Ubuntu SAMBA Active Directory Member Server

Thanks to http://phreek.org/guides/ubuntu-samba-active-directory-member-server for the original guide.

This guide details the steps necessary to configure a SAMBA member server on Ubuntu 13.10, 13.04, 12.10, 12.04, 11.10 or 11.04 in an existing Windows Active Directory domain. It is assumed that you have already installed a basic, functional server and configured details such as hostname, IP, DNS, timezone, etc. If you are performing a fresh Ubuntu install, select the OpenSSH server and Samba file server packages at the end of the installation.


  1. Updated 08-Oct-2013: These instructions are still current for Ubuntu 13.10.
  2. Updated 02-May-2013: These instructions are still current for Ubuntu 13.04.


For the purposes of this guide, the environment details are as follows. You will need to substitute your own values as necessary:

  1. LAN subnet: 10.1.1.0/24
  2. AD domain: test.local
  3. DC name: tstdc1.test.local
  4. DC IP: 10.1.1.1
  5. SAMBA name: tstms1.test.local
  6. SAMBA IP: 10.1.1.2

My /etc/network/interfaces is configured as:

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto eth0
    iface eth0 inet static
        address 10.1.1.2
        netmask 255.255.255.0
        gateway 10.1.1.254
        dns-nameservers 10.1.1.1
        dns-search test.local

After modifying your network config file, you'll need to restart your networking services:

    sudo service networking restart


Prior to commencing the instructions in this guide, you should have performed a package update:

    sudo apt-get update
    sudo apt-get upgrade -y

Install the necessary packages, accepting blank values for the Kerberos prompts, as we'll configure Kerberos by hand later:

    sudo apt-get install -y ntp krb5-user samba winbind libnss-winbind libpam-winbind

Ensure time is synchronised against your domain controller(s), since Kerberos rejects tickets when clocks drift too far apart. Edit /etc/ntp.conf:

    # Comment out all existing "server x.ntp.org" lines then add:
    server 10.1.1.1

Restart NTPd and check your time is synchronised correctly:

    sudo service ntp restart
    date

If you did not select your timezone during installation you can reconfigure it:

    sudo dpkg-reconfigure tzdata

Edit /etc/nsswitch.conf and update the following lines:

    passwd: compat winbind
    group:  compat winbind

Edit /etc/samba/smb.conf with the following. Remember to adjust the workgroup, realm and share values to match your environment where necessary:

    [global]
    workgroup = TEST
    server string = Samba Server Version %v
    security = ads
    realm = TEST.LOCAL
    domain master = no
    local master = no
    preferred master = no
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
    use sendfile = true
    # read raw = yes # Should provide a performance increase but currently untested, YMMV
    # write raw = yes # Should provide a performance increase but currently untested, YMMV
    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config TEST : backend = rid
    idmap config TEST : range = 10000-99999
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind refresh tickets = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2
    log file = /var/log/samba/log.%m
    max log size = 50

    #============================ Share Definitions ==============================
    [testshare]
    comment = Test share
    path = /samba/testshare
    read only = no
    valid users = @"TEST+Domain Users"
    force group = "Domain Users"
    directory mode = 0770
    force directory mode = 0770
    create mode = 0660
    force create mode = 0660
    # Hide share from users who don't have access
    access based share enum = yes
    # Hide files/directories if user doesn't have read access
    hide unreadable = yes
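The smb.conf above carries a few settings that matter for security (security = ads, restrict anonymous = 2, client ntlmv2 auth = yes) and a per-domain rid idmap that decides which UIDs domain users receive. The script below is an added example, not part of the original guide: it reads an smb.conf-style text, reports deviations from those settings, and shows how the rid backend computes a UID (low end of the domain range plus the account's RID, as documented for idmap_rid). Both configs embedded in it are constructed samples; GUIDE_CONF mirrors the guide's [global] section and WEAK_CONF is a deliberately weaker variant. The function names smb_get, smb_audit and rid_to_uid are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an smb.conf for the
# settings the guide depends on and show the rid backend's UID mapping.

# Constructed sample: the [global] section as the guide writes it.
GUIDE_CONF=$(cat <<'EOF'
[global]
workgroup = TEST
security = ads
realm = TEST.LOCAL
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-99999
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
[testshare]
path = /samba/testshare
EOF
)

# Constructed sample: a weaker config that an audit should flag.
WEAK_CONF=$(cat <<'EOF'
[global]
workgroup = TEST
security = user
idmap config * : backend = tdb
idmap config * : range = 100000-299999
restrict anonymous = 0
EOF
)

# smb_get CONF KEY: print the value of KEY from [global]. The key match is
# case-insensitive and ignores surplus whitespace, as Samba's parser does.
smb_get() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -s '[:blank:]' ' ')
    printf '%s\n' "$1" | awk -v key="$key" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/   { s = $0; gsub(/[ \t]/, "", s)
                        insec = (tolower(s) == "[global]"); next }
        insec && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]+/, " ", k); sub(/^ /, "", k); sub(/ $/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# smb_audit CONF: one line per deviation from the guide's security settings;
# the return value is the number of findings (0 = clean).
smb_audit() {
    n=0
    v=$(smb_get "$1" security)
    [ "$v" = ads ] || { echo "security = ${v:-unset}: guide uses 'ads' so users authenticate to the DC via Kerberos"; n=$((n + 1)); }
    v=$(smb_get "$1" "restrict anonymous")
    [ "$v" = 2 ] || { echo "restrict anonymous = ${v:-unset}: guide uses 2 to refuse anonymous (null-session) connections"; n=$((n + 1)); }
    v=$(smb_get "$1" "client ntlmv2 auth")
    [ "$v" = yes ] || { echo "client ntlmv2 auth = ${v:-unset}: guide sets yes so Samba only sends NTLMv2 when acting as a client"; n=$((n + 1)); }
    dom=$(smb_get "$1" workgroup)
    v=$(smb_get "$1" "idmap config $dom : backend")
    [ -n "$v" ] || { echo "no 'idmap config $dom : backend': $dom users would get UIDs from the default '*' tdb range, which differ from server to server"; n=$((n + 1)); }
    return $n
}

# rid_to_uid CONF DOMAIN RID: with the rid backend, UID = low end of the
# domain's range + RID; anything above the high end cannot be mapped.
rid_to_uid() {
    range=$(smb_get "$1" "idmap config $2 : range")
    [ -n "$range" ] || { echo "no idmap range for domain $2" >&2; return 1; }
    low=${range%-*}
    high=${range#*-}
    uid=$((low + $3))
    if [ "$uid" -gt "$high" ]; then
        echo "RID $3 maps to $uid, beyond the top of range $range" >&2
        return 1
    fi
    echo "$uid"
}

echo "== guide config =="
smb_audit "$GUIDE_CONF" && echo "no findings" || echo "$? finding(s)"
echo "== weak config =="
smb_audit "$WEAK_CONF" && echo "no findings" || echo "$? finding(s)"
echo "TEST Administrator (RID 500) -> UID $(rid_to_uid "$GUIDE_CONF" TEST 500)"
echo "TEST Domain Users (RID 513)  -> GID $(rid_to_uid "$GUIDE_CONF" TEST 513)"
```

Run it as `sh smb_audit.sh`; on a real member server you can feed `cat /etc/samba/smb.conf` into the same functions. The rid mapping is why the guide later expects domain UIDs "in the 10000+ range": the well-known Administrator RID 500 becomes UID 10500 and Domain Users (RID 513) becomes GID 10513, identically on every member server that uses the same range.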

Edit /etc/krb5.conf to match the following:

    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        default_realm = TEST.LOCAL
        ticket_lifetime = 24h
        forwardable = yes

    [appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
        }

Test that Kerberos authentication is working:

    kinit administrator
    # Enter the TEST\administrator password when prompted.
    # If authentication is successful you will be returned to the command prompt without any error messages.

If kinit reports that it "cannot resolve servers for KDC", edit /etc/resolv.conf and make sure you're only using your AD server for DNS and only searching your AD domain, then retry `kinit administrator`:

    nameserver 10.1.1.1
    search test.local

List your Kerberos ticket:

    klist
    # Should show something similar to:
    #
    # Credentials cache: FILE:/tmp/krb5cc_1001
    #         Principal: administrator@TEST.LOCAL
    #
    #   Issued           Expires          Principal
    # May 20 14:51:31  May 21 00:51:31  krbtgt/TEST.LOCAL@TEST.LOCAL

Join SAMBA to the domain:

    sudo net ads join -U administrator
    # Enter the TEST\administrator password when prompted.
    #
    # If successful, should report "Joined <server> to realm 'test.local'".
    #
    # If you see a message about being unable to create a DNS entry, open the DNS MMC
    # on your DC and create an "A" record for your SAMBA server manually.

Restart the SAMBA services:

    sudo service winbind restart
    sudo service smbd restart
    sudo service nmbd restart

Test that Winbind can list your AD users and groups:

    wbinfo -u
    # Lists AD users
    wbinfo -g
    # Lists AD groups
    getent passwd
    # Should list AD users at the bottom with UIDs in the 10000+ range
    getent group
    # Should list AD groups at the bottom with GIDs in the 10000+ range
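Reading `getent passwd` by eye works for a handful of accounts, but two things are worth checking mechanically once the join works: that every domain account landed in the range the smb.conf gives the TEST domain (10000-99999) with a home under the template directory (/home/%D/%U, i.e. /home/TEST/<user>), and that no user name exists both locally and in AD. With `winbind use default domain = yes` domain names appear without the TEST+ prefix, and with `passwd: compat winbind` a name lookup is answered by the local account first, so a clash silently shadows the domain user. The script below is an added example, not part of the original guide; its input is a constructed sample of `getent passwd` output, and the function names domain_users and passwd_audit are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit `getent passwd` output
# against the guide's TEST idmap range and template homedir, and flag user
# names that exist both locally and in the domain.

# Constructed sample of `getent passwd` on a joined member server. Lines 4-6
# are domain accounts (UIDs from the rid mapping); "ubuntu" exists twice and
# "stray" has a domain-style home but a UID from the default "*" range.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
administrator:x:10500:10513:Administrator:/home/TEST/administrator:/bin/bash
jsmith:x:11105:10513:John Smith:/home/TEST/jsmith:/bin/bash
ubuntu:x:11106:10513:Ubuntu Service:/home/TEST/ubuntu:/bin/bash
stray:x:150000:150000:Stray Account:/home/TEST/stray:/bin/bash
EOF
)

# domain_users LOW HIGH: names whose UID falls inside the domain idmap range
domain_users() {
    awk -F: -v lo="$1" -v hi="$2" '$3 >= lo && $3 <= hi { print $1 }'
}

# passwd_audit LOW HIGH HOMEBASE: one finding per line on stdout;
# the exit status is the number of findings (0 = clean).
passwd_audit() {
    awk -F: -v lo="$1" -v hi="$2" -v base="$3" '
    BEGIN { findings = 0 }
    {
        seen[$1]++
        indomain  = ($3 >= lo && $3 <= hi)
        underbase = (index($6, base "/") == 1)
        if (indomain && !underbase) {
            printf "%s: UID %s is in the domain range but home %s is not under %s\n", $1, $3, $6, base
            findings++
        } else if (!indomain && underbase) {
            printf "%s: has a %s home but UID %s is outside %s-%s (allocated from the default * range?)\n", $1, base, $3, lo, hi
            findings++
        }
    }
    END {
        for (n in seen)
            if (seen[n] > 1) {
                printf "%s: listed %d times; with \"passwd: compat winbind\" lookups resolve to the local account first\n", n, seen[n]
                findings++
            }
        exit findings
    }'
}

echo "Domain users:"
printf '%s\n' "$SAMPLE_PASSWD" | domain_users 10000 99999
echo "Findings:"
printf '%s\n' "$SAMPLE_PASSWD" | passwd_audit 10000 99999 /home/TEST || echo "($? finding(s))"
```

On a real server replace the sample with `getent passwd | passwd_audit 10000 99999 /home/TEST`; the same two functions work for `getent group` if you change the home check to a group-name check. A duplicate name is worth resolving before you hand out shares, because `valid users` and file ownership are evaluated against whichever account NSS returns.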

Create the directory for the test share defined above, owned by the domain group that the share's `valid users` and `force group` settings refer to:

    sudo mkdir -p /samba/testshare
    sudo chmod 0770 /samba/testshare
    sudo chgrp "Domain Users" /samba/testshare

Configuration is complete. You should now be able to browse to \\tstms1\testshare.