Ubuntu 15 SAMBA AD Member Server

This guide details how to set up an Ubuntu 15.x server as a SAMBA Active Directory member server. There have been some configuration changes since earlier Ubuntu releases due to the adoption of the latest stable SAMBA 4.1 release.

Update 03-10-2015: Also works on Debian 8.2
Update 08-10-2015: Also works on Ubuntu 15.10

  1. Ensure you have a working AD DC with a statically assigned IP.
  2. When installing Ubuntu and configuring networking, ensure you set the DNS server to your AD DC(s) and configure NTP time sync against your DC.
  3. Install required packages
    sudo apt-get install -y samba krb5-user winbind libnss-winbind libpam-winbind
    # Press enter at the Kerberos realm prompt, we'll customise that later
  4. Update /etc/nsswitch.conf:
    sudo sed -i 's/passwd:\s*compat/passwd: compat winbind/' /etc/nsswitch.conf
    sudo sed -i 's/group:\s*compat/group: compat winbind/' /etc/nsswitch.conf
  5. Move the existing /etc/samba/smb.conf aside (rename it) and create a new one with the following contents (substituting your own NetBIOS and AD domain settings):
    [global]
        workgroup = TEST
        server string = Samba Server Version %v
        security = ads
        realm = TEST.LOCAL
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
        use sendfile = true
    	 
        idmap config * : backend = tdb
        idmap config * : range = 100000-299999
        idmap config TEST : backend = rid
        idmap config TEST : range = 10000-99999
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind refresh tickets = yes
    
        restrict anonymous = 2
        log file = /var/log/samba/log.%m
        max log size = 50
    		 
    #============================ Share Definitions ==============================
    		 
    [testshare]
        comment = Test share
        path = /samba/testshare
        read only = no
        force group = "Domain Users"
        directory mask = 0770
        force directory mode = 0770
        create mask = 0660
        force create mode = 0660
    
  6. Move the existing /etc/krb5.conf aside (rename it) and create a new one with the following contents (again substituting your own NetBIOS and AD domain settings):
    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
    		 
    [libdefaults]
        default_realm = TEST.LOCAL
        ticket_lifetime = 24h
        forwardable = yes
    		 
    [appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
        }
    
  7. Test Kerberos authentication against your Windows DC
    kinit administrator
    # Enter your AD password
    # If it was successful you should be returned to the command prompt

    List Kerberos tickets

    klist
    # Credentials cache: FILE:/tmp/krb5cc_1001
    # Principal: administrator@TEST.LOCAL
     
    #
    # Issued Expires Principal
    # May 20 14:51:31 May 21 00:51:31 krbtgt/TEST.LOCAL@TEST.LOCAL
    
  8. Join SAMBA to the domain:
    sudo net ads join -U administrator
    
    # Enter the TEST\administrator password when prompted.
    #
    # If successful, it should report "Joined <server> to realm 'test.local'".
    #
    # If you see a message about being unable to create a DNS entry, open the DNS MMC on your DC and create an "A" record for your SAMBA server manually.
    
  9. Enable and restart the SAMBA and Winbind services, then restart them once more (they seem to need it):
    sudo systemctl enable nmbd; sudo systemctl restart nmbd
    sudo systemctl enable smbd; sudo systemctl restart smbd
    sudo systemctl enable winbind; sudo systemctl restart winbind
    sudo systemctl restart winbind
    sudo systemctl restart nmbd
    sudo systemctl restart smbd
  10. Test Winbind is resolving AD users:
    wbinfo -u
    # Should list AD users
     
    wbinfo -g
    # Should list AD groups
     
    getent passwd
    # Should list AD users at the bottom with UIDs in the 10000+ range
     
    getent group
    # Should list AD groups at the bottom with GIDs in the 10000+ range
    
  11. Create your share:
    sudo mkdir -p /samba/testshare
    sudo chown "administrator":"domain users" /samba/testshare
    sudo chmod 0770 /samba/testshare
  12. You should then be able to browse your SAMBA share from your Windows server/client without any authentication prompts.
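The idmap settings in step 5 and the getent checks in step 10 are worth verifying mechanically rather than by eye. The script below is an added example, not part of the original guide or of the Samba project: it parses an smb.conf in the layout shown above for the member-server settings the guide relies on (security = ads, restrict anonymous = 2, and idmap ranges for "*" and the domain that do not overlap), computes the Unix ID the rid backend assigns (lower range bound + RID, so Domain Users with RID 513 becomes GID 10513 under the ranges above), and filters getent passwd output down to the accounts winbind supplied. The config text and getent lines it works on are constructed samples that mirror the guide.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an smb.conf for the
# settings that matter on an AD member server, and show how the rid idmap
# backend turns an AD RID into the Unix ID that getent should report.
# The config text and getent lines below are constructed to mirror the guide.

SAMPLE_SMB_CONF='[global]
    workgroup = TEST
    security = ads
    realm = TEST.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config TEST : backend = rid
    idmap config TEST : range = 10000-99999
    restrict anonymous = 2'

# Constructed "getent passwd" output: two local accounts, two winbind-mapped AD accounts.
SAMPLE_GETENT_PASSWD='root:x:0:0:root:/root:/bin/bash
ubuntu:x:1001:1001::/home/ubuntu:/bin/bash
administrator:*:10500:10513::/home/TEST/administrator:/bin/false
jsmith:*:11104:10513::/home/TEST/jsmith:/bin/false'

# conf_value CONF KEY: value of the first "KEY = value" line (KEY may contain spaces
# but no regex metacharacters; idmap keys are handled by idmap_range).
conf_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" |
        head -n 1
}

# idmap_range CONF DOMAIN: prints "LOW HIGH" from "idmap config DOMAIN : range = LOW-HIGH".
# DOMAIN may be "*", the catch-all backend, which needs escaping inside the regex.
idmap_range() {
    dom=$(printf '%s' "$2" | sed 's/[*]/[*]/g')
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*idmap config[[:space:]]*${dom}[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p" |
        head -n 1
}

# ranges_overlap LOW1 HIGH1 LOW2 HIGH2: exit 0 if the two ranges share any ID.
# Overlapping ranges let two different SIDs collapse onto one Unix ID, so the
# "*" range and each domain range must be disjoint.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# rid_to_id LOW HIGH RID: the Unix ID the rid backend assigns (LOW + RID).
# Fails when the result would land outside the configured range.
rid_to_id() {
    id=$(( $1 + $3 ))
    [ "$id" -le "$2" ] || return 1
    printf '%s\n' "$id"
}

# domain_users CONF GETENT_OUTPUT: usernames whose UID falls inside the workgroup's
# idmap range, i.e. the accounts winbind supplied rather than local /etc/passwd ones.
domain_users() {
    dom=$(conf_value "$1" workgroup)
    set -- "$1" "$2" $(idmap_range "$1" "$dom")
    printf '%s\n' "$2" | awk -F: -v lo="$3" -v hi="$4" '$3 >= lo && $3 <= hi { print $1 }'
}

# audit_member_config CONF: print findings; return 0 only when every check passes.
audit_member_config() {
    rc=0
    dom=$(conf_value "$1" workgroup)
    [ "$(conf_value "$1" security)" = "ads" ] || { echo "FAIL: security must be ads"; rc=1; }
    [ "$(conf_value "$1" 'restrict anonymous')" = "2" ] || { echo "FAIL: restrict anonymous should be 2"; rc=1; }
    set -- "$1" $(idmap_range "$1" '*') $(idmap_range "$1" "$dom")
    [ $# -eq 5 ] || { echo "FAIL: missing idmap range for * or $dom"; return 1; }
    if ranges_overlap "$2" "$3" "$4" "$5"; then
        echo "FAIL: idmap ranges for * ($2-$3) and $dom ($4-$5) overlap"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: security=ads, restrict anonymous=2, idmap ranges disjoint"
    return "$rc"
}

# On a real member server replace the samples with "$(cat /etc/samba/smb.conf)"
# and "$(getent passwd)".
main() {
    audit_member_config "$SAMPLE_SMB_CONF"
    echo "Domain Users (RID 513) maps to GID $(rid_to_id 10000 99999 513)"
    echo "Accounts supplied by winbind:"
    domain_users "$SAMPLE_SMB_CONF" "$SAMPLE_GETENT_PASSWD"
}

main
```

`testparm -s` remains the authoritative syntax check for smb.conf; this script only covers the handful of settings the guide depends on, and the overlap check is the one most worth keeping, because a "*" range that overlaps the domain range silently lets two different SIDs map onto the same UID or GID.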
