Running Samba shares on Ubuntu 20.04 LTS (Focal Fossa)

I few days ago I was helping a client to move some systems to run under Linux. They are quite used to Windows environments and they would like to have an environment where they could have a workflow similar to the one they have using Windows servers.

Environment

• Windows 2016 Domain Controller
• Windows 10 Workstations
• Ubuntu 20.04 LTS (Focal Fossa) Application Server
• Sudoers must be granted via Active Directory group

Requirements

• Log to Linux servers using Active Directory account
• Ability to copy files from Windows workstations to Linux servers using Windows Explorer
• Ability to use ACLs on Linux in similar way to how they are done in Windows

Solution

• Usage of SSSD - System Security Services Daemon https://sssd.io/

• Usage of Samba https://samba.org/

SSSD Configuration

Hostname & DNS

Set a proper hostname for your server with correct domain component.

sudo hostnamectl set-hostname myubuntu.example.com

Disable systemd-resolve

Ubuntu 20.04 comes with systemd-resolve which you need to disable for the server to access your network DNS directly.

sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo unlink /etc/resolv.conf
sudo vim /etc/resolv.conf

Install required packages

A number of packages are required for joining an Ubuntu 20.04 system to Active Directory (AD) domain.

sudo apt update
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Discover Active Directory domain

The realm discover command returns complete domain configuration and a list of packages that must be installed for the system to be enrolled in the domain.

sudo realm discover example.com

example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

Ensure that all listed packages are also installed.

Join Active Directory (AD) domain

An AD administrative user account is required for integrating your Linux machine with Windows Active Directory domain. Check and confirm AD admin account and the password.

The realm join command will set up the local machine for use with a specified domain by configuring both the local system services and the entries in the identity domain. The command has a number of options which can be checked with:

sudo realm join -U Administrator example.com

Test your new configuration.

realm  list

example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@example.com
  login-policy: allow-realm-logins

Edit /usr/share/pam-configs/mkhomedir and set Default: yes to get it enabled.

Name: Create home directory on login
Default: yes
Priority: 0
Session-Type: Additional
Session-Interactive-Only: yes
Session:
        optional                        pam_mkhomedir.so

Activate your configuration.

sudo pam-auth-update

Ensure “activate mkhomedir” is selected, it should have [*]

Tune your setup

In my scenario I’ve decided to tune some things because I’m dealing with just one domain.

• full_name_format = %1$s to show just username omitting domain name
• use_fully_qualified_names = True removed to omit domain name
• fallback_homedir = /home/%u to create homedirs with just username
• default_domain_suffix = example.com to have a default domain since we are omitting it

Final version of /etc/sssd/sssd.conf:

[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
default_domain_suffix = example.com

[domain/example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = example.com
# use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
full_name_format = %1$s

Whenever there is a change in sssd.conf, restart is required.

sudo systemctl restart sssd

Test it

Status should be running.

systemctl status sssd

If the integration is working, it should be possible to get an AD user info.

id jrgcombr
uid=1783929917(jrgcombr) gid=1784800513(domain users) groups=1783870513(domain users),435833711(example_group),435833701(linux_sudoers)

Configure sudoers

Adjust your visudo to linux_sudoers

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%linux_sudoers ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Samba Configuration

Install packages

sudo apt install samba

Adjust your smb.conf

[global]

   workgroup = EXAMPLE
   realm = EXAMPLE.NET
   security = ads
   kerberos method = secrets and keytab

   server string = %h server (Samba, Ubuntu)

   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file

   panic action = /usr/share/samba/panic-action %d

   obey pam restrictions = yes

   unix password sync = yes

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

   pam password change = yes
   map to guest = bad user

   idmap config * :              backend = tdb
   idmap config * :              range   = 100000-199999
   idmap config EXAMPLE: backend = sss
   idmap config EXAMPLE: range   = 200000-2147483647

   usershare allow guests = yes

[example_share]
   path = /var/example_share
   read only = no
   browsable = true
   writable = yes
   inherit permissions = yes
   valid users = @example_group
   map archive = no

Fix guests mapping on Ububtu

Ubuntu default installation has an issue with S-1-5-32-546 mapping.

sudo net groupmap add sid=S-1-5-32-546 unixgroup=nogroup type=builtin

Well-known security identifiers in Windows operating systems

Install acl

Ubuntu does not come with acl packages installed but the filesystem does come with acl enabled by default.

sudo apt install acl

Configure share permissions

Adjust permission to only example_group members can work on shared files from samba share and from Linux as well.

chmod 2770 /var/example_share
chown root:example_group /var/example_share
setfacl -m g:example_group:rwx,d:g:example_group:rwx /var/example_share

Check it

getfacl /var/example_share

# file: .
# owner: root
# group: example_group
# flags: -s-
user::rwx
group::rwx
group:example_group:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:example_group:rwx
default:mask::rwx
default:other::---

Enable samba

sudo systemctl enable smbd
sudo systemctl start smbd

Conclusion

Setup is now done, by now you should have one samba active directory integrated, clients authenticating via Kerberos and one flat uid/gid structre.