
Samba4 on Ubuntu 14.04 LTS
Assumptions
IP:     10.10.10.30
Name:   dc1
Realm:  devlab.nt
Work as root; it is easier than prefixing almost every command with sudo.
sudo bash
Let's start by setting a static IP address. Back up the existing interfaces file, then open it for editing
cp /etc/network/interfaces /etc/network/interfaces.orig; nano /etc/network/interfaces
Replace the contents with the following and save the file
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 10.10.10.30
netmask 255.255.255.0
network 10.10.10.0
broadcast 10.10.10.255
gateway 10.10.10.1
dns-nameservers 10.10.10.30 10.10.10.1
dns-search devlab.nt
Change the hostname
echo "dc1" > /etc/hostname
Check the hosts file and adjust it if needed
nano /etc/hosts
Make sure the following entries are present, then save and exit
127.0.0.1 localhost
10.10.10.30 dc1.devlab.nt dc1
Install an NTP server. Correct time is essential in an AD environment: Kerberos rejects tickets from clients whose clocks are more than a few minutes (five by default) off from the DC
apt-get install ntp
Set the clock once before starting ntp; any reachable NTP server will do
service ntp stop; ntpdate -B 0.ubuntu.pool.ntp.org; service ntp start
Enable the mount options Samba needs to store AD permissions as POSIX ACLs and extended attributes on the root file system
nano /etc/fstab
Put the following line in the file, replacing xxxxxxxx with the UUID of your root file system (blkid prints it). The easy way is to copy the existing root line, comment out the original and adjust the copy to match the following
UUID=xxxxxxxx  / ext4 user_xattr,acl,barrier=1,errors=remount-ro,relatime 0 1
Install the acl package, remount the root file system with the new options and reboot to verify that the settings survive a restart
apt-get install acl; mount -o remount /; reboot
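The fstab step is easy to get wrong silently: a missing acl or user_xattr option only shows up later, when Samba cannot write ACLs. The following is an added example, not part of the original tutorial. It fills in the fstab line from the real root UUID, checks that the uncommented root entry in /etc/fstab carries both options, and then proves the file system actually accepts an xattr and an ACL on a scratch file, which is the test that matters. It assumes util-linux's findmnt and the acl and attr packages (setfacl, setfattr) are installed, and must run as root.

```shell
#!/bin/sh
# Added example, not from the original tutorial: fill in the fstab line from the
# real root UUID, confirm the root entry in /etc/fstab carries acl and user_xattr,
# and prove the file system actually accepts an xattr and an ACL, which is what
# Samba relies on. Needs util-linux (findmnt), plus the acl and attr packages
# for the live test.

# The fstab line the tutorial asks for, with the UUID filled in.
fstab_root_line() {
    printf 'UUID=%s  / ext4 user_xattr,acl,barrier=1,errors=remount-ro,relatime 0 1\n' "$1"
}

# Mount options of the first uncommented entry for "/" in an fstab file
# (a commented-out original line, as the tutorial suggests, is skipped).
fstab_root_opts() {
    awk '$1 !~ /^#/ && $2 == "/" { print $4; exit }' "$1"
}

# 0 if the comma-separated option string contains every option named after it.
has_mount_opts() {
    opts="$1"; shift
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Live test on the root file system: set a user xattr and a POSIX ACL on a
# scratch file. The option list shown by mount/findmnt is not reliable for
# this, because ext4 omits options that happen to be kernel defaults.
xattr_acl_work() {
    f=$(mktemp /.samba-fs-test.XXXXXX) || return 1
    rc=0
    setfattr -n user.samba_test -v 1 "$f" 2>/dev/null || rc=1
    setfacl -m u:nobody:r "$f" 2>/dev/null || rc=1
    rm -f "$f"
    return $rc
}

# Run as root on the DC: sh fscheck.sh check
if [ "${1:-}" = "check" ]; then
    echo "suggested fstab line:"; fstab_root_line "$(findmnt -no UUID /)"
    has_mount_opts "$(fstab_root_opts /etc/fstab)" user_xattr acl \
        || { echo "/etc/fstab root entry lacks user_xattr/acl" >&2; exit 1; }
    xattr_acl_work || { echo "xattr/ACL test failed; remount or reboot first" >&2; exit 1; }
    echo "file system ready for provisioning"
fi
```

Run it after the reboot; if the functional test fails even though the fstab line is right, the root file system was not remounted with the new options.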
Now lets install the actual samba and relevant packages
sudo apt-get install samba krb5-user smbclient ldap-utils ldb-tools -y
There will be three questions. The first, the default Kerberos realm, should already be filled in from the DNS search domain; make sure it is the upper-case DEVLAB.NT. Answer the next two as follows

Default Kerberos version 5 realm: DEVLAB.NT
Kerberos servers for your realm: dc1
Administrative server for your Kerberos realm: dc1

Back up the original Samba configuration and provision the domain; a new smb.conf is written during provisioning
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
samba-tool domain provision --use-rfc2307 --realm devlab.nt --domain DEVLAB --adminpass Test123 --server-role=dc --dns-backend=SAMBA_INTERNAL --use-xattrs=yes
Test123 is a throw-away lab password; use a strong one for any domain that outlives this walkthrough.
Note the krb5.conf path in the following line, printed at the end of a successful provision; we need it next
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Put that krb5.conf in place, backing up the original first
mv /etc/krb5.conf /etc/krb5.conf.orig; cp /var/lib/samba/private/krb5.conf /etc/
Or simply symlink it instead
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
Now change the DNS setting so the DC uses only itself (10.10.10.30)
nano /etc/network/interfaces
Remove 10.10.10.1 from the dns-nameservers line, save and exit
Provisioning took the forwarder address from /etc/resolv.conf, so the dns forwarder line in the Samba config currently points at 10.10.10.30, the DC itself. Change it to your ISP's resolver or 8.8.8.8, otherwise lookups for names outside devlab.nt will fail
nano /etc/samba/smb.conf
Setup administrator password to never expire, by default the password will expire in 42 days
samba-tool user setexpiry administrator --noexpiry
Now reboot for the changes to take effect. Restarting the individual services does not always pick everything up, so a reboot is simpler
reboot
Get ticket
kinit administrator
Now create the reverse zone and add the PTR record for dc1; the ticket from kinit authenticates these commands
samba-tool dns zonecreate dc1 10.10.10.in-addr.arpa; samba-tool dns add dc1 10.10.10.in-addr.arpa 30 PTR dc1.devlab.nt.
Reboot again so the new zone is loaded
reboot
Now check DNS by running the following; none of the commands should return an error
host -t A devlab.nt
host -t SRV _ldap._tcp.devlab.nt.
host -t SRV _kerberos._udp.devlab.nt.
host -t A dc1.devlab.nt.
host -t PTR 10.10.10.30
DON'T PROCEED IF YOU GET ANY ERROR FROM THE OUTPUT OF ABOVE COMMANDS
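As an added example (not from the original page), here are the five lookups above as a script that exits non-zero if any answer is wrong, so the DON'T PROCEED rule can gate the rest of a build. The answer check is separate from the lookup so it can be exercised on saved host(1) output; the lookups rely on /etc/resolv.conf pointing at 10.10.10.30 as configured earlier, and the expected answers are the ones this tutorial's addresses imply.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the five DNS checks as a
# script that fails loudly. Relies on /etc/resolv.conf naming the DC
# (10.10.10.30) as resolver, as set up earlier in the walkthrough.

# 0 when a host(1) answer is positive and contains the expected value;
# NXDOMAIN, SERVFAIL, "not found", "has no X record", timeouts and empty
# output all count as failures.
dns_answer_ok() {
    answer="$1"; expected="$2"
    case "$answer" in
        ""|*NXDOMAIN*|*SERVFAIL*|*"not found"*|*"has no "*|*"timed out"*|*"connection refused"*)
            return 1 ;;
    esac
    case "$answer" in
        *"$expected"*) return 0 ;;
        *) return 1 ;;
    esac
}

# One lookup: record type, name, expected answer text.
check_record() {
    rtype="$1"; name="$2"; expected="$3"
    out=$(host -t "$rtype" "$name" 2>&1)
    if dns_answer_ok "$out" "$expected"; then
        echo "ok   $rtype $name"
    else
        echo "FAIL $rtype $name: $out" >&2
        return 1
    fi
}

# The tutorial's five lookups with the answers its addresses imply. Every
# check runs even after a failure so the whole picture is visible.
run_dns_checks() {
    rc=0
    check_record A   devlab.nt                 10.10.10.30   || rc=1
    check_record SRV _ldap._tcp.devlab.nt.     dc1.devlab.nt || rc=1
    check_record SRV _kerberos._udp.devlab.nt. dc1.devlab.nt || rc=1
    check_record A   dc1.devlab.nt.            10.10.10.30   || rc=1
    check_record PTR 10.10.10.30               dc1.devlab.nt || rc=1
    return $rc
}

# Run as: sh dnscheck.sh check  (on the DC, or any host using it as resolver)
if [ "${1:-}" = "check" ]; then
    run_dns_checks || { echo "DNS is not right yet; do not continue" >&2; exit 1; }
fi
```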
Check samba domain setting
smbclient -L localhost -U%
Check the samba connectivity
smbclient //localhost/netlogon -U 'administrator' -c 'ls'
Now create an LDIF file with separate OUs for people, groups and machines
cat << eot > ou.ldif
dn: OU=people,DC=devlab,DC=nt
changetype: add
objectClass: top
objectClass: organizationalunit
description: People OU

dn: OU=groups,DC=devlab,DC=nt
changetype: add
objectClass: top
objectClass: organizationalunit
description: Groups OU

dn: OU=machines,DC=devlab,DC=nt
changetype: add
objectClass: top
objectClass: organizationalunit
description: Machines OU
eot
Now load the LDIF into the directory
ldbmodify -H /var/lib/samba/private/sam.ldb ou.ldif
Create our test user
samba-tool user add rkhan Test123 --userou=ou=people --use-username-as-cn --surname="Khan" --given-name="Ryaz" --mail-address=rkhan@devlab.nt --home-drive=H
Optionally make rkhan domain admin so it can be used for domain join etc.
samba-tool group addmembers 'Domain Admins' rkhan
If the dns forwarder in the Samba configuration still points at the DC itself, change it now; otherwise the DC and the member computers will have no name resolution for the Internet
nano /etc/samba/smb.conf
Set dns forwarder to a working resolver for your environment, save and exit, then reboot so the change takes effect
reboot
If the DNS checks still pass without errors, the forward and reverse zones are working. Now it is time to join machines; don't forget to point each machine's DNS setting at 10.10.10.30

Roaming Profiles

sudo mkdir -m 770 /profiles
sudo chmod g+s /profiles
sudo chown root:users /profiles
Next, append the following to /etc/samba/smb.conf:
cat << EOT >> /etc/samba/smb.conf
[profiles]
        path = /profiles
        read only = no
EOT
Reload the Samba configuration
smbcontrol all reload-config

Administrative commands

View or change the password settings; adjust the values to suit your environment
samba-tool ntacl sysvolreset
smbcontrol all reload-config
samba-tool domain passwordsettings show
samba-tool domain passwordsettings set --help
--complexity
--store-plaintext
--history-length
--min-pwd-length
--min-pwd-age
--max-pwd-age
samba-tool domain passwordsettings set --complexity on
samba-tool domain passwordsettings set --history-length 8
samba-tool domain passwordsettings set --min-pwd-length 10
samba-tool domain passwordsettings set --min-pwd-age 30
samba-tool domain passwordsettings set --max-pwd-age 90
samba-tool domain level raise --domain-level 2008_R2 --forest-level 2008_R2
samba-tool domain level show
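To confirm the policy actually ended up where the commands above put it, here is an added example (not from the original tutorial) that audits the text printed by samba-tool domain passwordsettings show against this tutorial's values. The two sample outputs are constructed to match that command's format; on the DC, run it with the live output as shown at the end.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit the output of
# "samba-tool domain passwordsettings show" against the baseline set above.
# The parser works on text, so it can run on a saved copy of the output.

# Value of a "Label: value" line in the show output (empty if absent).
setting() {
    text="$1"; label="$2"
    printf '%s\n' "$text" | sed -n "s/^$label: *//p" | head -n 1
}

# Print one line per finding and return 1 if anything is weaker than the
# baseline used in this tutorial: complexity on, plaintext off, history >= 8,
# length >= 10, min age >= 1 day, max age 1..90 days (0 means never expires).
audit_password_policy() {
    text="$1"; rc=0
    c=$(setting "$text" "Password complexity")
    [ "$c" = "on" ] || { echo "complexity is '$c', want on"; rc=1; }
    p=$(setting "$text" "Store plaintext passwords")
    [ "$p" = "off" ] || { echo "plaintext storage is '$p', want off"; rc=1; }
    h=$(setting "$text" "Password history length")
    [ "${h:-0}" -ge 8 ] || { echo "history length $h, want >= 8"; rc=1; }
    l=$(setting "$text" "Minimum password length")
    [ "${l:-0}" -ge 10 ] || { echo "min length $l, want >= 10"; rc=1; }
    a=$(setting "$text" "Minimum password age (days)")
    [ "${a:-0}" -ge 1 ] || { echo "min age $a, want >= 1 day"; rc=1; }
    m=$(setting "$text" "Maximum password age (days)")
    if [ "${m:-0}" -lt 1 ] || [ "${m:-0}" -gt 90 ]; then
        echo "max age $m, want 1..90 days"; rc=1
    fi
    return $rc
}

# Constructed sample: what a freshly provisioned domain typically reports.
SAMPLE_DEFAULT="Password informations for domain 'DC=devlab,DC=nt'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42"

# Constructed sample: after the set commands above.
SAMPLE_HARDENED="Password informations for domain 'DC=devlab,DC=nt'

Password complexity: on
Store plaintext passwords: off
Password history length: 8
Minimum password length: 10
Minimum password age (days): 30
Maximum password age (days): 90"

# On the DC: sh pwaudit.sh live
if [ "${1:-}" = "live" ]; then
    audit_password_policy "$(samba-tool domain passwordsettings show)" && echo "policy meets baseline"
fi
```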

LDAP Authentication

Install the packages we need
apt-get install nslcd libsasl2-modules-gssapi-mit kstart
Add service account which will be used for binding AD
samba-tool user create __nslcd__ --random-password
Add a service principal name for this service account
samba-tool spn add nslcd/dc1.devlab.nt __nslcd__
Export keytab for this service account
samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=__nslcd__
Change the permission of new keytab file
chown nslcd:root /etc/krb5.nslcd.keytab; chmod 600 /etc/krb5.nslcd.keytab
Now tell nslcd to use this service account and key on restart
nano /etc/init.d/nslcd
Find K5START_PRINCIPAL and K5START_KEYTAB and comment both line. Now just paste following two lines before K5START_CCFILE line
K5START_KEYTAB=/etc/krb5.nslcd.keytab
K5START_PRINCIPAL="__nslcd__"
Now get ticket for nslcd user and store it in /tmp
k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt
Now configure the nslcd daemon to use the settings above
mv /etc/nslcd.conf /etc/nslcd.conf.orig; nano /etc/nslcd.conf
and paste the following.
# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://dc1.devlab.nt/

# The search base that will be used for all queries. Use the domain root so
# that accounts created in OU=people and OU=groups are found, not only cn=users.
base dc=devlab,dc=nt

# The LDAP protocol version to use.
#ldap_version 3

###################
#Custom AD mappings
###################
#Replace objectSid:... with the domain SID

nss_min_uid 1000
pam_authz_search (!(userAccountControl:1.2.840.113556.1.4.803:=2))

filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd uid sAMAccountName
map passwd uidNumber objectSid:S-1-5-21-2180207617-2439552426-3592756590
map passwd gidNumber primaryGroupID
map passwd homeDirectory "${unixHomeDirectory:-/home/$sAMAccountName}"
map passwd loginShell "${loginShell:-/bin/bash}"

filter shadow (&(objectClass=user)(!(objectClass=computer)))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet

filter group (objectClass=group)
map group cn sAMAccountName
map group gidNumber objectSid:S-1-5-21-2180207617-2439552426-3592756590

#=============================
#       Authentication       #
#=============================

# Simple bind authentication
#binddn cn=nslcd,cn=users,dc=devlab,dc=nt        
#bindpw xxxxx        

# Kerberos authentication
sasl_mech GSSAPI
sasl_realm DEVLAB.NT
krb5_ccname /tmp/nslcd.tkt
Get your domain SID and copy it
net getlocalsid devlab
Now edit nslcd.conf and replace the SID in the two objectSid mappings with your own
nano /etc/nslcd.conf
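Two of the steps above are easy to fumble: pasting the SID into nslcd.conf and leaving the keytab readable by others. The following is an added example, not part of the original page. It does the substitution with a format check on the SID (a stray error message or a builtin SID never reaches the config), and verifies that the keytab is owned by nslcd with mode 600. It assumes the paths used in this tutorial and that net getlocalsid prints the SID after "is: ".

```shell
#!/bin/sh
# Added example, not from the original tutorial: put the real domain SID into
# the two objectSid mappings of nslcd.conf without hand-editing, refusing
# anything that is not a domain SID, and check that the nslcd keytab is owned
# by nslcd with mode 600. Assumes the paths used in this tutorial and that
# "net getlocalsid devlab" prints the SID after "is: ".

# A domain SID is S-1-5-21-<n>-<n>-<n>; reject builtin SIDs, typos and the
# prose of an error message before it reaches the config file.
valid_domain_sid() {
    printf '%s' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# Rewrite every "objectSid:S-1-5-21-..." in the given nslcd.conf to the new SID.
set_nslcd_sid() {
    conf="$1"; sid="$2"
    valid_domain_sid "$sid" || { echo "refusing to write bad SID: $sid" >&2; return 1; }
    sed -i "s/objectSid:S-1-5-21-[0-9-]*/objectSid:$sid/" "$conf"
}

# Number of mapping lines carrying a SID (expect 2: uidNumber and gidNumber).
count_sid_lines() {
    grep -c "objectSid:$2" "$1" || true
}

# 0 if the keytab exists, is owned by the expected user (default nslcd) and
# has no group or other permission bits. The keytab is equivalent to the
# service account's password, so nothing else may read it.
keytab_secure() {
    kt="$1"; owner="${2:-nslcd}"
    [ -f "$kt" ] || return 1
    [ "$(stat -c %U "$kt")" = "$owner" ] && [ "$(stat -c %a "$kt")" = "600" ]
}

# On the DC, as root: sh nslcd-sid.sh apply
if [ "${1:-}" = "apply" ]; then
    sid=$(net getlocalsid devlab | sed -n 's/.*is: //p')
    set_nslcd_sid /etc/nslcd.conf "$sid" && echo "nslcd.conf now maps $sid"
    keytab_secure /etc/krb5.nslcd.keytab \
        || echo "fix: chown nslcd:root /etc/krb5.nslcd.keytab; chmod 600 /etc/krb5.nslcd.keytab" >&2
fi
```

Restart nslcd after applying, as in the step below; the uidNumber and gidNumber mappings are derived from the SID, so a wrong SID yields accounts with no usable UIDs rather than an obvious error.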
Last but not least step to edit nsswitch.conf
nano /etc/nsswitch.conf
And add following somewhere in the file, make sure to comment out the old one
passwd:         files ldap
group:          files ldap
shadow:         files ldap
Now restart the service.
service nslcd restart
Now make the ticket available every time the DC restarts
nano /etc/rc.local
Add the following above the exit 0 line; otherwise you have to run it by hand after every reboot
k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt
Testing...
getent group
getent passwd
getent shadow
ldapsearch -x -LLL -b dc=devlab,dc=nt 'sAMAccountName=rkhan' -D cn=rkhan,ou=people,dc=devlab,dc=nt -w Test123
All of the above commands should list AD accounts alongside the local ones. Note that ldapsearch with -x sends the password in clear over an unencrypted LDAP connection; outside a lab, use -Y GSSAPI after kinit instead.
At this point name lookups for AD users work on this machine. Whether an AD user can also log in over ssh depends on PAM, which the nslcd setup above does not cover: make sure libpam-ldapd is installed and enabled (pam-auth-update), and add pam_mkhomedir if home directories should be created on first login.