I have not found any complete guides on how to configure Samba to do access control on shares using Active Directory users and groups. I finally worked it out on an Ubuntu 22 VM and documented the steps.
Note: this guide reflects my understanding of the subject and I might be wrong... :)
sudo apt install sssd-ad sssd-tools realmd adcli samba winbind
sudo apt install samba winbind
This installs klist and kinit.
sudo apt install krb5-user
This joins the computer to the AD domain through realm.
sudo realm join -v domain.tld
Note: replace domain.tld with your AD DNS name.
After joining, you should be able to log in using an AD user:
sudo login
And enter an AD credential. Login through SSH won't work.
sudo pam-auth-update --enable mkhomedir
Edit /etc/samba/smb.conf with the following:
[global]
workgroup = DOMAIN
realm = DOMAIN.TLD
security = ADS
kerberos method = secrets and keytab
Note: Replace DOMAIN with your AD domain's name, and DOMAIN.TLD with your AD domain's DNS name.
The last line tells Samba to write the computer account password not only to the Samba secrets file but to the keytab too.
Also add idmap configuration. My understanding is that this will map Windows users to Linux user IDs for Samba.
[global]
idmap config * : backend = tdb
idmap config * : range = 10000-19999
idmap config DOMAIN : backend = nss
idmap config DOMAIN : range = 200000-2000200000
Note: replace DOMAIN with your AD domain's name (not DNS name).
Add the following line to /etc/sssd/sssd.conf:
ad_update_samba_machine_account_password = true
This line tells sssd to write the computer account password not only to the keytab but to the Samba secrets file too.
sudo systemctl restart sssd
sudo systemctl restart smbd
sudo systemctl enable winbind
sudo systemctl start winbind
This joins the computer to the domain through net too. Yes, you need to join through net as well, not just through realm.
sudo net ads join -U Administrator
Note: replace Administrator with the username that has permissions to join computers to the domain.
Create the share directory:
sudo mkdir /srv/share1
Add a share definition to /etc/samba/smb.conf:
[share1]
path = /srv/share1
read only = no
Set permissions on the directory:
sudo chgrp "DOMAIN\\groupname" /srv/share1
This makes DOMAIN\\groupname the group owner of the directory, giving that group owner-level access to it. Customize permissions as needed through chgrp, chown and chmod.
Then, restart samba so it picks up the new share.
sudo systemctl restart smbd
Now you should be able to access the share using Kerberos auth from a domain-joined Windows computer.
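Before restarting smbd it is worth sanity-checking the [global] settings built up above, since a wrong DOMAIN label or overlapping idmap ranges silently breaks the user-to-uid mapping. The following is an added example, not part of the original guide: a small Python linter run over a constructed smb.conf that flags security not set to ADS, an idmap domain that does not match the workgroup (DNS name used instead of the short name), a missing default idmap range, and idmap ranges that overlap (Samba requires them to be disjoint).

```python
import re

# Constructed sample: the [global] settings this guide builds up, as they would sit in /etc/samba/smb.conf.
SAMPLE_SMB_CONF = """[global]
workgroup = DOMAIN
realm = DOMAIN.TLD
security = ADS
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 10000-19999
idmap config DOMAIN : backend = nss
idmap config DOMAIN : range = 200000-2000200000
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: section -> {key: value}; keys lowercased, whitespace collapsed."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def lint(sections):
    """Return a list of problems that would break AD/Kerberos access to the shares."""
    problems, g = [], sections.get("global", {})
    if g.get("security", "").lower() != "ads":
        problems.append("security must be ADS for Kerberos authentication against AD")
    wg = g.get("workgroup", "").lower()
    ranges = {}
    for key, value in g.items():
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        if m:
            ranges[m.group(1)] = tuple(map(int, value.split("-")))
            if m.group(1) not in ("*", wg):  # the guide's DOMAIN is the short (NetBIOS) name
                problems.append(f"idmap domain '{m.group(1)}' does not match workgroup '{wg}'")
    if "*" not in ranges:
        problems.append("no 'idmap config * : range'; SIDs outside the domain get no uid/gid")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:  # Samba requires idmap ranges to be disjoint
                problems.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return problems
```

Run lint(parse_smb_conf(open("/etc/samba/smb.conf").read())) against the real file; an empty list means the checks above pass.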