Howto: Samba 3 Authenticating to Windows 2003 Active Directory
A quick and dirty howto for CentOS 4.
- Make sure the system is completely updated.
yum update
- Make sure the Kerberos packages are installed.
krb5-server krb5-workstation
- Edit /etc/krb5.conf to work with the 2003 AD server. It should look similar to below. The lines in bold are what need to be changed, and entries are CASE sensitive!
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ADS.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 ADS.LOCAL = {
  kdc = ads.local
  admin_server = 192.168.0.1:749
  default_domain = ads.local
 }

[domain_realm]
 .ads.local = ADS.LOCAL
 ads.local = ADS.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
- Configure Samba. The basic config should look like below. Bold items are important.
[global]
dns proxy = no
log file = /var/log/samba/%m.log
load printers = no
netbios name = Samba
server string = Samba Server
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
workgroup = ADS
realm = ADS.LOCAL
os level = 20
encrypt passwords = yes
security = ADS
preferred master = no
max log size = 50
# Set to yes if you will not serve printers from this server
disable spoolss = yes
template shell = /bin/false
template homedir = /home/%D/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
enhanced browsing = no
winbind use default domain = yes
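A pre-join sanity check for the two files above, added here as an example and not part of the original howto: it confirms that default_realm is upper case, that the smb.conf realm matches it exactly, that security is ADS, and it warns if workgroup is not the realm's first DNS label. The only inputs are the paths of the two config files; nothing else is assumed.

```shell
#!/bin/sh
# Added example, not part of the original howto: sanity-check krb5.conf and
# smb.conf before "net ads join". Kerberos realm names are case sensitive, and
# a lower-case realm or a mismatch between the two files is a common cause of
# a failed join. Paths are passed in, so it can be run against copies.

# conf_value FILE SECTION KEY: print KEY's value from [SECTION] (ini-style,
# as both krb5.conf and smb.conf are); prints nothing if not found.
conf_value() {
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s)
                      in_sect = (tolower(s) == tolower(sect)); next }
        in_sect && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# check_ad_config KRB5_CONF SMB_CONF: print each problem found and return 0
# only when the two files agree on the realm and smb.conf is in ADS mode.
check_ad_config() {
    krb_realm=$(conf_value "$1" libdefaults default_realm)
    smb_realm=$(conf_value "$2" global realm)
    workgroup=$(conf_value "$2" global workgroup)
    security=$(conf_value "$2" global security)
    rc=0
    # Realm names are case sensitive; an AD realm is the upper-case DNS domain.
    [ -n "$krb_realm" ] && [ "$krb_realm" = "$(upper "$krb_realm")" ] \
        || { echo "krb5.conf default_realm '$krb_realm' missing or not upper case"; rc=1; }
    # smb.conf realm must be identical (including case) to default_realm.
    [ "$smb_realm" = "$krb_realm" ] \
        || { echo "smb.conf realm '$smb_realm' != krb5.conf default_realm '$krb_realm'"; rc=1; }
    # security = ADS is what makes Samba authenticate to AD via Kerberos.
    [ "$(upper "$security")" = "ADS" ] \
        || { echo "smb.conf security = '$security' (expected ADS)"; rc=1; }
    # The NetBIOS workgroup is normally the realm's first DNS label (ADS for
    # ADS.LOCAL); a different value is legal, so this is only a warning.
    [ "$(upper "$workgroup")" = "${krb_realm%%.*}" ] \
        || echo "warning: workgroup '$workgroup' is not the first label of '$krb_realm'"
    return $rc
}

# Usage: sh check_ad.sh /etc/krb5.conf /etc/samba/smb.conf
if [ $# -ge 2 ]; then check_ad_config "$1" "$2"; fi
```

Run it before the net ads join step; a non-zero exit status means one of the listed problems was found.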
- Run testparm to make sure you do not have any typos or errors.
- Edit /etc/nsswitch.conf so that the system will use winbind for authentication.
passwd: files winbind
group: files winbind
- Start Samba and join it to the domain.
service smb restart
net ads join -U Administrator@ADS.LOCAL
- Start Winbind and restart Samba.
service smb restart
service winbind start
- Run wbinfo -u to see if user accounts on the 2003 Server are seen.
- To see some info about the connected domain, issue
net ads info
- Edit /etc/fstab and add the option acl to the file system that will hold any directories shared by Samba. For example:
/dev/md2 / ext3 defaults,acl 1 1
- Reboot the server or issue a remount command similar to
mount -n -o remount,defaults,acl /
- Make sure Samba and Winbind are set to start at system boot.
chkconfig smb on
chkconfig winbind on
- Let’s set up an example share for use by Administrator. smb.conf should contain something like:
[Backups]
comment = Backups
wide links = no
writeable = yes
create mode = 644
path = /home/BACKUPS
- Let’s set permissions on /home/BACKUPS so that Administrator has rwx permissions.
setfacl -m u:"ADS\\Administrator":rwx /home/BACKUPS
- Check the permissions.
getfacl /home/BACKUPS
You should see something like the following:
getfacl /home/BACKUPS
getfacl: Removing leading '/' from absolute path names
# file: home/BACKUPS
# owner: foo
# group: foo
user::rwx
user:administrator:rwx
group::rwx
mask::rwx
other::rwx
- In the event of DNS failure, you may want to edit /etc/hosts and add a line for the 2003 Server so the Samba server always knows the IP of the 2003 server.
- Because these two servers depend highly on time synchronization (Kerberos rejects tickets when the clocks drift more than a few minutes apart), ntpd must be set up to sync to the AD server. Do this by editing /etc/ntp.conf and /etc/ntp/step-tickers. Examples are as follows:
Enter your AD server’s FQDN after the first server entry in ntp.conf
### Begin /etc/ntp.conf ###
restrict default nomodify notrap noquery
restrict 127.0.0.1
server 2003server.ads.local
server 1.pool.ntp.org
server 2.pool.ntp.org
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
keys /etc/ntp/keys
### END /etc/ntp.conf

List the three servers in /etc/ntp/step-tickers that are in /etc/ntp.conf.
### BEGIN /etc/ntp/step-tickers
2003server.ads.local
1.pool.ntp.org
2.pool.ntp.org
This will enable the Samba server to sync its time to the AD server.