lan\\sysvol` and :file:`\\\\mydomain.lan\\netlogon`.

To manage your new domain, install the management consoles on a Windows workstation.
The Samba command line (``samba-tool``) handles most administrative tasks, but some are easier to perform in the graphical :abbr:`RSAT (Remote Server Administration Tools)` consoles.

With experience of operating your Samba domain you will find your own balance between the command line and RSAT.

* :ref:`Install RSAT on your management machine <samba_install_RSAT>`.

Once RSAT is installed:

* Create and delete a DNS record from the :guilabel:`DNS` console.

* Create and delete a user account or a computer account from the :guilabel:`Active Directory Users and Computers` console.

Great, if you’ve made it this far, then everything is going well and you have a new Samba Active Directory domain up and running.

Now we will :ref:`configure the DNS service in hybrid mode <server_install_hybrid_dns_debian>` to improve the performance of your Samba-AD.
