Blame: ActiveDirectorySamba

Annotated edit history of ActiveDirectorySamba version 45, including all changes.
This simple guide describes a mostly accurate way to set up a [Samba] machine as a domain member in a MicrosoftWindows 2000 or Windows 2003 ActiveDirectory domain. For a REALLY short version, tested with Windows 2003, see the Quick 'n' Dirty instructions at the bottom of the page.

!!Samba as an Active Directory Domain Member

The following setup is used:

192.168.0.1 | test1.thinclient.test.org | the AD server (domain controller), hereafter known as "the server"
192.168.0.209 | mail.thinclient.test.org | the Samba 3 "client" machine (the domain member)

The Samba system is a stock standard RedHat 9 system with the samba packages upgraded to Samba 3 (using RPM).

The following steps are needed to get the system functioning:

# install and check the necessary packages
# configure name resolution using either DNS or a hosts file
# configure Samba and winbindd
# configure Kerberos
# test Samba and winbindd
# good luck

!! Install and check necessary packages

The following packages are required to successfully run all the commands detailed in this guide:

Samba:
# redhat-config-samba (or system-config-samba)
# samba-common
# samba-client
# samba

Kerberos:
# pam_krb5
# krb5-workstation
# krb5-libs
# krbafs

You can check whether these packages are installed by running:
<pre>
rpm -q package-name
</pre>

!! Configure name resolution

Active Directory relies HEAVILY on DNS to resolve not only host names but also the services the domain provides (the SRV records that clients use to find the KDC and the LDAP server). To set up DNS on the Linux box, see the DNSHowTo; otherwise consult the Windows documentation on setting up forward AND reverse DNS zones.

The first step is to configure name resolution for our systems. The Kerberos authentication system, which we will configure later on, requires us to be able to do a reverse lookup on an IP address to get a fully qualified domain name (FQDN), and that name must agree with the forward lookup, because the host principal (host/mail.thinclient.test.org@THINCLIENT.TEST.ORG) is built from it.

There are two ways to do this. The cheap and nasty method is to use a hosts file on both systems. Hosts-file name resolution, which is shown here, is ugly and hacky and should be avoided at all costs. If you want to do it anyway, you need entries similar to the following (the FQDN must come first on each line, as it is the name a reverse lookup returns).

!Samba machine

<pre>
__/etc/hosts__

127.0.0.1 localhost localhost.localdomain
192.168.0.1 test1.thinclient.test.org test1
192.168.0.209 mail.thinclient.test.org mail
</pre>

!Windows Active Directory server (see footnote 1)

<pre>
__%Systemroot%\System32\drivers\etc\hosts__

127.0.0.1 localhost localhost.localdomain
192.168.0.1 test1.thinclient.test.org test1
192.168.0.209 mail.thinclient.test.org mail
</pre>

The correct method is to set up DNS on the server, which can be done through the DNS console in the Administrative Tools section of Windows 2000/2003 Server. (You shouldn't be running an Active Directory without a well set up DNS; if you don't know how to do it, go away and learn RIGHT NOW.) We won't go into the details of setting this up here, but we will cover the Linux side.

A good way to set this up is to have a Linux-based BIND server doing name resolution for your site 'mydomain.tld', just as you normally would; then configure BIND to delegate the special Active Directory sub-domains (_msdcs, _sites, _tcp, _udp, ~DomainDnsZones and ~ForestDnsZones under mydomain.tld) to the Windows Server 2003 box. Then configure the Windows Server 2003 DNS to forward to the Linux BIND box for everything except the AD sub-domains for which it is authoritative. All machines can then use the Linux box for DNS. This way, name resolution of normal names stays on good ole reliable Linux where it belongs, the Windows Active Directory crud goes on Windows where it belongs, and everything's happy. If the Windows Server is down, the AD stuff stops working (there's no avoiding that if the domain controller is offline); however, normal (non-AD) name resolution is unaffected. Thanks to Matthew Sanderson for the tip.

Whichever way you go, the Samba box must point at a name server that knows the AD zones; in the simple setup used here that is the domain controller itself. Note that domain and search are mutually exclusive in resolv.conf (the last one listed wins), so only search is given.

<pre>
__/etc/resolv.conf__

search thinclient.test.org
nameserver 192.168.0.1
</pre>
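As an added check that is not part of the original guide: the script below verifies the name -> address -> name round trip that Kerberos depends on, for the hosts in the setup above. It looks names up through getent, so whatever /etc/nsswitch.conf uses (the hosts file or DNS) is what gets tested, which is also what the Kerberos libraries on the Samba box will see. The two lookup wrappers exist so the logic can be exercised against constructed answers; the host names are the ones from the example setup and only resolve inside a network like it.

```sh
#!/bin/sh
# Added example (not from the original guide): check the name -> address ->
# name round trip that Kerberos relies on. Lookups go through getent, so the
# result reflects whatever /etc/nsswitch.conf uses (hosts file or DNS), which
# is exactly what the Kerberos libraries on the Samba box will see. The two
# wrappers can be redefined to feed constructed answers into the check.

# forward_lookup NAME -> first IPv4 address for NAME, empty if none
forward_lookup() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# reverse_lookup ADDR -> canonical name for ADDR, empty if none
reverse_lookup() {
    getent hosts "$1" 2>/dev/null | awk 'NR == 1 { print $2 }'
}

# check_dns_roundtrip FQDN
# Exit 0 when FQDN -> address -> FQDN round-trips, 1 with a reason otherwise.
check_dns_roundtrip() {
    local fqdn="$1" addr back
    case "$fqdn" in
        *.*) ;;
        *)   echo "FAIL: '$fqdn' is not a fully qualified name"; return 1 ;;
    esac
    addr=$(forward_lookup "$fqdn")
    if [ -z "$addr" ]; then
        echo "FAIL: no forward (A) record for $fqdn"; return 1
    fi
    back=$(reverse_lookup "$addr")
    if [ -z "$back" ]; then
        echo "FAIL: $fqdn -> $addr, but no reverse (PTR) record for $addr"; return 1
    fi
    # DNS names are case-insensitive, so compare them folded to lower case;
    # the realm part of the principal is what must be upper case, not the host.
    if [ "$(printf %s "$back" | tr 'A-Z' 'a-z')" != "$(printf %s "$fqdn" | tr 'A-Z' 'a-z')" ]; then
        echo "FAIL: $fqdn -> $addr -> $back (PTR does not point back at $fqdn)"; return 1
    fi
    echo "OK: $fqdn -> $addr -> $back"
    return 0
}

# Check the two hosts from the example setup (they only resolve in that lab).
for h in mail.thinclient.test.org test1.thinclient.test.org; do
    check_dns_roundtrip "$h"
done
```

Run it on the Samba box before touching Kerberos; a FAIL for the Samba host itself means the host principal cannot be matched and the later steps will produce confusing errors.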


!!Configure Samba3 and Winbindd

This part is the easy one: we just create ourselves a default Samba configuration with at least the following entries. (Note this is a minimal configuration file, and you may wish to add more; a file share would be handy.)

<verbatim>
/etc/samba/smb.conf
[global]
# general options
workgroup = THINCLIENT
netbios name = MAIL

# winbindd configuration
# default winbind separator is \, which is good if you
# use mod_ntlm since that is the character it uses.
# users only need to know the one syntax
winbind separator = +

# idmap uid and idmap gid are aliases for
# winbind uid and winbind gid, respectively
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash

# Active directory joining
# "ads server" is only necessary if your kdc
# can't be located using /etc/krb5.conf -- JamesSpooner
#
# Note that more recent Samba versions have renamed "ads server"
# to "password server", so if /var/log/messages reports
# 'Unknown parameter encountered: "ads server"' on restart,
# change 'ads' to 'password' -- ChetHosey
#
# ads server = test1.thinclient.test.org
security = ads
# encrypt passwords = yes is now default in Samba3 -- Enigma
encrypt passwords = yes
realm = THINCLIENT.TEST.ORG
# this handles the "ads server = " directive as well -- Enigma
password server = test1.thinclient.test.org
</verbatim>

NB: The important things to pay attention to here are the name of our Samba machine (netbios name), the workgroup (the NetBIOS name of the domain, THINCLIENT) and the ActiveDirectory settings: security = ads, the realm (the Kerberos realm, i.e. the DNS domain name written in upper case, since Kerberos realm names are case-sensitive) and the password server. The idmap ranges must not overlap uids and gids already used by local accounts, because winbind hands them out to domain users and groups.

!! Configure Kerberos5

If your Kerberos setup is good, run =net ads join -U Administrator%password= and it will perform all the =ktpass= and =ktutil= stuff on the fly, as described in [the SAMBA howto|http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-create-machine-account]. Then you can skip to the winbind section below. Thanks to EnigMa for the tip. If you don't specify %password, it will prompt you on the command line, which also keeps the password out of the process list and your shell history (for the security minded). The account does not have to be Administrator; any account with the right to join computers to the domain will do.

Configuring a Kerberos setup is much easier in the long run than generating the key and importing it.

!Manual approach

We need to generate a key for our Samba machine on the Windows server and securely import it into our Samba machine. To create the keyfile we run the following on the Windows server:

<verbatim>
ktpass -princ host/mail.thinclient.test.org@THINCLIENT.TEST.ORG \
-mapuser MAIL -pass MAIL1234PASSWORD -out mail.keytab
</verbatim>

(The command is shown on two lines for readability; the Windows command prompt does not understand the \ continuation, so type it on one line.) The keytab holds the machine's long-term key, so treat mail.keytab like a password: anyone who can read it can impersonate the host.

This, and many other tools for managing Kerberos in Windows 2000, are located in the support tools, which are directly downloadable from [Microsoft|http://www.microsoft.com/downloads/details.aspx?familyid=f08d28f3-b835-4847-b810-bb6539362473&displaylang=en]. Thanks to Jan Gerle for the tip.

We then transfer mail.keytab securely to our Samba machine using SSH (scp) or another secure means. Then, on the Samba machine, we import the keyfile we just generated using the ktutil program, which is part of the Kerberos distribution. The ktutil commands are as follows:

<pre>
% __ktutil__
ktutil: __rkt mail.keytab__
ktutil: __list__
ktutil: __wkt /etc/krb5.keytab__
ktutil: __q__
</pre>

Make sure /etc/krb5.keytab is owned by root and readable only by root, and delete the transferred copy of mail.keytab once it has been imported. Afterwards =klist -k /etc/krb5.keytab= should list the host principal.

See ActiveDirectoryKerberos on setting up Kerberos to talk to ActiveDirectory.

! (Re)starting Samba and Winbindd

First we test our Samba configuration and our winbind settings, before we modify our Samba startup script. (Running =testparm= first is a cheap way to catch misspelt or unknown smb.conf parameters, such as the "ads server" one mentioned above.)

<verbatim>
/etc/rc.d/init.d/samba restart
/usr/sbin/winbindd
</verbatim>

For some of our paranoid friends, we can check to see if our winbindd is actually running using
<verbatim>
ps fax | grep winbindd
</verbatim>
Now for a real test, to see if we can get some information off our Active Directory domain controller.
<verbatim>
/usr/bin/wbinfo -u
</verbatim>
We should get a list of users in the format THINCLIENT+<username>:
<verbatim>
THINCLIENT+Administrator
THINCLIENT+Guest
..
</verbatim>
And we can do the same for our list of groups.

<verbatim>
/usr/bin/wbinfo -g

THINCLIENT+Domain Admins
THINCLIENT+Domain Users
THINCLIENT+Schema Admins
..
</verbatim>
(=wbinfo -t= checks the machine account's trust secret with the domain controller; if it fails, the join did not complete and nothing else will work reliably.)

We can now use the getent utility to get a unified list of both the local and the domain users and groups. It produces output in the same format as the /etc/passwd and /etc/group files respectively.

Add the following entries to /etc/nsswitch.conf:

<verbatim>
passwd: files winbind
group: files winbind
</verbatim>

If you are compiling Samba from source, then you need to copy the following files manually (the paths are for a 3.0.1 source tree):

<verbatim>
cp /usr/src/samba-3.0.1/source/nsswitch/pam_winbind.so /lib/security/
cp /usr/src/samba-3.0.1/source/nsswitch/libnss_winbind.so /lib/
cp /usr/src/samba-3.0.1/source/bin/pam_smbpass.so /lib/security/
</verbatim>

glibc looks for the NSS module under the name libnss_winbind.so.2, so also create a symlink of that name in /lib pointing at libnss_winbind.so and run ldconfig.

Then run the following commands to get the unified entries:

<verbatim>
/usr/bin/getent passwd
/usr/bin/getent group
</verbatim>

It is now a good idea to test that your Active Directory usernames are valid on the system. Try the following:
<verbatim>
chown "THINCLIENT+username" filename
</verbatim>
(where THINCLIENT is the Active Directory short name)

If 'wbinfo -u' and 'getent passwd' work fine but chown says this is an unknown user, you probably have NSCD running. You should disable NSCD and restart winbind. (See http://us4.samba.org/samba/docs/man/winbind.html#id2958310 for more.)

After this we can fix up our init.d startup scripts to automate the startup of winbindd, and not start NSCD.
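An added example (not from the original page) for the uid mapping winbind does: once getent passwd shows both local and domain accounts, run its output through the check below. Domain entries are recognised by the winbind separator (+ in this guide) and the range is the idmap uid range from smb.conf. A local account inside the range, or a domain account outside it, means two different principals can end up with the same uid and therefore the same file ownership. The passwd data in the block is constructed.

```sh
#!/bin/sh
# Added example (not part of the original page): find uid clashes between
# local accounts and the winbind idmap range. Winbind allocates uids for domain
# users from "idmap uid = LOW-HIGH"; a local account created inside that window,
# or a domain account mapped outside it (a stale idmap database, or a range that
# was changed later), means two different principals can own the same files.

# check_idmap_ranges PASSWD_FILE SEPARATOR LOW HIGH
# PASSWD_FILE is in /etc/passwd format, i.e. what "getent passwd" prints once
# nsswitch.conf lists winbind. Names containing SEPARATOR are taken to be
# domain accounts (this guide uses "winbind separator = +").
# Prints one WARN line per problem; exit status is the number of problems.
check_idmap_ranges() {
    awk -F: -v sep="$2" -v low="$3" -v high="$4" '
        {
            uid = $3 + 0
            if (index($1, sep) > 0) {
                if (uid < low || uid > high) {
                    print "WARN: domain account " $1 " has uid " uid " outside idmap range " low "-" high
                    n++
                }
            } else if (uid >= low && uid <= high) {
                print "WARN: local account " $1 " has uid " uid " inside idmap range " low "-" high
                n++
            }
        }
        END { exit (n > 255 ? 255 : n + 0) }' "$1"
}

# Constructed sample standing in for "getent passwd" on the mail box.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
craig:x:500:500:Craig:/home/craig:/bin/bash
backup:x:10005:10005:backup job:/var/backups:/sbin/nologin
THINCLIENT+Administrator:x:10000:10000:Administrator:/home/THINCLIENT/Administrator:/bin/bash
THINCLIENT+Guest:x:10001:10000:Guest:/home/THINCLIENT/Guest:/bin/bash
THINCLIENT+oldmap:x:30000:10000:stale mapping:/home/THINCLIENT/oldmap:/bin/bash
EOF
check_idmap_ranges "$sample" + 10000 20000
echo "problems: $?"
rm -f "$sample"
# On a live system: getent passwd > /tmp/pw && check_idmap_ranges /tmp/pw + 10000 20000
```

The two problems in the sample are the local "backup" account sitting inside the range and the domain account whose mapping falls outside it; both deserve a look before domain users start owning files on the box.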

! Configure PAM and Winbind

__Before we do anything at all here, we need to make a backup of our /etc/pam.d/* files, and have a Linux boot disk available if possible. If anything goes wrong here, you may not be able to log in to your system properly. (So don't reboot or log off to test: keep a root shell open and try the login on a second text console.)__

To allow our ActiveDirectory users to log in to our machine we have to modify /etc/pam.d/login.
We don't need to modify our /etc/pam.d/samba settings as it is already configured for winbind.

<verbatim>
/etc/pam.d/login

#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
</verbatim>
After we save this file, we should be able to log in to our Linux machine with the username THINCLIENT+Administrator and get ourselves a shell. The system may complain if the specified home directory does not exist (in this case /home/THINCLIENT/Administrator); either create it or add pam_mkhomedir.so to the session stack.

Be aware of what "sufficient" does: when pam_winbind.so succeeds (and no required module above it has failed), PAM returns success to login immediately and the lines below it in the same stack are not consulted. In the file above that means the pam_nologin.so check, and whatever system-auth contains, does not apply to domain users. If /etc/nologin should keep them out too, move the pam_nologin.so line above pam_winbind.so. pam_securetty.so stays first, so root remains limited to the consoles listed in /etc/securetty.
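Added example, not part of the original page: a small audit of PAM stack ordering, run here over a constructed copy of the /etc/pam.d/login file above. It reports any required policy module (pam_nologin.so, pam_securetty.so and the like) that sits below a sufficient module in the same stack, since such a line is bypassed for every user the sufficient module accepts; a fallback such as pam_unix.so after pam_winbind.so is only reported as INFO, because skipping it is intended. The same check applies to the /etc/pam.d/samba stack in the Quick 'n' Dirty section further down. The list of policy modules is the example's own assumption, not something PAM defines.

```sh
#!/bin/sh
# Added example (not from the original page): audit a PAM service file for
# policy modules that sit below a "sufficient" entry in the same stack.
# When a sufficient module succeeds (and no earlier required one failed) PAM
# returns to the application at once, so a required pam_nologin.so placed
# after pam_winbind.so is never consulted for domain users. Fallback modules
# such as pam_unix.so after pam_winbind.so are reported as INFO only, since
# skipping them is the intended behaviour. The sample stack is constructed
# here from the /etc/pam.d/login file in the guide.

# Policy ("gate") modules whose whole point is to run for every login.
# This list is an assumption of the example, not something PAM defines.
GATE_MODULES="pam_nologin.so pam_securetty.so pam_access.so pam_time.so pam_listfile.so pam_tally.so pam_shells.so pam_wheel.so"

is_gate_module() {
    case " $GATE_MODULES " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_pam_stack FILE
# Prints one line per observation; exit status = number of WARN lines (max 255).
audit_pam_stack() {
    local file="$1" warnings=0 sufficient_seen=""
    local type control module rest
    while read -r type control module rest; do
        # Skip blank lines, comments and the "#%PAM-1.0" header.
        case "$type" in ''|'#'*) continue ;; esac
        # Bracketed controls like [success=1 default=ignore] are not modelled.
        case "$control" in '['*)
            echo "NOTE: $type $control $module uses bracket syntax; not analysed"
            continue ;;
        esac
        case "$control" in
            sufficient)
                sufficient_seen="$sufficient_seen $type" ;;
            required|requisite)
                case " $sufficient_seen " in
                    *" $type "*)
                        if is_gate_module "$module"; then
                            echo "WARN: $type $control $module is below a sufficient module and is bypassed when that module succeeds"
                            warnings=$((warnings + 1))
                        else
                            echo "INFO: $type $control $module is skipped for users a sufficient module above it accepts"
                        fi ;;
                esac ;;
        esac
    done < "$file"
    if [ "$warnings" -gt 255 ]; then warnings=255; fi
    return "$warnings"
}

# Constructed copy of the /etc/pam.d/login stack from the guide.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
EOF
audit_pam_stack "$sample"
echo "warnings: $?"
rm -f "$sample"
```

On the guide's login file this reports one WARN (pam_nologin.so) and two INFO lines (the system-auth stacks); moving pam_nologin.so above pam_winbind.so makes the WARN go away.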

! SSH Support

Make the same additions that you made to /etc/pam.d/login in /etc/pam.d/sshd to support logins via SSH (sshd must have been built with PAM support for this to take effect).

! Have fun

Congratulations, it works. If you want to configure further items such as mail and other things, you may need to modify the appropriate PAM files; that isn't covered here.

! References

* Using Kerberos Clients section of the [Microsoft: Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability|http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp]
* [Authentication to ADS|http://mailman.mit.edu/pipermail/kerberos/2002-June/001189.html]
* The winbindd and Active Directory Domain Member sections of the [Samba v3 Documentation|http://au1.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html]

----
! Quick 'n' Dirty setup for Samba 3 and Windows 2003

These are the absolute bare minimum steps to get your Samba server integrated as a member server in an AD-controlled domain with Win2k3 as the DC.

1. ENSURE your Samba box has an A record and an associated PTR record in DNS.

2. On your DC, disable signing: run the Domain Controller Security Policy tool and edit Security Settings -> Local Policies -> Security Options -> "Microsoft network client: Digitally sign communications (always)", and set it to Disabled. Do the same in the Domain Security Policy tool. Note that you will need to reboot the server for this step to take effect, though it won't tell you to. Disable it on your Samba server as well with the following in smb.conf. Be aware that SMB signing is what protects the session against tampering and relaying, and that "client use spnego = no" stops Samba negotiating Kerberos with the DC, so only do this if the join really fails without it (see the note below).

<em>Note (PvtJoker):</em> In my experience that wasn't needed; [this tutorial|http://lilly.csoft.net/~vdebaere/handleiding/samba-activedirectory/index_en.html] concentrates on Windows 2003 and works without disabling these options.

<verbatim>
client signing = no
client use spnego = no
</verbatim>

3. On your Samba server, install Kerberos 5 and edit /etc/krb5.conf. It should contain:
<verbatim>
[libdefaults]
default_realm = YOUR.ADS.DOMAIN
dns_lookup_kdc = false
dns_lookup_realm = false

[domain_realm]
.your.domain.name = YOUR.ADS.DOMAIN
your.domain.name = YOUR.ADS.DOMAIN

[realms]
YOUR.ADS.DOMAIN = {
default_domain = your.domain.name
kdc = IP.OF.THE.DC
}
</verbatim>
(The realm name must be in upper case. With dns_lookup_kdc = false the KDC address is taken from this file rather than from the _kerberos SRV records, so it has to be updated if the DC moves; set it to true if your DNS is set up as described in the full guide above.)

4. Ensure smb.conf contains
<verbatim>
realm = YOUR.ADS.DOMAIN
workgroup = YOUR
security = ADS
</verbatim>

5. Get a ticket using Kerberos: =kinit administrator= (enter the administrator password when prompted). The =klist= command should then list a ticket. If kinit complains about clock skew, synchronise the Samba box's clock with the DC first; Kerberos tolerates only a few minutes of difference.

6. Join the domain using 'net ads join'. This uses the credentials in your Kerberos ticket.

7. Set up winbind: ensure the following is in smb.conf
<verbatim>
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
</verbatim>

8. Store your winbind credentials with =wbinfo --set-auth-user=DOMAIN\\administrator%password=. These are written to Samba's secrets.tdb and are used by winbindd for its lookups, so prefer an ordinary, unprivileged domain account over the administrator where you can.

NOTE: This step may fail with one or more of the following errors:
<verbatim>
could not obtain winbind separator!
could not obtain winbind domain name!
</verbatim>
Should you receive either or both errors, it is because winbind is not currently running. Continue with the remaining steps and return to this step after winbind has been started.

9. Modify /etc/pam.d/samba (on Debian woody) or the appropriate PAM file to add "sufficient" entries for auth and account using pam_winbind.so. These need to go BEFORE the pam_unix.so calls for samba. My /etc/pam.d/samba is as follows:

<verbatim>
auth sufficient pam_winbind.so
auth required pam_unix.so nullok
account sufficient pam_winbind.so
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so
</verbatim>

10. Modify /etc/nsswitch.conf with the following:
<verbatim>
passwd: winbind compat
group: winbind compat
shadow: winbind compat
</verbatim>
(The full guide above uses "files winbind" instead; either order works, but listing files first lets local accounts resolve without a round trip to winbind. winbind provides no shadow data, so the shadow line is harmless but not needed.)

11. Restart Samba and winbind.

12. All should work. :) Browse your server and see...
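Added example, not part of the original page or of Samba: an audit of the AD-related smb.conf settings, serving both the full [global] section earlier on this page and the bare-minimum settings of steps 2, 4 and 7 above. It reports a missing security = ads, a missing or lower-case realm, missing idmap/winbind ranges and the two downgrades of step 2 (client signing and client use spnego set to no), and notes a workgroup that is not the first label of the realm. Both sample files are constructed from the page's settings. The parser only understands the key = value lines and section headers used on this page, not every smb.conf feature (include, %-macros and so on).

```sh
#!/bin/sh
# Added example, not part of the original page: audit the AD-membership
# settings in an smb.conf. It covers the full [global] section given earlier
# on the page as well as the bare-minimum settings of the Quick 'n' Dirty
# steps, and flags the downgrades step 2 suggests (client signing and SPNEGO
# off). Only the [global] section is read; '#' and ';' comment lines are
# ignored. The sample files below are constructed from the page's settings.

# smb_get FILE KEY -> prints KEY's value from [global], nothing if unset
smb_get() {
    awk -v want="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == "global" && index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) { print val; exit }
        }' "$1"
}

upper() { printf %s "$1" | tr 'a-z' 'A-Z'; }
lower() { printf %s "$1" | tr 'A-Z' 'a-z'; }
# warn MESSAGE: print a finding and bump the caller's counter (dynamic scoping)
warn()  { echo "WARN: $*"; warnings=$((warnings + 1)); }

# audit_smbconf FILE -> one line per finding; exit status = number of WARNs
audit_smbconf() {
    local file="$1" warnings=0 v k realm wg
    v=$(lower "$(smb_get "$file" security)")
    [ "$v" = ads ] || warn "security = ${v:-<unset>}; an AD member needs security = ads"
    realm=$(smb_get "$file" realm)
    if [ -z "$realm" ]; then
        warn "realm is not set"
    elif [ "$realm" != "$(upper "$realm")" ]; then
        warn "realm = $realm is not upper case; Kerberos realm names are case-sensitive"
    fi
    wg=$(smb_get "$file" workgroup)
    if [ -z "$wg" ]; then
        warn "workgroup (the NetBIOS domain name) is not set"
    elif [ -n "$realm" ] && [ "$(upper "$wg")" != "$(upper "${realm%%.*}")" ]; then
        echo "NOTE: workgroup = $wg is not the first label of $realm; check it against the DC's NetBIOS domain name"
    fi
    for k in "client signing" "client use spnego" "encrypt passwords"; do
        v=$(lower "$(smb_get "$file" "$k")")
        case "$v" in
            no|false|0) case "$k" in
                "client signing")    warn "$k = $v; SMB sessions can be tampered with or relayed" ;;
                "client use spnego") warn "$k = $v; Kerberos is not negotiated, NTLM is used instead" ;;
                *)                   warn "$k = $v; domain membership needs encrypted passwords (the Samba 3 default)" ;;
            esac ;;
        esac
    done
    for k in uid gid; do
        v=$(smb_get "$file" "idmap $k")
        [ -n "$v" ] || v=$(smb_get "$file" "winbind $k")
        [ -n "$v" ] || warn "no idmap $k / winbind $k range; winbind cannot map domain accounts"
    done
    if [ "$warnings" -gt 255 ]; then warnings=255; fi
    return "$warnings"
}

# Sample 1: the guide's settings, with realm deliberately in lower case
guide=$(mktemp)
cat > "$guide" <<'EOF'
[global]
workgroup = THINCLIENT
idmap uid = 10000-20000
idmap gid = 10000-20000
# ads server = test1.thinclient.test.org
security = ads
encrypt passwords = yes
realm = thinclient.test.org
EOF
# Sample 2: the Quick 'n' Dirty settings with signing and SPNEGO switched off
quick=$(mktemp)
cat > "$quick" <<'EOF'
[global]
realm = YOUR.ADS.DOMAIN
workgroup = YOUR
security = ADS
client signing = no
client use spnego = no
winbind uid = 10000-20000
winbind gid = 10000-20000
EOF
for f in "$guide" "$quick"; do
    audit_smbconf "$f"; echo "warnings: $?"
done
rm -f "$guide" "$quick"
```

Sample 1 yields one warning (the lower-case realm) and sample 2 two (the signing and SPNEGO downgrades). Run =audit_smbconf /etc/samba/smb.conf= after editing and again after the join, since the quick recipe has you touching the file in three separate steps.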

----
! Samba and software deployment

Software deployment is a useful feature of a domain controller, as it allows software to be distributed to many clients, so the administrator doesn't have to walk from one workstation to another (10, 20, ... 100 machines) to install the same piece of software (and uninstall or upgrade it a couple of days later).

One common misconception when comparing Samba to Active Directory is that with Samba you can't deploy software to your Windows workstations.
Another misconception, this time about Active Directory, is that with AD you can deploy software to your workstations.
So, what's this all about?

Active Directory's Group Policy software installation can only deploy packages in MSI format (a plain EXE installer can at best be published via a ZAP file, which cannot be assigned and still needs the user to run the install). MSI isn't universal; much software is only available as an EXE installer.

With Samba, as in the whole *NIX philosophy, one tool does the job, but does it well.

To distribute software with Samba, one can use [WPKG|http://wpkg.org]: with this tool you configure the software which should be installed, upgraded or uninstalled on a given machine or a group of machines, and the next time these Windows workstations boot, the software you specified is installed, upgraded or uninstalled automatically.

----

! Footnotes
# %Systemroot% is a variable set by Windows NT and onward to mean "the location where Windows is installed", i.e. c:\winnt, c:\windows, etc.

-----
CategoryInteroperability
373 ! Footnotes
374 # %Systemroot% is a variable set by Windows NT and onward to mean "the location where Windows is installed", ie c:\winnt, c:\windows, etc.
375
376 -----
377 CategoryInteroperability