
Linux based Samba Share: Active Directory integration with Kerberos


Permanently assign DNS servers

Do not modify the /etc/resolv.conf file directly; changes made there would not remain permanent. Use resolvconf to change the DNS settings.

sudo apt install resolvconf                   # Install resolvconf
sudo systemctl status resolvconf.service      # Check status
sudo vi /etc/resolvconf/resolv.conf.d/head    # Edit config

Add entries for your domain controller and default gateway

nameserver 192.168.60.2 # Example: Domain Controller
nameserver 192.168.60.1 # Example: Default Gateway / Router

Restart both services and check the DNS settings:

sudo systemctl restart resolvconf.service          # Restart both services
sudo systemctl restart systemd-resolved.service    # Restart both services
sudo cat /etc/resolv.conf                          # Check DNS settings

Adapt hosts file

Add the Domain Controller and the Domain Controller's fully qualified domain name (FQDN) to the /etc/hosts file (vi /etc/hosts).

Example:

127.0.0.1 localhost SAMBA.YOUR.DOMAIN # Example: your samba domain name
127.0.1.1 fake_hostname # Does not matter

192.168.60.2 YOUR.DOMAIN # Example: Domain Controller IP & domain name
192.168.60.2 DC.YOUR.DOMAIN # Example: Domain Controller IP & fully qualified domain name

Check DNS resolution with nslookup:
nslookup YOUR.DOMAIN
nslookup DC.YOUR.DOMAIN    # Also check with the FQDN

Install Realmd and Samba

sudo apt install realmd samba                  # Install realmd and samba
sudo hostnamectl hostname samba.YOUR.DOMAIN    # Define the domain name for the Samba server
hostnamectl                                    # Check new hostname
realm discover YOUR.DOMAIN                     # Check if the Domain Controller is available
realm discover DC.YOUR.DOMAIN                  # Also check with the FQDN

Join the Domain

Create an Active Directory user with Domain Administrator privileges. In this example the user is called “Admin”.

Join the Domain:

sudo realm join -v --membership-software=samba --client-software=winbind  YOUR.DOMAIN -U 'Admin@your.domain'

Write down the domain short name shown in the output of the join command.
Optional: to leave the domain, use the following command:
realm leave YOUR.DOMAIN -U 'Admin@your.domain'

Add Winbind to nsswitch

Edit the nsswitch.conf file with vi /etc/nsswitch.conf and add winbind to the passwd and group lines. The edited config file should look as follows:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Winbind should be enabled by default and it should not be necessary to restart the service, but here are the commands to do so:

/usr/sbin/update-rc.d winbind enable    # Enable winbind
/usr/sbin/service winbind restart       # Restart winbind

Edit smb.conf to create a share: vi /etc/samba/smb.conf.
Here is an example of a simple share; add it at the end of the smb.conf file. Create a directory to store the files of the share; in this example /samba is used:

[samba-test-share]
    path = /samba
    comment = Storage share
    writable = yes
    guest ok = no

After the smb.conf file has been modified, it is necessary to restart the Samba service. Use the following commands to do so:

/etc/init.d/smbd restart    # Restart samba service
/etc/init.d/smbd stop       # Stop samba service
/etc/init.d/smbd start      # Start samba service

Old commands:

service smbd restart        # Restart samba service
service smbd stop           # Stop samba service
service smbd start          # Start samba service
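
The two files edited above can be checked before the restart. The following is an added example, not code from the original page: the function names are hypothetical, and the check for `valid users` (a standard smb.conf parameter that the share above does not set) is an added recommendation for limiting the share to a specific domain group.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original page.

# Succeeds only if both the passwd and group lines of nsswitch.conf list winbind.
nss_uses_winbind() {   # usage: nss_uses_winbind NSSWITCH_FILE
    awk '$1 == "passwd:" || $1 == "group:" {
             for (i = 2; i <= NF; i++) if ($i == "winbind") ok[$1] = 1
         }
         END { exit !(ok["passwd:"] && ok["group:"]) }' "$1"
}

# Prints the value of PARAM inside section [SHARE] of an smb.conf-style file.
share_param() {        # usage: share_param SMB_CONF SHARE PARAM
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
                        in_sec = (tolower(s) == tolower(want)); next }
        in_sec && (p = index($0, "=")) {
            k = tolower(substr($0, 1, p - 1)); v = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Prints findings for one share: guest access, and a missing user/group restriction.
audit_share() {        # usage: audit_share SMB_CONF SHARE
    case $(share_param "$1" "$2" "guest ok" | tr 'A-Z' 'a-z') in
        yes|true|1) echo "[$2] allows guest access" ;;
    esac
    [ -n "$(share_param "$1" "$2" "valid users")" ] ||
        echo "[$2] has no 'valid users' line: every authenticated domain account may connect"
}

# Stand-alone use on the Samba server, e.g.: sh check.sh samba-test-share
if [ "$#" -gt 0 ]; then
    nss_uses_winbind /etc/nsswitch.conf || echo "winbind missing from passwd/group in nsswitch.conf"
    audit_share /etc/samba/smb.conf "$1"
fi
```

On the joined server itself, `testparm -s` checks smb.conf for syntax errors before the restart and `wbinfo -t` verifies the machine account's trust secret with the domain.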

Troubleshooting: /etc/netplan

Check your network settings. The standard configuration file is /etc/netplan/00-installer-config.yaml, but also check the /etc/netplan/ directory for custom configuration files.

If you don’t use DHCP to assign IP addresses, define a custom IP address under addresses, your default gateway / router under routes, and your domain controller and default gateway / router in the nameservers section.

network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:
      addresses:
        - 192.168.60.10/24
      nameservers:
        search: [your.domain]
        addresses: [192.168.60.2, 192.168.60.1]
      routes:
        - to: default
          via: 192.168.60.1

Mount Samba Share to Linux host

apt update                           # Update package lists
apt install smbclient                # Install samba library
apt install cifs-utils               # Install cifs-utils package
mkdir /mountpoint                    # Create directory for the Samba share mount
vi /root/.sambacredentials           # Create hidden file for Samba credentials
chmod 400 /root/.sambacredentials    # Permissions: owner read only

Insert your domain credentials into the .sambacredentials file:

# Should look like this
username=user@domain
password=password

Temporarily mount Samba Share

sudo mount -t cifs -o rw,vers=3.0,credentials=/root/.sambacredentials //IP/share /mountpoint

To unmount the Samba Share use:
umount /mountpoint

Note: It is not possible to mount a share while a user is in the mountpoint directory.

Permanently mount Samba Share:

vi /etc/fstab    # Open fstab

Add the Samba share as a new line:

//IP/share /mountpoint cifs vers=3.0,credentials=/root/.sambacredentials

mount -a         # Reload fstab
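
Because /etc/fstab is world-readable, the cifs entry should only ever point at the credentials file and never carry the password itself. The following is an added example, not code from the original page: `audit_cifs_fstab` is a hypothetical helper that reviews the cifs entries of an fstab-style file, and its check for `seal` (a mount.cifs option that requests SMB3 encryption, not used on this page) is an added recommendation.

```shell
#!/bin/sh
# Added example; audit_cifs_fstab is a hypothetical helper, not from the original page.
# Prints one finding per line for each cifs entry of an fstab-style file.
audit_cifs_fstab() {   # usage: audit_cifs_fstab FSTAB_FILE
    grep -v '^[[:space:]]*#' "$1" | while read -r _src mnt type opts _rest; do
        [ "$type" = "cifs" ] || continue
        cred=""; vers=""; seal=no
        old_ifs=$IFS; IFS=,                      # mount options are comma-separated
        for o in $opts; do
            case $o in
                password=*|pass=*) echo "$mnt: password is stored inline in fstab" ;;
                credentials=*|cred=*) cred=${o#*=} ;;
                vers=*) vers=${o#vers=} ;;
                seal) seal=yes ;;
            esac
        done
        IFS=$old_ifs
        if [ -z "$cred" ]; then
            echo "$mnt: no credentials= file configured"
        elif [ ! -f "$cred" ]; then
            echo "$mnt: credentials file $cred is missing"
        else
            mode=$(stat -c %a "$cred")           # GNU stat, e.g. 400
            case $mode in
                [0-7]00) ;;                      # owner-only, as set by chmod 400
                *) echo "$mnt: $cred has mode $mode, expected 400 or 600" ;;
            esac
        fi
        case $vers in
            "")  echo "$mnt: no vers= option, dialect is left to negotiation" ;;
            1.0) echo "$mnt: vers=1.0 selects SMB1" ;;
        esac
        [ "$seal" = yes ] || echo "$mnt: seal not set, client does not request SMB encryption"
    done
}

# Stand-alone use, e.g.: sh audit.sh /etc/fstab
if [ "$#" -gt 0 ]; then
    audit_cifs_fstab "$1"
fi
```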