# Samba Active Directory

[TOC]

## Software Needed

### Kerberos

- [Kerberos]()

### Client AD software

- [realmd](https://www.freedesktop.org/software/realmd/docs/guide-active-directory-client.html)
- sssd
- winbind

## Server Setup (Ubuntu 20.04)

> Reference: https://adamtheautomator.com/samba-active-directory/

- User management (create and list domain users)

```bash=
sudo samba-tool user create <username>
sudo samba-tool user list
```

### SOP

> Ref: [How to Perform a Samba Active Directory Install on Linux (Ubuntu 20.04)]

Set the DC's hostname to its FQDN and map it in `/etc/hosts`:

```shell=
sudo hostnamectl set-hostname sambaad.pearl.lan
sudo vi /etc/hosts
```

```
10.22.149.11 sambaad.pearl.lan sambaad
```

```shell=
hostname -f
ping -c3 sambaad.pearl.lan
```

Point the DC's resolver at itself (Samba's internal DNS) and lock `/etc/resolv.conf` so it is not rewritten:

```shell=
sudo systemctl disable --now systemd-resolved
sudo unlink /etc/resolv.conf
sudo vi /etc/resolv.conf
```

```
nameserver 10.22.149.11
nameserver 163.22.2.2
search pearl.lan
```

```shell=
sudo chattr +i /etc/resolv.conf
```

> To make the file editable again: `sudo chattr -i /etc/resolv.conf`

```shell=
sudo apt update
sudo apt install -y acl attr samba samba-dsdb-modules samba-vfs-modules smbclient winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools
```

> To redo the Kerberos realm prompts: `sudo dpkg-reconfigure krb5-config`

A DC runs the single `samba-ad-dc` service, so the member-server daemons must be disabled:

```shell=
sudo systemctl disable --now smbd nmbd winbind
sudo systemctl unmask samba-ad-dc
sudo systemctl enable samba-ad-dc
```

```shell=
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
sudo samba-tool domain provision
```

> - Realm, Domain, Server role, DNS backend: press Enter to accept the defaults.
> - DNS forwarder: 163.22.2.2
> - Set the administrator password.
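As an added check before starting the DC (example code written for this page, not from the original guide or from Samba): a POSIX sh script that derives the realm and workgroup from the DC's FQDN and confirms that `/etc/hosts`, `/etc/resolv.conf` and the provisioned `/etc/samba/smb.conf` all agree on the FQDN, the DC's IP and the DNS forwarder. It assumes the values used above (`sambaad.pearl.lan`, `10.22.149.11`, `163.22.2.2`); the file paths are parameters so it can also be run against copies.

```shell
#!/bin/sh
# Added example, not from the original page: check the files edited above before
# "systemctl start samba-ad-dc". Paths are parameters so copies can be checked too.

# realm_from_fqdn sambaad.pearl.lan -> PEARL.LAN (everything after the host label)
realm_from_fqdn() {
    printf '%s\n' "${1#*.}" | tr '[:lower:]' '[:upper:]'
}
# workgroup_from_realm PEARL.LAN -> PEARL (the NetBIOS domain name is the first label)
workgroup_from_realm() {
    printf '%s\n' "${1%%.*}"
}
# hosts_has_entry HOSTSFILE IP FQDN: the DC's own IP must map to its FQDN
hosts_has_entry() {
    awk -v ip="$2" -v h="$3" '$1 == ip { for (i = 2; i <= NF; i++) if ($i == h) ok = 1 }
                              END { exit !ok }' "$1"
}
# resolv_points_to_self RESOLVCONF IP DOMAIN: the first nameserver must be the DC
# itself (Samba's internal DNS) and the search domain must be the AD DNS domain
resolv_points_to_self() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    dom=$(awk '$1 == "search" { print $2; exit }' "$1")
    [ "$first" = "$2" ] && [ "$dom" = "$3" ]
}
# smbconf_matches SMBCONF REALM WORKGROUP FORWARDER: compare the provisioned
# [global] values with what the FQDN and the chosen forwarder imply
smbconf_matches() {
    awk -v realm="$2" -v wg="$3" -v fwd="$4" -F ' *= *' '
        /^[ \t]*[#;]/ { next }
        { sub(/^[ \t]+/, "", $1); sub(/[ \t]+$/, "", $NF) }
        $1 == "realm"         { r = $2 }
        $1 == "workgroup"     { w = $2 }
        $1 == "dns forwarder" { f = $2 }
        END { exit !(r == realm && w == wg && f == fwd) }' "$1"
}
# check_dc FQDN IP FORWARDER HOSTS RESOLV SMBCONF: run every check, report each failure
check_dc() {
    realm=$(realm_from_fqdn "$1"); wg=$(workgroup_from_realm "$realm"); rc=0
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    hosts_has_entry "$4" "$2" "$1"            || { echo "FAIL: $4 lacks '$2 $1'"; rc=1; }
    resolv_points_to_self "$5" "$2" "$domain" || { echo "FAIL: $5 must list $2 first and search $domain"; rc=1; }
    smbconf_matches "$6" "$realm" "$wg" "$3"  || { echo "FAIL: $6 realm/workgroup/dns forwarder are not $realm/$wg/$3"; rc=1; }
    return $rc
}

# Live run on the DC: sh check_dc.sh --live 10.22.149.11 163.22.2.2
if [ "${1:-}" = "--live" ]; then
    check_dc "$(hostname -f)" "$2" "$3" /etc/hosts /etc/resolv.conf /etc/samba/smb.conf
fi
```

Each failing check prints one `FAIL:` line and the script exits non-zero, so it can also sit in a post-provision step of an automation job.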
```shell=
sudo mv /etc/krb5.conf /etc/krb5.conf.orig
sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
sudo systemctl start samba-ad-dc
sudo systemctl status samba-ad-dc
```

- NTP

```shell=
sudo chown root:_chrony /var/lib/samba/ntp_signd/
sudo chmod 750 /var/lib/samba/ntp_signd/
sudo vi /etc/chrony/chrony.conf
```

```
bindcmdaddress 10.22.149.11
allow 10.22.0.0/16
ntpsigndsocket /var/lib/samba/ntp_signd
```

```shell=
sudo systemctl restart chronyd
sudo systemctl status chronyd
```

- Verify

```shell=
host -t A pearl.lan
host -t A sambaad.pearl.lan
host -t SRV _kerberos._udp.pearl.lan
host -t SRV _ldap._tcp.pearl.lan
smbclient -L pearl.lan -N
```

```shell=
kinit Administrator@PEARL.LAN
klist
```

### Other settings

- Disable Samba4 password expiration

```bash=
sudo samba-tool user setexpiry Administrator --noexpiry
```

## Client Setup

:::info
- Joined Clients
    - [x] [Windows](https://hackmd.io/Qk803ALDRy62_1PuLsGVDw#Windows)
    - [x] [Ubuntu](https://hackmd.io/Qk803ALDRy62_1PuLsGVDw#Ubuntu)
    - [x] [FreeBSD](https://hackmd.io/Qk803ALDRy62_1PuLsGVDw#FreeBSD)
    - [x] NAS (Synology)
    - [ ] VMware ESXi
:::

### Windows

- [Windows PC - Joining and Logging In to Samba Active Directory Domain](https://adamtheautomator.com/samba-active-directory/)

```powershell=
Get-NetAdapter -Name "*"
Set-DNSClientServerAddress "Ethernet" -ServerAddresses ("10.22.21.50","1.1.1.1")
Get-DNSClientServerAddress
ping sambaad.pearl.ncnu.org
ping pearl.ncnu.org
Add-Computer -DomainName "pearl.ncnu.org" -Restart
```

- Before creating the user on Samba AD, delete the user account on the local machine without removing the user's data:
    - First create an administrator account named Admin; log in as Admin and demote the original user.
    - Delete that user account from the Control Panel, keeping the user's data.
    - Move the user's data from Admin's desktop to `C:\Users`.

### Ubuntu

- [Ubuntu - How to Connect with Samba to Linux Active Directory](https://adamtheautomator.com/linux-active-directory/#Joining_Linux_Clients_to_Samba_Active_Directory)

```shell=
sudo apt install -y realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli
```

```shell=
sudo vi /etc/realmd.conf
```

```
[users]
default-home = /home/%U
default-shell = /usr/local/bin/bash

[active-directory]
default-client = sssd
os-name = Linux Ubuntu

[service]
automatic-install = no

[pearl.lan]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = yes
```

```shell=
sudo kinit administrator@PEARL.LAN
sudo klist
```

```shell=
sudo realm join --verbose pearl.ncnu.org --user-principal=UbuntuMintDesktop/administrator@PEARL.LAN --unattended
```

```shell=
sudo vi /etc/sssd/sssd.conf
```

```
ad_gpo_access_control = permissive
```

```shell=
sudo pam-auth-update
realm list
id <username>
```

#### Old users on Ubuntu

- Before creating the user on Samba AD, delete the user account on the local machine without removing the user's data:
```shell=
sudo deluser <username>
```

### FreeBSD

- [Joining Unix-like systems to an Active Directory](https://ogris.de/samba/unix-active-directory.html)
- [FreeBSD: Setup Samba as an AD Domain Member](https://blog.andreev.it/2016/08/93-freebsd-setup-samba-as-an-ad-domain-member/)

```shell=
sudo vi /etc/hosts
```

```
10.22.149.11 sambaad.pearl.lan pearl.lan
```

```shell=
sudo vi /etc/rc.conf
```

```
samba_server_enable="YES"
winbindd_enable="YES"
```

```shell=
sudo vi /etc/resolv.conf
```

```
search pearl.lan
nameserver 10.22.149.11
nameserver 163.22.2.2
```

```shell=
host -t A pearl.lan
sudo pkg update
sudo pkg install samba4
```

```shell=
sudo vi /usr/local/etc/smb4.conf
```

```
[global]
workgroup = PEARL
realm = PEARL.LAN
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /usr/local/bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind offline logon = false
dns proxy = no
winbind enum groups = yes
winbind enum users = yes
winbind expand groups = 5
password server = sambaad.pearl.lan
```

```shell=
sudo vi /etc/nsswitch.conf
```

```
group: files winbind
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
```

```shell=
sudo net ads join -U Administrator
sudo service samba_server start
wbinfo -u
```

```shell=
sudo vi /etc/ssh/sshd_config
```

```
PasswordAuthentication yes
ChallengeResponseAuthentication no
```

```shell=
sudo vi /etc/pam.d/sshd
```

```
# auth
auth      sufficient  pam_opie.so                    no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so              no_warn allow_local
auth      sufficient  pam_unix.so                    no_warn try_first_pass
auth      required    /usr/local/lib/pam_winbind.so  use_first_pass

# account
account   sufficient  /usr/local/lib/pam_winbind.so
account   required    pam_nologin.so
account   required    pam_login_access.so
account   required    pam_unix.so

# session
session   required    pam_permit.so
session   required    /usr/local/lib/pam_winbind.so  mkhomedir

# password
password  sufficient  pam_unix.so                    no_warn try_first_pass
password  required    /usr/local/lib/pam_winbind.so  use_first_pass
```

```shell=
sudo vi /etc/pam.d/system
```

```
# auth
auth      sufficient  pam_opie.so                    no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so              no_warn allow_local
auth      sufficient  /usr/local/lib/pam_winbind.so
auth      required    pam_unix.so                    no_warn try_first_pass nullok

# account
account   sufficient  /usr/local/lib/pam_winbind.so
account   required    pam_login_access.so
account   required    pam_unix.so

# session
session   required    pam_lastlog.so                 no_fail

# password
password  sufficient  /usr/local/lib/pam_winbind.so
password  required    pam_unix.so                    no_warn try_first_pass
```

```shell=
sudo reboot
```

#### Old users on FreeBSD

- Before creating the user on Samba AD, delete the user account on the local machine without removing the user's data:

```shell=
sudo rmuser <username>   # Do not remove the user's home dir when prompted!
```

### NAS

## Reference

- [Member Server in an Active Directory Domain](https://ubuntu.com/server/docs/samba-active-directory)
- [Samba 4 DC AD LDAP Installation on Ubuntu 20.04](https://www.youtube.com/watch?v=KJuzyYrdMSw&ab_channel=CompuMatter%2CLLC)
- [Setting up Samba as a Domain Member](https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member)
- [Create an Active Directory Infrastructure with Samba4 on Ubuntu](https://github.com/conankiz/Ubuntu-20.04/blob/main/AD/Create%20an%20Active%20Directory%20Infrastructure%20with%20Samba4%20on%20Ubuntu.md)
- [LDAP vs. Active Directory: What's the Difference?](https://www.okta.com/identity-101/ldap-vs-active-directory/)
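Covering the "Old users on Ubuntu" steps above, an added example that is not from the original page or the sssd/realmd projects: after `realm join`, remove the local account without `--remove-home` and hand its home directory to the AD account of the same name. The ownership step is needed because `automatic-id-mapping = yes` gives the AD user a different uid from the old local account, and `getent -s files` / `getent -s sss` tell a local and an AD account with the same name apart. User names in the script are made up.

```shell
#!/bin/sh
# Added example, not from the original page or the sssd/realmd projects.
# Usage (as root, after "realm join"):
#   ./handover.sh LOCALUSER ADUSER          # print the plan only
#   ./handover.sh LOCALUSER ADUSER --apply  # run it
# Assumes Ubuntu with sssd configured as above (automatic-id-mapping = yes,
# fully-qualified-names = no, default-home = /home/%U); user names are made up.

# plan_handover LOCALUSER LOCALUID ADUSER ADUID ADGID HOME
# Pure function: prints the commands instead of running them, so the plan can
# be reviewed (and tested) without root.
plan_handover() {
    # deluser without --remove-home leaves the home directory and its files in place
    printf 'deluser %s\n' "$1"
    # the AD account usually gets a new uid from sssd's id mapping, so files still
    # owned by the old uid must be retagged; root-owned or shared files inside the
    # home keep their owner, and -xdev stays on one filesystem
    if [ "$2" != "$4" ]; then
        printf 'find %s -xdev -uid %s -exec chown -h %s:%s {} +\n' "$6" "$2" "$4" "$5"
        printf 'chown %s:%s %s\n' "$4" "$5" "$6"
    fi
}

# ids_of SOURCE NAME -> "uid gid home" from one NSS source only: "files" for the
# local account, "sss" for the AD account, so a name present in both is not
# silently resolved to the local entry (files comes before sss in nsswitch.conf)
ids_of() {
    getent -s "$1" passwd "$2" | awk -F: '{ print $3, $4, $6 }'
}

handover() {
    local_user=$1; ad_user=$2; mode=${3:-plan}
    set -- $(ids_of files "$local_user"); local_uid=$1; home=$3
    set -- $(ids_of sss "$ad_user");      ad_uid=$1; ad_gid=$2
    if [ -z "$local_uid" ] || [ -z "$ad_uid" ]; then
        echo "cannot resolve $local_user (files) or $ad_user (sss)" >&2
        return 1
    fi
    if [ "$mode" = "--apply" ]; then
        plan_handover "$local_user" "$local_uid" "$ad_user" "$ad_uid" "$ad_gid" "$home" | sh -e
    else
        plan_handover "$local_user" "$local_uid" "$ad_user" "$ad_uid" "$ad_gid" "$home"
    fi
}

if [ $# -ge 2 ]; then
    handover "$@"
fi
```

Once the local entry is gone, `getent passwd <username>` resolves to the AD account, whose `default-home = /home/%U` path is the directory that was just retagged.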