Running Samba shares on Ubuntu 20.04 LTS (Focal Fossa)

A few days ago I was helping a client move some systems to run under Linux. They are quite used to Windows environments and they would like to have an environment where they could have a workflow similar to the one they have using Windows servers.

Environment

  • Windows 2016 Domain Controller
  • Windows 10 Workstations
  • Ubuntu 20.04 LTS (Focal Fossa) Application Server
  • Sudo rights must be granted via an Active Directory group

Requirements

  • Log in to Linux servers using an Active Directory account
  • Ability to copy files from Windows workstations to Linux servers using Windows Explorer
  • Ability to use ACLs on Linux in a similar way to how they are used in Windows

Solution

SSSD Configuration

Hostname & DNS

Set a proper hostname for your server, with the correct domain component (the host's FQDN must lie inside the AD domain):

sudo hostnamectl set-hostname myubuntu.example.com

Disable systemd-resolved

Ubuntu 20.04 comes with systemd-resolved, which you need to disable so that the server queries your network DNS servers directly. After unlinking the stub resolv.conf, write a new one whose nameserver entries point at the AD DNS servers (usually the domain controllers) and which has search example.com.

sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo unlink /etc/resolv.conf
sudo vim /etc/resolv.conf
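The hostname and resolver steps are easy to get subtly wrong, and realm discover then cannot find the domain. The following script is an added example, not part of the original article: it checks that the hostname is a fully qualified name inside the domain, that /etc/resolv.conf lists a nameserver other than the systemd-resolved stub and searches the AD domain, and that the domain controller and Kerberos SRV records resolve. The domain name and the resolver file path are arguments; the SRV lookup runs only when dig is installed.

```shell
#!/bin/sh
# Added example, not from the original article: pre-join checks for the
# hostname and resolver configuration described above. The AD domain
# (example.com) and the resolver file path are passed as arguments; nothing
# beyond standard tools is assumed, and the SRV lookup needs dig.

# Succeeds when hostname $1 is a fully qualified name under domain $2.
check_fqdn() {
  _host=$1 _domain=$2
  case "$_host" in
    *."$_domain") return 0 ;;
    *.*) echo "hostname '$_host' is not under $_domain" >&2; return 1 ;;
    *)   echo "hostname '$_host' has no domain component" >&2; return 1 ;;
  esac
}

# Succeeds when resolver file $1 lists a nameserver that is not the
# systemd-resolved stub (127.0.0.53) and searches domain $2, so short names
# and the SRV records below resolve through the AD DNS servers.
check_resolv() {
  _file=$1 _domain=$2
  _ns=$(awk '$1 == "nameserver" { print $2 }' "$_file")
  [ -n "$_ns" ] || { echo "no nameserver in $_file" >&2; return 1; }
  case "$_ns" in
    *127.0.0.53*) echo "$_file still points at the systemd-resolved stub" >&2; return 1 ;;
  esac
  awk -v d="$_domain" '
    $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
    END { exit found ? 0 : 1 }' "$_file" ||
    { echo "$_file does not search $_domain" >&2; return 1; }
}

# Prints the SRV names an AD client must resolve for domain $1: the domain
# controller locator record and the Kerberos KDC record.
srv_names() {
  printf '_ldap._tcp.dc._msdcs.%s\n_kerberos._tcp.%s\n' "$1" "$1"
}

# Resolves each SRV name with dig; skipped when dig is not installed so the
# script still runs on a host without bind9-dnsutils.
check_srv() {
  command -v dig >/dev/null 2>&1 || { echo "dig not installed, skipping SRV check" >&2; return 0; }
  srv_names "$1" | while read -r _name; do
    [ -n "$(dig +short SRV "$_name")" ] || { echo "no SRV record for $_name" >&2; exit 1; }
  done
}

# Usage: sh prejoin-check.sh example.com [/etc/resolv.conf]
if [ $# -ge 1 ]; then
  check_fqdn "$(hostname -f 2>/dev/null || hostname)" "$1" &&
    check_resolv "${2:-/etc/resolv.conf}" "$1" &&
    check_srv "$1" && echo "pre-join checks passed"
fi
```

Run it as sh prejoin-check.sh example.com before realm discover; each check prints what is wrong and stops, so the order of the article's steps can be verified before the join is attempted.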

Install required packages

A number of packages are required for joining an Ubuntu 20.04 system to an Active Directory (AD) domain.

sudo apt update
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Discover Active Directory domain

The realm discover command returns complete domain configuration and a list of packages that must be installed for the system to be enrolled in the domain.

sudo realm discover example.com

example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin

Ensure that all listed packages are also installed.

Join Active Directory (AD) domain

An AD administrative user account is required for integrating your Linux machine with the Windows Active Directory domain. Check and confirm the AD admin account and its password.

The realm join command sets up the local machine for use with the specified domain by configuring both the local system services and the entries in the identity domain. It has a number of options, listed in realm(8); a basic join with the Administrator account looks like this (you will be prompted for the password):

sudo realm join -U Administrator example.com

Test your new configuration.

realm list
example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@example.com
login-policy: allow-realm-logins

Edit /usr/share/pam-configs/mkhomedir and set Default: yes so the profile is enabled and home directories are created on first login:

Name: Create home directory on login
Default: yes
Priority: 0
Session-Type: Additional
Session-Interactive-Only: yes
Session:
	optional	pam_mkhomedir.so

Activate your configuration.

sudo pam-auth-update

Ensure that the mkhomedir profile (“Create home directory on login”) is selected; it should be marked [*].

Tune your setup

In my scenario I’ve decided to tune some things because I’m dealing with just one domain.

  • full_name_format = %1$s to show just the username, omitting the domain name
  • use_fully_qualified_names = True commented out to omit the domain name from user and group names
  • fallback_homedir = /home/%u to create home directories named after just the username
  • default_domain_suffix = example.com to supply a default domain, since we are omitting it everywhere else

Final version of /etc/sssd/sssd.conf:

# /etc/sssd/sssd.conf must be owned by root with mode 0600, or sssd refuses to start
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
# domain appended to names that carry no @domain, since fully qualified names are off below
default_domain_suffix = example.com

[domain/example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
# home directories are created as /home/<username>, without the domain
fallback_homedir = /home/%u
ad_domain = example.com
# commented out so users and groups appear without the @example.com suffix
# use_fully_qualified_names = True
# uids/gids are derived from the SID, so no POSIX attributes are needed in AD
ldap_id_mapping = True
access_provider = ad
# %1$s is the user name alone; %2$s would append the domain name
full_name_format = %1$s

Whenever sssd.conf changes, the service must be restarted:

sudo systemctl restart sssd

Test it

The service status should be active (running).

systemctl status sssd

If the integration is working, it should be possible to look up an AD user, including the AD groups it belongs to:

id jrgcombr
uid=1783929917(jrgcombr) gid=1784800513(domain users) groups=1783870513(domain users),435833711(example_group),435833701(linux_sudoers)

Configure sudoers

Run sudo visudo and grant the AD group linux_sudoers sudo rights by adding the %linux_sudoers line:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Members of the AD group linux_sudoers (resolved through SSSD, no domain
# suffix because of full_name_format = %1$s) may gain root privileges
%linux_sudoers ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
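The article edits /etc/sudoers in place. Because a syntax error anywhere in the sudoers files makes sudo refuse to run, the same grant is safer as a drop-in under /etc/sudoers.d that is validated before it goes live. This is an added example, not from the original article: it writes the rule for an AD group, checks it with visudo when running as root, and installs it with the 0440 mode sudo requires. The group name linux_sudoers is the article's; the destination path /etc/sudoers.d/ad-linux_sudoers is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: grant sudo to an AD group via a
# drop-in under /etc/sudoers.d instead of editing /etc/sudoers, validating the
# rule with visudo first. Group name linux_sudoers is the article's; the
# destination path /etc/sudoers.d/ad-<group> is an assumption for illustration.

# Escapes a group name for sudoers: spaces, as in "domain admins", must be
# backslash-escaped so the parser keeps them inside the %group token.
sudoers_group() {
  printf '%s\n' "$1" | sed 's/ /\\ /g'
}

# Emits the rule granting group $1 full sudo, the same grant the article adds
# as %linux_sudoers ALL=(ALL) ALL (here with the explicit ALL:ALL runas group).
sudoers_rule() {
  printf '%%%s ALL=(ALL:ALL) ALL\n' "$(sudoers_group "$1")"
}

# Writes the rule for group $1 to a temp file, runs `visudo -cf` on it when
# we are root (installing into /etc/sudoers.d needs root anyway), and installs
# it at path $2 with mode 0440, which sudo requires. A syntax error in any
# sudoers file makes sudo refuse to run, so the check happens before install.
install_sudoers_dropin() {
  _group=$1 _dest=$2
  _tmp=$(mktemp) || return 1
  sudoers_rule "$_group" > "$_tmp"
  if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1; then
    if ! visudo -cf "$_tmp" >/dev/null; then
      echo "sudoers syntax error in rule for $_group" >&2
      rm -f "$_tmp"
      return 1
    fi
  fi
  install -m 0440 "$_tmp" "$_dest" && rm -f "$_tmp"
}

# Usage: sudo sh ad-sudoers.sh linux_sudoers [/etc/sudoers.d/ad-linux_sudoers]
# Drop-in file names may not contain a dot or end in ~, or sudo skips them.
if [ $# -ge 1 ]; then
  _safe=$(printf '%s' "$1" | tr ' .' '__')
  install_sudoers_dropin "$1" "${2:-/etc/sudoers.d/ad-$_safe}" && echo "installed sudo rule for $1"
fi
```

After installing, sudo -l as a member of the group should list the rule; the distribution's /etc/sudoers stays untouched, so package upgrades never prompt about a modified file.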

Samba Configuration

Install packages

sudo apt install samba

Adjust /etc/samba/smb.conf. The realm must be the Kerberos realm that realm discover reported (EXAMPLE.COM), and the EXAMPLE idmap range must not overlap the default range used for all other SIDs:

[global]
   workgroup = EXAMPLE
   # Kerberos realm; must match realm discover and krb5_realm in sssd.conf
   realm = EXAMPLE.COM
   security = ads
   # use the machine account keytab created by realm join
   kerberos method = secrets and keytab
   server string = %h server (Samba, Ubuntu)
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   # default range for SIDs outside the domain (BUILTIN, local SIDs); must not overlap the domain range
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999
   # domain users and groups get the same uids/gids SSSD already assigned
   idmap config EXAMPLE: backend = sss
   idmap config EXAMPLE: range = 200000-2147483647
   usershare allow guests = yes

[example_share]
   path = /var/example_share
   read only = no
   browsable = true
   writable = yes
   # new files and directories take their permissions from the parent directory
   inherit permissions = yes
   # only members of the AD group example_group may connect to this share
   valid users = @example_group
   map archive = no
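Two things about the idmap block are worth checking mechanically before smbd is started: the * range and the EXAMPLE range must not overlap, and the EXAMPLE range must contain the ids SSSD already hands out (the id output earlier showed uid 1783929917, which 200000-2147483647 covers). The script below is an added example, not part of the original article: it parses the idmap ranges out of an smb.conf, checks them for overlap, checks that a given id falls inside the domain range, and runs testparm when it is installed. The smb.conf path, the domain name and the id to test are arguments; the sample file it can write reproduces the article's idmap lines and is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: checks on the idmap ranges in
# an smb.conf before smbd is (re)started. The smb.conf path, the domain
# (EXAMPLE) and the uid to test are arguments; the sample file written by
# write_sample_smbconf reproduces the article's idmap lines for demonstration.

# Prints "DOMAIN low high" for every "idmap config DOMAIN : range = low-high"
# line; the domain may be * and whitespace around ':' and '=' is optional.
idmap_ranges() {
  sed -n 's/^[[:space:]]*idmap[[:space:]]*config[[:space:]]*\([^:]*[^:[:space:]]\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p' "$1"
}

# Exit 0 when no two ranges in smb.conf $1 overlap and none is inverted.
# Overlapping ranges let two backends hand out the same uid or gid.
check_idmap_overlap() {
  idmap_ranges "$1" | awk '
    { name[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0
      if (lo[NR] > hi[NR]) { printf "inverted range for %s\n", $1 > "/dev/stderr"; bad = 1 } }
    END {
      for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
        if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
          printf "overlap: %s %d-%d vs %s %d-%d\n", name[i], lo[i], hi[i], name[j], lo[j], hi[j] > "/dev/stderr"
          bad = 1
        }
      exit bad
    }'
}

# Exit 0 when uid/gid $3 lies inside the range configured for domain $2 in
# smb.conf $1, i.e. the ids SSSD already assigned (see the id output in the
# article) are the ones the sss idmap backend will serve.
id_in_domain_range() {
  idmap_ranges "$1" | awk -v d="$2" -v u="$3" '
    $1 == d { found = 1; if (u + 0 < $2 + 0 || u + 0 > $3 + 0) bad = 1 }
    END { exit (found && !bad) ? 0 : 1 }'
}

# Full parse with Samba's own checker when it is installed.
check_smbconf_syntax() {
  command -v testparm >/dev/null 2>&1 || { echo "testparm not installed, skipping" >&2; return 0; }
  testparm -s "$1" >/dev/null
}

# Writes a constructed smb.conf fragment with the article's idmap settings to $1.
write_sample_smbconf() {
  cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999
   idmap config EXAMPLE: backend = sss
   idmap config EXAMPLE: range = 200000-2147483647
EOF
}

# Usage: sh idmap-check.sh /etc/samba/smb.conf EXAMPLE 1783929917
if [ $# -ge 3 ]; then
  check_idmap_overlap "$1" && id_in_domain_range "$1" "$2" "$3" &&
    check_smbconf_syntax "$1" && echo "idmap ranges look sane"
fi
```

The overlap check is the one that matters most in practice: if the * range were widened into the EXAMPLE range, the tdb backend could allocate an id that SSSD already uses for a domain user, and file ownership on the share would become ambiguous.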

Fix guest mapping on Ubuntu

A default Ubuntu installation has no Unix group mapped to S-1-5-32-546, the well-known SID of the BUILTIN\Guests group; map it to nogroup:

sudo net groupmap add sid=S-1-5-32-546 unixgroup=nogroup type=builtin

Reference: Well-known security identifiers in Windows operating systems (Microsoft documentation).

Install acl

Ubuntu does not install the acl package (the getfacl and setfacl tools) by default, but its filesystems already come with ACL support enabled.

sudo apt install acl

Configure share permissions

Adjust permissions so that only members of example_group can work on the shared files, both through the Samba share and directly on Linux (create /var/example_share first if it does not exist yet). The setgid bit in 2770 makes new entries inherit the directory's group, and the default (d:) ACL entry gives the group rwx on new entries as well:

sudo chmod 2770 /var/example_share
sudo chown root:example_group /var/example_share
sudo setfacl -m g:example_group:rwx,d:g:example_group:rwx /var/example_share

Check it

getfacl /var/example_share
# file: .
# owner: root
# group: example_group
# flags: -s-
user::rwx
group::rwx
group:example_group:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:example_group:rwx
default:mask::rwx
default:other::---
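The getfacl output above is what a correctly prepared share directory looks like. The following script is an added example, not from the original article, that turns the eyeball check into one that can run after every change: it verifies mode 2770 and the group owner, confirms that a file created inside the directory inherits the group (the effect of the setgid bit), and looks for the default ACL entry the setfacl command added. Directory and group are arguments; /var/example_share and example_group are the article's values and are used as defaults.

```shell
#!/bin/sh
# Added example, not from the original article: verify a share directory has
# the ownership, setgid bit and mode the article sets (root:example_group,
# 2770) and that new entries inherit its group. Directory and group are
# arguments; /var/example_share and example_group are the article's values.
# Uses GNU stat (-c), as shipped on Ubuntu.

# Exit 0 when $1 is a directory with mode 2770 (rwxrws---) and group $2.
check_share_dir() {
  _dir=$1 _group=$2
  [ -d "$_dir" ] || { echo "$_dir is not a directory" >&2; return 1; }
  _mode=$(stat -c %a "$_dir") _grp=$(stat -c %G "$_dir")
  [ "$_mode" = 2770 ] || { echo "$_dir mode is $_mode, expected 2770" >&2; return 1; }
  [ "$_grp" = "$_group" ] || { echo "$_dir group is $_grp, expected $_group" >&2; return 1; }
}

# Exit 0 when a file created inside $1 inherits the directory's group. That is
# what the setgid bit buys: files dropped in over Samba or from a shell belong
# to example_group rather than to the creator's primary group.
check_group_inheritance() {
  _probe=$(mktemp "$1/.probe.XXXXXX") || return 1
  _want=$(stat -c %G "$1") _got=$(stat -c %G "$_probe")
  rm -f "$_probe"
  [ "$_want" = "$_got" ] || { echo "new files in $1 get group $_got, not $_want" >&2; return 1; }
}

# Exit 0 when getfacl shows the default ACL entry the setfacl command added,
# so entries created later also carry rwx for group $2. Skipped without acl.
check_default_acl() {
  command -v getfacl >/dev/null 2>&1 || { echo "getfacl not installed (apt install acl), skipping" >&2; return 0; }
  getfacl -p "$1" 2>/dev/null | grep -qx "default:group:$2:rwx" ||
    { echo "$1 has no default ACL granting $2 rwx" >&2; return 1; }
}

# Usage: sh check-share.sh /var/example_share example_group
if [ $# -ge 1 ]; then
  check_share_dir "$1" "${2:-example_group}" && check_group_inheritance "$1" &&
    check_default_acl "$1" "${2:-example_group}" && echo "$1 is set up as the article describes"
fi
```

Because `inherit permissions = yes` in smb.conf makes Samba honour the directory's mode and default ACL, a share that passes these checks behaves the same whether files arrive through Windows Explorer or a local shell.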

Enable Samba

Enable smbd so that it starts at boot, and start it now:

sudo systemctl enable smbd
sudo systemctl start smbd

Conclusion

Setup is now done. By now you should have Samba integrated with Active Directory, clients authenticating via Kerberos, and one flat uid/gid structure shared by SSSD and Samba.