Integrating Ubuntu Hardy Heron 8.04 with Active Directory

I have three primary goals with integrating Ubuntu Server with Active Directory:

• Join the server to the domain
• Allow domain admins to be Ubuntu Server administrators
• Allow Windows clients in domain groups access to Samba shares

Goal #1: Join the Server to the Domain

Thanks to this post for helping with this portion. The steps are:

1. sudo apt-get update
2. sudo apt-get install likewise-open
3. sudo domainjoin-cli join fqdn.of.your.domain Administrator
4. sudo update-rc.d likewise-open defaults
5. sudo /etc/init.d/likewise-open start

Goal #2: Allow Active Directory Domain Administrators to Administer Ubuntu

Ubuntu Forums to the rescue... thanks, gotee12. This will allow members of the Domain Admins AD group to issue sudo commands. From a command prompt:

1. visudo
2. Add this line to the resulting file:

%YOURDOMAINNAME\\domain^admins ALL=(ALL) ALL

Note the carat symbol to substitute for spaces.

Goal #3: Allow Windows Clients in Domain Groups to Access Samba Shares

*** UPDATE *** My friend Chris got the plumbing to wire up Likewise Open with Samba figured out. Good grief, this was opaque:
http://chrplunk.blogspot.com/2008/06/allow-windows-clients-in-active.html

Now you have to set up your shares. The shares are defined as individual text files under /var/lib/samba/usershares. Create a file in this folder named with the name of the share (e.g. "test") and contents like the following, but be careful--match the spaces and casing with nothing extra, and **make sure the file name is in all lowercase regardless of the casing of the share name**:

#VERSION 2
path=/path/to/shared/folder
comment=
usershare_acl=<Group SID>:<access modifier>
guest_ok=y

For example:

#VERSION 2
path=/testShare
comment=
usershare_acl=S-1-1-0:F
guest_ok=y

To get the SID of the group that will have access to enter in the usershare_acl row, execute:

wbinfo -n "DOMAIN\group"

(S-1-1-0 is Everyone.)

The access modifiers after the group SID are as follows:

• R - read-only
• F - full access
• D - deny access
  

The last thing you need do is to set the permissions on the shared folder itself. I found it easiest to give world-writable permissions to the folder, as it seemed not to dereference my group memberships at the folder permission level (unlike Samba at the share level). So:

chmod -R 0777 /path/to/shared/folder

If anyone knows how to get the group security to work at the folder level so it need not be world-writable, I'd appreciate a comment. I tried:

chgrp -R 'DOMAIN\group' /path/to/shared/folder
chmod -R 2770 /path/to/shared/folder

...but I kept getting access denied.

*** UPDATE 2 *** I had to grant read access to everyone for the usershares folder to avoid 'cannot stat' errors by ordinary users:

chmod o+r /var/lib/samba/usershares

Original post for this section follows:

Oooh, I haven't managed to get this one to work. I can issue successful commands like the following while logged on to the Ubuntu machine with my domain credentials:

smbclient -k -L //dmsc01
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]

   Sharename       Type      Comment
   ---------       ----      -------
   C$              Disk      Default share
   IPC$            IPC       Remote IPC
   ADMIN$          Disk      Remote Admin
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]

   Server               Comment
   ---------            -------

   Workgroup            Master
   ---------            -------

So SOMETHING's working, but I can't manage to get remote machines to connect to hosted shares. I've tried the following smb.conf (key lines included):

workgroup = mydomain
security = ads
realm = MYDOMAIN.LOCAL
encrypt passwords = yes
idmap uid = 10000-40000
idmap gid = 10000-40000
template homedir = /dev/null
template shell = /bin/false
winbind separator = \
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
winbind nested groups = yes

#=====================Shares====================
[tmp]
path = /tmp
browseable = yes
writeable = yes
guest ok = no

All I get when attempting to connect, however, is errors like the following in the client logs:

[2008/05/05 10:27:14, 1] libads/kerberos_verify.c:ads_secrets_verify_ticket(237)
ads_secrets_verify_ticket: failed to fetch machine password
[2008/05/05 10:27:14, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

And from the log.winbindd-idmap:

[2008/05/05 10:25:11, 1] nsswitch/idmap_tdb.c:idmap_tdb_alloc_init(397)
idmap uid range missing or invalid
idmap will be unable to map foreign SIDs
[2008/05/05 10:25:11, 0] nsswitch/idmap.c:idmap_alloc_init(750)
ERROR: Initialization failed for alloc backend, deferred!

Any ideas?