[Samba] Setting up new AD on (k)ubuntu 20.04

Krzysztof Kucybała krzysieq at hotmail.com
Thu Dec 3 20:38:33 UTC 2020

Hi all,
I've been stuck on this for a good month now trying to set up a small domain at home so that I don't have to manage users on every PC at home separately. With 4 kids doing home schooling right now this is more important than ever, although by now I've spent so much time on this that I probably would've set up the users on every machine 3 times back and forth and still would've spent less time 🙂

Following the suggestions here:
networking - Mounting samba share loses file ownership info - Ask Ubuntu: https://askubuntu.com/questions/1287239/mounting-samba-share-loses-file-ownership-info
So I tried this solution out and it kinda works, but doesn't do what I need. It exposes the directory only of the user currently logged into samba, like this (both are actually the same folder under the hood): \\addc.mydomain.com\homes and \\addc.mydomain.com\<username>. But this means two things: 1) I need to be a logged-in user or provide the password at mount time; 2) I cannot do this at boot ...

and here:
password - Samba AD DC no longer accepts login using domain accounts - Ask Ubuntu: https://askubuntu.com/questions/1292869/samba-ad-dc-no-longer-accepts-login-using-domain-accounts
You see, this is the part I really don't understand - I'm running AD DC on Samba 4.11.6 and for the love of me I wasn't able to reliably connect any domain client PC with winbind - it would come and go, couldn't be trusted.
I took the advice and set up a new AD DC in a dedicated VM (Debian 10). I also installed kubuntu fresh on one of the PCs and followed the samba wiki tutorial to join it to the domain using winbind. Here's my basic AD smb.conf:

  [global]
  dns forwarder =
  netbios name = PRIMARYDC
  realm = MYDOMAIN.COM
  server role = active directory domain controller
  workgroup = MYDOMAIN
  idmap_ldb:use rfc2307 = yes
  template shell = /bin/bash
  template homedir = /home/%D/%U
  unix extensions = Yes
  vfs objects = dfs_samba4 acl_xattr recycle

  [netlogon]
  path = /var/lib/samba/sysvol/mydomain.com/scripts
  read only = No

  [sysvol]
  path = /var/lib/samba/sysvol
  read only = No

I tried many different tweaks before I ended up with this on the client PC:

  [global]

  ## Browsing/Identification ###

  # Change this to the workgroup/NT-domain name your Samba server will part of
   security = user
   winbind refresh tickets = Yes
   map acl inherit = Yes
   store dos attributes = Yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind use default domain = Yes
   bind interfaces only = Yes
   interfaces = lo eth0
   winbind enum users = Yes
   winbind enum groups = Yes
  # server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)

   winbind nss info = rfc2307
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 10000-999999
   idmap config MYDOMAIN:unix_nss_info = Yes
   idmap config MYDOMAIN:unix_primary_group = Yes

   template shell = /bin/bash
   template homedir = /home/%D/%U

   username map = /etc/samba/user.map

pam.d configs were updated to contain winbind entries automatically after the installation of the required packages. However, neither this nor any of the configs I experimented with along the way resulted in a workable domain join. When I ran "net ads join" it reported success, but the client was only running winbindd - smbd and nmbd weren't even starting up. And trying to run getent passwd or getent group on any domain objects gave me no results. What is even more annoying is that the unrecommended approach of using SSSD instead of winbind works like a charm. What am I doing wrong? Is there a definitive tutorial somewhere on how to do it? I don't think my setup is special in any way but the use of the rfc2307 schema, but even that is recommended as the default for any new domain setup such as mine. Any help will be greatly appreciated.
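A successful "net ads join" followed by empty getent output is the symptom the post ends on, and two things decide whether winbind can hand out domain users: the idmap ranges in smb.conf (the "*" default range and the per-domain range must be sane, non-overlapping intervals) and whether /etc/nsswitch.conf lists winbind on its passwd and group lines, which the post does not mention. The script below is an added example and is not code from the post or from the Samba project; it runs two offline checks over constructed sample files modelled on the client configuration quoted above, and the file names and the checker function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for a
# winbind domain client. Sample inputs are constructed below; on a real host
# point the functions at /etc/samba/smb.conf and /etc/nsswitch.conf instead.

# Check 1: each "idmap config <dom> : range = A-B" must satisfy A < B, and the
# ranges of different domains (the "*" default included) must not overlap.
# Prints findings; returns 0 when clean, 1 otherwise.
check_idmap_ranges() {
    awk '
        /^[ \t]*idmap config .*range[ \t]*=/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)   # strip the key prefix
            split(line, kv, "=")                          # kv[1]="<dom> : range", kv[2]="A-B"
            dom = kv[1]; sub(/[ \t]*:.*$/, "", dom); gsub(/[ \t]/, "", dom)
            rng = kv[2]; gsub(/[ \t]/, "", rng)
            split(rng, ab, "-")
            n++; D[n] = dom; A[n] = ab[1] + 0; B[n] = ab[2] + 0
        }
        END {
            bad = 0
            if (n == 0) { print "no idmap ranges found"; bad = 1 }
            for (i = 1; i <= n; i++) {
                if (A[i] >= B[i]) {
                    printf "invalid range for %s: %d-%d\n", D[i], A[i], B[i]; bad = 1
                }
                for (j = i + 1; j <= n; j++)
                    if (A[i] <= B[j] && A[j] <= B[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n", D[i], A[i], B[i], D[j], A[j], B[j]
                        bad = 1
                    }
            }
            exit bad
        }' "$1"
}

# Check 2: nsswitch.conf must route both passwd and group lookups through winbind,
# otherwise getent never asks winbindd at all even though the join succeeded.
check_nsswitch() {
    awk '
        $1 == "passwd:" || $1 == "group:" {
            seen[$1] = 1; ok = 0
            for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1
            if (!ok) { printf "%s line lacks winbind\n", $1; bad = 1 }
        }
        END {
            if (!seen["passwd:"] || !seen["group:"]) { print "missing passwd: or group: line"; bad = 1 }
            exit bad
        }' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed smb.conf fragment using the ranges from the post (non-overlapping).
cat > "$tmp/smb.conf.good" <<'EOF'
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 10000-999999
EOF

# Constructed broken variant: the default range collides with the domain range.
cat > "$tmp/smb.conf.bad" <<'EOF'
[global]
   idmap config * : range = 3000-20000
   idmap config MYDOMAIN:range = 10000-999999
EOF

# Constructed nsswitch.conf samples: with and without winbind.
cat > "$tmp/nsswitch.good" <<'EOF'
passwd:         files systemd winbind
group:          files systemd winbind
EOF
cat > "$tmp/nsswitch.bad" <<'EOF'
passwd:         files systemd
group:          files systemd
EOF

for f in smb.conf.good smb.conf.bad; do
    if check_idmap_ranges "$tmp/$f"; then echo "$f: idmap ranges ok"; fi
done
for f in nsswitch.good nsswitch.bad; do
    if check_nsswitch "$tmp/$f"; then echo "$f: nsswitch ok"; fi
done
```

Once both checks pass on the real files, the live equivalents are `testparm -s` (rejects typos the parser above does not see), `wbinfo -t` (trust-account check against the DC) and `wbinfo -u` followed by `getent passwd <domainuser>`: if wbinfo lists users but getent does not, the problem is nsswitch, not the join.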

