Samba Based Active Directory on Ubuntu 22.04

https://www.youtube.com/watch?v=KT6O-TfJ41g

Note:

Please note, the following commands are meant to accompany the video, some context may be missing.

Prerequisites

Ubuntu Server (20.04/22.04)
A user account with sudo privileges
A Windows 10 PRO computer on the same network
A Linux Desktop on the same server (Fedora or Ubuntu based)

In this example will be using Ubuntu 22.04 Server for the Active Directory. We will be connecting to it with a Windows 10 PRO client as well as Fedora as the Linux based client

DC Server Setup

Set the Server Hostname

For this demonstration we will be using the hostname dc1 for the Ubuntu server

# set up the hostname
hostnamectl set-hostname dc1

1 2	# set up the hostname hostnamectl set-hostname dc1

Add Server to Hosts File

We will also need to modify the hosts file, add the following line to /etc/hosts

# setup FQDN dc1.cn.lan
192.168.0.254 dc1.cn.lan dc1

1 2	# setup FQDN dc1.cn.lan 192.168.0.254 dc1.cn.lan dc1

Verify Hostname

You can quickly verify everythign worked with the following command

# verify FQDN
hostname -f

# verify FQDN is resolved to the Samba IP address
ping -c3 dc1.cn.lan

# verify FQDN

hostname -f

# verify FQDN is resolved to the Samba IP address

ping -c3 dc1.cn.lan

Disable the DNS Resolver

Disable the DNS Resolver and unlink the config

# stop and disable systemd-resolved service
sudo systemctl disable --now systemd-resolved

# remove the symlink file /etc/resolv.conf
sudo unlink /etc/resolv.conf

# stop and disable systemd-resolved service

sudo systemctl disable --now systemd-resolved

# remove the symlink file /etc/resolv.conf

sudo unlink /etc/resolv.conf

Create our own Resolv.conf

# create a new /etc/resolv.conf file
touch /etc/resolv.conf

1 2	# create a new /etc/resolv.conf file touch /etc/resolv.conf

Enter the following into /etc/resolv.conf

# Samba server IP address
nameserver 192.168.0.254

# fallback resolver
nameserver 9.9.9.9

# main domain for Samba
search cn.lan

# Samba server IP address

nameserver 192.168.0.254

# fallback resolver

nameserver 9.9.9.9

# main domain for Samba

search cn.lan

Make the file immutable

As we do not want anything to change this file automatically, we make it immutable so that it does not get modified

# add attribute immutable to the file /etc/resolv.conf
sudo chattr +i /etc/resolv.conf

				1
2

						# add attribute immutable to the file /etc/resolv.conf
sudo chattr +i /etc/resolv.conf

Installing Samba (packages)

# add attribute immutable to the file /etc/resolv.conf
sudo chattr +i /etc/resolv.conf

				1
2

						# add attribute immutable to the file /etc/resolv.conf
sudo chattr +i /etc/resolv.conf

Installing Samba (au.ldtp.com)

sudo apt update
sudo apt install -y acl attr samba samba-dsdb-modules samba-vfs-modules smbclient winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools

				1

						wget -r -np -nH --cut-dirs=3 -A "*.deb" https://au.ldtp.com/AD-samba/download/packages/ && sudo dpkg -i *.deb && sudo apt-get install -f

Enter the appropriate info

# Default Kerberos Verion 5 Realm:
CN.LAN

# Kerberos Servers for your realm:
dc1.cn.lan

# Adminitraive server for your Kerberos realm:
dc1.cn.lan

				
					
				1
2
3
4
5
6
7
8

						# Default Kerberos Verion 5 Realm:
CN.LAN
 
# Kerberos Servers for your realm:
dc1.cn.lan
 
# Adminitraive server for your Kerberos realm:
dc1.cn.lan

					

			
Disable Samba Services

# stop and disable samba services - smbd, nmbd, and winbind
sudo systemctl disable --now smbd nmbd winbind

				1
2

						# stop and disable samba services - smbd, nmbd, and winbind
sudo systemctl disable --now smbd nmbd winbind

Activate samba-ad-dc

# activate samba-ad-dc service
sudo systemctl unmask samba-ad-dc

# enable samba-ad-dc service
sudo systemctl enable samba-ad-dc

				1
2
3
4
5

						# activate samba-ad-dc service
sudo systemctl unmask samba-ad-dc
 
# enable samba-ad-dc service
sudo systemctl enable samba-ad-dc

Configuring Samba Active Directory

First backup the original smb.conf file

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

1	sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

Provision the Active Directory

# provisioning Samba Active Directory
sudo samba-tool domain provision

1 2	# provisioning Samba Active Directory sudo samba-tool domain provision

Enter the following info

On Realm prompte – <Enter>
On Domian Promp – <Enter>
On Server Roll – <Enter>
On DNS Backend – <Enter>
DNS Forwarding IP – 9.9.9.9
Enter an Admin Password

Backup and replace the Kerberos Config

# rename default Kerberos configuration to krb5.conf.orig
sudo mv /etc/krb5.conf /etc/krb5.conf.orig

# copy the Kerberos configuration generated by the samba-tool
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

				1
2
3
4
5

						# rename default Kerberos configuration to krb5.conf.orig
sudo mv /etc/krb5.conf /etc/krb5.conf.orig
 
# copy the Kerberos configuration generated by the samba-tool
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

Start samba-ad-dc

# start samba-ad-dc service
sudo systemctl start samba-ad-dc

# verify samba-ad-dc service
sudo systemctl status samba-ad-dc

				1
2
3
4
5

						# start samba-ad-dc service
sudo systemctl start samba-ad-dc
 
# verify samba-ad-dc service
sudo systemctl status samba-ad-dc

Set up Time Synchronization

Set permissions

# allow group _chrony to read the directory ntp_signd
sudo chown root:_chrony /var/lib/samba/ntp_signd/

# change the permission of the directory ntp_signd
sudo chmod 750 /var/lib/samba/ntp_signd/

				1
2
3
4
5

						# allow group _chrony to read the directory ntp_signd
sudo chown root:_chrony /var/lib/samba/ntp_signd/
 
# change the permission of the directory ntp_signd
sudo chmod 750 /var/lib/samba/ntp_signd/

Update Chrony

add the following to /etc/chrony/chrony.conf

# bind the chrony service to IP address of the Samba AD
bindcmdaddress 192.168.0.254

# allow clients on the network to connect to the Chrony NTP server
allow 192.168.0.0/24

# specify the ntpsigndsocket directory for the Samba AD
ntpsigndsocket /var/lib/samba/ntp_signd

# bind the chrony service to IP address of the Samba AD

bindcmdaddress 192.168.0.254

# allow clients on the network to connect to the Chrony NTP server

allow 192.168.0.0/24

# specify the ntpsigndsocket directory for the Samba AD

ntpsigndsocket /var/lib/samba/ntp_signd

Then restart Chrony and get it’s status

# restart chronyd service
sudo systemctl restart chronyd

# verify chronyd service status
sudo systemctl status chronyd

				1
2
3
4
5

						# restart chronyd service
sudo systemctl restart chronyd
 
# verify chronyd service status
sudo systemctl status chronyd

Verifying Samba Active Directory

Run the following to verify

# verify domain example.lan
host -t A cn.lan

# verify domain dc1.example.lan
host -t A dc1.cn.lan

				1
2
3
4
5

						# verify domain example.lan
host -t A cn.lan
 
# verify domain dc1.example.lan
host -t A dc1.cn.lan

Then verify the Kerberos and ldap services

# verify SRV record for _kerberos
host -t SRV _kerberos._udp.cn.lan

# verify SRV record for _ldap
host -t SRV _ldap._tcp.cn.lan

				1
2
3
4
5

						# verify SRV record for _kerberos
host -t SRV _kerberos._udp.cn.lan
 
# verify SRV record for _ldap
host -t SRV _ldap._tcp.cn.lan

Then verify the Samba resources

# verify SRV record for _kerberos
host -t SRV _kerberos._udp.cn.lan

# verify SRV record for _ldap
host -t SRV _ldap._tcp.cn.lan

				1
2
3
4
5

						# verify SRV record for _kerberos
host -t SRV _kerberos._udp.cn.lan
 
# verify SRV record for _ldap
host -t SRV _ldap._tcp.cn.lan

Lastly KINIT

# authenticate to Kerberos using administrator (MUST BE IN CAPS)
kinit administrator@CN.LAN

# verify list cached Kerberos tickets
klist

				1
2
3
4
5

						# authenticate to Kerberos using administrator (MUST BE IN CAPS)
kinit administrator@CN.LAN
 
# verify list cached Kerberos tickets
klist

Create your first user (Optional)

The reason why this is optional, is you have more options when adding a user through the Remote Server Administration Tools (RSAT) on Windows.

# create a new user in Samba
sudo samba-tool user create mkoster

# checking users on Samba
sudo samba-tool user list

# create a new user in Samba

sudo samba-tool user create mkoster

# checking users on Samba

sudo samba-tool user list

Windows Setup

PreCheck

Set Computer Name
Set DNS/IP, The first DNS should be your Samba Server set up above

Verify DNS resolver

# In Powershell
Get-DnsClientServerAddress

# ping the AD domain dc1.cn.lan
ping dc1.cn.lan

# ping the AD domain cn.lan
ping cn.lan

# In Powershell

Get-DnsClientServerAddress

# ping the AD domain dc1.cn.lan

ping dc1.cn.lan

# ping the AD domain cn.lan

ping cn.lan

Add Server to Directory

# add Windows 10 to Active Directory using POWERSHELL
Add-Computer -DomainName "cn.lan" -Restart

1 2	# add Windows 10 to Active Directory using POWERSHELL Add-Computer -DomainName "cn.lan" -Restart

After restart login as domain user

Install RSAT to administer domain from Windows

Download RSAT tools x64

Download RSAT tools x86

Linux Setup

Precheck

On Ubuntu, you may need to add the Universe repositories

sudo add-apt-repository universe sudo add-apt-repository multiverse sudo apt update

1
2
3

sudo add-apt-repository universe
sudo add-apt-repository multiverse
sudo apt update

Set Hostname

sudo hostnamectl set-hostname fedora.cn.lan

				1

						sudo hostnamectl set-hostname fedora.cn.lan

Modify Resolved info

On Fedora edit the Resolved config (This works on Ubuntu as well, old editions you may need to change the /etc/resolv.conf file)

vi /etc/systemd/resolved.conf

#add the following
[Resolve]
DNS=192.168.0.254 9.9.9.9 8.8.8.8

sudo systemctl restart systemd-resolved

vi /etc/systemd/resolved.conf

#add the following

[Resolve]

DNS=192.168.0.254 9.9.9.9 8.8.8.8

sudo systemctl restart systemd-resolved

Install required packages (Ubuntu Only)

For Ubuntu Only

sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

				1

						sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Discover the Domain (Optional)

sudo realm discover cn.lan

				1

						sudo realm discover cn.lan

Join the Domain

sudo realm join -U Administrator cn.lan

1	sudo realm join -U Administrator cn.lan

Restart and you will be able to login as Domain user