Samba Authenticate with Domain Controller

February 11th, 2010

I had to knock on everybody's door (site) to get this done. Everybody helped me to the extent they could. Special thanks to GOOGLE. The goal is this:

Allow users of a MICROSOFT “DOMAIN” to access a SAMBA share using that DOMAIN's Active Directory usernames and passwords.

First we have to make the Linux system a member of the domain. Only then is authentication against the domain possible. My googled material covers both

  • adding the Linux system to the domain controller, and

  • authenticating users that exist in the domain controller.

I will tell what I have done.

We have an IBM X226 system with Debian installed. The output of uname is:

# uname -a

Linux XXXXXXXXXX 2.6.18-6-686 #1 SMP Thu Nov 5 16:28:13 UTC 2009 i686 GNU/Linux

Our ADC was an HP DL 380 running Windows 2003. Our admin user is manageserver.

Install samba, samba-common, samba-common-bin, samba-tools, swat, smbldap-tools, winbind, krb5-config, krb5-user, libkrb53 and nsswitch through the package manager or apt-get.

~# dpkg --get-selections | grep "samba"

samba                    install
samba-common             install
samba-doc                install

~# dpkg --get-selections | grep "winbind"

winbind                  install

~# dpkg --get-selections | grep "krb5"

krb5-config              install
krb5-user                install
libkrb53                 install

First you should verify that your Samba installation has been compiled to support Kerberos, LDAP, Active Directory, and Winbind. Most likely it has, but you need to make sure. The smbd command has a switch for printing build information. You will see a lot more lines of output than are shown here:

# cd /usr/sbin
# smbd -b | grep LDAP

HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST

# smbd -b | grep KRB

HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5

# smbd -b | grep ADS

WITH_ADS
WITH_ADS

# smbd -b | grep WINBIND

WITH_WINBIND
WITH_WINBIND

Once we had this, these are the rough steps we took:

  • shut down smb

  • remove /var/cache/samba/* – get rid of prior misconfigured files

  • remove /etc/samba/secrets.tdb

  • remove the host from the domain controller (this is done on the ADC/Windows system, and only needed if you had misconfigured it earlier)

  • configure /etc/krb5.conf (though this is supposed to be unnecessary with Kerberos 1.3.1)

Below is our krb5.conf:

[libdefaults]
default_realm = PR.IN

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.

#        default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#        default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#        permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5


# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        PR.IN = {
                kdc = xxxxxxdc01.pr.in
                # System IP where the ADC is installed (krb5.conf only treats
                # lines starting with # as comments, so keep the note on its own line)
                admin_server = 10.10.X.XXX
        }

        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CSAIL.MIT.EDU = {
                kdc = kerberos-1.csail.mit.edu
                kdc = kerberos-2.csail.mit.edu
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
                krb524_server = krb524.csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }
        ANDREW.CMU.EDU = {
                kdc = vice28.fs.andrew.cmu.edu
                kdc = vice2.fs.andrew.cmu.edu
                kdc = vice11.fs.andrew.cmu.edu
                kdc = vice12.fs.andrew.cmu.edu
                admin_server = vice28.fs.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementia.org
                kdc = kerberos2.dementia.org
                admin_server = kerberos.dementia.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        kerberos.server = PR.IN

[login]
        krb4_convert = true
        krb4_get_tickets = false

Use uppercase where it shows. Now try to connect, and mind your cases:

# kinit manageserver@PR.IN
Password for manageserver@PR.IN:

Configure /etc/hosts

Even if your DNS servers are perfect in every way, it is a good idea to add important servers to your local /etc/hosts file. It speeds up lookups and provides a fallback in case the DNS servers go down:

10.10.X.XXX server.PR.IN server

Debian users may need to install the winbind package separately. RPM users will find it in the samba-common RPM. First, edit /etc/nsswitch.conf. The first three lines are the most important; the others vary according to your system:

####################################################
passwd:        files winbind
shadow:        files winbind
group:        files winbind
hosts:        files dns wins
bootparams:        nisplus [NOTFOUND=return] files
ethers:        files
netmasks:        files
networks:        files
protocols:        files
rpc:        files
services:        files
netgroup:        files
publickey:        nisplus
automount:        files
aliases:        files nisplus
####################################################

Configure /etc/samba/smb.conf

Below is our smb.conf:

[global]

        workgroup = PR
        realm = PR.IN
        server string = %h proxy server
        security = ADS
        auth methods = winbind
        obey pam restrictions = Yes
        # The system IP where the ADC is installed (smb.conf only treats lines
        # starting with # or ; as comments, so the note must not follow the value)
        password server = 10.10.X.XXX
        log file = /var/log/samba/%m.log
        max log size = 0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
        printcap name = cups
        wins server = 10.10.X.XXX
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        printing = cups
        print command =
        lpq command = %p
        lprm command =

[homes]


        comment = Home Directories
        path = /home/tellmatic/img/hemant
        valid users = %S
        read only = No

[printers]

        comment = All Printers
        path = /tmp
        create mask = 0700
        printable = Yes
        browseable = No

[HEMANT]


        comment = "SOMESERVER's Files"
        path = /home/tellmatic/img/hemant
        username = PR+philip,PR+pipal,PR+admsanjain
        valid users = PR+philip,PR+pipal,PR+admsanjain
        admin users = PR+manageserv,PR+pipal,PR+philip,PR+admsanjain
        read list = PR+philip,PR+pipal,PR+admsanjain
        write list = PR+philip,PR+pipal,PR+admsanjain
        read only = No
        acl check permissions = No
        create mask = 0777
        force create mode = 0777
        force security mode = 0777
        directory mask = 0777
        force directory mode = 0777
        force directory security mode = 0777
        inherit permissions = Yes
        inherit acls = Yes
        inherit owner = Yes
        delete veto files = Yes
        veto files = /*.exe/*.mp3/*.msi/*.mpeg/*.mov/*.scr/*.dat/*.wav/*.3gp/*.jpg/*.jpeg/*.mp4/*.inf
        vfs objects = audit


Save your changes and run

        $ testparm

This checks smb.conf for syntax errors. Any errors must be corrected before going ahead.
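testparm only checks syntax. It will not object to a note written after a value (Samba treats only lines that begin with # or ; as comments, so a trailing "#..." silently becomes part of the value), nor to 0777 masks that make every file created on a share world-writable, nor to ACL checks being switched off. As an added example that is not code from the original post, the Python below lints a constructed, cut-down copy of this smb.conf for exactly those three issues.

```python
"""Lint an smb.conf for settings that weaken a share.  Added example, not
code from the original post.  Samba only treats a line whose FIRST
non-blank character is '#' or ';' as a comment, so a trailing '#...' after a
value is silently read as part of that value."""
import configparser

# Constructed sample: a cut-down copy of the post's smb.conf, keeping the
# inline note on 'password server' and the 0777 masks on the share.
SAMPLE_SMB_CONF = """
[global]
        workgroup = PR
        realm = PR.IN
        security = ADS
        password server = 10.10.X.XXX#The System IP where the ADC is installed
        log file = /var/log/samba/%m.log
        idmap uid = 10000-20000

[HEMANT]
        path = /home/tellmatic/img/hemant
        valid users = PR+philip,PR+pipal
        acl check permissions = No
        create mask = 0777
        force create mode = 0777
        directory mask = 0777
        force directory mode = 0777
"""

# Options holding an octal permission mask.  The 'force ...' ones are OR'ed
# onto every file or directory a client creates, so 0777 there is decisive.
MODE_OPTIONS = ("create mask", "force create mode", "force security mode",
                "directory mask", "force directory mode",
                "force directory security mode")


def lint_smb_conf(text):
    """Return (section, option, message) findings, in file order."""
    # Strip indentation: smb.conf ignores it, but configparser would read an
    # indented line as a continuation of the previous value.  '%' macros such
    # as %m must not be interpolated.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(flat)
    findings = []
    for section in cp.sections():
        for opt, value in cp.items(section):
            if "#" in value:
                findings.append((section, opt, "inline '#' is part of the value"))
            if opt in MODE_OPTIONS and value.isdigit() and int(value, 8) & 0o002:
                findings.append((section, opt, "world-writable mode %s" % value))
            if opt == "acl check permissions" and value.lower() in ("no", "false", "0"):
                findings.append((section, opt, "ACL checks disabled"))
    return findings
```

Run it over the real file with `lint_smb_conf(open("/etc/samba/smb.conf").read())`; an empty list means none of the three issues is present.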

  • add a ‘sambausers’ group on the Samba host:
            # addgroup sambausers

  • add a ‘SambaUsers’ group in ADS

  • edit /etc/samba/smbusers to include the line ‘root = administrator’. Copy of my /etc/samba/smbusers:
                    # Unix_name = SMB_name1 SMB_name2 …
                    root = manageserv administrator admin
                    nobody = guest pcguest smbguest

  • add the root user to smbpasswd. The password should be the same as that of the administrator (here manageserver) in your ADC:
            # smbpasswd -a root
            Copy of my /etc/samba/smbpasswd:
                    root:0:0841252C195B9667B9DA8FD4309DF78D:26F8207DF2C0F0C292A6D66FAA9E23BF:[U ]:LCT-4B591BAB:

  • join the Linux system to the ADS domain with net ads join -U administrator:
                    # net ads join -U manageserver

  • after you add the system to ADS, verify it worked with wbinfo -u and wbinfo -g. These list all users and groups available in the ADS.

  • map some NT/Unix groups:
            net groupmap modify ntgroup="Domain Users" unixgroup=users
            net groupmap add ntgroup="domain users" unixgroup=users
            net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
            net groupmap modify ntgroup="Domain Admins" unixgroup=root
            net groupmap add ntgroup="SambaUsers" unixgroup=sambausers

  • verify the changes: net groupmap list

  • restart winbind and samba (may not be necessary)

If the steps given above do not work for you, restart the system and check again. The problem might be that the changes to nsswitch.conf have not taken effect yet.
