This is a only version

Found at: raymii.org:70/SAMBA_Share_with_Active_Directory_Login_on_Ubuntu_12.04.txt

This is a text-only version of the following page on https://raymii.org:
Title       : 	Samba Shares with Active Directory Login on Ubuntu 12.04
Author      : 	Remy van Elst
Date        : 	27-06-2013
URL         : 	https://raymii.org/s/tutorials/SAMBA_Share_with_Active_Directory_Login_on_Ubuntu_12.04.html
Format      : 	Markdown/HTML
This tutorial shows you how to set up a SAMBA server which authenticates all
users to an Active Directory, including group based permissions. It uses Samba,
Winbind, Kerberos and nsswitch. This allows you to have a Linux machine serving
files via SMB, where your authentication and autorization for the files and
folders is done via Active Directory.

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days.

We are actually doing two things, we bind a Linux machine to the Active
Directory (but we disable shell access for the users), and we then configure
Samba to accept these users to the shares we set up.
### Introduction
The data used in this tutorial:
  * Active Directory Domain: example.org
  * Realm/workgroup: example
  * Active Directory Server IP: (Also DNS and NTP)
  * Share 1: Marketing 
    * Allowed AD group: marketing
  * Share 2: Research 
    * Allowed AD groups: research, development
  * Share 3: Dropbox 
    * Allowed AD groups: Everyone with a domain account, Domain Users.
  * Share 4: CEO 
    * Allowed AD users: CEO.
This setup is tested with the following software:
  * Ubuntu 12.04
  * Samba 3.6.3
  * Active Directory on Windows Server 2008 mixed with Windows Server 2012.
  * Active Directory on Windows Server 2003 mixed with Windows Server 2008.
### Overview
A summary of the steps we are going to do:
  * Install Packages
  * Configure NTP & DNS
  * Configure Kerberos
  * Configure nsswitch
  * Configure Samba
  * Join the Domain
  * Configure Samba shares
  * Test the setup
You need to have a privileged account to join the Active Directory Domain.
### Install Packages
On a freshly installed Ubuntu Server 12.04 we need to install the following
packages to get started:
    apt-get install ntp krb5-user samba smbfs smbclient winbind
krb5, Kerberos will ask some questions about your domain and a privileged user.
You can enter through this, we are going to put our own config files.
### Configure NTP & DNS
Active Directory (Kerberos in general) is very picky about the system time, so
configure NTP to sync the time against your Active Directory NTP server. Edit
Now also edit your `/etc/resolv.conf` (or `/etc/network/interfaces`) file and
change the DNS to your Active Directory DNS servers:
    # /etc/resolv.conf
    search example.org
    # /etc/network/interfaces
    iface eth0 inet static
        dns-search example.org
We do this because Active Directory uses DNS for a lot of things. You can also
setup your standard DNS servers to use an Active Directory DNS server as first
### Configure Kerberos
What is Kerberos?
    Kerberos is a computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a clientserver model and it provides mutual authenticationboth the user and the server verify each other's identity.
[A good article on how Kerberos is used in Active Directory can be found here:
We need to set up Kerberos so that we can bind our machine against Active
Directory and let users access the Samba share via the AD. Edit the
`/etc/krb5.conf` file, remove everything and place the following in it, changing
the `EXAMPLE.ORG` domain to your own Active Directory Domain:
      ticket_lifetime = 24h
      default_realm = EXAMPLE.ORG
      forwardable = true
      EXAMPLE.ORG = {
        kdc =
        default_domain = EXAMPLE.ORG
      .example.org = EXAMPLE.ORG
      example.org = EXAMPLE.ORG
      profile = /etc/krb5kdc/kdc.conf
      pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmin.log
      default = FILE:/var/log/krb5lib.log
We are now going to test Kerberos by getting a ticket for the Active Directory
Administrator User. Make sure you have the password ready:
    kinit Administrator
    Password for Administrator@EXAMPLE.ORG:
Now we check if we got a valid ticket:
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrator@EXAMPLE.ORG
    Valid starting    Expires           Service principal
    27/06/2013 07:17  27/06/2013 17:17  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
            renew until 28/06/2013 07:17
If this is not correct, check your Kerberos and DNS and NTP (time) settings and
try again.
### Configure nsswitch
nsswitch is used to tell the system that the Active Directory users are also
valid users. We are going to configure it to also accept winbind users, which is
what Samba uses after it has bound to the domain.
Edit the `/etc/nsswitch.conf` and change the `passwd`, `shadow` and `group`
lines to look like this:
    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat winbind
Note that this might not work for you. If you have issues with the users later
on, change these lines to this:
     passwd:            files winbind
     shadow:            files winbind
     group:             files winbind
[The NetBSD man page explains more than the Ubuntu man page: http://www.daemon-
### Configure Samba (#1)
Now we need to set up Samba to also support the domain. Edit
`/etc/samba/smb.conf` and remove everything, then place the following in it:
        # No .tld
        workgroup = EXAMPLE
        # Active Directory System
        security = ads
        # With .tld
        realm = EXAMPLE.ORG
        # Just a member server
        domain master = no
        local master = no
        preferred master = no
        # Disable printing error log messages when CUPS is not installed.
        printcap name = /etc/printcap
        load printers = no
        # Works both in samba 3.2 and 3.6.        
        idmap backend = tdb
        idmap uid = 10000-99999
        idmap gid = 10000-99999
        # no .tld
        idmap config EXAMPLE:backend = rid
        idmap config EXAMPLE:range = 10000-9999
        winbind enum users = yes
        winbind enum groups = yes
        # This way users log in with username instead of username@example.org
        winbind use default domain = yes
        # Inherit groups in groups
        winbind nested groups = yes
        winbind refresh tickets = yes
        winbind offline logon = true
        # Becomes /home/example/username
        template homedir = /home/%D/%U
        # No shell access
        template shell = /bin/false
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        restrict anonymous = 2
        log file = /var/log/samba/samba.log
        log level = 2
Save the file and restart all the daemons:
    /etc/init.d/winbind restart
    /etc/init.d/nmbd restart
    /etc/init.d/smbd restart
### Join the domain
Make sure you still have a valid Kerberos ticket. If not, do a new `kinit
Administrator`. Then execute the following command:
    net ads join -U administrator
Output is like this:
    Enter Administrator's password:
    Using short domain name -- EXAMPLE
    Joined 'HOSTNAME' to realm 'Example.org'
    DNS Update for hostname.example.org failed: ERROR_DNS_GSS_ERROR
    DNS update failed!
The DNS error can be ignored, make sure you create an A record and a PTR record
Restart all the daemons again:
    /etc/init.d/winbind restart
    /etc/init.d/nmbd restart
    /etc/init.d/smbd restart
Also update PAM:
Now see if you can list the domain users and groups:
    wbinfo -u # lists all the users in the domain
    wbinfo -g # lists all the groups in the domain
And also check if winbind and nsswitch are correctly working:
    getent passwd # should return a list with all users on the local system and from the active directory
    getent group # should return a list with all groups and their members, both from the local system and the active directory
If this does not work, go back to the nsswitch configuration section and change
the `compat` to `files`.
### Configure Samba (#2): Shares
This setup reflects an average business. Two departments with their own share,
and one dump folder for everyone. And a folder for the CEO so that he feels
special. Do note that it is a good idea to clean the Dropbox every night with a
cronjob, but let your users know that that happens.
We are going to create the shares. First create the folders on the system:
    mkdir -p /sharing/{marketing,research,ceo,dropbox}
    chmod -R 0770 /sharing/
    chgrp -R "Domain Users" /sharing/
Add the shares to `/etc/samba/smb.conf`:
        comment = Marketing
        path = /sharing/marketing/
        valid users = @EXAMPLE\marketing
        force group = marketing
        writable = yes
        read only = no
        force create mode = 0660
        create mask = 0777
        directory mask = 0777
        force directory mode = 0770
        access based share enum = yes
        hide unreadable = yes
        comment = Research
        path = /sharing/research
        valid users = @EXAMPLE\development, @EXAMPLE\research
        force group = "domain users"
        writable = yes
        read only = no
        force create mode = 0660
        create mask = 0777
        directory mask = 0777
        force directory mode = 0770
        access based share enum = yes
        hide unreadable = yes
        comment = Daily Emptied Dropbox
        path = /sharing/dropbox
        valid users = "@EXAMPLE\Domain Users"
        force group = "domain users"
        writable = yes
        read only = no
        force create mode = 0660
        create mask = 0777
        directory mask = 0777
        force directory mode = 0770
        access based share enum = yes
        hide unreadable = yes
        comment = CEO Only
        path = /sharing/ceo
        valid users = EXAMPLE\ceo
        force group = "domain users"
        writable = yes
        read only = no
        force create mode = 0660
        create mask = 0777
        directory mask = 0777
        force directory mode = 0770
        access based share enum = yes
        hide unreadable = yes
As you can see, an active directory group is defined with an `@`, and a user
without. Also, when there are spaces in the groupname, you escape that with
quotes: `"@EXAMPLE\Domain Users"`.
[You can find a lot of information on the smb.conf file in the man page:
[Why do we force the mode on files and folders? Because of problems with MS
word, according to the Samba documentation: https://www.samba.org/samba/docs/man
Afterwards restart samba:
    /etc/init.d/smbd restart
### Testing it
Create a few accounts in the groups used (set expiry date to 1 day so you don't
forget to remove them) and use those accounts to test the shares. Create files
and folders as one user, try to edit and remove them as another user. Also try
to access the shares with a non-privileged user.
If you run into errors, check your log files in `/var/log/samba`. Make sure that
the capitalization and spelling is correct in the `valid users` part of the
samba config file, and also check the permissions on the folders themselves with
`ls -la`. You can set `valid users = any` to make check if there are errors or
not. The `testparm` command is also very helpful for the samba config file part.
   [1]: https://www.digitalocean.com/?refcode=7435ae6b8212
   [2]: http://technet.microsoft.com/en-us/library/bb742516.aspx
   [3]: http://www.daemon-systems.org/man/nsswitch.conf.5.html
   [4]: https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
   [5]: https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id2615334
All the text on this website is free as in freedom unless stated otherwise. 
This means you can use it in any way you want, you can copy it, change it 
the way you like and republish it, as long as you release the (modified) 
content under the same license to give others the same freedoms you've got 
and place my name and a link to this site with the article as source.
This site uses Google Analytics for statistics and Google Adwords for 
advertisements. You are tracked and Google knows everything about you. 
Use an adblocker like ublock-origin if you don't want it.
All the code on this website is licensed under the GNU GPL v3 license 
unless already licensed under a license which does not allows this form 
of licensing or if another license is stated on that page / in that software:
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    GNU General Public License for more details.
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see .
Just to be clear, the information on this website is for meant for educational 
purposes and you use it at your own risk. I do not take responsibility if you 
screw something up. Use common sense, do not 'rm -rf /' as root for example. 
If you have any questions then do not hesitate to contact me.
See https://raymii.org/s/static/About.html for details.