SAMBA Shares with Active Directory Authentication

As a domain member, the Samba server is joined to the Active Directory domain and can grant permissions on files and folders to Active Directory users and groups. Rather than creating local dummy accounts on the Samba server, Samba shares can be integrated with Active Directory authentication, which means that AD users and groups can be assigned to Samba shares with controlled permissions. All we need is Samba, a DC serving AD, winbind and nsswitch.

This tutorial is based on Red Hat Enterprise Linux and Samba 3, and I assume that you have already installed the samba, smbclient and winbind packages. Also make sure that the DNS server (nameserver) and NTP are configured properly: Kerberos rejects tickets when the clocks of client and DC drift apart, so if time synchronization is not working properly, AD authentication issues might occur.

Configuring Kerberos

Kerberos is installed as part of the domain controller; its main function is to authenticate clients and grant them access to resources while they communicate over a non-secure network. More information can be found in Microsoft's article using this link.

In order to set up Kerberos for our machine, edit the /etc/krb5.conf file as follows (krb5.conf only recognises comments at the start of a line, so keep comments on their own lines):

[libdefaults]
  ticket_lifetime = 24h
  default_realm = YourDomain.COM
  forwardable = true

[realms]
  YourDomain.COM = {
    # Replace with your DC IP address
    kdc = 10.x.x.x
    default_domain = YourDomain.COM
  }

[domain_realm]
  .YourDomain.com = YourDomain.COM
  YourDomain.com = YourDomain.COM

[kdc]
  profile = /etc/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

[logging]
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log

Test Kerberos by requesting a ticket from the Active Directory DC. You can use any account with Domain Admin privileges, although any valid domain account is enough for kinit to obtain a ticket. Issue the following command:

[root]# kinit Administrator
Password for Administrator@YourDomain.com:

Now check whether a valid ticket was issued. The result should look like this:

[root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@YourDomain.COM

Valid starting     Expires            Service principal
07/10/17 08:48:32  07/8/17 18:48:41  krbtgt/YourDomain.COM@YourDomain.COM
        renew until 07/8/17 08:48:32


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Configure nsswitch

As per Red Hat's man page, nsswitch is defined as follows: "The Name Service Switch (NSS) configuration file, /etc/nsswitch.conf, is used by the GNU C Library to determine the sources from which to obtain name-service information in a range of categories, and in what order. Each category of information is identified by a database name."

Edit the /etc/nsswitch.conf configuration file and add the winbind option at the end of the passwd, shadow and group lines, so that lookups fall through to winbind after the local files:

passwd: files winbind
shadow: files winbind
group: files winbind

Join the Domain

Execute the following command in order to join your Linux machine to the domain. net ads join takes the realm, workgroup and security = ads settings from /etc/samba/smb.conf, so the [global] section shown under Configure SAMBA Server below needs to be in place before this step.

[root]# net ads join -U Administrator #or any account which can join computers to the domain

Enter the password for the admin user; you should get a success message. After that we should be able to see the AD users and groups through winbind (wbinfo queries winbindd, so make sure the winbind service is running). To verify, issue the following commands:

[root]# wbinfo -u #lists the AD Users if domain join was successful

[root]# wbinfo -g #lists the AD groups

[root]# wbinfo -i gusingh #will provide the information about user gusingh

Configure SAMBA Server

Finally, edit the Samba configuration file at /etc/samba/smb.conf. As in krb5.conf, # and ; start a comment only at the beginning of a line; a comment placed after a value becomes part of that value.

#======================= Global Settings =====================================
[global]
#
 workgroup = YourDomain
 netbios name = etl-cogd
#AD System Authentication
 security = ads
 realm = YourDomain.COM
 domain master = no
 local master = no
 preferred master = no
 # Force SMB2 as the highest protocol version if you need to; comment out otherwise.
 max protocol = SMB2
#Printers
 load printers = yes
 cups options = raw
 # Works both in samba 3.2 and 3.6.
 # Default (non-domain) id mapping range; from Samba 3.6 on the same setting is
 # spelled "idmap config * : range". Newer winbindd refuses a domain range that
 # overlaps this one, so on Samba 4 keep the two ranges disjoint.
 idmap backend = tdb
 idmap uid = 10000-99999
 idmap gid = 10000-99999
 # no .tld
 idmap config YourDomain:backend = rid
 idmap config YourDomain:range = 10000-99999
 winbind enum users = yes
 winbind enum groups = yes
 # This way users log in with username instead of YourDomain\username
 winbind use default domain = yes
 # Inherit groups in groups
 winbind nested groups = yes
 winbind refresh tickets = yes
 winbind offline logon = true
 # Becomes /home/YourDomain/username
 template homedir = /home/%D/%U
 # No shell access
 template shell = /bin/false
 client use spnego = yes
 ;client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/samba.log
 log level = 2
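As an added example (not code from the original post), here is a small Python linter for the two easy-to-miss mistakes in a [global] section like the one above: an inline comment that smbd would read as part of the value, and an idmap range whose bounds are reversed or which overlaps the default range. The smb.conf fragment embedded in it is constructed for the demonstration.

```python
import re

# Constructed smb.conf fragment (not from the page) carrying two mistakes seen in
# the tutorial's [global]: an inline "#" comment and an idmap range with low > high.
SAMPLE_SMB_CONF = """[global]
 workgroup = YourDomain
 max protocol = SMB2 #forcing SMB2
 idmap uid = 10000-99999
 idmap gid = 10000-99999
 idmap config YourDomain:backend = rid
 idmap config YourDomain:range = 10000-9999
"""

def parse_global(text):
    """[global] as {key: value}; '#'/';' comment only at line start, as in smbd."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            params[key.lower()] = value
    return params

def lint_global(params):
    """Flag inline comments, malformed idmap ranges, and a domain range that
    overlaps the default range ('*', or the legacy 'idmap uid/gid')."""
    findings, ranges = [], {}
    for key, value in params.items():
        if " #" in value or " ;" in value:
            findings.append(f"{key}: inline comment is part of the value {value!r}")
        m = re.fullmatch(r"idmap config\s+(.+?)\s*:\s*range", key)
        if not m and key not in ("idmap uid", "idmap gid"):
            continue
        dom = m.group(1) if m else "*"
        lo, hi = (int(x) for x in value.split("-", 1))  # assumes LOW-HIGH form
        if lo > hi:
            findings.append(f"{key}: range {lo}-{hi} has low above high")
            continue
        ranges[dom] = (lo, hi)  # idmap gid simply overwrites idmap uid here
    default = ranges.get("*")
    for dom, (lo, hi) in ranges.items():
        if dom != "*" and default and lo <= default[1] and default[0] <= hi:
            findings.append(f"idmap range for {dom} overlaps default {default[0]}-{default[1]}")
    return findings
```

Running lint_global(parse_global(open("/etc/samba/smb.conf").read())) on a real file reports the same findings, complementing what testparm prints.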

Configure Samba v3 Shares

First create the shared folder wherever you want it. I will use /sharedFolder and assign the proper permissions. The group "domain users" is resolved through winbind, so the chgrp only works after the domain join has succeeded.

[root]# mkdir /sharedFolder
[root]# chmod 0770 /sharedFolder
[root]# chgrp -R "domain users" /sharedFolder

Make the share accessible to AD users or groups by adding a share section to smb.conf. The path must point at the directory created above, and in valid users a leading @ marks a group while a plain name is a single user:

[sharedFolder]
 comment = IT Share Folder Test
 path = /sharedFolder
 valid users = @"YourDomain\MisUsers", "YourDomain\username"
 force group = "domain users"
 writable = yes
 force create mode = 0660
 # 0777 masks allow world-accessible files and directories on the filesystem;
 # the share is still gated by valid users, but 0770 would match the chmod above.
 create mask = 0777
 directory mask = 0777
 force directory mode = 0777
 hide unreadable = yes

Restart the Samba service using the command below. winbind reads the same smb.conf, so restart it the same way if you changed the idmap settings.

[root]# service smb restart

Testing Samba Share with Active Directory Authentication

To test the Samba share with Active Directory authentication, open the Run prompt on a Windows client logged in with a domain account and navigate to the shared path, i.e. \\your-server\sharedFolder. Access succeeds only for accounts listed in valid users, directly or through the group.
