Ubuntu and Samba active directory authentication
EDIT: heads up! This does not work on Ubuntu 16.04, for whatever reason. Currently playing detective to try and find out!
There is a lot of disparity on the internet on how to set up Active Directory (we’ll call this AD) with Ubuntu (or any other Linux distro I guess). I spent around 2 days trying to sort through the crap, spinning up new VMs and failing. Turns out adding Ubuntu to the AD is rather painless. I was just looking at old blog posts, old documentation and things that were just plain wrong. I’ve tested this with Ubuntu 14.04. Basically, just follow this link. Just in case it ever goes away or changes, I’m going to write a slimmed down version of it here.
Make sure you have the required packages:
sudo apt-get install krb5-user samba sssd ntp
It will ask for your realm during the install and this is whatever you’ve configured your domain to be with AD, but all in capitals. In my case, this was
Add this to your /etc/samba/smb.conf (change IBEX or IBEX.COM to whatever your domain is):

[global]
workgroup = IBEX
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = IBEX.COM
security = ads
There is no config file by default. Edit /etc/sssd/sssd.conf and add:

[sssd]
services = nss, pam
config_file_version = 2
domains = IBEX.COM

[domain/IBEX.COM]
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
enumerate = true
default_shell = /bin/bash # so the user uses the bash shell, see addendum at the bottom of this post
For sake of sanity, change the permissions of the file. SSSD will fail to start if it has incorrect permissions:
sudo chown root:root /etc/sssd/sssd.conf && sudo chmod 600 /etc/sssd/sssd.conf
Modify the hosts file /etc/hosts and add:

10.0.0.5 server_name server_name.ibex.com

where server_name is the name of the server you’re currently working on and the IP is, of course, the IP address of the server.
Join the AD
Restart your services to make sure they all have the new configurations
sudo service ntp restart && sudo restart smbd && sudo start sssd
Get a Kerberos ticket
sudo kinit Administrator
Verify the ticket
You should now see that you have a ticket. Time to join the AD
sudo net ads join -k
~~If you get a warning about “No DNS domain configured”, you’ve messed up the hosts file. Go back and check it all.~~
Edit: you can safely ignore this error.
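The steps above are easy to get subtly wrong (a lower-case realm, sssd.conf with the wrong mode, a hosts entry without the FQDN), and each mistake only shows up as a confusing failure later. The script below is an added example, not from the original post: it bundles a few pre-flight checks for those mistakes with the join sequence in the order used above. It assumes the post's values (realm IBEX.COM, /etc/sssd/sssd.conf, /etc/hosts) and uses klist to verify the ticket, which is the standard Kerberos tool for that; the `--join` flag and the helper function names are my own.

```shell
#!/bin/sh
# Pre-flight checks plus the join sequence from the post. Added example;
# file paths and the realm IBEX.COM are taken from the post, everything
# else (function names, --join flag) is an assumption of this script.

# A Kerberos realm is the AD domain name in upper case. kinit and
# "net ads join" look up the realm by that exact string.
check_realm_upper() {
    realm="$1"
    [ -n "$realm" ] &&
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# sssd refuses to start unless sssd.conf is owned by root with mode 0600.
# Owner defaults to root; it is a parameter only so the check can be
# exercised on a scratch file as a non-root user.
check_sssd_perms() {
    file="$1"; owner="${2:-root}"
    [ -f "$file" ] || return 1
    [ "$(stat -c '%a' "$file")" = "600" ] &&
    [ "$(stat -c '%U' "$file")" = "$owner" ]
}

# /etc/hosts needs "<ip> <host> <host>.<domain>" for this machine so the
# join can derive the host's DNS name. Comment lines are ignored.
check_hosts_entry() {
    hosts_file="$1"; host="$2"; domain="$3"
    dom_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
    grep -Eq "^[^#].*[[:space:]]${host}\.${dom_re}([[:space:]]|$)" "$hosts_file"
}

# sssd.conf must list the realm in [sssd] "domains =" and have a matching
# [domain/REALM] section; a mismatch leaves sssd with no domain to serve.
check_sssd_domain() {
    file="$1"; realm="$2"
    realm_re=$(printf '%s' "$realm" | sed 's/\./\\./g')
    grep -Eq "^domains[[:space:]]*=[[:space:]]*${realm_re}[[:space:]]*$" "$file" &&
    grep -Eq "^\[domain/${realm_re}\][[:space:]]*$" "$file"
}

# The join itself, in the post's order: sync time, reload the new configs,
# get a ticket as a domain admin, confirm it, then join with the ticket (-k).
# Only meaningful on the real server; the checks above run anywhere.
join_domain() {
    admin="${1:-Administrator}"
    sudo service ntp restart && sudo restart smbd && sudo start sssd || return 1
    sudo kinit "$admin" || return 1
    sudo klist || return 1   # should list a krbtgt/REALM@REALM ticket
    sudo net ads join -k
}

# Usage: ./ad-preflight.sh --join [admin-user]
if [ "${1:-}" = "--join" ]; then
    check_realm_upper "IBEX.COM" || { echo "realm must be upper case" >&2; exit 1; }
    check_sssd_perms /etc/sssd/sssd.conf || { echo "sssd.conf must be root:root mode 600" >&2; exit 1; }
    check_sssd_domain /etc/sssd/sssd.conf "IBEX.COM" || { echo "sssd.conf domain sections do not match realm" >&2; exit 1; }
    check_hosts_entry /etc/hosts "$(hostname -s)" "ibex.com" || { echo "add this host's FQDN to /etc/hosts" >&2; exit 1; }
    join_domain "${2:-Administrator}"
fi
```

Run it without `--join` to load the functions only; with `--join` it refuses to touch the domain until every check passes, which is cheaper than diagnosing a half-joined machine afterwards.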
You can now log in to your server with your AD credentials!
By default, an AD user does not have a home directory. To create one on first login, add this PAM session line:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Add your share

Edit /etc/samba/smb.conf to add your share:

[dove-www]
path = /var/www
browseable = yes
read only = no
On Windows, browse to your machine name. Now use a username and password from AD. Don’t forget to prefix IBEX (or whatever your domain is) to your username, e.g. IBEX\james.
If all has gone well, you should now be able to browse your Linux box over Samba with your AD credentials.
It is most definitely worth adding

default_shell = /bin/bash

to your /etc/sssd/sssd.conf. Using the sh shell instead of bash will drive you up the wall! Don't forget to restart your sssd service after making any changes.