Samba as Domain Controller

Goals

  • Building Samba from the source.
  • Provisioning Samba Active Directory Domain Controller (AD DC).
  • Creating shared folders whose permissions are controlled by domain (Active Directory) accounts.
  • Configuring Samba to allow services to authenticate over StartTLS encryption.
  • Setting Samba DC up to share folders.
  • Giving some users different permissions on the shared folders.

Warning: I wrote this guide in the old days as my personal guide; I did not intend to make it public. Even so, I am sharing it here now in the hope that it helps somebody, so please keep that in mind while reading and do not judge the writing style.

Building Samba from Source

First, install the packages Samba needs to compile (this list matches the Samba 4.5 series used in this guide, which still builds with Python 2; newer releases need python3-dev and further libraries, so check the dependency list on the Samba Wiki for your version):

sudo apt install make python-dev build-essential libgnutls28-dev libacl1-dev libldap2-dev

Download a stable release of Samba from www.samba.org (this guide uses 4.5.0; substitute the current version), verify it, and extract it. Each tarball is published together with a detached GPG signature (samba-<version>.tar.asc) made over the uncompressed tar, so gunzip the download and check it with gpg --verify against the Samba release key (https://download.samba.org/pub/samba/samba-pubkey.asc) before building code that will run as root on your domain controller:

wget https://download.samba.org/pub/samba/stable/samba-4.5.0.tar.gz
tar xzf samba-4.5.0.tar.gz
cd samba-4.5.0

In the root directory of Samba’s source code (the folder you extracted), execute configure script:

./configure

The main purpose of the configure script is to create the Makefile (the file the make command reads; it holds the compilation and installation settings). The configure script lets you set various options, such as installation paths and which parts of Samba to build. Normally the defaults do exactly what you need; by default everything is installed under /usr/local/samba, which is why the paths later in this guide start there. For more information please refer to the Samba Wiki.

Compile Samba:

make

Install Samba:

sudo make install

Configuring System

Make sure that:

  • Your hostname is your fully qualified domain name (FQDN), e.g. dc1.noureldin.local.
  • Your hosts file resolves both your FQDN and your short hostname to your host's static IP address (not to 127.0.0.1 or 127.0.1.1, which some installers add for the hostname).
  • Your resolv.conf file lists your domain controller's IP address as the first nameserver (your default gateway may follow as a fallback) and your domain as the search domain.
  • Your clock is synchronised with NTP: Kerberos rejects requests from hosts whose clock differs from the DC's by more than five minutes.

If any of these is wrong, your domain controller will not work, and changing the hostname of a DC after provisioning is not supported by Samba, so get it right before you provision.

For more information about how to adapt your hostname, hosts file or resolv.conf file, please refer to First Boot Configuration guide.
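The checks above are easy to get subtly wrong (an installer-added "127.0.1.1 dc1" line, or the gateway listed before the DC in resolv.conf). The following script is an added example, not part of the original guide: it verifies the three conditions plus the Kerberos clock-skew bound, taking the file contents as strings so it can also be run against constructed input. The script name, addresses and domain in the usage comment are assumptions.

```python
"""Pre-provision sanity checks for a Samba AD DC host (added example)."""
import re
import socket
import sys
import time

MAX_KRB_SKEW = 300          # MIT Kerberos default clockskew, in seconds
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(hostname: str) -> bool:
    """A DC hostname needs at least two valid DNS labels, e.g. dc1.noureldin.local."""
    labels = hostname.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def hosts_entries(hosts_text: str) -> dict:
    """Map each name in an /etc/hosts file to the first address listed for it."""
    mapping = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping


def check_hosts(hosts_text: str, fqdn: str, static_ip: str) -> list:
    """Both the FQDN and the short name must map to the static address;
    installer-added lines such as '127.0.1.1 dc1' are the classic mistake."""
    entries = hosts_entries(hosts_text)
    problems = []
    for name in (fqdn, fqdn.split(".")[0]):
        found = entries.get(name.lower())
        if found is None:
            problems.append(f"hosts: {name} is not listed")
        elif found != static_ip:
            problems.append(f"hosts: {name} maps to {found}, expected {static_ip}")
    return problems


def check_resolv(resolv_text: str, dc_ip: str, domain: str) -> list:
    """The DC must be the first nameserver (it serves the AD zone); the AD
    domain must be in the search list so that short names resolve."""
    nameservers, search = [], []
    for line in resolv_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] in ("search", "domain"):
            search.extend(f.lower() for f in fields[1:])
    problems = []
    if not nameservers:
        problems.append("resolv.conf: no nameserver configured")
    elif nameservers[0] not in (dc_ip, "127.0.0.1"):
        problems.append(f"resolv.conf: first nameserver is {nameservers[0]}, expected {dc_ip}")
    if domain.lower() not in search:
        problems.append(f"resolv.conf: search list lacks {domain}")
    return problems


def check_clock(local_epoch: float, reference_epoch: float) -> list:
    """Kerberos rejects requests whose timestamp is off by more than the
    clockskew (5 minutes by default), so compare against a trusted source."""
    skew = abs(local_epoch - reference_epoch)
    return [] if skew <= MAX_KRB_SKEW else [f"clock: {skew:.0f}s off the reference, max {MAX_KRB_SKEW}s"]


def run_checks(hostname, static_ip, domain, hosts_text, resolv_text,
               local_epoch=None, reference_epoch=None) -> list:
    """Return every problem found; an empty list means safe to provision."""
    problems = [] if is_fqdn(hostname) else [f"hostname {hostname!r} is not an FQDN"]
    problems += check_hosts(hosts_text, hostname, static_ip)
    problems += check_resolv(resolv_text, static_ip, domain)
    if reference_epoch is not None:
        now = local_epoch if local_epoch is not None else time.time()
        problems += check_clock(now, reference_epoch)
    return problems


if __name__ == "__main__":
    # Usage (names are assumptions): python3 dc_preflight.py 192.168.1.10 noureldin.local
    ip, domain = sys.argv[1], sys.argv[2]
    with open("/etc/hosts") as h, open("/etc/resolv.conf") as r:
        issues = run_checks(socket.gethostname(), ip, domain, h.read(), r.read())
    print("OK: ready to provision" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

The clock check takes a reference timestamp as an argument on purpose: obtain it from your NTP source (for example the offset reported by your NTP client) rather than trusting the local clock twice.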

(Optional) If you built Samba from source, consider putting the Samba installation directories in your $PATH variable:

export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH

With that, you can use Samba binaries directly in command line during this session without needing to type the full path.

Provisioning Samba Active Directory Domain Controller

Start provisioning your domain controller (run this as root; it writes the domain database under /usr/local/samba/private):

samba-tool domain provision --use-rfc2307 --interactive

Fill out the information:

    Realm [NOURELDIN.LOCAL]: Your full DNS domain in upper case.
    Domain [NOURELDIN]: Your short (NetBIOS) domain name in upper case, normally the first label of the realm.
    Server Role (dc, member, standalone) [dc]: dc, to use Samba as a domain controller.
    DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL, to use Samba's built-in DNS server.
    DNS forwarder IP address: Your default gateway (or another upstream resolver) IP address. Whenever the internal DNS server cannot answer a query itself, i.e. for anything outside your AD zone, it forwards the query to this address.
    Administrator password: The domain Administrator password. Choose a strong one; provisioning enforces the default complexity policy and rejects weak passwords.

Samba suggests default values for provisioning; if your system is configured properly, they are usually the right choice. You may have to type your default gateway's IP address as the DNS forwarder instead of what Samba suggests.

The --use-rfc2307 parameter enables the NIS extensions, which allow central management of Unix attributes (UIDs, GIDs, login shells, home directories) inside Active Directory. Always enable it during provisioning: it has no disadvantages, and you may later find yourself in a situation where central management of Unix account and group information becomes a requirement.

Start Samba (as root; the samba binary daemonises itself, and samba -i keeps it in the foreground when you need to watch its log output):

samba

Use smbclient tool to test that Samba provides the AD DC default shares “netlogon” and “sysvol”:

smbclient -L localhost -U%

The output should look similar to this:

Domain=[NOURELDIN] OS=[Unix] Server=[Samba 4.x.y]

            Sharename       Type      Comment
            ---------       ----      -------
            netlogon        Disk
            sysvol          Disk
            IPC$            IPC       IPC Service (Samba 4.x.y)
    Domain=[NOURELDIN] OS=[Unix] Server=[Samba 4.x.y]

            Server               Comment
            ---------            -------

            Workgroup            Master
            ---------            -------

SYSVOL stores the server's copy of the domain's public files, chiefly Group Policy objects and scripts. Its content is replicated to all domain controllers of the domain (note that Samba does not replicate SYSVOL by itself; with more than one DC you have to keep it in sync with rsync or a similar tool).

NETLOGON is a subdirectory of SYSVOL whose main purpose is to store logon scripts.

To test that authentication is working, you should try to connect to the “netlogon” share, using the Domain Administrator account that was created during provisioning:

smbclient //localhost/netlogon -UAdministrator -c 'ls'

The output should look similar to this:

    Domain=[NOURELDIN] OS=[Unix] Server=[Samba 4.x.y]
     .                                   D        0  Sat Jul  5 08:40:00 2015
     ..                                  D        0  Sat Jul  5 08:40:00 2015

                   49386 blocks of size 524288. 42093 blocks available

Test that DNS is working properly, run the following commands, you should not get any error:

    host -t SRV _ldap._tcp.noureldin.local.
    host -t SRV _kerberos._udp.noureldin.local.
    host -t A dc1.noureldin.local.

If one of these tests fails, check that resolv.conf lists your DC's IP address as the first nameserver.

Configuring Kerberos

Install kerberos package:

sudo apt install krb5-user

During installation, you will be asked for some information:

    - Default Kerberos version 5 realm: Your realm in upper case (NOURELDIN.LOCAL).
    - Kerberos servers for your realm: The KDCs for the realm, i.e. your domain controller(s); the short hostname (server01) works as long as it resolves, the FQDN is the safer choice.
    - Administrative server for your Kerberos realm: The server that handles password changes; on a Samba AD DC this is the domain controller as well (server01).

Alternatively, instead of answering those prompts, use the minimal krb5.conf that provisioning generated (it relies on the DNS SRV records to locate the KDC, which is why the DNS tests above must pass):

sudo ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf

Test that you can get a Kerberos ticket for the administrator account:

kinit administrator@NOURELDIN.LOCAL

The realm (domain) must always be in UPPER CASE or it will not work.

View the received ticket by using klist command:

klist

The output should look similar to this:

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@NOURELDIN.LOCAL

    Valid starting       Expires              Service principal
    08.09.2015 14:27:45  09.09.2015 00:27:45  krbtgt/NOURELDIN.LOCAL@NOURELDIN.LOCAL
        renew until 09.09.2015 14:27:42

Now you can join any Windows PC in your LAN to the domain; the PC must use your DC as its DNS server, otherwise it cannot locate the domain.

Configuring Samba StartTLS

StartTLS upgrades a plain LDAP connection on the standard port 389 to TLS by means of an LDAP extended operation, whereas LDAPS wraps the whole connection in TLS from the first byte on port 636. Samba serves both as soon as TLS is enabled, and tls enabled = yes is the default: provisioning already generated a self-signed certificate under /usr/local/samba/private/tls, which clients have no way to verify. Because current Samba releases reject simple binds over unencrypted LDAP by default (ldap server require strong auth = yes), services that authenticate against AD with a plain LDAP bind need TLS anyway, and they can only verify the server if it presents a certificate chained to a CA they trust (ldapsearch -ZZ, which aborts unless StartTLS succeeds, is the quickest client-side check).

To achieve that, generate a server certificate for the DC (its subject or subject alternative name must be the DC's FQDN), then tell Samba about the certificate and key pair and about the CA chain file (the CA certificate followed by any intermediate CA certificates that signed the server certificate). For more information about certificates please refer to the Easy-RSA guide.

After generating the certificate, edit Samba configuration file:

sudo vim /usr/local/samba/etc/smb.conf

To tell Samba about the server certificate (cert-key pair) and the chain file, add the following directives to the [global] section of smb.conf (keep the key file readable by root only; on a DC smbd runs as root and needs no wider access):

tls enabled = yes
tls keyfile = /etc/ssl/samba.key
tls certfile = /etc/ssl/samba.crt
tls cafile = /etc/ssl/ca.crt
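To see what the two endpoints actually do, and to confirm that the certificate you configured is the one Samba presents, the following probe is an added example (not from the original guide). It builds the LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) by hand, sends it in clear on port 389, checks the ExtendedResponse, and only then wraps the same TCP connection in TLS; next to it, the LDAPS path on 636 is TLS from the first byte. Both verify the certificate chain and hostname against the CA file from the tls cafile directive. The host name and the CA path in the usage section are assumptions.

```python
"""Probe a Samba DC's LDAP TLS endpoints: StartTLS on 389 and LDAPS on 636 (added example)."""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } } (RFC 4511, 4.14)."""
    assert 0 < message_id < 0x80, "a single-octet INTEGER is enough for a probe"
    request = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + request)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos:], returning (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes):
    """Return (resultCode, diagnosticMessage); resultCode 0 means the server is ready for TLS."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msgid, pos = read_tlv(body)
    tag, result, _ = read_tlv(body, pos)
    if tag != 0x78:                              # [APPLICATION 24] ExtendedResponse
        raise ValueError(f"unexpected protocolOp tag {tag:#x}")
    _, code, pos = read_tlv(result)              # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(result, pos)  # matchedDN
    _, diag, _ = read_tlv(result, pos)           # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        data += chunk
    return data


def recv_ldap_message(sock) -> bytes:
    """Read one complete BER-framed LDAPMessage from a stream socket."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        head += recv_exact(sock, length & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + recv_exact(sock, length)


def tls_context(cafile: str) -> ssl.SSLContext:
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_starttls(host: str, cafile: str, port: int = 389):
    """Upgrade a plain LDAP connection to TLS; returns (TLS version, certificate subject)."""
    ctx = tls_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(starttls_request())
        code, diag = parse_extended_response(recv_ldap_message(raw))
        if code != 0:
            raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


def probe_ldaps(host: str, cafile: str, port: int = 636):
    """TLS from the first byte on the dedicated port; same verification."""
    ctx = tls_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "dc1.noureldin.local"  # assumption
    cafile = sys.argv[2] if len(sys.argv) > 2 else "/etc/ssl/ca.crt"     # the tls cafile path above
    print("StartTLS 389:", probe_starttls(host, cafile))
    print("LDAPS    636:", probe_ldaps(host, cafile))
```

If the StartTLS probe succeeds but the LDAPS one fails (or vice versa), the certificate is fine and the difference is in what is listening; if both fail with a verification error, the CA file does not contain the chain that signed the certificate in tls certfile.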

Sharing Folders with Custom Permissions

We are going to share a folder over the network under the name MyShare, make it readable by everyone on the LAN, but writable only by selected users from our LDAP backend (Active Directory).

Create the folder you want to share. A source install creates no samba user, so the directory is owned by root here. Keep in mind that smbd accesses files with the Unix uid/gid that winbind mapped the domain user to, so for the users in write list to actually write here, either the directory's group must be the gid of a domain group they belong to (wbinfo -n 'Domain Users' prints the group's SID and wbinfo -Y turns it into the gid; with libnss_winbind installed you can name the group in chown directly), or the ACL has to be set from a Windows client by a domain administrator:

sudo mkdir /var/shared
sudo chown root:root /var/shared
sudo chmod 775 /var/shared

Edit Samba configuration file:

sudo vim /usr/local/samba/etc/smb.conf

Add the following lines:

[MyShare]
path = /var/shared
create mask = 755
directory mask = 755
browsable = yes
guest ok = yes
read only = yes
write list = username1 username2 username3

You can use the valid users directive to make the folder readable by nobody except the listed users (a domain group can be given as @groupname):

valid users = username1 username2 username3

The share will be accessible over the network as \\<ServerAddressOrName>\MyShare, for example:

\\192.168.1.10\MyShare
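The share above is safe because guest ok is paired with read only = yes and a write list; the same guest ok next to read only = no would hand anonymous users write access. The following linter is an added example, not from the original guide: it parses smb.conf with the standard library and flags anonymous-writable shares, shares writable by every authenticated user with no valid users restriction, and create/directory masks that grant group or world write. It handles the synonyms Samba accepts (public for guest ok, writable/writeable for the inverse of read only, create mode/directory mode for the masks), taking the synonym that appears later in a section as the effective one. The sample configuration embedded at the bottom is constructed for the demo.

```python
"""Lint smb.conf share definitions for anonymous-write and permission mistakes (added example)."""
import configparser

TRUE = {"yes", "true", "1"}


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like; leading whitespace is stripped so that indented
    parameters are not mistaken for continuation lines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp


def last_of(section, names):
    """(key, value) of whichever synonym appears last in the section, or None."""
    hit = None
    for key, value in section.items():
        if key in names:
            hit = (key, value.strip().lower())
    return hit


def is_guest_ok(section) -> bool:
    hit = last_of(section, {"guest ok", "public"})
    return hit is not None and hit[1] in TRUE


def is_writable(section) -> bool:
    """Default is read only = yes; 'writable = yes' means 'read only = no'."""
    hit = last_of(section, {"read only", "writable", "writeable"})
    if hit is None:
        return False
    key, value = hit
    return value not in TRUE if key == "read only" else value in TRUE


def mask_of(section, names, default: int) -> int:
    hit = last_of(section, names)
    return int(hit[1], 8) if hit else default   # masks are octal, with or without the leading 0


def lint_share(section) -> list:
    findings = []
    guest, writable = is_guest_ok(section), is_writable(section)
    if guest and writable:
        findings.append("anonymous users can write (guest ok with read only = no)")
    if writable and "valid users" not in section:
        findings.append("every authenticated user can write; add 'valid users' or use read only + write list")
    for names, default, label in (({"create mask", "create mode"}, 0o744, "create mask"),
                                  ({"directory mask", "directory mode"}, 0o755, "directory mask")):
        mask = mask_of(section, names, default)
        if mask & 0o022:
            findings.append(f"{label} {mask:04o} grants group/world write on new entries")
    return findings


def lint_shares(text: str) -> dict:
    """Map every share name to its list of findings (empty list = nothing flagged)."""
    cp = load_smb_conf(text)
    return {name: lint_share(cp[name]) for name in cp.sections() if name != "global"}


# Constructed sample: the guide's MyShare next to a share that gets it wrong.
SAMPLE_CONF = """\
[global]
    workgroup = NOURELDIN
    realm = NOURELDIN.LOCAL
[MyShare]
    path = /var/shared
    create mask = 0755
    directory mask = 0755
    browsable = yes
    guest ok = yes
    read only = yes
    write list = username1 username2 username3
[Dropbox]
    path = /var/dropbox
    public = yes
    writable = yes
    create mask = 0777
"""

if __name__ == "__main__":
    for share, findings in lint_shares(SAMPLE_CONF).items():
        print(share, "->", findings or "ok")
```

Run it against /usr/local/samba/etc/smb.conf after every edit; testparm validates the syntax, but it does not tell you that a share is anonymously writable.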

Control Password Configuration

You can use samba-tool to control the domain password policy (e.g. password expiry, minimum length, complexity, history and account lockout). To view the current settings execute:

samba-tool domain passwordsettings show

And to see how to change a setting:

samba-tool domain passwordsettings set --help

Some Tricks

Auto Mounting Shared Folders Dynamically

Through Group Policy on your domain controller you can configure shared folders to be mapped automatically as network drives whenever a domain member logs in to Windows with an Active Directory account.

If you want to map a dynamically named folder (e.g. a folder named after the logged-in user), use one of the variables %LogonUser% or %UserName% in the drive-map preference to refer to the currently logged-in user, and I recommend specifying the exact drive letter, to avoid any possible conflicts.

This Post Has One Comment

  1. Mohamad Bustani

    good