Linux based Samba Share: Active Directory integration with Kerberos

Table of Contents

Permanently assign DNS servers
#

You should not directly modify the /etc/resolv.conf file, nor would the changes remain permanent. Use resolvconf to change DNS settings.


`sudo apt install resolvconf`	Install resolvconf
`sudo systemctl status resolvconf.service`	Check Status
`sudo vi /etc/resolvconf/resolv.conf.d/head`	Edit config

Add entries for your domain controller and default gateway

nameserver 192.168.60.2 # Example: Domain Controller
nameserver 192.168.60.1 # Example: Default Gateway / Router


`sudo systemctl restart resolvconf.service`	Restart both services
`sudo systemctl restart systemd-resolved.service`	Restart both services
`sudo cat /etc/resolv.conf`	Check DNS settings

Adapt hosts file
#

Add the Domain Controller and the Domain Controllers fully qualified domain name (FQDN) to the /etc/hosts file, vi /etc/hosts.

Example:

127.0.0.1 localhost SAMBA.YOUR.DOMAIN # Example: your samba domain name
127.0.1.1 fake_hostname # Does not matter

192.168.60.2 YOUR.DOMAIN # Example: Domain Controller IP & domain name
192.168.60.2 DC.YOUR.DOMAIN # Example: Domain Controller IP & fully qualified domain name

Check DNS resolution with nslookup:
nslookup YOUR.DOMAIN
nslookup DC.YOUR.DOMAIN Also check with FQDN

Install Realmd and Samba
#


`sudo apt install realmd samba`	Install realmd and samba
`sudo hostnamectl hostname samba.YOUR.DOMAIN`	Define Domain name for Samba Server
`hostnamectl`	Check new hostname
`realm discover YOUR.DOMAIN`	Check if Domain Controller is available
`realm discover TDC.YOUR.DOMAIN`	Also check with FQDN

Join the Domain
#

Create an Active Directory user with the permissions to Domain Administrator privileges. In this example the user is called “Admin”.

Join the Domain:

sudo realm join -v --membership-software=samba --client-software=winbind  YOUR.DOMAIN -U 'Admin@your.domain'

Write down the domain short name from the join domain command.
Optional to leave the domain use the following command:
realm leave YOUR.DOMAIN -U 'Admin@your.domain'

Add Winbind to nsswitch
#

Edit the nsswitch.conf file with vi /etc/nsswitch.conf and add winbind to passwd and group. The edited config file should look like follows:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Winbind should be enabled by default and it should not be necessary to restart the service, but here a the Commands to do so:


`/usr/sbin/update-rc.d winbind enable`	Enable winbind
`/usr/sbin/service winbind restart`	Restart winbind

Edit smb.conf to create a share: vi /etc/samba/smb.conf.
Here is an example for a simple share, add it add the end of the cmb.conf file. Create a directory to store the files of the share, in this example /samba is used:

[samba-test-share]
    path = /samba
    comment = Storage share
    writable = yes
    guest ok = no

After the smb.conffile modified it is necessary to restart the samba service, use the following commands to do so:


`/etc/init.d/smbd restart`	Restart samba service
`/etc/init.d/smbd stop`	Stop samba service
`/etc/init.d/smbd start`	Start samba service
Old Commands
`service smbd restart`	Restart samba service
`service smbd stop`	Stop samba service
`service smbd start`	Start samba service

Troubleshooting: /etc/netplan
#

Check your network settings, the standard configuration file is /etc/netplan/00-installer-config.yaml but check the /etc/netplan/ for custom configuration files.

If you don’t use DHCP to assign IP addresses, define an custom IP under addresses and define your default gateway / router under routes and your domain controller and default gateway / router in the nameservers section.

network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:
      addresses:
        - 192.168.30.10/24
      nameservers:
        search: [your.domain]
        addresses: [192.168.60.2, 192.168.60.1]
      routes:
        - to: default
          via: 192.168.60.1

Mount Samba Share to Linux host
#


`apt update`	Update package manager
`apt install smbclient`	Install samba library
`apt install cifs-utils`	Install cifs-utilis package
`mkdir /mountpoint`	Create directory for Samba-Share mount
`vi /root/.sambacredentials`	Create hidden file for samba credentials
`chmod 400 /root/.sambacredentials`	Permissions: Owner read only

Insert your Domain credentials into .sambacredentials file:

# Should look like this
username=user@domain
password=password

Temporary mount Samba Share
#

sudo mount -t cifs -o rw,vers=3.0,credentials=/root/.sambacredentials //IP/share /mountpoint

To unmount the Samba Share use:
umount /mountpoint

Note: It is not possible to mount a share while a user is in the mountpoint directory.

Permanently mount Samba Share:
#


`vi /etc/fstab`	Open fstab
`//IP/share /mountpoint cifs vers=3.0,credentials=/root/.sambacredentials`	Add Samba Share
`mount -a`	Reload fstab

Permanently assign DNS servers #

Adapt hosts file #

Install Realmd and Samba #

Join the Domain #

Add Winbind to nsswitch #

Troubleshooting: /etc/netplan #

Mount Samba Share to Linux host #

Temporary mount Samba Share #

Permanently mount Samba Share: #