SAMBA 3 Authenticating to a Windows 2003 Active Directory HOWTO

Finally got a good method down and it works consistently… You can read it in straight HTML too.
Everything done in this howto is done with root permissions. It is always best to start out with a completely updated machine:
yum upgrade

Next it is important to make sure that you have the Kerberos files on your machine:
yum install krb5-server krb5-workstation

Next you need to edit the /etc/krb5.conf file so that it looks similar to this (case IS important; the realm, KDC host, admin server and domain names shown here are the site-specific values you need to change for your own domain):

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EDMONSON.KETSDS.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
EDMONSON.KETSDS.NET = {
kdc = ed151000d1.edmonson.ketsds.net
admin_server = 10.76.16.50:749
default_domain = edmonson.ketsds.net
}
[domain_realm]
.example.com = EDMONSON.KETSDS.NET
example.com = EDMONSON.KETSDS.NET
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Now it is a good idea to add your domain controller to your /etc/hosts file. That way, if something happens to DNS, you can still resolve it. Next, edit the /etc/samba/smb.conf file. There are several things to add and change here (again, case is important; lines marked "change:" already exist and need their values changed, lines marked "add:" need to be added):
change: workgroup = EDMONSON
add: realm = EDMONSON.KETSDS.NET
change: server string = Linux Samba File Server
change: security = ADS
change: encrypt passwords = yes
change: preferred master = no
add: template shell = /bin/false
add: template homedir = /home/%D/%U
add: idmap uid = 10000-20000
add: idmap gid = 10000-20000
add: enhanced browsing = no
add: winbind use default domain = yes
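As an added check (example code written for this edit, not part of the original post and not Samba's own tooling), the following Python script parses a krb5.conf and an smb.conf and verifies the settings the two steps above must agree on before you run net ads join: security = ADS, an upper-case realm in smb.conf that matches default_realm, a [realms] block that names a kdc, a [domain_realm] mapping for that realm's default_domain, and no single-DES enctypes. The sample configs embedded in it are constructed from the listings above and trimmed to the relevant keys; on a real host you would read /etc/krb5.conf and /etc/samba/smb.conf instead. Run against the configs as posted it reports that [domain_realm] still maps example.com rather than the realm's own domain, and that the three enctype lists allow DES; with those two things corrected it reports nothing.

```python
# Sample configs constructed from the HOWTO's listings above, trimmed to the
# security-relevant keys; on a real host read /etc/krb5.conf and
# /etc/samba/smb.conf instead of these strings.
KRB5_CONF = """\
[libdefaults]
default_realm = EDMONSON.KETSDS.NET
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
[realms]
EDMONSON.KETSDS.NET = {
kdc = ed151000d1.edmonson.ketsds.net
default_domain = edmonson.ketsds.net
}
[domain_realm]
.example.com = EDMONSON.KETSDS.NET
example.com = EDMONSON.KETSDS.NET
"""
SMB_CONF = r"""
[global]
workgroup = EDMONSON
realm = EDMONSON.KETSDS.NET
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
[vivnenoi]
valid users = EDMONSON\lamar.miller EDMONSON\jcarnes
"""
# Same krb5.conf with both defects corrected: [domain_realm] maps the real DNS
# domain, and single DES is dropped (RC4-HMAC is the strongest enctype a
# Windows 2003 DC offers; AES needs Windows Server 2008 or later).
KRB5_CONF_FIXED = (KRB5_CONF.replace("example.com", "edmonson.ketsds.net")
                   .replace("DES-CBC-CRC DES-CBC-MD5 RC4-HMAC", "RC4-HMAC"))
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}  # 56-bit single DES


def parse_krb5(text):
    """krb5.conf -> {section: {key: value | {subkey: value}}} (one level of '{' nesting)."""
    conf, section, block = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        else:
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":
                block, conf[section][key] = key, {}
            else:
                (conf[section][block] if block else conf[section])[key] = val
    return conf


def parse_smb(text):
    """smb.conf -> {section: {key: value}}; keys are case- and whitespace-insensitive."""
    conf, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        else:
            key, _, val = (p.strip() for p in line.partition("="))
            conf[section][" ".join(key.lower().split())] = val
    return conf


def check_ads_setup(krb5, smb):
    """Return a list of problems; an empty list means the two files agree."""
    problems, g, lib = [], smb.get("global", {}), krb5.get("libdefaults", {})
    realm, default_realm = g.get("realm"), lib.get("default_realm")
    if g.get("security", "").upper() != "ADS":
        problems.append("smb.conf: security must be ADS")
    if not realm:
        problems.append("smb.conf: realm missing from [global]")
    elif realm != realm.upper():
        problems.append("smb.conf: realm must be upper case")
    elif realm != default_realm:
        problems.append(f"realm mismatch: smb.conf {realm} vs krb5.conf {default_realm}")
    problems += [f"smb.conf: {k} missing from [global]" for k in
                 ("winbind use default domain", "idmap uid", "idmap gid") if k not in g]
    rb = krb5.get("realms", {}).get(default_realm)
    if not isinstance(rb, dict) or "kdc" not in rb:
        problems.append(f"krb5.conf: no [realms] block with a kdc for {default_realm}")
    else:
        dom = rb.get("default_domain", "").lower()
        mapped = {k.lower() for k, v in krb5.get("domain_realm", {}).items() if v == default_realm}
        if dom and not ({dom, "." + dom} & mapped):
            problems.append(f"krb5.conf: [domain_realm] does not map {dom} to {default_realm}")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "preferred_enctypes"):
        weak = sorted(WEAK_ENCTYPES & set(lib.get(key, "").lower().split()))
        if weak:
            problems.append(f"krb5.conf: {key} allows single-DES enctypes {weak}")
    return problems


if __name__ == "__main__":
    for label, text in (("as posted", KRB5_CONF), ("fixed", KRB5_CONF_FIXED)):
        found = check_ads_setup(parse_krb5(text), parse_smb(SMB_CONF))
        print(f"{label}: {found or 'no problems'}")
```

The parsers are deliberately minimal (no include directives, no quoted values) so that the cross-checks stay readable; the point is that the realm and domain names in the two files have to line up exactly, and that an enctype list copied from an old template silently keeps DES on the table.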

After you get those edited then it is a good idea to run testparm and correct any errors that you get. With just the changes that I posted above there shouldn't be any errors.
Next start SAMBA and join the machine to the domain using the commands:
/etc/init.d/smb start
net ads join -U bnorris@EDMONSON.KETSDS.NET

Again case is important. The program should ask you for your network password and then it should join the box to the network.
If all went well you need to stop SAMBA while you finish up the pieces:
/etc/init.d/smb stop

Now we need to edit /etc/nsswitch.conf and tell the machine to use Winbind to authenticate people.
change: passwd: files winbind
change: group: files winbind

Now we can start Winbind and SAMBA back up:
/etc/init.d/winbind start
/etc/init.d/smb start

Test to make sure it is working using wbinfo:
wbinfo -u
wbinfo -g

Those commands should give you a list of users and groups from your domain. If you have a particularly complex domain with lots of trusts and such, you might want to limit wbinfo to one domain with the --domain=EDMONSON option. If wbinfo hangs and never returns, you will need to stop and start Winbind to get it working again.

You can also get some info about your connection to the domain with:
net ads info

Now you need to enable extended Access Control Lists (ACLs) on the filesystem you will be using. This gives you access to extended security settings similar to Windows file permissions. To change this, edit /etc/fstab. You might not want to enable ACLs on all of your filesystems, as it adds some overhead you might not need. Find the entry for the filesystem you want ACLs on and edit its options field (the fourth field, which usually says defaults): append ,acl to the options already there, so that, for example, defaults becomes defaults,acl.

Now you need to unmount that filesystem and remount it. The easiest way to do that is to just reboot the machine, since sometimes there might be users with files open and you can't unmount while that is going on.

Now if you are planning on giving your users home folders you need to make their directories. I cheated a little and did the following to quickly create mine:
# list domain users, dropping machine accounts (names ending in $)
wbinfo -u --domain=EDMONSON | grep -v '\$$' | sort > ~/temp
# read one name per line so names containing spaces stay intact
while IFS= read -r i ; do
mkdir -p "/home/EDMONSON/$i"
setfacl -m u:"EDMONSON\\$i":rwx "/home/EDMONSON/$i"
done < ~/temp

That should give you a directory for every user with them having full control of that directory. I think there is an option to SAMBA to get it to do this when a user connects to the machine, but I couldn't find it quickly today to set it. If anyone knows what it is, just let me know and I will edit this to get it in there.

So there you go. You should now have a machine that will authenticate to the AD and show you the shares that you are allowed to access. If you want to add shares for specific users it isn't too tough, just add them to /etc/samba/smb.conf
A good template share definition looks something like this:
[vivnenoi]
comment = wireless to connect field
path = /home/shares/vivnenoi
valid users = EDMONSON\lamar.miller EDMONSON\jcarnes EDMONSON\bnorris
public = no
writable = yes
printable = no
create mask = 0765

I have also written a shell script that can be accessed through a webpage to dynamically generate shares for groups of users. I will post in another entry soon.


60 Responses to SAMBA 3 Authenticating to a Windows 2003 Active Directory HOWTO

  1. ndbinh says:

    Dear Brent,
    I was trying to join a Samba server to AD 2003 but I can't. I have some problem; the error info is:

    [root@TESTER ~]# net ads join -U Administrator@DIGI-TEXX.LOCAL
    Administrator@DIGI-TEXX.LOCAL's password:
    Using short domain name -- DIGI-TEXX
    Failed to set servicePrincipalNames. Please ensure that
    the DNS domain of this server matches the AD domain,
    Or rejoin with using Domain Admin credentials.
    Deleted account for 'TESTER' in realm 'DIGI-TEXX.LOCAL'
    Failed to join domain: Type or value exists

    Can you tell me how to fix the error?

    Thanks & best regards.

  2. Santosh Sonavale says:

    Dear Sir,

    I joined my Linux machine to a Windows 2003 domain. Actually I want to make my Linux machine (OS RHEL5) a file server for all domain users. I want to take a backup of all Windows domain client machines to my Linux machine. So I want to create a directory for each user in which the user can store up to 5GB of data. I don't want to create smbusers as per the domain list & smbpasswd as per the domain. The Linux machine should authenticate with the Windows domain controller so a domain user can easily access the directory assigned to that user on the Linux machine.

    Waiting for your reply ASAP.

    Regards,

    Santosh Sonavale.

  3. Lawrence Okpoho says:

    I got this error when I type net ads join -U username@DOMAIN
    ads_connect: Transport endpoint is not connected

  4. oes tsetnoc says:

    Hi, Just like to tell you that this piece of info is one quick to the point, no nonsense, workable and effective way to have directories shared in Ubuntu as fast as possible. It worked for me and thank you for the effort. Keep up the good work.

  5. Andres PH says:

    Thanks for your article, I am not so experienced with Linux but I got it.
    I am using Linux CentOS 3.9 with Win2k3R2 servers and it is working fine.
    I saw that some people did not get it and this is why I want to collaborate, considering that I also didn't get it the first time.
    1. In /etc/samba/smb.conf all lines to "add:" have to be in the [Global] section
    2. Before joining the domain with #net ads join…, you have to synchronize the Linux server time with the AD server using the command:
    #ntpdate
    or using the GUI in SystemSetting/DateTime (enable network time protocol and declare your AD server)
    3. You have to set the smb and winbind services to start automatically; do this using the GUI in Services
    4. In my case I will use the Linux box as a printer server and just share the /home partition with full access for AD Domain Users
    5. When setting the ACL for the partition where you want to create user folders it is better to explicitly declare it starting with /dev/… as in my case:
    /dev/hda5 /home ext3 defaults,acl 1 2
    because it was (and leave it commented):
    LABEL=/home /home ext3 defaults 1 2
    6. I give access to /home to all domain users:
    #setfacl -m g:"MYDOMAIN\Domain Users":rwx /home
    7. I confirmed the assignment with
    #getfacl /home
    and this line appears:
    group:Domain Users: rwx
    8. Now every user that is in the domain can connect to the Linux server with full access to the /home partition without being asked for user/password
    9. Only on the PCs that are not in the domain, i.e. in a workgroup, I have to log in with user@mydomain.com and password, using the credentials of some account from AD
    10. I also can see the printers shared on the Linux server but I still can connect to it; if someone can help me I will appreciate it, otherwise I will search how to do it by myself
    thanks.

  6. slarti says:

    Hi Brent,

    I found your site by trying to solve my problem for the last 4 days. Maybe you can help.

    I have Fedora 11 trying to join an MS 2003 R2 AD server. I followed all the steps you outlined and then did some more experimenting, but I am consistently getting the same error:

    net ads join -U administrator
    Enter administrator’s password:
    [2010/02/14 04:33:01, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Failed to join domain: failed to connect to AD: Invalid credentials

    the net ads info works :

    net ads info
    LDAP server: 192.168.1.5
    LDAP server name: bluead.blueteam.local
    Realm: BLUETEAM.LOCAL
    Bind Path: dc=BLUETEAM,dc=LOCAL
    LDAP port: 389
    Server time: Sun, 14 Feb 2010 04:51:54 CET
    KDC server: 192.168.1.5
    Server time offset: 0

    I can't join the domain. Is there anything I am missing?
    Do you need more info from me?
    Please help.

    Thanks,
    Mirek

  7. ilayaraja says:

    Thanks for your article. I successfully configured and joined Samba with my Windows 2003 ADS.

  8. Cloud81918 says:

    I just want to drop a thanks, I’ve been following another how-to and ended up with everything the way they wanted, but it wasn’t working. With your walk through I had it up in minutes. Thanks again for taking the time to put this up.

    -Jerred

  9. brahma says:

    Hi,
    I set up Samba as you mentioned and added the domain to Samba. While testing with net rpc it shows JOINED OK, but testing with net ads shows the following error. Also, I have not added ACLs. Please help me.

    [ samba]# net ads join -U Administrator%welcome*123
    [2011/07/21 18:30:26, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Failed to join domain: Invalid credentials
    [ samba]# net rpc join -U Administrator%welcome*123
    Joined domain PLATFORM.

  10. brahma says:

    My access log returns the following message

    failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.]
    [2011/07/21 18:30:26, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
    NTLMSSP BH: NT_STATUS_ACCESS_DENIED

    MY KDC server info

    LDAP server: 171.18.0.45
    LDAP server name: bnsr259.platform.com
    Realm: PLATFORM.COM
    Bind Path: dc=PLATFORM,dc=COM
    LDAP port: 389
    Server time: Wed, 20 Jul 2011 20:34:57 IST
    KDC server: 171.18.0.45
    Server time offset: 180
