Ubuntu 9.04 Samba Server Integrated With Active Directory

This howtos describes how an Ubuntu 9.04 Samba server is integrated with Active Directory, and how to use Winbind; the Linux server sees the domain users and groups transparently. I assume that your Ubuntu server is installed and ready to be configured with Samba.

Now first things first. We need to install a few apps before we can proceed with the configuration. So in order to install anything you have to make sure you type sudo every time , but it is annoying every time to type sudo. So what I usually do is:

username@ubuntuserver:~$ sudo su

In the prompt just type the password for the current username.

Then you will get this:

root@ubuntuserver:/home/username#

Now we need to install samba, krb5-user and winbind. To do this just type:

root@ubuntuserver:/home/username# apt-get update

root@ubuntuserver:/home/username# apt-get install samba  krb5-user  winbind

Once you finish installing those then start configuring krb5.conf (/etc/krb5.conf). But before we make changes, we need to make sure we back up the original file first. So we do the following:

root@ubuntuserver:/home/username#  cp /etc/krb5.conf   /etc/krb5.conf.bak

Once we have done the backup we can start configuing krb5.conf by doing: 

 root@ubuntuserver:/home/username# nano /etc/krb5.conf 

[logging]

default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log


[libdefaults]
default_realm = EXAMPLE.NET
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24000

[realms]
EXAMPLE.NET = {
kdc = yourdomaincontroller.example.net
admin_server = yourdomaincontroller.example.net
default_domain = EXAMPLE.NET }

[domain_realm]
.example.net = EXAMPLE.NET
example.net = EXAMPLE.NET

Testing Kerberos:

root@ubuntuserver:/home/username# kinit Administrator@EXAMPLE.NET

Password for Administrator@EXAMPLE.NET: **********

root@ubuntuserver:/home/username# klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.NET
Valid starting          Expires                  Service principal
08/06/09 12:09:34 08/06/09 22:09:39  krbtgt/EXAMPLE.NET@EXAMPLE.NET
                 renew until 08/07/09  12:09:34

Kerberos  4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

SAMBA configuration:

Below is the example of the Samba file, /etc/samba/smb.conf, which I have configured for my Ubuntu server. But before we configure the original smb.conf, we have to make sure that we back up the smb.conf to smb.confbak.

root@ubuntuserver:/home/username# cp /etc/samba/smb.conf /etc/samba/smb.confbak
root@ubuntuserver:/home/username# nano /etc/samba/smb.conf

#/etc/samba/smb.conf
[global]


workgroup = EXAMPLE
realm = EXAMPLE.NET
netbios name = yourservername
server string = %h server (Samba %v, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ADS
domain master = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind separator = +
usershare allow guests = yes

Once we've finished configuring, then we need to check if the configuration is working using testparm. So please type:

root@ubuntuserver:/home/username# testparm

Once the Samba configuration test has finished, then stop and start the winbind service and restart the Samba service:

root@ubuntuserver:/home/username# /etc/init.d/winbind stop
root@ubuntuserver:/home/username# /etc/init.d/samba restart
root@ubuntuserver:/home/username# /etc/init.d/winbind start

Now add your Ubuntu server to the AD Domain by typing:

root@ubuntuserver:/home/username# net ads join -U Administrator@EXAMPLE.NET

Administrator's Password:*********

Using short domain name - EXAMPLE
Joined 'yourservername' to realm 'EXAMPLE.NET'

That's it. Your server 'yourservername' will appear under the 'computers' in your Active Directory. So now it's up to you to move which 'OU' you want to keep your new Samba member server. Once you've successfully added your new Samba server to the AD, the next step will be to make some changes in the 'nsswitch.conf' to set up winbind authentication.

So at the prompt just type:

root@ubuntuserver:/home/username# nano /etc/nsswitch.conf

# /etc/nsswitch.conf

passwd: compat winbind
group:  compat winbind
shadow: compat winbind

hosts:     files dns wins
networks:  files dns

protocols:   db files
services:    db files
ethers:      db files
rpc:         db files

netgroup:     nis

After that save all the changes you have made and restart the Samba and winbind services.

Make sure the winbind is working, to do that type the following:

root@ubuntuserver:/home/username# wbinfo -u

Administrator
Guest
User1
User2

root@ubuntuserver:/home/username# wbinfo -g

Domain Admins
Sales
HR
Helpdesk Stuff

You can also find out the domain controller information by typing the following:

root@ubuntuserver:/home/username# net ads info

LDAP server: 192.168.x.x
LDAP server name: yourdomaincontroller.example.net
Realm: EXAMPLE.NET
Bind Path: dc=EXAMPLE, dc=NET
LDAP port: 389
Server time: tHU, 06 aUG 2009 15:36:46 EST
KDC server: 192.168.x.x
Server time offset: 1
root@ubuntuserver:/home/username#

That's all. I hope it helps.