- Software
  - Samba > 3.0.20
  - Kerberos MIT/Heimdal
  - ntp
  - often a CUPS server
- Permissions/Users
  - root user on the server
  - an AD user with the permission to join machines to AD
- The time between the DCs and the Samba server must be in sync
  - use ntp
- Configure your Kerberos environment; kinit must work without errors
- Configure your smb.conf
  - security = ADS
- Join the domain
  - kinit
  - net ads join
- Start the services
  - nmbd
  - smbd
  - winbindd
The first thing to do is to set up the Kerberos keys so that they work. Remember that Kerberos is time-dependent, so you may have to make sure that the machine time is correct using a protocol like NTP.

Below is a working krb5.conf file.

Note: letters are case sensitive here! Without capitalization of your realms and of the .domain_realm targets, Kerberos won't be able to connect.
```ini
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WINDOWS.DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 WINDOWS.DOMAIN.COM = {
  kdc = windows.domain.com
  admin_server = windows.domain.com
  default_domain = windows.domain.com
 }

[domain_realm]
 .kerberos.server = WINDOWS.DOMAIN.COM
 .windows.domain.com = WINDOWS.DOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
```
Save the file. Once the file is saved you can test it with this command: `kinit admin@WINDOWS.DOMAIN.COM`. Remember, again, capitals are important. This should ask you for the password for the user account "admin", and then tell you whether you have successfully logged in.
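The case rule above is easy to get wrong in a long krb5.conf, so here is an added example (not from the original page) that lints a krb5.conf for it: the default realm and every realm name must be upper-case, and every [domain_realm] target must name a realm that has a [realms] entry. The function defaults to /etc/krb5.conf; the demo runs it on a constructed file with a lower-case target.

```shell
# Added example, not from the original page. Returns 0 when clean, 1 otherwise,
# printing one line per finding. Assumes the usual "key = value" layout.
check_krb5_conf() {
    awk '
        /^[ \t]*\[/ { section = $1; gsub(/[][]/, "", section); next }
        section == "libdefaults" && $1 == "default_realm" { def = $3 }
        section == "realms" && $2 == "=" && $3 == "{"      { realms[$1] = 1 }
        section == "domain_realm" && $2 == "="             { map[$1] = $3 }
        END {
            bad = 0
            if (def == "")                { print "no default_realm in [libdefaults]"; bad = 1 }
            else if (def != toupper(def)) { print "default_realm not upper-case: " def; bad = 1 }
            else if (!(def in realms))    { print "default_realm has no [realms] entry: " def; bad = 1 }
            for (r in realms) if (r != toupper(r)) { print "realm not upper-case: " r; bad = 1 }
            for (d in map) {
                if (map[d] != toupper(map[d])) { print "domain_realm target not upper-case: " d " -> " map[d]; bad = 1 }
                else if (!(map[d] in realms))  { print "domain_realm target not in [realms]: " d " -> " map[d]; bad = 1 }
            }
            exit bad
        }' "${1:-/etc/krb5.conf}"
}

# Demo on a constructed krb5.conf with the typical mistake (lower-case target in
# [domain_realm]). It is written to a temp file, so nothing on the host is touched.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[libdefaults]
    default_realm = WINDOWS.DOMAIN.COM
[realms]
    WINDOWS.DOMAIN.COM = {
        kdc = windows.domain.com
    }
[domain_realm]
    .windows.domain.com = windows.domain.com
EOF
    rc=0; check_krb5_conf "$f" || rc=$?
    rm -f "$f"
    return $rc
}
```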
Samba is the software that allows you to connect Linux and UNIX clients to a Windows domain in the same way as you would a Windows 2000/XP machine. There are three important components, smbd, nmbd and winbind, which all use the same configuration file: /etc/samba/smb.conf. Check the example configuration file below:
```ini
# GLOBAL PARAMETERS
[global]
 workgroup = MIDGARD
 realm = WINDOWS.DOMAIN.COM
 preferred master = no
 server string = Linux Test Machine
 security = ADS
 encrypt passwords = yes
 log level = 3
 log file = /var/log/samba/%m
 max log size = 50
 printcap name = cups
 printing = cups
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind use default domain = Yes
 winbind nested groups = Yes
 winbind separator = +
 idmap uid = 600-20000
 idmap gid = 600-20000
 ;template primary group = "Domain Users"
 template shell = /bin/bash

[homes]
 comment = Home Directories
 valid users = %S
 read only = No
 browseable = No

[printers]
 comment = All Printers
 path = /var/spool/cups
 browseable = no
 printable = yes
 guest ok = yes
```
A few important switches might need a bit of explanation.

Now test the parameters file, and correct any syntax errors, using the command `testparm`. It should print out that everything is okay, plus a warning about the + sign possibly causing problems with domain joins. This warning can be safely ignored.
Now join your machine to the Active Directory. You will need the user name and password of a Domain Administrator account to do this. The command you need to join the domain is `net ads join -U sadwrn`. This should ask you for a password, and then print a domain join notice.
To check that you have successfully joined the domain, there are several things you can test:

- `net ads join -U administrator` tests the connection to the Active Directory.
- `wbinfo -u` should now list all the members of the domain.
- `wbinfo -g` should now list all the groups available in the domain.
- `wbinfo -a username%password` checks whether `username` can connect to the domain using `password`.
- Should wbinfo fail to return all groups or users in the Active Directory, simply increase the idmap gid upper boundary and restart winbind and SMB until all users and groups appear in the list.
The next step is to get the passwd command to check the winbind list for user names and groups. This is fairly straightforward, as it only involves changing one file, /etc/nsswitch.conf, and only minimally at that. Of course, back up this file before changing it.
```
passwd:     files winbind
shadow:     files winbind
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns wins

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files
ethers:     db files
netmasks:   files
networks:   files dns
protocols:  db files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus
```
Note that the following files (and symlinks) must be present in the system /lib directory:

- libnss_winbind.so
- libnss_winbind.so.2 -> libnss_winbind.so
- libnss_wins.so
- libnss_wins.so.2 -> libnss_wins.so
Now all that remains is setting up PAM authentication.

On RedHat, changing the PAM configuration is as easy as changing one file, /etc/pam.d/system-auth. This file is responsible for directing the services that require authentication to the right mechanism to get a response. Change the file as follows:
```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_winbind.so use_first_pass
```
Save the file, and change to another virtual terminal. Try logging in as a member of the Active Directory. This should work, though you WILL see an error about a missing home directory (don't worry about that, we'll fix it later). If you had a previous local user account on that machine that matches the login from the Active Directory, you will need to comment it out (comment, not delete, so that you can restore it if things go wrong). Check as many users as you can, until you feel comfortable that the mechanism works. ALERT! Remember to ensure that ROOT can still log in.

Yeah, this one took me about a day too.
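The ordering of the auth stack above is what keeps root able to log in when winbind or the DC is unavailable, so here is an added example (not from the original page) that lints a RedHat-style system-auth for it: a sufficient pam_unix.so before pam_winbind.so in auth, use_first_pass on the winbind auth line, pam_deny.so closing the auth stack, and pam_winbind.so present in all four groups. The default path /etc/pam.d/system-auth is an assumption; the demo runs on a constructed, deliberately wrong file.

```shell
# Added example, not from the original page. Returns 0 when clean, 1 otherwise,
# printing one line per finding.
check_system_auth() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        { type = $1; ctl = $2; mod = $3; sub(/.*\//, "", mod) }   # drop /lib/security/$ISA/
        type == "auth" {
            last = mod
            if (mod == "pam_unix.so" && ctl == "sufficient" && !winb) unix_first = 1
            if (mod == "pam_winbind.so") { winb = 1; if ($0 !~ /use_first_pass/) nofp = 1 }
        }
        mod == "pam_winbind.so" { seen[type] = 1 }
        END {
            bad = 0
            if (!winb)            { print "auth: pam_winbind.so missing"; bad = 1 }
            else if (!unix_first) { print "auth: no sufficient pam_unix.so before pam_winbind.so (local root login at risk)"; bad = 1 }
            if (nofp)             { print "auth: pam_winbind.so lacks use_first_pass"; bad = 1 }
            if (last != "pam_deny.so") { print "auth: stack does not end in pam_deny.so"; bad = 1 }
            n = split("auth account password session", g, " ")
            for (i = 1; i <= n; i++) if (!seen[g[i]]) { print g[i] ": pam_winbind.so missing"; bad = 1 }
            exit bad
        }' "${1:-/etc/pam.d/system-auth}"
}

# Demo on a constructed system-auth that puts winbind before pam_unix, forgets
# use_first_pass and leaves winbind out of password/session (temp file only).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
session     required      /lib/security/$ISA/pam_unix.so
EOF
    rc=0; check_system_auth "$f" || rc=$?
    rm -f "$f"
    return $rc
}
```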
```ini
[Pictures]
 comment = Directory for storing pictures
 path = /usr/local/pictures
 valid users = @WINDOWS.DOMAIN.COM+group WINDOWS.DOMAIN.COM+user
 writable = yes
 browseable = yes
```

`@WINDOWS.DOMAIN.COM+group` gives any member of the group 'group' on WINDOWS.DOMAIN.COM access to this share.

`WINDOWS.DOMAIN.COM+user` gives the single user 'user' of WINDOWS.DOMAIN.COM access to this share.
The Samba configuration (tested on 3.0.24) should contain these values:

```ini
[global]
 passdb backend = tdbsam
 idmap backend = ad
 idmap uid = 100-20000000
 idmap gid = 100-20000000
 winbind nss info = rfc2307
```
Restart the services smb, nmb and winbind:

```
# service smb restart
# service nmb restart
# service winbind restart
```
AD users and groups may be designated as file and directory owners, and whitespace may be used in group names, but it must be escaped with a backslash. chown, chgrp, setfacl and getfacl all function with Active Directory users and groups.