Samba 3.0 Integration with ADS

(Using Kerberos)

Gathered and Written by: Jason Williams
(Other downloadable versions available at the bottom of this document)


This document covers the steps to integrate a Samba 3.0 server with Active Directory. I did this on a RHEL AS 4.0 server, but it should be pretty much the same for other distributions. If you read this and realize there is something I forgot, or if you have a scenario that you think should be added to this document, use the contact email at the bottom to drop me a line.


  1. Semantics

In all sections of this document, the following values are used for the Samba machine and for ADS (they are the ones that appear in every listing and command below):

ADS domain (NetBIOS / workgroup name): MY-ADS
Kerberos realm: MY-ADS.CORP (always upper case)
DNS domain: my-ads.corp (always lower case)
Domain controller: dom1.my-ads.corp
WINS server: 10.1.1.2
Samba server: samba-srv1 (FQDN samba-srv1.my-ads.corp)
ADS service account used for the join: smbservice

Make sure that when you are setting up your environment, you make the proper changes. I will try to put notes in each section or step to guide you, but if you run into problems, the first thing to check is that you substituted the right values in the commands for your environment.


  2. Initial Setup and Prerequisites

In order for Samba to talk to your ADS domain controller correctly, you will need Kerberos installed on your system. (As far as I have seen on the Internet, the Kerberos libs should be enough, but I'll supply a list of what I have installed and working for me.) You will also need Samba (obviously) version 3.0 or higher; as far as I know, this document should work with any version of Samba 3.0. There are a few "gotchas" that I ran into that were not documented in other How-To's, and I'll try to address them here. Here are the commands and the lists of software that I have installed and that worked for me:

Samba Check and List (Cmd. 2-1)


# rpm -qa | grep samba
samba-common-3.0.10-1.4E.2
samba-client-3.0.10-1.4E.2
samba-3.0.10-1.4E.2



Kerberos Check and List (Cmd. 2-2)


# rpm -qa | grep krb
krbafs-1.2.2-6
krb5-libs-1.3.4-17
pam_krb5-2.1.8-1
krb5-devel-1.3.4-17
krb5-workstation-1.3.4-17
krb5-auth-dialog-0.2-1
krbafs-devel-1.2.2-6



NOTE: From my understanding, krbafs, krb5-devel, krb5-auth-dialog and krbafs-devel are probably not needed, but they were installed by the Red Hat installer, so I just went with it. krb5-workstation is the one you do want beyond the libs: it supplies kinit, klist and ktutil, which are used later in this document.

If all these requirements are met, then you are ready to proceed.


  3. Samba Configuration

Here we will explain what really needs to be configured in the smb.conf file (Samba's main configuration file). Before making ANY change to the file, the best thing to do is ALWAYS to make a backup of it first. You can do this by running the following commands.


Samba Conf File Backup (Cmd. 3-1)


# cd /etc/samba
# cp smb.conf smb.conf.preADS



Once you have a backup of the file, it's time to edit it.

Edit smb.conf (Cmd. 3-2)


# vim smb.conf


Upon opening the file, you will see a lot of comment lines that explain in great detail what each directive in the file does. These comments are also in the backup copy we made, so there is no need to keep them. A quick way to delete them is to use the substitute command in vi. Press Escape to make sure you are not in insert mode, then type the following two commands to remove most of the comments:


:%s/^#.*\n//g
:%s/^;.*\n//g



If any lines remain that start with a # or a ; then you can move your cursor to them and press the d key twice to remove them individually.

Once you have those comments removed, the following listing of my example smb.conf file is what you will want yours to look like (replacing the proper settings to match your environment of course).

NOTE: Case is VERY important here. So make sure that if you are making changes, your case is set right.


smb.conf (Listing 3-1)


[global]

; Change This
workgroup = MY-ADS
; Change This
netbios name = samba-srv1
server string = Samba File Server
log file = /var/log/samba/%m.log
max log size = 50
; Change This
realm = MY-ADS.CORP
security = ADS
; Change This
password server = dom1.my-ads.corp
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
; Change This
wins server = 10.1.1.2
dns proxy = no
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no


[samba]

comment = My Samba Share
path = /shares/samba
browsable = yes
writable = yes


In the above listing, the values marked with "; Change This" should be adjusted to match your environment. Note that Samba only treats a line as a comment when it starts with ";" or "#"; a ";" after a value on the same line is read as part of the value (so "workgroup = MY-ADS ; Change This" would set the workgroup to the whole string), so keep such annotations on their own line or remove them. The "socket options" directive must be on one line as well. The "template shell = /bin/false" setting means domain users resolved through winbind get no login shell on the Linux box, which is what you want for a pure file server. This listing sets up a primary share named "samba" and maps it to the path "/shares/samba" on the Linux machine. For information on setting up more shares, see the backup copy of the smb.conf file we made and check out the man page for smb.conf.


  4. Kerberos Configuration


The next thing that needs to be configured on the Linux machine is the Kerberos setup. Kerberos is needed so that Samba can properly authenticate to the ADS domain controller. There are a few different ways to get Samba to communicate with ADS, but the preferred method is Kerberos. You can also use LDAP; however, this document does not cover that particular setup.

Since we will once again be modifying a configuration file, you will want to make a backup copy of it.

Kerberos Conf File Backup (Cmd. 4-1)


# cd /etc
# cp krb5.conf krb5.conf.preADS


Now we are ready to edit the configuration file. Here is a listing of what my krb5.conf file looks like. Make sure that you make the proper changes to the right parts of this file. The things that need to be changed are the values mentioned in the above “Semantics” section.


krb5.conf (Listing 4-1)


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MY-ADS.CORP
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
MY-ADS.CORP = {
kdc = dom1.my-ads.corp
default_domain = my-ads.corp
}

[domain_realm]
.my-ads.corp = MY-ADS.CORP
my-ads.corp = MY-ADS.CORP

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}



The above listing is a good example configuration. It may vary depending on your environment and on whether you are using Kerberos for anything else on your network. The parts that matter for Samba are [libdefaults], [realms] and [domain_realm]: the realm name must be upper case everywhere it appears, the [domain_realm] entries map the lower-case DNS domain (with and without the leading dot) onto that realm, and "kdc" points at your domain controller. The [kdc] section only applies to a machine running a KDC and the [appdefaults] pam block is for pam_krb5, so neither is required for Samba itself.

NOTE: The des-cbc-crc / des-cbc-md5 enctypes above are what the domain controller in this setup offered at the time. Single DES is weak, and newer Windows domain controllers disable it by default, so if your domain supports RC4 (arcfour-hmac-md5) or AES, list those instead, or leave the two enctype lines out entirely and let the libraries negotiate.
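The case and consistency rules described in the Samba Configuration and Kerberos Configuration sections are easy to get wrong and only show up later as a failed join. The following script is an added example, not part of the original how-to or of Samba: it lints an smb.conf against a krb5.conf (realm upper case and identical in both files, security = ADS, a [realms] entry and a [domain_realm] mapping for that realm, and no inline "; ..." text after a value, which Samba would read as part of the value), and warns if the ticket enctypes are DES-only. The function names (conf_get, conf_pairs, check_ads_config) and the sample files it writes to a temporary directory are my own; the sample contents are taken from the listings above.

```shell
#!/bin/sh
# Added example (not from the original how-to): cross-check the smb.conf and
# krb5.conf values that must agree before 'net ads join' will work.
# Assumes POSIX sh with sed, grep, tr, head and mktemp.

# Print the value of KEY from a "key = value" style file (smb.conf or
# krb5.conf), ignoring comment lines that start with '#' or ';'.
conf_get() {  # conf_get FILE KEY
    sed -n -e '/^[[:space:]]*[#;]/d' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed -e 's/[[:space:]]*$//'
}

# Normalise "key = value" lines to "key=value" so they can be matched exactly.
conf_pairs() {  # conf_pairs FILE
    sed -e '/^[[:space:]]*[#;]/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_ads_config SMB_CONF KRB5_CONF -> exit status 0 when consistent.
check_ads_config() {
    smb=$1; krb=$2; rc=0
    realm=$(conf_get "$smb" realm)
    security=$(conf_get "$smb" security)
    default_realm=$(conf_get "$krb" default_realm)

    # smb.conf has no trailing comments: "; Change This" after a value becomes
    # part of the value, so flag any '=' line that still contains ';' or '#'.
    if conf_pairs "$smb" | grep -q '=.*[;#]'; then
        echo "FAIL: inline ';' or '#' after a value in $smb (Samba reads it as data)"; rc=1
    fi
    if [ "$(lower "$security")" != "ads" ]; then
        echo "FAIL: security = '$security' (expected ADS)"; rc=1
    fi
    if [ -z "$realm" ] || [ "$realm" != "$(upper "$realm")" ]; then
        echo "FAIL: realm = '$realm' must be present and upper case"; rc=1
    fi
    if [ "$realm" != "$default_realm" ]; then
        echo "FAIL: smb.conf realm '$realm' != krb5.conf default_realm '$default_realm'"; rc=1
    fi
    # The realm needs a [realms] entry and a [domain_realm] mapping from the
    # lower-case DNS domain (with leading dot) to the upper-case realm.
    if ! conf_pairs "$krb" | grep -Fqx "$realm={"; then
        echo "FAIL: no [realms] entry for $realm in $krb"; rc=1
    fi
    if ! conf_pairs "$krb" | grep -Fqx ".$(lower "$realm")=$realm"; then
        echo "FAIL: no [domain_realm] mapping .$(lower "$realm") = $realm in $krb"; rc=1
    fi
    # Caveat rather than failure: DES-only enctypes are weak and are disabled
    # by default on current domain controllers.
    if conf_get "$krb" default_tkt_enctypes | grep -q 'des-cbc' \
       && ! conf_get "$krb" default_tkt_enctypes | grep -Eq 'arcfour|aes'; then
        echo "WARN: default_tkt_enctypes is DES-only in $krb"
    fi
    return $rc
}

# Constructed sample files (not real hosts): the listings from this document,
# plus one smb.conf that keeps the "; Change This" annotations inline.
demo=$(mktemp -d)
cat > "$demo/smb.conf" <<'EOF'
[global]
workgroup = MY-ADS
netbios name = samba-srv1
realm = MY-ADS.CORP
security = ADS
password server = dom1.my-ads.corp
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
EOF
cat > "$demo/smb-bad.conf" <<'EOF'
[global]
workgroup = MY-ADS ; Change This
realm = my-ads.corp ; Change This
security = ADS
EOF
cat > "$demo/krb5.conf" <<'EOF'
[libdefaults]
default_realm = MY-ADS.CORP
default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
MY-ADS.CORP = {
kdc = dom1.my-ads.corp
}
[domain_realm]
.my-ads.corp = MY-ADS.CORP
my-ads.corp = MY-ADS.CORP
EOF
ADS_DEMO_DIR=$demo

# On a real server: check_ads_config /etc/samba/smb.conf /etc/krb5.conf
if check_ads_config "$demo/smb.conf" "$demo/krb5.conf"; then echo "good config: PASS"; fi
if ! check_ads_config "$demo/smb-bad.conf" "$demo/krb5.conf"; then echo "bad config: rejected"; fi
```

Run it against the real files before attempting the join; every FAIL line names the value to fix, and the WARN about DES is there so you make a conscious choice about enctypes rather than inheriting them from an old listing.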



  5. Windows Setup

Now it's time to go to a domain controller for the ADS domain. We have a little bit of work to do on there as well.

NOTE: This section will not contain screen shots. If you are doing anything on your ADS domain controller, it is expected that you know what you are doing. If you do not, I suggest you get the assistance of someone who does. I cannot help with any problems or questions regarding Windows. These commands have been verified as ok by my ADS guy, so if you have one of those, check with him/her.

First things first: make sure that on your ADS domain you have a service account for the Linux Samba services. In my case, I created a user called smbservice, but you can use whatever you wish. If you use something different, just make sure you substitute it wherever you see smbservice from here on in this document. The account needs permission to join a computer to the domain; "Domain Admins" membership will do, but it is far more than this account needs, and delegating just the right to create computer objects in the target OU (plus the rights needed to run ktpass against the service account) is the least-privilege choice.

Once you have the service account set up, you need to create a keytab for the host that you are setting up. This is done with the ktpass.exe program. It comes with the Windows Support Tools, so if you don't have it on your domain controller, you can get it from Microsoft.

    Here is the syntax for the ktpass command. Make sure you make the proper substitutions. (NOTE: This command should be typed all on one line without the backslashes.)

Ktpass Command (Cmd. 5-1)


C:\> ktpass /out keytab.samba-srv1 \
  /princ host/samba-srv1.my-ads.corp@MY-ADS.CORP \
  /pass * /mapuser smbservice


NOTE: "/pass *" makes ktpass prompt for a password, and ktpass sets that password on the mapped account (smbservice) as well as writing it into the keytab. So the password you type here is the one the service account has from now on, and it is the one you will give to "net ads join" later.

After generating that file, you need to transfer it to the Linux machine. The keytab contains the host's long-term Kerberos key, so anyone who obtains it can impersonate the Samba server: move it over an encrypted channel (scp, or physical media you control) rather than plain FTP, and delete every copy once it has been imported. The remainder of this document assumes that you have transferred the file and put it in the /tmp directory on the Linux machine. If you put it somewhere else, just substitute that path for /tmp in the remaining commands.

  6. Final Linux Configuration

Now that you have the keytab.samba-srv1 file (or whatever you named the file) on your Linux machine, you need to import it into a Kerberos keytab file. The easiest way to do this is with the ktutil command. Here is a command listing that shows what you need to do.

    Ktutil Command (Cmd. 6-1)


# ktutil

ktutil: rkt /tmp/keytab.samba-srv1
ktutil: wkt /etc/krb5.keytab
ktutil: q



NOTE: "wkt" appends the keys read with "rkt" to /etc/krb5.keytab if that file already exists, so an old host key for the same principal will still be in there; check with "klist -k /etc/krb5.keytab" that the host/samba-srv1.my-ads.corp@MY-ADS.CORP principal is listed. The keytab must be readable only by root ("chmod 600 /etc/krb5.keytab"), and the copy in /tmp should be removed now that it has been imported.

Once you have run those commands and no errors are returned, you are ready to join the Samba machine to the ADS domain. You can do so with the following command:

Net Command (Cmd. 6-2)


# net ads join -Usmbservice


NOTE: This command will ask for a password. The password is the one that you set for the smbservice user on the ADS domain.

That command should return and say:

Joined 'SAMBA-SRV1' to realm 'MY-ADS.CORP'

If it returns anything else as the last line, the join failed. Check that you followed all the steps to the letter, that the user you are using (in this case smbservice) has permission to join a computer to the domain, and that the settings in smb.conf and krb5.conf are all correct. Keep in mind that case counts: there is a difference between MY-ADS.CORP and my-ads.corp when it comes to Kerberos and certain settings in Samba.


  7. Checking your Work

Now that you have made it this far and everything has gone through without errors, you are ready to start checking your work. The first thing to do is to start the winbind service. On Red Hat, this is done with an init script.

    Red Hat Winbind (Cmd. 7-1)


# /etc/init.d/winbind start


On other distributions, it can be done by simply running the winbind command from the command line.

Other Distributions Winbind (Cmd. 7-2)


# /usr/sbin/winbindd


Once winbind is running, there are two more things to set so that winbind can query a domain controller that does not allow anonymous lookups (the normal state of a properly secured ADS domain). The following commands set this information for you:

Winbind Command (Cmd. 7-3)


# wbinfo --set-auth-user=smbservice%password
# wbinfo --domain=MY-ADS


NOTE: These options take two leading dashes. "--set-auth-user" stores the username and password in Samba's secrets.tdb so winbindd can use them for its connection to the domain controller. Because the password is passed on the command line, it will be visible in your shell history and briefly to other users via "ps"; clear it from your history afterwards and use a dedicated service account, never a personal or Domain Admin one.



Once that is set, you should be able to do a test query on the ADS Domain. Here is a command that will list the available users on the ADS Domain:



Wbinfo Command (Cmd. 7-4)


# wbinfo -u


This will show all available users. If this is a long list, it could take a while.


Finally, the last thing you need to edit is the nsswitch.conf file. This is what tells Linux and its programs where to look when they try to look up users and groups. Open the /etc/nsswitch.conf file in an editor and make sure the following lines have winbind on them:

nsswitch.conf (Listing 7-1)


passwd: files winbind

group: files winbind



Now that nsswitch.conf is set up, you can use the getent command to verify that Linux can look up users and groups on the domain.

getent for users (Cmd. 7-5)


# getent passwd


getent for groups (Cmd. 7-6)


# getent group


Each of these will return all of the users and all of the groups on the domain, respectively. If these lists are long, these commands might take a while. You can use the grep command to help filter the list for known users or groups.

The last thing you should need to do now is start Samba. For Red Hat, there is an init script.

Samba Startup (Cmd 7-7)


# /etc/init.d/smb start


For other distributions, see your documentation on how Samba should be started.

Once Samba comes up, you should be able to access the share. You can set permissions on the share for domain users from inside Linux with the chown command; with the settings above, domain users and groups are named DOMAIN+name (for example "chown MY-ADS+jsmith /shares/samba/jsmith"), because "winbind separator = +" and "winbind use default domain = no". If you wish to manage permissions from Windows, the share must live on a filesystem mounted with ACL support (for ext3 that is the "acl" option passed to mount), and your Samba build must have ACL support compiled in. See the man pages for mount and smb.conf for details.
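The checks described in the Final Linux Configuration and Checking your Work sections (keytab locked down, nsswitch.conf routing passwd and group through winbind, winbindd answering and the trust account working) can be collected into one script that you run after the join. This is an added example, not part of the original how-to or of Samba: the function names (keytab_ok, lock_keytab, nsswitch_ok, live_checks) are my own, the sample nsswitch.conf and keytab files it writes to a temporary directory are constructed so the offline checks can be demonstrated without a domain, and the live checks only run when wbinfo, getent and klist are actually present on the host.

```shell
#!/bin/sh
# Added example (not from the original how-to): post-join checks for the
# keytab, nsswitch.conf and winbind. Assumes POSIX sh; wbinfo, getent and
# klist are only called when they exist on the host.

# The keytab holds the host's long-term Kerberos key: anyone who can read it
# can impersonate the server. Require a non-empty file with mode 0600
# (and, on a real system, owned by root).
keytab_ok() {  # keytab_ok FILE
    [ -s "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Tighten permissions on an imported keytab and remove the transfer copy
# that was left in /tmp (or wherever it was copied to).
lock_keytab() {  # lock_keytab KEYTAB [TRANSFER_COPY]
    chmod 0600 "$1" || return 1
    if [ -n "$2" ] && [ -f "$2" ]; then rm -f "$2"; fi
    keytab_ok "$1"
}

# nsswitch.conf must route both passwd and group lookups through winbind,
# or getent and file ownership by domain users will not work.
nsswitch_ok() {  # nsswitch_ok FILE
    grep -Eq '^[[:space:]]*passwd:[[:space:]]*(.*[[:space:]])?winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:[[:space:]]*(.*[[:space:]])?winbind([[:space:]]|$)' "$1"
}

# Live checks against the domain; each is skipped when the tool is absent so
# the script still runs on a machine that is not joined.
live_checks() {  # live_checks DOMAIN
    if command -v wbinfo >/dev/null 2>&1; then
        wbinfo -p && echo "winbindd answers"             # ping winbindd
        wbinfo -t && echo "machine trust account OK"     # secret shared with the DC
        wbinfo -u | head -n 5                            # first few domain users
        if command -v getent >/dev/null 2>&1; then
            getent passwd | grep "^$1+" | head -n 5      # DOMAIN+user via nsswitch
        fi
    fi
    if command -v klist >/dev/null 2>&1 && [ -r /etc/krb5.keytab ]; then
        klist -k /etc/krb5.keytab || echo "klist could not read the keytab"
    fi
}

# Constructed demo files (not the real /etc files) so the offline checks
# can be exercised anywhere.
demo=$(mktemp -d)
printf 'passwd: files winbind\nshadow: files\ngroup: files winbind\n' > "$demo/nsswitch.good"
printf 'passwd: files\ngroup: files\n' > "$demo/nsswitch.bad"
printf 'fake keytab bytes\n' > "$demo/krb5.keytab"; chmod 0644 "$demo/krb5.keytab"
printf 'fake keytab bytes\n' > "$demo/keytab.samba-srv1"
CHECK_DEMO_DIR=$demo

if nsswitch_ok "$demo/nsswitch.good"; then echo "nsswitch.good: winbind present"; fi
if ! nsswitch_ok "$demo/nsswitch.bad"; then echo "nsswitch.bad: winbind missing"; fi
if ! keytab_ok "$demo/krb5.keytab"; then echo "keytab is world-readable, locking it down"; fi
if lock_keytab "$demo/krb5.keytab" "$demo/keytab.samba-srv1"; then echo "keytab locked to 0600"; fi
# On a real server: lock_keytab /etc/krb5.keytab /tmp/keytab.samba-srv1
#                   nsswitch_ok /etc/nsswitch.conf && live_checks MY-ADS
live_checks MY-ADS
```

On the real server, run lock_keytab on /etc/krb5.keytab right after the ktutil import, then nsswitch_ok on /etc/nsswitch.conf and live_checks with your domain's NetBIOS name; "wbinfo -t" failing after a successful "wbinfo -p" usually means the join itself did not complete.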

And that should be it. If you have any further questions, please feel free to email me. Also, email me if I missed something that you think should be included. Here's the address, changed slightly to avoid web page crawlers.


jason at tulg dot org.

Happy sharing.


Oh and here's some other downloadable formats for those out there who like prettier, printable versions.

.doc format
OpenOffice/StarOffice