Including Ubuntu-based Samba Server in AD Domain

    In our previous article we examined what Active Directory and Samba are and what the advantages of using them together are. It also covered building Samba from source and joining it to a domain, all from the command line. It should be recognized that building from source is not common practice in modern Linux distributions: software is usually installed from repositories, which makes installation simpler and more user friendly, pulls in the additional packages the software needs automatically, and removes the need to study lists of prerequisite packages. There is also a clear trend toward graphical interfaces. One can debate the pros and cons at length, but the fact remains that more and more users, and even system administrators, prefer the GUI for a significant share of their tasks. In this article we will consider installing Samba and joining it to a domain using the command line and repositories, and then joining Samba to a domain using the graphical interface of the SADMS utility.
    According to Openstat statistics, Ubuntu is 4th in the list of the most popular operating systems for web servers, and its popularity is growing rapidly. In our case this is the Ubuntu Server 12.04 LTS distribution, which can be found on the official Ubuntu website.

    1. Inclusion of a Ubuntu-based Samba server in an AD domain using the command line

    To get started, consider joining a Ubuntu-based server to an AD domain using the command line. The process is described in detail in the documentation on the Ubuntu website.

    2. Installing updates and necessary packages

    We will need Kerberos, Samba and Winbind. Before installing them, it is recommended to update the system:
    sudo apt-get update
    sudo apt-get upgrade

    After successfully installing the updates, install Kerberos, Samba and Winbind:
    sudo apt-get install krb5-user samba winbind

    In this command:
    krb5-user is the package for the Kerberos protocol, which is used for authentication against Windows;
    samba allows the host to become a member of a domain;
    winbind allows the use of user accounts from Active Directory.
    When using the graphical interface you can use the Synaptic package manager. Note that Ubuntu Server 12.04 LTS has no graphical interface by default; it can be installed separately if necessary:
    sudo apt-get install ubuntu-desktop

    After that, you need to configure all the components for working with the domain. The test domain is called LAB.LOCAL, the domain controller is lab-dc1.lab.local (with its IP address), and the server name is testubuntu.

    3. Setting up DNS

    First of all, you need to configure DNS on the host running Ubuntu (the domain controller will be the DNS server) and also set the correct search domain. To do this, edit the /etc/resolv.conf file so that it contains the following information (the nameserver line is the address of the domain controller, shown here as a placeholder):
    nameserver <IP-of-lab-dc1>
    domain lab.local
    search lab.local

    Note that on Ubuntu 12.04 /etc/resolv.conf is generated by resolvconf; if your edits get overwritten, put the equivalent dns-nameservers and dns-search lines in /etc/network/interfaces instead.

    To apply the changes, restart the network service:
    sudo /etc/init.d/networking restart

    You should also make sure that the server name in the /etc/hostname file is correct.
    It is also necessary to edit the /etc/hosts file so that it contains an entry with the fully qualified domain name of the computer and its short host name, pointing to one of the internal IP addresses (replace <internal-IP> with the server's own address):
    # Names of this computer
    127.0.0.1       localhost
    <internal-IP>   testubuntu.lab.local   testubuntu

    4. Setting up time synchronization

    The next step is to configure time synchronization with the domain controller. It is very important not to forget this step, because if the time difference is more than five minutes we will not be able to obtain a ticket from Kerberos.
    If the network has an accurate time server you can use it, or any public one.

    Automatic synchronization is configured with ntpd; this daemon will synchronize periodically. First you need to install it:
    sudo apt-get install ntp

    Now you need to make changes to the file /etc/ntp.conf, adding information about the time server to it:
    # You do need to talk to an NTP server or two (or three).
    server lab-dc1.lab.local

    Then you need to restart the daemon ntpd:
    sudo /etc/init.d/ntp restart

    5. Configuring Kerberos

    The next step is to configure authentication through the Kerberos protocol. You will need to edit the file /etc/krb5.conf. The following is the result of the edits, showing the relevant sections of the file:
    [libdefaults]
    	default_realm = LAB.LOCAL
    	kdc_timesync = 1
    	ccache_type = 4
    	forwardable = true
    	proxiable = true
    	v4_instance_resolve = false
    	v4_name_convert = {
    		host = {
    			rcmd = host
    			ftp = ftp
    		}
    		plain = {
    			something = something-else
    		}
    	}
    	fcc-mit-ticketflags = true

    [realms]
    	LAB.LOCAL = {
    		kdc = lab-dc1
    		admin_server = lab-dc1
    		default_domain = LAB.LOCAL
    	}

    [domain_realm]
    	.lab.local = LAB.LOCAL
    	lab.local = LAB.LOCAL

    [login]
    	krb4_convert = false
    	krb4_get_tickets = false

    At this stage you can verify that we can log in to the domain. To do this, use the following command:
    kinit user@LAB.LOCAL

    Instead of user, of course, you should enter the name of an existing domain user. The realm name must be written in capital letters!
    If the command did not produce errors, then everything is correct and the domain has issued you a Kerberos ticket. You can verify that the ticket has been received by running the command:
    klist

    You can delete all tickets with the command
    kdestroy

    So, we will consider that authentication was successful; it is time to configure the domain join itself.
    The next file of interest is /etc/samba/smb.conf. In it we need the [global] section. Below is an example of a portion of a Samba configuration file with comments about the meaning of the important parameters:
    # These two options must be written in uppercase; workgroup is the name without
       # the last part after the dot, and realm is the full domain name
       workgroup = LAB
       realm = LAB.LOCAL

     # These two options are what enables authentication through AD
       security = ADS
       encrypt passwords = true
       # Simply important
       dns proxy = no
       socket options = TCP_NODELAY

     # If you do not want Samba to try, given the chance, to become the master of the domain
       # or workgroup, or even a domain controller, always set these five options exactly like this
       domain master = no
       local master = no
       preferred master = no
       os level = 0
       domain logons = no

    # Disable printer support
       load printers = no
       show add printer wizard = no
       printcap name = /dev/null
       disable spoolss = yes
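    The two configuration fragments above (the krb5.conf sections and the [global] section of smb.conf) are easy to get subtly wrong, and the text warns about the most common mistakes: a lowercase realm or workgroup, a workgroup that still carries the DNS suffix, and the "master" options left on. The script below is an added example, not code from the original article or from the Samba project: it reads both files from paths you pass in, reports each of those mistakes, and also checks that default_realm in krb5.conf matches the realm in smb.conf. The sample configuration files it writes are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example: a pre-join sanity check for smb.conf and krb5.conf.
# File paths are parameters, so it can be run on copies before editing /etc.

# ini_value FILE SECTION KEY: print the value of KEY inside [SECTION],
# ignoring comment lines and surrounding whitespace. smb.conf and the flat
# sections of krb5.conf both use this "key = value" layout.
ini_value() {
    awk -v section="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            hdr = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", hdr)
            in_sec = (hdr == section); next
        }
        in_sec {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# is_upper STRING: true if STRING is non-empty and has no lowercase letters.
is_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# check_member_config SMB_CONF KRB5_CONF: print each problem found and
# return 0 only when every check passes.
check_member_config() {
    smb=$1; krb5=$2; rc=0
    workgroup=$(ini_value "$smb" global workgroup)
    realm=$(ini_value "$smb" global realm)
    security=$(ini_value "$smb" global security)
    default_realm=$(ini_value "$krb5" libdefaults default_realm)

    is_upper "$realm" || { echo "realm '$realm' must be the full domain name in uppercase"; rc=1; }
    is_upper "$workgroup" || { echo "workgroup '$workgroup' must be uppercase"; rc=1; }
    case $workgroup in
        *.*) echo "workgroup '$workgroup' must not include the part after the dot"; rc=1 ;;
    esac
    # Samba reads the value case-insensitively; ADS selects Kerberos/AD authentication.
    case $(printf '%s' "$security" | tr '[:lower:]' '[:upper:]') in
        ADS) ;;
        *) echo "security is '$security', expected ADS"; rc=1 ;;
    esac
    [ "$default_realm" = "$realm" ] ||
        { echo "krb5.conf default_realm '$default_realm' does not match smb.conf realm '$realm'"; rc=1; }
    # The options that stop Samba from trying to become a master or a domain controller.
    for opt in "domain master" "local master" "preferred master" "domain logons"; do
        v=$(ini_value "$smb" global "$opt")
        [ "$v" = "no" ] || { echo "'$opt' is '${v:-unset}', expected no"; rc=1; }
    done
    return $rc
}

# write_sample_configs DIR: constructed sample files (not from a real host):
# a correct smb.conf, a misconfigured copy, and a minimal krb5.conf.
write_sample_configs() {
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = LAB
   realm = LAB.LOCAL
   security = ADS
   encrypt passwords = true
   domain master = no
   local master = no
   preferred master = no
   os level = 0
   domain logons = no
EOF
    cat > "$1/smb-bad.conf" <<'EOF'
[global]
   workgroup = lab.local
   realm = lab.local
   security = user
   domain master = yes
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = LAB.LOCAL
[realms]
    LAB.LOCAL = {
        kdc = lab-dc1
    }
EOF
}

# Demonstration on the constructed files; on a real host run
#   check_member_config /etc/samba/smb.conf /etc/krb5.conf
demo() {
    dir=$(mktemp -d)
    write_sample_configs "$dir"
    echo "--- good configuration"
    check_member_config "$dir/smb.conf" "$dir/krb5.conf" && echo "OK"
    echo "--- misconfigured copy"
    check_member_config "$dir/smb-bad.conf" "$dir/krb5.conf" || echo "FAILED (expected)"
    rm -rf "$dir"
}
demo
```

    Run it before net ads join; a non-zero exit from check_member_config means at least one of the settings the article calls out is wrong, and the messages say which.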

    After editing smb.conf, run the testparm command. It will check the configuration for errors and print a summary of it:
    # testparm
    Load smb config files from /etc/samba/smb.conf
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

    As we can see, the parameters needed for the computer to become a member of the domain are set. Now it is time to try to join the domain. To do this, use the following command:
    net ads join -U admin -D LAB 

    And if successful, the command output should be something like this:
    # net ads join -U admin -D LAB
    Enter admin's password:
    Using short domain name — LAB 
    Joined 'testubuntu' to realm 'lab.local'

    6. Parameters of the net command

    1. -U username%password: a required parameter; instead of admin you must substitute a user name with domain administrator rights and specify the password. If %password is omitted, as in the example above, the password is requested interactively, which keeps it out of the shell history.
    2. -D DOMAIN: the domain itself; it may be omitted, but it is better to always give it, just to be safe.
    3. -S win_domain_controller: can be omitted, but there are cases when the server does not find the domain controller automatically.
    4. createcomputer="OU/OU/…": AD often uses OUs (Organizational Units); for example, OU=Office sits in the root of the domain and contains OU=Cabinet. To add the computer straight into the desired OU you can specify:
      	sudo net ads join -U username createcomputer="Office/Cabinet"

    If there are no further messages, then everything went well.
    Try pinging the server by name from another member of the domain to make sure everything works properly in the domain.
    You can also use the command
    net ads testjoin

    If there are no problems, the output of the command will be as follows:
    #net ads testjoin
    Join is OK

    But sometimes, after a message about joining a domain, this error appears:
    DNS update failed!

    Before figuring out why DNS is not updated, restart the computer after joining the domain; it is possible that this alone solves the problem.
    If that does not help, check the DNS settings again: with a high degree of probability the cause is there. After that, remove the computer from the domain and repeat the process.
    If everything went without errors, the computer has been successfully joined to the domain. You can go to the domain controller and verify this.
    If you need to work with domain users in some way, for example to configure SMB shares with access control, then in addition to Samba itself you will also need Winbind, a special daemon that connects the local Linux user and group management to the Active Directory server.
    Simply put, Winbind is needed if you want to see domain users on your Ubuntu computer.
    Winbind allows you to project all AD users and groups into your Linux system by assigning them IDs from a given range. Thus you can designate domain users as owners of folders and files on your computer and perform any other operations related to users and groups.
    Winbind is configured in the same file, /etc/samba/smb.conf. Add the following lines to the [global] section:
    # Options for mapping domain users to virtual users in the system through Winbind.
       # ID ranges for virtual users and groups.
       idmap uid = 10000 - 40000
       idmap gid = 10000 - 40000
       # These options should not be turned off.
       winbind enum groups = yes
       winbind enum users = yes
       # Use the default domain for user names. Without this option user and group names
       # are used together with the domain, i.e. DOMAIN\user instead of user.
       # That may be exactly what you want, but usually it is simpler to enable this parameter.
       winbind use default domain = yes
       # If you want to allow domain users to use the command line, add the following line;
       # otherwise /bin/false will be used as the shell
       template shell = /bin/bash
       # For automatic renewal of the Kerberos ticket by the module, add the line
       winbind refresh tickets = yes

    Now restart the Winbind and Samba daemons in the following order:
    sudo /etc/init.d/winbind stop
    sudo /etc/init.d/smbd restart
    sudo /etc/init.d/winbind start

    After the restart, verify that Winbind has established a trust with AD using the command
    # wbinfo -t

    and also that Winbind sees users and groups from AD, with the commands
    wbinfo -u
    wbinfo -g

    These two commands should list the users and groups from the domain, respectively.
    So, Winbind works, but it is not yet integrated into the system.
    In order for your Ubuntu to transparently work with domain users (in particular, so that you can designate domain users as the owners of folders and files), you must tell Ubuntu to use Winbind as an additional source of information about users and groups.
    To do this, change the two lines in the file /etc/nsswitch.conf:
    passwd:         compat
    group:          compat

    adding winbind to them at the end:
    passwd:         compat winbind
    group:          compat winbind

    Now check that Ubuntu is asking Winbind for user and group information by running
    getent passwd
    getent group

    The first command should return the entire contents of your /etc/passwd file, that is, your local users plus the domain users with IDs from the range you specified in smb.conf. The second should do the same for groups.
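    The nsswitch.conf edit and the getent check above are the point where a mistake is easy to make and hard to notice: appending winbind twice, or forgetting one of the two lines, gives confusing results later. The script below is an added example, not code from the original article or from the Samba project. It makes the edit idempotent, reads the idmap range out of smb.conf, and filters passwd-format output down to the accounts that fall inside that range, which is exactly what you expect getent passwd to gain after the change. All file paths are parameters, and the passwd lines it uses are constructed sample data, not output from a real host.

```shell
#!/bin/sh
# Added example: integrate Winbind into NSS idempotently and verify the result
# against the idmap range configured in smb.conf.

# add_winbind_to_nsswitch FILE: append "winbind" to the passwd: and group:
# lines unless it is already present, so running it twice changes nothing.
add_winbind_to_nsswitch() {
    tmp="$1.tmp.$$"
    awk '
        /^(passwd|group):/ && $0 !~ /[[:space:]]winbind([[:space:]]|$)/ { print $0 " winbind"; next }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# idmap_range SMB_CONF: print "LOW HIGH" taken from "idmap uid = LOW - HIGH".
idmap_range() {
    awk -F= '/^[[:space:]]*idmap uid[[:space:]]*=/ {
        split($2, r, "-")
        gsub(/[[:space:]]/, "", r[1]); gsub(/[[:space:]]/, "", r[2])
        print r[1], r[2]; exit
    }' "$1"
}

# domain_accounts LOW HIGH: read passwd-format lines on stdin and print the
# names whose UID lies in [LOW, HIGH], i.e. the accounts Winbind mapped in.
# On a joined host pipe `getent passwd` into it.
domain_accounts() {
    awk -F: -v low="$1" -v high="$2" '$3 + 0 >= low + 0 && $3 + 0 <= high + 0 { print $1 }'
}

# sample_passwd: constructed stand-in for `getent passwd` on a joined host
# (local accounts plus two entries mapped by Winbind into 10000-40000).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash
jdoe:*:10001:10000:John Doe:/home/LAB/jdoe:/bin/bash
svc_backup:*:10542:10000:Backup Service:/home/LAB/svc_backup:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
EOF
}

# Demonstration on temporary copies; the real files are /etc/nsswitch.conf
# and /etc/samba/smb.conf.
demo() {
    dir=$(mktemp -d)
    printf 'passwd:         compat\ngroup:          compat\nhosts:          files dns\n' > "$dir/nsswitch.conf"
    printf '[global]\n   idmap uid = 10000 - 40000\n   idmap gid = 10000 - 40000\n' > "$dir/smb.conf"
    add_winbind_to_nsswitch "$dir/nsswitch.conf"
    add_winbind_to_nsswitch "$dir/nsswitch.conf"   # second run: no duplicate "winbind"
    echo "--- nsswitch.conf after the edit"
    cat "$dir/nsswitch.conf"
    set -- $(idmap_range "$dir/smb.conf")
    echo "--- accounts mapped into the idmap range $1-$2"
    sample_passwd | domain_accounts "$1" "$2"
    rm -rf "$dir"
}
demo
```

    On a real host, an empty result from getent passwd | domain_accounts LOW HIGH after the Winbind restart means NSS is not consulting Winbind yet, or Winbind is not mapping accounts into the configured range; check nsswitch.conf first and then wbinfo -u.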

    Inclusion of a Ubuntu-based Samba server in an AD domain using a graphical interface and SADMS

    Perhaps, at home or in a hurry, you will want to perform all these operations in graphical mode. For this purpose there is the SADMS package, which is described on the Ubuntu website; the package's own site has full details and the download. Let's look at the package interface:

    Fig. 1. General view of the main tab.

    The winbind, smb and nmb statuses are displayed here, and there is an indication of the computer connecting to the domain.

    Fig. 2. Starting smb and nmb.

    Fig. 3. Tab "Data".

    Here we must specify the data that will be used to connect to the domain. By default the fields are filled with example values from the developers. The developers of the package are French, so don't be confused by examples like "administrateur" instead of the usual "Administrator".

    Fig. 4. Automatic capture of some parameters.

    Click "Define" and some of the parameters are picked up automatically. The rest will have to be filled in manually. All of these parameters were used during configuration from the command line.

    Fig. 5. Filling in the remaining fields.

    Fill in the fields. Pay special attention here: Netbios domain name must be written in capital letters, otherwise we get a Kerberos error, as it turned out in this case. If everything is filled out correctly, click on “Install” - and SADMS includes the machine in the domain.

    Fig. 6. The machine is successfully included in the domain.

    Fig. 7. The menu "Checks".

    From the “Checks” menu we can perform tests on various operations. You can also run all tests from the command line, as described previously.

    Fig. 8. An example of the output of a test for domain membership.

    Fig. 9. Network test results.

    Fig. 10. Checking the availability of the machine on the domain controller.

    The server is in the list of domain machines along with our other servers.
    So, we looked at installing Samba and joining it to a domain, using both the command line and the graphical interface. Using the graphical interface can significantly speed up and simplify the setup, but at the same time it does not let you understand the whole mechanics of the process and can seriously complicate troubleshooting. On the other hand, the CLI (command line interface), although it gives absolute control over everything, is much less friendly to the user and assumes some working skills. Which way to use is up to you.
