This guide details how to set up an Ubuntu 14.x server as a SAMBA Active Directory member server. There have been some configuration changes since earlier Ubuntu releases due to the adoption of the stable SAMBA 4.1 release.
- Ensure you have a working AD DC with a statically assigned IP.
- When installing Ubuntu and configuring networking, set the DNS server to your AD DC (the join locates the DC through AD's SRV records) and configure NTP time sync against your DC: Kerberos rejects tickets once the clock skew exceeds five minutes.
- Install required packages
sudo apt-get install -y samba krb5-user winbind libnss-winbind libpam-winbind
# Press enter at the Kerberos realm prompt; we'll customise that later
- Edit /etc/nsswitch.conf and change these lines so that AD users and groups are resolved through winbind:
passwd: compat winbind
group: compat winbind
- Rename /etc/samba/smb.conf and then create a new one (substituting your own NetBIOS and AD domain settings). Note that group names in `valid users` must carry the `@` prefix; without it SAMBA looks for a user called "Domain Users" and nobody is admitted:
[global]
    workgroup = TEST
    server string = Samba Server Version %v
    security = ads
    realm = TEST.LOCAL
    domain master = no
    local master = no
    preferred master = no
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
    use sendfile = true
    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config TEST : backend = rid
    idmap config TEST : range = 10000-99999
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind refresh tickets = yes
    template homedir = /home/%D/%U
    template shell = /bin/false
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2
    log file = /var/log/samba/log.%m
    max log size = 50

#============================ Share Definitions ==============================
[testshare]
    comment = Test share
    path = /samba/testshare
    read only = no
    valid users = @"Domain Users"
    force group = "Domain Users"
    directory mode = 0770
    force directory mode = 0770
    create mode = 0660
    force create mode = 0660
- Rename /etc/krb5.conf and then create a new one (again substituting your own NetBIOS and AD domain settings):
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = TEST.LOCAL
    ticket_lifetime = 24h
    forwardable = yes

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
- Test Kerberos authentication against your Windows DC:
kinit administrator
# Enter your AD password
# If it was successful you should be returned to the command prompt with no output
- List Kerberos tickets:
klist
# Credentials cache: FILE:/tmp/krb5cc_1001
#         Principal: administrator@TEST.LOCAL
#
#   Issued           Expires          Principal
# May 20 14:51:31  May 21 00:51:31  krbtgt/TEST.LOCAL@TEST.LOCAL
- Join SAMBA to the domain:
sudo net ads join -U administrator
# Enter the TEST\administrator password when prompted.
#
# If successful, it should report "Joined to realm 'test.local'".
#
# If you see a message about being unable to create a DNS entry, open the DNS MMC
# on your DC and create an "A" record for your SAMBA server manually.
- Test Winbind:
sudo update-rc.d winbind defaults
sudo service winbind start
wbinfo -u       # Lists AD users
wbinfo -g       # Lists AD groups
getent passwd   # Should list AD users at the bottom with UIDs in the 10000+ range
getent group    # Should list AD groups at the bottom with GIDs in the 10000+ range
- Create your share:
sudo mkdir -p /samba/testshare
sudo chown "administrator":"domain users" /samba/testshare
sudo chmod 0770 /samba/testshare
- Restart SAMBA services to ensure everything is ready:
sudo service winbind restart
sudo service nmbd restart
sudo service smbd restart
- You should then be able to browse your SAMBA share from a domain-joined Windows server/client, logged in as a domain user, without any authentication prompts: the client authenticates with a Kerberos ticket obtained from the DC at logon.
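Because most failed joins and "access denied" shares trace back to a handful of smb.conf settings (a lower-case realm, overlapping idmap ranges, a group in `valid users` without the `@` prefix, NTLMv1 left enabled), the following pre-flight check is worth running before `net ads join`. It is an added example, not part of the original guide or of the SAMBA project; it assumes a POSIX shell with awk, grep and sed, reads the config path as its first argument, and uses the 10000 lower bound and the heuristic "a quoted name containing a space is a group" as assumptions of this script, not SAMBA rules.

```shell
#!/bin/sh
# Added pre-flight check for the member-server smb.conf above (example code, not
# part of the original guide). Usage: ./check_smb_conf.sh /etc/samba/smb.conf
# Exit status 0 means every check passed.

# conf_get FILE KEY: value of the first non-comment "KEY = value" line (KEY is a
# fixed string, matched case-insensitively; "*" and ":" in idmap keys need no escaping)
conf_get() {
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^[#;]/ { next }
        index(tolower(line), tolower(key)) == 1 {
            rest = substr(line, length(key) + 1)
            sub(/^[ \t]*/, "", rest)
            if (substr(rest, 1, 1) != "=") next
            sub(/^=[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest)
            print rest; exit
        }' "$1"
}

# conf_range FILE DOMAIN: "low high" from "idmap config DOMAIN : range = low-high"
conf_range() {
    conf_get "$1" "idmap config $2 : range" | tr '-' ' '
}

# check_smb_conf FILE: print every problem found, return 1 if any check failed
check_smb_conf() {
    conf="$1"; rc=0

    [ "$(conf_get "$conf" security)" = "ads" ] ||
        { echo "FAIL: security must be 'ads' for an AD member server"; rc=1; }

    realm=$(conf_get "$conf" realm)
    case "$realm" in
        "")            echo "FAIL: realm is not set"; rc=1 ;;
        *[[:lower:]]*) echo "FAIL: realm '$realm' must be upper-case (Kerberos realms are case-sensitive)"; rc=1 ;;
    esac

    workgroup=$(conf_get "$conf" workgroup)
    set -- $(conf_range "$conf" '*');          dlo=$1; dhi=$2
    set -- $(conf_range "$conf" "$workgroup"); wlo=$1; whi=$2
    if [ -z "$dlo" ] || [ -z "$wlo" ]; then
        echo "FAIL: both 'idmap config * : range' and 'idmap config $workgroup : range' are required"; rc=1
    else
        # overlapping ranges let the tdb and rid backends hand out the same UID/GID
        if [ "$dlo" -le "$whi" ] && [ "$wlo" -le "$dhi" ]; then
            echo "FAIL: idmap ranges $dlo-$dhi and $wlo-$whi overlap"; rc=1
        fi
        # assumption of this script: keep domain IDs well clear of local /etc/passwd accounts
        [ "$wlo" -ge 10000 ] ||
            { echo "FAIL: domain idmap range starts below 10000 and may collide with local accounts"; rc=1; }
    fi

    [ "$(conf_get "$conf" 'restrict anonymous')" = "2" ] ||
        echo "WARN: restrict anonymous = 2 is recommended to refuse anonymous enumeration"

    [ "$(conf_get "$conf" 'client ntlmv2 auth')" = "yes" ] ||
        { echo "FAIL: client ntlmv2 auth should be yes so the server never sends LM/NTLMv1"; rc=1; }

    # In 'valid users' a group needs the @, + or & prefix. Heuristic (an assumption of
    # this script): a quoted name containing a space with no prefix is a group written
    # as a user; SAMBA would then look for a user of that name and admit nobody.
    bad=$(grep -i '^[[:space:]]*valid users[[:space:]]*=' "$conf" | sed 's/^[^=]*=//' |
          tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
          grep -c '^"[^"]* [^"]*"$' || true)
    [ "$bad" -eq 0 ] ||
        { echo "FAIL: $bad 'valid users' entry(ies) name a group without the @ prefix"; rc=1; }

    return $rc
}

if [ $# -gt 0 ]; then
    check_smb_conf "$1"
fi
```

Run it against the smb.conf written above; a clean run prints nothing and exits 0. After the join itself has succeeded, `wbinfo -t` (checks the machine account's trust secret against the DC) and `sudo net ads testjoin` (should print "Join is OK") confirm the membership, and `sudo net ads dns register` is an alternative to creating the "A" record by hand in the DNS MMC when the join reports that it could not update DNS.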