Samba Shares with Active Directory Login on Ubuntu Server 13.04 – Part 3

By | November 13, 2013

Configure Samba (#1)

Edit the file /etc/samba/smb.conf:

vi /etc/samba/smb.conf

[global]

security = ads

# your Samba share name

netbios name = SHARE

realm = TEST.NET

password server = 192.168.1.100

workgroup = TEST

idmap uid = 500-10000000

idmap gid = 500-10000000

winbind separator = +

winbind enum users = no

winbind enum groups = no

winbind use default domain = yes

template homedir = /home/%D/%U

template shell = /bin/bash

client use spnego = yes

domain master = no

 

[COMMON]

comment = common share

path = /Raid_Mount/Common/

browseable = yes

writable = no

valid users = @"TEST+domain users"

admin users = "administrator"

 

[Public_Repo]

comment = Public access folder

path = /Raid_Mount/Public repo

browseable = yes

writable = yes

readonly = no

create mask = 777

directory mask = 777

valid users = @"TEST+domain users"

 

In this configuration, COMMON and Public_Repo are my share folders. You can add your own share folders in the same way.
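As a check on share definitions like the ones above before the daemons are restarted, the following added example (not part of the original post) parses smb.conf text and flags four things that are easy to miss: trailing comments (smb.conf only treats lines starting with # or ; as comments), typographic quotes, masks that allow world-writable files, and admin users entries. The function name audit_smb_conf and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample that mirrors the share definitions discussed on this page.
SAMPLE = """\
[global]
security = ads
netbios name = SHARE      //your samba share name.
template homedir = /home/%D/%U
[COMMON]
path = /Raid_Mount/Common/
valid users = @\u201dTEST+domain users\u201d
admin users = \u201cadministrator\u201d
[Public_Repo]
path = /Raid_Mount/Public repo
create mask = 777
directory mask = 777
"""

def audit_smb_conf(text):
    """Return a list of (section, parameter, finding) tuples."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # the only comment forms smb.conf has
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        if "=" not in line:
            continue
        name, value = (p.strip() for p in line.split("=", 1))
        key = re.sub(r"\s+", "", name).lower()   # Samba ignores case and spaces in names
        if re.search(r"\s(//|[#;])", value):
            findings.append((section, key, "trailing comment becomes part of the value"))
        if re.search("[\u201c\u201d\u2018\u2019]", value):
            findings.append((section, key, "typographic quotes; use ASCII quotes"))
        if key in ("createmask", "directorymask", "createmode", "directorymode"):
            if re.fullmatch(r"[0-7]+", value) and int(value, 8) & 0o002:
                findings.append((section, key, "mask allows world-writable files"))
        if key == "adminusers":
            findings.append((section, key, "listed users act as root on this share"))
    return findings

if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE):
        print("%-12s %-14s %s" % finding)
```

To audit a real file, pass its contents: audit_smb_conf(open("/etc/samba/smb.conf").read()).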

Save the file and restart all the daemons:

/etc/init.d/winbind restart

/etc/init.d/nmbd restart

/etc/init.d/smbd restart

———————————————————————————————————-

Join the domain

For Samba to be able to verify usernames and passwords against Active Directory, the server must first be joined to the domain. To do that, use the “net ads join” command.

Make sure you still have a valid Kerberos ticket. If not, do a new kinit Administrator. Then execute the following command:

net ads join -S test.net -U administrator
Enter password: *******

 

Output:
Using short domain name -- EXAMPLE
Joined 'HOSTNAME' to realm 'Test.net'
DNS Update for hostname.test.net failed: ERROR_DNS_GSS_ERROR
DNS update failed!

The DNS error can be ignored; make sure you create an A record and a PTR record manually.

The username and password must belong to a valid domain user who has permission to join the server to the domain. To verify that the server has joined the domain, you can use the following commands:

net ads status -S test.net -U administrator
or
net ads info

Also, to be safe, run the following commands:

wbinfo -u        # display the list of domain users
wbinfo -g        # display the list of domain groups

——————————————————————————————————————————

Restart all the daemons again:

/etc/init.d/winbind restart

/etc/init.d/nmbd restart

/etc/init.d/smbd restart

——————————————————————————————————————————-

PAM

pam-auth-update            # update PAM authentication

—————————————————————————————————————————–

Check if winbind and nsswitch are correctly working:

getent passwd
        # should return a list of all users on the local system and from Active Directory

getent group
        # should return a list of all groups and their members, both from the local system and from Active Directory

If this does not work, go back to the nsswitch configuration section and change the compat to files.

Setting file permissions

Now that Samba is configured and the server has joined the domain, the last thing to do is to set the UNIX-style file permissions on the share folders. You can now use domain users and groups as the owner and group of the folders and files. For example:

chown -R "vijai.krishnan" /sharefolder
chgrp "restricted-access-group" /sharefolder
chmod -R g+rw /sharefolder

Or to make all the users in the domain able to read and write the public folder:

chgrp -R "domain users" /sharefolder
chmod g+rw /sharefolder