Samba Join Windows 2016 AD as Domain Member (update)

Samba (Ubuntu 18.04) Join Windows 2016 AD as Domain Member

SAMBA.org has an easily understandable wiki on wiki.samba.org:

[update] This URL as well:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Clean Previous Installation and config

If you have installed and configured Samba before, do the following steps first for a clean setup:
a. Verify that no Samba-related processes are running:

#ps ax | egrep "samba|smbd|nmbd|winbindd"

Shut down those processes if any are listed.

b. Back up smb.conf if needed. To list the path to the file, enter:

#smbd -b | grep "CONFIGFILE"

c. Remove all Samba database files, such as *.tdb and *.ldb. To list the folders containing Samba databases:

#smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
Software to install
apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind cifs-utils smbclient
Config DNS (FQDN must be set up)

/etc/hosts:

root@client1:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 client1
192.168.10.6 client1.example.com client1

#The following lines are desirable for IPv6 capable hosts

::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/network/interfaces:

root@client1:~# cat /etc/network/interfaces
#This file describes the network interfaces available on your system
#and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

#The loopback network interface
auto lo
iface lo inet loopback

#The primary network interface
auto eth0
iface eth0 inet static
address 192.168.10.6
gateway 192.168.10.1
netmask 255.255.255.0
broadcast 192.168.10.255
dns-nameservers 192.168.10.2 192.168.10.3
dns-search example.com
Config Kerberos
root@CLIENT1:~# cat /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
Config NTP
root@UNAS:~# cat /etc/ntp.conf
#Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge 127.127.1.0 stratum 10

#Where to retrieve the time from
server dc1.example.com iburst prefer
server dc2.example.com iburst
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp

#Access control
#Default restriction: Disallow everything
restrict default ignore

#No restrictions for "localhost"
restrict 127.0.0.1

#Allow the time sources only to provide time to this host
restrict dc1.example.com mask 255.255.255.255 nomodify notrap nopeer noquery
restrict dc2.example.com mask 255.255.255.255 nomodify notrap nopeer noquery
Config smb.conf using the rid idmap backend:
root@CLIENT1:~# cat /etc/samba/smb.conf

  #========== Global Settings ============
  [global]
  #Change this to the workgroup/NT-domain name your Samba server will part of
  workgroup = EXAMPLE

  #server string is the equivalent of the NT Description field
  server string = %h server (Samba, Ubuntu)

  password server = 192.168.10.2,192.168.10.3
  security = ADS
  realm = EXAMPLE.COM
  netbios name = CLIENT1

  log file = /var/log/samba/%m.log
  log level = 1

  username map = /etc/samba/user.map
  idmap config * : range = 3000-7999
  idmap config * : backend = tdb
  idmap config EXAMPLE : backend = rid
  idmap config EXAMPLE : range = 10000 - 999999

  template shell = /bin/bash
  template homedir = /home/%U
  winbind use default domain = true
  winbind offline logon = true
  winbind enum groups = yes
  winbind enum users = yes
  winbind separator = /
  winbind refresh tickets = yes
  vfs objects = acl_xattr
  map acl inherit = yes
  store dos attributes = yes

  [homes]
  comment = Home Directories
  path = /home/%U
  valid users = example.com/%U
  read only = No
  browseable = No
  root preexec = /root/mkhome.sh %U %G
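The rid backend configured above does not store mappings in a database; it computes the Unix ID arithmetically from the RID of the AD SID, which is why the range must be identical on every domain member and must not overlap the default tdb range. As an added example (not from the original post or from Samba itself), the script below reproduces that mapping and the range checks in POSIX sh. The SIDs are constructed sample values with a placeholder domain SID; the ranges are the ones from the smb.conf above.

```shell
#!/bin/sh
# Added example, not from the original post: how the "rid" idmap backend
# derives Unix IDs from an AD SID with the ranges from the smb.conf above.
# SIDs used here are constructed samples (placeholder domain SID).

# idmap config EXAMPLE : range = 10000 - 999999
DOM_LOW=10000
DOM_HIGH=999999
# idmap config * : range = 3000-7999 (tdb, used for BUILTIN and well-known SIDs)
DEFAULT_LOW=3000
DEFAULT_HIGH=7999

# Print the RID, i.e. the last sub-authority of a SID such as
# S-1-5-21-1111111111-2222222222-3333333333-1104
sid_rid() {
    printf '%s\n' "${1##*-}"
}

# rid backend: unix_id = range_low + RID. Prints the ID, or prints nothing
# and returns 1 when the result would fall above the configured range
# (winbind then treats the SID as unmapped and the user gets no UID).
rid_to_unixid() {
    _rid=$(sid_rid "$1")
    _id=$((DOM_LOW + _rid))
    if [ "$_id" -gt "$DOM_HIGH" ]; then
        return 1
    fi
    printf '%s\n' "$_id"
}

# Reverse direction (what "wbinfo --uid-to-sid" relies on): RID = unix_id - low.
# Returns 1 for IDs outside the domain range.
unixid_to_rid() {
    if [ "$1" -lt "$DOM_LOW" ] || [ "$1" -gt "$DOM_HIGH" ]; then
        return 1
    fi
    echo $(($1 - DOM_LOW))
}

# Returns 0 when range [low1,high1] overlaps [low2,high2].
# Overlapping "*" and domain ranges are a misconfiguration winbind rejects.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

demo() {
    # Sample domain user with RID 1104 -> UID 11104
    rid_to_unixid S-1-5-21-1111111111-2222222222-3333333333-1104
    # "Domain Users" (well-known RID 513) -> GID 10513
    rid_to_unixid S-1-5-21-1111111111-2222222222-3333333333-513
    # A RID that does not fit the range stays unmapped
    rid_to_unixid S-1-5-21-1111111111-2222222222-3333333333-990000 \
        || echo "RID 990000: unmapped (above range)"
    if ranges_overlap "$DEFAULT_LOW" "$DEFAULT_HIGH" "$DOM_LOW" "$DOM_HIGH"; then
        echo "ERROR: default and domain idmap ranges overlap"
    else
        echo "idmap ranges do not overlap"
    fi
}

demo
```

Because the mapping is pure arithmetic, a domain member whose range differs (or whose default range overlaps the domain range) assigns different owners to the same files; comparing `wbinfo --sid-to-uid` results across members is the quick way to confirm they agree.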

To create the home directory automatically when a domain user browses the share from File Explorer:

root@CLIENT1:~# cat /root/mkhome.sh
#!/bin/bash
# Called from smb.conf as: root preexec = /root/mkhome.sh %U %G
user="$1"
group="$2"   # passed as %G but not needed by mkhomedir_helper
home="/home/$user"

# Create the home directory from /etc/skel with umask 0077 if it is missing
if [ ! -d "$home" ]; then
    mkhomedir_helper "$user" 0077
fi

Map the AD Administrator account to root:

root@CLIENT1:~# cat /etc/samba/user.map
!root = EXAMPLE\Administrator

To let AD users log in to Ubuntu, add the following line to /etc/pam.d/common-session, just after the session pam_unix.so line:

session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0077
Config Name Service Switch
root@CLIENT1:~# cat /etc/nsswitch.conf

#/etc/nsswitch.conf
#Example configuration of GNU Name Service Switch functionality.
#If you have the glibc-doc-reference and info packages installed, try:
#info libc "Name Service Switch" for information about this file.
#passwd: compat
passwd: files winbind systemd

#group: compat
group: files winbind systemd

#shadow: compat
shadow: files
gshadow: files

#hosts: files dns
hosts: files dns wins

#networks: files
networks: files dns

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
Reboot, join the host to Active Directory and test:
root@client1:~# net ads join -U Administrator
Enter administrator's password: xxxxxx
Using short domain name -- EXAMPLE
Joined 'CLIENT1' to dns domain 'example.com'

root@client1:~# klist

root@client1:~# wbinfo --ping-dc
checking the NETLOGON for domain[EXAMPLE] dc connection to "dc1.example.com" succeeded

root@client1:~# wbinfo -g
domain computers
cert publishers
domain users
domain guests
ras and ias servers
domain admins
schema admins
enterprise admins
group policy creator owners
allowed rodc password replication group
denied rodc password replication group
enterprise read-only domain controllers
cloneable domain controllers
protected users
key admins
enterprise key admins
read-only domain controllers
domain controllers
dnsadmins
dnsupdateproxy
root@client1:~#

Notice

When the kinit, klist, wbinfo and getent tests all pass but su username fails with a permission error, try the following (make sure libnss-winbind, libpam-winbind and libpam-krb5 are installed and pam_winbind.so is included in these files):

root@client1:/home/helen# cat /etc/pam.d/common-account
#here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so

root@client1:/home/helen# cat /etc/pam.d/common-auth
#here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass