
Samba Shares with Active Directory Login on Ubuntu 12.04

Published: 27-06-2013 | Author: Remy van Elst

This tutorial shows you how to set up a Samba server which authenticates all users against an Active Directory, including group based permissions. It uses Samba, Winbind, Kerberos and nsswitch. This allows you to have a Linux machine serving files via SMB, where your authentication and authorization for the files and folders is done via Active Directory.

We are actually doing two things: we bind a Linux machine to the Active Directory (but we disable shell access for the users), and we then configure Samba to accept these users on the shares we set up.

Introduction

The data used in this tutorial:

This setup is tested with the following software:

Overview

A summary of the steps we are going to do:

You need to have a privileged account to join the Active Directory Domain.

Install Packages

On a freshly installed Ubuntu Server 12.04 we need to install the following packages to get started:

apt-get install ntp krb5-user samba smbfs smbclient winbind

The krb5-user package will ask some questions about your domain and a privileged user. You can just press Enter through these; we are going to put our own config files in place.

Configure NTP & DNS

Active Directory (Kerberos in general) is very picky about the system time, so configure NTP to sync the time against your Active Directory NTP server. Edit /etc/ntp.conf:

server 10.0.23.1

Now also edit your /etc/resolv.conf (or /etc/network/interfaces) file and change the DNS to your Active Directory DNS servers:

# /etc/resolv.conf
nameserver 10.0.23.1
search example.org

# /etc/network/interfaces
iface eth0 inet static
    [...]
    dns-nameservers 10.0.23.1
    dns-search example.org

We do this because Active Directory uses DNS for a lot of things. You can also set up your standard DNS servers to use an Active Directory DNS server as first upstream.

Configure Kerberos

What is Kerberos?

Kerberos is a computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client-server model and it provides mutual authentication: both the user and the server verify each other's identity.

A good article on how Kerberos is used in Active Directory can be found here: http://technet.microsoft.com/en-us/library/bb742516.aspx

We need to set up Kerberos so that we can bind our machine against Active Directory and let users access the Samba share via the AD. Edit the /etc/krb5.conf file, remove everything and place the following in it, changing the EXAMPLE.ORG domain to your own Active Directory Domain:

[libdefaults]
  ticket_lifetime = 24h
  default_realm = EXAMPLE.ORG
  forwardable = true

[realms]
  EXAMPLE.ORG = {
    kdc = 10.0.23.1
    default_domain = EXAMPLE.ORG
  }

[domain_realm]
  .example.org = EXAMPLE.ORG
  example.org = EXAMPLE.ORG

[kdc]
  profile = /etc/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

[logging]
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log

We are now going to test Kerberos by getting a ticket for the Active Directory Administrator user. Make sure you have the password ready:

kinit Administrator
Password for Administrator@EXAMPLE.ORG:

Now we check if we got a valid ticket:

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.ORG

Valid starting    Expires           Service principal
27/06/2013 07:17  27/06/2013 17:17  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 28/06/2013 07:17

If this is not correct, check your Kerberos, DNS and NTP (time) settings and try again.

Configure nsswitch

nsswitch is used to tell the system that the Active Directory users are also valid users. We are going to configure it to also accept winbind users, which is what Samba uses after it has bound to the domain.

Edit /etc/nsswitch.conf and change the passwd, shadow and group lines to look like this:

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

Note that this might not work for you. If you have issues with the users later on, change these lines to this:

passwd:         files winbind
shadow:         files winbind
group:          files winbind

The NetBSD man page explains more than the Ubuntu man page: http://www.daemon-systems.org/man/nsswitch.conf.5.html

Configure Samba (#1)

Now we need to set up Samba to also support the domain. Edit /etc/samba/smb.conf and remove everything, then place the following in it:

[global]
    # No .tld
    workgroup = EXAMPLE
    # Active Directory System
    security = ads
    # With .tld
    realm = EXAMPLE.ORG
    # Just a member server
    domain master = no
    local master = no
    preferred master = no
    # Disable printing error log messages when CUPS is not installed.
    printcap name = /etc/printcap
    load printers = no
    # Works both in samba 3.2 and 3.6.
    idmap backend = tdb
    idmap uid = 10000-99999
    idmap gid = 10000-99999
    # no .tld
    idmap config EXAMPLE:backend = rid
    # The range must be written low-high and match the uid/gid range above.
    idmap config EXAMPLE:range = 10000-99999
    winbind enum users = yes
    winbind enum groups = yes
    # This way users log in with username instead of username@example.org
    winbind use default domain = yes
    # Inherit groups in groups
    winbind nested groups = yes
    winbind refresh tickets = yes
    winbind offline logon = true
    # Becomes /home/example/username
    template homedir = /home/%D/%U
    # No shell access
    template shell = /bin/false
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2
    log file = /var/log/samba/samba.log
    log level = 2

Save the file and restart all the daemons:

/etc/init.d/winbind restart
/etc/init.d/nmbd restart
/etc/init.d/smbd restart

Join the domain

Make sure you still have a valid Kerberos ticket. If not, do a new kinit Administrator. Then execute the following command:

net ads join -U administrator

Output is like this:

Enter Administrator's password:
Using short domain name -- EXAMPLE
Joined 'HOSTNAME' to realm 'Example.org'
DNS Update for hostname.example.org failed: ERROR_DNS_GSS_ERROR
DNS update failed!

The DNS error can be ignored, but make sure you create an A record and a PTR record for the host manually.

Restart all the daemons again:

/etc/init.d/winbind restart
/etc/init.d/nmbd restart
/etc/init.d/smbd restart

Also update PAM:

pam-auth-update

Now see if you can list the domain users and groups:

wbinfo -u # lists all the users in the domain
wbinfo -g # lists all the groups in the domain

And also check if winbind and nsswitch are correctly working:

getent passwd # should return a list with all users on the local system and from the Active Directory
getent group  # should return a list with all groups and their members, both from the local system and the Active Directory

If this does not work, go back to the nsswitch configuration section and change compat to files.

Configure Samba (#2): Shares

This setup reflects an average business: two departments with their own share, one dump folder for everyone, and a folder for the CEO so that he feels special. Do note that it is a good idea to clean the Dropbox every night with a cronjob, but let your users know that this happens.

We are going to create the shares. First create the folders on the system:

mkdir -p /sharing/{marketing,research,ceo,dropbox}
chmod -R 0770 /sharing/
chgrp -R "Domain Users" /sharing/

Add the shares to /etc/samba/smb.conf:

[Marketing]
    comment = Marketing
    path = /sharing/marketing/
    valid users = @EXAMPLE\marketing
    force group = marketing
    writable = yes
    read only = no
    force create mode = 0660
    create mask = 0777
    directory mask = 0777
    force directory mode = 0770
    access based share enum = yes
    hide unreadable = yes

[Research]
    comment = Research
    path = /sharing/research
    valid users = @EXAMPLE\development, @EXAMPLE\research
    force group = "domain users"
    writable = yes
    read only = no
    force create mode = 0660
    create mask = 0777
    directory mask = 0777
    force directory mode = 0770
    access based share enum = yes
    hide unreadable = yes

[Dropbox]
    comment = Daily Emptied Dropbox
    path = /sharing/dropbox
    valid users = "@EXAMPLE\Domain Users"
    force group = "domain users"
    writable = yes
    read only = no
    force create mode = 0660
    create mask = 0777
    directory mask = 0777
    force directory mode = 0770
    access based share enum = yes
    hide unreadable = yes

[CEO]
    comment = CEO Only
    path = /sharing/ceo
    valid users = EXAMPLE\ceo
    force group = "domain users"
    writable = yes
    read only = no
    force create mode = 0660
    create mask = 0777
    directory mask = 0777
    force directory mode = 0770
    access based share enum = yes
    hide unreadable = yes

As you can see, an Active Directory group is written with a leading @, and a user without one. Also, when there are spaces in the group name, you wrap the whole entry in quotes: "@EXAMPLE\Domain Users".

You can find a lot of information on the smb.conf file in the man page: https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Why do we force the mode on files and folders? Because of problems with MS Word, according to the Samba documentation: https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id2615334

Afterwards, restart Samba:

/etc/init.d/smbd restart

Testing it

Create a few accounts in the groups used (set the expiry date to 1 day so you don't forget to remove them) and use those accounts to test the shares. Create files and folders as one user, then try to edit and remove them as another user. Also try to access the shares with a non-privileged user.

If you run into errors, check your log files in /var/log/samba. Make sure that the capitalization and spelling are correct in the valid users part of the Samba config file, and also check the permissions on the folders themselves with ls -la. You can set valid users = any to check if there are errors or not. The testparm command is also very helpful for checking the Samba config file.
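As an added example (not part of the original article), the following Python script lints the kind of smb.conf built above for the mistakes this section tells you to look for: a valid users entry that is not written as @DOMAIN\group or DOMAIN\user (which is what an unquoted "Domain Users" turns into), a share without the force create/directory modes, and a global idmap range that is not ordered low-high. SAMPLE_CONF is a constructed config seeded with three such mistakes, and the key names it checks are taken from the smb.conf shown on this page.

```python
import re

SAMPLE_CONF = """# constructed sample in the article's layout, seeded with three mistakes
[global]
    idmap config EXAMPLE:range = 10000-9999
[Research]
    valid users = @EXAMPLE\\development, @EXAMPLE\\research
    force create mode = 0660
    force directory mode = 0770
[Dropbox]
    valid users = @EXAMPLE\\Domain Users
    force create mode = 0660
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader; keys are lowercased with spaces removed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[key.strip().lower().replace(" ", "")] = value.strip()
    return conf

def split_users(value):
    """Split a 'valid users' list; a quoted name keeps its spaces."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|([^,\s]+)', value)]

def lint(conf):
    """Return problems for the global idmap range and every share section."""
    problems = []
    rng = conf.get("global", {}).get("idmapconfigexample:range", "")
    low, _, high = rng.partition("-")
    if not (low.isdigit() and high.isdigit() and int(low) < int(high)):
        problems.append(f"global: idmap range '{rng}' is not low-high")
    for name, share in conf.items():
        if name == "global":
            continue
        for entry in split_users(share.get("validusers", "")):
            if "\\" not in entry:  # an unquoted 'Domain Users' splits here
                problems.append(f"{name}: '{entry}' lacks a DOMAIN\\ prefix")
        for key in ("forcecreatemode", "forcedirectorymode"):
            if key not in share:
                problems.append(f"{name}: {key} is not set")
    return problems
```

Point parse_smb_conf at the contents of your real /etc/samba/smb.conf and feed the result to lint; it complements testparm, which checks syntax but not these conventions.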

Tags: active-directory, kerberos, ldap, microsoft, nsswitch, samba, smb, tutorials, ubuntu, winbind