Ubuntu and Samba Active Directory authentication

EDIT: heads up! This does not work on Ubuntu 16.04, for whatever reason. Currently playing detective to try and find out!

There is a lot of conflicting advice on the internet about how to set up Active Directory (we’ll call this AD) authentication on Ubuntu (or any other Linux distro, I guess). I spent around 2 days sorting through it, spinning up new VMs and failing. It turns out adding Ubuntu to AD is rather painless; I had just been looking at old blog posts, old documentation and things that were plain wrong. I’ve tested this with Ubuntu 14.04. Basically, just follow this link. Just in case it ever goes away or changes, I’m going to write a slimmed-down version of it here.

Make sure you have the required packages:

sudo apt-get install krb5-user samba sssd ntp

During the install, krb5-user asks for your default Kerberos realm. This is whatever you’ve configured your domain to be in AD, but all in capitals. In my case, this was IBEX.COM. The ntp package is in the list for a reason: Kerberos rejects requests from a clock that is more than five minutes off the domain controller’s, so the box has to keep time with the DC or nothing below will work.

Configure samba

Add this to the [global] section of /etc/samba/smb.conf, replacing the workgroup line that is already there (change IBEX or IBEX.COM to whatever your domain is):

[global]
workgroup = IBEX
# offer SMB signing and SPNEGO (Kerberos) when this host acts as a client
client signing = yes
client use spnego = yes
# keep the machine account key in secrets.tdb and in /etc/krb5.keytab; SSSD uses the keytab
kerberos method = secrets and keytab
# Kerberos realm: the AD domain in capitals
realm = IBEX.COM
# authenticate against Active Directory
security = ads

SSSD configuration

There is no config file by default, so create /etc/sssd/sssd.conf with:

[sssd]
services = nss, pam
config_file_version = 2
domains = IBEX.COM

[domain/IBEX.COM]
id_provider = ad
# the default access provider is "permit", which lets in any account that can
# authenticate; "ad" also rejects accounts the directory marks as expired
access_provider = ad
# home directories under /home/<domain>/<user>; pam_mkhomedir (further down) creates them
override_homedir = /home/%d/%u
# enumeration pulls every user and group in the domain into the cache;
# fine for a small lab domain, discouraged for anything bigger
enumerate = true
# give AD users bash rather than sh (see the addendum at the bottom of this post).
# Keep comments on their own line: SSSD does not strip a trailing "# ..." from a value,
# so "default_shell = /bin/bash # comment" would set the shell to "/bin/bash # comment"
default_shell = /bin/bash

Lock the file down. SSSD will refuse to start unless the file is owned by root with mode 0600:

sudo chown root:root /etc/sssd/sssd.conf && sudo chmod 600 /etc/sssd/sssd.conf

Modify hosts file

Edit /etc/hosts and add 10.0.0.5 server_name.ibex.com server_name, where server_name is the name of the server you’re currently working on and the IP is, of course, the IP address of the server. Put the fully qualified name first: the first name after the address is the canonical name, which is what hostname -f returns and what Samba uses to work out the host’s DNS domain when it joins.

Join the AD

Restart your services so they all pick up the new configuration (sssd was not running before, because it had no config file): sudo service ntp restart && sudo restart smbd && sudo start sssd

Get a Kerberos ticket for an account that is allowed to join computers to the domain: sudo kinit Administrator. The sudo matters: the ticket goes into root’s credential cache, which is where the join command (also run under sudo) will look for it. Administrator works, but a dedicated account that has only been delegated the right to create computer objects in the OU you are joining is the better choice.

Verify the ticket sudo klist

You should now see that you have a ticket. Time to join the AD: sudo net ads join -k (the -k tells net to authenticate with the ticket you just got instead of prompting for a password). Confirm the join with sudo net ads testjoin, and run sudo kdestroy afterwards so the Administrator ticket does not sit around in root’s cache.

If you get a warning about “No DNS domain configured”, the join itself has still succeeded. The warning means Samba could not work out the host’s fully qualified name (usually because the short name is listed first in /etc/hosts), so it skipped registering the host’s DNS record on the DC. Either fix the hosts file and join again, or add the A record for the server on the DC by hand; otherwise you can safely ignore it.

You can now log in to your server with your AD credentials! A quick check before you try: getent passwd james (or whichever AD user you have) should resolve the user through SSSD.

Home directories

By default, an AD user does not get a home directory created on first login. To have PAM create one, add

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

to the end of /etc/pam.d/common-session. Together with override_homedir above, this creates /home/<domain>/<user> on first login, populated from /etc/skel. The 0022 umask makes the directory world-readable; tighten it if that bothers you.

Add your share

Edit /etc/samba/smb.conf to add your share. As written, any account that can authenticate to the domain can write to it (the Unix permissions on /var/www still apply on top of that); if only some people should get in, add a valid users line naming an AD user or group to the share:

[dove-www]
path = /var/www
browseable = yes
# writable by every authenticated domain account unless you add "valid users"
read only = no

Test

On Windows, open \\server_name in Explorer and use a username and password from AD. Don’t forget to prefix IBEX (or whatever your domain is) to your username, e.g. IBEX\james.

If all has gone well, you should now be able to browse your Linux box over Samba with your AD credentials.
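The three places this setup goes wrong are the ones above: the order of names in /etc/hosts, the mode and contents of /etc/sssd/sssd.conf, and a writable share with nothing restricting who can use it. The script below checks all three. It is an added example for this write-up, not code from the original post, from the Ubuntu guide it follows, or from the Samba or SSSD projects. The /etc paths in the --live section are the real ones; the function names and the sample inputs in the comments are made up for illustration.

```shell
#!/bin/sh
# Sanity checks for the /etc/hosts, /etc/sssd/sssd.conf and /etc/samba/smb.conf
# settings used when joining Ubuntu to AD. Added example, not code from the
# original post or from Ubuntu/Samba/SSSD. Function names are invented here.

# /etc/hosts: the first name after the address is the canonical name, which is
# what "hostname -f" and Samba use to work out the host's DNS domain. With the
# short name first, "net ads join" cannot derive the domain and prints the
# "No DNS domain configured" warning. Returns 0 when the FQDN comes first.
check_hosts_line() {
    set -- $1                 # split "ADDR NAME [ALIAS...]" into fields
    case "${2:-}" in
        *.*) return 0 ;;
        *)   echo "hosts: '${2:-}' is the canonical name; list the FQDN first" >&2
             return 1 ;;
    esac
}

# /etc/sssd/sssd.conf: prints the number of problems found. SSSD refuses to
# start unless the file is mode 0600; its ini parser keeps a trailing
# "# comment" as part of the value (so "default_shell = /bin/bash # x" sets
# the shell to "/bin/bash # x"); and enumerate = true downloads every user
# and group in the domain, which is discouraged outside a small lab.
check_sssd_conf() {
    f=$1
    problems=0
    if [ -z "$(find "$f" -maxdepth 0 -perm 600 2>/dev/null)" ]; then
        echo "$f: must be mode 0600 (chmod 600, owned by root)" >&2
        problems=$((problems + 1))
    fi
    if grep -Eq '^[[:space:]]*[^[:space:]#;].*=.*[#;]' "$f"; then
        echo "$f: trailing comment on a value line; move it to its own line" >&2
        problems=$((problems + 1))
    fi
    if grep -Eiq '^[[:space:]]*enumerate[[:space:]]*=[[:space:]]*true' "$f"; then
        echo "$f: enumerate = true is expensive on anything but a tiny domain" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# /etc/samba/smb.conf: prints (lower-cased) the name of every share that is
# writable (read only = no, or writable/writeable = yes) but has no
# "valid users" line, i.e. every authenticated domain account can write to it.
find_open_writable_shares() {
    awk '
        function flush() {
            if (share != "" && share != "global" && writable && !restricted) print share
        }
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^\[/ {
            flush()
            share = line; sub(/^\[/, "", share); sub(/\].*$/, "", share)
            writable = 0; restricted = 0
            next
        }
        line ~ /^read[ \t]+only[ \t]*=[ \t]*no/        { writable = 1 }
        line ~ /^(writable|writeable)[ \t]*=[ \t]*yes/ { writable = 1 }
        line ~ /^valid[ \t]+users[ \t]*=/              { restricted = 1 }
        END { flush() }
    ' "$1"
}

# Usage on the box itself: sh adcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    line=$(grep -v '^[[:space:]]*#' /etc/hosts | grep -w "$(hostname)" | head -n 1)
    check_hosts_line "$line" && echo "hosts: FQDN is canonical"
    echo "sssd.conf: $(check_sssd_conf /etc/sssd/sssd.conf) problem(s)"
    open=$(find_open_writable_shares /etc/samba/smb.conf)
    if [ -n "$open" ]; then
        echo "smb.conf: writable share(s) open to every domain account: $open"
    else
        echo "smb.conf: every writable share has a valid users line"
    fi
fi
```

Run it with --live on the server after the join; a flagged share is not necessarily wrong (the [dove-www] share above is deliberately open to the whole domain), but you should be able to say why each one is.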

Addendum

It is most definitely worth adding default_shell = /bin/bash to the [domain/IBEX.COM] section of /etc/sssd/sssd.conf (it is already in the config above). Using the sh shell instead of bash will drive you up the wall! Don’t forget to restart sssd (sudo restart sssd) after making any changes.