I had to knock on everybody's door (site) to get this done. Everybody helped me to their extent. Special thanks to Google. The goal is this:
Allow users of a MICROSOFT DOMAIN to access a SAMBA share using that DOMAIN's Active Directory usernames and passwords.
First we have to make the Linux system a member of the domain (joined through the domain controller). Only then will authentication be possible. My googled stuff contains both adding
I will tell what I have done.
We have an IBM x226 system with Debian installed. The output of uname is
#uname -a
Linux XXXXXXXXXX 2.6.18-6-686 #1 SMP Thu Nov 5 16:28:13 UTC 2009 i686 GNU/Linux
Our ADC was on an HP DL380 running Windows 2003. Our admin user is manageserver.
Install samba, samba-common, samba-common-bin, samba-tools, swat, smbldap-tools, winbind, krb5-config, krb5-user, libkrb53 and nsswitch through the package manager or apt-get.
~# dpkg --get-selections | grep "samba"
samba           install
samba-common    install
samba-doc       install
~# dpkg --get-selections | grep "winbind"
winbind         install
~# dpkg --get-selections | grep "krb5"
krb5-config     install
krb5-user       install
libkrb53        install
First you should verify that your Samba installation has been compiled to support Kerberos, LDAP, Active Directory, and Winbind. Most likely it has, but you need to make sure. The smbd command has a switch for printing build information. You will see a lot more lines of output than are shown here:
# cd /usr/sbin
# smbd -b | grep LDAP
   HAVE_LDAP_H
   HAVE_LDAP
   HAVE_LDAP_DOMAIN2HOSTLIST
   …
# smbd -b | grep KRB
   HAVE_KRB5_H
   HAVE_ADDRTYPE_IN_KRB5_ADDRESS
   HAVE_KRB5
# smbd -b | grep ADS
   WITH_ADS
   WITH_ADS
# smbd -b | grep WINBIND
   WITH_WINBIND
   WITH_WINBIND
Once we had this, these are the rough steps we took:
- shut down smbd
- remove /var/cache/samba/* (get rid of prior misconfigured files)
- remove /etc/samba/secrets.tdb
- remove the host from the domain controller (this is done on the ADC/Windows system, and only needed if a previous join was misconfigured)
- configure /etc/krb5.conf (though this is supposed to be unnecessary with Kerberos 1.3.1)
Below is our krb5.conf. The realm entries other than PR.IN are the defaults shipped with the Debian krb5 packages and were left in place. Note that krb5.conf does not support inline comments after a value, so the note about the ADC IP is on its own line:
[libdefaults]
    default_realm = PR.IN

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
#   default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#   default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#   permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    PR.IN = {
        kdc = xxxxxxdc01.pr.in
        # System IP where the ADC is installed
        admin_server = 10.10.X.XXX
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    MEDIA-LAB.MIT.EDU = {
        kdc = kerberos.media.mit.edu
        admin_server = kerberos.media.mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    MOOF.MIT.EDU = {
        kdc = three-headed-dogcow.mit.edu:88
        kdc = three-headed-dogcow-1.mit.edu:88
        admin_server = three-headed-dogcow.mit.edu
    }
    CSAIL.MIT.EDU = {
        kdc = kerberos-1.csail.mit.edu
        kdc = kerberos-2.csail.mit.edu
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
        krb524_server = krb524.csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    GNU.ORG = {
        kdc = kerberos.gnu.org
        kdc = kerberos-2.gnu.org
        kdc = kerberos-3.gnu.org
        admin_server = kerberos.gnu.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    GRATUITOUS.ORG = {
        kdc = kerberos.gratuitous.org
        admin_server = kerberos.gratuitous.org
    }
    DOOMCOM.ORG = {
        kdc = kerberos.doomcom.org
        admin_server = kerberos.doomcom.org
    }
    ANDREW.CMU.EDU = {
        kdc = vice28.fs.andrew.cmu.edu
        kdc = vice2.fs.andrew.cmu.edu
        kdc = vice11.fs.andrew.cmu.edu
        kdc = vice12.fs.andrew.cmu.edu
        admin_server = vice28.fs.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementia.org
        kdc = kerberos2.dementia.org
        admin_server = kerberos.dementia.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    kerberos.server = PR.IN

[login]
    krb4_convert = true
    krb4_get_tickets = false
Use uppercase where it shows. Now try to connect, and mind your cases:
# kinit manageserver@PR.IN
Password for manageserver@PR.IN
Configure /etc/hosts
Even if your DNS servers are perfect in every way, it is a good idea to add important servers to your local /etc/hosts file. It speeds up lookups and provides a fallback in case the DNS servers go down:
10.10.X.XXX server.PR.IN server
Debian users may need to install the winbind package separately. RPM users will find it in the samba-common RPM. First, edit /etc/nsswitch.conf. The first three lines are the most important; the others vary according to your system:
passwd:         files winbind
shadow:         files winbind
group:          files winbind
hosts:          files dns wins
bootparams:     nisplus [NOTFOUND=return] files
ethers:         files
netmasks:       files
networks:       files
protocols:      files
rpc:            files
services:       files
netgroup:       files
publickey:      nisplus
automount:      files
aliases:        files nisplus
configure /etc/samba/smb.conf
Below is our smb.conf. As with krb5.conf, smb.conf only treats # or ; at the start of a line as a comment, so the note about the ADC IP is on its own line rather than appended to the password server value:
[global]
    workgroup = PR
    realm = PR.IN
    server string = %h proxy server
    security = ADS
    auth methods = winbind
    obey pam restrictions = Yes
    # The system IP where the ADC is installed
    password server = 10.10.X.XXX
    log file = /var/log/samba/%m.log
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
    printcap name = cups
    wins server = 10.10.X.XXX
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    printing = cups
    print command =
    lpq command = %p
    lprm command =

[homes]
    comment = Home Directories
    path = /home/tellmatic/img/hemant
    valid users = %S
    read only = No

[printers]
    comment = All Printers
    path = /tmp
    create mask = 0700
    printable = Yes
    browseable = No

[HEMANT]
    comment = SOMESERVERs Files
    path = /home/tellmatic/img/hemant
    username = PR+philip,PR+pipal,PR+admsanjain
    valid users = PR+philip,PR+pipal,PR+admsanjain
    admin users = PR+manageserv,PR+pipal,PR+philip,PR+admsanjain
    read list = PR+philip,PR+pipal,PR+admsanjain
    write list = PR+philip,PR+pipal,PR+admsanjain
    read only = No
    acl check permissions = No
    create mask = 0777
    force create mode = 0777
    force security mode = 0777
    directory mask = 0777
    force directory mode = 0777
    force directory security mode = 0777
    inherit permissions = Yes
    inherit acls = Yes
    inherit owner = Yes
    delete veto files = Yes
    veto files = /*.exe/*.mp3/*.msi/*.mpeg/*.mov/*.scr/*.dat/*.wav/*.3gp/*.jpg/*.jpeg/*.mp4/*.inf
    vfs objects = audit
Save your changes and run
$ testparm
This checks smb.conf for syntax errors. Any errors must be corrected before going ahead.
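testparm only catches syntax errors, not settings that weaken access control. The script below is an added example (not from the original post or from Samba) that parses an smb.conf and flags risky share settings: the 0777 masks, acl check permissions = No and the non-empty admin users list in the [HEMANT] share above. SAMPLE_SMB_CONF is a constructed excerpt modelled on that share.

```python
"""Audit an smb.conf for share settings that weaken access control (added example)."""
import configparser
import io

# Constructed excerpt modelled on the [HEMANT] share in this post, not the full file.
SAMPLE_SMB_CONF = """[global]
    security = ADS
[HEMANT]
    path = /home/tellmatic/img/hemant
    valid users = PR+philip,PR+pipal,PR+admsanjain
    admin users = PR+manageserv,PR+pipal,PR+philip,PR+admsanjain
    read only = No
    acl check permissions = No
    create mask = 0777
    force create mode = 0777
    directory mask = 0777
"""

# acl check permissions = No bypasses ACL checks, guest ok allows anonymous access,
# and every name in admin users acts as root on the share.
RISKY = {
    "acl check permissions": lambda v: v.lower() in ("no", "false", "0"),
    "guest ok": lambda v: v.lower() in ("yes", "true", "1"),
    "admin users": lambda v: v.strip() != "",
}
# Octal mode settings; the world-write bit makes new files writable by everyone.
MODE_KEYS = ("create mask", "force create mode", "force security mode",
             "directory mask", "force directory mode", "force directory security mode")

def audit_shares(text):
    """Return {share_name: [findings]} for every non-global section with a risky setting."""
    # configparser handles smb.conf as long as '%' macros (%m, %S) are not interpolated.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = lambda key: key.strip().lower()  # smb.conf keys are case-insensitive
    cp.read_file(io.StringIO(text))
    report = {}
    for share in cp.sections():
        if share == "global":
            continue
        findings = []
        for key, is_risky in RISKY.items():
            if cp.has_option(share, key) and is_risky(cp.get(share, key)):
                findings.append(f"{key} = {cp.get(share, key)}")
        for key in MODE_KEYS:
            if cp.has_option(share, key) and int(cp.get(share, key), 8) & 0o002:
                findings.append(f"{key} = {cp.get(share, key)} (world-writable)")
        if findings:
            report[share] = findings
    return report
```

Run it against the real file with audit_shares(open("/etc/samba/smb.conf").read()) and review each finding before exposing the share to domain users.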
- Join the Linux system to the ADS domain with net ads join -U administrator (use your domain admin account); in our case:
#net ads join -U manageserver
- After you add the system to ADS, verify it worked: wbinfo -u ; wbinfo -g
This will list all users and groups available in the ADS.
- Map some NT/Unix groups:
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap add ntgroup="domain users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap add ntgroup="SambaUsers" unixgroup=sambausers
- Verify the changes: net groupmap list
- Restart winbind and samba (may not be necessary)
If the steps above do not work for you, restart the system and check again. The problem might be that the changes to nsswitch.conf have not taken effect yet.