Ubuntu AD Member File Server

Hello Experts,

I am looking to deploy an Ubuntu file server which is integrated with an existing AD domain. We would like to be able to access the Ubuntu shares using the users' Windows credentials.

What is the current best way of accomplishing this task, and is there a good tutorial available explaining the process? We have pursued a solution using Likewise Open and Samba in the past, but our attempts were unsuccessful.

Kind regards,


Daniel Helgenberger commented:
There are several tutorials (I will not google them for you here though). Linux file servers work great with Active Directory and are quite performant by the way.

I just want to make a point about a minor but nevertheless important detail: user identification.

In Windows, users and groups are identified by SID (UUID) numbers. In Linux, this is not the case - users and groups are identified by UID and GID numbers. These are not compatible, since they need to be written on a per-file basis on the file system itself.

Samba does overcome this by mapping SIDs to certain UID/GID numbers by default. This is fine as long as you have only one Linux file server. If you use several, you need to set Samba to look up the GID/UID in Active Directory.
Active Directory objects have, under the extended (advanced) view, two attributes called GID / UID number. You need to set these explicitly for every user / group in your domain, as well as the primary group.
This can be a painstaking process if you need to do that for hundreds of users, however.

Bottom line: Get Likewise / PBIS to work! I have this running flawlessly on our servers.
PBIS will 'hash' SIDs and assign a GID/UID on this hash basis; which always solves to the same combination on any file server running Likewise/PBIS. Quite cool.

To get samba working with PBIS, you need to perform these steps on your fileserver, assuming you use the default installation path:
/opt/pbis/bin/domainjoin-cli join domain.com
/opt/pbis/bin/samba-interop-install --install


Do not forget the interop install! It sets up the machine password cache. This way SSO/Kerberos will work.
Then you need to configure the Samba share accordingly. In our setup, I found it best to configure these options for a share:
force create mode = 664
directory mask = 775
force directory mode = 775
valid users = @"DOMAIN\domain users", @"DOMAIN\domain admins"
write list = @DOMAIN\staffgroup, @"DOMAIN\domain admins"
read list = @"DOMAIN\domain users", @"DOMAIN\domain admins"
force group = DOMAIN\staffgroup


I set up the 'staffgroup' to be the primary group for the users which need to access the share. Our (SAN) file system does not support ACLs. This is the reason I use the force settings. If you use ACLs (any newer FS can do this) then you will not need it.
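To make the identification point above concrete, here is an added Python illustration; it is not code from this answer, from PBIS/Likewise or from Samba. It contrasts three ways of turning a SID into a UID: first-come allocation (the behaviour of Samba's default tdb backend), RID-based mapping (id = range low + RID, as Samba's idmap_rid backend does), and a hash of the SID string into the range, which is an assumed stand-in for the "hash the SID" idea in the post rather than PBIS's actual algorithm. The domain SID, RIDs and the id range are constructed sample values; the range is the one the thread's smb.conf uses.

```python
import hashlib
import re

# Constructed sample: a made-up domain SID and a handful of RIDs (not from any real domain)
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SIDS = [f"{DOMAIN_SID}-{rid}" for rid in (500, 512, 513, 1104, 1105, 2001)]

# Same id range the thread's smb.conf uses for idmap uid / idmap gid
ID_LOW, ID_HIGH = 10000, 33554431

_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid):
    """Return the relative identifier (last component) of a domain account SID."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return int(m.group(1))


class AllocatingIdmap:
    """First-come allocation, the behaviour of Samba's default tdb backend:
    the id a SID receives depends on the order this particular server first
    saw SIDs, so two servers end up with different tables."""

    def __init__(self, low=ID_LOW, high=ID_HIGH):
        self.low, self.high = low, high
        self.next_id = low
        self.table = {}

    def lookup(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


class RidIdmap:
    """Deterministic RID-based mapping (id = low + RID), as Samba's idmap_rid
    backend does; every server computes the same id without a shared table."""

    def __init__(self, low=ID_LOW, high=ID_HIGH):
        self.low, self.high = low, high

    def lookup(self, sid):
        uid = self.low + rid_of(sid)
        if uid > self.high:
            raise RuntimeError(f"RID {rid_of(sid)} falls outside the idmap range")
        return uid


class HashIdmap:
    """Deterministic hash-based mapping: hash the SID string into the range.
    Assumed illustration of the 'hash the SID' idea from the post, not
    PBIS/Likewise's actual algorithm. Unlike RID mapping it can collide."""

    def __init__(self, low=ID_LOW, high=ID_HIGH):
        self.low, self.high = low, high

    def lookup(self, sid):
        digest = hashlib.sha256(sid.encode("ascii")).digest()
        span = self.high - self.low + 1
        return self.low + int.from_bytes(digest[:8], "big") % span


def mapping_for(idmap, sids):
    """Resolve each SID through one server's idmap and return its table."""
    return {sid: idmap.lookup(sid) for sid in sids}


def servers_agree(factory, order_a, order_b):
    """Do two freshly built servers that learned the SIDs in different orders
    assign every SID the same id?  True only for deterministic backends."""
    return mapping_for(factory(), order_a) == mapping_for(factory(), order_b)


def collisions(idmap, sids):
    """List (sid, other_sid, id) triples where two SIDs share one id: such a
    collision makes two AD principals the same owner on the file system."""
    owner = {}
    found = []
    for sid in sids:
        uid = idmap.lookup(sid)
        if uid in owner and owner[uid] != sid:
            found.append((sid, owner[uid], uid))
        owner.setdefault(uid, sid)
    return found


if __name__ == "__main__":
    forward, backward = SAMPLE_SIDS, list(reversed(SAMPLE_SIDS))
    for name, factory in (("tdb-style allocation", AllocatingIdmap),
                          ("rid", RidIdmap), ("hash", HashIdmap)):
        print(f"{name:22s} consistent across servers: {servers_agree(factory, forward, backward)}")
```

Running it shows the first-come table disagreeing between two servers that met the same users in a different order, while both deterministic schemes agree; the collisions() check is the test to run before trusting any hash-style scheme, since a shared id silently merges two principals' file ownership.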

plokij5006 (Author) commented:
I have installed both Samba4 and PBIS, both of which installed correctly. PBIS allowed the machine to join the windows domain successfully and I was able to configure the Samba share using user accounts that have been gathered from AD.

We still have the issue where when attempting to connect to the share from a Windows client, authentication fails when using AD credentials. The only way to connect to the share is by allowing 'everyone' access.
plokij5006 (Author) commented:
We have documented our work while working through this issue; it may help someone in the future. Helge000, many thanks for your assistance on the matter.

Install Ubuntu Server
1. Build Linux VM
2. Install lightweight GUI on server -> sudo aptitude install --without-recommends ubuntu-desktop
3. Reboot server -> sudo reboot
4. Log into server
5. Download and install PBIS
wget http://download.beyondtrust.com/PBISO/7.1.0/1203/pbis-open-
chmod +x pbis-open-
sudo ./pbis-open-
6. Test ping domain.local -> if it fails, modify the hosts file manually
sudo gedit /etc/hosts
add IP address domain.local hostname
7. Join AD domain -> sudo domainjoin-cli join example.local Administrator
sudo /opt/pbis/bin/samba-interop-install --install
8. Reboot
9. Snapshot volume
10. Install Samba -> sudo apt-get install samba
11. Modify the /etc/samba/smb.conf file

#======================= Global Settings =======================
   workgroup = [DOMAIN]
   server string = %h server
   wins server =
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = no
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user

   idmap uid = 10000-33554431
   idmap gid = 10000-33554431

   usershare allow guests = yes

#======================= Share Definitions =======================

path = /share
read only = no
guest ok = no
browseable = yes
force create mode = 664
directory mask = 775
force directory mode = 775
valid users = @"DOMAIN\domain users", @"DOMAIN\domain admins"
write list = @DOMAIN\staffgroup, @"DOMAIN\domain admins"
read list = @"DOMAIN\domain users", @"DOMAIN\domain admins"
force group = DOMAIN\staffgroup
12. Install Samba GUI -> system-config-samba
13. Test the configuration file -> testparm /etc/samba/smb.conf
14. Create a test share
Comment = This is a test share
Path = /share
Browseable = yes
Read only = no
Valid users = DOMAIN\USER
Writeable = yes
Guest ok = yes

Configure share settings
mkdir /share
chmod a+rx /share
chown DOMAIN\\USER /share/
15. Test shares from Windows environment
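The write-up above ends with a share that has "Guest ok = yes", which is the same "allow everyone" workaround the earlier comment described; with "map to guest = bad user" in the global section, a failed domain logon is silently turned into guest access instead of being refused, so the share works but no longer proves who the user is. The following added Python audit script (not part of this post, and not a Samba tool) parses smb.conf's INI-like syntax and flags the settings that bypass domain authentication or break id mapping: guest access on a share, the guest fallback, "usershare allow guests", a non-ADS security mode, the old "idmap uid"/"idmap gid" syntax that current Samba replaced with "idmap config * : range", and writable shares with no "valid users" or "write list". WEAK_CONF and HARDENED_CONF are constructed sample files (domain name EXAMPLE, share names, id ranges) that mirror the thread's pattern and its corrected shape; run it against a real file with audit_smb_conf(open("/etc/samba/smb.conf").read()).

```python
import re

# Constructed sample configs (not the thread's own files). WEAK_CONF mirrors the
# pattern the thread ends up with: a share reachable via guest access plus the
# old-style idmap syntax. HARDENED_CONF is the corrected shape for an AD member.
WEAK_CONF = r"""
[global]
   workgroup = EXAMPLE
   security = ADS
   idmap uid = 10000-33554431
   idmap gid = 10000-33554431
   map to guest = bad user
   usershare allow guests = yes

[testshare]
   path = /share
   read only = no
   guest ok = yes
   valid users = EXAMPLE\user
"""

HARDENED_CONF = r"""
[global]
   workgroup = EXAMPLE
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
   map to guest = never
   usershare allow guests = no

[staff]
   path = /share
   read only = no
   guest ok = no
   valid users = @"EXAMPLE\domain users"
   write list = @"EXAMPLE\staffgroup"
"""


def parse_smb_conf(text):
    """Minimal parser for smb.conf's INI-like syntax. Samba ignores case and
    whitespace inside section and parameter names, so keys are normalised the
    same way; values keep their spelling. Returns {section: {key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section: ignored, as testparm would warn
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def is_yes(value):
    """Samba boolean: yes/true/1 (case-insensitive) count as enabled."""
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return (section, finding) pairs for settings that let access to an AD
    member server's shares bypass domain authentication or break id mapping."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if g.get("security", "user").strip().lower() != "ads":
        findings.append(("global", "security-not-ads"))
    if "idmapuid" in g or "idmapgid" in g:
        findings.append(("global", "legacy-idmap-syntax"))
    if not any(k.startswith("idmapconfig") and k.endswith(":range") for k in g):
        findings.append(("global", "no-idmap-range"))
    if is_yes(g.get("usershareallowguests")):
        findings.append(("global", "usershare-guests"))
    # Anything other than 'never' maps failed logons to the guest account
    guest_fallback = g.get("maptoguest", "never").strip().lower() != "never"
    for name, share in conf.items():
        if name in ("global", "printers", "print$"):
            continue
        if is_yes(share.get("guestok")) or is_yes(share.get("public")):
            findings.append((name, "guest-ok"))
            if guest_fallback:
                findings.append((name, "guest-fallback-bypass"))
        writable = (is_yes(share.get("writeable")) or is_yes(share.get("writable"))
                    or ("readonly" in share and not is_yes(share["readonly"])))
        if writable and not share.get("validusers") and not share.get("writelist"):
            findings.append((name, "writable-no-valid-users"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_smb_conf(conf) or "no findings")
```

The point of the "guest-fallback-bypass" finding is that the two settings are only dangerous together: a guest share on a server that refuses bad logons is a deliberate public share, whereas the same share plus "map to guest = bad user" hides every failed domain authentication, which is exactly why the author's clients could connect "as everyone" while AD credentials still failed.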