Ubuntu 12.04 Ultimate Server Guide

Part 8: Connecting Microsoft Windows Clients

To get this working we’re going to need to make some changes to the server, installing Samba to act as an Active Directory Primary Domain Controller… thankfully, that’s a lot easier than it sounds!

Server Configuration

sudo apt-get install samba libpam-smbpass

That will install Samba and import all of your user accounts for use with Samba. Furthermore, new user accounts will automatically be synchronised with their Samba counterparts.

Let’s create Kerberos principals for the Samba service to use. ssh into the server and run the following:

sudo kadmin.local -q "addprinc -randkey cifs/neo.danbishop.org"
sudo kadmin.local -q "addprinc -randkey cifs/neo"
sudo kadmin.local -q "ktadd -k /etc/krb5.keytab -e rc4-hmac:normal cifs/neo.danbishop.org"
sudo kadmin.local -q "ktadd -k /etc/krb5.keytab -e rc4-hmac:normal cifs/neo"

Be sure to include the encryption type when running ktadd. The default encryption type is not compatible with the Samba client utilities. You’ll notice both the FQDN and the hostname of the server have been added. I hope to clean this up soon, but at the moment this is the only way I’ve managed to be sure it will work.
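As an added example (not from the original guide), the shell script below wraps the four commands above and then verifies the result: it checks that both cifs/ entries are present in the keytab with the required enctype (MIT klist reports rc4-hmac as arcfour-hmac) and that the keytab, which holds the service's long-term key, is readable by its owner only. The hostnames are the guide's own (neo / neo.danbishop.org); the sample klist output at the end is constructed so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the guide: create the cifs/ service principals,
# export them to the keytab with the rc4-hmac enctype the guide requires,
# and verify both the keytab entries and the keytab's permissions.
# Hostnames are the guide's (neo / neo.danbishop.org); change them for your server.
set -u

KEYTAB=${KEYTAB:-/etc/krb5.keytab}
ENCTYPE="rc4-hmac:normal"

# create_cifs_principals SHORT FQDN: create both principals and add them to
# the keytab. Needs kadmin.local, so run it on the KDC as root.
create_cifs_principals() {
    short=$1 fqdn=$2
    for p in "cifs/$fqdn" "cifs/$short"; do
        kadmin.local -q "addprinc -randkey $p" || return 1
        kadmin.local -q "ktadd -k $KEYTAB -e $ENCTYPE $p" || return 1
    done
}

# keytab_has_entry KLIST_OUTPUT PRINCIPAL ENCTYPE_NAME
# Returns 0 if KLIST_OUTPUT (from `klist -k -e KEYTAB`) lists PRINCIPAL with
# ENCTYPE_NAME. MIT klist prints rc4-hmac keys as "arcfour-hmac".
keytab_has_entry() {
    printf '%s\n' "$1" | grep -q -- "[[:space:]]$2@[^[:space:]]* ($3)"
}

# keytab_mode_ok FILE
# The keytab holds long-term service keys, so group and other must have no
# access at all: returns 0 only if the permission bits end in "00".
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "${mode#"${mode%??}"}" = "00" ]
}

# verify_keytab FQDN SHORT: run all checks against the real keytab.
verify_keytab() {
    out=$(klist -k -e "$KEYTAB") || return 1
    keytab_has_entry "$out" "cifs/$1" arcfour-hmac &&
    keytab_has_entry "$out" "cifs/$2" arcfour-hmac &&
    keytab_mode_ok "$KEYTAB"
}

# Constructed sample of `klist -k -e` output, so the checks run offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 cifs/neo.danbishop.org@DANBISHOP.ORG (arcfour-hmac)
   2 cifs/neo@DANBISHOP.ORG (arcfour-hmac)
   3 host/neo.danbishop.org@DANBISHOP.ORG (aes256-cts-hmac-sha1-96)'

if keytab_has_entry "$SAMPLE_KLIST" cifs/neo.danbishop.org arcfour-hmac &&
   keytab_has_entry "$SAMPLE_KLIST" cifs/neo arcfour-hmac; then
    echo "sample keytab: both cifs entries present with arcfour-hmac"
fi
```

On the server itself, run `create_cifs_principals neo neo.danbishop.org` as root and then `verify_keytab neo.danbishop.org neo`; a non-zero exit means either an entry is missing, it was exported with a different enctype, or the keytab is readable by more than its owner.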

Now we need to configure Samba:

sudo nano /etc/samba/smb.conf

This file contains a comprehensive and well-commented list of all of Samba’s configuration settings and is well worth reading through. The changes we’re particularly interested in are detailed below:

workgroup = danbishop.org
security = user
realm = DANBISHOP.ORG
kerberos method = system keytab
domain logons = yes
logon path = \\%N\%U\windowsprofile
logon drive = H:
logon home = \\%N\%U
logon script = logon.cmd
add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

Most of the above simply need the # or ; removed from the beginning of their line in the config file to enable them.

We also need to enable some shares in the configuration file; these are found towards the end of the file under the title “Share Definitions”:

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   valid users = %S

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   read only = yes
   share modes = no

Now we need to create the netlogon folder and an empty logon.cmd (this will be used later to run commands each time a user logs on – perhaps to mount another share, etc.):

sudo mkdir -p /home/samba/netlogon
sudo touch /home/samba/netlogon/logon.cmd
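The following shell checker is an added example, not part of the guide. It reads the settings enabled above with a minimal smb.conf parser (last value wins, as in Samba) and verifies the ones that matter for security, in particular that [netlogon] stays read-only: logon.cmd is executed by every Windows client at logon, so a writable copy would let any user change what every client runs. It also creates the netlogon directory with root ownership and owner-only write permission and checks that on disk. Paths and settings are the guide's; the embedded smb.conf fragment is constructed.

```shell
#!/bin/sh
# Added example, not from the guide: validate the smb.conf settings enabled
# above and lock down the netlogon share on disk. logon.cmd runs on every
# Windows client at logon, so whoever can write it can run commands on every
# client: the share must stay read-only and the files root-owned, owner-writable only.
set -u

NETLOGON_DIR=${NETLOGON_DIR:-/home/samba/netlogon}   # the guide's path

# smb_get FILE SECTION KEY: print KEY's value in [SECTION]; the last occurrence
# wins, as in Samba. Names are case-insensitive; lines starting with # or ; are comments.
smb_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[[^]]*\][ \t]*$/ {
            cur = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", cur); cur = tolower(cur); next
        }
        cur == tolower(sec) && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                found = v; seen = 1
            }
        }
        END { if (seen) print found }' "$1"
}

is_yes() { case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in yes|true|1) return 0 ;; esac; return 1; }
is_no()  { case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in no|false|0) return 0 ;; esac; return 1; }

# share_is_writable FILE SECTION: Samba shares are read-only by default and become
# writable through "read only = no" or the synonyms "writable"/"writeable = yes".
share_is_writable() {
    is_no  "$(smb_get "$1" "$2" 'read only')" && return 0
    is_yes "$(smb_get "$1" "$2" writable)"    && return 0
    is_yes "$(smb_get "$1" "$2" writeable)"
}

# check_smb_conf FILE: the guide's key settings plus the netlogon rule; prints
# each problem to stderr and returns 1 if there were any.
check_smb_conf() {
    f=$1 rc=0
    [ "$(smb_get "$f" global security | tr 'A-Z' 'a-z')" = user ] ||
        { echo "global: security should be 'user'" >&2; rc=1; }
    [ "$(smb_get "$f" global 'kerberos method' | tr 'A-Z' 'a-z')" = 'system keytab' ] ||
        { echo "global: kerberos method should be 'system keytab'" >&2; rc=1; }
    [ "$(smb_get "$f" homes 'valid users')" = '%S' ] ||
        { echo "homes: valid users should be %S so each user sees only their own home" >&2; rc=1; }
    if share_is_writable "$f" netlogon; then
        echo "netlogon: share is writable, so logon.cmd could be altered by any user" >&2; rc=1
    fi
    return $rc
}

# netlogon_perms_ok DIR OWNER: the directory and logon.cmd are owned by OWNER
# and carry no write bit for group or other.
netlogon_perms_ok() {
    for p in "$1" "$1/logon.cmd"; do
        [ "$(stat -c '%U' "$p" 2>/dev/null)" = "$2" ] || return 1
        mode=$(stat -c '%a' "$p")
        case "${mode#"${mode%??}"}" in *[2367]*) return 1 ;; esac
    done
    return 0
}

# setup_netlogon: create the share directory and an empty logon.cmd with the
# permissions above (run as root), then verify them.
setup_netlogon() {
    mkdir -p "$NETLOGON_DIR" && touch "$NETLOGON_DIR/logon.cmd" &&
    chown root:root "$NETLOGON_DIR" "$NETLOGON_DIR/logon.cmd" &&
    chmod 755 "$NETLOGON_DIR" && chmod 644 "$NETLOGON_DIR/logon.cmd" &&
    netlogon_perms_ok "$NETLOGON_DIR" root
}

# Constructed smb.conf fragment using the guide's settings, to run the checks offline.
SAMPLE_SMB_CONF='[global]
   workgroup = danbishop.org
   security = user
   realm = DANBISHOP.ORG
   kerberos method = system keytab
   domain logons = yes
;  logon path = \\%N\%U\windowsprofile

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   valid users = %S

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   read only = yes
   share modes = no'

tmp=$(mktemp) && printf '%s\n' "$SAMPLE_SMB_CONF" > "$tmp"
check_smb_conf "$tmp" && echo "sample smb.conf: OK"
rm -f "$tmp"
```

Run `check_smb_conf /etc/samba/smb.conf` after editing, and `setup_netlogon` (as root) instead of the bare mkdir/touch above if you want the ownership and mode set and verified in one step. The parser deliberately handles only what these checks need; `testparm` remains the authoritative syntax check.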

Now we just need to restart Samba to make the changes take effect:

sudo service smbd restart
sudo service nmbd restart

We also need to create a group called “machines” for Samba to use when the add machine script is run. This happens whenever you join a new Windows machine to your domain.

sudo ldapaddgroup machines

To have your Unix admins recognised as Windows admins, we need to map the Windows admin group to the Unix admin group like so:

sudo net groupmap add ntgroup="Domain Admins" unixgroup=domainadmins rid=512 type=d

You also need to give admins who are allowed to add machines to the network explicit rights to do so. The following command, authenticating as the user dan, grants the Domain Admins group (and so dan) the rights to use the add machine script and therefore join Windows machines to the domain.

net rpc rights grant -U dan "danbishop.org\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

You will almost certainly get an authentication error here; check that you have added your realm information to /etc/krb5.conf on the server (in this case neo). See the Kerberos section of this guide for how to do that. Then log out of the ssh session and back in; this will sync your Samba account with your LDAP account.
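An added audit script, not from the guide, for the group mapping and rights commands above: it confirms from `net groupmap list` output that RID 512 (Domain Admins) maps to the expected Unix group, and compares the privileges shown by `net rpc rights list accounts` against an allow-list. Of the five privileges granted above, only SeMachineAccountPrivilege is needed to join machines; the other four allow managing printers, users and groups, shares, and remote shutdown, so an allow-list makes it visible when a group holds more than it needs. The output formats are assumed from Samba 3 and both samples are constructed.

```shell
#!/bin/sh
# Added example, not from the guide: audit the group mapping and the rights
# granted above. Output formats of `net groupmap list` and
# `net rpc rights list accounts` are assumed from Samba 3; samples are constructed.
set -u

# groupmap_unix_group GROUPMAP_OUTPUT RID: print the Unix group mapped to the
# domain group whose SID ends in -RID (512 = Domain Admins). Lines look like:
#   Domain Admins (S-1-5-21-...-512) -> domainadmins
groupmap_unix_group() {
    printf '%s\n' "$1" | awk -v rid="$2" '
        match($0, /\(S-1-5-21-[0-9-]+\)/) {
            sid = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(sid, part, "-")
            if (part[n] == rid) { print $NF; exit }
        }'
}

# rights_of ACCOUNTS_OUTPUT ACCOUNT: print the privileges listed under ACCOUNT.
# The listing is one block per account: the account name, one privilege per
# line, then a blank line. ACCOUNT is passed through the environment because
# awk -v would interpret the backslash in "DOMAIN\Group".
rights_of() {
    printf '%s\n' "$1" | ACCT="$2" awk '
        /^[[:space:]]*$/ { inblk = 0; next }
        !inblk && $0 == ENVIRON["ACCT"] { inblk = 1; next }
        inblk && $1 ~ /^Se/ { print $1 }'
}

# extra_rights ACCOUNTS_OUTPUT ACCOUNT ALLOWED...: print every privilege ACCOUNT
# holds that is not in the allow-list; returns 1 if any were found.
extra_rights() {
    out=$1 acct=$2; shift 2
    allowed=" $* " found=0
    for r in $(rights_of "$out" "$acct"); do
        case "$allowed" in
            *" $r "*) ;;
            *) echo "$acct: unexpected $r"; found=1 ;;
        esac
    done
    return $found
}

# Constructed samples of the two listings as they would look after the guide's commands.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domainadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> domainusers'

SAMPLE_RIGHTS='BUILTIN\Print Operators
SePrintOperatorPrivilege

DANBISHOP.ORG\Domain Admins
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeRemoteShutdownPrivilege'

echo "RID 512 -> $(groupmap_unix_group "$SAMPLE_GROUPMAP" 512)"
# Joining machines needs only SeMachineAccountPrivilege; list what else the group holds.
extra_rights "$SAMPLE_RIGHTS" 'DANBISHOP.ORG\Domain Admins' SeMachineAccountPrivilege || true
```

On a live server, feed the real listings in with `groupmap_unix_group "$(net groupmap list)" 512` and `extra_rights "$(net rpc rights list accounts -U dan)" 'danbishop.org\Domain Admins' SeMachineAccountPrivilege`, widening the allow-list only for privileges the group is actually meant to hold.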

Connecting Windows 7 Clients

Windows 7 requires a registry change to be able to connect to a Samba domain. Download and run this registry entry on the client machine. Once added to the registry, restart the machine (or at least the lanman service).

Now would also be a good time to run the optimisations reg file. These tweaks are NOT necessary, but they do improve login speed.

Then go to Control Panel, System and Security, System and under “Computer name, domain and workgroup settings” click “Change settings”. Click the “Change” button on the dialogue that appears and enter “DANBISHOP.ORG” in the domain box. Click OK.

You will then be prompted for the domain administrator’s details to join the domain, in this case the username dan and its password. It will take some time to connect to the domain, but eventually you will be shown a dialogue box welcoming you to the DANBISHOP.ORG domain. Restart the computer and you’ll be able to log in as any of your domain users.

If you get a username/password not recognised error, log the user into a Linux machine (or the server itself via ssh) and you should see “Added user.” printed to the terminal. The user can now use the Samba domain.

  • Christian Oswald

    Hello,
    it’s a very useful tutorial and I learned a lot from it.
    I also had the problem with “Error adding group domainusers to LDAP” and in my case I solved it by switching TLS off in the LDAP server. I did it with Webmin because I can’t find the correct place for it in the configuration files. I think it depends on the defaults of the Ubuntu installation (in my case 14.04).
    But I also have a problem with the Kerberos authentication. It works nicely on the server (kadmin.local runs, kinit brings a ticket …) but from a client I always get the error “kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface”.
    I have reinstalled everything, checked the configuration files of dnsmasq, krb5 … nothing helps, no firewall runs …
    I have tested a lot – ping and nslookup work and give the correct server. But nmap said that only port 749 is open on the server, while kdc.conf says that ports 750 and 88 are used. I don’t know if it’s important.
    Does anyone have any idea of the reason for this error?

    Thanks,
    Christian

  • Jezzirolk

    Hey Dan, I have used your guides a few times and they are great. They still work with 14.04; I don’t think there was any tweaking I really had to do. I have a question though: is there a reason you disabled cache_credentials? Not saying there aren’t possible security reasons, but I was more curious if there were other technical reasons, because when connecting a laptop it is proving to make this a bit harder.

    –jezzirolk

    • danbishop88

      Hi Jezzirolk,

      I believe my reason for this was to do with: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1039151

      Basically, without it SSSD tends to come up before your network connection. This forces it into “offline” mode and it won’t even try to reconnect to your ldap/kerberos server until two minutes have elapsed. This prevents anyone from logging in for the full two minutes.

      A better workaround is listed in that thread, which is forcing the login screen to wait for the network to come up before appearing. I intend to move to that if I ever get round to finishing my 14.04 guide.

      Hope that helps…

      Dan

      • Jezzirolk

        Hey Dan,
        This still doesn’t really solve the issues, I think; waiting for the network doesn’t do much for my case of a laptop. If I am off site it still won’t connect properly unless you try to use cached credentials. Are we saying use cached credentials and then wait for the network, so as to prevent the false negative of “cannot connect to LDAP server”? If that’s the case that might work.

        I guess the better question is: if I log in offline, how does reconnecting work once we end up back on a network with access to the server?

        Any thoughts on this and how to deal with the NFS mounts with laptops or systems that end up off site?

        –jezzirolk