
How do I set up Samba in a Windows AD domain?

3 replies

supermike
Joined: 2006-02-17

I finally got Samba to work in workgroup mode. Hurray! However, now I want to make it play in the AD domain.

// sidebar - This is all experimentation at this point. I'd love to be able to go back to my boss and show him we can switch all our Windows file servers over to Linux and have something that's easier to manage because it's more scriptable. (For instance, with one script, I can update multiple Samba servers. But with one script, it's not very easy to update multiple Windows servers.) - end sidebar //

Does anyone have a quick tutorial to show me how to get my Ubuntu 5.10 to act like a member server in an AD domain, letting Windows XP users use their AD logons to authenticate to my member server? Note also that I'm hoping to not have an admin chore to keep adding accounts to my Ubuntu 5.10 -- I want to just say, "Whatever is allowed in the domain to login, is allowed read/write on my share."

I also don't know what ports it requires, so temporarily I had to bring down my firewall (iptables -F) in order to get going for this test.

Here's my smb.conf file as it stands now. Note I had to use smbpasswd command before I could get it to use my local Linux user account to authenticate.

[global]
workgroup = WORKGROUP
netbios name = %h
server string = %h
passdb backend = tdbsam
security = user
domain logons = no
preferred master = no
wins support = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
passwd chat debug = yes
unix password sync = no
log level = 3

[public]
path = /tmp/public
available = yes
browseable = yes
public = yes
writable = yes
create mode = 0755
directory mode = 0755
read only = no

BONUS QUESTION: How does one make their Samba server permit different AD domain security on different directories? This could permit me to have a department model where I store stuff for different departments.
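One way to do what the bonus question asks, as an added example that is not part of the original post: Samba limits a share to an AD group with `valid users`, with the group name resolved through winbind. It assumes the thread's smb.conf settings (`winbind use default domain = yes`, `winbind separator = +`), so a group of the joined domain is written plain (`Finance`) and a group from another trusted domain as `OTHERDOM+Finance`; the share and group names are constructed.

```shell
#!/bin/sh
# Added example (not code from the original thread): provision a per-department
# share whose access is governed by an AD group resolved through winbind.

# Emit an smb.conf share stanza: only members of $2 may connect, everything
# created inside is group-owned and group-writable, nothing is world-readable.
share_stanza() {            # $1 = share name, $2 = AD group name, $3 = path
    cat <<EOF
[$1]
    path = $3
    valid users = @"$2"
    force group = "$2"
    read only = no
    browseable = yes
    guest ok = no
    create mask = 0660
    directory mask = 0770
EOF
}

# Create the directory with the setgid bit so new files inherit the group and
# no access for "other"; chgrp only if nsswitch/winbind can resolve the group.
provision_share() {         # $1 = base dir, $2 = share name, $3 = AD group
    dir="$1/$2"
    mkdir -p "$dir" || return 1
    chmod 2770 "$dir" || return 1
    if getent group "$3" >/dev/null 2>&1; then
        chgrp "$3" "$dir"
    else
        echo "warning: group '$3' not resolvable (is winbind running?)" >&2
    fi
    share_stanza "$2" "$3" "$dir"
}

# Usage (constructed names; run as root, then "testparm" and restart smbd):
#   provision_share /srv/samba finance Finance >> /etc/samba/smb.conf
```

Repeat per department with its own AD group; the [public] share from the post can be tightened the same way by replacing `public = yes` with `guest ok = no` and a `valid users` line.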

supermike

I GOT IT!!!

With the technique below, I am able to build a Linux based Samba server and have the logins pass through to an Active Directory domain controller. The catch is that you still have to do useradd to add the particular accounts locally on the Samba server, but at least you do not have to set their passwords or worry about password synchronization. You might like it that way. Eventually I might figure out how to play with the /etc/pam.d/common* files to just let it pass all this through and not require useradd to add an account, but oh well -- it's pretty darn good for now.

I've also made a Windows share on this server pretty wide open. You'll want to restrict it more later on.

HOW TO ENABLE SAMBA WITH PAM TO ENABLE MICROSOFT ACTIVE DIRECTORY LOGINS

1. Turn off your iptables firewall (iptables -F). Later on you can fire it up if you know which ports need to be poked through.

2. Turn on (uncomment) Universe option in /etc/apt/sources.list. (When all done, turn it off again and do apt-get update.)

3. Do this:

apt-get update
apt-get install krb5-user

When you install this, note that a window will pop open and ask you for the IP address (twice, I think) of your closest domain controller for the domain with which you wish to authenticate.

apt-get install winbind samba

4. Edit your /etc/krb5.conf file like so:

[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = MY_AD_DOMAIN.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
MY_AD_DOMAIN.COM = {
# use IP address of closest DC for domain to you
kdc = 192.168.0.2
}

[domain_realm]
.my_ad_domain.com = MY_AD_DOMAIN.COM
my_ad_domain.com = MY_AD_DOMAIN.COM

5. Use something like this /etc/samba/smb.conf:

[global]
unix charset = LOCALE
workgroup = MY_AD_DOMAIN
realm = MY_AD_DOMAIN.COM
netbios name = UBUNTU
server string = Samba
security = ADS
password server = 192.168.0.2
winbind use default domain = yes
client use spnego = yes
domain master = no
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
printing = cups

[public]
path = /tmp/public
available = yes
browseable = yes
public = yes
writable = yes
create mode = 0755
directory mode = 0755
read only = no

6. Test the Samba configuration with the testparm command.

7. Edit /etc/nsswitch.conf like so:

passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

8. Edit /etc/pam.d/common-account like so:

account sufficient pam_winbind.so
account required pam_unix.so

9. Edit /etc/pam.d/common-auth like so:

auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

10. Edit /etc/pam.d/common-password and change the max parameter to 50:

password required pam_unix.so nullok obscure min=4 max=50 md5

11. Edit /etc/pam.d/common-session like so:

session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

12. Do this:

mkdir /home/MY_AD_DOMAIN.COM

...note that I don't know if this is a requirement or not.

13. Fire up Kerberos by doing this:

kinit <your domain account here>@MY_AD_DOMAIN.COM

...be patient here -- takes about 30 seconds to come back.

14. Check to see if Kerberos is giving you a ticket by doing:

klist

...and it should spit back something like:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal:

Valid starting Expires Service principal
03/01/06 22:42:31 03/02/06 08:42:31 krbtgt/MY_AD_DOMAIN.COM@MY_AD_DOMAIN.COM

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

15. Join the Linux system to the domain by doing:

net ads join -U <your domain account here>@MY_AD_DOMAIN.COM

16. Add a user locally that exists in the domain. For instance, I did:

useradd supermike

17. Edit /etc/hosts so that you have your FQDN on the 127.0.0.1 line before localhost, as in "127.0.0.1 UBUNTU.MY_AD_DOMAIN.COM localhost".

18. Do this:

rm /var/lib/samba/*.tbd

19. Restart Samba, but you have to do it in this order:

/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start

20. Restart SSH.

/etc/init.d/ssh restart

21. Then, I could do "ssh -l supermike 127.0.0.1" locally and it prompted me for my domain password. When I used it, it passed it on to the domain and utilized that instead. There was no need to worry about storing the password locally on the Linux system or worrying about password synchronization issues.

22. Comment back out Universe option in sources.list.

23. Turn your firewall back on if you know what ports to poke through. I have no clue what ports are necessary yet.
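Steps 1 and 23 flush the firewall because the ports were unknown. As an added example (not from the original post), this script emits the iptables rules a Samba/winbind member server needs, restricted to the DC address from step 4; the LAN range 192.168.0.0/24 and the interface eth0 are constructed values, and the rules are printed for review before being applied.

```shell
#!/bin/sh
# Added example (not code from the original thread): minimal iptables rules
# for an AD member server, instead of "iptables -F". Constructed values:
DC=192.168.0.2          # domain controller, as in step 4 of the post
LAN=192.168.0.0/24      # clients allowed to reach the shares
IFACE=eth0

# Outbound to the DC only: DNS, Kerberos, NTP (Kerberos rejects more than
# 5 minutes of clock skew), LDAP, SMB, kpasswd, LDAPS and Global Catalog.
ad_member_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in 53 88 389 445 464 636 3268 3269; do
        echo "iptables -A OUTPUT -o $IFACE -d $DC -p tcp --dport $p -j ACCEPT"
    done
    for p in 53 88 123 389 464; do
        echo "iptables -A OUTPUT -o $IFACE -d $DC -p udp --dport $p -j ACCEPT"
    done
    # Inbound from the LAN: NetBIOS name/datagram (udp 137-138), NetBIOS
    # session (tcp 139), direct SMB (tcp 445) and ssh for administration.
    echo "iptables -A INPUT -i $IFACE -s $LAN -p udp --dport 137:138 -j ACCEPT"
    echo "iptables -A INPUT -i $IFACE -s $LAN -p tcp -m multiport --dports 139,445 -j ACCEPT"
    echo "iptables -A INPUT -i $IFACE -s $LAN -p tcp --dport 22 -j ACCEPT"
}

# Print the rules by default; "apply" executes them (needs root).
case "${1:-print}" in
    print) ad_member_rules ;;
    apply) ad_member_rules | sh -e ;;
    *) echo "usage: $0 [print|apply]" >&2 ;;
esac
```

After applying, `net ads testjoin` and `wbinfo -t` confirm the DC is still reachable through the rules.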

supermike

A good mentor of mine recommended:

Try adding these settings to [global] in smb.conf:

host msdfs = no
oplocks = yes
dead time = 60
getwd cache = yes
read raw = yes
write raw = yes
max xmit = 65535
keepalive = 300

I don't think it will help in your case, but I like these settings.

He thinks perhaps it might fix this problem that I have mentioned previously:

The Samba shares act funny in Windows 2000 and XP. If you do Start, Run, \\<server> and double-click the share, then create a new folder, it appears properly and you are given a chance to rename it. But if you close that window and repeat this step, you can create folders but not have a chance to rename them until you refresh your window with the F5 key. The same goes for renaming them, creating new files, etc. I can see people getting fairly aggravated by this. I don't know how to fix that. However, if you map a permanent drive to this share, the problem goes away.

I have yet to test these settings to see if that fixes it.

supermike

sysop - suggestion for pinning.
