
This simple guide is a mostly accurate way to set up a Samba machine as a domain member in a Windows 2000 or Windows 2003 Active Directory domain. For a REALLY short version, tested with Win2k3, see SambaADQuickNDirty.

The following setup is used:

192.168.0.1 test1.thinclient.test.org (the AD server, hereafter known as the server)
192.168.0.209 mail.thinclient.test.org (the Samba3 machine)

The Samba system is based upon a stock standard RedHat 9 system with the samba software upgraded to Samba3 (using RPM)

The following steps are needed to get the system functioning:

  1. configure name resolution using either dns or a hosts file
  2. configure samba and winbindd
  3. configure kerberos
  4. testing Samba and winbindd
  5. good luck

Configure name resolution

Active Directory relies HEAVILY on DNS to resolve not only host names but services they provide as well. To set up DNS on the Linux box, see the DNSHowTo, otherwise consult necessary Windows documentation on setting up forward AND reverse DNS zones.

As a temporary solution, you can use hosts based authentication; this is ugly and hacky, and should be avoided at all costs. -- JamesSpooner

The first step is to configure name resolution for our systems. The kerberos authentication system, which we will configure later on, requires us to be able to do a reverse lookup on an IP address to get a fully qualified domain name (FQDN). There are two ways to do this, the cheap and nasty method is to use a hosts file on both systems, which will have entries similar to the following.

Samba machine
/etc/hosts

127.0.0.1 mail mail.thinclient.test.org localhost.localdomain localhost
192.168.0.1 test1 test1.thinclient.test.org
192.168.0.209 mail mail.thinclient.test.org

Surely it would be better to put the FQDN first, and not alias localhost to a name other than localhost? -- PerryLorier

The proper name of the machine (the FQDN) should be first, then the alias(es) after, i.e. 127.0.0.1 mail.thinclient.test.org aliaswhatever1 aliaswhatever2. Then when you resolve any alias, they point to the first textual name. I.e. if you ping, say, mail, it should point to mail.thinclient.test.org. In the example it would point to 'mail'. localhost.localdomain is useful for any program that looks at this, but they will all point to 'mail' and the corresponding IP in the example. -- Dean

Windows Active Directory server
%Systemroot%\System32\drivers\etc\hosts [1]

127.0.0.1 test1 test1.thinclient.test.org localhost.localdomain localhost
192.168.0.1 test1 test1.thinclient.test.org
192.168.0.209 mail mail.thinclient.test.org

The correct method is to setup DNS on the server which can be done through the DNS console in the Administrative Tools section of Windows 2000/2003 Server. We won't go into the details of setting this up here, but we will specify the Linux side of that here.

/etc/resolv.conf

search thinclient.test.org
domain thinclient.test.org
nameserver 192.168.0.1
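An added check, not from the original page, for the hosts-file method above: Kerberos needs a reverse lookup of each machine's address to give its FQDN, so the script confirms that each FQDN is fully qualified and is the canonical (first) name on every line that carries it. Function names are the example's own; the file path is an argument so it can be run on a copy.

```shell
#!/bin/sh
# Added example: sanity-check an /etc/hosts file for the AD/Kerberos setup.
# Not part of the original page; the host names used below are the page's own.

# hosts_canonical <hostsfile> <ip>: print the canonical (first) name for an
# address, which is what a reverse lookup through /etc/hosts returns.
hosts_canonical() {
  awk -v ip="$2" '/^[ \t]*#/ { next } $1 == ip { print $2; exit }' "$1"
}

# hosts_reverse_ok <hostsfile> <fqdn>: succeed only if the name has a dot (is
# fully qualified) and is the canonical name on every line where it appears,
# so no address carrying it reverse-resolves to a short alias or to localhost.
hosts_reverse_ok() {
  case "$2" in *.*) ;; *) return 1 ;; esac
  awk -v name="$2" '
    /^[ \t]*#/ || NF < 2 { next }
    { for (i = 2; i <= NF; i++) if ($i == name) { found = 1; if ($2 != name) bad = 1 } }
    END { if (found && !bad) exit 0; exit 1 }' "$1"
}

# hosts_check <hostsfile> <fqdn>...: report each host; non-zero if any is wrong.
hosts_check() {
  file=$1; shift; rc=0
  for h in "$@"; do
    if hosts_reverse_ok "$file" "$h"; then
      echo "ok   $h"
    else
      echo "BAD  $h (must be fully qualified and first on its line)"; rc=1
    fi
  done
  return $rc
}

# Usage: sh check_hosts.sh /etc/hosts mail.thinclient.test.org test1.thinclient.test.org
if [ "$#" -ge 2 ]; then hosts_check "$@"; fi
```

Run against the hosts file shown above it reports both machines as BAD, because the short name comes first; with the FQDN moved to the front of each line (as Dean suggests) it reports ok.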

Configure Samba3 and Winbindd

This part is the easy one: we just create ourselves a default Samba configuration with at least the following entries. (Note this is a bare, default configuration file, and you may wish to add more; a file share would be handy to add.)

/etc/samba/smb.conf

[global]
# general options
workgroup = THINCLIENT
netbios name = MAIL

# winbindd configuration
# The default separator is \ which is good if you use mod_ntlm since that's its
# character; users only have to remember one syntax.
winbind separator = +
# "idmap uid" and "idmap gid" are aliases of "winbind uid" and "winbind gid"
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash

# Active Directory joining
# "ads server" is only necessary if your kdc can't be located using /etc/krb5.conf -- JamesSpooner
# ads server = test1.thinclient.test.org
security = ads
# "encrypt passwords = yes" is now the default behaviour in Samba 3 -- EnigMa
encrypt passwords = yes
realm = thinclient.test.org
# "password server" handles the "ads server =" directive as well -- EnigMa
password server = test1.thinclient.test.org

NB: The important things to pay attention to here are the name of our samba machine (netbios name), the workgroup, and the ActiveDirectory stuff.

Configure Kerberos5

Configuring your Kerberos setup is much easier in the long run than generating the key and importing it.

See ActiveDirectoryKerberos on setting up Kerberos to talk to ActiveDirectory.

If your kerberos setup is good, at this point, you might just want to run net ads join -U Administrator%password which should do all that ktpass and ktutil stuff on the fly as mentioned in http://us1.samba.org/samba/docs/man/domain-member.html#ads-member . Then you can skip to the winbind section below ;-) -- EnigMa

We need to generate a key for our samba machine on the Windows server, and securely import this into our samba machine.

To create the keyfile we run the following on the Windows server:

ktpass -princ host/mail.thinclient.test.org@THINCLIENT.TEST.ORG -mapuser MAIL -pass MAIL1234PASSWORD -out mail.keytab

This and many other tools for managing kerberos in Windows 2000 are located in the support tools which are directly downloadable from Microsoft http://www.microsoft.com/downloads/details.aspx?familyid=f08d28f3-b835-4847-b810-bb6539362473&displaylang=en -- JanGerle

We then transfer mail.keytab securely to our Samba machine using SSH (scp) or another secure means. Then, on the Samba machine, we import the keyfile we just generated using the ktutil program, which is part of the Kerberos distribution. The ktutil session is as follows:

% ktutil
ktutil: rkt mail.keytab
ktutil: list
ktutil: wkt /etc/krb5.keytab
ktutil: q

Alternatively, as root:

net join -U Administrator%password

Don't specify %password and it will prompt you on the command line, for the security minded.

This will join the Samba machine to the Active Directory domain. However, the latter will only work if your Kerberos configuration actually works.

(Re)starting Samba and Winbindd

First we test our Samba configuration and our winbind settings, before we modify our Samba startup script.

/etc/rc.d/init.d/samba restart
/usr/sbin/winbindd

For some of our paranoid friends, we can check to see if our winbindd is actually running using

ps fax | grep winbindd

Now for a real test: see if we can get some information off our Active Directory PDC.

/usr/bin/wbinfo -u

And we should get a list of users in the format THINCLIENT+<username>

THINCLIENT+Administrator
THINCLIENT+Guest
..

And we can do the same for our list of groups.

/usr/bin/wbinfo -g

THINCLIENT+Domain Admins
THINCLIENT+Domain Users
THINCLIENT+Schema Admins
..

We can now use the getent utility to get a unified list of both the local and PDC users and groups. These utilities will generate a list of data similar in format to the /etc/passwd and /etc/group files respectively.

Add the following entries to /etc/nsswitch.conf:

passwd: files winbind
group: files winbind

If you are compiling Samba from source then you need to copy the following files manually:

cp /usr/src/samba-3.0.1/source/nsswitch/pam_winbind.so /lib/security/
cp /usr/src/samba-3.0.1/source/nsswitch/libnss_winbind.so /lib/
cp /usr/src/samba-3.0.1/source/bin/pam_smbpass.so /lib/security/

Then run the following commands to get the unified entries:

/usr/bin/getent passwd
/usr/bin/getent group

It is now a good idea to test to ensure your Active Directory usernames are valid on the system.

try: chown "THINCLIENT+username" filename (where THINCLIENT is the active directory short name)

If wbinfo -u and getent passwd work fine but your chown says this is an unknown user, you probably have NSCD running. You should disable NSCD and restart winbind. (See http://us4.samba.org/samba/docs/man/winbind.html#id2958310 for more)

After this we can fix up our init.d startup scripts to automate the startup of winbindd and not start NSCD.

Configure PAM and Winbind

Before we do anything at all here, we need to make a backup of our /etc/pam.d/* files. And have a linux bootdisk available if possible. If anything goes wrong here, you may not be able to login to your system properly. (So don't reboot or logoff to test, but use a text console)

To have our ActiveDirectory users be able to login to our system we have to modify our /etc/pam.d/login. We don't need to modify our /etc/pam.d/samba settings as it is already configured for winbind.

/etc/pam.d/login

#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

After we save this file, we should be able to login to our Linux machine with the username THINCLIENT+Administrator and get ourselves a shell. Note that the system may complain if the specified home directory has not been created (in this case /home/THINCLIENT/Administrator).
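An added check script, not from the page or from the Samba project, covering the testing section above and the home directory needed at login: it reads the winbind separator from smb.conf, verifies that nsswitch.conf consults winbind for passwd and group, checks that wbinfo output has the DOMAIN+name form, expands "template homedir" for a user, and tests for the NSCD pitfall. Function names and the sample files are constructed for the example; paths are arguments so it can run against copies.

```shell
#!/bin/sh
# Added example (not from the original page): offline checks on the files this
# page edits, so a failing chown or login can be traced to the right file.

# smb_winbind_separator <smb.conf>: the configured separator, default '\' as in Samba.
smb_winbind_separator() {
  sep=$(sed -n 's/^[[:space:]]*winbind separator[[:space:]]*=[[:space:]]*\(.\).*/\1/p' "$1" | tail -n1)
  printf '%s' "${sep:-\\}"
}

# nss_winbind_ok <nsswitch.conf>: both passwd and group must list winbind,
# otherwise getent and chown will not see the domain accounts.
nss_winbind_ok() {
  grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
  grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# wbinfo_names_ok <separator> <DOMAIN> <file with wbinfo -u/-g output>: every
# non-empty line must read DOMAIN<separator>name, e.g. THINCLIENT+Administrator.
# Values go through the environment so awk does not reinterpret a '\' separator.
wbinfo_names_ok() {
  SEP="$1" DOM="$2" awk '
    NF == 0 { next }
    index($0, ENVIRON["DOM"] ENVIRON["SEP"]) != 1 { bad = 1 }
    END { exit bad ? 1 : 0 }' "$3"
}

# expected_homedir <smb.conf> <DOMAIN> <user>: expand "template homedir" with the
# %D/%U placeholders, giving the directory that must exist before first login.
expected_homedir() {
  sed -n 's/^[[:space:]]*template homedir[[:space:]]*=[[:space:]]*//p' "$1" | tail -n1 |
    sed "s|%D|$2|g; s|%U|$3|g; s/[[:space:]]*$//"
}

# nscd_running: succeeds if nscd is up; its cache hides winbind from chown (see text).
nscd_running() { ps ax 2>/dev/null | grep -q '[n]scd'; }

# Usage on a live system (not run here): e.g. wbinfo -u > /tmp/users;
# wbinfo_names_ok "$(smb_winbind_separator /etc/samba/smb.conf)" THINCLIENT /tmp/users
```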

SSH Support

Do the same additions that you made to /etc/pam.d/login to /etc/pam.d/sshd to support logins via SSH.

Have fun

And congrats, it works. If you want to configure further items such as mail and other things you may need to modify the appropriate PAM modules, which isn't covered here.

Footnotes

[1] %Systemroot% is a variable set by Windows NT and onward to mean "the location where Windows is installed", i.e. c:\winnt, c:\windows, etc.


CategoryInteroperability