Bankim Bhagat

Install Samba Active Directory on Ubuntu 20.04/22.04

Updated: Mar 12

Introduction

Do you need a centralised user authentication server but don't want to pay additional licensing costs? Samba is Free and Open Source Software (FOSS) that can be used to achieve the same. Earlier Samba only had file sharing and printer sharing capabilities, but Samba 4.0 introduced Active Directory Domain Controller capabilities.

This tutorial will teach you how to install Samba Active Directory on an Ubuntu Desktop or Server 20.04 or 22.04.


Prerequisites

  • An Ubuntu 20.04 server (the server's name will be ad, the domain will be example.lan, and its IP address is 192.168.21.3).

  • A user account with sudo privileges.

  • A Windows 10 / 11 Pro computer on the same network as the Ubuntu server.

Set Up Server Hostname

Set up the server's identity in the network by assigning the server's hostname and FQDN (Fully Qualified Domain Name).

Open a terminal on Ubuntu with the ctrl + alt + t shortcut and set the hostname with the following command (changing the hostname needs root privileges):

# set up the hostname
sudo hostnamectl set-hostname ad

Edit the /etc/hosts file using the nano text editor:

sudo nano /etc/hosts

Add the following lines to the bottom of the file, then save (ctrl + o) and exit (ctrl + x):

# setup FQDN ad.example.lan
192.168.21.3    ad.example.lan    ad

Verify the FQDN of the Samba server and that it resolves to the server's own address:

# verify FQDN
hostname -f
# verify FQDN is resolved to the Samba IP address
ping -c3 ad.example.lan


Disabling the DNS Resolver

The systemd-resolved service controls the DNS configuration and is not suitable for a Samba Active Directory DC, which provides its own DNS server for the domain. We need to disable the systemd-resolved service and replace the /etc/resolv.conf file it manages.


Disable and stop the systemd-resolved service:

# stop and disable systemd-resolved service
sudo systemctl disable --now systemd-resolved

Remove the symbolic link /etc/resolv.conf (it points at the stub resolver file that systemd-resolved maintains):

# remove the symlink file /etc/resolv.conf
sudo unlink /etc/resolv.conf

Now create a new /etc/resolv.conf file (root privileges are needed to write to /etc):

# create a new /etc/resolv.conf file
sudo touch /etc/resolv.conf

Add the following lines to the /etc/resolv.conf file (sudo nano /etc/resolv.conf). The Samba server must be listed first so the DC resolves its own domain; the second entry is only a fallback for names outside the domain:

# Samba server IP address
nameserver 192.168.21.3

# fallback resolver
nameserver 1.1.1.1

# main domain for Samba
search example.lan



Make the /etc/resolv.conf file immutable, so that no process can overwrite it (a DHCP client or network manager would otherwise be able to replace it):

# add attribute immutable to the file /etc/resolv.conf
sudo chattr +i /etc/resolv.conf
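Here is an added shell example, not part of the original post, that renders the resolv.conf contents above and verifies that a given file lists the DC as the first nameserver and carries the AD search domain, which is what breaks most often when a stub resolver or a DHCP client is left in charge. It assumes the values used in this tutorial (DC 192.168.21.3, fallback 1.1.1.1, domain example.lan); the file contents it checks against in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: render and verify the resolver
# configuration a Samba AD DC needs. Assumed values: DC IP 192.168.21.3,
# fallback resolver 1.1.1.1, AD domain example.lan.
set -u

# Print resolv.conf contents for a DC address, fallback resolver and domain.
# Usage (before chattr +i):
#   render_resolv_conf 192.168.21.3 1.1.1.1 example.lan | sudo tee /etc/resolv.conf
render_resolv_conf() {
    local dc_ip="$1" fallback="$2" domain="$3"
    printf '# Samba server IP address\nnameserver %s\n\n' "$dc_ip"
    printf '# fallback resolver\nnameserver %s\n\n' "$fallback"
    printf '# main domain for Samba\nsearch %s\n' "$domain"
}

# Verify a resolv.conf: the FIRST nameserver must be the DC itself (a
# systemd-resolved stub such as "nameserver 127.0.0.53" left here means the
# DC's own SRV records are never asked for) and the search list must include
# the AD domain. Returns 0 if both hold, 1 otherwise, reason on stderr.
# Usage: check_resolv_conf /etc/resolv.conf 192.168.21.3 example.lan
check_resolv_conf() {
    local file="$1" dc_ip="$2" domain="$3" first_ns
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$file")
    if [ -z "$first_ns" ]; then
        echo "no nameserver line in $file" >&2; return 1
    fi
    if [ "$first_ns" != "$dc_ip" ]; then
        echo "first nameserver is $first_ns, expected the DC $dc_ip" >&2; return 1
    fi
    if ! awk -v d="$domain" '$1 == "search" { for (i = 2; i <= NF; i++) if ($i == d) f = 1 } END { exit !f }' "$file"; then
        echo "search list in $file does not include $domain" >&2; return 1
    fi
    return 0
}

# Report whether chattr +i is set on a file: 0 = immutable, 1 = not,
# 2 = lsattr unavailable or the filesystem does not support attributes.
is_immutable() {
    local attrs
    attrs=$(lsattr -d "$1" 2>/dev/null) || return 2
    case "${attrs%% *}" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}
```

Run check_resolv_conf against /etc/resolv.conf after the chattr step; a non-zero exit with "first nameserver is 127.0.0.53" is the usual sign that systemd-resolved was not really disabled or the symlink came back.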

Installing Samba


Refresh the Ubuntu server's package index:

sudo apt update

Install Samba with all dependencies (Kerberos, winbind, chrony for time synchronisation and the DNS tools used for verification):

sudo apt install -y acl attr samba samba-dsdb-modules samba-vfs-modules smbclient winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools

Partway through the installation a dialog will ask for the default Kerberos Version 5 realm. Enter the domain name in upper case:

Default Kerberos Version 5 realm: EXAMPLE.LAN


Configure the Samba AD DC Service

Ubuntu enables the classic file-server daemons by default; an AD DC runs as the single samba-ad-dc service instead, so swap them:

# stop and disable samba services - smbd, nmbd, and winbind
sudo systemctl disable --now smbd nmbd winbind

# activate samba-ad-dc service
sudo systemctl unmask samba-ad-dc

# enable samba-ad-dc service
sudo systemctl enable samba-ad-dc

Provision the Domain

Move the distribution's default smb.conf aside first; provisioning generates its own, and the package default gets in the way:

# backup default Samba configuration file
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

# provisioning Samba Active Directory (interactive)
sudo samba-tool domain provision

The tool asks for the realm (EXAMPLE.LAN), the NetBIOS domain name (EXAMPLE), the server role (dc), the DNS backend (SAMBA_INTERNAL), a DNS forwarder address for names outside the domain, and the Administrator password. Administrator is the most privileged account in the domain, so choose a strong password; the tool enforces the default AD complexity rules.

Configure Kerberos

Provisioning writes a krb5.conf that matches the new realm. Replace the one the krb5-config package installed:

# rename default Kerberos configuration to krb5.conf.orig
sudo mv /etc/krb5.conf /etc/krb5.conf.orig

# copy the Kerberos configuration generated by the samba-tool
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

Start Samba

# start samba-ad-dc service
sudo systemctl start samba-ad-dc

# verify samba-ad-dc service
sudo systemctl status samba-ad-dc



Configure Time Synchronisation with Chrony

Kerberos rejects tickets when clocks differ by more than a small skew (5 minutes by default), so the DC should be the time source for domain members. Samba exposes a socket in /var/lib/samba/ntp_signd that lets chrony sign NTP replies for Windows clients; give the chrony service read access to it and nobody else:

# allow group _chrony to read the directory ntp_signd
sudo chown root:_chrony /var/lib/samba/ntp_signd/

# change the permission of the directory ntp_signd
sudo chmod 750 /var/lib/samba/ntp_signd/

Then edit the chrony configuration (sudo nano /etc/chrony/chrony.conf) and add the following lines:

# bind chrony's command socket to the IP address of the Samba AD
bindcmdaddress 192.168.21.3

# allow clients on the local network only to query the Chrony NTP server
allow 192.168.21.0/24

# specify the ntpsigndsocket directory for the Samba AD
ntpsigndsocket /var/lib/samba/ntp_signd

Restart chrony and check that it came up cleanly:

# restart chronyd service
sudo systemctl restart chronyd

# verify chronyd service status
sudo systemctl status chronyd
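As an added example (not from the original post), the following shell functions check the chrony settings and the ntp_signd permissions described above, so a misconfigured allow line or a world-readable signing directory is caught before clients depend on it. It assumes Ubuntu's chrony configuration path /etc/chrony/chrony.conf, the DC address 192.168.21.3 and the group _chrony; the configuration snippets it is exercised with are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: verify the chrony directives and
# the signing-socket directory permissions a Samba AD DC needs.
# Assumptions: /etc/chrony/chrony.conf, DC IP 192.168.21.3, group _chrony.
set -u

# Print the value of a chrony directive (first occurrence) from a config file.
chrony_directive() {
    local file="$1" key="$2"
    awk -v k="$key" '$1 == k { print $2; exit }' "$file"
}

# Check the three directives the setup adds:
#  - bindcmdaddress must be the DC address
#  - allow must name a client network; a bare "allow" or 0.0.0.0/0 opens the
#    NTP server to everyone who can reach it
#  - ntpsigndsocket must point at Samba's signing directory
# Usage: check_chrony_conf /etc/chrony/chrony.conf 192.168.21.3 /var/lib/samba/ntp_signd
check_chrony_conf() {
    local file="$1" dc_ip="$2" signd_dir="$3" v
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    v=$(chrony_directive "$file" bindcmdaddress)
    [ "$v" = "$dc_ip" ] || { echo "bindcmdaddress is '$v', expected $dc_ip" >&2; return 1; }
    v=$(chrony_directive "$file" allow)
    case "$v" in
        ""|all|0.0.0.0/0|0/0|::/0)
            echo "allow '$v' is missing or unrestricted" >&2; return 1 ;;
    esac
    v=$(chrony_directive "$file" ntpsigndsocket)
    [ "$v" = "$signd_dir" ] || { echo "ntpsigndsocket is '$v', expected $signd_dir" >&2; return 1; }
    return 0
}

# Check that a directory has the owner, group and mode the chown/chmod steps
# set (root:_chrony, 750): only root and the chrony group may enter it.
# Usage: check_signd_dir /var/lib/samba/ntp_signd root _chrony
check_signd_dir() {
    local dir="$1" owner="$2" group="$3"
    [ -d "$dir" ] || { echo "$dir does not exist" >&2; return 1; }
    # GNU stat: access mode in octal, owner name, group name
    set -- $(stat -c '%a %U %G' "$dir")
    [ "$1" = "750" ]    || { echo "$dir mode is $1, expected 750" >&2; return 1; }
    [ "$2" = "$owner" ] || { echo "$dir owner is $2, expected $owner" >&2; return 1; }
    [ "$3" = "$group" ] || { echo "$dir group is $3, expected $group" >&2; return 1; }
    return 0
}
```

On the DC, run check_chrony_conf and check_signd_dir with the paths above after the chronyd restart; both print the first mismatch they find and exit 1.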



Verify DNS and Services

The internal DNS server must answer for the domain and publish the SRV records that clients use to locate the DC's Kerberos and LDAP services:

# verify domain example.lan
host -t A example.lan

# verify domain ad.example.lan
host -t A ad.example.lan

# verify SRV record for _kerberos
host -t SRV _kerberos._udp.example.lan

# verify SRV record for _ldap
host -t SRV _ldap._tcp.example.lan

List the shares the DC offers (netlogon and sysvol) with an anonymous connection:

# checking available resources on Samba AD
smbclient -L example.lan -N
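Reading SRV answers by eye is error-prone, so here is an added shell example (not from the original post) that parses the output of host -t SRV and confirms each record advertises the expected port on the DC itself rather than some other host. It assumes the DC FQDN ad.example.lan and domain example.lan from this tutorial; the sample answer line in the comments is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: parse `host -t SRV` output and
# check that the records point at the DC on the expected ports.
# Assumed DC FQDN: ad.example.lan, domain: example.lan.
set -u

# Read `host -t SRV` output on stdin; succeed if at least one record targets
# <target> on <port>. A constructed sample answer line looks like:
#   _kerberos._udp.example.lan has SRV record 0 100 88 ad.example.lan.
# (fields: name, "has SRV record", priority, weight, port, target)
# NXDOMAIN or empty output never matches, so a missing record fails.
check_srv_output() {
    local port="$1" target="$2"
    awk -v p="$port" -v t="$target" '
        $2 == "has" && $3 == "SRV" && $4 == "record" {
            tgt = $8; sub(/\.$/, "", tgt)      # drop the trailing dot
            if ($7 == p && tgt == t) found = 1
        }
        END { exit !found }'
}

# Query the records an AD client relies on and check each one. Needs the
# host command (dnsutils) and a reachable DC, so it is not run offline.
# Usage: verify_dc_srv example.lan ad.example.lan
verify_dc_srv() {
    local domain="$1" dc="$2" rc=0 entry name port
    for entry in _kerberos._udp:88 _kerberos._tcp:88 _ldap._tcp:389 _kpasswd._tcp:464; do
        name="${entry%:*}.$domain"
        port="${entry#*:}"
        if host -t SRV "$name" | check_srv_output "$port" "$dc"; then
            echo "ok   $name -> $dc:$port"
        else
            echo "FAIL $name does not advertise $dc:$port" >&2
            rc=1
        fi
    done
    return $rc
}
```

A record that resolves but names a different target than the DC is worth investigating before joining clients: members will send Kerberos and LDAP traffic wherever the SRV record points.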



Verify Kerberos and Create a User

Request a ticket for the Administrator account (the realm must be upper case) and list the cached tickets:

# authenticate to Kerberos using administrator
kinit administrator@EXAMPLE.LAN

# verify list cached Kerberos tickets
klist

Create a first domain user. Passing the password on the command line, as below, leaves it in your shell history and visible to other users in the process list; omit it and samba-tool will prompt for it instead.

# create a new user in Samba
sudo samba-tool user create bkm bkm_password22

# checking users on Samba
sudo samba-tool user list
