Ingredients:
More info:
We assume that Ubuntu Linux has been installed.
Install the following packages with the Synaptic Package Manager. You may need to specify “universe” as an extra source for packages.
Edit the following configuration files. We assume the following:
[global]
security = ADS
realm = MYCOMPANY.LOCAL
workgroup = mycompany
password server = obelix.mycompany.local
wins support = no
wins server = 10.0.20.202
invalid users = root
# Winbind settings
idmap uid = 10000-20000
idmap gid = 10000-20000
# For testing
debuglevel = 2
# A shared folder for testing purposes
[SharedFolder]
path = /home/onno2/Shared_Folder
available = yes
public = yes
writable = yes
force create mode = 0666
force directory mode = 0777
Make sure the path (/home/onno2/Shared_Folder or whatever you choose) exists and that the permissions are set properly (chmod 777 <folder name> or something similar).
[libdefaults]
default_realm = MYCOMPANY.LOCAL
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
[realms]
MYCOMPANY.LOCAL = {
    kdc = obelix.mycompany.local
    admin_server = obelix.mycompany.local
}
[domain_realm]
# Map the DNS domain to the realm defined under [realms], not to the KDC host name.
.mycompany.local = MYCOMPANY.LOCAL
mycompany.local = MYCOMPANY.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = true
The only change here was adding winbind twice.
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
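With the three files edited, the realm in smb.conf, the realm settings in the Kerberos configuration and the winbind entries in nsswitch.conf have to agree before the join and the winbind lookups will work. The script below is an added example, not part of the original guide: the function names are made up here, the sample files are constructed with two deliberate mistakes, and the parser only understands simple "key = value" lines with lower-case keys.

```shell
#!/bin/sh
# Added example: cross-check smb.conf, krb5.conf and nsswitch.conf for the
# mismatches that make "net ads join" or winbind lookups fail.

# section_pairs FILE SECTION -> "key=value" for every setting under [SECTION]
section_pairs() {
    awk -v sec="[$2]" '
        /^[ \t]*[#;]/ || !NF { next }
        /^[ \t]*\[/ { cur = $0; gsub(/^[ \t]+|[ \t]+$/, "", cur); next }
        cur == sec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print k "=" v
        }' "$1"
}
# get FILE SECTION KEY -> value of KEY under [SECTION], empty if absent
get() { section_pairs "$1" "$2" | awk -F= -v k="$3" '$1 == k { print substr($0, length(k) + 2); exit }'; }

# check_ad_config SMB KRB5 NSS -> prints findings, returns the problem count
check_ad_config() {
    problems=0
    smb_realm=$(get "$1" global realm)
    krb_realm=$(get "$2" libdefaults default_realm)
    if [ -z "$smb_realm" ] || [ "$smb_realm" != "$krb_realm" ]; then
        echo "smb.conf realm '$smb_realm' != krb5.conf default_realm '$krb_realm'"
        problems=$((problems + 1))
    fi
    # Every [domain_realm] target should be a realm defined under [realms].
    for target in $(section_pairs "$2" domain_realm | cut -d= -f2 | sort -u); do
        if [ -z "$(get "$2" realms "$target")" ]; then
            echo "[domain_realm] points at '$target', which [realms] does not define"
            problems=$((problems + 1))
        fi
    done
    for db in passwd group; do
        grep -Eq "^$db:.*winbind" "$3" || {
            echo "nsswitch.conf: '$db' does not list winbind"
            problems=$((problems + 1)); }
    done
    return "$problems"
}

# Constructed sample files modelled on the MYCOMPANY.LOCAL setup.
d=$(mktemp -d)
printf '[global]\nsecurity = ADS\nrealm = MYCOMPANY.LOCAL\n' > "$d/smb.conf"
printf '[libdefaults]\ndefault_realm = MYCOMPANY.LOCAL\n[realms]\nMYCOMPANY.LOCAL = {\nkdc = obelix.mycompany.local\n}\n[domain_realm]\n.mycompany.local = OBELIX.MYCOMPANY.LOCAL\n' > "$d/krb5.conf"
printf 'passwd: compat winbind\ngroup: compat\n' > "$d/nsswitch.conf"
check_ad_config "$d/smb.conf" "$d/krb5.conf" "$d/nsswitch.conf" || echo "problems found: $?"
rm -rf "$d"
```

On a real machine, pass the paths of the three files you edited to check_ad_config in place of the sample files.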
/etc/init.d/samba restart
/etc/init.d/winbind restart
net ads join -U administrator
If this doesn’t work, check the logs in Linux (/var/log/samba/*) and Windows.
testparm checks whether your smb.conf has correct syntax.
kinit onno@MYCOMPANY.LOCAL tests whether Kerberos works properly.
wbinfo -u should give a list of users.
wbinfo -g should give a list of groups.
getent passwd should give a list of users in the passwd style.
getent group should give a list of groups.
ls -ltr /var/log/samba gives a list of log files, sorted by time of last change.
smbclient -L <hostname> -U onno should give you a list of available shares.
If this all works properly, try to access the share (/home/onno2/Shared_Folder) from any Windows machine in the domain by using Network Neighbourhood.
If all works, try setting up your favorite firewall. I like Shorewall.