Ubuntu Server as Domain Member Server

I have created a network like the picture above, a simulation, using VMWare 9.0, because of the limitations of the equipment. It would be nice if you could use in the real network. I assume you are already familiar with using linux and windows, including windows server 2008. And the network you created, has met the following conditions:

•   a windows server 2008 R2,

·         LAN IP, 10.10.0.2, hostname (DC name) = SERVER-AD-01.NGERI.CO.ID

·         domain: NGERI.CO.ID,

·         DNS is running well

·         More options, DHCP is already running.

• Windows XP or Windows 7 as an OS users / client computer.

·         Lan IP 10.10.0.0/24, and make sure it's join the domain NGERI.CO.ID

• Install fresh Ubuntu server 12.04.1 / 12.10 (this version that I have tried, for other versions, might also be used, try it yourself.)

The domain name and IP address can be changed by your own desires. If the above conditions are met, proceed with the following:

1.      IP address. Change the IP address to static. Edit /etc/network/interfaces,

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 10.10.0.6
netmask 255.255.255.0
network 10.10.0.0
broadcast 10.10.0.255
gateway 10.10.0.1
dns-nameservers 10.10.0.2 8.8.8.8

2.      Hostname. Change the hostname in accordance with your wishes, and then save. For example-UBUNTU SERVER. Edit in /etc/hostname

SERVER-UBUNTU

In /etc/hosts, add the following line, do not forget saved.
10.10.0.6 server-ubuntu server-ubuntu.ngeri.co.id

3.       Install necessary packages & configure

# apt-get update

# apt-get install openssh-server mc vim

# apt-get install ntp krb5-user samba winbind

When you asked about configure kerberos, fill in your domain name. For example, in my case, type NGERI.CO.ID. and select ok.

Next, you will be asked about the hostname (DC name) of the domain server, in this case, type SERVER-AD-01.NGERI.CO.ID. and select OK.

And lastly, Enter the administrator password of the server domain. For example, "xxgirxx". Then select ok.

 4.      NTP. Define ntp server, to synchronize time between servers with domain member server. In /etc/ntp.conf:
server 10.10.0.2 

5.      Samba

# mv /etc/samba/smb.conf /etc/samba/smb.conf.old 

# vim /etc/samba/smb.conf.

[global]

    workgroup = NGERI

    server string = Samba Server Version %v

    security = ads

    realm = NGERI.CO.ID

    password server = xxngerixx

    domain master = no

    local master = no

    preferred master = no

    idmap backend = tdb

    idmap uid = 10000-99999

    idmap gid = 10000-99999

    idmap config TEST:backend = rid

    idmap config TEST:range = 10000-99999

    winbind separator = +

    winbind enum users = yes

    winbind enum groups = yes

    winbind use default domain = yes

    winbind nested groups = yes

    winbind refresh tickets = yes

    template homedir = /home/%D/%U

    template shell = /bin/bash

    client use spnego = yes

    client ntlmv2 auth = yes

    encrypt passwords = yes

    restrict anonymous = 2

    log file = /var/log/samba/log.%m

    max log size = 50

#========================= Share Definitions ======================

[testshare]

    comment = Test share

    path = /home/testshare

    read only = no

    valid users = @"TEST+Domain Users"

    force group = "Domain Users"

    directory mode = 0750

    force directory mode = 0750

    create mode = 0640

    force create mode = 0640

    # Hide share from users who don't have access

    access based share enum = yes

    # Hide files/directories if user doesn't read access

    hide unreadable = yes

Do not forget to saved, and of course the above configurations customized to your needs. Then create a folder for samba sharing.

# mkdir /home/testshare

6.      Authentication winbind. Edit /etc/nsswitch.conf, and update the following lines:

passwd: compat winbind

group: compat winbind

7.      Kerberos, look in / etc/krb5.conf, make sure that a few lines below, there was and is correct.

[libdefaults]

        default_realm = NGERI.CO.ID

# The following krb5.conf variables are only for MIT Kerberos.

        krb4_config = /etc/krb.conf

        krb4_realms = /etc/krb.realms

        kdc_timesync = 1

        ccache_type = 4

        forwardable = true

        proxiable = true

[realms]

        NGERI.CO.ID = {

                kdc = SERVER-AD-01.NGERI.CO.ID

                admin_server = xxngerixx

        }

[domain_realm]

        .ngeri.co.id = NGERI.CO.ID

        ngeri.co.id = NGERI.CO.ID

That’s all… now reboot…

It's time to try.

# kinit administrator

Password for administrator@NGERI.CO.ID:

# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: administrator@NGERI.CO.ID

Valid starting    Expires           Service principal

04/02/2013 21:08  05/02/2013 07:09  krbtgt/NGERI.CO.ID@NGERI.CO.ID

        renew until 05/02/2013 21:08

Join Samba to the domain:

# net ads join -U administrator

Enter administrator's password:

Using short domain name -- NGERI

Joined 'SERVER-UBUNTU' to realm 'NGERI.CO.ID'

Test that Winbind can list your AD users and groups:

# wbinfo -u

# wbinfo –g

Now, through the client computer (windows), login using the domain users. Click start-run. In the box, type \\server-ubuntu\ then click ok. A window should open showing the \\server-ubuntu\testshare.

At this time, Ubuntu has been successfully used as a Member Server, and could be server for file sharing. You must have a plan for the File Server. Which domain users can access, which files can be accessed, and so on. Of course, use the file permissions on the /etc/samba/smb.conf, to make the rules. For example, I want each domain users possessed its own folder in Drive File Server. And for the domain users do not have permissions, folders and files invisible.
On Ubuntu, create some folders.

# cd /home/share

# mkdir ngeri datauser1 datauser2

# chown ngeri ngeri

# chown user1 datauser1

# chown user2 datauser2

# chgrp “domain users”  /home/share/*

And in smb.conf

directory mode = 0700

    force directory mode = 0700

    create mode = 0600

    force create mode = 0600

Ok. At this point, I think, I do not need to explain more about this permission, because I think, you have already known about this.

Reference :
http://ubuntuforums.org/showthread.php?t=280702. I modified it based on my experiments using ubuntu 12:10.