Ubuntu 16.04: Windows Authentication for Samba File Sharing

These instructions turn an Ubuntu 16.04 installation into a Samba file server joined to a Windows domain, so that domain users can log in with their domain credentials.  Specifically:

  • Use Kerberos to join the system to a domain (via Samba's net ads join)
  • Use Kerberos to authenticate domain users and groups, with winbind mapping them to Unix accounts
  • Use Samba to provide file shares
  • Use Samba + Kerberos to restrict a file share to a domain group

Other notes:

  • You can use either Ubuntu Desktop or Server for this. Be advised that the Desktop version uses more RAM and CPU time to keep the GUI running than the Server version does.
  • I have not thoroughly vetted this for security vulnerabilities. These instructions do not include server hardening.
  • I include “sudo” at the beginning of each command, because I’m assuming that you just set up the Ubuntu machine and have a local user with sudo rights. If you are running as root, you can disregard the sudo.
  • There is no warranty, expressed or implied, regarding these instructions. Use at your own risk.
  1. Gather your information together. You will need to know:
    1. Domain name for your Windows domain. It doesn’t matter if you have a Windows or Samba domain controller. You will need both the full name and the short name. For these examples, I will be using the domain name widgets.local, and the short name widgets. When users log in to their Windows desktops, they see Domain: WIDGETS.
    2. Domain Controllers (DCs) for your Windows domain. For this example, I will be using 2 domain controllers, dc1.widgets.local and dc2.widgets.local. Your domain controllers should be running DNS and be configured correctly.
    3. IP addresses of your Domain Controllers. They should be static IPs. If they are not, make them static IPs.
    4. The IP address you wish to use for this server. Make your life easy, and give it a static IP address.
    5. Credentials for a domain account allowed to join computers to the domain. The examples use the domain Administrator, but any account that has been delegated the right to create computer objects will do, which avoids typing a Domain Admin password on the new server.
    6. Make sure that forward and reverse DNS are properly configured for the new Ubuntu machine.
    7. Hostname for your new machine. I’m using fs1.widgets.local / fs1 as my hostname. Replace accordingly.
  2. Install Ubuntu 16.04. (This guide will likely work for Ubuntu 15 as well)
  3. Install the OpenSSH server (optional). Working from another machine over ssh makes it much easier to copy/paste the commands and configuration below.
  4. Stop the local stub resolver from sitting in front of DNS. Kerberos and Samba locate the domain through DNS SRV records, so the server must send its queries directly to the DCs; with a local dnsmasq or other forwarder in the way it gets very confused.
    1. Check /etc/resolv.conf with your favorite editor.
      1. You should have a nameserver entry for each DC and a search entry for your domain, like this:

      2. Replace the placeholder addresses with the IP addresses of your DCs. If you have more than 2 DCs, just add more lines.
      3. Replace widgets.local with your full domain name.
      4. On 16.04, /etc/resolv.conf is generated by resolvconf, so a direct edit is lost on the next network change or reboot. Put the nameserver and search values in /etc/network/interfaces (dns-nameservers / dns-search) or in /etc/resolvconf/resolv.conf.d/head, run resolvconf -u, and confirm the file now lists only the DCs.
  5. Edit your hosts file. The hosts file Ubuntu creates at install time maps the hostname to 127.0.1.1, which is useless to Kerberos / Samba for authentication: the fully qualified name must resolve to the machine's real static IP, and it must be listed before the short name.
    1. Your hosts file should look something like this:
    2. Replace fs1 / fs1.widgets.local with your hostname / domain, and the address with the static IP you chose for this server.
  6. Install ntp. Kerberos rejects tickets when the client and DC clocks differ by more than the permitted skew (5 minutes by default), so the file server must keep time with the domain.
  7. Configure ntp. Edit /etc/ntp.conf with your favorite editor.
    1. Comment out the “pool” lines, so the server takes its time only from the domain.
    2. For each DC, add a “server” line like this:
  8. Add necessary packages for samba, kerberos, winbind, etc:

    1. The Kerberos package will prompt you for your default realm. Enter your full domain name in ALL CAPS: WIDGETS.LOCAL. Realm names are case-sensitive, and a lower-case realm is the most common reason the later kinit test fails.
  9. Edit /etc/krb5.conf with your favorite editor.
    1. Delete the contents, unless you’re with an institution whose domain controller information is already in there. If you’re with that institution, why are you reading my guide? They probably have a script to do this!
    2. Add the following code, replacing WIDGETS.LOCAL, dc1.widgets.local, etc with your own servers:
    3. I have only included one domain controller in my example. To use multiple domain controllers, duplicate the kdc and admin_server lines for each additional DC.
  10. Let’s test by requesting a Kerberos ticket:

    Replace Administrator with the domain account you’re using to join it to the domain. If it works, you should see no output after entering the password; a wrong realm name, a DNS problem or clock skew shows up here as an error. Running klist afterwards shows the ticket you just obtained.
  11. Edit /etc/samba/smb.conf
    1. Here is my example. I hard-coded the IP of my DC with a “password server” line, but that’s not a great idea: it bypasses DNS-based DC discovery, so authentication stops working whenever that one DC is down. Try it without the “password server” line first.
  12. Restart Samba and Winbind services after changing the smb.conf file:
  13. Test out authentication:
  14. Everything OK so far? Join it to the domain:

    1. Replace Administrator with the domain account you are using to join. It will ask you for the password for this login. The account needs the right to create the computer object for this server; full Domain Admin rights are not required.
  15. Restart winbind:
  16. Test it out.
    1. Grab a list of users:
    2. Grab a list of groups:
  17. If you don’t have any errors yet, great! Now it’s time to share a folder over Samba.
    1. This guide assumes that Samba is going to take care of the permissions when sharing this folder, and that all the folders underneath it are shared the same way. There are a lot of resources that can help you set up individual folder and file permissions, but this one focuses on a dead simple single folder / single group.
    2. Create the folder to share (if you haven’t already).
    3. Make sure the folder is writable by the users who will reach it through Samba. A world-writable (777) folder works, but it is then also writable by every local account and service on the server; the safer choice is to give the folder to the domain group (chgrp plus the setgid bit on the directory) and let the share's force group / create mask settings handle files created through the share.
    4. Edit /etc/samba/smb.conf and add this entry to the bottom. I have named my share “images” and am using the domain group called “image editors”. Change accordingly. The path is the path to the folder you just created.
    5. Restart samba.
    6. Test! Any user in that group should be able to create / modify / delete files and folders within that share, and a domain user who is not in the group should be refused access.