Active Directory Authenticated CIFS(Samba) File Sharing w/Ubuntu 20.04

A while back, we looked at setting up a CentOS 8 CIFS file server with Active Directory Authentication. This blog will go through the same exercise, except using Ubuntu Linux 20.04 LTS. While there are many approaches to making this setup work, we will look at using winbind authentication with Samba.

 

  

ACTIVE DIRECTORY AUTHENTICATED CIFS (SAMBA) FILE SHARING WT UBUNTU LINUX 20.04

 

Notes

In the examples shown below the following assumptions are made:

  1. DNS for the Active Directory Domain is properly working and is used by the Ubuntu system being joined to the Domain.
  2. The Active Directory domain name is: contoso.com
  3. The Active Directory short domain name is: CONTOSO
  4. The Active Directory Domain Controllers are: addc1.contoso.com, addc2.contoso.com, addc3.contoso.com
  5. The account Administrator@contoso.com has Domain Admin rights
  6. The accounts username1 and username2 are both in Active Directory as regular users
  7. /shares/test is a test share that username2 and username2 are allowed to connect to

 

Getting Started

To start, we need access to Microsoft Active Directory Domain Controllers. This can be through Azure Active Directory Domain Services and a working connection (including proper DNS) to the provisioned DCs or with on-premises DCs. In our examples, we will use DCs that provide DNS for the subnet hosting the Ubuntu 20.04 file server.

 

In addition to the Microsoft requirements above, we also need the Ubuntu Linux server. This can be either a physical or virtual system. We will use a virtual Ubuntu 20.04 basic server install with no optional packages added. Then always make sure to start with a fully patched system, which can be done with:

sudo apt update

sudo apt upgrade

 

If kernel updates are installed from the command above, the server should be rebooted before proceeding further.

We need to install the following packages:

sudo apt install samba samba-common samba-dsdb-modules \

samba-vfs-modules winbind libnss-winbind libpam-winbind \

krb5-config

 

Also, install any dependencies apt asks for. We will automatically get a configuration wizard:

 

Package Configuration

 

Now we are ready to configure Kerberos. The /etc/krb5.conf file should look like this:

 

[logging]

          default = FILE:/var/log/krb5libs.log

          kdc = FILE:/var/log/krb5kdc.log

          admin_server = FILE:/var/log/kadmind.log

 

[libdefaults]

          dns_lookup_realm = false

          dns_lookup_kdc = true

          ticket_lifetime = 24h

          renew_lifetime = 7d

          forwardable = true

          rdns = false

          spake_preauth_groups = edwards25519

          default_realm = CONTOSO.COM

          default_ccache_name = KEYRING:persistent:%{uid}

     pkinit_anchors = FILE:/etc/ssl/certs/ca-certificates.crt

 

[realms]

          CONTOSO.COM = {

                   kdc = addc1.contoso.com

                   kdc = addc2.contoso.com

                   kdc = addc3.contoso.com

                   default_domain = contoso.com

          }

 

[domain_realm]

          .contoso.com = CONTOSO.COM

          contoso.com = CONTOSO.COM

 

[plugins]

          localauth = {

                   module = winbind:/usr/lib/x86_64-linux-gnu/samba/krb5/winbind_krb5_locator.so

                   enable_only = winbind

          }

 

sudo mv /etc/krb5.conf /etc/krb5.conf.orig

sudo vi /etc/krb5.conf

 

Next, we want to configure Samba, and Winbind. The configuration file should be similar to this:

[global]

   log level = 0

   socket options = TCP_NODELAY

   winbind enum users = yes

   winbind enum groups = yes

   winbind refresh tickets = yes

   winbind use default domain = yes

   winbind offline logon = yes

   vfs objects = acl_xattr

   map acl inherit = yes

   store dos attributes = yes

   os level = 20

   preferred master = no

   winbind separator = +

   max log size = 50

   log file = /var/log/samba/log.%m

   dns proxy = no

 security = ads

   wins server = addc1.contoso.com

   wins proxy = no

   idmap config *:backend = tdb

   idmap config * : range = 3000-7999

   idmap config CONTOSO : backend = rid

   idmap config CONTOSO : schema_mode = rfc2307

   idmap config CONTOSO : range = 10000-9999999

   idmap config CONTOSO : unix_nss_info = yes

   idmap config CONTOSO : unix_primary_group = yes

   kerberos method = secrets and keytab

   dedicated keytab file = /etc/krb5.keytab

   realm = CONTOSO.COM

   workgroup = CONTOSO

   password server = addc1.contoso.com

   load printers = no

   printing = bsd

   printcap name = /dev/null

   disable spoolss = yes

 

[testshare]

   comment = Test Share

   path = /shares/test

   browseable = yes

   read only = no

   inherit acls = yes

   inherit permissions = yes

   create mask = 700

   directory mask = 700

   valid users = @"CONTOSO+Domain Users" CONTOSO+username1 CONTOSO+username2

   admin users = @"CONTOSO+Domain Admins"

 

To configure Samba and Winbind:

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

sudo vi /etc/samba/smb.conf

 

We should also make sure our testshare folder exists:

sudo mkdir -p /shares/test

 

Next, we need to edit /etc/nsswitch.conf

sudo vi /etc/nsswitch.conf

 

Edit the passwd: and group: lines to look like (adding “winbind” before “systemd”:

passwd:         files winbind systemd

group:         files winbind systemd

 

Now we can join the Active Directory Domain:

sudo net ads join -U Administrator

 

Now start Samba:

sudo systemctl enable --now smbd

sudo systemctl enable –-now nmbd

sudo systemctl enable –-now winbind

 

After Samba is running, we can query AD for user information:

sudo getent passwd "CONTOSO\Administrator"

 

Should return something like:

CONTOSO\administrator:*:2000500:2000513::/home/administrator@CONTOSO:/bin/bash

 

Troubleshooting 

Troubleshooting authentication issues can be particularly frustrating.

  1. In the smb.conf file above increasing the logging level can help pinpoint problems.
    1. You can look at the log in /var/log/samba/log.smbd
  2. Double-check the DNS is correct and the domain controller is resolved properly
  3. Make sure your Ubuntu server is showing up in Active Directory Users and Computers
  4. The file /var/log/secure will show authentication errors
  5. Use the “wbinfo”, "id" and "getent" programs to confirm if account information is passing to the system.

 

If you want to discuss further, contact iuvo Technologies today! 

Subscribe Here For Our Blogs:

Recent Posts

Categories

see all