I’ve set up my own Active Directory domain using Samba 4 as the primary domain controller. The steps below are how I’ve joined client machines to that domain. There’s another method using SSSD as well, which I’ll post next. However, as far as I understand, the winbind solution is required if the client itself is to share folders to AD users via Samba. I might be wrong though.
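# Refresh the package index and upgrade before pulling in Samba.  The steps
# are chained with && so a failed update/install is not silently followed by
# the later steps that overwrite /etc/samba/smb.conf.  vim is only needed for
# the manual /etc/nsswitch.conf edit further down; libnss-winbind provides
# the NSS module and libpam-winbind the PAM module used for AD logins.
apt update \
  && apt upgrade \
  && apt install vim samba libnss-winbind libpam-winbind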
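# Keep the distro's default config for reference, then write a minimal
# domain-member configuration.  The heredoc delimiter is quoted so nothing
# in the file (e.g. the %m log macro) is ever subject to shell expansion.
mv /etc/samba/smb.conf /etc/samba/old_smb.conf
cat <<'EOT' >/etc/samba/smb.conf
#======================= Global Settings =======================
[global]
log file = /var/log/samba/%m.log
log level = 1
workgroup = XX
security = ADS
realm = XX.EXAMPLE.ORG
#winbind refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# Allow login without specifying the domain (user instead of XX\user)
winbind use default domain = yes
# For testing purposes only (remove for production): enumeration is slow on
# large domains and lets any local user list every AD account via getent.
winbind enum users = yes
winbind enum groups = yes
# Disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Active Directory ID mapping.  The default (*) range catches BUILTIN and any
# other domain; the XX range must not overlap it.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# backend = ad maps uidNumber/gidNumber from AD (rfc2307 attributes); with
# unix_nss_info the login shell and home directory are expected to come from
# AD too.  Accounts without these attributes will not resolve on this host --
# verify with getent after the join.
idmap config XX: backend = ad
idmap config XX: schema_mode = rfc2307
idmap config XX: range = 10000-999999
idmap config XX: unix_nss_info = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
EOT
# Validate the configuration before joining or starting any service.
testparm -s >/dev/null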
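# Minimal Kerberos client configuration.  KDCs are discovered through DNS
# SRV records (dns_lookup_kdc), so the host's resolver should point at the
# AD DNS.  Quoted delimiter: nothing inside is shell-expanded.
cat <<'EOT' >/etc/krb5.conf
[libdefaults]
default_realm = XX.EXAMPLE.ORG
kdc_timesync = 1
ccache_type = 4
# Forwardable tickets are needed if users delegate credentials (e.g. SSH
# with GSSAPI).  Proxiable tickets are not needed for a plain domain join;
# leave them off unless a specific service requires them.
forwardable = true
#proxiable = true
dns_lookup_realm = false
dns_lookup_kdc = true
EOT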
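# Make winbind a source for user and group lookups by appending 'winbind'
# to the passwd and group lines, e.g.:
#   passwd: files systemd winbind
#   group:  files systemd winbind
# Done with sed instead of an interactive editor so the step is repeatable;
# the original is kept as /etc/nsswitch.conf.bak and lines that already
# list winbind are left untouched.  Then show the result.
sed -i.bak -E '/^(passwd|group):/{/\bwinbind\b/!s/[[:space:]]*$/ winbind/;}' /etc/nsswitch.conf
grep -E '^(passwd|group):' /etc/nsswitch.conf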
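# Join the client to AD.  net prompts for the password -- do not pass it on
# the command line as -U administrator%secret, which exposes it to ps and
# shell history.  The domain administrator is not required: an account
# delegated the right to create computer objects is the least-privilege
# choice for joins.
net ads join -U administrator
# Confirm the machine account and keytab actually work before going further.
net ads testjoin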
# Start the file server and winbind now and on every boot (enable --now is
# enable followed by start).
systemctl enable --now smbd
systemctl enable --now winbind
# NOTE(review): libpam-winbind is installed above but PAM itself is not
# configured here (pam-auth-update / pam_mkhomedir); without that, AD users
# may resolve via getent but still be unable to log in -- confirm.
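# Sanity checks.  wbinfo -t verifies the machine account's trust secret with
# a DC; getent should then list AD users and groups alongside the local ones
# (the full listing only works because winbind enum users/groups is enabled
# in smb.conf -- that setting is for testing only).
wbinfo -t
getent passwd
getent group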
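# Allow sudo for Domain Admins.  Write a drop-in instead of appending to
# /etc/sudoers: a syntax error in /etc/sudoers breaks sudo for everyone,
# whereas a drop-in is validated with visudo -c and removed again if it is
# wrong.  The unqualified group name works because 'winbind use default
# domain = yes' is set in smb.conf; the space is backslash-escaped for the
# sudoers parser.  A password is still required (no NOPASSWD).
printf '%s\n' '%domain\ admins ALL=(ALL) ALL' >/etc/sudoers.d/domain-admins
chmod 0440 /etc/sudoers.d/domain-admins
visudo -cf /etc/sudoers.d/domain-admins || rm -f /etc/sudoers.d/domain-admins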