Setting Up A Raspberry Pi Domain Member

I started this post because the samba official docs were too general for my purposes and maybe this will help someone else.

This page explains how to set up a Raspberry Pi as a domain member This will not explain how to set up file shares. I will be using the domain members for projects like creating a cluster that authenticates against the DC on the cluster.

I have already set up the domain controller.

Install The Operating System

There are a million web sites out there explaining how to install Raspberry Pi OS. For my purposes to get them onto my network I do the following.

Download the Raspberry Pi Imager from the Raspberry Pi foundation for your OS.
Install Raspberry Pi Imager following the directions for your OS. I am using MacOS Ventura for this.
Open Rasberry Pi Imager it should look like this..

Click the “CHOOSE OS” button. A window like the following will appear. According to documentation on the Raspberry Pi web site you should typically select the 32-bit version of the os. This is fine however the default OS has a desktop which we don’t need. Select the Raspberry Pi OS (other) option

Click “Raspberry Pi OS Lite (Legacy)”. As of right now the Bullseye version of Samba is not working.

Now that the OS has been selected click on the gear to set up the “Advanced Options”

The “Advanced Options” window will look like this

I set the following Items
- Set hostname – it does not really matter we will update this later anyway
- Enable SSH – I run the pi headless (no monitor) and ssh into it so this is require if you are doing the same. I use password authentication for now.
- Set username and password – set a username and password.
- Configure wireless LAN – I don’t set this but you can if you feel inclined to do so.
- Set local settings – I set this to my local time zone. You should do the same.
- Play Sound when finished – Checked
- Eject Media when finished – Checked
  Enable telemetry – Not checked
Now click the “CHOOSE STORAGE” button.
In the “Storage” window select the sim card that you want to write the OS to. In this case it is “NORELSYS 1081CS1 Media = 63.9 GB”

The “WRITE” button will be enabled now. Click it.

A warning will pop up telling you that you are about to erase the data on the media. If you are comfortable with what it is telling you click “YES.”

On MacOS a dialog pops up to enter your password. I assume that this has to do with the fact that you are modifying a disk. Enter your username, password and click OK

The imager will write your OS. This will take a bit of time and varies depending on how fast your SD card is.

If successful you should see something like the following. Click “Continue” and close the Imager software. We are done with it right now.

Load the SD card into your Pi and turn it on.

Setting A Static IP

The next step varies a bit so I won’t go into details. You need to configure your Pi to use a static IP. The DC acts as a DNS server to the clients so it can’t be moving around on your network.

First I use my Edgerouter X router to determine what the initial IP is of the Pi and set it to a static IP on the router. I do this by getting the list of IPs being leased on the router. On my router it looks like this and you can see the leased IPs. There are only two and it is pretty easy to spot the Pi. I would click “Map Static IP”

Then I set the static IP. Here I set it to 192.168.3.51 to not conflict with the domain controller. If you changed the IP you will need to reboot the Pi so it updates its IP.

Also it is important to note that you should set up DHCP settings on your router to automatically set the DNS and domain names on the clients. This can be done manually but it is much easier to do it in the router. Note that I have set DNS 1 to the domain controller and DNS 2 to Google. I have also set the domain name to lan.maltshoppe.com.

Update The Pi

ssh into the Pi that will be the DC controller using your favorite terminal. I like iTerm2. The first time you log in you will get warnings about new keys. Accept them and when it you should see something like this.

Now update your package source list by running…

$sudo apt update

Some scroll by and look like this when done

Now upgrade (this will take some time) the system typing

$sudo apt upgrade -y

I like to install vim for editing text files. You can use whatever editor you like. Nano included in Rasbpian OS

$sudo apt install vim -y

Initial Config

To make future things easier I like to configure some basic settings using the raspi-config utility

Start raspi-config

$sudo raspi-config

In the raspi-config main menu select “1 – System Options”

You will get a note about valid system names. Select the only option “OK”

Now enter the name of the system. In this case “pinfs”

Now back in the main menu select “Advanced Options”

Select “Expand File System”

A bunch of stuff will happen and then this menu will pop up. Select “OK”

Update Time Syncronization

To synchronize the time between the client and server edit the following file.

sudo vim /etc/systemd/timesyncd.conf

In the file update the NTP setting to point to the Domain Controller

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See timesyncd.conf(5) for details.

[Time]
NTP=192.168.3.50
#FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
#RootDistanceMaxSec=5
#PollIntervalMinSec=32
#PollIntervalMaxSec=2048

Enable and restart the time services

sudo systemctl start systemd-timesyncd
sudo systemctl enable systemd-timesyncd
sudo systemctl status systemd-timesyncd * check to see if it is syncronized

Update Other Stuff

There are still a couple of other

Open /etc/hosts

sudo vim /etc/hosts

Verify that the /etc/hosts file on the DC correctly resolves the fully-qualified domain name (FQDN) and short host name to the LAN IP address of the DC.

127.0.0.1 localhost
192.168.3.51 pidnfs.lan.maltshoppe.com pinfs

Open /etc/resolve.conf to confirm that the DNS servers and search parameters are set correctly.

sudo vim /etc/resolv.conf

Confirm that the values are correct. You should see the name of the domain and the DNS servers listed. The first one should be the IP of this machine; The domain controller. Do not attempt to edit this file. You have to update these parameters with nmtui or they will be overwritten when you reboot the Pi.

# Generated by resolvconf
search lan.maltshoppe.com
nameserver 192.168.3.50
nameserver 192.168.3.1

Install Samba

Install samba

sudo apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind krb5-config krb5-user dnsutils

The following config window will be displayed. Accept the default. You should see the correct domain.

Setting up a Basic `smb.conf` File

Before Joining the domain edit the /etc/samba/smb.conf file

sudo vim /etc/samba/smb.conf

To look like

# Global parameters
[global]
        log file = /var/log/samba/%m.log
        log level = 10
        realm = LAN.MALTSHOPPE.COM
        security = ADS
        server role = member server
        template homedir = /home/%U
        template shell = /bin/bash
        username map = /usr/local/samba/etc/user.map
        winbind use default domain = Yes
        workgroup = LAN
        idmap config * : range = 10000-9999999
        idmap config * : backend = autorid

Mapping the Domain Administrator Account to the Local `root` User

Create the /usr/local/samba/etc/user.map file with the following content:

!root = LAN\Administrator

Join the Domain

Run the following command to join the domain

sudo samba-tool domain join lan.maltshoppe.com MEMBER -U Administrator

Configuring the Name Service Switch

Edit /etc/nsswitch.conf

sudo vim /etc/nsswitch.conf