Install Samba to join to Active Directory

Join SAMBA to Active Directory domain and File, Directory, and Share Access Controls


Step 1: Install the Required Packages

Code:
apt-get install krb5-user
apt-get install winbind samba



Step 2: Edit the /etc/krb5.conf File

Code:
[libdefaults]
default_realm = CONNECTA.LOCAL
ticket_lifetime = 24000

[realms]
CONNECTA.LOCAL = {
kdc = mercury.connecta.local
admin_server = mercury.connecta.local
default_domain = CONNECTA.LOCAL
}

[domain_realm]
.connecta.local = CONNECTA.LOCAL
connecta.local = CONNECTA.LOCAL
.kereberos.server = mercury.connecta.local


Step 3:
Edit /etc/samba/smb.conf
Notes: Change the NETBIOS name parameter to be correct for the server. Make a backup copy of the original file!!! ) Make the edits. The configuration shown is the bare minimum and doesn't share anything.
Code:
[global]
workgroup = CONNECTA
security = ads
netbios name =COPPELIUS001
realm = CONNECTA.LOCAL
preferred master = yes
encrypt passwords = yes
log file = /var/log/samba/%m
winbind separator = +
password server = mercury.connecta.local
idmap uid = 600-20000
idmap gid = 600-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
guest account = nobody
template shell = /bin/bash
nt acl support = true

2) Test the configuration with the "testparm" command
Code:
testparm
Step 4: Edit /etc/nsswitch.conf to look like the example below
Code:
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis


Step 5: Modify the PAM settings

1) /etc/pam.d/common-account should contain only the following lines
Code:
account sufficient pam_winbind.so account required pam_unix.so

2) /etc/pam.d/common-auth should contain only the following lines
Code:
auth sufficient pam_winbind.so auth required pam_unix.so nullok_secure use_first_pass

3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below
Code:
password required pam_unix.so nullok obscure min=4 max=50 md5

4) Make sure the /etc/pam.d/common-session file contains the following line
Code:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Step 6: Make a directory to hold domain user home directories
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file

Code (if you want to use WORKGROUP):
mkdir /home/DOMAIN

Step 7: Initialize Kerberos

1) Code:
kinit domain_admin_account@CONNECTA.LOCAL
Next check to be sure you got a ticket from the domain controller It's possible that With ADMINISTRATOR you have problem, then you must change ADMINSITRATOR's password on Active-Directory!!

2)KLIST Shows the current ticket(s):
Code:
klist

Step 8: Join the system to the set Computer name in /etc/hosts to fully qualified name (example: aspirin.CONNECTA.LOCAL)

Code:
net ads join -U administrator@CONNECTA.LOCAL

Error:
kinit(v5): Clock skew too great while getting initial => The time at server and client are not same, and must be synchronized.


Step 9: Restart Samba-related Services (Or reboot the server)

Note: The order is important

Code:
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start


Step 8: Enable ACL (Access Control List) support for the file system

Code:
mount / -o remount,acl

If you want to add it at startup, edit /etc/fstab in the following way:

/dev/hda1 / ext3 defaults,acl 0 0

Now set up ACL tools, which allows us to assign ACL to files:

Code:
# apt-get install acl


Step 9: Make a directory for sharing

Example:

Code:
mkdir /home/masoud/share/newtest
chgrp "Domain Users" /home/masoud/share/newtest



Step 10: add share properties in smb.conf

Code:

[newtest]
path = /data
available = yes
browsable = yes
read only = no
public = yes
writable = yes
security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0
nt acl support = yes
store dos attributes = yes
dos filemode = yes


Step 11-1: Share permission management in WINDOWS

1. Launch the NT4 Server Manager and click on the Samba server you
want to administer. From the menu select Computer, then click on
Shared Directories.
2. Click on the share that you wish to manage and click the Properties
tab, then click the Permissions tab. Now you can add or change access
control settings as you wish.


or:

from Control Panel -> Administrative Tools
run Computer Management:

1. After launching the MMC with the Computer Management snap-in,
click the menu item Action and select Connect to another computer.
If you are not logged onto a domain you will be prompted to enter a
domain login user identifier and a password. This will authenticate
you to the domain. If you are already logged in with administrative
privilege, this step is not offered.
2. If the Samba server is not shown in the Select Computer box, type in
the name of the target Samba server in the field Name:. Now click the
on [+] next to System Tools, then on the [+] next to Shared Folders
in the left panel.
3. In the right panel, double-click on the share on which you wish to
set access control permissions. Then click the tab Share Permissions.
It is now possible to add access control entities to the shared folder.
Remember to set what type of access (full control, change, read) you
wish to assign for each entry


Warning:
Be careful. If you take away all permissions from the Everyone user without removing this user, effectively no user will be able to access the share. This is a result of what is known as ACL precedence. Everyone with no access means that MaryK who is part of the group Everyone will have no access even if she is given explicit full control access.


Step 11-2: Share permission management in UBUNTU

setfacl: This utility sets Access Control Lists (ACLs) of files and directories.
-R : Recursive
-m : Modify
-x : Delete

Code:
setfacl -R -m user:abrakhim:rwx /home/masoud/share/newtest


geftacl: This utility shows Access Control Lists (ACLs) of files and directories.

Code:
getfacl /home/masoud/share/newtest



===============================================================================

Map a Windows Folder to a Ubuntu Directory:

kinit abrakhim@CONNECTA.LOCAL

sudo mount -t cifs -o username=abrakhim //10.66.66.83/C$ /home/masoud/share/abrakhim