How to create Samba Active Directory server

Create Samba Active Directory server using Debian Bullseye.

Preparations

Update package index.

$ sudo apt update

Upgrade operating system.

$ sudo apt upgrade

Ensure that the hostname is defined.

$ sudo hostnamectl --static set-hostname ad.octocat.lab

Inspect the hosts file, which should be in its initial state.

$ cat /etc/hosts
127.0.0.1       localhost
#10.10.10.10     ad.octocat.lab ad

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Ensure that the systemd-resolved service is disabled, as it would otherwise compete with BIND for port 53 and manage /etc/resolv.conf.

$ systemctl status systemd-resolved.service
● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/lib/systemd/system/systemd-resolved.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:systemd-resolved.service(8)
             man:org.freedesktop.resolve1(5)
             https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
             https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients

The DNS resolver should point to the DNS server that will later be used as a forwarder.

$ cat /etc/resolv.conf
nameserver 10.10.0.1

The Samba AD server should have a static IP address assigned.

$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback
$ cat /etc/network/interfaces.d/eth0
auto eth0
iface eth0 inet static
        address 10.10.10.10
        netmask 255.255.0.0
        gateway 10.10.0.1

These steps will save you time later.

Install NTP service

Install the chrony NTP daemon.

$ sudo apt install chrony

Disable the chrony service as it will be configured later.

$ sudo systemctl disable --now chrony

Install DNS service

Install the bind9 DNS daemon.

$ sudo apt install bind9

Disable the BIND service as it will be configured later (on Debian the unit is named, not bind).

$ sudo systemctl disable --now named

Install Samba AD service

Install required Samba and Kerberos packages.

$ sudo DEBIAN_FRONTEND=noninteractive apt-get install -y samba smbclient winbind krb5-user krb5-config
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  attr dirmngr gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm ibverbs-providers libarchive13 libassuan0 libavahi-client3
  libavahi-common-data libavahi-common3 libboost-iostreams1.74.0 libboost-thread1.74.0 libcephfs2 libcups2 libgfapi0 libgfrpc0 libgfxdr0 libglusterfs0
  libgpgme11 libgssrpc4 libibverbs1 libkadm5clnt-mit12 libkadm5srv-mit12 libkdb5-10 libksba8 libldb2 libnl-3-200 libnl-route-3-200 libnpth0 libnspr4 libnss3
  libpython3.9 librados2 librdmacm1 libsmbclient libtalloc2 libtdb1 libtevent0 liburing1 libwbclient0 libyaml-0-2 pinentry-curses python3-cffi-backend
  python3-cryptography python3-dnspython python3-gpg python3-ldb python3-markdown python3-pygments python3-requests-toolbelt python3-samba python3-talloc
  python3-tdb python3-yaml samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules tdb-tools
Suggested packages:
  dbus-user-session pinentry-gnome3 tor parcimonie xloadimage scdaemon krb5-k5tls lrzip cups-common krb5-doc pinentry-doc python-cryptography-doc
  python3-cryptography-vectors python3-sniffio python3-trio python-markdown-doc python-pygments-doc ttf-bitstream-vera ctdb ldb-tools smbldap-tools ufw
  heimdal-clients cifs-utils libnss-winbind libpam-winbind
The following NEW packages will be installed:
  attr dirmngr gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm ibverbs-providers krb5-config krb5-user libarchive13
  libassuan0 libavahi-client3 libavahi-common-data libavahi-common3 libboost-iostreams1.74.0 libboost-thread1.74.0 libcephfs2 libcups2 libgfapi0 libgfrpc0
  libgfxdr0 libglusterfs0 libgpgme11 libgssrpc4 libibverbs1 libkadm5clnt-mit12 libkadm5srv-mit12 libkdb5-10 libksba8 libldb2 libnl-3-200 libnl-route-3-200
  libnpth0 libnspr4 libnss3 libpython3.9 librados2 librdmacm1 libsmbclient libtalloc2 libtdb1 libtevent0 liburing1 libwbclient0 libyaml-0-2 pinentry-curses
  python3-cffi-backend python3-cryptography python3-dnspython python3-gpg python3-ldb python3-markdown python3-pygments python3-requests-toolbelt python3-samba
  python3-talloc python3-tdb python3-yaml samba samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules smbclient tdb-tools winbind
0 upgraded, 72 newly installed, 0 to remove and 0 not upgraded.
Need to get 44.6 MB of archives.
After this operation, 149 MB of additional disk space will be used.
[...]

Ensure that the Samba services are disabled.

$ sudo systemctl disable --now samba-ad-dc.service smbd.service nmbd.service winbind.service

Remove the default configuration; both files will be regenerated by the provisioning step.

$ sudo unlink /etc/samba/smb.conf
$ sudo unlink /etc/krb5.conf

Configure Samba AD service

Provision the Samba Active Directory domain.

$ sudo samba-tool domain provision --realm OCTOCAT.LAB \
                                   --domain OCTOCAT \
                                   --server-role dc \
                                   --dns-backend BIND9_DLZ \
                                   --adminpass oct0passwOrd \
                                   --use-rfc2307 \
                                   --option="interfaces=lo eth0" \
                                   --option="bind interfaces only=yes"
INFO 2021-09-30 14:08:32,340 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2122: Looking up IPv4 addresses
INFO 2021-09-30 14:08:32,340 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2139: Looking up IPv6 addresses
WARNING 2021-09-30 14:08:32,341 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2146: No IPv6 address will be assigned
INFO 2021-09-30 14:08:32,547 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2290: Setting up share.ldb
INFO 2021-09-30 14:08:32,556 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2294: Setting up secrets.ldb
INFO 2021-09-30 14:08:32,570 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2299: Setting up the registry
INFO 2021-09-30 14:08:32,597 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2302: Setting up the privileges database
INFO 2021-09-30 14:08:32,615 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2305: Setting up idmap db
INFO 2021-09-30 14:08:32,631 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2312: Setting up SAM db
INFO 2021-09-30 14:08:32,634 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #897: Setting up sam.ldb partitions and settings
INFO 2021-09-30 14:08:32,634 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #909: Setting up sam.ldb rootDSE
INFO 2021-09-30 14:08:32,636 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1322: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2021-09-30 14:08:32,680 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1400: Adding DomainDN: DC=octocat,DC=lab
INFO 2021-09-30 14:08:32,695 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1432: Adding configuration container
INFO 2021-09-30 14:08:32,708 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1447: Setting up sam.ldb schema
INFO 2021-09-30 14:08:34,461 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1465: Setting up sam.ldb configuration data
INFO 2021-09-30 14:08:34,558 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1506: Setting up display specifiers
INFO 2021-09-30 14:08:35,791 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1514: Modifying display specifiers and extended rights
INFO 2021-09-30 14:08:35,816 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1521: Adding users container
INFO 2021-09-30 14:08:35,817 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1527: Modifying users container
INFO 2021-09-30 14:08:35,818 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1530: Adding computers container
INFO 2021-09-30 14:08:35,819 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1536: Modifying computers container
INFO 2021-09-30 14:08:35,820 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1540: Setting up sam.ldb data
INFO 2021-09-30 14:08:35,913 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1570: Setting up well known security principals
INFO 2021-09-30 14:08:35,942 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1584: Setting up sam.ldb users and groups
INFO 2021-09-30 14:08:36,026 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1592: Setting up self join
Repacking database from v1 to v2 format (first record CN=FRS-Replica-Set-Type,CN=Schema,CN=Configuration,DC=octocat,DC=lab)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=siteLinkBridge-Display,CN=419,CN=DisplaySpecifiers,CN=Configuration,DC=octocat,DC=lab)
Repacking database from v1 to v2 format (first record CN=RpcServices,CN=System,DC=octocat,DC=lab)
INFO 2021-09-30 14:08:36,928 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1143: Adding DNS accounts
INFO 2021-09-30 14:08:36,937 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1177: Creating CN=MicrosoftDNS,CN=System,DC=octocat,DC=lab
INFO 2021-09-30 14:08:36,949 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1190: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2021-09-30 14:08:36,974 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1195: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=ad,DC=octocat.lab,CN=MicrosoftDNS,DC=DomainDnsZones,DC=octocat,DC=lab)
Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.dc,DC=_msdcs.octocat.lab,CN=MicrosoftDNS,DC=ForestDnsZones,DC=octocat,DC=lab)
INFO 2021-09-30 14:08:37,291 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1276: See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
INFO 2021-09-30 14:08:37,291 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1278: and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
INFO 2021-09-30 14:08:37,344 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2026: Setting up sam.ldb rootDSE marking as synchronized
INFO 2021-09-30 14:08:37,346 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2031: Fixing provision GUIDs
INFO 2021-09-30 14:08:37,902 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2364: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
INFO 2021-09-30 14:08:37,902 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2366: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2021-09-30 14:08:37,972 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2096: Setting up fake yp server settings
INFO 2021-09-30 14:08:38,017 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #489: Once the above files are installed, your Samba AD server will be ready to use
INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #494: Server Role:           active directory domain controller
INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #495: Hostname:              ad
INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #496: NetBIOS Domain:        OCTOCAT
INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #497: DNS Domain:            octocat.lab
INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #498: DOMAIN SID:            S-1-5-21-3581266272-3984212215-1130392956

Alter the DNS resolver to point to this server.

$ cat << EOF | sudo tee /etc/resolv.conf
search octocat.lab
nameserver 10.10.10.10
EOF

Copy the generated Kerberos configuration (copy it, do not symlink it, as the provisioning output says).

$ sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

Display the initial Kerberos configuration.

$ cat /etc/krb5.conf
[libdefaults]
        default_realm = OCTOCAT.LAB
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
OCTOCAT.LAB = {
        default_domain = octocat.lab
}

[domain_realm]
        ad = OCTOCAT.LAB

Create a link to the keytab file.

$ sudo ln -s /var/lib/samba/private/secrets.keytab /etc/krb5.keytab

List the keytab contents.

$ sudo klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/ad@OCTOCAT.LAB
   1 HOST/ad.octocat.lab@OCTOCAT.LAB
   1 AD$@OCTOCAT.LAB
   1 HOST/ad@OCTOCAT.LAB
   1 HOST/ad.octocat.lab@OCTOCAT.LAB
   1 AD$@OCTOCAT.LAB
   1 HOST/ad@OCTOCAT.LAB
   1 HOST/ad.octocat.lab@OCTOCAT.LAB
   1 AD$@OCTOCAT.LAB

Display the Samba configuration.

$ cat /etc/samba/smb.conf
# Global parameters
[global]
        bind interfaces only = Yes
        interfaces = lo eth0
        dns forwarder = 10.10.0.1
        netbios name = AD
        realm = OCTOCAT.LAB
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = OCTOCAT
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/octocat.lab/scripts
        read only = No

Ensure that the dns forwarder parameter is defined. Provisioning takes it from the nameserver in /etc/resolv.conf, which is why the resolver had to point to the upstream DNS server (10.10.0.1) before provisioning; without it the internal DNS server cannot resolve names outside octocat.lab.

Configure NTP service

Determine the ntp_signd socket location.

$ sudo samba -b | grep NTP_SIGND_SOCKET_DIR
   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd

Create the directory if it does not exist.

$ sudo mkdir /var/lib/samba/ntp_signd

Set proper permissions so that only the chrony daemon can reach the signing socket.

$ sudo chgrp _chrony /var/lib/samba/ntp_signd
$ sudo chmod 750 /var/lib/samba/ntp_signd

Delete the default pool.

$ sudo sed -i -e "/\# Use Debian vendor zone./,+2d" /etc/chrony/chrony.conf

Define the Debian NTP pool as a source.

$ cat << EOF | sudo tee /etc/chrony/sources.d/debian-pool.sources
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst
EOF

Create a server configuration that listens on the static address, serves the local subnet and signs replies for domain members through the ntp_signd socket.

$ cat << EOF | sudo tee /etc/chrony/conf.d/server.conf
bindaddress 10.10.10.10
allow 10.10.0.1/16
ntpsigndsocket  /var/lib/samba/ntp_signd
EOF

Use a Unix domain command socket for command and monitoring access.

$ cat << EOF | sudo tee /etc/chrony/conf.d/cmd.conf
bindcmdaddress /var/run/chrony/chronyd.sock
cmdport 0
EOF

Enable the service.

$ sudo systemctl enable --now chrony

Configure DNS service

Determine the Samba configuration directory for BIND.

$ sudo smbd -b | grep BINDDNS
   BINDDNS_DIR: /var/lib/samba/bind-dns

Determine the BIND version.

$ sudo named -v
BIND 9.16.15-Debian (Stable Release)

Ensure that the database line matching the BIND version determined above (9.16) is the only one uncommented.

$ sudo cat /var/lib/samba/bind-dns/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/bind-dns/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";

    # For BIND 9.12.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_12.so";

    # For BIND 9.14.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_14.so";

    # For BIND 9.16.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";
};

Include these dynamically loadable zones in the main BIND configuration.

$ sudo cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";

Ensure that the Kerberos keytab is provided for secure (GSS-TSIG) DNS updates.

$ cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };

        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};

Enable the DNS server.

$ sudo systemctl enable --now named

Start Samba AD service

Unmask the samba-ad-dc service.

$ sudo systemctl unmask samba-ad-dc.service

Start and enable the samba-ad-dc service.

$ sudo systemctl enable --now samba-ad-dc.service

Inspect the service status.

$ systemctl status samba-ad-dc.service
● samba-ad-dc.service - Samba AD Daemon
     Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-09-30 14:13:44 CEST; 12s ago
       Docs: man:samba(8)
             man:samba(7)
             man:smb.conf(5)
   Main PID: 743 (samba)
     Status: "samba: ready to serve connections..."
      Tasks: 56 (limit: 1105)
     Memory: 165.9M
        CPU: 5.246s
     CGroup: /system.slice/samba-ad-dc.service
             ├─743 samba: root process
             ├─744 samba: tfork waiter process(745)
             ├─745 samba: task[s3fs] pre-fork master
             ├─746 samba: tfork waiter process(747)
             ├─747 samba: task[rpc] pre-fork master
             ├─748 samba: tfork waiter process(750)
             ├─749 samba: tfork waiter process(752)
             ├─750 samba: task[nbt] pre-fork master
             ├─751 samba: tfork waiter process(753)
             ├─752 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─753 samba: task[wrepl] pre-fork master
             ├─754 samba: tfork waiter process(756)
             ├─755 samba: tfork waiter process(758)
             ├─756 samba: task[ldap] pre-fork master
             ├─757 samba: tfork waiter process(760)
             ├─758 samba: task[rpc] pre-forked worker(0)
             ├─759 samba: tfork waiter process(764)
             ├─760 samba: task[cldap] pre-fork master
             ├─761 samba: tfork waiter process(762)
             ├─762 samba: task[kdc] pre-fork master
             ├─763 samba: tfork waiter process(766)
             ├─764 samba: task[rpc] pre-forked worker(1)
             ├─765 samba: tfork waiter process(769)
             ├─766 samba: task[drepl] pre-fork master
             ├─767 samba: tfork waiter process(770)
             ├─768 samba: tfork waiter process(773)
             ├─769 samba: task[rpc] pre-forked worker(2)
             ├─770 samba: task[winbindd] pre-fork master
             ├─771 samba: tfork waiter process(775)
             ├─772 samba: tfork waiter process(777)
             ├─773 samba: task[kdc] pre-forked worker(0)
             ├─774 samba: tfork waiter process(778)
             ├─775 samba: task[ntp_signd] pre-fork master
             ├─776 samba: tfork waiter process(780)
             ├─777 samba: task[rpc] pre-forked worker(3)
             ├─778 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
             ├─779 samba: tfork waiter process(782)
             ├─780 samba: task[kcc] pre-fork master
             ├─781 samba: tfork waiter process(784)
             ├─782 samba: task[kdc] pre-forked worker(1)
             ├─783 samba: tfork waiter process(785)
             ├─784 samba: task[dnsupdate] pre-fork master
             ├─785 samba: task[kdc] pre-forked worker(2)
             ├─786 samba: tfork waiter process(787)
             ├─787 samba: task[kdc] pre-forked worker(3)
             ├─794 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─795 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─796 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─798 samba: tfork waiter process(799)
             ├─799 samba: task[ldap] pre-forked worker(0)
             ├─800 samba: tfork waiter process(801)
             ├─801 samba: task[ldap] pre-forked worker(1)
             ├─802 samba: tfork waiter process(803)
             ├─803 samba: task[ldap] pre-forked worker(2)
             ├─804 samba: tfork waiter process(805)
             └─805 samba: task[ldap] pre-forked worker(3)

Post installation steps

List DNS zones.

$ samba-tool dns zonelist ad -U administrator
Password for [OCTOCAT\administrator]: *********
  2 zone(s) found

  pszZoneName                 : octocat.lab
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : DomainDnsZones.octocat.lab

  pszZoneName                 : _msdcs.octocat.lab
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : ForestDnsZones.octocat.lab

Create a reverse DNS zone for the 10.10.0.0/16 network.

$ samba-tool dns zonecreate -U administrator ad.octocat.lab 10.10.in-addr.arpa
Password for [OCTOCAT\administrator]: *********
Zone 10.10.in-addr.arpa created successfully

List DNS zones again.

$ samba-tool dns zonelist ad.octocat.lab -U administrator
Password for [OCTOCAT\administrator]: *********
  3 zone(s) found

  pszZoneName                 : octocat.lab
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : DomainDnsZones.octocat.lab

  pszZoneName                 : 10.10.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : DomainDnsZones.octocat.lab

  pszZoneName                 : _msdcs.octocat.lab
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : ForestDnsZones.octocat.lab

Check the DNS entry for the domain controller.

$ dig ad.octocat.lab +short
10.10.10.10
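The reverse zone name and the PTR label above are derived from the interface address and netmask (10.10.10.10 / 255.255.0.0). The following script, an added example rather than part of the original post, computes them, and with --run it also queries the DC for the SRV records a domain controller must publish and for the PTR record, which the zone creation step above does not add. The host name ad.octocat.lab, the dig and samba-tool commands and the lab addresses are assumptions taken from this page.

```shell
#!/bin/sh
# Post-provision DNS checks for a Samba AD DC (added example, not from the page).
# Assumes dig and samba-tool are on PATH and the DC answers on its static address.

# netmask_bits 255.255.0.0 -> 16  (dotted-quad netmask to prefix length)
netmask_bits() {
    bits=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        case "$octet" in
            255) bits=$((bits + 8)) ;;  254) bits=$((bits + 7)) ;;
            252) bits=$((bits + 6)) ;;  248) bits=$((bits + 5)) ;;
            240) bits=$((bits + 4)) ;;  224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;;  128) bits=$((bits + 1)) ;;
            0) ;;
            *) echo "netmask_bits: bad octet $octet" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# zone_octets PREFIXLEN -> how many leading octets belong to the zone name
zone_octets() {
    case "$1" in
        8)  echo 1 ;; 16) echo 2 ;; 24) echo 3 ;;
        *)  echo "only /8, /16 and /24 map onto one in-addr.arpa zone" >&2; return 1 ;;
    esac
}

# reverse_zone ADDRESS PREFIXLEN -> 10.10.10.10 16 gives 10.10.in-addr.arpa
reverse_zone() {
    keep=$(zone_octets "$2") || return 1
    out=""; i=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        i=$((i + 1))
        [ "$i" -le "$keep" ] || break
        if [ -z "$out" ]; then out=$octet; else out="$octet.$out"; fi
    done
    echo "$out.in-addr.arpa"
}

# ptr_label ADDRESS PREFIXLEN -> record name inside that zone (host octets reversed)
ptr_label() {
    keep=$(zone_octets "$2") || return 1
    out=""; i=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        i=$((i + 1))
        [ "$i" -gt "$keep" ] || continue
        if [ -z "$out" ]; then out=$octet; else out="$octet.$out"; fi
    done
    echo "$out"
}

# dc_srv_names DOMAIN -> SRV records clients use to locate LDAP, Kerberos and kpasswd
dc_srv_names() {
    printf '%s\n' "_ldap._tcp.$1" "_kerberos._tcp.$1" "_kerberos._udp.$1" \
        "_kpasswd._tcp.$1" "_ldap._tcp.dc._msdcs.$1" "_kerberos._tcp.dc._msdcs.$1"
}

# check_dc_dns DC_FQDN DOMAIN ADDRESS PREFIXLEN -> 0 if every record resolves
check_dc_dns() {
    dc=$1; domain=$2; addr=$3; prefix=$4; rc=0
    for name in $(dc_srv_names "$domain"); do
        if [ -n "$(dig @"$addr" "$name" SRV +short)" ]; then
            echo "ok   SRV $name"
        else
            echo "FAIL SRV $name"; rc=1
        fi
    done
    zone=$(reverse_zone "$addr" "$prefix"); label=$(ptr_label "$addr" "$prefix")
    if dig @"$addr" -x "$addr" +short | grep -q "^$dc\.\$"; then
        echo "ok   PTR $addr -> $dc"
    else
        echo "FAIL PTR $addr; add it with: samba-tool dns add $dc $zone $label PTR $dc -U administrator"
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    check_dc_dns ad.octocat.lab octocat.lab 10.10.10.10 "$(netmask_bits 255.255.0.0)"
fi
```

Run it as `sh dc-dns-check.sh --run` on the DC after the zone has been created; the FAIL line for the PTR record prints the exact samba-tool command that adds it.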

Display the machine account details.

$ net ads info
LDAP server: 10.10.10.10
LDAP server name: ad.octocat.lab
Realm: OCTOCAT.LAB
Bind Path: dc=OCTOCAT,dc=LAB
LDAP port: 389
Server time: Thu, 30 Sep 2021 20:33:23 CEST
KDC server: 10.10.10.10
Server time offset: 0
Last machine account password change: Thu, 30 Sep 2021 14:08:36 CEST

Perform a CLDAP query to get information about the domain controller.

$ net ads lookup
Information for Domain Controller: 10.10.10.10

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 6b95767e-3fc5-4660-aed6-1ee5f55b9365
Flags:
        Is a PDC:                                   yes
        Is a GC of the forest:                      yes
        Is an LDAP server:                          yes
        Supports DS:                                yes
        Is running a KDC:                           yes
        Is running time services:                   yes
        Is the closest DC:                          yes
        Is writable:                                yes
        Has a hardware clock:                       yes
        Is a non-domain NC serviced by LDAP server: no
        Is NT6 DC that has some secrets:            no
        Is NT6 DC that has all secrets:             yes
        Runs Active Directory Web Services:         no
        Runs on Windows 2012 or later:              no
Forest: octocat.lab
Domain: octocat.lab
Domain Controller: ad.octocat.lab
Pre-Win2k Domain: OCTOCAT
Pre-Win2k Hostname: AD
Server Site Name: Default-First-Site-Name
Client Site Name: Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

Installation complete.