Setting up a Samba Active Directory Domain Controller on Debian Jessie


We will use this environment:
Domain name (NetBIOS): LOVES
Realm: LOVER.LOVES.TESTING
Hostname: lover.loves.testing (short name lover, so the DC itself is registered in DNS as lover.lover.loves.testing)
AD DC server interface: eth0
AD DC server IP: 10.0.3.15
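Before provisioning it is worth checking that the names above fit the rules from the Samba Active Directory Naming FAQ (linked under Sources), since they cannot be changed afterwards without re-provisioning. The following script is an added example for this page, not a Samba tool: it encodes those rules (upper-case multi-label realm, no .local, NetBIOS name of at most 15 characters without dots, short DC hostname of at most 15 characters) and prints the FQDN the DC will be registered under, which is the short hostname joined to the realm. The three values at the top are this page's environment; everything else is assumed.

```shell
#!/bin/sh
# check_ad_names.sh - sanity-check the names before `samba-tool domain provision`.
# Added example, not from the Samba wiki; values below are this page's environment.

REALM="LOVER.LOVES.TESTING"   # Kerberos realm / AD DNS domain
DOMAIN="LOVES"                # NetBIOS domain name (first label of the realm by default)
HOST_SHORT="lover"            # output of `hostname -s` on the DC

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# check_realm REALM: 0 if REALM is upper case, has at least two labels and is not under .local
check_realm() {
  r=$1
  if [ "$r" != "$(upper "$r")" ]; then
    echo "realm is written in upper case (Kerberos convention): $r" >&2; return 1
  fi
  case "$r" in
    *.*) ;;
    *) echo "single-label realm is not supported: $r" >&2; return 1 ;;
  esac
  case "$(lower "$r")" in
    *.local) echo "avoid .local, it collides with mDNS/Avahi: $r" >&2; return 1 ;;
  esac
  return 0
}

# check_netbios NAME: 0 if NAME is 1-15 characters, upper case and contains no dot
check_netbios() {
  n=$1
  if [ -z "$n" ] || [ ${#n} -gt 15 ]; then
    echo "NetBIOS name must be 1-15 characters: $n" >&2; return 1
  fi
  case "$n" in
    *.*) echo "NetBIOS name must not contain a dot: $n" >&2; return 1 ;;
  esac
  if [ "$n" != "$(upper "$n")" ]; then
    echo "NetBIOS name should be upper case: $n" >&2; return 1
  fi
  return 0
}

# dc_fqdn SHORT REALM: print the FQDN provisioning registers for the DC (short name + realm);
#   fails if SHORT is longer than 15 characters or is already an FQDN
dc_fqdn() {
  h=$1
  case "$h" in
    *.*) echo "use the short hostname, not an FQDN: $h" >&2; return 1 ;;
  esac
  if [ ${#h} -gt 15 ]; then
    echo "DC hostname longer than 15 characters: $h" >&2; return 1
  fi
  printf '%s.%s\n' "$(lower "$h")" "$(lower "$2")"
}

# check_all REALM DOMAIN SHORT: run every check and print the resulting DC FQDN
check_all() {
  check_realm "$1" && check_netbios "$2" && dc_fqdn "$3" "$1"
}

check_all "$REALM" "$DOMAIN" "$HOST_SHORT"
```

Run it on the DC before provisioning; a non-zero exit with a message on stderr means one of the names needs changing. With this page's values it prints lover.lover.loves.testing, the same target that appears in the SRV records later on.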

Debian 8 Jessie and Ubuntu >=14.04 dependencies (the list is the Samba wiki's, so it also contains the tools needed to build Samba from source; krb5-user and dnsutils are the ones used directly below):

# apt-get install acl attr autoconf bison build-essential \
  debhelper dnsutils docbook-xml docbook-xsl flex gdb krb5-user \
  libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev \
  libcap-dev libcups2-dev libgnutls28-dev libjson-perl \
  libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
  libpopt-dev libreadline-dev perl perl-modules pkg-config \
  python-all-dev python-dev python-dnspython python-crypto \
  xsltproc zlib1g-dev

Installing krb5-user prompts for the Kerberos configuration; answer:
Default Kerberos version 5 realm: LOVER.LOVES.TESTING
Kerberos servers for your realm: lover.loves.testing
Administrative server for your Kerberos realm: lover.loves.testing

Then install the samba package itself: apt-get install samba

We will use Samba's internal DNS server, so remove BIND in case it is installed (both would try to listen on port 53): apt-get remove bind9

Stop Samba and move the packaged config aside; provisioning writes a fresh smb.conf and refuses to run if one already exists:

/etc/init.d/samba stop
mv /etc/samba/smb.conf /etc/samba/smb.conf.ori

Provisioning the Samba Active Directory (the two --option arguments restrict Samba to the loopback and eth0 interfaces; --use-rfc2307 adds the Unix uid/gid attributes to the schema):
samba-tool domain provision --use-rfc2307 --interactive --option="interfaces=lo eth0" --option="bind interfaces only=yes"
Realm [SAMDOM.EXAMPLE.COM]: LOVER.LOVES.TESTING
Domain [SAMDOM]: LOVES
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [10.99.0.1]: 8.8.8.8
Administrator password: (your super secret passwd)
Retype password: (your super secret passwd)
The Administrator password must satisfy Samba's default password policy (at least seven characters with complexity enabled), or provisioning fails. The forwarder is only used for names outside the AD zones.

Start SAMBA:
/etc/init.d/samba start

Check if Samba provides the AD DC default shares "netlogon" and "sysvol":
smbclient -L localhost -U%

Test that authentication is working:
smbclient //localhost/netlogon -U Administrator -c 'ls'

Because this is the first Domain Controller in the AD forest, point the DC's own resolver at itself in /etc/resolv.conf (if resolvconf or a DHCP client manages that file, set it there instead, or the change will be overwritten):

domain lover.loves.testing
nameserver 10.0.3.15

Testing DNS:
host -t SRV _ldap._tcp.lover.loves.testing.
_ldap._tcp.lover.loves.testing has SRV record 0 100 389 lover.lover.loves.testing.

host -t SRV _kerberos._udp.lover.loves.testing.
_kerberos._udp.lover.loves.testing has SRV record 0 100 88 lover.lover.loves.testing.

host -t A lover.loves.testing.
lover.loves.testing has address 10.0.3.15

Provisioning generates a krb5.conf for the realm; replace the one written by krb5-user with it, by copying or by creating a symlink:
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

Use "kinit" to obtain a Kerberos ticket for the Administrator account (the realm part is upper case and case-sensitive):
kinit administrator@LOVER.LOVES.TESTING

To verify that Kerberos is working and that you received a ticket, run:
klist

Install and configure NTP. Kerberos rejects requests when the client and DC clocks differ by more than five minutes (the default clock skew), so the DC must be a reliable time source for the domain:
https://wiki.samba.org/index.php/Time_syncronisation
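The checks on this page, wrapped into one script, as an added example that is not from the Samba wiki or the original page: it covers the SRV and A lookups from the DNS test above, the netlogon/sysvol share listing, the Kerberos ticket, and the clock requirement behind the NTP step. REALM, DC_FQDN and DC_IP are this page's environment; the 300-second limit is the Kerberos default clock skew; pool.ntp.org and the "offset N sec" summary line of ntpdate -q are assumptions. The parsing functions take text, so the script can be exercised on a constructed answer without a running DC; sh verify_dc.sh --live runs the real host, smbclient, klist and ntpdate commands on the DC.

```shell
#!/bin/sh
# verify_dc.sh - re-run the DNS, share, ticket and clock checks from this page in one go.
# Added example, not from the Samba wiki. REALM, DC_FQDN, DC_IP are this page's environment;
# MAX_SKEW is the Kerberos default clock skew (300 s); NTP_SERVER is an assumption.

REALM=${REALM:-lover.loves.testing}
DC_FQDN=${DC_FQDN:-lover.lover.loves.testing}
DC_IP=${DC_IP:-10.0.3.15}
MAX_SKEW=${MAX_SKEW:-300}
NTP_SERVER=${NTP_SERVER:-pool.ntp.org}

# check_srv LINE PORT TARGET: 0 if a `host -t SRV` answer line points at TARGET on PORT.
#   Answer format: "<name> has SRV record <prio> <weight> <port> <target>."
check_srv() {
  case "$1" in *" has SRV record "*) ;; *) return 1 ;; esac
  port=$(printf '%s\n' "$1" | awk '{ print $7 }')
  target=$(printf '%s\n' "$1" | awk '{ print $8 }')
  [ "$port" = "$2" ] && [ "${target%.}" = "$3" ]
}

# check_a LINE IP: 0 if a `host -t A` answer line resolves to IP
check_a() {
  case "$1" in
    *" has address $2") return 0 ;;
    *) return 1 ;;
  esac
}

# check_shares LISTING: 0 if an `smbclient -L` listing contains both netlogon and sysvol
check_shares() {
  printf '%s\n' "$1" | awk 'tolower($1) == "netlogon" { n = 1 } tolower($1) == "sysvol" { s = 1 }
                            END { exit !(n && s) }'
}

# check_skew OFFSET: 0 if |OFFSET| seconds (may be fractional or negative) is within MAX_SKEW
check_skew() {
  awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit !(o <= m) }'
}

# ntp_offset SERVER: print the offset from the "... offset <seconds> sec" summary line of
#   `ntpdate -q` (assumed format); empty output means the query failed
ntp_offset() {
  ntpdate -q "$1" 2>/dev/null | sed -n 's/.*offset \([-0-9.]*\) sec.*/\1/p' | tail -n 1
}

# live: run the real commands on the DC; returns non-zero if any check fails
live() {
  rc=0
  l=$(host -t SRV "_ldap._tcp.$REALM." | head -n 1)
  check_srv "$l" 389 "$DC_FQDN" || { echo "FAIL ldap SRV: $l"; rc=1; }
  k=$(host -t SRV "_kerberos._udp.$REALM." | head -n 1)
  check_srv "$k" 88 "$DC_FQDN" || { echo "FAIL kerberos SRV: $k"; rc=1; }
  for name in "$DC_FQDN" "$REALM"; do
    a=$(host -t A "$name." | head -n 1)
    check_a "$a" "$DC_IP" || { echo "FAIL A record: $a"; rc=1; }
  done
  check_shares "$(smbclient -L localhost -U% 2>/dev/null)" || { echo "FAIL netlogon/sysvol missing"; rc=1; }
  klist -s || { echo "FAIL no valid Kerberos ticket (run kinit first)"; rc=1; }
  off=$(ntp_offset "$NTP_SERVER")
  if [ -z "$off" ]; then
    echo "WARN could not query $NTP_SERVER"
  elif ! check_skew "$off"; then
    echo "FAIL clock offset ${off}s exceeds ${MAX_SKEW}s"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "all checks passed"
  return "$rc"
}

# selfcheck: exercise the parsers on a constructed answer (this page's own SRV output)
selfcheck() {
  sample="_ldap._tcp.$REALM has SRV record 0 100 389 $DC_FQDN."
  check_srv "$sample" 389 "$DC_FQDN" && check_skew 0.5 && ! check_skew 900
}

if [ "${1:-}" = "--live" ]; then live; else selfcheck && echo "offline self-check passed"; fi
```

Without arguments the script only runs the offline self-check; on the DC, run it as sh verify_dc.sh --live after kinit, and fix any FAIL line before joining clients. The share and ticket checks exercise the Samba and Kerberos paths, and the NTP check catches the clock drift that otherwise surfaces later as unexplained KRB5KRB_AP_ERR_SKEW failures on clients.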

Add a domain user (samba-tool prompts for the password, which must satisfy the same password policy as above):
samba-tool user add jessie

Sources:
https://wiki.samba.org/index.php/Operating_system_requirements/Dependenc...
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_C...
https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ
https://wiki.samba.org/index.php/Time_syncronisation
https://wiki.samba.org/index.php/Server_information_used_in_documentation
https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting
http://www.server-world.info/en/note?os=Debian_8&p=samba&f=4