Kyle Manel
2016-Aug-23 21:58 UTC
[Samba] Configuring Samba as a file server to use AD authentication
Hello,

I am attempting to install Samba as a file server within an Active Directory domain to use the AD server for group authentication. I have worked through various guides, but all leave me unable to authenticate into the samba shares using my organization's existing user groups in Active Directory. I need the following configuration:

Share - users : description
Admin - Admin : This share is exclusive to its user group
Media - media users : This share is exclusive to its user group and the Admin group
Junk - all users : This share is accessible to everyone

There are 3 different user groups that will be using this server: Admin, Media and Everyone.

I have a Microsoft Active Directory Server (2012R2) operating as my AD server, and an Ubuntu server operating for Samba.

I would like:
users to be authenticated on each access to the share,
the process of adding/removing users to be done by the AD server.
Rowland Penny
2016-Aug-24 06:54 UTC
[Samba] Configuring Samba as a file server to use AD authentication
On Tue, 23 Aug 2016 21:58:43 +0000
Kyle Manel via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I am attempting to install Samba as a file server within an Active
> Directory domain to use the AD server for group authentication. I
> have worked through various guides, but all leave me unable to
> authenticate into the samba shares using my organizations existing
> user groups in Active Directory. I need the following configuration:
>
> Share - users : description
> Admin - Admin : This share is exclusive to its user group
> Media - media users : This share is exclusive to its user group and
> the Admin group
> Junk - all users : This share is accessible to everyone
>
> There are 3 different user groups that will be using this server,
> Admin, Media and Everyone.
>
> I have a Microsoft Active Directory Server (2012R2) operating as my
> AD server, and an Ubuntu server operating for Samba.
>
> I would like:
> users to be authenticated each access to the share,
> the process of adding/removing users to be done by the AD server.

Because you are using 2012R2 it will be a little harder, but it should be do-able. See here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Because of 2012R2 (no IDMU), you will need to use the winbind 'rid' backend.

Rowland
Michael A Weber
2016-Aug-24 21:13 UTC
[Samba] Configuring Samba as a file server to use AD authentication
> On Aug 23, 2016, at 4:58 PM, Kyle Manel via samba <samba at lists.samba.org> wrote:
>
> Hello,
>
> I am attempting to install Samba as a file server within an Active Directory domain to use the AD server for group authentication.
> I have worked through various guides, but all leave me unable to authenticate into the samba shares using my organizations existing user groups in Active Directory.
> I need the following configuration:
>
> Share - users : description
> Admin - Admin : This share is exclusive to its user group
> Media - media users : This share is exclusive to its user group and the Admin group
> Junk - all users : This share is accessible to everyone
>
> There are 3 different user groups that will be using this server, Admin, Media and Everyone.
>
> I have a Microsoft Active Directory Server (2012R2) operating as my AD server, and an Ubuntu server operating for Samba.
>
> I would like:
> users to be authenticated each access to the share,
> the process of adding/removing users to be done by the AD server.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

My apologies as I did not originally send this reply to the group. Also, I wasn't aware of issues with AD2012, and I've edited my response, below.

Greetings!

Having recently been through similar (although my AD DC is a samba box as well), you need to set up your samba file server as a domain member server. This way, you can easily control access to the shares via group membership, etc. in AD. The way to do it is to follow this guide without deviation:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

This is what I did, and it works. There is a part in the guide which is about setting up the smb.conf for your file server. At the end of that file snippet, there is a comment that says "# Just adding the following three lines is not enough!!" and it's true. You have to determine how you are going to set up the idmap and create your configuration. My recommendation is to use the first comment line below that, or to set up idmap for ad, and that is another document in the wiki which you will find here:

https://wiki.samba.org/index.php/Idmap_config_ad

EDIT: Per response from Rowland Penny, the above recommendation of idmap_config_ad is incorrect, and idmap_config_rid should be used instead:

https://wiki.samba.org/index.php/Idmap_config_rid

Once you set up the smb.conf file, then you can continue on the first wiki page linked above and, as I said, follow it directly. If you don't get the values that the instructions tell you that you should get, something is wrong and needs to be corrected. If your samba server is built on a *nix flavor that uses SELinux, please visit your system log file to diagnose any errors encountered and resolve those along the way until you get the system functioning as you'd like.

Once you have it functioning without errors and joined to your domain, you can now manage it. You'll have to set up the shares via the smb.conf file, which is all documented here (and I recommend using Windows ACLs since it feels to me like you're using Windows workstations to access the file shares):

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

then reload the configuration with the command:

smbcontrol all reload-config

and then the shares should be visible and accessible on your network.

I can't say anything except that this recent file server build for me was the first time I've built a samba box since 2004, and following the instructions exactly and determining why I couldn't get the values listed in the wiki are what made everything work for me.

Good luck, stick to the wiki pages (and there are more of them; you can access them by clicking "User Documentation" in the left pane of those pages linked above), and you'll get it going. I know the documentation sometimes is rather rough around the edges, but it does tell you what you need to make it work.

Best,
Mike
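Putting Rowland's point (2012R2 has no IDMU, so the domain must use the winbind 'rid' idmap backend) together with Michael's pointer to defining the shares in smb.conf, here is an added Python example. It is not code from this thread, from the Samba wiki or from the Samba project: it holds a constructed smb.conf for a member of a domain I am calling EXAMPLE, checks the idmap settings a reviewer would look at first (security = ADS, tdb as the default backend, rid for the domain, two non-overlapping ranges that stay clear of local accounts), and resolves which AD groups each share's `valid users` line admits for the three shares Kyle described. The domain name, the group names admin, media and Domain Users, the paths and the id ranges are all assumptions.

```python
# Added example for this thread (not code from the thread, the Samba wiki or the
# Samba project): parse a domain-member smb.conf, check the winbind 'rid' idmap
# settings, and list which AD groups each share's "valid users" line admits.
# The configuration text, the domain name EXAMPLE, the group and share names,
# the paths and the id ranges are all constructed assumptions for illustration.
import re
from collections import OrderedDict

SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    # tdb for BUILTIN and other SIDs, rid for the EXAMPLE domain; the two
    # ranges must not overlap each other or the local uid/gid space
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    winbind use default domain = yes

[Admin]
    path = /srv/samba/admin
    read only = no
    valid users = @EXAMPLE\\admin

[Media]
    path = /srv/samba/media
    read only = no
    valid users = @EXAMPLE\\admin @EXAMPLE\\media

[Junk]
    path = /srv/samba/junk
    read only = no
    valid users = @"EXAMPLE\\Domain Users"
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised key: value}}."""
    conf, section = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), OrderedDict())
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # smb.conf keys are case-insensitive and ignore extra whitespace
        section[re.sub(r"\s+", " ", key.strip()).lower()] = value.strip()
    return conf

def _range(value):
    lo, hi = (int(x) for x in value.split("-"))
    return lo, hi

def check_idmap(conf):
    """Return a list of problems with the winbind idmap setup (empty means OK)."""
    g, problems = conf.get("global", {}), []
    if g.get("security", "").lower() != "ads":
        problems.append("security must be ADS for a domain member")
    domain = g.get("workgroup", "").lower()
    if not domain:
        return problems + ["workgroup (the NetBIOS domain name) is missing"]
    if g.get("idmap config * : backend", "").lower() != "tdb":
        problems.append("idmap config * : backend should be tdb")
    if g.get(f"idmap config {domain} : backend", "").lower() != "rid":
        problems.append(f"idmap config {domain} : backend should be rid (2012R2 has no IDMU)")
    try:
        ranges = {"*": _range(g["idmap config * : range"]),
                  domain: _range(g[f"idmap config {domain} : range"])}
    except (KeyError, ValueError):
        return problems + ["both '*' and domain idmap ranges must be set as LOW-HIGH"]
    for name, (lo, hi) in ranges.items():
        if lo >= hi:
            problems.append(f"idmap range for {name} is empty or inverted")
        if lo < 1000:  # assumption: keep clear of locally created uids/gids
            problems.append(f"idmap range for {name} starts inside the local uid/gid space")
    (a_lo, a_hi), (b_lo, b_hi) = ranges.values()
    if a_lo <= b_hi and b_lo <= a_hi:
        problems.append("the '*' range and the domain range overlap")
    return problems

def share_groups(conf):
    """Map each share to the lowercase AD group names its 'valid users' admits."""
    domain, out = conf["global"]["workgroup"].lower(), {}
    for name, sec in conf.items():
        if name == "global" or "valid users" not in sec:
            continue
        groups = set()
        # tokens are space separated; names containing spaces are double-quoted
        for tok in re.findall(r'[@+&]?"[^"]*"|\S+', sec["valid users"]):
            if tok[0] not in "@+&":      # a bare name is a user, not a group
                continue
            dom, sep, grp = tok[1:].strip('"').partition("\\")
            if sep and dom.lower() != domain:
                continue                 # group from another domain: not modelled
            groups.add((grp if sep else dom).lower())
        out[name] = groups
    return out

def can_access(conf, share, user_groups):
    """True if a user who is a member of user_groups is admitted to share."""
    return bool(share_groups(conf)[share] & {g.lower() for g in user_groups})

if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    print("idmap problems:", check_idmap(conf) or "none")
    for share, groups in share_groups(conf).items():
        print(f"{share}: {sorted(groups)}")
```

The resolver models only the `valid users` parameter; on a real server the filesystem ACLs on `path` (which the Windows ACLs page Michael links to manages) and any `invalid users`, `read list` or `write list` lines are evaluated as well. Running the script with the domain range changed to 5000-999999 makes the overlap check fire, which is the kind of mistake that produces inconsistent uid/gid mappings on a member server.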
Rowland Penny
2016-Aug-24 21:30 UTC
[Samba] Configuring Samba as a file server to use AD authentication
On Wed, 24 Aug 2016 16:13:53 -0500
Michael A Weber via samba <samba at lists.samba.org> wrote:

> Good luck, stick to the wiki pages (and there are more of them, you
> can access by clicking “User Documentation” in the left pane of those
> pages linked above), and you’ll get it going. I know the
> documentation sometimes is rather rough around the edges, but it does
> tell you what you need to make it work.
>
> Best,
> Mike

Please don't just say that the wiki documentation is 'rather rough around the edges', tell us what you had problems with or found hard to understand. If we don't know what needs fixing, how can we fix it ;-)

Rowland
Kyle Manel
2016-Aug-25 15:29 UTC
[Samba] Configuring Samba as a file server to use AD authentication
Thanks for the information. I am unclear how to implement the winbind 'rid' backend. I've identified that winbindd is not operating on my demo server (fresh installation of Ubuntu 16), and am looking for some assistance if possible.

1] 'apt-get install winbind' informs me that the package is already installed (v4.3.9), yet it is not operating;

2] lsof -Pnl +M -i4 provides:

root at smb-srv:/home/inbay# lsof -Pnl +M -i4
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 2976 0 6u IPv4 20143 0t0 UDP *:68
lwsmd 3217 0 17u IPv4 59606 0t0 TCP 10.10.40.164:35156->10.10.20.93:445 (ESTABLISHED)
lwsmd 3231 0 24u IPv4 64193 0t0 TCP 10.10.40.164:40020->10.10.20.92:3268 (ESTABLISHED)
lwsmd 3231 0 26u IPv4 64244 0t0 TCP 10.10.40.164:46136->10.10.20.93:389 (ESTABLISHED)
lwsmd 3231 0 32u IPv4 64190 0t0 TCP 10.10.40.164:46130->10.10.20.93:389 (ESTABLISHED)
sshd 9140 0 3u IPv4 37379 0t0 TCP *:22 (LISTEN)
nmbd 28134 0 16u IPv4 62715 0t0 UDP *:137
nmbd 28134 0 17u IPv4 62716 0t0 UDP *:138
nmbd 28134 0 18u IPv4 62718 0t0 UDP 10.10.40.164:137
nmbd 28134 0 19u IPv4 62719 0t0 UDP 10.10.40.255:137
nmbd 28134 0 20u IPv4 62720 0t0 UDP 10.10.40.164:138
nmbd 28134 0 21u IPv4 62721 0t0 UDP 10.10.40.255:138
smbd 28247 0 37u IPv4 63448 0t0 TCP *:445 (LISTEN)
smbd 28247 0 38u IPv4 63449 0t0 TCP *:139 (LISTEN)
sshd 28317 0 3u IPv4 63824 0t0 TCP 10.10.40.164:22->10.10.40.178:65205 (ESTABLISHED)
sshd 28397 1000 3u IPv4 63824 0t0 TCP 10.10.40.164:22->10.10.40.178:65205 (ESTABLISHED)

3] To start winbindd I visited this site https://ubuntuforums.org/showthread.php?t=1865647 which informed me to run 'net ads join -U administrator' with my own id, which returns:

'Joined 'SMB-SRV-001' to dns domain 'domain'
No DNS domain configured for SMB-SRV. Unable to perform DNS update.
DNS update failed: NT_STATUS_INVALID_PARAMETER'

Upon review of [3], winbindd is still not implemented, and I would like to know how to get it running, as from my understanding it is part of the samba package, and I will require it.

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Wednesday, August 24, 2016 2:54 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Configuring Samba as a file server to use AD authentication

On Tue, 23 Aug 2016 21:58:43 +0000 Kyle Manel via samba <samba at lists.samba.org> wrote:

[Kyle's original message, quoted in full above]

Because you are using 2012R2 it will be a little harder, but it should be do-able. See here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Because of 2012R2 (no IDMU), you will need to use the winbind 'rid' backend.

Rowland
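Kyle's step 2 is the right kind of check but a listing like that is easier to read when something parses it. The following Python script is an added example, not code from anyone in this thread or from Samba: it parses `lsof -Pnl +M -i4` output, reports which of smbd, nmbd and winbindd hold IPv4 sockets, which ports smbd is listening on, and which other processes already hold connections to Active Directory service ports. The embedded sample is the listing Kyle posted (hostnames and addresses as he gave them); the port-to-service table is my own assumption of the usual AD ports.

```python
# Added example for this thread (not from the thread's posters or from Samba):
# parse the output of 'lsof -Pnl +M -i4' and report which Samba daemons hold
# IPv4 sockets, which ports smbd listens on, and which other processes already
# hold connections to AD service ports. The sample is the listing Kyle posted;
# the port-to-service table is my own assumption of the usual AD ports.
import re
from collections import defaultdict

LSOF_OUTPUT = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 2976 0 6u IPv4 20143 0t0 UDP *:68
lwsmd 3217 0 17u IPv4 59606 0t0 TCP 10.10.40.164:35156->10.10.20.93:445 (ESTABLISHED)
lwsmd 3231 0 24u IPv4 64193 0t0 TCP 10.10.40.164:40020->10.10.20.92:3268 (ESTABLISHED)
lwsmd 3231 0 26u IPv4 64244 0t0 TCP 10.10.40.164:46136->10.10.20.93:389 (ESTABLISHED)
lwsmd 3231 0 32u IPv4 64190 0t0 TCP 10.10.40.164:46130->10.10.20.93:389 (ESTABLISHED)
sshd 9140 0 3u IPv4 37379 0t0 TCP *:22 (LISTEN)
nmbd 28134 0 16u IPv4 62715 0t0 UDP *:137
nmbd 28134 0 17u IPv4 62716 0t0 UDP *:138
nmbd 28134 0 18u IPv4 62718 0t0 UDP 10.10.40.164:137
nmbd 28134 0 19u IPv4 62719 0t0 UDP 10.10.40.255:137
nmbd 28134 0 20u IPv4 62720 0t0 UDP 10.10.40.164:138
nmbd 28134 0 21u IPv4 62721 0t0 UDP 10.10.40.255:138
smbd 28247 0 37u IPv4 63448 0t0 TCP *:445 (LISTEN)
smbd 28247 0 38u IPv4 63449 0t0 TCP *:139 (LISTEN)
sshd 28317 0 3u IPv4 63824 0t0 TCP 10.10.40.164:22->10.10.40.178:65205 (ESTABLISHED)
sshd 28397 1000 3u IPv4 63824 0t0 TCP 10.10.40.164:22->10.10.40.178:65205 (ESTABLISHED)
"""

SAMBA_DAEMONS = ("smbd", "nmbd", "winbindd")
# assumed mapping of AD service ports to a short service name
AD_PORTS = {"88": "kerberos", "389": "ldap", "445": "smb", "464": "kpasswd",
            "636": "ldaps", "3268": "gc"}

def parse_lsof(text):
    """Turn 'lsof -Pn -i' output into dicts; NAME may carry a trailing (STATE)."""
    rows = []
    for line in text.strip().splitlines()[1:]:      # first line is the header
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        cmd, pid, user, fd, typ, dev, size, node, name = parts
        m = re.match(r"(\S+)(?:\s+\((\w+)\))?$", name)
        rows.append({"command": cmd, "pid": int(pid), "user": user, "proto": node,
                     "name": m.group(1), "state": m.group(2) or ""})
    return rows

def samba_sockets(rows):
    """{daemon: [sockets]} for smbd, nmbd and winbindd; an empty list means absent."""
    found = {d: [] for d in SAMBA_DAEMONS}
    for r in rows:
        if r["command"] in found:
            found[r["command"]].append(f'{r["proto"]} {r["name"]} {r["state"]}'.strip())
    return found

def missing_daemons(rows):
    """Samba daemons with no IPv4 socket at all in the listing."""
    return [d for d, socks in samba_sockets(rows).items() if not socks]

def listen_ports(rows, command):
    """Sorted TCP ports on which command is in LISTEN state."""
    return sorted(int(r["name"].rsplit(":", 1)[1]) for r in rows
                  if r["command"] == command and r["state"] == "LISTEN")

def ad_connections(rows):
    """{command: [AD services]} for established connections to known AD ports."""
    out = defaultdict(set)
    for r in rows:
        if r["state"] == "ESTABLISHED" and "->" in r["name"]:
            port = r["name"].rsplit(":", 1)[1]     # remote port of the peer
            if port in AD_PORTS:
                out[r["command"]].add(AD_PORTS[port])
    return {cmd: sorted(svcs) for cmd, svcs in out.items()}

if __name__ == "__main__":
    rows = parse_lsof(LSOF_OUTPUT)
    print("missing Samba daemons:", missing_daemons(rows))
    print("smbd listening on:", listen_ports(rows, "smbd"))
    print("processes connected to AD ports:", ad_connections(rows))
```

On Kyle's listing the script reports winbindd as the only absent daemon, smbd listening on 139 and 445, and lwsmd, not a Samba daemon, as the process holding the LDAP, Global Catalog and SMB sessions to the domain controllers; a second AD client agent on the same box is worth understanding before winbind is added beside it. Two caveats: `lsof -i4` shows IPv4 network sockets only, and winbindd serves local callers over a Unix socket and opens connections to the DCs as it needs them, so its absence from this listing is a strong hint rather than proof; `wbinfo --ping` (which asks winbindd directly whether it is alive) and `systemctl status winbind` are the direct checks on an Ubuntu member server.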