How to integrate Samba into Active Directory (UPDATED).

[maalth]

How to integrate Samba (file sharing) using Active Directory for authentication (basic stuff).- Updated 13 Apr 2004.

Alright, I'll have to go on my notes, I did this on Thanksgiving Day, so I may not remember everything I did. Anyway, here goes:

• Active Directory should already be implemented and working. If you need help, there's plenty of help on the net.
• Your Windows system should be secured and patched.
• You have Gentoo Linux installed of course
• With the config files, you need to change example.com to match your domain.

Okay, now the basics are done, let's begin the install process.

Step 1: Emerge openldap. No configuration is necessary. However, AD support will not be compiled into samba without it.
Step 2: Emerge mit-krb5. Configure the file /etc/krb5.conf as follows:

Code: Select all

[libdefaults]
   default_realm = EXAMPLE.COM
 
   [realms]
   EXAMPLE.COM = {
        kdc = adserver.example.com
   }

Add this line to /etc/hosts:

Code: Select all

1.2.3.4    adserver.example.com   adserver

You need this to make sure you can connect to the AD server, even when DNS is down.

Notes about this config file, do NOT change the case of EXAMPLE.COM because you will get the following error message: "Cannot find KDC for requested realm while getting initial credentials". Also, do NOT comment the config file because the kerberos client will not read the config file correctly.

Step 3: We will stop here and test kerberos to ensure you can see the AD domain type in this command:

Code: Select all

kinit Administrator@EXAMPLE.COM

It will ask for the password; if you type in correctly; then you will be returned to the prompt which means it worked. Pat yourself on the back. You've done the easy part!

Step 4: We are now going to emerge samba. You can do this one of two ways:

1. Add kerberos and ldap to your USE flags make.conf file. Emerge samba using the following command:

   Code: Select all

   emerge samba

   OR
2. Type in the following command:

   Code: Select all

   USE="kerberos ldap" emerge samba

IMPORTANT: kerberos and ldap MUST be included, winbind will NOT work without those flags!

Use the command

Code: Select all

emerge -pv kerberos

The resulting line should look similar to this (this is on my system):

Code: Select all

[ebuild   R   ] net-fs/samba-3.0.2a -acl +cups +kerberos +ldap +mysql -oav +pam +python +readline +xml  127 kb

Simply put, pick option 1 or 2; samba takes a little time to compile and install. Once samba is installed, you need to configure it. You can use this example samba file:

Code: Select all

# Separate domain and username with '+', like DOMAIN+username
[global]
        netbios name = SERVERNAME <- I recommend the same name as the server.
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 <- Tweak this to get the best speed out of your connection
        idmap uid = 10000-20000 <- This is for mapping uids between linux server and AD
        winbind enum users = yes <- This allows you to bind users.
        winbind gid = 10000-20000 <- This is for mapping gids between linux server and AD
        workgroup = WORKGROUP <- Change to match the NETBIOS name of the AD domain.
        os level = 20 <- This is for the master browser priority.
        winbind enum groups = yes <- This allows you to use the Active Directory groups
        socket address = 1.2.3.4 <- Change this to match the IP address or remove it to listen to all addresses.
        password server = * <- I recommend this if you have more than one server; I do in my case.
        preferred master = no <- You do NOT want to be a master browser.
        winbind separator = + <- See the first line comment.
        max log size = 50 <- In K
        log file = /var/log/samba3/log.%m <- This allows logging activities for each machine.
        encrypt passwords = yes <- Active directory does NOT accept plaintext passwords.
        dns proxy = no <- You don't want anything to do with DNS.
        realm = EXAMPLE.COM <- This is for kerberos.
        security = ADS <- Active directory server provides security for the shared resources.
        wins server = 1.2.3.4 <- Change to IP address of your installed WINS server
        wins proxy = no <- You don't want to proxy WINS either.

# Shares section
[mp3]  <- Name of the share.
        comment = MP3 Repository <- A comment...
        writeable = yes <- If you want users to update the directory
        path = /home/mp3 <- Where is the share on the linux server
        force user = mp3 <- Should be the name of the user who is responsible for the share.

Step 5: Fire up samba; check to make sure it's running.

Code: Select all

 /etc/init.d/samba start

Step 6: Join your samba server to your domain by typing in this command:

Code: Select all

net ads join -U Administrator

It will ask you for a password, type your password in. If you typed it in correctly, you will see the message that says: Joined 'SERVERNAME' to realm 'EXAMPLE.COM.' If you check your AD server, the machine account for your system will appear under computers.

Step 7: We are going to test winbind to ensure windows authentication does indeed work. Winbind allows you to use Active Directory for user authentication (see link 2 for more info). The steps for using and testing winbind are gleaned from link 2.

You need to edit the file /etc/nsswitch.conf You need to change two lines to look like this (other lines removed to keep this post short as possible):

Code: Select all

passwd:      compat winbind
shadow:      compat
group:       compat winbind

Let's test the winbindd daemon before we make it permanent. Fire up winbindd by typing

Code: Select all

winbindd

You can also make winbindd run as two processes (which is faster; but for these purposes, let's run it as one). Winbindd runs in dual daemon mode by default.

Since there is no visual confirmation whether or not it's running, you can check with ps to ensure it is indeed running.

Code: Select all

ps -ae | grep winbindd

The results should be something similar to this:
13324 ?        00:04:23 winbindd
13325 ?        00:00:00 winbindd

If you get an error message instead of the above, then you didn't compile kerberos and ldap support in and need to do that before anything will work

Let's make sure we can see the contents of Active Directory. Type in this command:

Code: Select all

wbinfo -u

This is the results from my system (changed for integrity), yours should be similar.

Code: Select all

EXAMPLE+test <- test account on AD
EXAMPLE+test2 <- test account on AD
EXAMPLE+Administrator
EXAMPLE+Guest
EXAMPLE+TsInternetUser
EXAMPLE+krbtgt
EXAMPLE+MACHINE1$ <- test machine 1
EXAMPLE+MACHINE2$ <- test machine 2
EXAMPLE+MACHINE3$ <- test machine 3
EXAMPLE+HOST/servername <- samba machine
EXAMPLE+DOMAINCONTROLLER$

To see the groups, use this command:

Code: Select all

wbinfo -g

You should see a result similar to this:u should see a result similar to this:

Code: Select all

EXAMPLE+Domain Computers
EXAMPLE+Domain Controllers
EXAMPLE+Schema Admins
EXAMPLE+Enterprise Admins
EXAMPLE+Cert Publishers
EXAMPLE+Domain Admins
EXAMPLE+Domain Users
EXAMPLE+Domain Guests
EXAMPLE+Group Policy Creator Owners
EXAMPLE+DnsUpdateProxy

We can get a username from both the local linux server and the Active Directory server by typing in this command:

Code: Select all

getent passwd

I will not post the results of this command for security reasons, but you should see a list of local users with the Active Directory users appended.

For groups, type in getent group
I will not post the results of this command for security reasons, but you should see a list of local groups with the Active Directory groups appended.

I would suggest reading the info in link 2 for more things you can do with other authentication with AD.

If everything has worked as above, pat yourself on the back! Good job!

Step 8: If you didn't configure a share yet; do so now. You need to restart samba if you created a share.

You should join any machine you want to access the samba resources to your Active Directory Domain. Use a machine that's joined to the AD domain to see if your share appears via network neighborhood.

If you want samba and winbind to run on startup, type in the following commands:

Code: Select all

rc-update add samba default
rc-update add winbind default

That's it for now, any problems, something is unclear, or questions, let me know and I will do my best to help you.

Resources:

The samba/ADS howto: http://us1.samba.org/samba/docs/man/dom ... ads-member
Helpful info for winbind: http://us1.samba.org/samba/docs/man/winbind.html[b][/b]

[PoLiPiE]

and the rest????

[floam]

Nice.

[maalth]

Sorry, I was finishing up the doc. I had to move from the Windoze machine to my linux machine because my config files were there.

[maalth]

and the rest????

It's done.

[Tom.Fischer]

Okay, now it's ready

Hi,

complemental to Original-Poster here is my solution for authentificating Users against the Active Directory. First you need the ad4unix Kit. You can download it form http://www.padl.com/download/MKSADPlugins.msi Install it on your AD-Schema Server and everywhere where you add new Users. Make sure that you have the rights to update the Schema on the AD-Server. Here is a short Description on how to enable Schema-Update

Code: Select all

regsvr32 c:\winnt\system32\schmmgmt.dll
Open a new mmc an add Active-Directoy Schema
right-click on it an go to Operations Master
Activate the checkbox The Schema may be modified on this Domain Controller

Note: you have to install the Extensions only on the Schema-Master, the one who own the FSMO Role "Schema Master". The Snap-In you have to install on all Computers where you want to add New Users.

You must add a User for every host which should authenticate in your AD and run this command for getting a keytab file:

Code: Select all

ktpass -princ nssldap/<hostname> -pass password -mapuser <account> -out <host>_keytab

Copy the keytab on a secure way to your linux host.

On the Linux Side do the following, assuming that you followed the Hints in the first Post (If not install kerberos and openldap with the USE-Flags mentioned above. NOTE: You don't need Samba for the Authentfication to work)

Code: Select all

emerge pam
emerge nss_ldap
emerge pam_ldap

If you want sasl (for cyrus imapd for example) also emerge cyrus-sasl.

Code: Select all

USE="ldap kerberos pam" emerge cyrus-sasl

Edit /etc/krb5.conf to the following and change things to your need :

Code: Select all

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = dc.example.com:88
  admin_server = dc.example.com:464
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Now you shoul be able to obtain a ticket form the AD-Server. Test it with

Code: Select all

kinit user
klist user

You should get back something like this:

Code: Select all

 Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM:

Valid starting     Expires            Service principal
07/16/02 13:01:03  07/16/02 23:01:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

If this works we install the teytab file created earlier on the AD-Server.

Code: Select all

ktutil
  rkt <host>_keytab
  list
  wkt /etc/krb5.keytab
  q

Place this line in crontab:

Code: Select all

0       */2     *       *       *       /usr/bin/kinit -k -c /etc/.ldapcache -S ldap/dc.example.com nssldap/host && chmod a+r /etc/.ldapcache

Edit /etc/nsswitch.conf to look something like this:

Code: Select all

# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:     ldap files
group:      ldap files
shadow:     ldap files

Now edit /etc/ldap.conf:

Code: Select all

host dc.example.com
base dc=example,,dc=com
binddn cn=host,ou=OrganistaionUnit,dc=example,dc=com
scope one
#use_sasl on

# SASL authorization ID
sasl_auth_id nssldap/proxysrv

nss_base_passwd ou=OrganistaionUnit,dc=example,dc=com?one
nss_base_shadow ou=OrganistaionUnit,dc=example,dc=com?one
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad

I have a Organisation Unit in AD for my Users so I'm not using the Users OU. Change this to your needs. Notice that I have disabled SASL here because i had problems with local logins and SASL, maybe I will have a deeper look at this later but saslauthd -a pam works without it!

Last but not least copy the necessary pamd COnfigurations from /usr/share/doc/pam_ldap/pam.d to your /etc/pam.d and gunzip then.

Note I'm still not able to log in over ssh. I don't know why, sshd returny always
Failed password for user from xxx.xxx.xxx.xxx port 44732 ssh2

login and imap works for me. Maybe later i will have a closer look, but i don't need it this time.

Have fun.

Most of this stuff is from: http://www.hut.fi/cc/docs/kerberos/nss_ldap.html

[maalth]

While your solution is a good one, what I was writing was a doc to set up file sharing on a linux server, but using Active Directory to authtenticate. I apologize if what I wrote is misleading.

[Tom.Fischer]

Thx, i saw it as an addition to yours.

[karwoski]

Thanks for the guide. I made it through all the steps and the gentoo machine shows up on my network now but when I try to view the shares on it I get prompted for login credentials. Is there another step or something I've missed?

[maalth]

Actually, if you don't log on to the domain, it won't ask for credentials. I'll double check to be sure.

** Update **
Yes I am correct... you do have to log on to the domain for the credentials to be "pass through" You can always map a drive letter to the share and permanently remember the password, as long as group policy don't stop you from doing it.

[karwoski]

I'm not sure I follow you. Here's what I'm trying to do: My workstation is joined to an Active Directory domain and I've got a Linux box that I joined to the domain following the above instructions. When I browse from my Windows 2000 workstation to \\linuxbox\, I get prompted for a username and password. Regardless of what username/pass I give it (domain\username and pass; username and pass) I can't view the shares on the linux box.

[maalth]

Are you logged into the domain? Did you create a username/password on the AD server? Try that, it may help.

[karwoski]

Yeah, I'm logged into the domain. What's type of environment are you using this setup in, anything similar to my previous post or is it a bit different?

[maalth]

My AD server is a vmware machine. It shouldn't make a difference though. As long as all the machines on the network can see it, you should be fine. In addition, the machine should be joined to the AD directory. Something definitely strange is going on.

[karwoski]

OK. I'll keep playing with it as I have time and if I get it figured out I'll post what I find. Thanks.

[TheZog]

I'm attempting to convert an office from mostly Win2k to mostly Linux, however the servers have to Win2k. So I'm trying to use the Active Directory to authenticate all users regardless of OS.
I've been all through Goolge looking for an up-to-date step-by-step or at least some instructions, so far this is one of the best I've seen.
Is the ad4unix.msi really necessary? I'm loathe to make changes to our schema. Are there issues with using the default one?
I must say that although I've been using Linux as both workstation and server for the past 4 years I am unfamiliar with LDAP and modifing PAM or using NIS.

Oh, and I can't find the file "ktpass" even though I have mit-krb5 installed.

Any help would be great!

[Lightspeed]

TheZog: the "ktpass" command is something to be executed on the windows server, not on the linux box, hence the reason you can't find it on the linux machine.

I'm trying to work my way through setting up AD authentication for linux clients as well but getting errors referring to:

"/lib/libnss_ldap.so.2: undefined symbol: __db185_open"

I thought I had gone through all the steps above, but this error appears all over the place now

[TheZog]

Ok thanks, I see that ktpass thing now that I've reread the the doc a few times.
However I'm still confused on some issues.
In the line:
ktpass -princ nssldap/<hostname> -pass password -mapuser <account> -out <host>_keytab

What exactly do the variables <hostname> <host> <account> stand for? The workstation's hostname? If so is that FQDN? I'm a bit lost.
I have kinda the same question in regards to the crontab section:
0 */2 * * * /usr/bin/kinit -k -c /etc/.ldapcache -S ldap/dc.example.com nssldap/host && chmod a+r /etc/.ldapcache

Should nssldap/host = nssldap/wkstn01 or whatever my workstation's hostname is?

Why do we need to create a USER account on the AD server for the workstation? Can't we just add it to the domain with Samba3?

Also I had to add "TLS_REQCERT allow" to my ldap.conf file because the SSL enabled ldapsearches would fail with a Could not find/connect to server error. I'm not sure if that's due to my not having the keytab file installed or not, probably...

I really do apprecitate the help. I have a limited amount of time to demo a working MS replacement desktop using Linux before the boss decides just to spend several tens of $k on MS licenses instead. Most of my tests are going ok except for
1) An easy way to map a user's homedir to their previous //win2kserver/userdata/{userid} share.
2) Getting an ODBC connection to a MS-SQL server to work for a Wine app.

It's gonna be a long weekend....

[backjackII]

I get the following error while trying to to test whether password is accepted by the domain KDC:

Code: Select all

mojo:/etc # kinit Administrator
Administrator@mydomainname.com's Password:
kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP

Here is my configuration. I have, of course, changed mydomainname.com to my actual name.

Code: Select all

[libdefaults]
        default_realm = MYDOMAINNAME.COM
        #clockskew = 300

[realms]
        MYDOMAINNAME.COM = {
                kdc = ad.mydomainname.com
          }

[domain_realm]
        .mydomainname.com = mydomainname.com
        #mydomainname.com = mydomainname.com

[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
                debug = false
        }

[ritjobbie]

I followed the above tutorial. However, I still have problems... I have successfully joined the Linux box to the domain. I now am trying to create a share on the Linux box that can be accessed by users of our Win2k AD environment. When you try to map the share, it just keeps asking for the username and password over and over. kinit works fine on the Linux box. I can connect to a Windows share in the domain from the Linux box with transparant passthrough via smbclient, but what I really need to happen is in the opposite direction. I have no idea what the errors in my samba log mean (below).

Am I making a n00b mistake? Does Coyboyneal own me?

Blelow is my smb.conf, krb5.conf, and the output of /var/log/samba3/log.blah:

smb.conf

Code: Select all

# Separate domain and username with '+', like DOMAIN+username
[global]
netbios name = PHASERTEST
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
workgroup = MAIN
os level = 20
winbind enum groups = yes
password server = *
preferred master = no
winbind separator = +
max log size = 512
log file = /var/log/samba3/log.%m
encrypt passwords = yes
dns proxy = no
realm = MAIN.AD.SOMEDOMAIN.EDU
security = ADS
wins server = ?.?.3.95
wins proxy = no
winbind use default domain = no
 
[pub]
        comment = pub test
        writeable = yes
        path = /pub

krb5.conf

Code: Select all

[libdefaults]
        default_realm = MAIN.AD.SOMEDOMAIN.EDU
 
[realms]
        MAIN.AD.SOMEDOMAIN.EDU = {
                kdc = svits03.SOMEDOMAIN.edu
                kdc = svits04.SOMEDOMAIN.edu
                kdc = svits15.SOMEDOMAIN.edu
        }

/var/log/samba3/log.?.?.13.196 (these same messages repeat about 40 times a second for a few seconds). svits13 is the Windows machine that I was trying to map a share on. The share is shared from \\phasertest\pub. cosdss is my username (domain admin on AD).

Code: Select all

[2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
[2004/03/04 09:23:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
[2004/03/04 09:23:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system

This was in /var/log/samba3/log.svits13 (again, svits13 is the WINS name of a windows box)

Code: Select all

[2004/03/04 09:25:56, 0] auth/auth_util.c:make_server_info_info3(1100)
  make_server_info_info3: pdb_init_sam failed!

Again, I just want Windows users to be able to get to a share on this Linux box. Help?

~Jay

[ritjobbie]

WORD UP! I got it working. I had to add winbind to the /etc/pam.d/samba config file, duh.

*whew*

[xavior2180]

ritjobbie: how did you configure your /etc/pam.d/samba file?

i've edited mine so now i have the following:

Code: Select all

auth       required     /lib/security/pam_winbind.so nodelay
account    required     /lib/security/pam_winbind.so service=system-auth
session    required     /lib/security/pam_winbind.so service=system-auth
password   required     /lib/security/pam_winbind.so nodelay smbconf=/etc/samba/smb.conf

i basically just changed where it had smbpass.so or pam_stack.so to pam_winbind.so but i have the same problem as you had initially, where it wouldn't accept a username from the windows domain. i don't think this is what i'm supposed to have in there exactly, and i couldn't find any documentation for what to put exactly, even on the samba manual.

[ritjobbie]

Code: Select all

#%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth       required     pam_smbpass.so nodelay
auth       sufficient   /lib/security/pam_winbind.so try_first_pass
account    required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf

I still can't get /etc/pam.d/login right so that users can log in to a console. I haven't tried playing with /etc/pam.d/ssh yet. Also, for me it takes about 2 or 3 minutes before someone can access a samba share after winbind starts up. I restarted winbind and thought that I had broken something, but it just takes forever to do its business with AD or something...

~Jay

[xavior2180]

Code: Select all

#%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth       required     pam_smbpass.so nodelay
auth       sufficient   /lib/security/pam_winbind.so try_first_pass
account    required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf

I still can't get /etc/pam.d/login right so that users can log in to a console. I haven't tried playing with /etc/pam.d/ssh yet. Also, for me it takes about 2 or 3 minutes before someone can access a samba share after winbind starts up. I restarted winbind and thought that I had broken something, but it just takes forever to do its business with AD or something...

~Jay

THANKS! it works like a charm now

i wasn't really concerned about the other services as i was the samba server tho. i don't get the delay that you're talking about, but if i set permissions on the AD server on a shared folder, it does seem to take a little while for the permissins to propagate.

[ritjobbie]

If anyone does have a working /etc/pam.d/login that allows console logins, please let me know (or just post here). I have been trying to get it working for a while now, but I suck. This thread was a ton of help, but I am just missing something, I think...

I'm going to try netatalk next. =)
~Jay