How to Integrate windows Active Directory and Samba in Ubuntu
Sponsored Link
Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients." Samba is freely available, unlike other SMB/CIFS implementations, and allows for interoperability between Linux/Unix servers and Windows-based clients.
Install samba and kerberos in Ubuntu
sudo aptitude install krb5-user
sudo aptitude install samba smbfs smbclient winbind
Configure samba
Now likewise-open and samba packages use separate secrets.tdb (samba password file) files,We need to create a symlink to be /var/lib/samba
Take a backupof existing file
sudo mv /var/lib/samba/secrets.tdb /var/lib/samba/secrets.tdb.orig
Create a link to /var/lib/samba
sudo ln -s /etc/samba/secrets.tdb /var/lib/samba
Configuring samba and kerberos
Edit /etc/samba/smb.conf file
sudo vi /etc/samba/smb.conf
Note:- replace ug01 netbios name with your own
Change the following parameters
[global]
security = ads
netbios name = ug01
realm = DOMAIN.INTERNAL
password server = domainserver.domain.internal
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
Save and exit the file
Test the configuration with the testparm command
Kerberos Configuration
Edit the /etc/krb5.conf File
sudo vi /etc/krb5.conf
Change the following lines
[logging]
default = FILE10000:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.INTERNAL = {
kdc = domainserver.domain.internal
admin_server = domainserver.domain.internal
default_domain = DOMAIN.INTERNAL}
[domain_realm]
.domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL
Save and exit the file
Configuring nsswitch file
Edit /etc/nsswitch.conf to look like the example below
sudo vi /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Save and exit the file
Modify the PAM settings
- /etc/pam.d/common-account should contain only the following lines
account sufficient pam_winbind.so
account required pam_unix.so
- /etc/pam.d/common-auth should contain only the following lines
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
- Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below
password required pam_unix.so nullok obscure min=4 max=50 md5
- Make sure the /etc/pam.d/common-session file contains the following line
session required pam_mkhomedir.so umask=0022 skel=/etc
Make a directory to hold domain user home directories
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file
mkdir -p /home/DOMAIN
Initialize Kerberos
sudo kinit [email protected]
Note:- write $FQDN_OF_YOUR_DOMAIN in capitals as you did in your krb5.conf file.You can check you’ve obtained your ticket with klist
Next check to be sure you got a ticket from the domain controller
sudo klist
If you didn't add your ubuntu server to windows AD use the following command
net ads join -U Adminstrator@$FQDN_OF_YOUR_DOMAIN
Restart Samba-related Services (Or reboot the server)
Note: If you are stopping and starting services the order is important
sudo /etc/init.d/samba stop
sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba start
sudo /etc/init.d/winbind start
Restart SSH and Test Connectivity
Note: If you rebooted the server in the previous step, just try and login.
sudo /etc/init.d/ssh restart
ssh useraccount@server
If you can login using your active directory username and password then everything is working fine.
Configure SUDO
First you need to create a group in Active Directory called UbuntuAdmins and add the names of people whom you want to be able to use sudo to admin the server.
Next, add the UbuntuAdmins group to the /etc/sudoers so these users can use sudo
%UbuntuAdmins ALL=(ALL) ALL
Useful Commands
List the derived UNIX GID values for Active Directory groups
for gid in $(wbinfo -r <username>); \
do SID=$(wbinfo -G $gid);GROUP=$(wbinfo -s $SID); echo $gid is $GROUP; done
See the Active Directory SID for a particular named user
wbinfo –n <username>
Reference from here
Sorry to be obtuse but:
For the smb.conf you say to change the parameters, but those do not seem to be in the default config. Is that the resulting config, i.e. the whole of smb.conf? I assume we also need to change the DOMAIN values to match our environment?
Similar questions for the krb5.conf file.
Awesome.. I was looking for this nearly for an year now.. Let me give a try in a couple of days. Good Job, keep it up..!!!
Cheers
Ramesh
WOW, something i was searching for long… let me test it
I hope it will work with Readhat LInux also
Regards,
Vinod
Thank you very much for sharing this.
I’ve just followed this instruction to integrate Windows AD with Ubuntu (7.10) but failed.
It won’t let me login after I reboot Ubuntu and always says “Login incorrect”.
Any idea?
Thanks again.
Hi,
You said
Take a backupof existing file
sudo mv /var/lib/samba/secrets.tdb /var/lib/samba/secrets.tdb.orig
Create a link to /var/lib/samba
sudo ln -s /etc/samba/secrets.tdb /var/lib/samba
Could it be possible that the command is “cp” instead of “mv” in the first sudo. Otherwise the next link won’t work either.
Regards,
Bernard Tremblay
Sorry,
I just found out it was OK.
My mistake,
Forget precedent post!
Happy finger triggered too fast…
This is great! It used to be so difficult to get this working in past releases; thanks for researching and showing the simple procedure that works!
I did see one little problem: the “skel” directory is not specified correctly in /etc/pam.d/common-session; it should be:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Otherwise, the newly created home directory is not populated correctly.
A little clarity may be in order here.
As I see it since you only once say to change something you typed:
That indicates to me that everything else is entered verbatim. For example instead of entering my own domain information where you have DOMAIN.INTERNAL, I enter DOMAIN.INTERNAL.
This seems wrong to me. I don’t honestly know how to proceed. It gets more maddening in krb5.conf because: 1. it seems to have been populated with my FQDN where you say I should enter DOMAIN.INTERNAL, 2. you’ve used DOMAIN.INTERNAL and domain.internal
and 3. the some of the lines are only vaguely similar but enough so that I think they suffice for what you say to enter.
So off I go looking for some other tutorial to compare with. I’m sure to be more confused by the end of all this.
To answer my question above, you do indeed need to use your local domain name where DOMAIN.INTERNAL is listed. But I can confirm that something after the krb5.conf edits above breaks login for me. I cp’d every file to a .orig file first so it was easy to revert.
I followed the procedure, rebooted the server.
I try and log in as a user and get the message that my password will expire in 9 days (which is correct, my AD password is due to expire).
I click on OK and then get a message: “Incorrect User name or password, letter must be typed in the correct case”
and am back at login.
But I did, AD authenticated, so why am I being blocked?
Hi Everyone,
I picked up an issue when using Likewise-open and the above how-to to get my Samba shares to use ADS integration. It kept on prompting for a password and the ADS usernames did not work!
I am currently running child domains on Server 2003 R2 platform. This changes the ADS schema and the ‘net ads join ….’ command does not allow you to join the domain.
If you used Likewise-open to join the domain. Please use this tutorial:
http://www.likewisesoftware.com/resources/user_documentation/Likewise-Samba-Guide.pdf
You do not need to change the krb5.conf, nsswith.conf or the PAM authentication config files at all!
I hope this saves someone from the late nights I went through to find it.
Regards,
Craig
# Ken Leja Says: Your comment is awaiting moderation.
January 12th, 2009 at 6:00 am
I was getting the following errors in auth.log and could not login as administrator without getting an error on login “User not known to the underlying authentication module”
auth.log:
Jan 11 22:33:44 myserver login[5180]: pam_winbind(login:auth): getting password (0×00000000)
Jan 11 22:33:44 myserver login[5180]: pam_winbind(login:auth): user ‘ADMINISTRATOR’ granted access
Jan 11 22:33:44 myserver login[5180]: pam_unix(login:account): could not identify user (from getpwnam(administrator))
Jan 11 22:33:44 myserver login[5180]: User not known to the underlying authentication module
This turned out to be an issue with nsswitch.conf so I tweaked it as follows after reading the following HOWTO http://localhost:901/swat/help/Samba3-HOWTO/FastStart.html in SWAT. Change the following lines as shown.
nsswitch.conf:
passwd: compat winbind
group: compat winbind
hosts: files dns wins winbind
My appologies I pasted the wrong text in the previous post.
Very informative article, which I found quite useful. Cheers ,Jay
Thank You!!!, this guide is very simple and usefull, i was trying many days validate samba in W2k8, until found this guide
What is the best way to implement ADS/Samba intergration?
In the nsswitch.conf edits there’s a linebreak problem. Instead of
passwd: compat
winbindgroup: compat winbind
It should read
passwd: compat winbind
group: compat winbind
most of the login incorrect problems reported by the commenters are likely to be caused by this edit problem.
@Amanibhavam
Thankyou i have corrected the problem
You can add
obey pam restrictions = yes
in smb.conf. If you use this, the home directory is created by pam when a user connect to his home directory shared with samba
Sorry for my english.
Will give this a try, thanks again for sharing this great tutorial.=) cheers!
Was trying to get likewise and samba to enable me to share folders to Windows from Ubuntu 12.04 It seems that Ubuntu is not supported (after 11.10)!
Can you offer any suggestions?
Thanks