This guide will detail how to setup an Ubuntu 14.x server as a SAMBA Active Directory member server. There have been some configuration changes since earlier Ubuntu releases due to the adoption of the latest stable SAMBA 4.1 release.

  1. Ensure you have a working AD DC with a statically assigned IP.
  2. When installing Ubuntu and configuring networking, ensure you set the DNS server to your AD DC and configure NTP time sync against your DC.
  3. Install required packages
    sudo apt-get install -y samba krb5-user winbind libnss-winbind libpam-winbind
    # Press enter at the Kerberos realm prompt, we'll customise that later
  4. Edit /etc/nsswitch.conf and change these lines:
    passwd: compat winbind
    group: compat winbind
  5. Rename /etc/samba/smb.conf and then make it (substituting your own NetBIOS and AD domain settings):
        workgroup = TEST
        server string = Samba Server Version %v
        security = ads
        realm = TEST.LOCAL
        domain master = no
        local master = no
        preferred master = no
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
        use sendfile = true
        idmap config * : backend = tdb
        idmap config * : range = 100000-299999
        idmap config TEST : backend = rid
        idmap config TEST : range = 10000-99999
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind nested groups = yes
        winbind refresh tickets = yes
        template homedir = /home/%D/%U
        template shell = /bin/false
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        restrict anonymous = 2
        log file = /var/log/samba/log.%m
        max log size = 50
    #============================ Share Definitions ==============================
        comment = Test share
        path = /samba/testshare
        read only = no
        @valid users = "Domain Users"
        force group = "Domain Users"
        directory mode = 0770
        force directory mode = 0770
        create mode = 0660
        force create mode = 0660
  6. Rename /etc/krb5.conf then make it (again substituting your own NetBIOS and AD domain settings):
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
        default_realm = TEST.LOCAL
        ticket_lifetime = 24h
        forwardable = yes
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
  7. Test Kerberos authentication against your Windows DC
    kinit administrator
    # Enter your AD password
    # If it was successful you should be returned to the command prompt
  8. List Kerberos tickets
    # Credentials cache: FILE:/tmp/krb5cc_1001
    # Principal: administrator@TEST.LOCAL
    # Issued Expires Principal
    # May 20 14:51:31 May 21 00:51:31 krbtgt/TEST.LOCAL@TEST.LOCAL
  9. Join SAMBA to the domain:
    sudo net ads join -U administrator
    # Enter the TEST\administrator password when prompted.
    # If successful, should report "Joined  to realm 'test.local'".
    # If you see a message about being unable to create a DNS entry, open the DNS MMC on your DC and create an "A" record for your SAMBA server manually.
  10. Test Winbind:
    sudo update-rc.d winbind defaults
    sudo service winbind start
    wbinfo -u
    # Lists AD users
    wbinfo -g
    # Lists AD groups
    getent passwd
    # Should list AD users at the bottom with UIDs in the 10000+ range
    getent group
    # Should list AD groups at the bottom with GIDs in the 10000+ range
  11. Create your share:
    sudo mkdir -p /samba/testshare
    sudo chown "administrator":"domain users" /samba/testshare
    sudo chmod 0770 /samba/testshare
  12. Restart SAMBA services to ensure everything is ready:
    service winbind restart
    service nmbd restart
    service smbd restart
  13. You should then be able to browse your SAMBA share from your Windows server/client without any authentication prompts.


Leave a Reply

Your email address will not be published. Required fields are marked *