This guide will detail how to set up an Ubuntu 18.x server as a SAMBA Active Directory member server. There have been some configuration changes since earlier Ubuntu releases due to the adoption of SAMBA 4.7.
1. Ensure you have a working AD DC with a statically assigned IP.
2. When installing Ubuntu and configuring networking, ensure you set the DNS server to your AD DC(s) and configure NTP time sync against your DC.
3. Install required packages:

```bash
sudo apt-get install -y samba krb5-user winbind libnss-winbind libpam-winbind
# Press enter at the Kerberos realm prompt, we'll customise that later
```
4. Update /etc/nsswitch.conf:

```bash
sudo sed -i 's/passwd:\s*compat/passwd: compat winbind/' /etc/nsswitch.conf
sudo sed -i 's/group:\s*compat/group: compat winbind/' /etc/nsswitch.conf
```
5. Rename the existing /etc/samba/smb.conf out of the way and then create a new one (substituting your own NetBIOS and AD domain settings):

```ini
[global]
workgroup = TEST
server string = Samba Server Version %v
security = ads
realm = TEST.LOCAL
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
use sendfile = true
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-99999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
restrict anonymous = 2
log file = /var/log/samba/log.%m
max log size = 50

#============================ Share Definitions ==============================
[testshare]
comment = Test share
path = /samba/testshare
read only = no
force group = "Domain Users"
directory mask = 0770
force directory mode = 0770
create mask = 0660
force create mode = 0660
```
6. Rename the existing /etc/krb5.conf out of the way and then create a new one (again substituting your own NetBIOS and AD domain settings):

```ini
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TEST.LOCAL
ticket_lifetime = 24h
forwardable = yes

[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
```
7. Test Kerberos authentication against your Windows DC:

```bash
kinit administrator
# Enter your AD password
# If it was successful you should be returned to the command prompt
```

List Kerberos tickets:

```bash
klist
# Credentials cache: FILE:/tmp/krb5cc_1001
# Principal: administrator@TEST.LOCAL
#
#   Issued           Expires          Principal
# May 20 14:51:31  May 21 00:51:31  krbtgt/TEST.LOCAL@TEST.LOCAL
```
8. Join SAMBA to the domain:

```bash
sudo net ads join -U administrator
# Enter the TEST\administrator password when prompted.
#
# If successful, should report "Joined <server> to realm 'test.local'".
#
# If you see a message about being unable to create a DNS entry, open the DNS MMC
# on your DC and create an "A" record for your SAMBA server manually.
```
9. Enable and restart the SAMBA and Winbind services, and then restart them again (they seem to need it):

```bash
sudo systemctl enable nmbd; sudo systemctl restart nmbd
sudo systemctl enable smbd; sudo systemctl restart smbd
sudo systemctl enable winbind; sudo systemctl restart winbind
```
10. Test that Winbind is resolving AD users:

```bash
wbinfo -u      # Should list AD users
wbinfo -g      # Should list AD groups
getent passwd  # Should list AD users at the bottom with UIDs in the 10000+ range
getent group   # Should list AD groups at the bottom with GIDs in the 10000+ range
```
11. Create your share:

```bash
sudo mkdir -p /samba/testshare
sudo chown "administrator":"domain users" /samba/testshare
sudo chmod 0770 /samba/testshare
```
12. You should then be able to browse your SAMBA share from your Windows server/client without any authentication prompts.
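The nsswitch.conf edit in step 4 is the part of this guide that is most sensitive to the Ubuntu release, because the `sed` pattern assumes the line reads `passwd: compat`. The following shell functions are an added example (not part of the original guide) that append `winbind` to whatever source list is already on the `passwd:` and `group:` lines, so the same command works on an 18.04 file (`compat`) and a 20.04 file (`files systemd`), and can be re-run without duplicating the entry. The file path is passed as an argument so it can be tried on a copy before touching `/etc/nsswitch.conf`.

```shell
#!/bin/sh
# Added example, not from the original guide: idempotently add "winbind" to the
# passwd and group lookups in an nsswitch.conf, whatever base list it already has
# ("compat" on Ubuntu 18.04, "files systemd" on Ubuntu 20.04).
# Usage (as root): add_winbind_to_nsswitch /etc/nsswitch.conf

add_winbind_to_nsswitch() {
    conf="$1"
    for db in passwd group; do
        # Already present on this line: nothing to do, so re-running is safe.
        if grep -Eq '^'"$db"':.*[[:space:]]winbind([[:space:]]|$)' "$conf"; then
            continue
        fi
        # Append " winbind" after the last non-comment token on the line,
        # keeping the existing sources (and any trailing "# comment") intact.
        sed -i -E "s/^(${db}:[[:space:]]*[^#]*[^[:space:]#])/\1 winbind/" "$conf"
    done
}

# Verification for the step: returns 0 only when both the passwd and the group
# line list winbind as a source.
check_nsswitch_has_winbind() {
    conf="$1"
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$conf" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$conf"
}
```

After running it against the real file, `getent passwd` should start returning AD accounts once winbind is joined and running (steps 8 to 10); if `check_nsswitch_has_winbind /etc/nsswitch.conf` fails, winbind is not consulted for lookups at all, which is the usual cause of `getent` showing only local accounts.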
5 Comments
Eduardo · January 13, 2021 at 10:19 am
When I use getent passwd and group, the list doesn't show me any of my groups or users from my AD. What am I doing wrong?
Lauster · October 1, 2020 at 9:22 pm
For 20.04 the steps are the same except for step 4.
Since Ubuntu 20.04 has a nsswitch.conf file with the following lines in it:

```
passwd: files systemd
group: files systemd
```

but once you have edited the sed command to look like this:

```bash
sed -i 's/passwd:\s*files systemd$/passwd: files systemd winbind/' nsswitch.conf
sed -i 's/group:\s*files systemd$/group: files systemd winbind/' nsswitch.conf
```

everything works as expected.
Lauster · October 1, 2020 at 9:25 pm
Made an oopsie... the path was not included ;-/

The lines are:

```bash
sed -i 's/passwd:\s*files systemd$/passwd: files systemd winbind/' /etc/nsswitch.conf
sed -i 's/group:\s*files systemd$/group: files systemd winbind/' /etc/nsswitch.conf
```
raly · February 26, 2020 at 6:44 am
Thanks a lot for the guide. All commands work fine, but when I try to access the shared resource from Windows 10 I get error 80070043.
Geoff · March 2, 2020 at 8:58 am
1. Try performing steps 7, 9, 10 again. Particularly at step 10 you should get your AD users and groups listed by each of the appropriate commands.
2. If they're OK, make sure you've set the permissions correctly at step 11.
3. You are using Ubuntu 18? Things have changed slightly in 19.x and I haven't had time to finish it off yet.

20.04 will be out soon as the next LTS, so I might just ignore 19.x and focus on getting 20.04 working.
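Geoff's first suggestion above, and step 10 of the guide, both rely on reading the UIDs that `getent passwd` shows. The exact numbers matter more than "10000+": with the smb.conf from step 5, the `rid` backend maps each AD account to `10000 + RID` (Administrator, RID 500, becomes UID 10500), which gives the same UID on every member server, whereas anything in the `100000-299999` range came from the catch-all `*` tdb backend, which allocates IDs on first sight and so differs between servers (typically because the `idmap config TEST` block does not match the `workgroup` name). The script below is an added example, not part of the guide or the comments; it parses the two ranges out of an smb.conf and classifies a `getent passwd` listing. Both inputs are constructed samples embedded in the script; the usage comment shows how to run it against the real files.

```shell
#!/bin/sh
# Added example, not from the original guide: check that winbind put AD accounts
# into the per-domain RID range from smb.conf rather than the "*" tdb range.
# Real run:  idmap_check "$(getent passwd)" "$(cat /etc/samba/smb.conf)" TEST

# Constructed smb.conf fragment using the guide's ranges.
SMB_CONF_SAMPLE='[global]
   workgroup = TEST
   idmap config * : backend = tdb
   idmap config * : range = 100000-299999
   idmap config TEST : backend = rid
   idmap config TEST : range = 10000-99999'

# Constructed "getent passwd" output: two local accounts and two AD accounts
# whose UIDs are 10000 + RID (Administrator is RID 500, Domain Users is RID 513).
GETENT_SAMPLE='root:x:0:0:root:/root:/bin/bash
geoff:x:1001:1001::/home/geoff:/bin/bash
administrator:*:10500:10513:Administrator:/home/TEST/administrator:/bin/false
jdoe:*:11104:10513:John Doe:/home/TEST/jdoe:/bin/false'

# idmap_range "<domain or *>" "<smb.conf text>"  -> prints "LOW HIGH"
idmap_range() {
    # "*" is a regex metacharacter, so escape it when looking up the catch-all block.
    case "$1" in '*') pat='\*' ;; *) pat="$1" ;; esac
    printf '%s\n' "$2" | sed -nE \
      "s/^[[:space:]]*idmap config ${pat}[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*([0-9]+)-([0-9]+).*/\1 \2/p"
}

# count_uids_in "<passwd text>" LOW HIGH  -> number of entries with UID in [LOW, HIGH]
count_uids_in() {
    printf '%s\n' "$1" |
      awk -F: -v lo="$2" -v hi="$3" '$3 >= lo && $3 <= hi { n++ } END { print n + 0 }'
}

# idmap_check "<passwd text>" "<smb.conf text>" DOMAIN
#   returns 0: AD accounts are in the domain's RID range and none in the "*" range
#   returns 1: no account in the RID range (winbind/idmap not resolving anything)
#   returns 2: accounts landed in the "*" tdb range (domain block not matching)
idmap_check() {
    passwd="$1"; conf="$2"; dom="$3"
    rid_range=$(idmap_range "$dom" "$conf")
    star_range=$(idmap_range '*' "$conf")
    [ -n "$rid_range" ] && [ -n "$star_range" ] || return 1
    in_rid=$(count_uids_in "$passwd" $rid_range)
    in_star=$(count_uids_in "$passwd" $star_range)
    [ "$in_star" -eq 0 ] || return 2
    [ "$in_rid" -gt 0 ] || return 1
    return 0
}
```

A return code of 2 on a real server is worth fixing before creating shares: the `chown` in step 11 records whatever UID the account has today, and a tdb-allocated UID will not match the same user on a second member server or after the tdb file is lost.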