Monday, May 05, 2008

Integrating Ubuntu Hardy Heron 8.04 with Active Directory

I have three primary goals with integrating Ubuntu Server with Active Directory:
  • Join the server to the domain
  • Allow domain admins to be Ubuntu Server administrators
  • Allow Windows clients in domain groups access to Samba shares
Goal #1: Join the Server to the Domain

Thanks to this post for helping with this portion. The steps are:
  1. sudo apt-get update
  2. sudo apt-get install likewise-open
  3. sudo domainjoin-cli join fqdn.of.your.domain Administrator
  4. sudo update-rc.d likewise-open defaults
  5. sudo /etc/init.d/likewise-open start
Goal #2: Allow Active Directory Domain Administrators to Administer Ubuntu

Ubuntu Forums to the rescue... thanks, gotee12. This will allow members of the Domain Admins AD group to issue sudo commands. From a command prompt:
  1. visudo
  2. Add this line to the resulting file:
Note the carat symbol to substitute for spaces.

Goal #3: Allow Windows Clients in Domain Groups to Access Samba Shares

*** UPDATE *** My friend Chris got the plumbing to wire up Likewise Open with Samba figured out. Good grief, this was opaque:

Now you have to set up your shares. The shares are defined as individual text files under /var/lib/samba/usershares. Create a file in this folder named with the name of the share (e.g. "test") and contents like the following, but be careful--match the spaces and casing with nothing extra, and **make sure the file name is in all lowercase regardless of the casing of the share name**:
usershare_acl=<Group SID>:<access modifier>
For example:
To get the SID of the group that will have access to enter in the usershare_acl row, execute:
wbinfo -n "DOMAIN\group"
(S-1-1-0 is Everyone.)

The access modifiers after the group SID are as follows:
  • R - read-only
  • F - full access
  • D - deny access
The last thing you need do is to set the permissions on the shared folder itself. I found it easiest to give world-writable permissions to the folder, as it seemed not to dereference my group memberships at the folder permission level (unlike Samba at the share level). So:
chmod -R 0777 /path/to/shared/folder
If anyone knows how to get the group security to work at the folder level so it need not be world-writable, I'd appreciate a comment. I tried:
chgrp -R 'DOMAIN\group' /path/to/shared/folder
chmod -R 2770 /path/to/shared/folder
...but I kept getting access denied.

*** UPDATE 2 *** I had to grant read access to everyone for the usershares folder to avoid 'cannot stat' errors by ordinary users:
chmod o+r /var/lib/samba/usershares

Original post for this section follows:

Oooh, I haven't managed to get this one to work. I can issue successful commands like the following while logged on to the Ubuntu machine with my domain credentials:

smbclient -k -L //dmsc01
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]

Sharename Type Comment
--------- ---- -------
C$ Disk Default share
ADMIN$ Disk Remote Admin
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]

Server Comment
--------- -------

Workgroup Master
--------- -------

So SOMETHING's working, but I can't manage to get remote machines to connect to hosted shares. I've tried the following smb.conf (key lines included):

workgroup = mydomain
security = ads
encrypt passwords = yes
idmap uid = 10000-40000
idmap gid = 10000-40000
template homedir = /dev/null
template shell = /bin/false
winbind separator = \
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
winbind nested groups = yes

path = /tmp
browseable = yes
writeable = yes
guest ok = no

All I get when attempting to connect, however, is errors like the following in the client logs:

[2008/05/05 10:27:14, 1] libads/kerberos_verify.c:ads_secrets_verify_ticket(237)
ads_secrets_verify_ticket: failed to fetch machine password
[2008/05/05 10:27:14, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

And from the log.winbindd-idmap:

[2008/05/05 10:25:11, 1] nsswitch/idmap_tdb.c:idmap_tdb_alloc_init(397)
idmap uid range missing or invalid
idmap will be unable to map foreign SIDs
[2008/05/05 10:25:11, 0] nsswitch/idmap.c:idmap_alloc_init(750)
ERROR: Initialization failed for alloc backend, deferred!

Any ideas?


  1. Assuming you (or other readers) have likewise-open and samba installed, try this:

    in smb.conf, set

    security = user

    save and restart samba

    in Nautilus, rt-click the folder you want to share, and pick Sharing Options.

    Check the appropriate boxes and click Create Share.

    seems to work well in a limited way.

  2. Shawn, any chance you could post your working smb.conf?

  3. Hi.
    I'm sorry, maybe I did something wrong, but there's no /usr/centeris directory containing anything regarding idmap on my system.
    I'm running Ubuntu Server Hardy 8.04 with Likewise Open, installed via apt-get.
    Could you give me a hand? Thanks! Actually, I want to put access control on files using AD groups, and allow access to samba shares using AD groups as well. When using a line like:
    in my smb.conf, samba complains since it doesn't understand usershare_acl.

  4. Jürgen, just follow the instructions on the centeris bit exactly--the path doesn't exist, but you're going to link it there so it looks like it does.

  5. Hi Arthur,
    did you manage to give acces to a shared folder just to an AD group?
    I have been trying doing it a week but I cannot find the solution.
    Any help will be appreciated.