
Samba 4 Active Directory controller with Windows 7 roaming profiles + Linux login – The complete guide
Out Of Date Warning
This article was published on 02/07/2014, this means the content may be out of date or no longer relevant.
You should verify that the technical information in this article is still up to date before relying upon it for your own purposes.
Recently, we decided to rebuild our office setup with Samba 4, which ships with the Ubuntu 14.04 packages. At pludoni, we'd like to create virtual working spaces, so that users can use every computer and have their profile synchronized. Ideally, so that you can set one password and log in to all internal company services. As different users have different requirements, the login should work across Windows PCs (I look at you, MS Office and Adobe Creative Suite), Linux workstations and the developer server. Besides this, various services, like Gitlab and Chat-server should query the same authentication database.
During the last few days, we achieved most of our goals with the setup. I want to record how we progressed with this blog post for future reference and happy Googlers :).
Definitions
In the following guide, we assume these settings:
- pdc.pludoni.com: DNS name of the machine dedicated as the Primary Domain Controller. I suggest using a virtual machine with a bridged network (forwarding the gazillion ports is kind of a hassle) or a dedicated server. Note that the Kerberos realm below is this same name, so the DC's own FQDN inside the domain becomes pdc.pdc.pludoni.com; that is the name used in the share paths later on.
- PDC: NetBIOS name of the PDC
- PDC01: workgroup name (has to differ from the NetBIOS name)
- Ubuntu 14.04 server edition for the domain controller
- Ubuntu 14.04 desktop for the Linux clients
- Windows 7 SP1 Professional for the Windows clients
Setting up the domain controller
Starting off with a fresh Ubuntu 14.04 server edition, we followed this guide:
Kerberos
apt-get install samba krb5-config libpam-smbpass nfs-kernel-server winbind
(nfs-kernel-server is only needed for the NFS home directories of the Ubuntu clients, see below.)
Configure the Kerberos client if the dialog didn't show up during installation:
dpkg-reconfigure krb5-config
Answer the questions:
- Default Kerberos Realm: PDC.PLUDONI.COM
- Kerberos servers for your realm: pdc.pludoni.com
- Administrative server for your Kerberos realm: pdc.pludoni.com
Samba
Run: samba-tool domain provision
Answer:
- Realm: PDC.PLUDONI.COM
- Domain: PDC01
- Role: <Enter> (dc)
- DNS Backend: <Enter> (SAMBA_INTERNAL)
- DNS Forwarder: <Enter your DNS server's IP>
- Admin password (hereafter referenced as PASSWORD)
Then reboot and raise the domain and forest functional levels:
samba-tool domain level raise --domain-level 2008_R2 --forest-level 2008_R2
Password settings, adjust as necessary:
samba-tool domain passwordsettings set --complexity=off --min-pwd-length=6 --max-pwd-age=0
This switches off the complexity check and password expiry and allows six-character passwords. It is convenient in a small office where everybody is trusted, but it is a deliberate weakening of the defaults (complexity on, minimum length 7, 42-day maximum age); keep the defaults on any domain where that is not the case.
After that, edit /etc/samba/smb.conf and add the [profiles] section. Increasing the log level might also be helpful for debugging if there are problems later on. Comments in smb.conf have to start a line; a # after a value becomes part of the value, so keep them on their own lines as below.
# Global parameters
[global]
workgroup = PDC01
realm = PDC.PLUDONI.COM
netbios name = PDC
server role = active directory domain controller
dns forwarder = <your DNS server's IP>
# Might want to add this while debugging; 3 is already chatty, go back to 1 afterwards
log level = 3
[netlogon]
path = /var/lib/samba/sysvol/pdc.pludoni.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
# ADD this share for the Windows roaming profiles. It does not have to live
# inside sysvol; a path such as /srv/samba/profiles keeps user data apart from
# the domain's policy data.
[profiles]
path = /var/lib/samba/sysvol/pdc.pludoni.com/profiles
read only = no
After a fresh reboot, that's it for the PDC! :) That didn't hurt, did it?
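The whole provisioning step as one script, added here as an example; it is not the post's own code (the post did everything interactively). It uses the realm, workgroup and NetBIOS names from the Definitions section, passes the answers as flags instead of typing them, and then runs the checks worth doing before the first client joins: the functional level, the SRV records the clients will look up, the share list and a Kerberos ticket for Administrator. The forwarder address 192.168.2.1, the smb.conf.dist backup name and the `--use-rfc2307` flag (which only adds the POSIX schema attributes) are assumptions of this example. Run it as root on the fresh server.

```shell
#!/bin/bash
# Added example (not the post's own code): provision the DC described in this
# guide non-interactively, then verify it. Run as root on the fresh server.
set -eu

REALM="PDC.PLUDONI.COM"                 # Kerberos realm (Definitions section)
DOMAIN="PDC01"                          # NetBIOS workgroup name
NETBIOS="PDC"                           # NetBIOS name of this host
FORWARDER="${FORWARDER:-192.168.2.1}"   # assumption: your upstream resolver

# The constraints the provisioning step relies on: workgroup and NetBIOS name
# must differ, NetBIOS names are at most 15 characters, the realm is a DNS name.
check_names() {
  local realm="$1" domain="$2" netbios="$3"
  if [ "$domain" = "$netbios" ]; then
    echo "workgroup ($domain) must differ from the netbios name" >&2
    return 1
  fi
  if [ "${#domain}" -gt 15 ] || [ "${#netbios}" -gt 15 ]; then
    echo "NetBIOS names are limited to 15 characters" >&2
    return 1
  fi
  case "$realm" in
    *.*) return 0 ;;
    *)   echo "realm must be a DNS domain such as PDC.PLUDONI.COM" >&2; return 1 ;;
  esac
}

provision_dc() {
  check_names "$REALM" "$DOMAIN" "$NETBIOS"
  stty -echo; printf 'Administrator password: '; read -r adminpass; stty echo; echo
  # The package ships a classic smb.conf; provision aborts if an existing file
  # disagrees with the values below, so move it aside (backup name is ours).
  if [ -f /etc/samba/smb.conf ]; then
    mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
  fi
  # --adminpass is visible in ps while this runs; acceptable on a box nobody
  # else can log into yet. --use-rfc2307 adds the POSIX attributes (uidNumber
  # etc.) Linux clients can use; it is our addition, the post did not use it.
  samba-tool domain provision \
    --use-rfc2307 \
    --realm="$REALM" --domain="$DOMAIN" --host-name="$NETBIOS" \
    --server-role=dc --dns-backend=SAMBA_INTERNAL \
    --option="dns forwarder = $FORWARDER" \
    --adminpass="$adminpass"
  # provision writes a krb5.conf matching the new realm; use it system-wide
  cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
  samba-tool domain level raise --domain-level 2008_R2 --forest-level 2008_R2
  echo "provisioned; reboot, then run: $0 verify"
}

# What to check before joining the first client.
verify_dc() {
  samba-tool domain level show
  # Clients locate the DC through these SRV records, served by Samba's own DNS
  host -t SRV "_ldap._tcp.$REALM" localhost
  host -t SRV "_kerberos._udp.$REALM" localhost
  host -t A "$NETBIOS.$REALM" localhost
  # Expect netlogon and sysvol here (and profiles once that share is added)
  smbclient -L localhost -N
  # A ticket proves that KDC, DNS and the clock agree end to end
  kinit "Administrator@$REALM" && klist
}

case "${1:-}" in
  provision) provision_dc ;;
  verify)    verify_dc ;;
  *)         echo "usage: $0 provision|verify" >&2 ;;
esac
```

`check_names` enforces the naming rules from the Definitions section before anything is written to disk; `verify` is meant to be run after the reboot, and a failing `kinit` at that point almost always means DNS or clock trouble, which is exactly what breaks the client joins later.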
Optional: NFS-exports
Windows has its roaming profiles. To achieve something similar for the Linux workstations, we just mount a home folder via NFS. As we installed nfs-kernel-server, we added an /etc/exports entry so the clients can mount the folder:
# /etc/exports
"/ubuntu-homes/" 192.168.2.0/255.255.255.0(rw,async,no_root_squash,insecure)
Don't forget to mkdir /ubuntu-homes && service nfs-kernel-server restart afterwards.
A word on those options: this is NFSv3 with AUTH_SYS, so the server believes whatever UID a client presents, and no_root_squash additionally lets root on any machine in 192.168.2.0/24 act as root on the export, i.e. read every user's home. insecure accepts requests from unprivileged source ports (so any local user on a client can talk to the server directly), and async lets the server acknowledge writes before they reach the disk. On a trusted office LAN that is a conscious trade-off; anywhere else keep the defaults (root_squash, sync, secure) and, if the homes matter, look at Kerberos-authenticated NFS.
Setting up Windows clients with roaming profiles
After fiddling around, we successfully applied the following procedure to several clients:
- Install Windows on a client, if not already done
- Add registry entries in regedit.exe:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
DomainCompatibilityMode = 1 (dword)
DNSNameResolutionRequired = 0 (dword)
- Make sure the DNS server in your network settings is the PDC's IP; the client finds the domain controller through the SRV records that only the Samba DNS serves
- Make sure the clock is in sync with the PDC. Kerberos rejects authentication once the skew exceeds the default tolerance of five minutes, so the join and the login fail if the difference is too large
- Join the domain:
  - Right click on My Computer in the start menu
  - Click "Change Settings" at the bottom right
  - Click "Change"
  - Check "Member of" Domain and enter pdc.pludoni.com, OK
  - A login prompt appears; use Administrator, PASSWORD
- You should be able to join the domain. If it didn't work, check the DNS settings first and then consult the Samba log on the PDC (/var/log/samba/log.*)
- Reboot.
Repeat these steps for every additional Windows PC.
Initial Samba profile setup (once)
- Try to reach the Samba shares via Explorer: \\pdc.pdc.pludoni.com\
- You should be able to change the settings of the Profiles folder (Security tab) and set the permissions so that roaming works. Give each user Full Control over his or her own {username}.V2 folder only (plus SYSTEM and Administrators); don't hand Everyone full control of the profiles root, or every user can read every other user's profile
- Inside profiles, create a folder named after the user + '.V2' for each user, like {username}.V2, e.g. stefan.V2 (Windows 7 appends the .V2 suffix to the profile path itself, so the path configured below doesn't contain it)
- Download the Microsoft Remote Server Administration Tools: http://www.microsoft.com/en-us/download/details.aspx?id=7887
- Install it (takes a long time), and activate it (from the MS site):
  - In the Programs and Features area, click Turn Windows features on or off.
  - If you are prompted by User Account Control to enable the Windows Features dialog box to open, click Continue.
  - In the Windows Features dialog box, expand Remote Server Administration Tools.
  - Select the remote management tools that you want to install.
- Run Active Directory Users and Computers and create your users in the Users container. Don't forget to add an e-mail address if you want to log in to Gitlab (and other services that require that field).
- Don't forget to add a profile path on the Profile tab, to make use of roaming profiles, e.g.: \\pdc.pdc.pludoni.com\profiles\%USERNAME% (USERNAME is replaced by the interface)
Done with Windows! Log out and log in with another user to check that roaming profiles work.
Setting up Ubuntu desktop clients
Using Samba and not LDAP as the primary authentication backend was a little tricky. After several tries we went with PBIS (formerly known as Likewise-open), which had a really easy setup. Summary of the original guide, for future reference in case the site goes offline (the installer is fetched over plain HTTP and then run as root, so verify the download before executing it):
cd ~
wget http://download.beyondtrust.com/PBISO/8.0.1/linux.deb.x64/pbis-open-8.0.1.2029.linux.x86_64.deb.sh
chmod +x pbis-open-8.0.1.2029.linux.x86_64.deb.sh
sudo ./pbis-open-8.0.1.2029.linux.x86_64.deb.sh
# Answer questions (no, yes)
sudo /opt/pbis/bin/domainjoin-cli join --disable ssh pdc.pludoni.com Administrator
# type Administrator Password
# wait for SUCCESS
sudo /opt/pbis/bin/config UserDomainPrefix PDC01
sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
sudo /opt/pbis/bin/config HomeDirTemplate %H/local/%D/%U
Change one setting in /etc/pam.d/common-session:
sudo vi /etc/pam.d/common-session
# Find the line that states the following:
# session sufficient pam_lsass.so
# Replace it with:
# session [success=ok default=ignore] pam_lsass.so
Activate manual login for the login screen (LightDM):
# sudo vi /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf
allow-guest=false
greeter-show-manual-login=true
We had some problems with the greeter. If it doesn't work, create a new file under /usr/share/lightdm/lightdm.conf.d/99-custom.conf with the same settings.
Allow "Domain Admins" to use sudo via /etc/sudoers.d/samba. Make sure the file has mode 0440 (chmod 0440 /etc/sudoers.d/samba), as sudo expects. PBIS writes the space in the group name as ^:
%domain^admins ALL=(ALL) ALL
Keep in mind what this grants: every member of Domain Admins is root on every workstation, so the group should stay small, and those accounts should not be used for everyday logins on the clients.
We also wanted a kind of roaming profile with Ubuntu, but eventually decided to keep the two separate: mixing them results in a folder mess and long Windows login/logout times, as Windows has to sync the whole directory. PBIS doesn't help with that requirement. After fiddling a little with Samba clients, we ran into problems with the permission systems, so we decided to go the easy route: just mount a folder with all the profiles via NFS at boot time, using fstab:
pdc.pludoni.com:/ubuntu-homes /home/local/PDC01 nfs rw 0 0
Initial mount: mkdir -p /home/local/PDC01 && mount /home/local/PDC01
This only works because the UIDs are identical on every workstation: PBIS derives UID and GID from the account's SID, so stefan has the same UID everywhere and NFS, which simply trusts the UID the client sends, maps his files correctly. Adding nosuid,nodev to the mount options costs nothing on a home directory share.
Warning if using dual boot
If you plan to run Windows and Ubuntu alongside each other on a single machine, make sure to tell Ubuntu to keep the hardware clock in local time. Otherwise Windows, which reads the hardware clock as local time, ends up off by your UTC offset, and the Samba login fails because Kerberos rejects requests whose clock differs from the DC's by more than the default five minutes. One way to fix it:
# add this line in /etc/default/rcS
UTC=no
After the reboot, check that the output of date matches hwclock -r. If it is still in the wrong timezone, running ntpdate -u ntp.ubuntu.com && hwclock -w might help.
Bonus feature: Provide a file bookmark to the Windows roaming profile
New users get a home folder created from /etc/skel on the workstations, so anything placed there is applied once for every new user.
mkdir -p /etc/skel/.config/autostart
vim /etc/skel/.config/autostart/mount_windows.desktop
[Desktop Entry]
Type=Application
Exec=/usr/local/bin/mount_windows
Hidden=false
NoDisplay=false
X-GNOME-Autostart-enabled=true
Name[de_DE]=Automount windows
Name=Automount windows
Comment[de_DE]=
Comment=
And create an executable file under /usr/local/bin/mount_windows (chmod +x it):
#!/bin/bash
# Started by the autostart entry above; give the session a moment to settle
sleep 5
# Write into the user's home explicitly; the working directory of an
# autostart entry is not guaranteed to be $HOME
mkdir -p "$HOME/.config/gtk-3.0"
cat > "$HOME/.config/gtk-3.0/bookmarks" <<EOF
file://$HOME/Dokumente
file://$HOME/Musik
file://$HOME/Bilder
file://$HOME/Videos
file://$HOME/Downloads
smb://pdc.pdc.pludoni.com/profiles/$USER.V2 Windows-Profil on pdc
EOF
This resets the user's bookmarks to the defaults (German folder names here!) plus the Samba share on every login. Adjust to your needs :). You can put apps into the autostart for each user the same way (e.g. a chat app or time tracker).
Connecting various services via LDAP
Besides using Samba for authentication, you can use plain LDAP to connect different services, e.g. ejabberd, Gitlab, Jenkins, bug tracker, CRM, ...
The command ldapsearch helps to find out the necessary fields and filters:
ldapsearch -h pdc.pludoni.com -D 'cn=Administrator,cn=Users,dc=pdc,dc=pludoni,dc=com' -x -W -b 'cn=Users,dc=pdc,dc=pludoni,dc=com' '(objectClass=person)'
Be aware of what this does: -x -W is a simple bind, and -h with the default port 389 sends the Administrator password in clear text over the wire. That is fine for a one-off query on the DC itself; from anywhere else use -H ldaps://pdc.pludoni.com (Samba serves LDAPS on 636 with a self-signed certificate it generates at provision time) and a less privileged account.
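A safer version of that lookup, added as an example and not taken from the original post: it binds over LDAPS, uses a dedicated read-only account instead of Administrator (svc-ldap is an assumed name, created with samba-tool user create), and escapes the username per RFC 4515 before it goes into the sAMAccountName filter that Gitlab, ejabberd, Errbit and Jenkins below all rely on. The escaping matters as soon as a username comes from a login form: without it, `*)(objectClass=*` matches every account instead of one.

```shell
#!/bin/bash
# Added example (not the post's own code): look a user up in the Samba AD the
# way a service should, over LDAPS, with a dedicated read-only bind account
# and with the untrusted username escaped before it enters the filter.
set -eu

LDAP_URI="ldaps://pdc.pludoni.com"            # Samba serves LDAPS (636) with a self-signed cert from provision time
BASE_DN="cn=Users,dc=pdc,dc=pludoni,dc=com"   # same search base as the service configs
# Assumption: a low-privilege account made for service binds, e.g.
#   samba-tool user create svc-ldap
# The name is ours; the post binds as Administrator.
BIND_DN="${BIND_DN:-cn=svc-ldap,cn=Users,dc=pdc,dc=pludoni,dc=com}"

# RFC 4515 escaping for a value inside a filter: backslash first, then the
# three filter metacharacters. Without it a "username" such as  *)(objectClass=*
# turns the per-user lookup into a match-everything query.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                         -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g'  \
                         -e 's/)/\\29/g'
}

# The filter the services in this guide use (sAMAccountName) plus the
# objectClass guard, built from an untrusted username.
user_filter() {
  printf '(&(objectClass=person)(sAMAccountName=%s))' "$(ldap_escape "$1")"
}

# -W prompts for the bind password, so it is in neither argv nor history.
# ldapsearch checks the server certificate against TLS_CACERT from
# /etc/ldap/ldap.conf; point that at the DC's /var/lib/samba/private/tls/ca.pem,
# otherwise the bind fails closed rather than falling back to plaintext.
lookup_user() {
  ldapsearch -H "$LDAP_URI" -D "$BIND_DN" -W -b "$BASE_DN" -LLL \
    "$(user_filter "$1")" sAMAccountName mail memberOf
}

if [ $# -gt 0 ]; then
  lookup_user "$1"
else
  echo "usage: $0 <username>" >&2
fi
```

The same two ideas carry over to the service configs that follow: bind as the service account rather than Administrator, and talk to port 636 (or StartTLS on 389) instead of plain 389. The services escape their own filters, but any glue code you write yourself needs the equivalent of `ldap_escape`.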
For opportunistic Googlers and future reference, here are the configurations for some services we use:
Gitlab
Gitlab needs an e-mail address for each user. Make sure it is set in Active Directory Users and Computers.
# Gitlab gitlab.yml
host: 'pdc.pludoni.com'
base: 'cn=Users,dc=pdc,dc=pludoni,dc=com'
port: 389
uid: 'samaccountname'
method: 'plain'
bind_dn: 'cn=Administrator,cn=Users,dc=pdc,dc=pludoni,dc=com'
password: 'PASSWORD'
ejabberd
# ejabberd.cfg
{auth_method, ldap}.
{ldap_servers, ["pdc.pludoni.com"]}.
{ldap_encrypt, none}.
{ldap_port, 389}.
{ldap_rootdn, "cn=Administrator,cn=Users,dc=pdc,dc=pludoni,dc=com"}.
{ldap_password, "PASSWORD"}.
{ldap_base, "cn=Users,dc=pdc,dc=pludoni,dc=com"}.
{ldap_uids, [{"sAMAccountName", "%u"}]}.
{ldap_filter, "(objectClass=person)"}.
Errbit
# Errbit error tracking
production:
host: pdc.pludoni.com
port: 389
attribute: sAMAccountName
base: cn=Users,dc=pdc,dc=pludoni,dc=com
admin_user: cn=Administrator,cn=Users,dc=pdc,dc=pludoni,dc=com
admin_password: 'PASSWORD'
# group_base:
ssl: false
uid: "sAMAccountName"
Jenkins
- Server: pdc.pludoni.com
- Root DN: dc=pdc,dc=pludoni,dc=com
- User search base: cn=Users
- User search filter: samaccountname={0}
- Group search base: (empty)
- Manager DN: cn=Administrator,cn=Users,dc=pdc,dc=pludoni,dc=com
Troubleshooting
If login or joining the domain doesn't work:
- Make sure DNS works: nslookup pdc.pludoni.com has a meaningful result, and on a client the configured DNS server is the PDC, because the SRV records for the domain only exist there
- Check the clocks (Kerberos tolerates five minutes of skew by default)
- Make sure the profile folders are accessible via Samba (e.g. on Windows just enter \\pdc.pdc.pludoni.com\profiles\); you might also want to check the Windows access rights again
- Check the PDC logs (tail -f /var/log/samba/log.samba and tail -f /var/log/samba/log.smbd)
Possible improvements
Add security. If you don't trust your users very much, enable LDAP encryption (LDAPS on 636 is already there, the services above just don't use it), think about Samba access rules, and create a read-only service account for the LDAP binds instead of putting the Administrator password into every service's config file, where anyone who can read that file effectively owns the domain.
In future, we'd like to add more things:
- Configure the e-mail server to use LDAP (maybe using Zarafa)
- Add (Open)VPN to enable remote login
- Think about regular backups of the roaming profiles and NFS homes
This guide was developed from sweat and tears by my colleague Akos Toth and me.