Configuring Samba on Ubuntu Server 10.04


Post by dedwards » Mon Oct 11, 2010 12:24 pm

The instructions below are for configuring Samba with local authentication using the Samba account "samba_user". You can change "samba_user" to whatever account name you want.

1. Ensure Samba is installed by issuing the following command:

Code: Select all

sudo apt-get install samba

If Samba is installed the system will tell you it's already installed. If not, it will install it for you.

2. Edit the "/etc/samba/smb.conf" file:

Code: Select all

sudo vi /etc/samba/smb.conf

Under the "[global]" section of the config file, ensure that at a minimum the following parameters are set:

Code: Select all

null passwords = yes
guest account = samba_user
workgroup = yourworkgroup
unix password sync = yes
security = user

3. Scroll to the very end of the "smb.conf" file and create your Samba share(s) by using the format below for each share.

Code: Select all

        comment = Share Description
        path = /path/to/directory/you/want/to/share
        public = yes
        guest ok = yes
        write list = @samba_user samba_user
        read only = no
        writable = yes
        printable = no
        create mode = 0770
        directory mode = 0770

Save and exit the smb.conf file.

4. Create a UNIX user to be associated with the Samba user by issuing the following command:

Code: Select all

sudo useradd -d /home/samba_user -s /bin/false -N samba_user

The "-d /home/samba_user" sets the home directory for this user. The "-s /bin/false" sets a "false" shell for that user, meaning that user will not be able to log on to the system and run commands since no shell is set. The "-N" switch tells the system NOT to create a group name out of that username.

Set the password for that user:

Code: Select all

sudo passwd samba_user

You will be prompted for a password twice.

5. Create a Samba user by issuing the following command:

Code: Select all

sudo smbpasswd -a samba_user

You will be prompted for a password twice. This is the password you are going to use to authenticate to the Samba shares.

6. Ensure the "samba_user" is the owner of the share.

Code: Select all

chown -R samba_user /path/to/directory/you/want/to/share

7. Reload and re-start the "smbd" service:

Code: Select all

sudo /etc/init.d/smbd reload
sudo /etc/init.d/smbd restart

OPTIONAL: Integrate Samba with Active Directory

If you need to integrate your Ubuntu Server with Active Directory in order to authenticate AD users to your server's Samba shares, it's easy enough to accomplish. However, if you have implemented Samba using local authentication from the first part of the article, you must make a backup of your current Samba configuration and start with a clean, fresh file.

1. Create a backup of your "/etc/samba/smb.conf" file:

Code: Select all

sudo cp /etc/samba/smb.conf /etc/samba/smb.bak

2. Delete every line in your "/etc/samba/smb.conf" file in order to start fresh. The easiest way to do this is to edit the file with "vi" and press the "d" key twice on every line until all of them are gone, and then save the file. I'm sure there is an even easier way, however, I can't think of one.

3. Next, you must install Likewise Open 6. Word of caution: DO NOT install Likewise Open from the Ubuntu repositories because it simply will not work with Samba 3.4, which is the version of Samba Ubuntu Server 10.04 (Lucid) uses. Go to the following URL:

***UPDATE 4/26/2012*** Likewise has been renamed to BeyondTrust PowerBroker® Identity Services, Open and it can now be downloaded at

Download the appropriate Likewise Open 6 Stable DEB file for your server. Ensure that if you are using a 64-bit version of Ubuntu Server, you download the 64-bit version of Likewise Open. The easiest way to download is from the console using wget:

Code: Select all

sudo wget

Once downloaded, make the file executable:

Code: Select all

sudo chmod +x

Install the file:

Code: Select all


Accept the license agreement and proceed with the install. Enter all the appropriate information for your domain and domain controllers when the program asks. Once the installation is finished, reboot your computer.

4. Next, edit your "/etc/hosts" file:

Code: Select all

sudo vi /etc/hosts

Ensure that your file looks like the example below, where "yourserver" is your Ubuntu server without the domain part, "yourdomain.local" is the FQDN of your AD domain, "" is the IP of your domain controller, "dc.yourdomain.local" is the FQDN of your domain controller and "dc" is the hostname of your domain controller without the domain part:

Code: Select all

yourserver.yourdomain.local yourserver localhost
dc.yourdomain.local dc
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Save the file

5. Edit your "/etc/nsswitch.conf" file:

Code: Select all

sudo vi /etc/nsswitch.conf

Comment out the line that reads (place a "#" without the double quotes in front of the line):

Code: Select all

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

so it looks like this:

Code: Select all

# hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

Finally, ensure the "hosts:" line looks like this:

Code: Select all

hosts:          files dns

Save the file.

6. Next, we are going to go ahead and join the AD domain. Run the following command from the console where "yourdomain.local" is your AD domain, and "Administrator" is a domain account with privileges to join a computer to the domain:

Code: Select all

sudo /opt/pbis/bin/domainjoin-cli join yourdomain.tld Administrator

Enter the domain account password and if successful you should get the following message back:

Code: Select all

Warning: System restart required
Your system has been configured to authenticate to Active Directory for the first time. It is recommended that you restart your system to ensure that all applications recognize the new settings.

Reboot your machine and check in your domain controller under "Active Directory Users and Computers" and you should be able to see your Ubuntu server listed under the "Computers" container.

7. Next, we are going to ensure that each time a domain user logs in to your Ubuntu server via SSH or the console, they use the "/bin/bash" shell and a folder is created for each user under "/home/YOURDOMAIN/username". So run the following two commands:

Code: Select all

sudo /opt/likewise/bin/lwconfig LoginShellTemplate /bin/bash


Code: Select all

/opt/likewise/bin/lwconfig HomeDirTemplate %H/%D/%U

8. Next, we want your Ubuntu server to update the DNS every time it boots up, so create the following script under "/etc/init.d":

Code: Select all

sudo vi /etc/init.d/lw-startup

Enter the following in the new file:

Code: Select all


Save the file and make it executable:

Code: Select all

sudo chmod a+x /etc/init.d/lw-startup

Set up the script to run every time your server boots up:

Code: Select all

cd /etc/init.d

Code: Select all

sudo update-rc.d -f lw-startup defaults

9. Ensure that members of a group in your AD domain are able to "sudo" in your Ubuntu server. On the console run the following command:

Code: Select all


The command above allows you to edit the "/etc/sudoers" file. This is the ONLY way you should edit this file, don't even think about using just plain old "vi". Enter the following under the "%admin ALL=(ALL) ALL" line:

Code: Select all


so the whole section will look like this:

Code: Select all

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

where "YOURDOMAIN" is your AD domain and "AD^GROUP" is an AD group you want to be able to "sudo" on your machine. The "^" is located right above the "6" key on your keyboard and it's used when you have a two-word AD group (most of them are), since you cannot separate the group name with spaces in your "/etc/sudoers" file.

Press "CTRL" and "O" (the letter NOT ZERO), press enter in the "File Name to Write" prompt and then press "CTRL" and "X" to exit.

Run the following command to verify Samba compatibility with Likewise:

Code: Select all

sudo /opt/likewise/bin/samba-interop-install --check-version

You should get the following message:

Code: Select all

Found smbd version 3.4.7
Samba version supported

10. Next, edit your fresh "/etc/samba/smb.conf" file and enter the following entries:

Code: Select all

   workgroup = YOURDOMAIN
   server string = %h server
   wins server =
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = no
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   idmap uid = 10000-33554431
   idmap gid = 10000-33554431
   usershare allow guests = yes

  path = /share
  read only = no
  guest ok = no
  browseable = yes
  valid users = YOURDOMAIN\Administrator
  force user = share

Where "YOURDOMAIN" is your NetBIOS domain name, "YOURDOMAIN.LOCAL" is your full AD domain name, "" is the IP of your domain controller, "/share" is the name of your share, "YOURDOMAIN\Administrator" is the AD user you want to have access to that share, and "force user = share" names the UNIX account we are going to create next to have full ownership of that directory path. Save the file.

Change the permissions on your share directory path:

Code: Select all

sudo chmod -R -c 766 /share

Add a user named "share" or whatever you want it to be and give it ownership of that directory path. If you use another username, ensure you change the "force user = " parameter in the "/etc/samba/smb.conf" file to reflect that username:

Code: Select all

sudo useradd share

Code: Select all

sudo chown -R share:share /share

Alternatively, in the "valid users =" parameter of your "/etc/samba/smb.conf" instead of using a single domain user, you can use a domain group as follows:

Code: Select all

valid users = @"YOURDOMAIN\Domain Users"

As you can see we put a "@" symbol in front and enclosed the AD group name in double quotes since it's a two word group name.

11. Next, we need to run the Samba Interoperability Installer and restart the Samba and Winbind services. But, since we don't have Winbind installed, we must install it first:

Code: Select all

sudo apt-get install winbind

The installation of winbind will most likely give you a compatibility error between Likewise and Winbind, just ignore it and continue. It will not harm anything.

Once winbind is installed, enter the following command:

Code: Select all

sudo /opt/pbis/bin/samba-interop-install --install

Reboot the server or restart Samba and winbind (Order is important):

Code: Select all

sudo /etc/init.d/samba stop

Code: Select all

sudo /etc/init.d/winbind stop

Code: Select all

sudo /etc/init.d/samba start

Code: Select all

sudo /etc/init.d/winbind start

You should now be able to access the Samba share from any Windows computer on the AD domain and as long as you supply the correct AD credentials, you should get access to the share. Alternatively, you can SSH into your server and logon as an AD user.
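
The guest-related settings from steps 2 and 3 of the first part and from step 10 of the Active Directory part can be checked with a small auditor. This is an added example, not part of the original post; the share name "myshare", the function names and the finding labels are assumptions, and the sample is a constructed subset of the guide's settings.

```python
import re

BOOL = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}
SYNONYMS = {"public": "guest ok"}                  # Samba synonym used in the guide
INVERTED = {"writable", "writeable", "write ok"}   # inverted synonyms of "read only"
SAMBA_DEFAULTS = {"null passwords": "no", "map to guest": "never", "usershare allow guests": "no"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names and booleans normalised, last line wins."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())    # Samba ignores case and extra spaces
            value = BOOL.get(value.lower(), value)
            if key in INVERTED:
                key, value = "read only", "no" if value == "yes" else "yes"
            conf[section][SYNONYMS.get(key, key)] = value
    return conf

def audit(text):
    """Return sorted (section, finding) pairs for guest or passwordless access."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    guest = glob.get("guest account", "nobody")    # "nobody" is the usual built-in default
    found = {("global", p) for p, d in SAMBA_DEFAULTS.items() if glob.get(p, d).lower() != d}
    for name, share in conf.items():
        if name != "global" and share.get("guest ok", "no") == "yes":
            found.add((name, "guest ok"))
            if share.get("read only", "yes") != "yes":
                found.add((name, "guest can write"))
            if guest in re.split(r"[\s,]+", share.get("write list", "")):
                found.add((name, "guest account in write list"))
    return sorted(found)

# Constructed sample: settings from steps 2 and 3 under a hypothetical share name.
LOCAL_AUTH = """[global]
null passwords = yes
guest account = samba_user
[myshare]
public = yes
write list = @samba_user samba_user
writable = yes"""

if __name__ == "__main__":
    print(*(f"[{section}] {finding}" for section, finding in audit(LOCAL_AUTH)), sep="\n")
```

Only parameters set inside a share section are evaluated per share; share defaults placed in "[global]" are not propagated by this sketch.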
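
What "chmod -R 766" from step 10 leaves behind on a share tree, next to a tighter pair of modes, as an added example that is not from the original post. The tree is a constructed throwaway directory; mode 0770 for directories is taken from the guide's "directory mode" setting, while 0660 for files and all function names are assumptions.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Return sorted (relative path, finding) pairs for root and everything below it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, name) for name in files]:
            mode = os.lstat(path).st_mode
            rel = os.path.relpath(path, root)
            if stat.S_ISLNK(mode):
                continue                           # symlink modes are not meaningful
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if stat.S_ISDIR(mode) and (mode & stat.S_IROTH) and not (mode & stat.S_IXOTH):
                findings.append((rel, "listable but not searchable by others"))
            if stat.S_ISREG(mode) and (mode & stat.S_IXUSR):
                findings.append((rel, "data file marked executable"))
    return sorted(findings)

def demo(dir_mode, file_mode):
    """Build a throwaway tree, set the given modes on every entry, and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "report.txt"), "w") as fh:
            fh.write("constructed sample file\n")
        # Bottom-up, so each directory is still traversable while its contents change.
        for dirpath, _dirs, files in os.walk(root, topdown=False):
            for name in files:
                os.chmod(os.path.join(dirpath, name), file_mode)
            os.chmod(dirpath, dir_mode)
        return audit_tree(root)

if __name__ == "__main__":
    for label, modes in (("766 on everything", (0o766, 0o766)),
                         ("770 dirs / 660 files", (0o770, 0o660))):
        print(label)
        for rel, finding in demo(*modes):
            print(f"  {rel}: {finding}")
```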