Author Archives: Vijai Krishnan

Samba Shares with Active Directory Login on Ubuntu Server 13.04 – Part 3

Configure Samba (#1)

Edit the file /etc/samba/smb.conf:

vi /etc/samba/smb.conf

[global]
security = ads
netbios name = SHARE        # NetBIOS name of this server (15 characters max), not a share name
realm = TEST.NET
password server = 192.168.1.100
workgroup = TEST
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

A few things are worth knowing about these settings before you restart anything. "security = ads" together with "realm" is what makes Samba verify users through Kerberos against the domain. "password server" pins one DC; that is convenient in a lab but means the shares stop authenticating when that DC is down, so in production leave it out and let Samba find DCs through the domain's DNS SRV records. The idmap range is where winbind allocates UIDs and GIDs for domain accounts, and it must not collide with local accounts: Ubuntu uses 100-999 for system accounts and 1000 upwards for local users, so if this server will ever have local users start the range higher (for example 10000-10000000); newer Samba releases spell these two lines "idmap config * : backend = tdb" and "idmap config * : range = ...". Finally, "winbind enum users/groups = no" is the right choice for a large domain (enumerating it is slow), but it means "getent passwd" and "getent group" will not list domain accounts later on; single lookups still work.

[COMMON]
comment = common share
path = /Raid_Mount/Common/
browseable = yes
writable = no
valid users = @"TEST+domain users"
admin users = "administrator"

[Public_Repo]
comment = Public access folder
path = /Raid_Mount/Public repo
browseable = yes
writable = yes
read only = no                 # same parameter as writable; one of the two lines is enough
create mask = 777
directory mask = 777
valid users = @"TEST+domain users"

In this configuration COMMON and Public_Repo are my share folders; add your own shares in the same way. Two caveats on what is above. "admin users" makes Samba perform every file operation for that account as root, bypassing the UNIX permissions you set later; use it (if at all) only while fixing up ownership, then remove it. "create mask = 777" and "directory mask = 777" give read, write and execute to every local user of the server as well (the "other" class), and make every uploaded document executable. Since access is already limited to domain users by "valid users", the tighter equivalent is to give the directory tree to the "domain users" group with the setgid bit set and use "create mask = 0660" and "directory mask = 0770", which keeps files within the group and away from the rest of the system.
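As an added example (not from the tutorial), the following script checks an smb.conf for the three things just discussed: masks that grant write to everyone, "admin users" entries, and writable shares with no "valid users" line. The sample configuration inside it is constructed from the shares above, and the function names (sample_smb_conf, audit_smb_conf) are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit an smb.conf for share settings
# that grant more access than intended. One finding per line; the exit status
# is the number of findings, so it can gate a restart of smbd.

# Constructed sample modelled on the tutorial's [COMMON] and [Public_Repo]
# shares; the 777 masks and the admin users line are what it should catch.
sample_smb_conf() {
    f=$(mktemp "${TMPDIR:-/tmp}/smbaudit.XXXXXX")
    cat > "$f" <<'EOF'
[global]
security = ads
workgroup = TEST

[COMMON]
path = /Raid_Mount/Common/
writable = no
valid users = @"TEST+domain users"
admin users = "administrator"

[Public_Repo]
path = /Raid_Mount/Public repo
writable = yes
create mask = 777
directory mask = 777
valid users = @"TEST+domain users"
EOF
    echo "$f"
}

# audit_smb_conf FILE: print "<share>: <problem>" lines; exit status = count.
audit_smb_conf() {
    findings=$(awk '
        # Emit findings for the share whose lines were just read.
        function flush() {
            if (sec == "" || tolower(sec) == "global") return
            # The last octal digit of a mask is the "other" class; 2,3,6,7 include write.
            if (cmask ~ /[2367]$/)
                print sec ": create mask " cmask " lets everyone write new files"
            if (dmask ~ /[2367]$/)
                print sec ": directory mask " dmask " lets everyone write new directories"
            if (admin != "")
                print sec ": admin users " admin " bypass UNIX permissions as root"
            if (writable && valid == "")
                print sec ": writable share with no valid users restriction"
        }
        /^[ \t]*[;#]/ { next }                 # comment line
        /^[ \t]*\[/ {                          # new [section]
            flush()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            cmask = dmask = admin = valid = ""; writable = 0
            next
        }
        /=/ {                                  # key = value inside a section
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "create mask" || key == "create mode") cmask = val
            else if (key == "directory mask" || key == "directory mode") dmask = val
            else if (key == "admin users") admin = val
            else if (key == "valid users") valid = val
            else if ((key == "writable" || key == "writeable") && tolower(val) == "yes") writable = 1
            else if (key == "read only" && tolower(val) == "no") writable = 1
        }
        END { flush() }
    ' "$1")
    [ -n "$findings" ] && printf '%s\n' "$findings"
    return "$(printf '%s\n' "$findings" | awk 'NF { n++ } END { print n + 0 }')"
}

# Demo run on the constructed sample.
f=$(sample_smb_conf)
if audit_smb_conf "$f"; then
    echo "no findings"
else
    echo "$? finding(s) in $f"
fi
rm -f "$f"
```

Run it against the real /etc/samba/smb.conf before each restart; with the shares above it reports the two 777 masks on Public_Repo and the admin users entry on COMMON, and exits 3.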

Save the file and restart all the daemons:

/etc/init.d/winbind restart

/etc/init.d/nmbd restart

/etc/init.d/smbd restart

———————————————————————————————————-

Join the domain

Make sure you still have a valid Kerberos ticket (check with klist); if not, run kinit Administrator again.

For Samba to be able to verify usernames and passwords against the Active Directory, the server must first be joined to the domain. That is done with the "net ads join" command, run as root because it has to store the machine account password in Samba's secrets.tdb:

sudo net ads join -S test.net -U administrator
Enter password: *******

 

Output:
Using short domain name -- TEST
Joined 'HOSTNAME' to realm 'test.net'
DNS Update for hostname.test.net failed: ERROR_DNS_GSS_ERROR
DNS update failed!

The DNS error can be ignored as far as the join is concerned: the machine account now exists, only the secure dynamic DNS update was refused. Create the A record and the PTR record for the server manually on the AD DNS server (or retry later with "net ads dns register"), because Kerberos needs the server's name to resolve both ways.

The user given with -U must be a domain account that has permission to join machines to the domain. To verify that the server has joined the domain you can use the following commands:

sudo net ads testjoin          # prints "Join is OK" when the machine account and its password are valid
net ads status -S test.net -U administrator
or
net ads info

Also, to be safe, check the winbind side:

wbinfo -t        # verifies the trust secret (the machine account password) against a DC
wbinfo -u        # display list of domain users
wbinfo -g        # display list of domain groups

——————————————————————————————————————————

Restart all the daemons again:

/etc/init.d/winbind restart

/etc/init.d/nmbd restart

/etc/init.d/smbd restart

——————————————————————————————————————————-

PAM

pam-auth-update            # update PAM authentication; select "Winbind NT/Active Directory authentication"

This step is only needed if domain users should also log in to the server itself (console or ssh). Samba authenticates SMB clients against the domain without PAM, so for file sharing alone it can be skipped.

—————————————————————————————————————————–

Check if winbind and nsswitch are correctly working:

getent passwd
        # lists the local users; domain users are included only if "winbind enum users = yes"

getent passwd vijai.krishnan
        # single lookup of a domain user (with "winbind use default domain = yes" no TEST+ prefix is needed);
        # should print one passwd line with a uid from the idmap range and the home /home/TEST/vijai.krishnan

getent group "domain users"
        # should print the group with a gid from the idmap range

If the single lookups return nothing while "wbinfo -u" works, the NSS side is at fault: check that libnss-winbind is installed, then go back to the nsswitch configuration section and change compat to files.

Setting file permissions

Now that Samba is configured and the server has joined the domain, the last thing to do is to set the UNIX file permissions on the share folders. You can now use domain users and groups as the owner and group of files and folders. For example, to give one domain user ownership and a restricted domain group read/write access:

chown -R "vijai.krishnan" /sharefolder
chgrp -R "restricted-access-group" /sharefolder
chmod -R g+rwX /sharefolder

Or to make all the users in the domain able to read and write the public folder:

chgrp -R "domain users" /sharefolder
chmod -R g+rwX /sharefolder

Use a capital X rather than x: it adds the execute bit only to directories (which need it to be entered) and leaves ordinary files non-executable. If group names resolve as "TEST+domain users" on your system (that is, "winbind use default domain" is not set), use that spelling here as well.
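The following is an added example, not part of the tutorial, that applies the permission scheme above as a shell function: recursive owner and group, g+rwX, the setgid bit on directories so that files added by members keep the share's group, and no access for everyone else. It runs on a constructed temporary tree with the current user and group, so set_share_perms and mode_of are names chosen here; on the real share you would pass the domain owner and group.

```shell
#!/bin/sh
# Added example (not from the tutorial): group-based permissions for a share
# directory, done recursively and with the setgid bit so the group sticks.

# mode_of PATH: the 10-character mode string, e.g. drwxrws---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# set_share_perms DIR OWNER GROUP
# OWNER and GROUP may be domain accounts once winbind works, for example:
#   set_share_perms /Raid_Mount/Common vijai.krishnan "domain users"
# (a group name containing a space must be quoted, as in the tutorial).
set_share_perms() {
    dir=$1; owner=$2; group=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chown -R "$owner:$group" "$dir"
    # Capital X adds execute only to directories (and files already executable),
    # so documents stay non-executable while directories stay traversable.
    # o-rwx keeps local users of the server out of the share tree.
    chmod -R u+rwX,g+rwX,o-rwx "$dir"
    # setgid on every directory: files created by any member inherit GROUP,
    # which is what keeps a shared folder shared as people add to it.
    find "$dir" -type d -exec chmod g+s {} +
}

# Demo on a constructed tree using the current user and group so it runs
# anywhere; replace with the domain owner/group on the real share.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/sharedemo.XXXXXX")
mkdir -p "$demo_dir/reports"
: > "$demo_dir/reports/q1.txt"
set_share_perms "$demo_dir" "$(id -u)" "$(id -g)"
mode_of "$demo_dir/reports"          # drwxrws---
mode_of "$demo_dir/reports/q1.txt"   # -rw-rw----
rm -rf "$demo_dir"
```

Pair this with "create mask = 0660" and "directory mask = 0770" in the share definition so that files Samba creates match what the function sets on existing ones.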

Samba Shares with Active Directory Login on Ubuntu Server 13.04 – Part 2

Configure Kerberos

What is Kerberos?

Kerberos is a computer network authentication protocol which works on the basis of “tickets” to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

We need to set up Kerberos so that we can bind our machine against Active Directory and let users access the Samba share via the AD. Edit the /etc/krb5.conf file, remove everything and place the following in it, changing the TEST.NET domain to your own Active Directory Domain:

sudo vi /etc/krb5.conf

[libdefaults]
ticket_lifetime = 24000
default_realm = TEST.NET
forwardable = true
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_fallback = yes

[realms]
TEST.NET = {
kdc = 192.168.1.100
default_domain = test.net
}

[domain_realm]
.test.net = TEST.NET
test.net = TEST.NET

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

Two corrections and one warning on this file. The three enctype keys are spelled default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes (the original had "entypes" and a double underscore); libkrb5 ignores keys it does not recognise, so a misspelled key silently leaves the library defaults in force. More importantly, the values themselves are weak: des-cbc-md5 is single DES, which MIT Kerberos refuses by default (allow_weak_crypto = false) since release 1.8, and rc4-hmac is the legacy NT-hash based type. Windows Server 2008 and later support AES, so list aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 first and drop DES; keeping rc4-hmac at the end of the list is harmless for compatibility. The [appdefaults] pam block and krb4_convert only matter if pam_krb5 is used, which this tutorial does not install.
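As an added example that is not part of the tutorial, the script below checks the [libdefaults] section of a krb5.conf for unrecognised keys and for enctype lists that allow DES or offer no AES type, and shows the hardened counterpart of the configuration above beside the original. Both configurations are embedded as constructed files; the key whitelist is a short list of common [libdefaults] options assembled for this example, not the complete set, and sample_krb5_conf, hardened_krb5_conf and check_krb5_conf are names chosen here.

```shell
#!/bin/sh
# Added example (not from the tutorial): lint the [libdefaults] section of a
# krb5.conf. MIT libkrb5 ignores keys it does not know, so a typo such as
# default_tgs_entypes quietly has no effect; DES types are refused unless
# allow_weak_crypto is on, and a list without AES forces RC4 against modern DCs.

# Constructed sample: the tutorial's [libdefaults] as printed, typos included.
sample_krb5_conf() {
    f=$(mktemp "${TMPDIR:-/tmp}/krb5.XXXXXX")
    cat > "$f" <<'EOF'
[libdefaults]
ticket_lifetime = 24000
default_realm = TEST.NET
forwardable = true
default_tgs_entypes = rc4-hmac des-cbc-md5
default_tkt__enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_fallback = yes

[realms]
TEST.NET = {
kdc = 192.168.1.100
}
EOF
    echo "$f"
}

# Hardened counterpart: AES first (supported by the 2008/2012 DCs the tutorial
# targets), rc4-hmac kept last for the Samba 3.6 machine account, no DES.
hardened_krb5_conf() {
    f=$(mktemp "${TMPDIR:-/tmp}/krb5.XXXXXX")
    cat > "$f" <<'EOF'
[libdefaults]
default_realm = TEST.NET
forwardable = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
dns_lookup_kdc = true
EOF
    echo "$f"
}

# check_krb5_conf FILE: one finding per line; exit status = number of findings.
check_krb5_conf() {
    findings=$(awk '
        BEGIN {
            # Whitelist assembled for this example (common keys only, not the full set).
            n = split("default_realm ticket_lifetime renew_lifetime forwardable proxiable " \
                      "dns_lookup_kdc dns_lookup_realm dns_fallback dns_canonicalize_hostname rdns " \
                      "default_tgs_enctypes default_tkt_enctypes permitted_enctypes allow_weak_crypto " \
                      "clockskew kdc_timesync ccache_type default_ccache_name noaddresses canonicalize", k, " ")
            for (i = 1; i <= n; i++) known[k[i]] = 1
        }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == "libdefaults" && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = tolower($0); sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (!(key in known)) { print "libdefaults: unknown key " key " (ignored by libkrb5; typo?)"; next }
            if (key ~ /_enctypes$/) {
                if (val ~ /des-cbc/) print "libdefaults: " key " allows single DES (" val ")"
                if (val !~ /aes/)   print "libdefaults: " key " offers no AES type (" val ")"
            }
            if (key == "allow_weak_crypto" && val == "true") print "libdefaults: allow_weak_crypto is on"
        }
    ' "$1")
    [ -n "$findings" ] && printf '%s\n' "$findings"
    return "$(printf '%s\n' "$findings" | awk 'NF { c++ } END { print c + 0 }')"
}

# Demo: the tutorial's file versus the hardened one.
w=$(sample_krb5_conf); h=$(hardened_krb5_conf)
echo "== tutorial [libdefaults] =="; check_krb5_conf "$w" || echo "$? finding(s)"
echo "== hardened [libdefaults] =="; check_krb5_conf "$h" && echo "clean"
rm -f "$w" "$h"
```

On the tutorial's file it reports the two misspelled keys and, for permitted_enctypes, both the DES type and the missing AES type (four findings); the hardened file passes clean. Point it at /etc/krb5.conf after editing and before running kinit.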

We are now going to test Kerberos by getting a ticket for the Active Directory Administrator user. Because the commands run under sudo, the ticket lands in root's credential cache (/tmp/krb5cc_0), so check it with sudo as well:

sudo kinit Administrator
Password for Administrator@TEST.NET: ********

Now we check if we got a valid ticket:

sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TEST.NET

Valid starting       Expires              Service principal
03/11/2013 08:20     21/11/2013 15:11     krbtgt/TEST.NET@TEST.NET
        renew until 28/11/2013 06:11

If kinit fails with "Clock skew too great", fix NTP first; with "Cannot find KDC for realm" or "KDC reply did not match expectations", check that the KDC address resolves and that the realm is spelled in upper case exactly as the domain expects.

—————————————————————————————————————————————————–

Configure nsswitch

nsswitch tells the system which sources to consult for users, groups and hosts. We configure it so that winbind, and through it the AD domain, is consulted next to the local files.

Edit the file /etc/nsswitch.conf in order to have the following contents:

sudo vi /etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
hosts:          files dns wins
networks:       files dns
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

Local sources go first on purpose: root and the other local accounts are then resolved without a round trip to winbindd, which matters when winbind is down or the server is booting. winbind provides no shadow data, so the shadow entry is harmless but does nothing. The wins entry on the hosts line needs the libnss-winbind package (it ships libnss_wins as well as libnss_winbind); drop it if you do not want NetBIOS name lookups. If you have issues with domain users later on, the other common variant is:

passwd:      files winbind
shadow:      files winbind
group:       files winbind

Samba Shares with Active Directory Login on Ubuntu Server 13.04 – Part 1

This tutorial shows you how to set up a Samba server that uses Active Directory users and groups for authentication.

Samba, winbind, Kerberos and nsswitch together let a Linux machine serve files over SMB while authentication and authorization for the files and folders are done against Active Directory.

—————————————————————————————————————————–

Introduction

The data used in this tutorial:

  • Active Directory domain (DNS name):   test.net
  • Kerberos realm:                       TEST.NET (the DNS domain in upper case)
  • Workgroup / short domain name:        TEST
  • Active Directory server IP:           192.168.1.100 (also DNS and NTP)

This setup is tested with the following software:

  • Ubuntu Server 13.04
  • Samba 3.6.3
  • Active Directory on Windows Server 2008 mixed with Windows Server 2012.
  • Active Directory on Windows Server 2003 mixed with Windows Server 2008

——————————————————————————————————————————-

Overview

A summary of the steps we are going to do:

  • Install Packages
  • Configure NTP & DNS
  • Configure Kerberos
  • Configure nsswitch
  • Configure Samba
  • Join the Domain
  • Configure Samba shares
  • Test the setup

—————————————————————————————————————————-

Install Packages

On a freshly installed Ubuntu Server 13.04, install the following packages.

sudo apt-get install ntp krb5-user samba smbclient winbind libnss-winbind libpam-winbind

The krb5-user package will ask for your default realm and for the KDC and administrative server of that realm; answer TEST.NET and 192.168.1.100 (the generated /etc/krb5.conf is replaced in Part 2 anyway). libnss-winbind is the NSS module that later lets getent see domain users; since Ubuntu 12.04 it is packaged separately from winbind, and without it the nsswitch step silently does nothing. libpam-winbind is only needed if domain users should log in to the server itself. The smbfs package that older versions of this command list is only for mounting remote shares from this machine, not for serving them, and has been replaced by cifs-utils.

———————————————————————————————————–

Configure NTP & DNS

Active Directory (Kerberos in general) is very picky about the system time: a clock skew of more than 5 minutes makes every Kerberos exchange fail, so configure NTP to sync the time against your Active Directory server. Edit /etc/ntp.conf and point it at the DC:

sudo vi /etc/ntp.conf

server 192.168.1.100

Then restart ntp and check that the DC is reached and the offset is small:

sudo service ntp restart
ntpq -p

Edit your /etc/resolv.conf file and change the DNS to your Active Directory DNS servers:

sudo vi /etc/resolv.conf

nameserver 192.168.1.100

search test.net

On Ubuntu 13.04 /etc/resolv.conf is generated by resolvconf and a hand edit is lost at the next network restart; put the same settings on the interface stanza in /etc/network/interfaces as "dns-nameservers 192.168.1.100" and "dns-search test.net" instead. Either way, verify that the domain's service records resolve before continuing, since both the Kerberos client and "net ads join" depend on them:

host -t SRV _kerberos._tcp.test.net
host -t SRV _ldap._tcp.test.net