Install Samba Active Directory on Ubuntu 20.04/22.04

Introduction


Do you need a centralised user authentication server but don’t want to pay additional licensing costs? Samba is a Free and Open Source Software (FOSS) solution that can do the job. Earlier, Samba only offered file and printer sharing, but Samba 4.0 introduced Active Directory capabilities.


This tutorial will teach you how to install Samba Active Directory on an Ubuntu Desktop or Server 20.04.


Prerequisites

  • An Ubuntu 20.04 server. (The server’s name will be ad, the domain will be example.lan, and the IP address is 192.168.21.3.)
  • A user account with sudo privileges.
  • A Windows 10 / 11 Pro computer on the same network as the Ubuntu server.

Set Up Server Hostname

Set up the server’s identity on the network by assigning its hostname and FQDN (Fully Qualified Domain Name).


Open a terminal on Ubuntu with the ctrl + alt + t shortcut and set the hostname with the following command (changing the hostname requires root privileges, hence sudo):

# set up the hostname
sudo hostnamectl set-hostname ad

Edit the /etc/hosts file using the nano text editor:

sudo nano /etc/hosts

Add the following line to the bottom of the file, then save (ctrl + o) and exit (ctrl + x).

# setup FQDN ad.example.lan
192.168.21.3    ad.example.lan    ad

Verify the FQDN of the Samba server and that it resolves to the server’s IP address:

# verify FQDN
hostname -f

# verify FQDN is resolved to the Samba IP address
ping -c3 ad.example.lan


Disabling the DNS Resolver

The systemd-resolved service controls the DNS configuration and is not suitable for Samba Active Directory, which provides its own DNS server. We need to disable the systemd-resolved service and replace the /etc/resolv.conf file.


Disable and stop the systemd-resolved service:

# stop and disable systemd-resolved service
sudo systemctl disable --now systemd-resolved

Remove the symbolic link /etc/resolv.conf (it points at the file managed by systemd-resolved):

# remove the symlink file /etc/resolv.conf
sudo unlink /etc/resolv.conf

Now create a new /etc/resolv.conf file (this needs root privileges, hence sudo):

# create a new /etc/resolv.conf file
sudo touch /etc/resolv.conf

Add the following lines to the /etc/resolv.conf file (edit it with sudo nano /etc/resolv.conf). The Samba server must be listed first, so that the domain’s own DNS is always consulted before the fallback resolver:

# Samba server IP address
nameserver 192.168.21.3

# fallback resolver
nameserver 1.1.1.1

# main domain for Samba
search example.lan

Make the /etc/resolv.conf file immutable, so that no service can modify or replace it for any reason:

# add attribute immutable to the file /etc/resolv.conf
sudo chattr +i /etc/resolv.conf

Installing Samba


Refresh the Ubuntu server’s package index:

sudo apt update

Install Samba with all dependencies:

sudo apt install -y acl attr samba samba-dsdb-modules samba-vfs-modules smbclient winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools

In the middle of the installation a prompt will appear asking for the default Kerberos version 5 realm. Enter:

Default Kerberos Version 5 realm: EXAMPLE.LAN

Once the packages are installed, stop and disable the standalone Samba services, enable the Active Directory Domain Controller service and provision the domain:

# stop and disable samba services - smbd, nmbd, and winbind
sudo systemctl disable --now smbd nmbd winbind

# activate samba-ad-dc service
sudo systemctl unmask samba-ad-dc

# enable samba-ad-dc service
sudo systemctl enable samba-ad-dc

# backup default Samba configuration file
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

# provisioning Samba Active Directory
sudo samba-tool domain provision

The provisioning command runs interactively: answer its prompts (realm EXAMPLE.LAN, domain, server role, DNS backend, DNS forwarder) and choose an Administrator password that meets the domain’s default complexity policy. Then install the Kerberos configuration that samba-tool generated and start the domain controller:

# rename default Kerberos configuration to krb5.conf.orig
sudo mv /etc/krb5.conf /etc/krb5.conf.orig

# copy the Kerberos configuration generated by the samba-tool
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

# start samba-ad-dc service
sudo systemctl start samba-ad-dc

# verify samba-ad-dc service
sudo systemctl status samba-ad-dc

Domain members expect signed NTP replies from the domain controller; Samba provides them through the ntp_signd socket, so give chrony access to that directory:

# allow group _chrony to read the directory ntp_signd
sudo chown root:_chrony /var/lib/samba/ntp_signd/

# change the permission of the directory ntp_signd
sudo chmod 750 /var/lib/samba/ntp_signd/

Add the following directives to the chrony configuration file (/etc/chrony/chrony.conf on Ubuntu):

# bind the chrony service to IP address of the Samba AD
bindcmdaddress 192.168.21.3

# allow clients on the network to connect to the Chrony NTP server
allow 192.168.21.3/24

# specify the ntpsigndsocket directory for the Samba AD
ntpsigndsocket /var/lib/samba/ntp_signd

Restart chrony and check that it is running:

# restart chronyd service
sudo systemctl restart chronyd

# verify chronyd service status
sudo systemctl status chronyd

Verify that Samba’s DNS answers for the domain and the domain controller, and that the Kerberos and LDAP service (SRV) records that domain members rely on to locate the controller exist:

# verify domain example.lan
host -t A example.lan

# verify domain ad.example.lan
host -t A ad.example.lan

# verify SRV record for _kerberos
host -t SRV _kerberos._udp.example.lan

# verify SRV record for _ldap
host -t SRV _ldap._tcp.example.lan

List the shares offered by the domain controller, then obtain a Kerberos ticket as the domain administrator and confirm it is cached:

# check available resources on Samba AD
smbclient -L example.lan -N

# authenticate to Kerberos using administrator
kinit administrator@EXAMPLE.LAN

# list cached Kerberos tickets
klist

Finally, create a test user and list the domain’s users:

# create a new user in Samba
sudo samba-tool user create bkm bkm_password22

# check users on Samba
sudo samba-tool user list
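Once the steps above are complete, a script like the following (an added example written for this page, not code from the original post) checks the outcomes the tutorial verifies by hand: that /etc/resolv.conf lists the domain controller first and is immutable, that samba-ad-dc is running, and that the A and SRV records resolve to the controller. It assumes the tutorial’s values (ad.example.lan, 192.168.21.3, example.lan) and its function names are mine; the parsers are fed constructed `host` output so they can be exercised offline, while `run_live` runs the same checks against the real system.

```shell
#!/bin/sh
# Post-provision health check for the domain controller built above (added example,
# not part of the original post). Assumed values follow the tutorial: DC FQDN
# ad.example.lan, IP 192.168.21.3, domain example.lan; the function names are mine.
DC_FQDN="ad.example.lan"
DC_IP="192.168.21.3"
DOMAIN="example.lan"

# Constructed sample output, in the format `host` prints on a healthy DC, so the
# parsers below can be exercised offline.
SAMPLE_A='ad.example.lan has address 192.168.21.3'
SAMPLE_SRV_KRB='_kerberos._udp.example.lan has SRV record 0 100 88 ad.example.lan.'
SAMPLE_SRV_LDAP='_ldap._tcp.example.lan has SRV record 0 100 389 ad.example.lan.'

# The DC must ask its own DNS first (the fallback resolver is only for forwarding)
# and the search domain must be the AD domain; only the first nameserver counts.
check_resolv() {   # $1 = path to a resolv.conf
    first_ns=$(awk '$1=="nameserver"{print $2; exit}' "$1")
    search=$(awk '$1=="search"{print $2; exit}' "$1")
    [ "$first_ns" = "$DC_IP" ] && [ "$search" = "$DOMAIN" ]
}

# `host -t A` must resolve the name to the DC address.
check_a() {        # $1 = output of `host -t A <name>`
    printf '%s\n' "$1" | grep -q "has address $DC_IP\$"
}

# `host -t SRV` prints "<name> has SRV record <prio> <weight> <port> <target>.";
# at least one record must point at the DC on the expected port.
check_srv() {      # $1 = output of `host -t SRV <name>`, $2 = expected port
    printf '%s\n' "$1" | awk -v target="$DC_FQDN." -v port="$2" '
        $3 == "SRV" && $(NF-1) == port && $NF == target { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Run every check against the live system; each line names the step that failed.
run_live() {
    check_resolv /etc/resolv.conf              || { echo "resolv.conf: wrong nameserver/search"; return 1; }
    lsattr /etc/resolv.conf | awk '{print $1}' | grep -q i \
                                               || { echo "resolv.conf: not immutable"; return 1; }
    systemctl is-active --quiet samba-ad-dc    || { echo "samba-ad-dc: not running"; return 1; }
    check_a "$(host -t A "$DC_FQDN")"          || { echo "DNS: A record for $DC_FQDN missing"; return 1; }
    check_srv "$(host -t SRV "_kerberos._udp.$DOMAIN")" 88 \
                                               || { echo "DNS: Kerberos SRV record missing"; return 1; }
    check_srv "$(host -t SRV "_ldap._tcp.$DOMAIN")" 389 \
                                               || { echo "DNS: LDAP SRV record missing"; return 1; }
    echo "all checks passed"
}

if [ "${1:-}" = "--live" ]; then run_live; fi   # without --live the file only defines the checks
```

Run it on the domain controller with the --live argument after provisioning; the first failing check is reported and the script stops there.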
