Ubuntu SAMBA Active Directory Member Server


Install the necessary packages, accepting blank values for the Kerberos prompts, as we'll configure Kerberos by hand later:

    sudo apt-get install -y ntp krb5-user samba winbind libnss-winbind libpam-winbind

Ensure time is synchronised with your domain controller(s): Kerberos rejects requests from clients whose clock is more than five minutes (the default clock skew) away from the KDC, so an unsynchronised member server cannot authenticate at all. Edit /etc/ntp.conf:

    # Comment out all existing "server x.ntp.org" lines then add:

    server 10.1.1.1

Restart ntpd and check that the time is correct (date shows the local clock; ntpq -p shows whether the daemon has actually synchronised with the server you configured):

    sudo service ntp restart
    date

If you did not select your timezone during installation, you can reconfigure it:

    sudo dpkg-reconfigure tzdata

Edit /etc/nsswitch.conf and update the following lines so that domain users and groups are resolved through winbind:

    passwd: compat winbind
    group: compat winbind

Edit /etc/samba/smb.conf as follows, changing the workgroup, realm and idmap domain name (TEST / TEST.LOCAL) to match your environment:

    [global]
    workgroup = TEST
    server string = Samba Server Version %v
    security = ads
    realm = TEST.LOCAL
    domain master = no
    local master = no
    preferred master = no
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
    use sendfile = true
    # read raw = yes # Should provide a performance increase but currently untested, YMMV
    # write raw = yes # Should provide a performance increase but currently untested, YMMV

    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config TEST : backend = rid
    idmap config TEST : range = 10000-99999
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind refresh tickets = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash

    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2
    log file = /var/log/samba/log.%m
    max log size = 50
    #============================ Share Definitions ==============================
    [testshare]
    comment = Test share
    path = /samba/testshare
    read only = no
    valid users = @"TEST+Domain Users"
    force group = "Domain Users"
    directory mode = 0770
    force directory mode = 0770
    create mode = 0660
    force create mode = 0660
    # Hide share from users who don't have access
    access based share enum = yes
    # Hide files/directories if user doesn't have read access
    hide unreadable = yes

A few notes on the settings above. The rid backend maps each account's RID deterministically into the TEST range, so every member server using the same range gets the same UIDs and GIDs; the default (*) range handles everything else (for example the BUILTIN groups) and must not overlap the TEST range, otherwise winbind will log mapping errors. winbind enum users/groups = yes is what makes getent list domain accounts, but enumeration of a large domain is slow, so consider turning it off once the setup is verified. client use spnego, client ntlmv2 auth and encrypt passwords are already the defaults on current Samba releases and are stated here only for clarity; restrict anonymous = 2 refuses anonymous IPC$ connections and should be kept.
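Beyond checking syntax with testparm -s, it is worth confirming that the idmap ranges in smb.conf are well-formed and disjoint before starting winbind, because an overlap between the * range and the domain range is a silent way to end up with inconsistent UID/GID mappings. The following script is an added example (not part of the original post or of Samba itself): it parses the "idmap config <domain> : range = lo-hi" lines from a given smb.conf, rejects malformed or inverted ranges, and reports any pair of ranges that overlap. The two configurations it runs against are constructed inline for demonstration; the "bad" one deliberately reuses 10000 as the start of both ranges.

```shell
#!/bin/bash
# Added example: sanity-check idmap ranges in an smb.conf.
# Not from the original post; the sample configs below are constructed.

# Print one "domain lo hi" line per "idmap config X : range = lo-hi" entry
# (domain names are lower-cased; Samba treats them case-insensitively).
extract_idmap_ranges() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*[#;]/ { next }                      # skip comments
        line ~ /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*range[ \t]*=/ {
            sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", line) # drop keyword
            split(line, parts, ":")                          # "dom", " range = lo-hi"
            dom = parts[1]; gsub(/^[ \t]+|[ \t]+$/, "", dom)
            val = parts[2]; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t]/, "", val)
            if (split(val, b, "-") != 2) { print dom, "MALFORMED", val; next }
            print dom, b[1], b[2]
        }
    ' "$1"
}

# Return 0 if every range is numeric, non-empty and disjoint from all others;
# otherwise print each problem and return 1.
check_idmap_ranges() {
    local conf="$1" rc=0 ranges overlaps
    ranges=$(extract_idmap_ranges "$conf")
    [ -n "$ranges" ] || { echo "no idmap ranges found in $conf"; return 1; }

    # Per-range checks: both bounds numeric and lo < hi.
    while read -r dom lo hi; do
        case "$lo$hi" in
            *[!0-9]*) echo "malformed range for '$dom': $lo $hi"; rc=1; continue ;;
        esac
        if [ "$lo" -ge "$hi" ]; then
            echo "empty or inverted range for '$dom': $lo-$hi"; rc=1
        fi
    done <<EOF
$ranges
EOF

    # Pairwise overlap check over the well-formed ranges (inclusive bounds).
    overlaps=$(printf '%s\n' "$ranges" | awk '
        $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { n++; d[n]=$1; lo[n]=$2+0; hi[n]=$3+0 }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i])
                        printf "range of %s (%d-%d) overlaps %s (%d-%d)\n",
                               d[i], lo[i], hi[i], d[j], lo[j], hi[j]
        }')
    if [ -n "$overlaps" ]; then echo "$overlaps"; rc=1; fi
    return $rc
}

# Constructed sample configs (not real environment data) for demonstration.
# Sets GOOD_CONF and BAD_CONF to the paths of two temporary files.
write_sample_configs() {
    GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
    cat > "$GOOD_CONF" <<'EOF'
[global]
   workgroup = TEST
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 100000-299999
   idmap config TEST : backend = rid
   idmap config TEST : range = 10000-99999
EOF
    cat > "$BAD_CONF" <<'EOF'
[global]
   workgroup = TEST
   idmap config * : backend = tdb
   idmap config * : range = 10000-299999
   idmap config TEST : backend = rid
   idmap config TEST : range = 10000-99999
EOF
}

# Demonstration run against the constructed configs.
write_sample_configs
echo "== good config =="; check_idmap_ranges "$GOOD_CONF" && echo "OK: ranges are disjoint"
echo "== bad config ==";  check_idmap_ranges "$BAD_CONF"  || echo "FAIL: fix the ranges before starting winbind"
rm -f "$GOOD_CONF" "$BAD_CONF"
```

To use it on a real server, call check_idmap_ranges /etc/samba/smb.conf; a non-zero exit means the file needs fixing before winbind is (re)started.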

Edit /etc/krb5.conf to match the following. Note that there is no [realms] section: the Kerberos library locates the KDC through the _kerberos SRV records in DNS, which is why the member server must use the domain controller for DNS (see below):

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    default_realm = TEST.LOCAL
    ticket_lifetime = 24h
    forwardable = yes
    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

Test that Kerberos authentication is working:

    kinit administrator

    # Enter the TEST\administrator password when prompted.
    # If authentication is successful you are returned to the command prompt without any error messages.

If kinit fails with an error that it "cannot resolve servers for KDC", edit /etc/resolv.conf so that you are only using your AD server for DNS and only searching your AD domain, then retry kinit administrator. On releases where /etc/resolv.conf is generated (resolvconf or systemd-resolved), put the same values in the network configuration instead, or the file will be overwritten:

    nameserver 10.1.1.1
    search test.local

List your Kerberos ticket:

    klist

    # Should show something similar to
    #
    # Credentials cache: FILE:/tmp/krb5cc_1001
    # Principal: administrator@TEST.LOCAL
    #
    # Issued           Expires          Principal
    # May 20 14:51:31  May 21 00:51:31  krbtgt/TEST.LOCAL@TEST.LOCAL

Join SAMBA to the domain. Any account with permission to create computer objects in the domain will do; it does not have to be the domain administrator:

    sudo net ads join -U administrator

    # Enter the TEST\administrator password when prompted.
    #
    # If successful, it should report "Joined <server> to realm 'test.local'".
    #
    # If you see a message about being unable to create a DNS entry, open the DNS MMC on your DC and create an "A" record for your SAMBA server manually.

Restart the SAMBA services:

    sudo service winbind restart
    sudo service smbd restart
    sudo service nmbd restart

Test that winbind can talk to the domain and list your AD users and groups (wbinfo -t additionally verifies the machine account's trust secret with the DC):

    wbinfo -u
    # Lists AD users

    wbinfo -g
    # Lists AD groups

    getent passwd
    # Should list AD users at the bottom with UIDs in the 10000+ range (the TEST idmap range)

    getent group
    # Should list AD groups at the bottom with GIDs in the 10000+ range

Create the location for the test share specified above. The chgrp relies on winbind resolving "Domain Users" through NSS, so run this only after the checks above succeed:

    sudo mkdir -p /samba/testshare
    sudo chmod 0770 /samba/testshare
    sudo chgrp "Domain Users" /samba/testshare

Configuration is complete.
