Install Samba Active Directory on Ubuntu 20.04/22.04
Introduction
n
Do you need a centralised User Authentication Server but don't wanna pay additional licensing cost? Samba is a Free and Open Source Solution (FOSS) that can be used to achieve the same. Earlier Samba only had file sharing and printer sharing capabilities, but in Samba 4.0 Active Directory capabilities were introduced.
nn
This tutorial will teach you how to install Samba Active Directory on a Ubuntu Desktop or Server 20.04.
n
Prerequisites
- An Ubuntu 20.04 server. (Server’s name will be ad, the domain will be example.lan, and the IP address is 192.168.21.3).n
- A user account with sudo privileges.n
- A Windows 10 / 11 Pro computer on the same network as the Ubuntu server.n
Set Up Server Hostname
Setup server's identity in the network by assigning server's hostname and FQDN (Fully Qualified Domain Name)
nn
Open Terminal on Ubuntu with ctrl + alt + t shortcut and set hostname with the following command
# set up the hostnamenhostnamectl set-hostname adedit /etc/hosts file using nano text editor
sudo nano /etc/hostsAdd the following lines to the bottom of the file. Save (ctrl + o) and Exit (ctrl + x) the file.
# setup FQDN ad.example.lan n192.168.21.3 ad.example.lan ad
Verify the FQDN of the Samba server
# verify FQDNnhostname -f n# verify FQDN is resolved to the Samba IP addressnping -c3 ad.example.lan
n
Disabling the DNS Resolver
The system-resolved service controls the DNS config and is not suitable for Samba Active Directory. We need to disable system-resolved service and replace the /etc/resolv.conf file
nn
Disable and stop system-resolved service
# stop and disable systemd-resolved servicensudo systemctl disable --now systemd-resolvedRemove the symbolic link to the file /etc/resolv.conf
# remove the symlink file /etc/resolv.confnsudo unlink /etc/resolv.confNow create a new /etc/resolv.conf file
# create a new /etc/resolv.conf filentouch /etc/resolv.confAdd the following lines to /etc/resolv.conf file
# Samba server IP addressnnameserver 192.168.21.3nn# fallback resolvernnameserver 1.1.1.1nn# main domain for Sambansearch example.lan
Make the /etc/resolv.conf file immuatable, meaning that the resolver would not change the file for any reason
# add attribute immutable to the file /etc/resolv.confnsudo chattr +i /etc/resolv.confInstalling Samba
n
Refresh Ubuntu Server's package index
sudo apt updateInstall Samba with all dependencies
sudo apt install -y acl attr samba samba-dsdb-modules samba-vfs-modules smbclient winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-toolsn
In the middle of the installation a pop-up will appear asking for
n
Default Kerberos Version 5 realm: EXAMPLE.LANn
# stop and disable samba services - smbd, nmbd, and winbindnsudo systemctl disable --now smbd nmbd winbindnn
# activate samba-ad-dc servicensudo systemctl unmask samba-ad-dcnn
# enable samba-ad-dc servicensudo systemctl enable samba-ad-dcnn
# backup default Samba configuration filensudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orignn
# provisioning Samba Active Directorynsudo samba-tool domain provisionnn
# rename default Kerberos configuration to krb5.conf.orignsudo mv /etc/krb5.conf /etc/krb5.conf.orignn
# copy the Kerberos configuration generated by the samba-toolnsudo cp /var/lib/samba/private/krb5.conf /etc/krb5.confnn
# start samba-ad-dc servicensudo systemctl start samba-ad-dcnn
# verify samba-ad-dc servicensudo systemctl status samba-ad-dcnn
# allow group _chrony to read the directory ntp_signdnsudo chown root:_chrony /var/lib/samba/ntp_signd/nn
# change the permission of the directory ntp_signdnsudo chmod 750 /var/lib/samba/ntp_signd/nn
# bind the chrony service to IP address of the Samba ADnbindcmdaddress 192.168.21.3nn
# allow clients on the network to connect to the Chrony NTP servernallow 192.168.21.3/24nn
# specify the ntpsigndsocket directory for the Samba ADnntpsigndsocket /var/lib/samba/ntp_signdnn
# restart chronyd servicensudo systemctl restart chronydnn
# verify chronyd service statusnsudo systemctl status chronydnn
# verify domain example.lannhost -t A example.lannn
# verify domain ad.example.lannhost -t A ad.example.lannn
# verify SRV record for _kerberosnhost -t SRV _kerberos._udp.example.lannn
# verify SRV record for _ldapnhost -t SRV _ldap._tcp.example.lannn
# checking available resources on Samba ADnsmbclient -L example.lan -Nnn
# authenticate to Kerberos using administratornkinit administrator@EXAMPLE.LANn
# verify list cached Kerberos ticketsnklistn
# create a new user in Sambansudo samba-tool user create bkm bkm_password22nn
# checking users on Sambansudo samba-tool user list
