
Inclusion of the Ubuntu-based Samba server in the AD domain

Our previous article examined what Active Directory and Samba are and what the advantages of using them together are. It also went through building Samba from source and joining it to the domain, all from the command line. It should be recognized that building from source is not common practice in modern Linux distributions: software is more often installed from repositories, which makes installation friendlier and easier for the user and automatically pulls in the additional packages the installed software depends on, so there is no need to study lists of prerequisite packages. There is also a trend towards the widespread use of graphical interfaces. One can debate the pros and cons at length, but the fact remains that a growing number of users and even system administrators prefer the GUI for a significant number of tasks. In this article we look at installing Samba from the repositories and joining it to the domain using the command line, and then at joining the domain through the graphical interface of the SADMS utility.
According to Openstat statistics, Ubuntu is 4th in the list of the most popular operating systems for web servers, and its popularity is growing rapidly. In our case the distribution is Ubuntu Server 12.04 LTS, which can be downloaded from the official Ubuntu website.

1. Including an Ubuntu-based Samba server in the AD domain using the command line

To begin, consider joining an Ubuntu-based server to the AD domain using the command line. The process is described in detail in the documentation on the Ubuntu site.

2. Installing updates and the necessary packages.

We need Kerberos, Samba and Winbind. Before installing them, it is recommended to upgrade the system:
 sudo apt-get update
 sudo apt-get upgrade

After successfully installing the updates, we install Kerberos, Samba and Winbind:
 sudo apt-get install krb5-user samba winbind

In this command:
krb5-user is the package for the Kerberos protocol, which is used for authentication in Windows;
samba allows the machine to become a member of the domain;
winbind allows user accounts from Active Directory to be used.
When using the GUI, you can use the Synaptic package manager. Note that Ubuntu Server 12.04 LTS has no graphical interface by default; it can be installed separately if necessary:
 sudo apt-get install ubuntu-desktop 

After that, you need to configure all the components to work with the domain. The test domain is called LAB.LOCAL, the domain controller is lab-dc1.lab.local with IP 192.168.7.2, and the server name is testubuntu.
3. DNS Setup

First of all, configure DNS on the Ubuntu host (the DNS server will be the domain controller) and set the correct search domain. To do this, edit the /etc/resolv.conf file so that it contains the following:
 domain lab.local
 search lab.local
 nameserver 192.168.7.2

To apply the changes, you must restart the network service:
 /etc/init.d/networking restart 

You should also make sure that the server name in the /etc/hostname file is correct:
 testubuntu
You also need to edit the /etc/hosts file so that it contains an entry with the fully qualified domain name of the computer together with its short host name, pointing to one of the internal IPs:
 127.0.0.1 localhost
 127.0.1.1 testubuntu.lab.local testubuntu


4. Setting up time synchronization.

The next step is to set up time synchronization with the domain controller. Do not forget this step: if the clocks differ by more than five minutes, Kerberos will not issue a ticket.
If there is an accurate time server on the network, you can use it, or any public one:
 ntpdate ntp.mobatime.ru

Automatic synchronization is configured using ntpd; this daemon will periodically resynchronize the clock. First install it:
 sudo apt-get install ntp

Now you need to make changes to the /etc/ntp.conf file, adding the time server to it:
 # You do need to talk to an NTP server or two (or three).
 server lab-dc1.lab.local

Then you need to restart the ntpd daemon:
 sudo /etc/init.d/ntp restart 


5. Configuring Kerberos.

The next step is to configure authentication via the Kerberos protocol. You will need to edit the /etc/krb5.conf file. The result of the edits is shown below:
 [libdefaults]
  default_realm = LAB.LOCAL
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
  v4_instance_resolve = false
  v4_name_convert = {
   host = {
    rcmd = host
    ftp = ftp
   }
   plain = {
    something = something-else
   }
  }
  fcc-mit-ticketflags = true

 [realms]
  LAB.LOCAL = {
   kdc = lab-dc1
   admin_server = lab-dc1
   default_domain = LAB.LOCAL
  }

 [domain_realm]
  .lab.local = LAB.LOCAL
  lab.local = LAB.LOCAL

 [login]
  krb4_convert = false
  krb4_get_tickets = false

At this stage you can verify that you can log in to the domain. To do this, use the following command:
 kinit user@LAB.LOCAL 

Instead of user you must, of course, enter the name of an existing domain user. The realm name must be written in capital letters!
If the command produced no errors, everything is correct and the domain has issued you a Kerberos ticket. You can confirm that the ticket was received by running the command:
 klist 

You can delete all tickets with the command
 kdestroy 

So, assuming the authentication was successful, it is time to configure the domain join itself.
Another file of interest is /etc/samba/smb.conf. We need its [global] section. Below is an example of a portion of the Samba configuration file with comments on the meaning of the important parameters:
 [global]
 # NetBIOS name of the domain (workgroup) and the Kerberos realm
 workgroup = LAB
 realm = LAB.LOCAL

 # Authenticate against Active Directory
 security = ADS
 encrypt passwords = true
 # Do not act as a DNS proxy
 dns proxy = no
 socket options = TCP_NODELAY

 # This machine is an ordinary domain member, not a domain controller
 # and not a master browser
 domain master = no
 local master = no
 preferred master = no
 os level = 0
 domain logons = no

 # Disable printing support
 load printers = no
 show add printer wizard = no
 printcap name = /dev/null
 disable spoolss = yes

After editing smb.conf, run the command
 testparm 

It will check the configuration for errors and print a summary:
 # testparm
 Load smb config files from /etc/samba/smb.conf
 Loaded services file OK.
 Server role: ROLE_DOMAIN_MEMBER
 Press enter to see a dump of your service definitions
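As an added check that is not part of the article, the following Python script parses krb5.conf and the smb.conf [global] section and reports the mismatches that most often break kinit and net ads join: a lowercase realm, a realm that differs from default_realm, a missing [domain_realm] mapping, or a security mode other than ADS. The parser, the check function and the sample files (GOOD_SMB, GOOD_KRB5, BAD_SMB) are constructed for this example and mirror the LAB.LOCAL settings above.

```python
import re

def parse_ini(text):
    """Minimal smb.conf / krb5.conf parser -> {section: {key: value}}, keys lowercased.
    krb5.conf braces are flattened, so 'kdc' inside 'LAB.LOCAL = {' ends up in [realms]."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line or line == "}":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            current[key.strip().lower()] = val.strip().rstrip("{").strip()
    return sections

def check_domain_member(smb_text, krb5_text):
    """List the problems that would break 'net ads join' or kinit for the settings the article relies on."""
    smb, krb = parse_ini(smb_text).get("global", {}), parse_ini(krb5_text)
    realm, workgroup, problems = smb.get("realm", ""), smb.get("workgroup", ""), []
    if smb.get("security", "").lower() != "ads":
        problems.append("security must be ADS for AD membership")
    if not realm or realm != realm.upper():
        problems.append("realm must be the Kerberos realm written in capital letters")
    if not 1 <= len(workgroup) <= 15:                             # NetBIOS name limit
        problems.append("workgroup is a NetBIOS name: 1 to 15 characters")
    if krb.get("libdefaults", {}).get("default_realm") != realm:
        problems.append("krb5.conf default_realm does not match smb.conf realm")
    realms = krb.get("realms", {})
    if realm.lower() not in realms or "kdc" not in realms:
        problems.append("krb5.conf [realms] needs a kdc entry for the realm")
    dr = krb.get("domain_realm", {})
    if dr.get(realm.lower()) != realm or dr.get("." + realm.lower()) != realm:
        problems.append(f"krb5.conf [domain_realm] must map {realm.lower()} and .{realm.lower()} to {realm}")
    for key in ("domain master", "local master", "preferred master", "domain logons"):
        if smb.get(key, "").lower() not in ("no", "false", "0"):
            problems.append(f"'{key} = no' expected on a domain member")
    return problems

# Constructed sample files mirroring the article's LAB.LOCAL example (not copied from a live host).
GOOD_SMB = "\n".join(["[global]", "workgroup = LAB", "realm = LAB.LOCAL", "security = ADS", "domain master = no",
                      "local master = no", "preferred master = no", "domain logons = no"])
GOOD_KRB5 = "\n".join(["[libdefaults]", "default_realm = LAB.LOCAL", "[realms]", "LAB.LOCAL = {", "  kdc = lab-dc1",
                       "}", "[domain_realm]", ".lab.local = LAB.LOCAL", "lab.local = LAB.LOCAL"])
# The same smb.conf with the two mistakes the article warns about: lowercase realm and a non-ADS security mode.
BAD_SMB = GOOD_SMB.replace("realm = LAB.LOCAL", "realm = lab.local").replace("security = ADS", "security = user")
```

Run check_domain_member on the real files (open("/etc/samba/smb.conf").read(), open("/etc/krb5.conf").read()) before net ads join; an empty list means the settings the article depends on are consistent.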

As you can see, the parameters required for the computer to become a domain member are set. Now it's time to actually join the domain. To do this, use the following command:
 net ads join -U admin -D LAB 

If successful, the output of the command should look something like this:
 # net ads join -U admin -D LAB
 Enter admin's password:
 Using short domain name — LAB
 Joined 'testubuntu' to realm 'lab.local'


6. Parameters used by the net command

  1. -U username%password is a required parameter; instead of admin, substitute a username with domain administrator rights and specify the password.
  2. -D DOMAIN: DOMAIN is the domain itself; it can be omitted, but it is better to always specify it, just to be safe.
  3. -S win_domain_controller: win_domain_controller can be omitted, but there are cases where the server does not find the domain controller automatically.
  4. createcomputer="OU/OU/…": OUs (Organizational Units) are often used in AD; for example, OU=Office is in the root of the domain and OU=Cabinet inside it. To add the computer directly to the desired OU, specify it as follows:
      sudo net ads join -U username createcomputer="Office/Cabinet"

If there are no further messages, everything went well.
Try pinging the server by name from another domain member to make sure everything in the domain is working properly.
You can also use the command
 net ads testjoin 

If there are no problems, the output of the command will be as follows:
 # net ads testjoin
 Join is OK

But sometimes after the message about joining the domain you get the following error:
 DNS update failed! 

Before investigating why DNS is not being updated, reboot the computer after joining the domain! This may well solve the problem.
If this does not help, check the DNS settings again: they are very likely the cause. After that, remove the computer from the domain and repeat the process.
If everything went smoothly, the computer has been successfully joined to the domain. You can go to the domain controller and see it there.
If you need to work with domain users in some way, for example to configure SMB shares with access control, then in addition to Samba itself you will also need Winbind, a special daemon that connects the local Linux user and group management system to the Active Directory server.
Simply put, Winbind is needed if you want to see domain users on your Ubuntu computer.
Winbind allows you to map all AD users and groups into your Linux system by assigning them IDs from a specified range. Thus you can make domain users the owners of folders and files on your computer and perform any other user- and group-related operations.
To configure Winbind, the same /etc/samba/smb.conf file is used. Add the following lines to the [global] section:
 # Winbind settings.
 # Range of IDs assigned to domain users and groups.
 idmap uid = 10000-40000
 idmap gid = 10000-40000
 # Allow listing of domain groups and users.
 winbind enum groups = yes
 winbind enum users = yes
 # Use the default domain for user names, so that a domain user can be
 # referred to as "user" rather than "DOMAIN\user".
 winbind use default domain = yes
 # Shell given to domain users; without this setting they get /bin/false
 template shell = /bin/bash
 # Let pam_winbind.so refresh Kerberos tickets
 winbind refresh tickets = yes

Now restart the Winbind daemon and Samba in the following order:
 sudo /etc/init.d/winbind stop
 sudo service smbd restart
 sudo /etc/init.d/winbind start

After restarting, verify that Winbind has established a trust relationship with AD using the command
 wbinfo -t

and also that Winbind can see users and groups from AD, using the commands
 wbinfo -u
 wbinfo -g

These two commands should produce a list of users and groups from the domain, respectively.
So, Winbind works, but it is not yet integrated into the system.
In order for your Ubuntu to work transparently with domain users (in particular, so that you can assign domain users as owners of folders and files), you must tell Ubuntu to use Winbind as an additional source of information about users and groups.
To do this, change two lines in the /etc/nsswitch.conf file:
 passwd: compat
 group: compat

adding winbind to them at the end:
 passwd: compat winbind
 group: compat winbind

Now check that Ubuntu requests user and group information from Winbind by running
 getent passwd
 getent group

The first command should return the whole contents of your /etc/passwd, that is, your local users, plus the domain users with IDs from the range you specified in smb.conf. The second should do the same for groups.
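As an added example that is not from the article, the following Python script checks the Winbind integration described in the idmap and nsswitch steps above: that nsswitch.conf lists winbind for both passwd and group, that every account getent returns beyond /etc/passwd got an ID from the idmap range, and that no local account sits inside that range (a local uid inside the range can collide with a mapped domain user, making file ownership ambiguous). All inputs are constructed; the local account svc_backup is deliberately placed inside the range to show the collision finding.

```python
# Constructed sample data for the article's setup (not captured from a real host).
NSSWITCH_CONF = "passwd:         compat winbind\ngroup:          compat winbind\nhosts:          files dns\n"
ETC_PASSWD = "root:x:0:0:root:/root:/bin/bash\nadmin:x:1000:1000:Admin:/home/admin:/bin/bash\nsvc_backup:x:10005:10005::/var/backups:/bin/false\n"
GETENT_PASSWD = ETC_PASSWD + "ivanov:*:10001:10000::/home/LAB/ivanov:/bin/bash\npetrov:*:10002:10000::/home/LAB/petrov:/bin/bash\n"
IDMAP_RANGE = (10000, 40000)   # the 'idmap uid' / 'idmap gid' range from smb.conf

def parse_passwd(text):
    """Parse passwd-format lines (from /etc/passwd or 'getent passwd') into {name: uid}."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users

def nss_has_winbind(nsswitch_text):
    """Return True when both the passwd and group databases list winbind as a source."""
    sources = {}
    for line in nsswitch_text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            db, _, srcs = line.partition(":")
            sources[db.strip()] = srcs.split()
    return all("winbind" in sources.get(db, []) for db in ("passwd", "group"))

def check_winbind_ids(nsswitch_text, local_passwd, getent_output, idmap_range):
    """Problems with the Winbind integration the article describes:
    winbind missing from nsswitch, local accounts inside the idmap range (ownership collision),
    or domain accounts that did not get an ID from the range."""
    low, high = idmap_range
    local, merged = parse_passwd(local_passwd), parse_passwd(getent_output)
    problems = []
    if not nss_has_winbind(nsswitch_text):
        problems.append("nsswitch.conf: passwd and group must list winbind")
    for name, uid in local.items():
        if low <= uid <= high:
            problems.append(f"local user {name} (uid {uid}) lies inside the idmap range; a domain user may be mapped to the same uid")
    domain_users = {n: u for n, u in merged.items() if n not in local}   # accounts supplied by winbind
    for name, uid in domain_users.items():
        if not low <= uid <= high:
            problems.append(f"domain user {name} has uid {uid} outside the idmap range")
    if not domain_users:
        problems.append("getent passwd returned no domain users: winbind is not supplying accounts")
    return problems
```

On a real host feed it the contents of /etc/nsswitch.conf and /etc/passwd plus the output of getent passwd; the same logic applies to groups with getent group and the idmap gid range.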

The inclusion of an Ubuntu-based Samba server in the AD domain using a graphical interface and SADMS.

Perhaps at home, or when in a hurry, you will want to perform all these manipulations in graphical mode. For this purpose there is the SADMS package, about which there is information on the Ubuntu site. And on the site you can find out everything about this package and download it. Let's look at the package interface:

Fig. 1. General view of the main tab.

It displays the status of winbind, smb and nmb, and there is an indication of the connection of the computer to the domain.

Fig. 2. Run smb and nmb.


Fig. 3. “Data” tab.

Here we specify the data that will be used to connect to the domain. By default the fields are filled in with example values by the developers. The developers of the package are French, so don't be confused by examples like "administrateur" instead of the usual "Administrator".


Fig. 4. Automatic capture of the parameters.

Click "Determine" and some parameters are picked up automatically. The rest have to be filled in manually. All these parameters were used when configuring from the command line.


Fig. 5. Filling in the remaining fields.

Fill in the fields. Pay special attention here: the NetBIOS domain name must be written in CAPITAL letters, otherwise you get a Kerberos error, as happened in this case. If everything is filled in correctly, click "Install" and SADMS joins the machine to the domain.


Fig. 6. The machine has been joined to the domain successfully.


Fig. 7. The "Checks" menu.

From the "Checks" menu we can run tests of various operations. You can also run all these tests from the command line, as described earlier.


Fig. 8. Example output of the domain membership test.


Fig. 9. Network test results.


Fig. 10. Checking that the machine is visible on the domain controller.

The server appears in the list of domain machines along with our other servers.
So, we have reviewed installing Samba and joining it to the domain, using both the command line and the graphical interface. The graphical interface seriously speeds up and simplifies the configuration, but it does not let you understand the whole mechanics of the process and can also seriously complicate troubleshooting. The CLI (Command Line Interface), on the other hand, gives absolute control over everything but is much less user friendly and assumes some working skills. Which way to go is up to you.

Source: https://habr.com/ru/post/171057/

