{"id":179,"date":"2005-12-28T15:27:25","date_gmt":"2005-12-28T21:27:25","guid":{"rendered":"http:\/\/www.brentnorris.net\/blog\/?p=179"},"modified":"2008-08-05T13:21:40","modified_gmt":"2008-08-05T20:21:40","slug":"samba-3-authenticating-to-a-windows-2003-active-directory-howto","status":"publish","type":"post","link":"https:\/\/www.brentnorris.net\/blog\/archives\/179","title":{"rendered":"SAMBA 3 Authenticating to a Windows 2003 Active Directory HOWTO"},"content":{"rendered":"

Finally got a good method down and it works consistantly… You can read it in straight HTML<\/a> too.
\nEverything done in this howto is done with root permissions. It is always best to start out with a completely updated machine:
\nyum upgrade<\/code><\/p>\n

Next it is important to make sure that you have the Kerberos files on your machine:
\nyum install krb5-server krb5-workstation<\/code><\/p>\n

Next you need to edit the \/etc\/krb5.conf<\/code> file so that it looks similar to this (Case IS important. Bolded Items are things that need changing) :<\/p>\n

[logging]
\ndefault = FILE:\/var\/log\/krb5libs.log
\nkdc = FILE:\/var\/log\/krb5kdc.log
\nadmin_server = FILE:\/var\/log\/kadmind.log
\n[libdefaults]
\ndefault_realm = EDMONSON.KETSDS.NET<\/strong>
\ndns_lookup_realm = false
\ndns_lookup_kdc = false
\nticket_lifetime = 24h
\nforwardable = yes
\ndefault_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
\ndefault_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
\npreferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC<\/code><\/p>\n

[realms]
\nEDMONSON.KETSDS.NET<\/strong> = {
\nkdc = ed151000d1.edmonson.ketsds.net<\/strong>
\nadmin_server = 10.76.16.50<\/a>:749<\/span><\/strong>
\ndefault_domain = edmonson.ketsds.net<\/strong>
\n}
\n[domain_realm]
\n.example.com = EDMONSON.KETSDS.NET<\/strong>
\nexample.com = EDMONSON.KETSDS.NET<\/strong>
\n[kdc]
\nprofile = \/var\/kerberos\/krb5kdc\/kdc.conf
\n[appdefaults]
\npam = {
\ndebug = false
\nticket_lifetime = 36000
\nrenew_lifetime = 36000
\nforwardable = true
\nkrb4_convert = false
\n}<\/p>\n

Now it is a good idea to add your domain controller to your \/etc\/hosts<\/code> file. That way if something happens to DNS you can still resolve out to it. We are on to editing the \/etc\/samba\/smb.conf<\/code> file. There are several things to add and change here (again case is<\/strong> important and bolded items are what needs changed or added):
\nchange: workgroup = EDMONSON<\/strong>
\nadd: realm = EDMONSON.KETSDS.NET<\/strong>
\nchange: server string = Linux Samba File Server<\/strong>
\nchange: security = ADS<\/strong>
\nchange: encrypt passwords = yes<\/strong>
\nchange: preferred master = no<\/strong>
\nadd: template shell = \/bin\/false<\/strong>
\nadd: template homedir = \/home\/%D\/%U<\/strong>
\nadd: idmap uid = 10000-20000<\/strong>
\nadd: idmap gid = 10000-20000<\/strong>
\nadd: enhanced browsing = no<\/strong>
\nadd: winbind use default domain = yes<\/strong>
\n<\/code><\/p>\n

After you get those edited then it is a good idea to run testparm<\/code> and correct any errors that you get. With just the changes that I posted above there shouldn’t be any errors.
\nNext start SAMBA and join the machine to the domain using the commands:
\n\/etc\/init.d\/smb start
\nnet ads join -U bnorris@EDMONSON.KETSDS.NET<\/code>
\nAgain case is important. The program should ask you for your network password and then it should join the box to the network.
\nIf all went well you need to stop SAMBA while you finish up the pieces:
\n\/etc\/init.d\/smb stop<\/code><\/p>\n

Now we need to edit \/etc\/nsswitch.conf<\/code> and tell the machine to use Winbind to authenticate people.
\nchange: passwd: files winbind<\/strong>
\nchange: group: files winbind<\/strong><\/code><\/p>\n

Now we can start Winbind and SAMBA back up:
\n\/etc\/init.d\/winbind start
\n\/etc\/init.d\/smb start<\/code><\/p>\n

Test to make sure it is working using wbinfo<\/code>:
\nwbinfo -u
\nwbinfo -g<\/code><\/p>\n

Those commands should give you a list of users and groups from your domain. If you have a particularly complex domain with lots of trusts and such to you might want to limit wbinfo<\/code> to one domain with the --domain=EDMONSON<\/code> option. If wbinfo<\/code> hangs and never returns then you will need to stop and start Winbind in order to get it working again.<\/p>\n

You can also get some info about your connection to the domain with:
\nnet ads info<\/code><\/p>\n

Now you need to enable extended Access Control Lists (ACLs) on the filesystem that you will be using. This will give you access to extended security settings similar to Windows file permissions. To change this we will need to edit \/etc\/fstab<\/code>. You might not want to enable ACLs for all of your filesystems as it can induce some overhead that you might not need. Find the filesystem entry that you want to enable ACL for and edit the options field (the fourth field, usually says defaults<\/code>). After the entries that are in there put ,acl<\/code><\/p>\n

Now you need to unmount that filesystem and remount it. The easiest way to do that is to just reboot the machine, since sometimes there might be users with files open and you can’t unmount while that is going on.<\/p>\n

Now if you are planning on give your users home folders you need to make their directories. I cheated a little and did the following to quickly create mine:
\nwbinfo -u --domain=EDMONSON | grep -v '$' | sort > ~\/temp
\nfor i in `cat ~\/temp` ; do
\nmkdir -p \/home\/EDMONSON\/$i
\nsetfacl -m u:\"EDMONSON\\\\$i\":rwx \/home\/EDMONSON\/$i
\ndone<\/code><\/p>\n

That should give you a directory for every user with them having full control of that directory. I think there is an option to SAMBA to get it to do this when a user connects to the machine, but I couldn’t find it quickly today to set it. If anyone knows what it is, just let me know and I will edit this to get it in there.<\/p>\n

So there you go. You should<\/strong> now have a machine that will authenticate to the AD and show you the shares that you are allowed to access. If you want to add shares for specific users it isn’t too tough, just add them to \/etc\/samba\/smb.conf<\/code>
\nA good template share definition looks something like this:
\n[vivnenoi]
\ncomment = wireless to connect field house
\npath = \/home\/shares\/vivnenoi
\nvalid users = EDMONSON\\lamar.miller EDMONSON\\jcarnes EDMONSON\\bnorris
\npublic = no
\nwritable = yes
\nprintable = no
\ncreate mask = 0765
\n<\/code><\/p>\n

I have also written a shell script that can be accessed through a webpage to dynamically generate shares for groups of users. I will post in another entry soon.<\/p>\n","protected":false},"excerpt":{"rendered":"

Detailed HOWTO on getting a Linux machine running SAMBA 3 to use a Windows 2003 Active Directory to authenticate logins. HOWTO was created on a Fedora Core 4 machine. Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[193,75,168,147,145],"class_list":["post-179","post","type-post","status-publish","format-standard","hentry","category-journal","tag-brent","tag-hell","tag-house","tag-ldap","tag-samba"],"_links":{"self":[{"href":"https:\/\/www.brentnorris.net\/blog\/wp-json\/wp\/v2\/posts\/179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.brentnorris.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.brentnorris.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.brentnorris.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.brentnorris.net\/blog\/wp-json\/wp\/v2\/comments?post=179"}],"version-history":[{"count":0,"href":"https:\/\/www.brentnorris.net\/blog\/wp-json\/wp\/v2\/posts\/179\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.brentnorris.net\/blog\/wp-json\/wp\/v2\/media?parent=179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.brentnorris.net\/blog\/wp-json\/wp\/v2\/categories?post=179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.brentnorris.net\/blog\/wp-json\/wp\/v2\/tags?post=179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}