
Samba4 AD DC install packages
# ACL/xattr tooling for the filesystem plus NTP (Kerberos is clock-sensitive)
pkgs=(ntp ntpdate acl attr libacl1-dev libattr1-dev)
sudo apt-get install -y "${pkgs[@]}"
update time
# step the clock once with ntpdate while the daemon is stopped, then bring ntp back
service ntp stop
ntpdate -B 0.ubuntu.pool.ntp.org
service ntp start
# edit fstab so the root filesystem is mounted with acl and user_xattr (see the entry below)
nano /etc/fstab
update the root filesystem mount entry to match the following (your UUID will differ)
# root filesystem; acl and user_xattr let Samba store NT ACLs and DOS attributes as extended attributes
UUID=157cfa3d-d56d-468c-b7b7-9d35c5e406f1 /               ext4    user_xattr,acl,barrier=1,errors=remount-ro 0       1
Optional but recommended: reboot
# reboot so the root filesystem is remounted with the new acl/user_xattr options
reboot
install samba packages
# AD DC, Kerberos client, LDAP/LDB tools, winbind and the NSS/PAM winbind modules
pkgs=(samba krb5-user smbclient ldap-utils ldb-tools winbind dnsutils libpam-winbind libnss-winbind)
sudo apt-get install -y "${pkgs[@]}"
answer the prompts as follows
Default Kerberos version 5 realm: TESTLAB.LOCAL
Kerberos servers for your realm: dc1
Administrative server for your Kerberos realm: dc1
configure samba
# set the packaged smb.conf aside; provisioning writes a fresh one
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
# interactive: prompts for realm/domain settings and the administrator password
samba-tool domain provision
update kerberos
# replace the packaged krb5.conf with the one provisioning generated for this realm
mv /etc/krb5.conf /etc/krb5.conf.orig
ln -sf /var/lib/samba/private/krb5.conf /etc/
disable resolv.conf auto generation
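# show what resolv.conf currently is (normally a systemd-resolved symlink) before replacing it;
# "ll" is an interactive alias that does not exist in scripts, so use ls -l
ls -l /etc/resolv.conf
# -f: do not fail if the file is already gone
rm -f /etc/resolv.conf
# quoted delimiter: the content is written literally, with no parameter expansion
cat << 'eot' >> /etc/resolv.conf
search testlab.local
nameserver 127.0.0.1
eot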
stop and disable the conflicting services, then enable samba-ad-dc
# these units conflict with the AD DC service (which runs its own smbd/winbindd)
# and with the local DNS listener, so stop and disable them before enabling samba-ad-dc
units=(smbd nmbd winbind systemd-resolved)
systemctl stop "${units[@]}"
systemctl disable "${units[@]}"
systemctl unmask samba-ad-dc
systemctl start samba-ad-dc
systemctl enable samba-ad-dc
check domain level
# print the forest/domain functional levels chosen at provisioning
samba-tool domain level show
test it
# request a Kerberos TGT for administrator; prompts for the password set during provisioning
kinit administrator
you should see the following
Password for administrator@TESTLAB.LOCAL:
Warning: Your password will expire in 41 days on Thu 22 Nov 2018 10:53:44 AM EST
optionally reboot server
# optional reboot to confirm the services come up cleanly on their own
reboot
test it again to make sure everything is working as expected
# repeat the TGT request after the reboot to confirm the KDC is reachable
kinit administrator
you should see the following; if you don't, something needs to be reconfigured
Password for administrator@TESTLAB.LOCAL:
Warning: Your password will expire in 41 days on Thu 22 Nov 2018 10:53:44 AM EST
DNS Setup
# reverse zone for 10.10.10.0/24, then the PTR record for the DC itself (10.10.10.30)
samba-tool dns zonecreate dc1 10.10.10.in-addr.arpa
samba-tool dns add dc1 10.10.10.in-addr.arpa 30 PTR dc1.testlab.local.
check
# verify the forward zone, the AD SRV records, the DC host record and the reverse entry
while read -r rtype qname; do
  host -t "$rtype" "$qname"
done <<'EOF'
A testlab.local
SRV _ldap._tcp.testlab.local.
SRV _kerberos._udp.testlab.local.
A dc1.testlab.local.
PTR 10.10.10.30
EOF
Testing
# anonymous share listing (-U% = empty user and password)
smbclient -L localhost -U%
Check the samba connectivity
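# let smbclient prompt for the administrator password rather than passing it after '%'
# on the command line, where it lands in shell history and is visible in the process list
smbclient //localhost/netlogon -U administrator -c 'ls'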
populate Samba4/AD structure
# LDIF for three OUs (users, groups, computer accounts) to be applied with ldbmodify;
# the delimiter is quoted so the content is written literally
cat << 'eot' > ou.ldif
dn: OU=People,DC=testlab,DC=local
changetype: add
objectClass: top
objectClass: organizationalunit
description: People OU

dn: OU=Groups,DC=testlab,DC=local
changetype: add
objectClass: top
objectClass: organizationalunit
description: Groups OU

dn: OU=Machines,DC=testlab,DC=local
changetype: add
objectClass: top
objectClass: organizationalunit
description: Machines OU
eot
add the above ldif data
# apply ou.ldif directly to the local sam.ldb (run on the DC, as root)
ldbmodify -H /var/lib/samba/private/sam.ldb ou.ldif
add first user
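# omit the password argument so samba-tool prompts for it; a password given on the
# command line is kept in shell history and readable from the process list while it runs
samba-tool user create rkhan --userou=ou=People --use-username-as-cn --surname="Khan" --given-name="Ryaz" --mail-address=rkhan@testlab.local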
make rkhan domain admin
# grants rkhan full control of the domain; keep this group small
samba-tool group addmembers 'Domain Admins' rkhan
edit rkhan
# open the rkhan object in an editor (the cn= filter works because --use-username-as-cn was set above)
ldbedit -e nano -H /var/lib/samba/private/sam.ldb cn=rkhan
Local authentication
# edit the smb.conf that provisioning generated
nano /etc/samba/smb.conf
add the following under the [global] section
# winbind configs
        winbind enum users = yes
        winbind enum groups = yes
        winbind offline logon = false
        encrypt passwords = yes
        # allows simple (unsigned, non-TLS) LDAP binds to the DC; Samba's default is
        # "yes" -- keep the default unless a client genuinely cannot use LDAPS/StartTLS
        ldap server require strong auth = no

# home directory and login shell
        template homedir = /srv/samba/homes/%U
        template shell = /bin/bash
test samba config and restart service
# testparm validates smb.conf (it waits for Enter before dumping the config), then restart the DC
testparm
/etc/init.d/samba-ad-dc restart
update pam authentication and select "Create home directory on login"
# interactive menu; tick "Create home directory on login" so pam_mkhomedir runs
sudo pam-auth-update
# keep the original nsswitch.conf and write one that resolves users/groups via winbind
nss=/etc/nsswitch.conf
mv "$nss" "$nss.orig"
cat << 'eot' >> "$nss"

passwd:         compat winbind
group:          compat winbind

shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

eot
update pam password
# keep the original password stack and write one that tries pam_unix, then pam_winbind
pwstack=/etc/pam.d/common-password
mv "$pwstack" "$pwstack.orig"
cat << 'eot' >> "$pwstack"
# here are the per-package modules (the "Primary" block)
password        [success=2 default=ignore]      pam_unix.so obscure sha512
#password [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
password        [success=1 default=ignore]      pam_winbind.so try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
eot
make sure the standalone winbind service is disabled and stopped
# the standalone winbind unit must stay off: samba-ad-dc runs its own winbindd
unit=winbind.service
sudo systemctl disable "$unit"
sudo systemctl stop "$unit"
restart server
# reboot so the new NSS/PAM configuration is picked up by every service
reboot
check it
# domain groups and users should now appear through NSS ...
getent group
getent passwd
# ... and winbind should list users and resolve administrator
wbinfo -u
wbinfo -i administrator
create profiles
homes=/srv/samba/homes
sudo mkdir -p "$homes"
# group-owned by Domain Users; 1750 = owner rwx, group r-x, sticky bit, nothing for others
sudo chgrp -R "Domain Users" "$homes"
sudo chmod 1750 "$homes"
create share for homes
# per-user [homes] share under /srv/samba/homes, hidden from browse lists, with 0600/0700
# forced so profiles stay private to their owner; acl_xattr stores NT ACLs in xattrs
conf=/etc/samba/smb.conf
cat << 'eot' >> "$conf"
[homes]
         comment = Users profiles
         path = /srv/samba/homes
         browseable = No
         read only = No
         force create mode = 0600
         force directory mode = 0700
         csc policy = disable
         store dos attributes = yes
         vfs objects = acl_xattr
eot
restart samba
# reload smb.conf so the new [homes] share is served
/etc/init.d/samba-ad-dc restart
now you should be able to join a machine to the domain, log in to the domain from Windows, and log in locally
# local login as a domain user; the home directory is created on first login via pam_mkhomedir
su - rkhan

Commands

search administrator data
# dump the administrator object from the local sam.ldb
ldbsearch -H /var/lib/samba/private/sam.ldb cn=administrator
# current domain password policy, and the options that can change it
samba-tool domain passwordsettings show
samba-tool domain passwordsettings set --help
--complexity
--store-plaintext
--history-length
--min-pwd-length
--min-pwd-age
--max-pwd-age
# each of these relaxes the policy below what provisioning sets; they are lab settings
# no character-class requirement
samba-tool domain passwordsettings set --complexity off
# only the last 2 passwords are remembered
samba-tool domain passwordsettings set --history-length 2
# minimum length 6 (default is 7)
samba-tool domain passwordsettings set --min-pwd-length 6
# days a password must be kept before it can be changed
samba-tool domain passwordsettings set --min-pwd-age 60
# days after which a password expires
samba-tool domain passwordsettings set --max-pwd-age 180
samba-tool domain level show
add new group
# create the group inside the Groups OU added earlier
samba-tool group add Radius --groupou=ou=Groups
add member to group
# add rkhan to the Radius group
samba-tool group addmembers Radius rkhan