Ubuntu 9.04 Samba Server Integrated With Active Directory

Submitted by mislam on Wed, 2009-08-12 17:34. :: Ubuntu | Samba | Storage

This howto describes how an Ubuntu 9.04 Samba server is integrated with Active Directory and how to use Winbind so that the Linux server sees the domain users and groups transparently. I assume that your Ubuntu server is installed and ready to be configured with Samba.

Now, first things first. We need to install a few packages before we can proceed with the configuration. Every administrative command has to be prefixed with sudo, which quickly gets annoying, so what I usually do is:

username@ubuntuserver:~$ sudo su

In the prompt just type the password for the current username.

Then you will get this:

root@ubuntuserver:/home/username#

Now we need to install samba, krb5-user and winbind. To do this just type:

root@ubuntuserver:/home/username# apt-get update

root@ubuntuserver:/home/username# apt-get install samba  krb5-user  winbind

Once those are installed, configure Kerberos in /etc/krb5.conf. Before making any changes, back up the original file:

root@ubuntuserver:/home/username# cp /etc/krb5.conf /etc/krb5.conf.bak

Once the backup is in place, we can start configuring krb5.conf:

root@ubuntuserver:/home/username# nano /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log

[libdefaults]
default_realm = EXAMPLE.NET
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24000

[realms]
EXAMPLE.NET = {
    kdc = yourdomaincontroller.example.net
    admin_server = yourdomaincontroller.example.net
    default_domain = EXAMPLE.NET
}

[domain_realm]
.example.net = EXAMPLE.NET
example.net = EXAMPLE.NET

Testing Kerberos:

root@ubuntuserver:/home/username# kinit Administrator@EXAMPLE.NET

Password for Administrator@EXAMPLE.NET: **********

root@ubuntuserver:/home/username# klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.NET
Valid starting          Expires                  Service principal
08/06/09 12:09:34 08/06/09 22:09:39  krbtgt/EXAMPLE.NET@EXAMPLE.NET
                 renew until 08/07/09  12:09:34

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

 

SAMBA configuration:

Below is the Samba configuration file, /etc/samba/smb.conf, as I have configured it for my Ubuntu server. Before editing the original smb.conf, back it up as smb.confbak:

root@ubuntuserver:/home/username# cp /etc/samba/smb.conf /etc/samba/smb.confbak
root@ubuntuserver:/home/username# nano /etc/samba/smb.conf

#/etc/samba/smb.conf
[global]

workgroup = EXAMPLE
realm = EXAMPLE.NET
netbios name = yourservername
server string = %h server (Samba %v, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ADS
domain master = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind separator = +
usershare allow guests = yes

Once the file is saved, check that the configuration is valid with testparm, which reports syntax errors and prints the effective settings:

root@ubuntuserver:/home/username# testparm

Once testparm reports no errors, stop winbind, restart Samba, and start winbind again:

root@ubuntuserver:/home/username# /etc/init.d/winbind stop
root@ubuntuserver:/home/username# /etc/init.d/samba restart
root@ubuntuserver:/home/username# /etc/init.d/winbind start

Now add your Ubuntu server to the AD Domain by typing:

root@ubuntuserver:/home/username# net ads join -U Administrator@EXAMPLE.NET

Administrator's Password:*********

Using short domain name - EXAMPLE
Joined 'yourservername' to realm 'EXAMPLE.NET'

That's it. Your server 'yourservername' will now appear under 'Computers' in your Active Directory; it is up to you to move it into whichever OU you want the new Samba member server to live in. Once the server has been joined to AD, the next step is to edit /etc/nsswitch.conf so that winbind is consulted for user and group lookups.

So at the prompt just type:

root@ubuntuserver:/home/username# nano /etc/nsswitch.conf

# /etc/nsswitch.conf

passwd: compat winbind
group:  compat winbind
shadow: compat winbind

hosts:     files dns wins
networks:  files dns

protocols:   db files
services:    db files
ethers:      db files
rpc:         db files

netgroup:     nis

After that, save your changes and restart the Samba and winbind services.
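At this point the three files this guide edits (smb.conf, krb5.conf and nsswitch.conf) all have to agree with each other, and most failed joins or empty wbinfo listings come down to one of them being wrong. The script below is an added example, not part of the original howto: it checks the values the guide sets (upper-case realm, realm matching default_realm, security = ADS, idmap ranges, winbind in nsswitch.conf). The file paths are passed as arguments, the 1000 lower bound for the idmap range (above Ubuntu's local accounts) and the sample-config writer used for offline testing are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original howto): sanity-check smb.conf, krb5.conf
# and nsswitch.conf before running 'net ads join' or when wbinfo returns nothing.

# Print the value of "key = value" (case-insensitive key) from an ini-style file.
conf_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /=/ { k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
              if (tolower(k) == key) {
                  v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                  print v; exit } }' "$1"
}

# Usage: check_ad_configs smb.conf krb5.conf nsswitch.conf; returns the number of problems.
check_ad_configs() {
    errors=0
    realm=$(conf_value "$1" realm)
    # Kerberos realm names are case-sensitive; AD expects the upper-case form.
    if [ -z "$realm" ] || [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "smb.conf: realm '$realm' must be the upper-case Kerberos realm"; errors=$((errors + 1))
    fi
    if [ "$realm" != "$(conf_value "$2" default_realm)" ]; then
        echo "krb5.conf: default_realm does not match smb.conf realm '$realm'"; errors=$((errors + 1))
    fi
    if [ "$(conf_value "$1" security | tr 'a-z' 'A-Z')" != "ADS" ]; then
        echo "smb.conf: security must be ADS for an AD member server"; errors=$((errors + 1))
    fi
    # Winbind maps domain SIDs into this range; keep it above local accounts (assumed UID >= 1000).
    for key in "idmap uid" "idmap gid"; do
        range=$(conf_value "$1" "$key"); low=${range%%-*}; high=${range##*-}
        if [ -z "$range" ] || [ "${low:-0}" -lt 1000 ] || [ "${low:-0}" -ge "${high:-0}" ]; then
            echo "smb.conf: '$key' range '$range' is missing, too low, or inverted"; errors=$((errors + 1))
        fi
    done
    for db in passwd group; do
        grep -q "^$db:.*winbind" "$3" || { echo "nsswitch.conf: '$db' does not list winbind"; errors=$((errors + 1)); }
    done
    return "$errors"
}

# Write constructed sample configs (mirroring the guide's values) into directory $1 for offline testing.
write_sample_configs() {
    printf '[global]\nworkgroup = EXAMPLE\nrealm = EXAMPLE.NET\nsecurity = ADS\nidmap uid = 10000-20000\nidmap gid = 10000-20000\n' > "$1/smb.conf"
    printf '[libdefaults]\ndefault_realm = EXAMPLE.NET\n' > "$1/krb5.conf"
    printf 'passwd: compat winbind\ngroup:  compat winbind\nshadow: compat winbind\n' > "$1/nsswitch.conf"
}

# Stand-alone use: sh check_ad.sh /etc/samba/smb.conf /etc/krb5.conf /etc/nsswitch.conf
if [ $# -eq 3 ]; then check_ad_configs "$1" "$2" "$3"; fi
```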

To make sure winbind is working, list the domain users and groups:

root@ubuntuserver:/home/username# wbinfo -u

Administrator
Guest
User1
User2

root@ubuntuserver:/home/username# wbinfo -g

Domain Admins
Sales
HR
Helpdesk Stuff

You can also find out the domain controller information by typing the following:

root@ubuntuserver:/home/username# net ads info

LDAP server: 192.168.x.x
LDAP server name: yourdomaincontroller.example.net
Realm: EXAMPLE.NET
Bind Path: dc=EXAMPLE, dc=NET
LDAP port: 389
Server time: Thu, 06 Aug 2009 15:36:46 EST
KDC server: 192.168.x.x
Server time offset: 1
root@ubuntuserver:/home/username#

That's all. I hope it helps.


Submitted by bgabor (not registered) on Fri, 2011-10-21 10:04.

Documentation is very helpful, but there are a few differences on Ubuntu 11.04. Based on the documentation, when I tried to join AD with the "net ads join -U Administrator@EXAMPLE.NET" command I ran into this error:

Failed to join domain: failed to connect to AD: Malformed representation of principal

If I clear the right side of the username, it was successful:

"net ads join -U Administrator"

Submitted by onyangoliech (registered user) on Mon, 2011-02-07 14:25.

net ads join -U Administrator@DOMAIN.AC.KE
Enter Administrator's password:

Failed to join domain: failed to find DC for domain DOMAIN.AC.KE

Submitted by Anonymous (not registered) on Fri, 2010-07-16 21:59.
Very helpful howto. I did that the hard way, checking lots of info, and eventually I got it done; wish I had this guide before :D
Submitted by Anonymous (not registered) on Sun, 2010-01-03 01:31.
This procedure also works for joining a Samba 4 ADS style domain
Submitted by Anonymous (not registered) on Sat, 2009-12-19 02:18.
This article was good, but it could have been better if it included how to set up the shares so that the domain users or domain groups could be utilized. Took me some searching elsewhere, but found that you can set up shares with the line Valid Users =@domainname+groupname for groups, or Valid Users ="@domainname+group name" if the group name is two words. To add users individually just add domainname+username without the @ symbol in front. Separate each user or group with a space.
Submitted by Max Kimambo (not registered) on Sun, 2009-10-18 22:13.

Hello

I followed the tutorial to the point, but I am getting an error when trying to join the domain.

net ads join -U Administrator@MMRP.ORG

What I get is:

libads/kerberos.c:ads_kinit_password(362)
  kerberos_kinit_password Administrator@MMRP.ORG@MMRP.ORG failed: Malformed representation of principal
Failed to join domain: failed to connect to AD: Malformed representation of principal

Which does make sense, the domain name is appended twice, but the realm and the domain are defined as per the guide above and this is a clean install of Ubuntu 9.04 32-bit server.

Any suggestions?

If I find a solution on Google I will post it here.

regards,

Max.

Submitted by xplicit (not registered) on Tue, 2009-10-27 08:04.

Just use: net ads join -U Administrator

without domain name

Submitted by walerm (not registered) on Mon, 2009-10-26 23:56.

Hello Max

If you look closer at your error message, you can see that the realm is showing up twice.

kerberos_kinit_password Administrator@MMRP.ORG@MMRP.ORG failed: Malformed representation of principal

The correct command would then be: net ads join -U Administrator

I also had to run /etc/init.d/winbind restart after editing nsswitch.conf to have a successful run of the wbinfo -u and wbinfo -g commands :)

morten

Submitted by Samuel (not registered) on Mon, 2011-07-25 16:40.
Hi

required with this command could resolve the above error thank you
Submitted by Kumar (not registered) on Sat, 2009-08-29 04:46.

Hi..

This is a very nice document; without any knowledge we can integrate Samba and AD. It helps a lot.

Thank you very much for such a simple document.

Regards,

Kumar


Submitted by KenP (not registered) on Sat, 2009-08-15 17:11.

Hi, I wonder why we need Administrator account to join the domain?

As I understand it, if you already have a computer account in your AD domain, all you need is your own domain username and password. Does this work with samba/winbind?

Submitted by Anonymous (not registered) on Mon, 2009-08-17 08:11.

I wonder too, but it works that way for Windows too. Your AD account is not enough.

Submitted by chern0byl (not registered) on Sun, 2009-12-13 05:39.

Hi there!

I'm still doubtful about this. I'm currently trying to set up an Ubuntu system to use AD authentication without the need to actually join the Ubuntu system to the AD domain, since the host is already in the domain because it was previously a Windows XP host which I'm trying to migrate to Linux now with the same hostname as it was set in Windows.

I still was not successful, but I'm able to query the AD domain using commands like:

net ads info

So using a previous Windows AD host as a Linux host will work? Was anyone successful doing something like this?

Cheers,

Nuno.

Submitted by mislam (not registered) on Mon, 2009-08-17 03:59.
My understanding is that as long as you are a member of domain admins or helpdesk admins, you should be able to add a PC or server to the domain, but I don't think being only a domain user will let you do that. I just used Administrator as an example. Thanks
Submitted by Anonymous (not registered) on Wed, 2009-09-02 05:55.

Actually, the ability to add a computer to the domain is controlled by a security policy (group policy).  It's called "Add workstations to domain", and is described by Microsoft here:

http://technet.microsoft.com/en-us/library/cc976452.aspx

By default any authenticated user can add computers to a domain (up to ten of them, no idea why that number but there it is). I once had a rather honest co-worker let me know that I'd never changed that on our domain controller and he was able to set up VMs at will and add them to the domain, which he probably figured was messing with our Windows CALs count and I would probably care. Needless to say, I turned that "feature" off right quick.

Submitted by Anonymous (not registered) on Fri, 2009-08-14 19:53.
Use "sudo -i" instead of "sudo su".
Submitted by matey (registered user) on Thu, 2009-08-13 15:33.

Thanks for the instructions.

It is very helpful. 

I was wondering, and I think, that the (users') rights to files and folders on the Windows side have to be set in the Samba/Linux server.

Please correct me if I am wrong, and if you could show some examples of it that would be great! (or the link if it's already there)

Thanks a lot!