Post #2 How To Install and Manage SAMBA Active Directory in Ubuntu Linux Server 22.04
Important for Linux System Administrators and Network Engineers
Topics Covered :
1. Installing Samba as AD-DC
2. Testing name resolution (DNS)
3. Joining a Windows 10 client to the domain
4. Installing Microsoft RSAT to manage AD
5. Creating users in AD
6. Mapped drives for AD users via Group Policy
7. Installing software using GPO and MSI packages
Installing Samba as AD-DC
first, we need to give the server an identity: a hostname that other computers can resolve, and a static IP address.
make sure the machine's hostname is homeserver (check with hostnamectl) and map it to the server's LAN address in /etc/hosts :
$ sudo vi /etc/hosts
127.0.0.1 localhost
192.168.1.69 homeserver.home.com homeserver
(if the Ubuntu installer added a "127.0.1.1 homeserver" line, remove it. otherwise the DC's own name resolves to loopback instead of its LAN address, which samba's DNS and Kerberos setup will trip over.)
give it a static IP address :
$ sudo vi /etc/netplan/00-installer-config.yaml
network:
  version: 2
  ethernets:
    enp0s3:
      dhcp4: false
      addresses: [192.168.1.69/24]
      routes:
        - to: default
          via: 192.168.1.1
      nameservers:
        addresses: [192.168.1.69, 8.8.8.8]
(gateway4: 192.168.1.1 still works on 22.04 but netplan reports it as deprecated; the routes form above is the replacement. 8.8.8.8 is only listed so apt can resolve names before samba is up. once the DC is provisioned it must use itself as resolver, which /etc/resolv.conf takes care of below.)
$ sudo netplan apply
(beware! if you are connected to the machine over SSH, the session drops as the server switches to its static address. reconnect using the new IP.)
also, reboot the server once so the hostname and address changes take effect everywhere.
$ ssh homeserver@192.168.1.69
Installing SAMBA as AD-DC :
the rest of this section runs as root. this guide sets a root password and uses su; sudo -i gives the same root shell without enabling the root account, which is the safer choice on a server.
$ sudo passwd root
su
(enter your password)
then continue :
apt install -y samba winbind krb5-config smbclient dnsutils net-tools
(dnsutils provides host and dig for DNS checks, net-tools provides netstat.)
the krb5-config package asks for the Kerberos settings. the realm is the DNS domain in upper case, and it must be the same value you give samba-tool during provisioning below :
Default Kerberos realm : HOME.COM
Kerberos servers for your realm : homeserver.home.com (the fully qualified domain name of this server)
Administrative server for your Kerberos realm : homeserver.home.com
(samba generates its own krb5.conf during provisioning, which we copy over this one in a moment, so these answers only need to be consistent with what follows.)
after the installation finishes, move the package's default smb.conf out of the way; samba-tool writes a fresh one during provisioning and will not provision over the existing file :
mv /etc/samba/smb.conf /etc/samba/smb.conf.original
now set up the samba provision. --use-rfc2307 adds the POSIX attributes (uidNumber/gidNumber) to the schema, which you want if Linux machines will ever authenticate against this AD :
samba-tool domain provision --use-rfc2307 --interactive
Realm : HOME.COM
Domain : HOME
Server Role : dc
DNS backend : SAMBA_INTERNAL
DNS forwarder IP address : 8.8.8.8
Administrator password : (choose a strong one. samba enforces complexity by default, and this is the password you use to join the Windows client later.)
(the forwarder is where the DC's internal DNS sends queries it is not authoritative for, such as google.com. 8.8.8.8 works; an internal resolver is fine too.)
next, copy the krb5.conf that provisioning generated from samba's private directory over the one in /etc :
cp /var/lib/samba/private/krb5.conf /etc/
now disable the services we do not need. on an AD DC the samba process starts smbd, nmbd and winbind itself, and systemd-resolved has to go because the DC must be its own resolver :
systemctl disable --now smbd nmbd winbind systemd-resolved.service
/etc/resolv.conf is a symlink into systemd-resolved's runtime directory, so remove the symlink and write a real file that points at the DC :
rm /etc/resolv.conf
vim /etc/resolv.conf
nameserver 192.168.1.69
options edns0 trust-ad
search home.com
(only the DC itself goes in here. a second, external nameserver would be tried whenever the first is slow to answer, cannot resolve the domain's SRV records, and causes intermittent failures.)
next, unmask the samba-ad-dc unit. the package ships it masked because it conflicts with the standalone smbd/nmbd/winbind units we just disabled :
systemctl unmask samba-ad-dc.service
systemctl enable --now samba-ad-dc.service
check that samba is listening. you should see the samba process on the AD ports (53, 88, 135, 389, 445, 464, 636, 3268, 3269) and smbd on 139 and 445 :
netstat -antp | egrep 'smbd|samba'
if nothing is listening, look at journalctl -u samba-ad-dc and restart the server.
check name resolution and forwarding :
ping homeserver.home.com
ping google.com
the first ping shows the DC resolves its own name through its internal DNS, the second shows the forwarder works. at this point the AD service is running, names resolve to addresses and the server can reach the network.
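the ping tests above only prove that A records resolve. what a Windows client actually needs from the DC are the SRV locator records and a working Kerberos KDC, so here is a small check script added to this guide (it is not part of the original post and not a Samba-provided tool) that verifies those after provisioning. it assumes the names used throughout (realm HOME.COM, domain home.com, DC homeserver.home.com, all overridable through environment variables) and that krb5-user is installed for kinit and klist. set RUN_DC_CHECKS=1 to run the live checks; the parsing helpers work without a network.

```shell
#!/bin/sh
# Added example for this guide: post-provision checks for a Samba AD DC.
# Assumptions (not from the original post): realm HOME.COM, DNS domain
# home.com, DC homeserver.home.com; krb5-user installed for kinit/klist.
REALM="${REALM:-HOME.COM}"
DOMAIN="${DOMAIN:-home.com}"
DC_FQDN="${DC_FQDN:-homeserver.home.com}"

# first_line: `host` may print several answers; we only inspect the first.
first_line() { printf '%s\n' "$1" | head -n 1; }

# srv_target: target host from one line of `host -t SRV` output, e.g.
#   "_ldap._tcp.home.com has SRV record 0 100 389 homeserver.home.com."
# -> "homeserver.home.com" (trailing dot removed). Returns 1 for any
# other output (NXDOMAIN, errors), so callers can rely on the status.
srv_target() {
    local line target
    line=$(first_line "$1")
    case "$line" in
        *"has SRV record"*) ;;
        *) return 1 ;;
    esac
    target="${line##* }"          # last whitespace-separated field
    printf '%s\n' "${target%.}"   # strip the trailing dot
}

# srv_port: the port field of the same line (the line ends with
# <priority> <weight> <port> <target>).
srv_port() {
    local line
    line=$(first_line "$1")
    case "$line" in
        *"has SRV record"*) ;;
        *) return 1 ;;
    esac
    # shellcheck disable=SC2086 -- word splitting is the point here
    set -- $line
    [ "$#" -ge 4 ] || return 1
    shift $(( $# - 2 ))           # leaves "<port> <target>"
    printf '%s\n' "$1"
}

# check_srv NAME PORT: query one locator record and confirm it points at
# this DC on the expected port.
check_srv() {
    local name="$1" want_port="$2" out target port
    if ! out=$(host -t SRV "$name" 2>&1); then
        echo "FAIL $name: $out"; return 1
    fi
    if ! target=$(srv_target "$out") || ! port=$(srv_port "$out"); then
        echo "FAIL $name: unexpected answer: $(first_line "$out")"; return 1
    fi
    if [ "$target" = "$DC_FQDN" ] && [ "$port" = "$want_port" ]; then
        echo "ok   $name -> $target:$port"
    else
        echo "FAIL $name -> $target:$port (wanted $DC_FQDN:$want_port)"; return 1
    fi
}

# run_checks: the live tests. Exit status is non-zero if anything failed.
run_checks() {
    local rc=0
    # Records a Windows client uses to find the DC for LDAP and Kerberos.
    check_srv "_ldap._tcp.$DOMAIN" 389 || rc=1
    check_srv "_kerberos._tcp.$DOMAIN" 88 || rc=1
    check_srv "_ldap._tcp.dc._msdcs.$DOMAIN" 389 || rc=1
    # Kerberos: get a TGT for Administrator (prompts for the password).
    if kinit "administrator@$REALM" && klist >/dev/null 2>&1; then
        echo "ok   kerberos ticket for administrator@$REALM"
    else
        echo "FAIL kinit administrator@$REALM"; rc=1
    fi
    # Use the ticket for an SMB share listing; no password prompt if it worked.
    if smbclient -L "$DC_FQDN" --use-kerberos=required >/dev/null 2>&1; then
        echo "ok   smb share listing on $DC_FQDN with kerberos"
    else
        echo "FAIL smbclient -L $DC_FQDN with kerberos"; rc=1
    fi
    # Consistency check of the AD database itself.
    if samba-tool dbcheck >/dev/null 2>&1; then
        echo "ok   samba-tool dbcheck"
    else
        echo "FAIL samba-tool dbcheck (run it by hand to see the errors)"; rc=1
    fi
    return "$rc"
}

if [ "${RUN_DC_CHECKS:-0}" = 1 ]; then
    run_checks
fi
```

run it on the DC as RUN_DC_CHECKS=1 sh dc-checks.sh. a FAIL on the _msdcs record with the others passing usually means the DC's name resolves to 127.0.1.1 from /etc/hosts; a kinit failure with the SRV records fine points at the copied krb5.conf or a clock skew between client and DC.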
Now at this point, you have to open up a Windows client machine. (Let's say Windows 10)
Setup static IP and DNS :
Right click windows button > network connections > change adapter settings > change the settings of the current adapter
ipv4 >
static ip : 192.168.1.70
subnet mask : 255.255.255.0
gateway : 192.168.1.1
dns >
preferred : 192.168.1.69
alternate : (leave empty, or a second DC if you have one)
(do not put 8.8.8.8 here. a domain member that falls back to a public resolver cannot find the domain's SRV records, so logons and group policy fail at random whenever the DC is slow to answer. external names are resolved through the DC's forwarder anyway.)
now, check that the windows client can resolve the hostname of the ubuntu server :
cmd >
ping homeserver.home.com
got replies? good. the domain join below also needs the DC locator records, so a stronger test is nslookup -type=SRV _ldap._tcp.home.com, which must return homeserver.home.com on port 389.
go to : right click on 'This PC' > Properties > Advanced system settings > Computer Name > Change >
give the computer a new name, for example : computer01
Member of > Domain :
home.com
username : administrator
password : (the Administrator password you chose while provisioning the DC on ubuntu)
you get a message saying 'Welcome to the home.com domain'.
restart the client computer.
install the RSAT tools on the windows client. on Windows 10 1809 and later they are an optional feature (Settings > Apps > Optional features > Add a feature: "RSAT: Active Directory Domain Services and Lightweight Directory Services Tools", "RSAT: DNS Server Tools", "RSAT: Group Policy Management Tools") rather than a separate download.
reboot the client and log on with the domain Administrator account (HOME\administrator) for the management steps that follow.
Setup Microsoft MMC for Remote System Management :
win + r
mmc (press enter)
File > Add/Remove Snap-in >
add :
Active Directory Users and Computers
Computer Management
> another computer > browse >
enter the object name to select : homeserver
click Check Names
click OK
finish
add : DNS
Group Policy Management
Default Domain Controllers Policy
finally click OK
File > Save As > save it on the desktop > name it "home_mmc"
now, expand Active Directory Users and Computers > home.com > Users
here you see all the users and groups in the domain.
to create a new user :
right click on Users > New > User
fill in the information (let's say John Smith)
user logon name : smith
password : abcd@1234
(samba's default password policy requires at least 7 characters with complexity, which this passes; pick something stronger for real accounts, and tick 'User must change password at next logon' so the admin never knows the user's final password.)
press ok.
the user now appears in the list. right click on that user > Properties
here you can manage everything about this user.
go to the Account tab > Logon Hours (you can restrict when the user may log on.)
you can also set from which computers the user is allowed to log on (the Log On To... button).
you can disable the account or force a password reset from the 'Account options' list.
the 'Computers' container shows every computer joined to the domain.
Creating Organizational Units :
home.com > right click on it > New > Organizational Unit > techsupport (let's say there is a department called tech support)
click ok
now, let's say John Smith is part of the techsupport department.
so we move John into it : go to Users, right click on John Smith > Move > techsupport > click ok
now John Smith is in the techsupport organizational unit of your company. this matters for group policy later: a policy linked to an OU only applies to the users and computers inside it.
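everything in this section can also be done from the DC's shell with samba-tool, which is handier than clicking through the MMC once there are more than a few accounts. the script below is an added example for this guide (not the post's own code and not a script shipped with Samba); it assumes the techsupport OU and the smith account from the text and adds a hypothetical user jdoe to show creation directly inside an OU. with DRY_RUN=1 it prints the samba-tool commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): the user/OU tasks of this
# section done with samba-tool on the DC instead of RSAT. Assumes the
# "techsupport" OU and the "smith" user from the guide; "jdoe" is a
# hypothetical account used only to demonstrate --userou.
# DRY_RUN=1 prints the samba-tool commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ou_dn NAME: DN of a top-level OU, e.g. techsupport -> OU=techsupport
# (samba-tool accepts DNs relative to the domain base).
ou_dn() { printf 'OU=%s\n' "$1"; }

# create_ou NAME: what "New > Organizational Unit" does in the MMC.
create_ou() {
    run samba-tool ou create "$(ou_dn "$1")"
}

# create_user LOGIN GIVEN SURNAME OU: create an AD user directly inside an
# OU. No password on the command line: samba-tool prompts for it, so it
# never shows up in `ps` or in the shell history. The must-change flag
# forces a rotation at first logon, so the admin never knows the final one.
create_user() {
    local login="$1" given="$2" surname="$3" ou="$4"
    run samba-tool user create "$login" \
        --given-name "$given" --surname "$surname" \
        --userou "$(ou_dn "$ou")" \
        --must-change-at-next-login
}

# move_user LOGIN OU: relocate an existing user (John Smith in the text)
# into an OU, like right click > Move.
move_user() { run samba-tool user move "$1" "$(ou_dn "$2")"; }

# disable_user LOGIN: the "Account is disabled" checkbox.
disable_user() { run samba-tool user disable "$1"; }

# plan_techsupport: the sequence this guide performs by hand in the MMC,
# plus one user created straight into the OU.
plan_techsupport() {
    create_ou techsupport
    move_user smith techsupport
    create_user jdoe Jane Doe techsupport
}

if [ "${1:-}" = plan ]; then
    plan_techsupport
fi
```

DRY_RUN=1 sh ad-users.sh plan shows the three commands; without DRY_RUN they run for real, and samba-tool asks for jdoe's password on the terminal. samba-tool domain passwordsettings show prints the complexity and length rules the password has to satisfy.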
View DNS Server Configuration :
DNS > homeserver.home.com > Forward Lookup Zones > home.com
here you can view the computers and their IP addresses, plus the _msdcs, _sites, _tcp and _udp folders that hold the SRV records clients use to locate the DC.
View Shared Folders, Sessions and Open Files :
Computer Management (homeserver.home.com) > System Tools > Shared Folders > Shares
here you can view the shares.
Sessions - the SMB sessions currently open against the server, and from which client.
Open Files - every file currently open on the server, and by whom.
Creating Network Shares in Ubuntu Server : SAMBA :
this section explains how to create network shares on the domain controller and how to map them automatically for every user on the network using Group Policy.
steps :
in the ssh console of the ubuntu server, look at the configuration provisioning generated :
cat /etc/samba/smb.conf
[global]
    dns forwarder = 8.8.8.8
    netbios name = HOMESERVER
    realm = HOME.COM
    server role = active directory domain controller
    workgroup = HOME
    idmap_ldb:use rfc2307 = yes
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
[netlogon]
    path = /var/lib/samba/sysvol/home.com/scripts
    read only = No
these are the two shares provisioning created: sysvol carries the group policy objects, netlogon carries logon scripts. windows clients depend on both, so leave them as they are.
this command lists every share the server offers (-N means no password; the listing itself is anonymous) :
sudo smbclient -L localhost -N
now we are going to create two more shares, one for apps and one for data.
(this guide puts them under the sysvol tree. that works in a lab, but sysvol is meant for group policy and logon scripts and carries the ACLs that samba-tool ntacl sysvolcheck verifies, so for anything real use a directory outside it, for example /srv/samba/apps and /srv/samba/data, and adjust the paths below.)
sudo mkdir -p /var/lib/samba/sysvol/home.com/apps
sudo mkdir -p /var/lib/samba/sysvol/home.com/data
next, add an entry for each of the two directories to smb.conf :
sudo vim /etc/samba/smb.conf
add these two sections :
[apps]
    path = /var/lib/samba/sysvol/home.com/apps
    read only = yes
[data]
    path = /var/lib/samba/sysvol/home.com/data
    read only = no
save it. without a valid users line, every account that can authenticate to the domain may read apps and write to data; add a valid users line naming a domain group if that is not what you want.
samba re-reads smb.conf when it changes (new connections pick it up within a minute or so); sudo smbcontrol all reload-config makes it immediate. list the shares again and the new ones appear :
sudo smbclient -L localhost -N
look at the permissions on the sysvol/home.com directory :
sudo ls -l /var/lib/samba/sysvol/home.com/
drwxrwx---+
the three triplets are owner, group and others (not root, user, others); the trailing + means a POSIX ACL is attached as well, since samba stores the NT ACLs of sysvol in extended attributes. the new directories inherit this, so "others" cannot even enter them.
change the permissions of the two new directories :
sudo chmod 775 /var/lib/samba/sysvol/home.com/apps
sudo chmod 775 /var/lib/samba/sysvol/home.com/data
drwxrwxr-x+ (owner and group have full access, others get read and execute. on a directory, execute is what allows traversing into it, and read is what allows listing it.)
(who owner and group actually are matters; ls -ln shows the numeric ids. domain users and groups get their uids and gids from samba's idmap, so write access for the windows side is granted by handing ownership to a domain group, or by editing the folder's Security tab from Computer Management.)
now let's go back to the windows client :
refresh the shared folders view and the two new shares, apps and data, appear.
so now we can map those shares for everyone on the network (the interesting part) :
Mapping Network Shares using GPO :
Group Policy Management > Forest > Domains > home.com > Group Policy Objects
(when the AD DC is provisioned, two objects are created by default: Default Domain Controllers Policy and Default Domain Policy)
right click on Group Policy Objects > New >
Name 'Mapped Drives Policy'
click ok
the Mapped Drives Policy is created. right click on it > Edit
under 'User Configuration', expand Preferences > Windows Settings > Drive Maps
right click on the white space > New > Mapped Drive >
leave the action as 'Update'
Location : \\homeserver\apps
Reconnect : tick
Label as : apps
Drive Letter : Use : J (or anything you want)
click Apply, click OK.
right click on the white space > New > Mapped Drive >
leave the action as 'Update'
Location : \\homeserver\data
Reconnect : tick
Label as : data
Drive Letter : Use : K
click Apply, click OK.
applying group policy is a two step process: first you create the GPO, then you link it to the domain or to an Organizational Unit.
under Group Policy Management > Forest > Domains > home.com > right click on it > Link an Existing GPO > Mapped Drives Policy > ok > ok.
now under Group Policy Objects > Mapped Drives Policy, Link Enabled shows Yes.
it means that every user in the domain is affected by this policy.
let's go ahead and open This PC.
notice that neither apps nor data shows up yet.
group policy is refreshed at logon and then roughly every 90 minutes; to pull the new policy right away :
win + r
cmd
gpupdate /force
(this forces the client to fetch group policy from the domain controller, and the drive maps appear under This PC. if they do not, gpresult /r lists which GPOs were actually applied to the user and the computer.)
now we can see both of our shares in This PC.
Installing MSI Packages using GPO (automate installation so the software is installed the next time the computer starts. convenient, right?) :
copy the msi package to the apps share on the server, with winscp or by logging in directly.
say, the 7-Zip msi package.
now,
open the mmc console
under Group Policy Management > Forest > Domains > home.com > Group Policy Objects > right click > New >
Name : 7zip Installation Policy
click ok (it gets created...)
right click on it > Edit
under Computer Configuration > Policies > Software Settings > Software installation
right click > New > Package
type the network path to the file, \\homeserver\apps\ followed by the name of the 7-Zip msi file, and click Open.
(use the UNC path, not the mapped drive letter. the package is installed by the computer account at startup, in the SYSTEM context, where your J: drive does not exist. that is also why the share must be readable by the computer accounts; the read-only apps share without a valid users restriction is.)
check 'Assigned', click ok.
close.
again, you need to link this policy :
under Group Policy Management > Forest > Domains > right click home.com > Link an Existing GPO > select 7zip Installation Policy.
click ok > ok.
now, open cmd
and run :
gpupdate /force
you get a notification that the computer needs to restart for the computer policy to apply.
cancel it and restart manually.
after restarting, you will notice that 7-Zip has been installed automatically.
nice, yes?
Restrict Access to Control Panel (or any specific app within the OS) and Running Login Scripts using GPOs :
open mmc :
expand Group Policy Objects, right click on it > New
name : Restrict Control Panel Policy
click ok
under Group Policy Objects, right click on Restrict Control Panel Policy > Edit
go to User Configuration > Policies > Administrative Templates > Control Panel
Prohibit access to Control Panel and PC settings (double click on it)
set 'Enabled', click ok.
that should be it.
now we need to link this policy again.
BUT! if we link it at the domain level, it affects every user in the domain, including the AD Administrator!
and we don't want that, do we?
so, what we do instead :
remember the OU we created? right click on 'techsupport' > Link an Existing GPO > Restrict Control Panel Policy.
done.
now log on to the client with smith's account (he was moved into techsupport above, so the policy applies to him and not to Administrator) :
Username : smith
Password : abcd@1234
try to open Control Panel and the Settings app; both are refused.
BONUS : How to Provide every user their own Personal Network Drive?
Sounds interesting, right? Follow along!
first, plan how many users are going to get their own personal drive, and note down the user names. For example : employee001, employee002.
the folders live outside the sysvol tree; this guide keeps them under the Ubuntu server's /home directory.
(I don't know why it doesn't work when it's inside /var/lib/samba/sysvol)
create one directory per user, named after the usernames you will create later on :
mkdir -p /home/vaibhav/drives/employee001
mkdir -p /home/vaibhav/drives/employee002
mkdir -p /home/vaibhav/drives/employee003
mkdir -p /home/vaibhav/drives/employee004
... and so on.
each AD user must be able to write to their own folder, so after creating it hand over ownership (chown to the domain user, which needs winbind in /etc/nsswitch.conf) or set the folder's Security tab from Computer Management on the windows side.
edit the smb.conf file :
vim /etc/samba/smb.conf
add one share per user, named exactly like the user, because the drive map below relies on \\homeserver\%username% :
For example :
[employee001]
    path = /home/vaibhav/drives/employee001
    read only = no
[employee002]
    path = /home/vaibhav/drives/employee002
    read only = no
[employee003]
    path = /home/vaibhav/drives/employee003
    read only = no
and so on..
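typing the apps/data sections above and then one section per employee by hand does not scale, and it is easy to leave a share open to everyone. the script below is an added example for this guide (not the original post's configuration) that generates all of those stanzas in one go, restricts the shared ones to Domain Users and each personal share to its own user, creates the directories, and runs testparm over the result before anything touches the live smb.conf. it assumes the shares live under /srv/samba (a choice for this example, outside both sysvol and /home) and that the domain's NetBIOS name is HOME.

```shell
#!/bin/sh
# Added example for this guide (not the original post's configuration):
# generate the smb.conf share stanzas for the apps/data shares and for one
# personal drive per employee, then check them with testparm before they go
# into the live smb.conf. Assumptions: shares live under /srv/samba rather
# than sysvol or /home, and the domain NetBIOS name is HOME.
SHARE_ROOT="${SHARE_ROOT:-/srv/samba}"
DOMAIN_NB="${DOMAIN_NB:-HOME}"

# share_stanza NAME PATH READ_ONLY [VALID_USERS]
# Prints one [share] block. VALID_USERS is an smb.conf "valid users" value;
# when omitted any domain account may connect (what the original shares do),
# with the filesystem permissions as the only guard.
share_stanza() {
    printf '[%s]\n' "$1"
    printf '    path = %s\n' "$2"
    printf '    read only = %s\n' "$3"
    if [ -n "${4:-}" ]; then
        printf '    valid users = %s\n' "$4"
    fi
    printf '\n'
}

# personal_stanza USER: a share named after the user. "valid users = %S"
# (%S expands to the share's own name) ties it to that one account, the
# idiom smb.conf(5) documents for [homes]-style shares.
personal_stanza() {
    share_stanza "$1" "$SHARE_ROOT/drives/$1" no '%S'
}

# gen_shares USER...: the two common shares, then a personal share per user.
# Both common shares are limited to the domain's users group.
gen_shares() {
    share_stanza apps "$SHARE_ROOT/apps" yes "@\"$DOMAIN_NB\\Domain Users\""
    share_stanza data "$SHARE_ROOT/data" no "@\"$DOMAIN_NB\\Domain Users\""
    for u in "$@"; do
        personal_stanza "$u"
    done
}

# make_dirs USER...: create the directories. Personal folders start as 0700
# so nothing is readable until ownership is handed to the domain user
# (chown HOME\employee001 once winbind is in /etc/nsswitch.conf, or via the
# folder's Security tab in Computer Management). data is setgid so files
# keep the group you chgrp it to.
make_dirs() {
    mkdir -p "$SHARE_ROOT/apps" "$SHARE_ROOT/data"
    chmod 0755 "$SHARE_ROOT/apps"
    chmod 2770 "$SHARE_ROOT/data"
    for u in "$@"; do
        mkdir -p "$SHARE_ROOT/drives/$u"
        chmod 0700 "$SHARE_ROOT/drives/$u"
    done
}

# write_and_check FILE USER...: write the stanzas to FILE and let testparm
# parse them. A syntax error makes testparm exit non-zero, so a broken
# fragment never gets appended to /etc/samba/smb.conf.
write_and_check() {
    out="$1"; shift
    gen_shares "$@" > "$out"
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$out" >/dev/null
    else
        echo "testparm not found, skipping syntax check" >&2
    fi
}
```

source the file and run write_and_check /tmp/shares.conf employee001 employee002 (and make_dirs with the same list), append the checked fragment to /etc/samba/smb.conf and run sudo smbcontrol all reload-config. the Mapped Drives Policy entry \\homeserver\%username% from this section works unchanged, since every personal share is still named after its user.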
Now create the users :
expand Active Directory Users and Computers > home.com > Users
right click on Users > New > User
create users :
employee001
employee002
employee003
.. etc.
Now open the saved mmc console :
go to :
Group Policy Objects > right click on Mapped Drives Policy > Edit
under 'User Configuration', expand Preferences > Windows Settings > Drive Maps
right click on the white space > New > Mapped Drive >
leave the action as 'Update'
Location : \\homeserver\%username%
Reconnect : tick
Label as : Personal Drive
Drive Letter : Use : J (or anything you want, but not a letter the apps/data maps above already use)
click Apply, click OK.
%username% is expanded on the client at logon, so when an employee logs in with their ID the share with the same name is mounted as their personal drive under 'This PC'. a user without a matching share simply gets no drive.
Thanks for Reading!