The information in this thread has been moved to https://help.ubuntu.com/community/Sa...egrationScript
A thread for discussion of the wiki page only can be found here http://ubuntuforums.org/showthread.php?t=2012421
Samba Complete Active Directory Domain Integration
Tested on Windows Server 2003 R2 / 2008 R2
What this procedure will do
If all goes well you will have a Linux machine completely integrated with your Active Directory domain. Shared-folder permissions will be managed from your Samba server, using groups and users taken directly from your AD domain controller. Just follow this guide and use the attached script!
This procedure was tested with a Linux machine running Ubuntu 10.04 and both Windows Server 2003 and Windows Server 2008 R2 as AD server.
This procedure is assembled from a lot of guides, but the best one I could find is here: http://wiki.samba.org/index.php/Samb...tive_directory
It is clearly explained in every section and treats every part in more depth than this one; I really recommend consulting it whenever you are in doubt.
To join your Linux machine to your Active Directory Domain you need:
- access to a Windows Domain Controller with a Domain Administrator account
- access to a Linux machine with administrator account (sudoer or root account)
- the archive provided with this guide extracted in a folder (do not move or edit the “templates” folder or its content)
For a first attempt I really recommend using a Linux virtual machine, if possible.
It is important that the name of the machine you add to the domain is no longer than 15 characters (the NetBIOS limit). If it is longer, change it in /etc/hostname and in /etc/hosts with your preferred text editor (vi, nano, gedit) and restart the machine:
sudo nano /etc/hostname
sudo nano /etc/hosts
Kerberos is time-dependent: authentication fails if the client clock drifts too far from the domain controller's (more than 5 minutes by default), so make sure the machine time is correct using NTP. Synchronize your Linux machine's date and time with the same NTP server your domain uses:
sudo ntpdate your.domain.ntp.server
You can also make this command run regularly with crontab. The entry below runs it at 12:00 every day with root privilege (visit http://www.crontabrocks.org/ for more information about crontab):
# m h dom mon dow command
00 12 * * * ntpdate your.domain.ntp.server
It is also important that your DNS is properly configured to use your domain's DNS servers; you can do that with a network manager (network-manager or wicd) or by editing the /etc/resolv.conf file. An example:
sudo nano /etc/resolv.conf
Note that if you use a network manager program, your hand-edited /etc/resolv.conf will probably be ignored and replaced by an auto-generated one.
Now test your configuration with the "nslookup" command using both the domain controller's name and its IP address: the name should resolve to the IP and the IP back to the name.
If you changed the hostname, it is better to reboot the machine before continuing.
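As an added example (not part of the original guide or its AD_join.sh script), the following POSIX shell script automates the three pre-join checks above: a NetBIOS-safe hostname, a clock offset within Kerberos' default 5-minute tolerance, and DNS that can locate a domain controller through the _ldap._tcp.dc._msdcs SRV record Active Directory publishes. The domain name, NTP server and the sample command outputs are constructed for illustration; the live checks assume ntpdate and dig (dnsutils) are installed.

```shell
#!/bin/sh
# Pre-join checks for a Samba/winbind AD member (added example, not the
# guide's script). Pure helpers are kept separate from the commands that
# touch the network so they can be exercised without a domain.

MAX_SKEW=300   # Kerberos default clockskew, in seconds

# NetBIOS host names: 1..15 characters, letters, digits and '-' only.
check_hostname_len() {
    n=$1
    [ "${#n}" -ge 1 ] && [ "${#n}" -le 15 ] || return 1
    case "$n" in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Accept a signed, possibly fractional offset; succeed if |offset| < MAX_SKEW.
skew_ok() {
    awk -v o="$1" -v max="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit (o < max) ? 0 : 1 }'
}

# Extract the offset in seconds from "ntpdate -q" output.
parse_ntpdate_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \([-0-9.]*\) sec.*/\1/p' | head -n 1
}

# Extract DC host names from "dig +short SRV" output ("prio weight port target.").
parse_srv_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Live checks: only run when asked, since they need the domain network.
preflight() {
    domain=$1; ntp=$2; rc=0
    h=$(hostname -s)
    check_hostname_len "$h" || { echo "hostname '$h' is not a valid NetBIOS name" >&2; rc=1; }
    off=$(parse_ntpdate_offset "$(ntpdate -q "$ntp" 2>&1)")
    [ -n "$off" ] && skew_ok "$off" || { echo "clock offset '$off' vs $ntp exceeds ${MAX_SKEW}s" >&2; rc=1; }
    dcs=$(parse_srv_targets "$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain")")
    [ -n "$dcs" ] && echo "domain controllers: $dcs" || { echo "no DC SRV record for $domain" >&2; rc=1; }
    return $rc
}

# Constructed sample outputs (assumed formats of "ntpdate -q" and "dig +short SRV").
SAMPLE_NTPDATE='server 192.0.2.10, stratum 2, offset -0.041523, delay 0.02756
12 Jan 12:00:00 ntpdate[1234]: adjust time server 192.0.2.10 offset -0.041523 sec'
SAMPLE_SRV='0 100 389 dc1.example.local.
0 100 389 dc2.example.local.'

# Usage: AD_PREFLIGHT_RUN=1 sh preflight.sh example.local ntp.example.local
if [ "${AD_PREFLIGHT_RUN:-0}" = 1 ]; then
    preflight "$1" "$2"
fi
```

Run it before "net ads join": a non-zero exit means one of the three prerequisites is missing, and the message on stderr says which. The SRV lookup is the same question nslookup answers by hand above, but it also proves that the resolver you ended up with is the domain's, not a leftover public one.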
The first thing to do is to edit the variables in AD_join.sh: open it with your favourite editor and modify only the variables in the first part of the script, editing only the text between the "quotation_marks".
Do not modify anything below the WARNING line unless you know what you are doing (in Italy we say "Cazzi tua!", roughly "on your own head be it").
Be sure that AD_join.sh has the execution bit set:
sudo chmod +x AD_join.sh
Now open a terminal, change to the directory containing the script and run it with root privilege:
sudo ./AD_join.sh
The script installs samba, winbind and kerberos on your machine and renames the original configuration files to *.bkp in order to preserve them (the entire /etc/pam.d/ directory is also copied to /etc/pam.d.bkp). It then puts the new files (smb.conf, krb5.conf, nsswitch.conf, system-auth) in the proper directories and restarts the necessary services.
When the Kerberos configuration dialog appears during the install, just select <OK>, leaving the text field blank.
Testing and Joining
It's time to test your configuration and try to join your Active Directory domain.
First of all, test your Samba configuration file: open a terminal and type:
testparm
If all goes well you will see your Samba configuration printed back. If not, testparm tells you which line of smb.conf has the problem; you can correct it or comment it out with "#" or ";".
Note that Samba will probably warn you about the "winbind separator = +" line; that is fine.
Now try to join the domain with the following command, replacing your_domain_admin with the name of a domain administrator account:
sudo net ads join -U your_domain_admin
If all goes well you are asked for the administrator's password and then see a success message in your terminal. If not, your DNS server settings are probably wrong: fix your network configuration, or point the command at the domain controller explicitly:
sudo net ads join -S your_server_IP_or_name -U your_domain_admin
Reboot your machine.
Now you can test the join with:
sudo wbinfo -u
this lists the domain's users;
sudo wbinfo -g
this lists the domain's groups;
sudo wbinfo -a your_domain_user
this checks whether your_domain_user can authenticate to the domain with their password.
You can also check the winbind nsswitch module with getent:
getent passwd
getent group
Note that even when the join succeeded, "getent" does not necessarily list the domain accounts: enumerating them requires "winbind enum users" and "winbind enum groups" to be enabled in smb.conf, and enumeration is often left off on purpose in large domains. Looking up a single account, e.g. getent passwd YOUR_DOMAIN+your_domain_user, should still resolve.
To test your Kerberos configuration use:
kinit your_domain_user@YOUR_DOMAIN.LOCAL
Replace "your_domain_user" with an existing user name and "YOUR_DOMAIN.LOCAL" with your Kerberos realm. If everything is set correctly you are asked for your_domain_user's password; if not, kinit prints an error and you should check your Kerberos configuration. Remember that the realm is CASE SENSITIVE (it is normally written in upper case).
Your Linux machine is now joined to your Active Directory.
Now you can:
- manage permissions and access to your shared resources from your Samba server
- log on to the Linux machine using your domain credentials
- browse shares on your Linux machine from your domain computers
Try to log in through ssh with a domain account; at "password:" enter your domain user's password.
The first time a domain user logs on to the Linux machine, a home directory is created for that user in /home/YOUR_DOMAIN/your_domain_user.
To secure those home folders once they have been created, you may run:
sudo chgrp "domain admins" /home/YOUR_DOMAIN/*
sudo chmod 700 /home/YOUR_DOMAIN/*
Your users' homes are then private. Note that with mode 700 only the owner (and root) can enter a directory, so the chgrp alone does not give "Domain Admins" members access; use 750 instead if you want that group to be able to read the homes. You may want to schedule these commands with cron, because a freshly created home directory has 755 permissions and "Domain Users" as its group, so every user can browse everybody else's home (which is not great; in Italian, "Bella merda!").
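Here is an added example (mine, not the guide's) of applying that hardening in one idempotent pass, only to real directories, so it is safe to run from cron. The base path, group and mode are parameters; the guide's values would be /home/YOUR_DOMAIN, "domain admins" and 700 (750 is what actually lets the group in). A more durable fix is to have the directories created private in the first place: pam_mkhomedir accepts umask=0077 on its line in the PAM configuration, so new homes start as 700 instead of 755.

```shell
#!/bin/sh
# Lock down existing AD user homes (added example, not the guide's script).
# Files inside the homes are left alone: once the directory itself is
# closed, nothing below it is reachable by other users anyway.

# Permission string of a path, e.g. "drwx------", via ls for portability.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Group name of a path.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# harden_homes BASE GROUP [MODE]: every real directory directly under BASE
# gets group GROUP and mode MODE (default 700, as in the guide; 750 lets
# GROUP members read the homes, which is what makes the chgrp useful).
# Prints the number of directories processed.
harden_homes() {
    base=$1; grp=$2; mode=${3:-700}; count=0
    for d in "$base"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue     # glob matched nothing
        [ -L "$d" ] && continue     # never follow a user-planted symlink
        chgrp "$grp" "$d" && chmod "$mode" "$d" && count=$((count + 1))
    done
    echo "$count"
}

# Usage from cron, e.g. hourly:
#   HARDEN_HOMES_RUN=1 sh harden_homes.sh /home/YOUR_DOMAIN "domain admins" 750
if [ "${HARDEN_HOMES_RUN:-0}" = 1 ]; then
    harden_homes "$1" "$2" "${3:-700}"
fi
```

The symlink check matters because the loop runs as root: a user who can create entries under the base directory could otherwise point a link at /etc or another user's home and have it re-owned for them.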
I recommend reading /etc/samba/smb.conf.bkp to understand what each field means. You can also uncomment the end of /etc/samba/smb.conf to share a "test" folder (be sure to edit the fields with the correct path and details). Remember that every time you change /etc/samba/smb.conf you must restart the service with:
sudo service smbd restart
Control access to a shared folder by editing its "valid users" field with the proper users and/or groups. The syntax is as follows (the @ marks a group and must be attached directly to the name, with no space between them):
valid users =@YOUR_DOMAIN+your_group YOUR_DOMAIN+your_user
This allows all members of the Active Directory group "your_group", and also the Active Directory user "your_user", to access the shared folder.
If a group name contains spaces, like "Group Name with Spaces", it must be put in quotation marks:
valid users =@"YOUR_DOMAIN+Group Name with Spaces"
Pay attention to the case of the domain name: it is case sensitive.
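The following added example (mine, not the guide's) generates a "valid users" line and a whole share stanza from plain names, applying the quoting rule above automatically, and validates the result with testparm before you restart smbd. The share name, path and account names are placeholders; the separator is "+", matching the "winbind separator = +" line in the guide's smb.conf.

```shell
#!/bin/sh
# Build smb.conf share access lines for AD accounts (added example, not
# from the guide). Names containing spaces get double quotes, as Samba
# requires for list entries with whitespace.

SEP='+'   # must match "winbind separator" in smb.conf

# ad_name DOMAIN NAME -> DOMAIN+NAME, quoted if NAME contains a space.
ad_name() {
    case "$2" in
        *" "*) printf '"%s%s%s"' "$1" "$SEP" "$2" ;;
        *)     printf '%s%s%s' "$1" "$SEP" "$2" ;;
    esac
}

# valid_users_line DOMAIN ENTRY... ; an ENTRY starting with '@' is a group.
# e.g. valid_users_line YOUR_DOMAIN "@Domain Admins" "@Finance" jsmith
valid_users_line() {
    dom=$1; shift
    out='valid users ='
    for e in "$@"; do
        case "$e" in
            @*) out="$out @$(ad_name "$dom" "${e#@}")" ;;
            *)  out="$out $(ad_name "$dom" "$e")" ;;
        esac
    done
    printf '%s\n' "$out"
}

# share_stanza NAME PATH VALID_USERS_LINE -> a complete [NAME] section.
# The masks keep new files group-accessible but closed to everyone else.
share_stanza() {
    printf '[%s]\n' "$1"
    printf '   path = %s\n' "$2"
    printf '   %s\n' "$3"
    printf '   read only = no\n   browseable = yes\n'
    printf '   create mask = 0660\n   directory mask = 0770\n'
}

# make_share NAME PATH DOMAIN ENTRY... -> stanza with the generated access line.
make_share() {
    name=$1; path=$2; shift 2
    share_stanza "$name" "$path" "$(valid_users_line "$@")"
}

# check_conf SMBCONF STANZA_FILE: append the stanza to a temporary copy of the
# live config and run testparm on it. Returns 0 if Samba accepts the result,
# 1 if testparm rejects it, 2 if testparm is not installed.
check_conf() {
    command -v testparm >/dev/null 2>&1 || { echo "testparm not installed" >&2; return 2; }
    tmp=$(mktemp)
    cat "$1" "$2" > "$tmp"
    if testparm -s "$tmp" >/dev/null; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Usage (placeholders; the share directory must already exist):
#   make_share finance /srv/finance YOUR_DOMAIN "@Domain Admins" "@Finance" jsmith > /tmp/finance.stanza
#   check_conf /etc/samba/smb.conf /tmp/finance.stanza && sudo tee -a /etc/samba/smb.conf < /tmp/finance.stanza
```

Running testparm on a copy rather than on the live file means a typo in a group name never reaches smbd: the restart only happens once the merged configuration parses.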
There are many more fields you can add or modify in your Samba configuration; you can find some examples in the preconfigured file (smb.conf), such as the "admin users" field or the "[homes]" share (which shares each user's home folder with them when they log in).
Feel free to experiment as much as you want, and if you find something interesting, please post it here!
idQp posted some troubleshooting (here is the post: http://ubuntuforums.org/showthread.p...erbiss&page=10), tested on Debian 6.0.
ccsaway posted this (http://ubuntuforums.org/showthread.php?t=1580505&page=11):
If you get this error message:
"Failed to join domain: failed to connect to AD: Strong(er) authentication required"
you must add the following line to your smb.conf ([global] settings):
client ldap sasl wrapping = sign
This is because of a Microsoft update that enables the LDAP signing requirement on your AD.
edit: this howto worked for me on Debian 6.0 (squeeze) and Windows Server 2008 R2
Just installed it on 11.10. Works great! THANK YOU SOOOOOOOOOO MUCH
Had to do just one extra thing though:
apt-get install krb5-user, to test if kinit was working
A couple of things I did after:
net groupmap add ntgroup="Domain Users" unixgroup=users
net groupmap add ntgroup="Domain Guests" unixgroup=nogroup
net groupmap add ntgroup="Domain Admins" unixgroup=root