Including Ubuntu-based Samba Server in AD Domain
In our previous work, we examined what Active Directory and Samba are and what are the advantages of their joint work. It also examined the process of building Samba from source and including it in a domain, all from the command line. It should be recognized that building any of the source code is not common practice in modern Linux distributions. More often, repositories are used to install software. This makes the installation process more user friendly and simple. Additional packages necessary for the installed software to work can also be automatically involved, which again makes life much easier and eliminates the need to study the lists of necessary pre-installed packages. Currently, there is a tendency to the widespread use of graphical interfaces. You can discuss the pros and cons for a long time, but the fact remains: more and more users and even system administrators prefer to use the GUI for a significant number of tasks. In this article, we will try to consider the process of installing and joining a Samba domain using the command line and repositories, as well as including Samba in a domain using the graphical interface of the SADMS utility.
According to statistics, Openstat Ubuntu is the 4th in the list of the most popular operating systems for web servers, and its popularity is growing rapidly. In our case, this is the Ubuntu Server 12.04 LTS distribution. You can find the distribution on the official Ubuntu website .
To get started, consider enabling a Ubuntu-based server in an AD domain using the command line. The process is described in detail in the documentation on the Ubuntu website .
We will need Kerberos, Samba and Winbind. Before installing them, it is recommended to update the system:
After successfully installing the updates, install Kerberos, Samba and Winbind:
In this command,
krb5-user is the package for the Kerberos protocol, which is used for authentication on Windows;
samba - allows you to become a member of a domain;
winbind - allows you to use a user account from ActiveDirectory.
When using the graphical interface, you can use the Synaptic package manager. It is worth noting that by default in Ubuntu Server 12.04 LTS there is no graphical interface, it can be installed separately if necessary:
After that, you need to configure all the components for working with the domain. The test domain is called LAB.LOCAL, the domain controller is lab-dc1.lab.local, with IP 192.168.7.2, the server name is testubuntu.
First of all, you need to configure DNS on the host running Ubuntu (the domain controller will be the DNS server), and also register the correct search domain. To do this, edit the /etc/resolv.conf file so that it contains the following information:
To apply the changes, you must restart the network service:
You should also make sure that the server name in the / etc / hostname file is correct:
The next step is to configure time synchronization with the domain controller. It is very important not to forget about this moment, because if the time difference is more than five minutes, we will not be able to receive a ticket from Kerberos.
If the network has an exact time server, then you can use it or any public one:
Automatic synchronization is configured using ntpd, this daemon will periodically synchronize. First you need to install it:
Now you need to make changes to the file
Then you need to restart the daemon
The next step is to configure authorization through the Kerberos protocol. You will need to edit the file
At this stage, you can verify that we can log in to the domain. To do this, use the following command:
Instead
If the command did not lead to errors, then everything is correct and the domain will give you a Kerberos ticket. You can verify that the ticket has been received by running the command:
You can delete all tickets with the command
So, we will consider that authorization was successful; it's time to configure the domain entry directly.
Another file that interests us is
After editing
She will check the configuration for errors and give a summary of it:
Apparently, the correct parameters were set for the computer to become a member of the domain. Now it's time to try to directly enter the domain. To do this, use the following command:
And if successful, the command output should be something like this:
If there are no more messages, then everything went well.
Try using ping by name from another member of the domain to make sure that everything worked properly in the domain.
You can also use the command
If there are no problems, the output of the command will be as follows:
But sometimes, after a message about joining a domain, this error appears:
Before figuring out why DNS is not updated, restart your computer after entering the domain! It is possible that this will solve the problem.
If this does not help, it is recommended that you check the DNS settings again: with a high degree of probability the reason will be in them. After that, you need to remove the computer from the domain and try to repeat the process again.
If everything went without errors, then the computer is successfully included in the domain. You can go to the domain controller and verify this.
If you need to somehow work with domain users, for example, configure SMB balls with access control, then in addition to Samba itself, you will also need Winbind, a special daemon that serves to connect the local Linux user and group management system to the Active Directory server.
Simply put, Winbind is needed if you want to see domain users on your computer with Ubuntu.
Winbind allows you to project all users and all AD groups into your Linux system by assigning them IDs from a given range. Thus, you can designate domain users as owners of folders and files on your computer and perform any other operations related to users and groups.
All the same file is used to configure Winbind
Now restart the Winbind and Samba daemon in the following order:
After the restart, verify that Winbind has established trust with the AD command
and also that Winbind saw users and groups from AD, with commands
These two teams should list the users and groups from the domain, respectively.
So, Winbind works, but it is not yet integrated into the system.
In order for your Ubuntu to transparently work with domain users (in particular, so that you can designate domain users as the owners of folders and files), you must tell Ubuntu to use Winbind as an additional source of information about users and groups.
To do this, change the two lines in the file
adding winbind to them at the end:
Now check that Ubuntu is asking Winbind for user and group information by doing
The first command should return to you the entire contents of your file
Perhaps, say at home or in a hurry, you will want to perform all these manipulations in graphical mode. For these purposes, there is a SADMS package, about which there is information on the Ubuntu website . And on the site you can find out everything about this package and download it. Let's look at the package interface:
Fig. 1. General view of the main tab.
The winbind, smb and nmb statuses are displayed here, and there is an indication of the computer connecting to the domain.
Fig. 2. Starting smb and nmb.
Fig. 3. Tab "Data".
Here we must specify the data that will be used to connect to the domain. By default, the fields are filled out by developers, for example. The developers of the package are French, so don't be confused by examples like "administrateur" instead of the usual "Administrator".
Fig. 4. Automatic capture of some parameters.
We click on "Define" - and some of the parameters are picked up automatically. The rest will have to be filled in manually. All these parameters were used during configuration from the command line.
Fig. 5. Filling in the remaining fields.
Fill in the fields. Pay special attention here: Netbios domain name must be written in capital letters, otherwise we get a Kerberos error, as it turned out in this case. If everything is filled out correctly, click on “Install” - and SADMS includes the machine in the domain.
Fig. 6. The machine is successfully included in the domain.
Fig. 7. The menu "Checks".
From the “Checks” menu we can perform tests on various operations. You can also run all tests from the command line, as described previously.
Fig. 8. An example of the output of a test for domain membership.
Fig. 9. Network test results.
Fig. 10. Checking the availability of the machine on the domain controller.
The server is in the list of domain machines along with our other servers.
So, we looked at installing Samba and including it in a domain - using both the command line and the graphical interface. Using the graphical interface can significantly speed up and simplify the setup, but at the same time it does not allow to understand the whole mechanics of the process, and can also seriously complicate the process of finding errors. On the other hand, the CLI (Command Line Interface), although it provides absolute control over everything, is much less friendly to the user and implies that he has some working skills. Which way to use is up to you.
According to statistics, Openstat Ubuntu is the 4th in the list of the most popular operating systems for web servers, and its popularity is growing rapidly. In our case, this is the Ubuntu Server 12.04 LTS distribution. You can find the distribution on the official Ubuntu website .
1.Inclusion of a Ubuntu-based Samba server in an AD domain using the command line
To get started, consider enabling a Ubuntu-based server in an AD domain using the command line. The process is described in detail in the documentation on the Ubuntu website .
2. Installing updates and necessary packages.
We will need Kerberos, Samba and Winbind. Before installing them, it is recommended to update the system:
sudo apt-get update
sudo apt-get upgrade
After successfully installing the updates, install Kerberos, Samba and Winbind:
sudo apt-get install install krb5-user samba winbind
In this command,
krb5-user is the package for the Kerberos protocol, which is used for authentication on Windows;
samba - allows you to become a member of a domain;
winbind - allows you to use a user account from ActiveDirectory.
When using the graphical interface, you can use the Synaptic package manager. It is worth noting that by default in Ubuntu Server 12.04 LTS there is no graphical interface, it can be installed separately if necessary:
sudo apt-get install ubuntu-desktop
After that, you need to configure all the components for working with the domain. The test domain is called LAB.LOCAL, the domain controller is lab-dc1.lab.local, with IP 192.168.7.2, the server name is testubuntu.
3.Setup of DNS
First of all, you need to configure DNS on the host running Ubuntu (the domain controller will be the DNS server), and also register the correct search domain. To do this, edit the /etc/resolv.conf file so that it contains the following information:
domain lab.local
search lab.local
nameserver 192.168.7.2
To apply the changes, you must restart the network service:
/etc/init.d/networking restart
You should also make sure that the server name in the / etc / hostname file is correct:
testubuntu
# Имена этого компьютера
127.0.0.1 localhost
127.0.1.1 testubuntu.lab.local testubuntu
4.Setting time synchronization.
The next step is to configure time synchronization with the domain controller. It is very important not to forget about this moment, because if the time difference is more than five minutes, we will not be able to receive a ticket from Kerberos.
If the network has an exact time server, then you can use it or any public one:
ntpdate ntp.mobatime.ru
Automatic synchronization is configured using ntpd, this daemon will periodically synchronize. First you need to install it:
sudo apt-get install ntp
Now you need to make changes to the file
/etc/ntp.conf, adding information about the time server to it:# You do need to talk to an NTP server or two (or three).
server lab-dc1.lab.local
Then you need to restart the daemon
ntpd:sudo /etc/init.d/ntp restart
5. Configure Kerberos.
The next step is to configure authorization through the Kerberos protocol. You will need to edit the file
/etc/krb5.conf. The following is the result of the edits:[libdefaults]
default_realm = LAB.LOCAL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else }
}
fcc-mit-ticketflags = true
[realms]
LAB.LOCAL = {
kdc = lab-dc1
admin_server = lab-dc1
default_domain = LAB.LOCAL
}
[domain_realm]
.lab.local = LAB.LOCAL
lab.local = LAB.LOCAL
[login]
krb4_convert = false
krb4_get_tickets = false
At this stage, you can verify that we can log in to the domain. To do this, use the following command:
kinit user@LAB.LOCAL
Instead
user, of course, you should enter the name of an existing domain user. The domain name must be written in capital letters! If the command did not lead to errors, then everything is correct and the domain will give you a Kerberos ticket. You can verify that the ticket has been received by running the command:
klist
You can delete all tickets with the command
kdestroy
So, we will consider that authorization was successful; it's time to configure the domain entry directly.
Another file that interests us is
/etc/samba/smb.conf. In it we need a section [global]. Below is an example of a portion of a Samba configuration file with comments about the meaning of important parameters:[global]
# Эти две опции нужно писать именно в заглавном регистре, причём workgroup без
# последней секции после точки, а realm - полное имя домена
workgroup = LAB
realm = LAB.LOCAL
# Эти две опции отвечают как раз за авторизацию через AD
security = ADS
encrypt passwords = true
# Просто важные
dns proxy = no
socket options = TCP_NODELAY
# Если вы не хотите, чтобы самба пыталась при случае вылезти в лидеры в домене или рабочей группе,
# или даже стать доменконтроллером, то всегда прописывайте эти пять опций именно в таком виде
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
# Отключить поддержку принтеров
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
After editing
smb.conf, run the commandtestparm
She will check the configuration for errors and give a summary of it:
# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
Apparently, the correct parameters were set for the computer to become a member of the domain. Now it's time to try to directly enter the domain. To do this, use the following command:
net ads join -U admin -D LAB
And if successful, the command output should be something like this:
# net ads join -U admin -D LAB
Enter admin's password:
Using short domain name — LAB
Joined 'testubuntu' to realm 'lab.local'
6.Parameters used by net command
U username%password- a required parameter; instead of admin, you must substitute a username with domain administrator rights and specify a password.D DOMAIN: DOMAIN- the domain itself; it may not be indicated, but it’s better to always do it — it’s so calmer.S win_domain_controller: win_domain_controllercan be omitted, but there are times when the server does not automatically find the domain controller.createcomputer=«OU/OU/…»: AD often uses OU (Organizational Unit), is in the root of the domain OU = Office, it has OU = Cabinet; to immediately add to the desired one, you can specify this:sudo net ads join -U username createcomputer=«Office/Cabinet».
If there are no more messages, then everything went well.
Try using ping by name from another member of the domain to make sure that everything worked properly in the domain.
You can also use the command
net ads testjoin
If there are no problems, the output of the command will be as follows:
#net ads testjoin
Join is OK
But sometimes, after a message about joining a domain, this error appears:
DNS update failed!
Before figuring out why DNS is not updated, restart your computer after entering the domain! It is possible that this will solve the problem.
If this does not help, it is recommended that you check the DNS settings again: with a high degree of probability the reason will be in them. After that, you need to remove the computer from the domain and try to repeat the process again.
If everything went without errors, then the computer is successfully included in the domain. You can go to the domain controller and verify this.
If you need to somehow work with domain users, for example, configure SMB balls with access control, then in addition to Samba itself, you will also need Winbind, a special daemon that serves to connect the local Linux user and group management system to the Active Directory server.
Simply put, Winbind is needed if you want to see domain users on your computer with Ubuntu.
Winbind allows you to project all users and all AD groups into your Linux system by assigning them IDs from a given range. Thus, you can designate domain users as owners of folders and files on your computer and perform any other operations related to users and groups.
All the same file is used to configure Winbind
/etc/samba/smb.conf. Add the [global]following lines to the section :# Опции сопоставления доменных пользователей и виртуальных пользователей в системе через Winbind.
# Диапазоны идентификаторов для виртуальных пользователей и групп.
idmap uid = 10000 - 40000
idmap gid = 10000 - 40000
# Эти опции не стоит выключать.
winbind enum groups = yes
winbind enum users = yes
# Использовать домен по умолчанию для имён пользователей. Без этой опции имена пользователей и групп
# будут использоваться с доменом, т.е. вместо user - DOMAIN\user.
# Возможно именно это вам и нужно, однако обычно проще этот параметр включить.
winbind use default domain = yes
# Если вы хотите разрещить использовать командную строку для пользователей домена, то
# добавьте следующую строку, иначе в качестве shell'а будет вызываться /bin/false
template shell = /bin/bash
# Для автоматического обновления билета Kerberos модулем pam_winbind.so нужно добавить строчку
winbind refresh tickets = yes
Now restart the Winbind and Samba daemon in the following order:
sudo /etc/init.d/winbind stop
sudo smbd restart
sudo /etc/init.d/winbind start
After the restart, verify that Winbind has established trust with the AD command
# wbinfo -t
and also that Winbind saw users and groups from AD, with commands
wbinfo -u
wbinfo -g
These two teams should list the users and groups from the domain, respectively.
So, Winbind works, but it is not yet integrated into the system.
In order for your Ubuntu to transparently work with domain users (in particular, so that you can designate domain users as the owners of folders and files), you must tell Ubuntu to use Winbind as an additional source of information about users and groups.
To do this, change the two lines in the file
/etc/nsswitch.conf:passwd: compat
group: compat
adding winbind to them at the end:
passwd: compat winbind
group: compat winbind
Now check that Ubuntu is asking Winbind for user and group information by doing
getent passwd
getent group
The first command should return to you the entire contents of your file
/etc/passwd, that is, your local users plus domain users with an ID from the smb.conf range you specified . The second should do the same for groups.Incorporation of a Ubuntu-based Samba server into an AD domain using a graphical interface and SADMS.
Perhaps, say at home or in a hurry, you will want to perform all these manipulations in graphical mode. For these purposes, there is a SADMS package, about which there is information on the Ubuntu website . And on the site you can find out everything about this package and download it. Let's look at the package interface:
Fig. 1. General view of the main tab.
The winbind, smb and nmb statuses are displayed here, and there is an indication of the computer connecting to the domain.
Fig. 2. Starting smb and nmb.
Fig. 3. Tab "Data".
Here we must specify the data that will be used to connect to the domain. By default, the fields are filled out by developers, for example. The developers of the package are French, so don't be confused by examples like "administrateur" instead of the usual "Administrator".
Fig. 4. Automatic capture of some parameters.
We click on "Define" - and some of the parameters are picked up automatically. The rest will have to be filled in manually. All these parameters were used during configuration from the command line.
Fig. 5. Filling in the remaining fields.
Fill in the fields. Pay special attention here: Netbios domain name must be written in capital letters, otherwise we get a Kerberos error, as it turned out in this case. If everything is filled out correctly, click on “Install” - and SADMS includes the machine in the domain.
Fig. 6. The machine is successfully included in the domain.
Fig. 7. The menu "Checks".
From the “Checks” menu we can perform tests on various operations. You can also run all tests from the command line, as described previously.
Fig. 8. An example of the output of a test for domain membership.
Fig. 9. Network test results.
Fig. 10. Checking the availability of the machine on the domain controller.
The server is in the list of domain machines along with our other servers.
So, we looked at installing Samba and including it in a domain - using both the command line and the graphical interface. Using the graphical interface can significantly speed up and simplify the setup, but at the same time it does not allow to understand the whole mechanics of the process, and can also seriously complicate the process of finding errors. On the other hand, the CLI (Command Line Interface), although it provides absolute control over everything, is much less friendly to the user and implies that he has some working skills. Which way to use is up to you.