How To Integrate Samba (File Sharing) Using Active Directory For Authentication

Submitted by un1x (Contact Author) (Forums) on Fri, 2006-11-24 14:30. :: Samba | Storage

This tutorial explains how to install a Samba server on Gentoo and how to share folders whose permissions are controlled by Active Directory users and groups.

Preparation

  • Active Directory should already be implemented and working. If you need help, there is plenty of it on the net.
  • Your Windows system should be secured and patched.
  • You have Gentoo Linux installed, of course.
  • In the config files, change example.com to match your domain.

Install some utils

You have to install some utils.

  • openldap
  • kerberos
  • samba

# emerge openldap
# emerge mit-krb5
# USE="kerberos ldap winbind" emerge samba

Openldap doesn't need to be configured. 

Configure Kerberos

Now configure the file /etc/krb5.conf as follows:

[libdefaults]
    ticket_lifetime = 600
    default_realm = YOURDOMAIN
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
    YOURDOMAIN = {
        kdc = ip of your ads server
        default_domain = YOURDOMAIN
    }

[domain_realm]
    .yourdomain = YOURDOMAIN
    yourdomain = YOURDOMAIN

[kdc]
    profile = /etc/krb5kdc/kdc.conf

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

Add this line to /etc/hosts:

xxx.xxx.xxx.xxx    adserver.yourdomain   adserver  

Test Kerberos to ensure you can see the AD domain. Type this command:

kinit Username@DOMAIN

It will ask for the password; if you type it correctly you are returned to the prompt, which means it worked.

Configure SAMBA

You can use this example Samba configuration (location: /etc/samba/smb.conf):

[global]
    netbios name = name of your server
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    workgroup = yourdomain
    os level = 20
    ; the address this Samba server listens on, not the AD server
    socket address = ip of this samba server
    password server = *
    preferred master = no
    winbind separator = +
    max log size = 50
    log file = /var/log/samba3/log.%m
    encrypt passwords = yes
    dns proxy = no
    realm = YOURDOMAIN
    security = ADS
    wins server = ip of your wins server
    wins proxy = no

[exampleshare]
    comment = a comment
    path = /home/exampleshare
    browseable = yes
    read only = no
    inherit acls = yes
    inherit permissions = yes
    create mask = 700
    directory mask = 700
    ; define your ADS groups
    valid users = @"DOMAIN+Domain Users"
    ; define your ADS groups with admin rights
    admin users = @"DOMAIN+Domain Admins"
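Before starting Samba it is worth checking that the two files just written agree with each other. The script below is an added example, not part of this tutorial: it parses constructed copies of the krb5.conf and smb.conf skeletons above (with EXAMPLE.COM filled in) and reports a security setting other than ADS, a realm that differs between the two files, missing idmap ranges, group entries in valid users/admin users that lack the DOMAIN+group form, and single-DES encryption types left enabled in krb5.conf.

```python
# Cross-check an smb.conf / krb5.conf pair for an AD-joined Samba host (added example).
import configparser

# Constructed samples: the tutorial's skeletons with EXAMPLE / EXAMPLE.COM filled in
SMB_CONF = """
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ADS
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
[exampleshare]
valid users = @"EXAMPLE+Domain Users"
admin users = @"EXAMPLE+Domain Admins"
"""
KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
"""

def parse(text):
    # Both files are INI-like; '=' only, since krb5 values such as FILE:/... contain colons
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp

def check(smb_text, krb_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    smb, krb = parse(smb_text), parse(krb_text)
    g, lib = smb["global"], krb["libdefaults"]
    findings = []
    if g.get("security", "").upper() != "ADS":
        findings.append("security is not ADS: Kerberos/AD authentication is off")
    if g.get("realm", "").upper() != lib.get("default_realm", "").upper():
        findings.append("smb.conf realm differs from krb5.conf default_realm")
    if not (g.get("idmap uid") and g.get("idmap gid")):
        findings.append("idmap uid/gid ranges missing: domain users get no UNIX ids")
    sep = g.get("winbind separator", "\\")  # Samba's default separator is a backslash
    for share in (s for s in smb.sections() if s != "global"):
        for key in ("valid users", "admin users"):
            for entry in filter(None, map(str.strip, smb[share].get(key, "").split(","))):
                if sep not in entry:
                    findings.append(f"[{share}] {key}: {entry} lacks DOMAIN{sep}group form")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = [e for e in lib.get(key, "").split() if e.startswith("des-")]
        if weak:
            findings.append(f"krb5.conf {key} allows single-DES: {' '.join(weak)}")
    return findings
```

Run against the tutorial's own enctype lines, the only findings are the two single-DES entries; drop des-cbc-crc and the pair checks clean.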

Now run samba

# /etc/init.d/samba start

Join your samba server to your domain by typing in this command

# net ads join -U Username

Now we test winbind to make sure Windows authentication does indeed work. You need to edit the file /etc/nsswitch.conf and change two lines to look like this:

passwd:     compat winbind  
shadow:     compat  
group:      compat winbind  

Start the winbindd daemon

# winbindd

Add winbindd to your /etc/conf.d/local.start

# echo "/usr/bin/winbindd" >> /etc/conf.d/local.start

Add samba to your rc default

# rc-update add samba default

Test your SAMBA server

Let's make sure we can see the contents of Active Directory. Type this command:

# wbinfo -u

Can you see the user list of your Active Directory?

To see your groups type

# wbinfo -g

Configure your share

If you haven't configured a share yet, do it now ;)

ACL Support

You need to enable ACL support in your kernel.

Now edit your /etc/fstab and add acl to your options like this:

/dev/sda4               /home           reiserfs        noatime,acl             0 0  

Set domain groups to your share

You can grant domain groups access to your share with the command

# setfacl -m g:"DOMAIN+YourGroup":rwx .

Links

http://forums.gentoo.org/viewtopic.php?p=706581#706581
samba mailing list
http://www.samba.org


Submitted by jlchannel (registered user) on Thu, 2006-12-07 09:57.

This is another, similar document based on Fedora Core 6