Samba (Ubuntu 18.04) Join Windows 2016 AD as Domain Member
SAMBA.org has an easy-to-understand wiki at wiki.samba.org:
[update] This URL as well:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Clean Previous Installation and config
If you have installed and configured Samba before, do the steps below first for a clean setup and to avoid a mess:
a. Verify that no Samba-related processes are running:
#ps ax | egrep "samba|smbd|nmbd|winbindd"
Shut down any processes that are listed.
b. Back up smb.conf if needed. To list the path to the file, enter:
#smbd -b | grep "CONFIGFILE"
c. Remove all Samba database files, such as *.tdb and *.ldb. To list the folders containing the Samba databases:
#smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
Software that needs to be installed
apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind cifs-utils smbclient
Config DNS (the FQDN must be set up)
/etc/hosts:
root@client1:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 client1
192.168.10.6 client1.example.com client1
#The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
/etc/network/interfaces:
root@client1:~# cat /etc/network/interfaces
#This file describes the network interfaces available on your system
#and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
#The loopback network interface
auto lo
iface lo inet loopback
#The primary network interface
auto eth0
iface eth0 inet static
address 192.168.10.6
gateway 192.168.10.1
netmask 255.255.255.0
broadcast 192.168.10.255
dns-nameservers 192.168.10.2 192.168.10.3
dns-search example.com
Config Kerberos
root@CLIENT1:~# cat /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
Config NTP
root@UNAS:~# cat /etc/ntp.conf
#Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge 127.127.1.0 stratum 10
#Where to retrieve the time from
server dc1.example.com iburst prefer
server dc2.example.com iburst
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
#Access control
#Default restriction: Disallow everything
restrict default ignore
#No restrictions for "localhost"
restrict 127.0.0.1
#Enable the time sources to only provide time to this host
restrict dc1.example.com mask 255.255.255.255 nomodify notrap nopeer noquery
restrict dc2.example.com mask 255.255.255.255 nomodify notrap nopeer noquery
Config smb.conf by using rid idmap:
root@CLIENT1:~# cat /etc/samba/smb.conf
#======================= Global Settings =======================
[global]
#Change this to the workgroup/NT domain name your Samba server will be part of
workgroup = EXAMPLE
#server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)
password server = 192.168.10.2,192.168.10.3
security = ADS
realm = EXAMPLE.COM
netbios name = CLIENT1
log file = /var/log/samba/%m.log
log level = 1
username map = /etc/samba/user.map
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind offline logon = true
winbind enum groups = yes
winbind enum users = yes
winbind separator = /
winbind refresh tickets = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[homes]
comment = Home Directories
path = /home/%U
valid users = example.com/%U
read only = No
browseable = No
root preexec = /root/mkhome.sh %U %G
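As an added example (not part of the original post), the shell functions below predict the UID or GID that the rid idmap configuration above will hand out for an AD SID, so you can check what wbinfo --sid-to-uid, wbinfo --sid-to-gid or id should return after the join; the domain SID in the sample is a constructed placeholder.

```sh
#!/bin/sh
# Added example: predict the Unix ID that the smb.conf above allocates for a SID.
# idmap_rid maps ID = RID - base_rid + range_low (base_rid defaults to 0),
# but only for SIDs of the configured domain; any other SID (BUILTIN, well-known
# SIDs) falls through to the "*" tdb backend, which allocates from its own
# range in the order the SIDs are first seen, so those IDs are not predictable.
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample
RID_LOW=10000      # idmap config EXAMPLE : range = 10000-999999
RID_HIGH=999999
BASE_RID=0
TDB_LOW=3000       # idmap config * : range = 3000-7999
TDB_HIGH=7999

# Print the backend ("rid" or "tdb") that will handle a SID.
idmap_backend() {
  case "$1" in
    "$DOMAIN_SID"-*) echo rid ;;
    *)               echo tdb ;;
  esac
}

# Print the deterministic ID for a domain SID; fail if no ID will be assigned.
rid_to_id() {
  sid=$1
  [ "$(idmap_backend "$sid")" = rid ] || {
    echo "$sid is not in $DOMAIN_SID; tdb allocates it from $TDB_LOW-$TDB_HIGH" >&2
    return 1
  }
  rid=${sid##*-}
  id=$((rid - BASE_RID + RID_LOW))
  if [ "$id" -lt "$RID_LOW" ] || [ "$id" -gt "$RID_HIGH" ]; then
    echo "$sid maps to $id, outside $RID_LOW-$RID_HIGH: no Unix ID will be assigned" >&2
    return 1
  fi
  echo "$id"
}

# Well-known RIDs: Administrator (500) -> 10500, Domain Users (513) -> 10513;
# BUILTIN\Administrators (S-1-5-32-544) is not handled by the rid backend.
for sid in "$DOMAIN_SID-500" "$DOMAIN_SID-513" "S-1-5-32-544"; do
  printf '%s -> %s\n' "$sid" "$(rid_to_id "$sid" 2>&1)"
done
```

Compare the printed values with id EXAMPLE/username or getent passwd on the joined host; a mismatch usually means a different range or a second idmap domain got picked up.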
To create the home directory automatically when a domain user browses the share from File Explorer:
root@CLIENT1:~# cat /root/mkhome.sh
#!/bin/bash
# Called by "root preexec" with %U (user name) and %G (primary group).
user=$1
group=$2
home=/home/$user
# Create the home directory with a 0077 umask only if it does not exist yet.
if [ ! -d "$home" ] ; then
    mkhomedir_helper "$user" 0077
fi
Map the AD Administrator to root:
root@CLIENT1:~# cat /etc/samba/user.map
!root = EXAMPLE\Administrator
For AD users logging in to Ubuntu, add the line below to /etc/pam.d/common-session, just after the session pam_unix.so line:
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
Config Name Service Switch
root@CLIENT1:~# cat /etc/nsswitch.conf
#/etc/nsswitch.conf
#Example configuration of GNU Name Service Switch functionality.
#If you have the glibc-doc-reference and info packages installed, try:
#info libc "Name Service Switch" for information about this file.
#passwd: compat
passwd: files winbind systemd
#group: compat
group: files winbind systemd
#shadow: compat
shadow: files
gshadow: files
#hosts: files dns
hosts: files dns wins
#networks: files
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Reboot, join the host to Active Directory, and test:
root@client1:~# net ads join -U Administrator
Enter administrator's password: xxxxxx
Using short domain name -- EXAMPLE
Joined 'CLIENT1' to dns domain 'example.com'
root@client1:~# klist
root@client1:~# wbinfo --ping-dc
checking the NETLOGON for domain[EXAMPLE] dc connection to "dc1.example.com" succeeded
root@client1:~# wbinfo -g
domain computers
cert publishers
domain users
domain guests
ras and ias servers
domain admins
schema admins
enterprise admins
group policy creator owners
allowed rodc password replication group
denied rodc password replication group
enterprise read-only domain controllers
cloneable domain controllers
protected users
key admins
enterprise key admins
read-only domain controllers
domain controllers
dnsadmins
dnsupdateproxy
root@client1:~#
Notice
When the kinit, klist, wbinfo and getent tests all pass but su username fails with an authorization error, try the configuration below (make sure libnss-winbind, libpam-winbind and libpam-krb5 are installed and pam_winbind.so is included in the PAM files):
root@client1:/home/helen# cat /etc/pam.d/common-account
#here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
root@client1:/home/helen# cat /etc/pam.d/common-auth
#here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass