Ubuntu AD Member File Server

Posted on 2013-09-16
Medium Priority
Last Modified: 2013-10-15
Hello Experts,

I am looking to deploy a Ubuntu file server which is integrated with an existing AD domain. We would like to be able to access the Ubuntu shares using the users' Windows credentials.

What is the current best way of accomplishing this task, and is there a good tutorial available explaining the process? We have pursued a solution using Likewise Open and Samba in the past but our attempts were unsuccessful.

Kind regards,

Question by: plokij5006

Accepted Solution

Daniel Helgenberger earned 2000 total points
ID: 39495747
There are several tutorials (I will not google them for you here though). Linux file servers work great with Active Directory and are quite performant by the way.

I just want to make a point about a minor but nevertheless important detail: user identification.

In Windows, users and groups are identified by SID (UUID) numbers. In Linux, this is not the case - users and groups are identified by UID and GID numbers. These are not compatible, since they need to be written on a per-file basis on the file system itself.

Samba does overcome this by mapping SIDs to certain UID/GID numbers by default. This is fine as long as you have only one Linux file server. If you use several, you need to set Samba to look up the GID/UID in Active Directory.
Active Directory objects have, under extended (advanced) attributes, two attributes called GID / UID number. You need to set these explicitly for every user / group on your domain, as well as the primary group.
This can be a painstaking process if you need to do that for hundreds of users, however.

Bottom line: Get Likewise / PBIS to work! I have this running flawlessly on our servers.
PBIS will 'hash' SIDs and assign a GID/UID on this hash basis, which always resolves to the same combination on any file server running Likewise/PBIS. Quite cool.

To get samba working with PBIS, you need to perform these steps on your fileserver, assuming you use the default installation path:
/opt/pbis/bin/domainjoin-cli join domain.com
/opt/pbis/bin/samba-interop-install --install


Do not forget the interop install! It sets up the machine password cache. This way SSO/Kerberos will work.
Then you need to configure the Samba share accordingly. In our setup, I found it best to configure these options for a share:
force create mode = 664
directory mask = 775
force directory mode = 775
valid users = @"DOMAIN\domain users", @"DOMAIN\domain admins"
write list = @DOMAIN\staffgroup, @"DOMAIN\domain admins"
read list = @"DOMAIN\domain users", @"DOMAIN\domain admins"
force group = DOMAIN\staffgroup


I set up the 'staffgroup' to be the primary group for the users which need to access the share. Our (SAN) file system does not support ACLs. This is the reason I use the force settings. If you use ACLs (any newer FS can do this) then you will not need it.
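The distinction the answer draws, between a UID/GID that each server allocates on first sight and one derived from the SID itself, as an added Python illustration. This is not PBIS's code: the SHA-256 derivation is a simplified stand-in for whatever PBIS actually does, the SIDs are constructed for the example, and the ID range is the idmap range quoted in the closing post of this thread.

```python
import hashlib
import re

# Syntax of a Windows SID string: S-1-<authority>-<subauthority...>-<RID>.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# ID range taken from the idmap settings posted later in this thread.
RANGE_LOW, RANGE_HIGH = 10000, 33554431

# Constructed sample: three users and the well-known Domain Users RID (513)
# in one made-up domain.
SAMPLE_SIDS = [
    "S-1-5-21-1111111111-2222222222-3333333333-1104",
    "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "S-1-5-21-1111111111-2222222222-3333333333-1106",
    "S-1-5-21-1111111111-2222222222-3333333333-513",
]


def parse_sid(sid):
    """Split a SID string into its domain part and relative identifier (RID)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a valid SID string: {sid!r}")
    parts = sid.split("-")
    return {"domain": "-".join(parts[:-1]), "rid": int(parts[-1])}


def hashed_id(sid):
    """Derive a UID/GID from the SID alone, so every server computes the same number.

    Simplified model written for this page (SHA-256 folded into the idmap range);
    PBIS's real derivation is not documented in the thread and may differ.
    """
    parse_sid(sid)  # reject malformed input before hashing it
    digest = hashlib.sha256(sid.encode("ascii")).digest()
    span = RANGE_HIGH - RANGE_LOW + 1
    return RANGE_LOW + int.from_bytes(digest[:8], "big") % span


class AllocatingMapper:
    """Model of the default per-server behaviour: next free ID on first sight."""

    def __init__(self):
        self.table = {}
        self.next_id = RANGE_LOW

    def lookup(self, sid):
        parse_sid(sid)
        if sid not in self.table:
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def find_collisions(sids):
    """Return (sid_a, sid_b, id) triples where two different SIDs hash to one ID.

    A hash-derived mapping has no allocator to keep IDs unique, so this is the
    check an administrator would run over the domain's SIDs before trusting it.
    """
    owner, collisions = {}, []
    for sid in sids:
        uid = hashed_id(sid)
        if uid in owner and owner[uid] != sid:
            collisions.append((owner[uid], sid, uid))
        owner.setdefault(uid, sid)
    return collisions


def compare_servers(sids):
    """Two file servers that first meet the same users in a different order.

    Returns {"allocating": (table_a, table_b), "hashed": table}; the allocated
    tables disagree, the hashed table is the same on both servers by construction.
    """
    server_a, server_b = AllocatingMapper(), AllocatingMapper()
    for sid in sids:
        server_a.lookup(sid)
    for sid in reversed(sids):
        server_b.lookup(sid)
    hashed = {sid: hashed_id(sid) for sid in sids}
    return {"allocating": (server_a.table, server_b.table), "hashed": hashed}


if __name__ == "__main__":
    result = compare_servers(SAMPLE_SIDS)
    for sid in SAMPLE_SIDS:
        a, b = (t[sid] for t in result["allocating"])
        print(f"{sid}: allocated {a} / {b}, hashed {result['hashed'][sid]}")
    print("collisions:", find_collisions(SAMPLE_SIDS))
```

The allocated tables show why a file written on one server with owner 10000 shows up as a different user on the second: the number only means something to the server that handed it out. The hashed table is order-independent, which is the property the answer credits PBIS with; the price is that nothing guarantees uniqueness, hence the collision check.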

Author Comment

ID: 39498630
I have installed both Samba4 and PBIS, both of which installed correctly. PBIS allowed the machine to join the Windows domain successfully and I was able to configure the Samba share using user accounts that have been gathered from AD.

We still have the issue where when attempting to connect to the share from a Windows client, authentication fails when using AD credentials. The only way to connect to the share is by allowing 'everyone' access.

Author Closing Comment

ID: 39504938
We have documented our work in working through this issue; it may help someone in the future. Helge000, many thanks for your assistance on the matter.

Install Ubuntu Server
1. Build Linux VM
2. Install lightweight GUI on server: sudo aptitude install --without-recommends ubuntu-desktop
3. Reboot server: sudo reboot
4. Log into server
5. Download and install PBIS:
   wget http://download.beyondtrust.com/PBISO/7.1.0/1203/pbis-open-
   chmod +x pbis-open-
   sudo ./pbis-open-
6. Test: ping domain.local. If it fails, modify the hosts file manually:
   sudo gedit /etc/hosts
   add a line of the form: IP-address domain.local hostname
7. Join AD domain:
   sudo domainjoin-cli join example.local Administrator
   sudo /opt/pbis/bin/samba-interop-install --install
8. Reboot
9. Snapshot volume
10. Install Samba: sudo apt-get install samba
11. Modify the /etc/samba/smb.conf file:

#======================= Global Settings =======================
[global]
   ; section header restored; the posted text omitted it but Samba requires it
   workgroup = [DOMAIN]
   server string = %h server
   wins server =
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = no
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   ; unknown usernames become the guest account; a share with guest ok = yes is then open to anyone
   map to guest = bad user

   ; legacy idmap syntax; current Samba releases express this as "idmap config * : range = 10000-33554431"
   idmap uid = 10000-33554431
   idmap gid = 10000-33554431

   ; lets local users publish shares that allow guest access
   usershare allow guests = yes

#======================= Share Definitions =======================

[share]
; section (share) name assumed; the posted text omitted it
path = /share
read only = no
guest ok = no
browseable = yes
force create mode = 664
directory mask = 775
force directory mode = 775
valid users = @"DOMAIN\domain users", @"DOMAIN\domain admins"
write list = @DOMAIN\staffgroup, @"DOMAIN\domain admins"
read list = @"DOMAIN\domain users", @"DOMAIN\domain admins"
force group = DOMAIN\staffgroup
12. Install the Samba GUI (system-config-samba)
13. Test the configuration file: testparm /etc/samba/smb.conf
14. Create a test share:
[testshare]
; section (share) name assumed; the posted text omitted it
comment = This is a test share
path = /share
browseable = yes
read only = no
valid users = DOMAIN\USER
writeable = yes
; guest ok = yes admits unauthenticated clients as the guest account; a production share should use guest ok = no
guest ok = yes

Configure share settings:
mkdir /share
chmod a+rx /share
chown DOMAIN\\USER /share/
15. Test shares from Windows environment
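The "everyone" access the question author fell back to is exactly what an smb.conf audit should catch: "map to guest = bad user" in [global] turns any unknown username into the guest account, and a share with "guest ok = yes" then needs no valid AD credentials at all. The following Python parser and checker is an added example, not code from the thread or from Samba; the embedded configuration is a constructed sample modelled on the smb.conf posted above (section names [share] and [testshare] are assumed, the group names are the ones from the post), and harden() shows the same settings in their restrictive form.

```python
import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

# Constructed sample modelled on the smb.conf posted in this thread; the
# section names [share] and [testshare] are assumed.
SAMPLE_SMB_CONF = r"""
[global]
   workgroup = DOMAIN
   security = ADS
   map to guest = bad user
   usershare allow guests = yes
   idmap config * : range = 10000-33554431

[share]
   path = /share
   read only = no
   guest ok = no
   browseable = yes
   valid users = @"DOMAIN\domain users", @"DOMAIN\domain admins"
   write list = @DOMAIN\staffgroup, @"DOMAIN\domain admins"
   force group = DOMAIN\staffgroup

[testshare]
   comment = This is a test share
   path = /share
   valid users = DOMAIN\USER
   writeable = yes
   guest ok = yes
"""


def norm(key):
    # smb.conf(5): case and internal whitespace in parameter names are irrelevant
    return "".join(key.split()).lower()


def as_bool(value):
    return (value or "").strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised_param: value}}."""
    sections, current = OrderedDict(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = norm(m.group(1))
            sections.setdefault(current, OrderedDict())
            continue
        key, sep, value = line.partition("=")  # only the first '=' is significant
        if not sep or current is None:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        sections[current][norm(key)] = value.strip()
    return sections


RESTRICTING = ("validusers", "readlist", "writelist")


def audit(sections):
    """Return (section, parameter, problem) findings for settings that weaken access control."""
    findings = []
    g = sections.get("global", {})
    if as_bool(g.get("usershareallowguests")):
        findings.append(("global", "usershare allow guests",
                         "users can publish guest-accessible shares; set it to no"))
    if g.get("maptoguest", "never").lower() != "never":
        findings.append(("global", "map to guest",
                         "unknown usernames become the guest account, so every share "
                         "with guest ok = yes is reachable without valid credentials"))
    if g.get("security", "").lower() != "ads":
        findings.append(("global", "security", "an AD member server should use security = ADS"))
    for name, params in sections.items():
        if name == "global":
            continue
        if as_bool(params.get("guestok")):
            findings.append((name, "guest ok", "unauthenticated access allowed; set guest ok = no"))
        if not any(k in params for k in RESTRICTING):
            findings.append((name, "valid users",
                             "no user or group restriction; every domain account can connect"))
    return findings


def harden(sections):
    """Return a copy with the weak settings replaced by the restrictive ones."""
    fixed = OrderedDict((n, OrderedDict(p)) for n, p in sections.items())
    g = fixed.setdefault("global", OrderedDict())
    g["usershareallowguests"] = "no"
    g["maptoguest"] = "never"
    g["security"] = "ADS"
    for name, params in fixed.items():
        if name == "global":
            continue
        params["guestok"] = "no"
        if not any(k in params for k in RESTRICTING):
            # placeholder group; replace with the real AD group for this share
            params["validusers"] = '@"DOMAIN\\domain users"'
    return fixed


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for section, param, problem in audit(conf):
        print(f"[{section}] {param}: {problem}")
    print("findings after hardening:", audit(harden(conf)))
```

Run against the sample it reports three findings: the two global settings and the test share's "guest ok = yes"; the production [share] passes because it restricts access with valid users and write list. Once a Windows client can authenticate with domain credentials (which is what the PBIS interop install fixes), the guest settings have no legitimate job left and should be turned off, since with them in place a failed or mistyped domain logon silently succeeds as guest instead of being rejected.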
