
[Samba] How to - Samba, winbind and Active Directory


john woo

Sep 3, 2007, 8:20:06 AM9/3/07
Hi,

I finally was able to get samba/winbind to authenticate off W2k3 Active Directory. I saw a lot of info on the web on how to do this but I never seemed to find one site that got me through it all. Anyway, with all the info I gathered I was able to put it all together, get it working and document all the steps I used. I'm running Redhat 4 (2.6.9-55.0.2) with compiled Samba 3.0.25c (you'll need Samba 3.0.24 though because of a *bug* in the 3.0.25c net binary? - more info below). Hope this helps anyone trying to do Samba/AD integration.

Compile/Install Samba 3.0.25c
• ./configure --with-winbind --with-ldap --with-ads --with-krb5
• make
• make install
• Samba will be installed in /usr/local/samba

Edit krb5.conf
• vi /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = MY.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MY.DOMAIN.COM = {
  # I used the Windows DC IP address instead of the FQDN for the kdc
  kdc = 10.2.30.63
  default_domain = my.domain.com
}

[domain_realm]
.my.domain.com = MY.DOMAIN.COM
my.domain.com = MY.DOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

Edit /etc/nsswitch.conf
• vi /etc/nsswitch.conf (you only need to add winbind to passwd and group; everything else stays the same)
passwd: files winbind
shadow: files
group: files winbind

Edit /etc/samba/smb.conf
• vi /etc/samba/smb.conf
[global]
security = ADS
workgroup = MY
netbios name = sambatest
realm = MY.DOMAIN.COM
# I used the Windows DC IP address instead of the FQDN for the "password server".
password server = 10.2.30.63
encrypt passwords = yes
client use spnego = no
server signing = auto


log file = /var/log/samba/%m

# enum users/groups is needed for getent passwd|group to work, but otherwise samba still works fine without this option
winbind enum users = yes
winbind enum groups = yes

winbind separator = .
winbind use default domain = no
idmap uid = 10000-20000
idmap gid = 10000-20000

# Shares
[smbtest]
comment = test share
path = /smbtest
valid users = MY.user1 MY.user2
browseable = no
printable = no
writable = yes

Link smb.conf
Note: By default, Samba will look in /usr/local/samba/lib for smb.conf, but I kept my smb.conf in /etc/samba/smb.conf so I just softlinked to it.
• ln -s /etc/samba/smb.conf /usr/local/samba/lib/smb.conf

Net binary
Note: the net binary supplied with Samba 3.0.25c is buggy and does not work when trying to join a domain. What I did was copy the net binary from a 3.0.24 install to the 3.0.25c server (/usr/local/etc/samba/bin) and it worked like a charm.

• mv /usr/local/samba/bin/net /usr/local/samba/bin/net.BAK
• cp /usr/local/samba/bin/net (from the 3.0.24 install) /usr/local/samba/bin/net

Update libnss_winbind.so lib
• unlink /lib/libnss_winbind.so
• mv /lib/libniss_winbind.so.2 /lib/libniss_winbind.so.2.BAK
• cp /BUILDSOURCE/source/nsswitch/libnss_winbind.so /lib/libniss_winbind.so.2 (yes, I changed the file name to libniss_winbind.so.2)
• ln -s /lib/libniss_winbind.so.2 /lib/libniss_winbind.so

Get Kerberos ticket
• kinit admini...@MY.DOMAIN.COM
• klist (this will show you the cached tickets on the system)

Join Samba server to the Windows Domain
• /usr/local/samba/bin/net ads join -U administrator
• You should see the following:
[root@sambatest2 bin]# /usr/local/samba/bin/net ads join -U administrator
Administrator’s password:
Using short domain name -- MY
Joined 'SAMBATEST2' to realm 'MY.DOMAIN.COM'

Check for domain accounts/groups
• /usr/local/samba/bin/wbinfo -u (this should return MY.user1, MY.user2, MY.user3, etc.)
• /usr/local/samba/bin/wbinfo -g (this should return MY.group1, MY.group2, MY.group3, etc.)
• getent passwd (this should return accounts from the local server and the domain, depending on whether you set "winbind enum users/groups" in the smb.conf)
• getent group (this should return groups from the local server and the domain, depending on whether you set "winbind enum users/groups" in the smb.conf)

Fire up Samba and Winbind
• ./smb start
• test your share by accessing it from a windows
computer (\\sambaServer\shareName)

Samba/Winbind startup script
#!/bin/sh
#
# chkconfig: - 91 35
# description: Starts and stops the Samba smbd and nmbd daemons \
#              used to provide SMB network services.
#
# pidfile: /var/run/samba/smbd.pid
# pidfile: /var/run/samba/nmbd.pid
#config: /etc/samba/smb.conf


# Source function library.
if [ -f /etc/init.d/functions ] ; then
. /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
. /etc/rc.d/init.d/functions
else
exit 0
fi

# Avoid using root's TMPDIR
unset TMPDIR

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/samba ]; then
. /etc/sysconfig/samba
fi

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# Check that smb.conf exists.
[ -f /etc/samba/smb.conf ] || exit 0

RETVAL=0

SMBHOME="/usr/local/samba/sbin"

start() {
KIND="SMB"
echo -n $"Starting $KIND services: "
daemon $SMBHOME/smbd $SMBDOPTIONS
RETVAL=$?
echo
KIND="NMB"
echo -n $"Starting $KIND services: "
daemon $SMBHOME/nmbd $NMBDOPTIONS
RETVAL2=$?
echo
KIND="Winbind"
echo -n $"Starting $KIND services: "
daemon $SMBHOME/winbindd
RETVAL3=$?
echo
[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || RETVAL=1
return $RETVAL
}

stop() {
KIND="SMB"
echo -n $"Shutting down $KIND services: "
killproc smbd
RETVAL=$?
echo
KIND="NMB"
echo -n $"Shutting down $KIND services: "
killproc nmbd
RETVAL2=$?
echo
KIND="Winbind"
echo -n $"Shutting down $KIND services: "
killproc winbindd
RETVAL3=$?
[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
echo ""
return $RETVAL
}

restart() {
stop
start
}

reload() {
echo -n $"Reloading smb.conf file: "
killproc smbd -HUP
RETVAL=$?
echo
return $RETVAL
}

rhstatus() {
status smbd
status nmbd
status winbindd
}


# Allow status as non-root.
if [ "$1" = status ]; then
rhstatus
exit $?
fi

# Check that we can write to it... so non-root users stop here
[ -w /etc/samba/smb.conf ] || exit 0

case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
reload)
reload
;;
status)
rhstatus
;;
condrestart)
[ -f /var/lock/subsys/smb ] && restart || :
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|status|condrestart}"
exit 1
esac

exit $?



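A consistency check worth running before the "net ads join" step, added here as an example (it is not from the original post and not part of Samba): it reads smb.conf, krb5.conf and nsswitch.conf and reports the mismatches that most often make the join or getent fail: realm names that differ between the two files or are not upper-case, security not set to ADS, no explicit kdc block for the realm (needed when dns_lookup_kdc = false), and winbind missing from the passwd or group lines. The function names and the sample files are this example's own; the samples are constructed to mirror the post's values.

```shell
#!/bin/sh
# Added example, not from the original post: offline consistency checks on the three files
# the post edits (smb.conf, krb5.conf, nsswitch.conf). Sample files are constructed below.

# conf_get FILE SECTION KEY: print the value of "KEY = value" found inside [SECTION]
conf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^\[/ { insec = ($0 == "[" sec "]"); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) { v = substr($0, index($0, "=") + 1)
                            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }
        }' "$1"
}

# nss_has_winbind FILE DB: succeed if the DB line (passwd, group) lists winbind as a source
nss_has_winbind() {
    grep -E "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)" "$1" >/dev/null
}

# check_ad_config SMB_CONF KRB5_CONF NSSWITCH_CONF: print each problem, return their count
check_ad_config() {
    n=0
    sec=$(conf_get "$1" global security | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] || { echo "smb.conf: security must be ADS (got '$sec')"; n=$((n+1)); }
    sr=$(conf_get "$1" global realm); kr=$(conf_get "$2" libdefaults default_realm)
    [ -n "$sr" ] && [ "$sr" = "$kr" ] || { echo "realm mismatch: smb.conf '$sr' vs krb5.conf '$kr'"; n=$((n+1)); }
    case "$sr" in *[a-z]*) echo "realm '$sr' must be upper-case"; n=$((n+1)) ;; esac
    # with dns_lookup_kdc = false the realm needs an explicit "REALM = { kdc = ... }" block
    grep -E "^[[:space:]]*$sr[[:space:]]*=[[:space:]]*\{" "$2" >/dev/null ||
        { echo "krb5.conf: no [realms] block for '$sr'"; n=$((n+1)); }
    for db in passwd group; do
        nss_has_winbind "$3" "$db" || { echo "nsswitch.conf: $db does not list winbind"; n=$((n+1)); }
    done
    return $n
}

# Constructed samples: a set matching the post, plus a krb5.conf whose realm is lower-case
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
printf '[global]\nsecurity = ADS\nworkgroup = MY\nrealm = MY.DOMAIN.COM\n' > "$DEMO/smb.conf"
printf '[libdefaults]\ndefault_realm = MY.DOMAIN.COM\ndns_lookup_kdc = false\n[realms]\nMY.DOMAIN.COM = {\n kdc = 10.2.30.63\n}\n' > "$DEMO/krb5.conf"
printf 'passwd: files winbind\nshadow: files\ngroup: files winbind\n' > "$DEMO/nsswitch.conf"
sed 's/MY.DOMAIN.COM/my.domain.com/' "$DEMO/krb5.conf" > "$DEMO/krb5-bad.conf"

# Stand-alone run: the first set passes, the second reports two problems
check_ad_config "$DEMO/smb.conf" "$DEMO/krb5.conf" "$DEMO/nsswitch.conf" && echo "post's settings: OK"
check_ad_config "$DEMO/smb.conf" "$DEMO/krb5-bad.conf" "$DEMO/nsswitch.conf" || echo "lower-case realm: $? problem(s)"
```

Point the three arguments at the real /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf to check a live box; a zero return means the static checks passed and the remaining failures are on the network or the DC side.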
