Configuring Samba 3.0 To Use The ADS Security Mode (CentOS)

Submitted by fahdaziz (Contact Author) (Forums) on Mon, 2007-06-25 17:54. :: CentOS | Samba

This is the first line in the Samba 3.0 release notes:

"Active Directory support. Samba 3.0 is now able to join an ADS (Active Directory Service) realm as a member server and authenticate users using LDAP/Kerberos."

The intent of this article is to show you how to configure your Linux machine and Samba server to participate in a Windows 2003 Active Directory domain as a Member Server using Kerberos authentication. This involves using the security = ADS security mode in Samba.

Why would you want to do this? This eliminates the need to create separate Samba user accounts on your Linux server so your Windows users can access the Samba shares. Besides eliminating a lot of administrative overhead, without this, you would need to try to keep the password for the Samba user account synched with the password for the user in the AD domain. If you didn't and a Windows user changed his password, he would be prompted for a password every time he accessed a Samba share.

Probably the main advantage to the security = ADS security mode is if you are running a Win2003 AD domain in native mode and your security policy prohibits the use of NT-compatible authentication protocols. All of your workstations would be Windows 2000 or XP Professional. In this case, Samba was not previously able to act as a Domain Member server in the domain.

If you want to be able to use winbind (discussed in another article), your Samba server MUST be a domain Member Server.

If you're not familiar with the different AD modes, here's a brief explanation. In mixed mode, all windows clients are able to authenticate to the domain including Win9x, NT4, Win2k, and XP Pro. Samba could also be a Member Server of this domain.

Active Directory in native mode perfectly allows NT4-style Domain Members. This is contrary to popular belief.

Active Directory in native mode prohibits only the use of Backup Domain Controllers running MS Windows NT4. Using AD in native mode and restricting the use of the NT-compatible authentication protocols (i.e., using Kerberos authentication), only Win2k and XP Pro clients can belong to the domain. If you have a network with just Win2k and XP Pro clients, this is the preferred and most secure mode.

 

Contents

  1. Network Setup
  2. Installing Kerberos
  3. Installing Samba 3.0
  4. Configure Kerberos
  5. Configure Samba

 

Network Setup

This is the setup on our network:

Linux:

CentOS with Samba 3.0 installed from the RPM package from CentOS CDs.

host/NetBIOS name – sambaserver (eth0: 10.0.0.1)

Win2003:

Windows 2003 Enterprise Server Active Directory (Domain Controller) running SP1

Machine name – server (eth0: 10.0.0.1) (eth1: 192.168.1.1)

AD domain name – fahdaziz.com.pk

Network domain name - fahdaziz.com.pk

Running DNS for the entire network (eth0: 10.0.0.0)

Running DHCP for the entire network (eth0: 10.0.0.0)

 

Installing Kerberos

The most crucial thing you need to make this work is to have Kerberos V5 installed on your Linux machine. You will not need to configure your CentOS machine as a Kerberos server, though.

You can check to see if they are already installed by using the rpm -q command:

rpm -q krb5-libs

rpm -q krb5-workstation

rpm -q krb5-server

These should return the version numbers, not error messages.

If you don't already have them installed, you can find them on the CentOS CDs. You can install them from the command line using:

rpm -ivh <packagename>

If your distribution uses RPM packages, try www.rpmfind.net. You can also go to http://web.mit.edu/Kerberos/www/index.html for the latest release of Kerberos.

If you have yum installed on your RPM based distribution, you can execute:

yum install krb5-libs

yum install krb5-workstation

yum install krb5-server

Once you get Kerberos installed on your CentOS machine, there are a few critical things you need to check:

  1. The time on your Win2003 AD server and your CentOS machine must match. The default Kerberos setting allows for a 5-minute discrepancy. I recommend setting them as close as possible to allow for drift over time. This is ABSOLUTELY CRITICAL! If the clocks don't match, it won't work. This also applies to any other machine in your AD domain you want to authenticate to from your CentOS machine using Kerberos.
  2. Any user account in the Win2003 AD domain you are going to use for authentication using Kerberos must have had its password changed at least once since it was created. If the password has never been changed since the account was created, THIS WON'T WORK! On the accounts I used, I just changed the passwords, then changed them right back to their originals.

 

Installing Samba 3.0

Here are the steps to follow to install Samba 3.0:

1. Remove the old version of Samba from the computer with this command:

rpm -e samba

If you installed Samba from the CENTOS CDs, you will probably have to remove more than one rpm package. You can use the CENTOS GUI package manager or execute:

rpm -qa | grep samba

to list the Samba packages that are installed, then uninstall them from the command line.

You should uninstall your current version of Samba before installing Samba 3. When you remove Samba, the rpm command will back up your smb.conf file to smb.conf.rpmsave. I recommend you make a backup copy of it yourself, though.

If you're not using CentOS, then use the method that is specific to your Linux distribution to uninstall Samba. If you installed Samba from source, see the documentation from Samba.org to uninstall it.

2. Download and install Samba 3 rpm package for CENTOS.

Once it's downloaded from the Samba.org site, just use:

rpm -ivh samba-3.0.0-1.i386.rpm

or

yum install samba

to install it.

If you're not using CentOS, then use the method that is specific to your Linux distribution to install it. If you are installing Samba from source, see the documentation from Samba.org to install it.

Once you install it, make the smb.conf.rpmsave file your active smb.conf file or restore your backup copy of smb.conf, then start Samba. Test it to be sure it works as it did before. Your Samba server should work the same with Samba 3 as it did with Samba 2.2.

Once you've tested Samba 3 to be sure it's working properly, it's CRITICAL that you stop it before you continue with further configuration. If you don't stop Samba, the following attempts to configure it will most likely fail.
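The critical points above (the Kerberos packages being present, the clocks being within the default 5-minute tolerance, Samba being stopped before it is reconfigured, and the list of installed Samba packages) collected into one pre-flight script. This is an added example, not code from the original article or from the Samba project. It assumes the DC at 10.0.0.1 from the network setup above, the krb5-libs and krb5-workstation package names, and that rpm, pidof, Samba's net time -S and GNU date -d are available on the CentOS host. The helper functions take command output as arguments so they can be tried against constructed strings; preflight() runs the real commands.

```shell
#!/bin/sh
# ads_preflight.sh -- added example, not from the original article.
# Verifies what the article marks as critical before configuring
# security = ADS: the Kerberos packages are present, the clock is within
# the Kerberos default tolerance of the AD server, and smbd is not running.
# The pure helper functions take command output as arguments so they can be
# exercised without a domain; preflight() runs the real commands.
# Assumed tools: rpm, pidof, Samba's "net time -S", GNU "date -d".

KRB_PKGS="krb5-libs krb5-workstation"   # packages rpm -q must find (assumed names)
AD_SERVER="${AD_SERVER:-10.0.0.1}"      # the Win2003 DC in the article's setup
MAX_SKEW=300                            # Kerberos default clockskew (5 minutes)

# skew_ok EPOCH_A EPOCH_B: succeed if the two clocks differ by at most MAX_SKEW seconds.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$MAX_SKEW" ]
}

# pkg_state OUTPUT: classify the output of "rpm -q NAME" as installed or missing.
# rpm prints "package NAME is not installed" (exit 1) when the package is absent
# and NAME-VERSION-RELEASE when it is present.
pkg_state() {
    case "$1" in
        ""|"package "*" is not installed") echo missing ;;
        *) echo installed ;;
    esac
}

# samba_pkgs OUTPUT: filter "rpm -qa" output down to the Samba packages, one per
# line, the same selection as the article's "rpm -qa | grep samba".
samba_pkgs() {
    printf '%s\n' "$1" | grep -i samba || true
}

# smbd_running OUTPUT: succeed if "pidof smbd" printed at least one pid.
smbd_running() {
    [ -n "$1" ]
}

# preflight: run the checks for real on this host; returns non-zero on any failure.
preflight() {
    rc=0
    for p in $KRB_PKGS; do
        if [ "$(pkg_state "$(rpm -q "$p" 2>/dev/null || true)")" = missing ]; then
            echo "FAIL: $p not installed (yum install $p)"; rc=1
        else
            echo "OK:   $p installed"
        fi
    done

    # Read the DC's clock over SMB and compare it with ours in epoch seconds.
    remote=$(net time -S "$AD_SERVER" 2>/dev/null || true)
    if [ -z "$remote" ]; then
        echo "FAIL: could not read the clock of $AD_SERVER with net time"; rc=1
    elif skew_ok "$(date +%s)" "$(date -d "$remote" +%s)"; then
        echo "OK:   clock within ${MAX_SKEW}s of $AD_SERVER"
    else
        echo "FAIL: clock differs from $AD_SERVER by more than ${MAX_SKEW}s"; rc=1
    fi

    # The article requires Samba to be stopped before it is reconfigured.
    if smbd_running "$(pidof smbd 2>/dev/null || true)"; then
        echo "FAIL: smbd is running; stop it (service smb stop) first"; rc=1
    else
        echo "OK:   smbd is not running"
    fi

    echo "Samba packages present:"
    samba_pkgs "$(rpm -qa)" | sed 's/^/      /'
    return $rc
}

# Run the live checks only when invoked as: sh ads_preflight.sh run
if [ "${1:-}" = run ]; then
    preflight
fi
```

Note that the clock comparison deliberately uses the DC itself as the reference, since that is the KDC whose tolerance matters; a host that is in sync with a public NTP server but not with the DC still fails the Kerberos check.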

Submitted by Yann (not registered) on Fri, 2012-02-03 16:52.

Years afterward, still helps me ;)

Just encountered the error "Strong(er) authentication required" on the last step: net ads join.

I solved it by installing samba3x instead of samba 3.0 and adding the following option to my smb.conf:

client ldap sasl wrapping = sign 

Submitted by inix (registered user) on Fri, 2007-07-06 10:37.

When facing problems, check Time vs Kerberos. Both are silent killers, even after you've authenticated.

The easiest way to resolve user related issues is to use Winbind. Once that is fixed, it is ridiculously easy to get everything to work properly.

Following the instructions here, then the instructions from SAMBA (with a few intelligent changes), will set you up. Here is the link.

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

Submitted by lokillo (registered user) on Tue, 2007-07-03 16:06.

I was getting

ads_connect: Operations error

when trying to join the domain; it seems somehow related to the version of Samba, 3.0.23.

You have to make sure your /etc/hosts file is correct, and that the domain (the FQDN) of your client machine is the same as of the domain of the ad machine.

Also, the client workgroup has to be the same as of the AD workgroup.

Finally, if instead of "net ads join" you use "net join" it will try ads then rpc join, and the last one was the one that worked for me.

Hope it helps.
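The two naming conditions lokillo's comment above lists (the client's FQDN in /etc/hosts lying in the AD domain, and the smb.conf workgroup matching the AD domain's NetBIOS name) as a checking script. This is an added example, not lokillo's code and not from the article or the Samba project. The /etc/hosts lines, smb.conf fragment and addresses in it are constructed, and the NetBIOS name FAHDAZIZ for the fahdaziz.com.pk domain is an assumption; the helpers take file contents as arguments so they run without touching the real files.

```shell
#!/bin/sh
# ads_namecheck.sh -- added example, not from the comment above or the article.
# Checks the naming conditions before "net ads join": the FQDN in /etc/hosts
# for this host lies in the AD domain, and the workgroup in smb.conf matches
# the AD domain's NetBIOS name. The helpers take file contents as arguments;
# sample data and the NetBIOS name FAHDAZIZ are constructed/assumed.

# hosts_fqdn HOSTS_TEXT IP: print the canonical (first) name on the line for IP
# in /etc/hosts-style text; comment lines never match an address.
hosts_fqdn() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip { print $2; exit }'
}

# domain_of NAME: the part after the first dot, lower-cased; empty when NAME has no dot.
domain_of() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" | tr 'A-Z' 'a-z' ;;
        *)   echo "" ;;
    esac
}

# in_ad_domain FQDN AD_DOMAIN: succeed when FQDN's domain part is AD_DOMAIN (case-insensitive).
in_ad_domain() {
    [ -n "$(domain_of "$1")" ] &&
    [ "$(domain_of "$1")" = "$(printf '%s\n' "$2" | tr 'A-Z' 'a-z')" ]
}

# smb_value CONF_TEXT KEY: print the value of "KEY = value" from smb.conf text, trimmed.
smb_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        { k=$1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        tolower(k) == tolower(key) {
            v=$2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }'
}

# check_names HOSTS_TEXT IP AD_DOMAIN CONF_TEXT NETBIOS_DOMAIN: print a report, fail on mismatch.
check_names() {
    rc=0
    fqdn=$(hosts_fqdn "$1" "$2")
    if in_ad_domain "$fqdn" "$3"; then
        echo "OK:   $2 -> $fqdn is in $3"
    else
        echo "FAIL: $2 -> '$fqdn' is not a name in $3; fix /etc/hosts"; rc=1
    fi
    wg=$(smb_value "$4" workgroup)
    if [ "$(printf '%s' "$wg" | tr 'a-z' 'A-Z')" = "$(printf '%s' "$5" | tr 'a-z' 'A-Z')" ]; then
        echo "OK:   workgroup = $wg"
    else
        echo "FAIL: workgroup '$wg' does not match the AD domain's NetBIOS name $5"; rc=1
    fi
    return $rc
}

# Live run on a CentOS host (the NetBIOS name FAHDAZIZ is an assumption, and
# hostname -i must print the address used in /etc/hosts):
#   check_names "$(cat /etc/hosts)" "$(hostname -i)" fahdaziz.com.pk \
#               "$(cat /etc/samba/smb.conf)" FAHDAZIZ
```

The domain comparison is case-insensitive on purpose: Kerberos realms are conventionally upper-case while DNS names are not, and a mismatch in case alone should not be reported as a fault.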