Ubuntu 20.04 and Samba integration with Active Directory using SSSD

# install required applications
su@fs:~$ sudo apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
# configure network to use ADDC as DNS server, and to use the FQDN as default search name
su@fs:~$ sudo vim /etc/netplan/00-installer-config.yaml
  version: 2
# apply the configuration
su@fs:~$ sudo netplan apply
# test if you can discover the domain
su@fs:~$ realm discover
type: kerberos
realm-name: EXAMPLE.COM
configured: no
# join the domain
su@fs:~$ realm join -U administrator
Password for administrator:
# test if you can query the domain
su@fs:~$ id
uid=687821651( gid=687800512( groups=687800512(domain
# additional configuration
su@fs:~$ sudo vim /etc/sssd/sssd.conf
# set use_fully_qualified_names to false if you want to log in using username only - otherwise you must use
# modify fallback_homedir to change user home folder - I prefer /home/%d/%u
# enable auto create of home folders
su@fs:~$ sudo pam-auth-update --enable mkhomedir
# add users to sudo group
su@fs:~$ sudo usermod -aG sudo
# or add a domain group to sudoers
su@fs:~$ sudo visudo
# append the line (with the desired group name)
%Domain\ admins  ALL=(ALL:ALL) ALL
# login with user
su@fs:~$ su -
Creating directory '/home/'.
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
$ exit

# additionally, you can allow only certain users to login
su@fs:~$ sudo realm deny --all
su@fs:~$ sudo realm permit
su@fs:~$ sudo realm permit -g 'Domain Admins'

If you install krb5-user, your AD users will also get a Kerberos ticket upon logging in.

su@fs:~$ sudo apt install krb5-user 

su@fs:~$ su -l
Password:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1945601295_0twWui
Default principal: user@EXAMPLE.COM
Valid starting       Expires              Service principal
03/29/2021 08:57:32  03/29/2021 18:57:32  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 03/30/2021 08:57:32
$ sudo apt install smbclient
$ smbclient -k -L
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        CertEnroll      Disk      Active Directory Certificate Services share
        ContentBuilderSCUM Disk
        D$              Disk      Default share
        E$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Share           Disk
        ShareSSD        Disk
        SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
$ klist
Ticket cache: FILE:/tmp/krb5cc_1945601295_0twWui
Default principal: tplecko-adm@GAMEPIRES.COM
Valid starting       Expires              Service principal
03/29/2021 08:59:11  03/29/2021 18:59:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 03/30/2021 08:59:11
03/29/2021 08:59:40  03/29/2021 18:59:11  cifs/
$

This part needs review since it is broken in the fresh versions

su@fs:~$ sudo apt install samba cifs-utils libwbclient-sssd
su@fs:~$ sudo vim /etc/samba/smb.conf
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   server string = %h server
   #idmap backend = lwopen
   idmap config * : backend = tdb
   idmap config * : range = 10000-199999
   idmap config EXAMPLE : backend = sss
   idmap config EXAMPLE : range = 1000000-19999999
   idmap config EXAMPLE : rangesize = 1000000
   passdb backend = tdbsam
   kerberos method = system keytab
   #secrets and keytab
   dedicated keytab file = /etc/krb5.keytab
   security = ads
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
   server role = member server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
   max protocol = SMB3
   min protocol = NT1
        comment = Public share
        path = /shared/public
        read only = no
        guest ok = no
        browsable = yes
        writable = yes
        #admin users =
        valid users = Domain\ users\
        #invalid users =
        #read list =
        write list = Domain\ users\
        create mask = 0770
        directory mask = 0770
        force create mode = 0770
        force directory mode = 0770
# get your domain SID from PowerShell with Get-ADDomain
su@fs:~$ sudo net setdomainsid S-1-5-21-111111111-2222222222-33333333
su@fs:~$ sudo systemctl restart smbd nmbd
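
The smb.conf above sets min protocol = NT1, map to guest = bad user and usershare allow guests = yes, three settings worth checking before the file server goes into service. The following is an added example, not part of the original page: a hypothetical audit_smb_conf shell function that reports them, run over a constructed sample whose [global] and [public] section names are assumptions (the page does not show them).

```shell
#!/usr/bin/env bash
# Added example: report [global] settings in an smb.conf that weaken the server.
# Reads the file named in $1, or standard input when no argument is given.
audit_smb_conf() {
  awk -F= '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    /^[ \t]*\[/ { section = tolower(trim($0)); next }
    section != "[global]" || !index($0, "=") { next }
    {
      # parameter names and values are compared case-insensitively
      key = tolower(trim($1)); gsub(/[ \t]+/, " ", key)
      val = tolower(trim(substr($0, index($0, "=") + 1)))
      if (key ~ /^(server )?min protocol$/ && val ~ /^(core|coreplus|lanman1|lanman2|nt1)$/)
        print "WEAK: " key " = " val " (SMB1 dialects accepted; set SMB2 or later)"
      else if (key == "map to guest" && val != "never")
        print "WEAK: " key " = " val " (some failed logins map to the guest account; set never)"
      else if (key == "usershare allow guests" && val ~ /^(yes|true|1)$/)
        print "WEAK: " key " = " val " (user-defined shares may permit guests; set no)"
    }' "${1:--}"
}

# Constructed sample: the security-relevant lines from the smb.conf above.
# The [global] and [public] section names are assumptions, not from the page.
SAMPLE_CONF='[global]
   security = ads
   map to guest = bad user
   usershare allow guests = yes
   max protocol = SMB3
   min protocol = NT1
[public]
   path = /shared/public
   guest ok = no'

printf '%s\n' "$SAMPLE_CONF" | audit_smb_conf
```

On a real server, pass the path instead of piping the sample: audit_smb_conf /etc/samba/smb.conf.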
  • linux/ad_integration/sssd.txt
  • Last modified: 2021-03-29 14:11
  • by tplecko