Configuring Samba 3.0 To Use The ADS Security Mode (CentOS) - Page 2
Configure Kerberos
If you're not familiar with Kerberos, there are a few things you can read to familiarize yourself with it:
The most important thing in configuring Kerberos is the /etc/krb5.conf file. There should be an example one in /etc you can modify (that's what I did). If not, then just create one. Here's a copy of mine:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = FAHDAZIZ.COM.PK

[realms]
 FAHDAZIZ.COM.PK = {
  # the AD domain controller is the KDC for the realm
  kdc = server.fahdaziz.com.pk
  admin_server = server.fahdaziz.com.pk
  default_domain = fahdaziz.com.pk
 }

[domain_realm]
 # map the DNS domain (and every host under it) to the realm
 .fahdaziz.com.pk = FAHDAZIZ.COM.PK
 fahdaziz.com.pk = FAHDAZIZ.COM.PK

# the two sections below come from the CentOS sample file; [kdc] is only read
# by a local KDC and [appdefaults] pam only by pam_krb5, so neither affects Samba
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
All of the literature I read said the realm name should be in upper case, though it doesn't strictly have to be. I took their recommendation: Kerberos realm names are case-sensitive, and the realm an AD domain uses is its DNS domain name in upper case, so anything else will not match the realm the DC answers for.
As you can see, I named my realm the same as the AD Domain name. It just so happens that my AD Domain name is the same as my network domain name but that's not always the case.
Use your AD DC as the kdc (
Once you get your krb5.conf file done, you can test it with the kinit command. Execute:
kinit username@REALM
where username is the name of an account in your AD Domain. It should prompt you for a password. Enter the password for that user in the AD Domain. Note that you must enter the name of the realm in uppercase letters: realm names are case-sensitive, and a lower-case realm typically fails with an error such as "KDC reply did not match expectations".
If it executes without error, then execute klist to see your Kerberos ticket.
Here are the commands I entered:
[root@sambaserver home]$ kinit [email protected]
Password for [email protected]:
[root@sambaserver home]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: [email protected]

Valid starting     Expires            Service principal
01/28/07 15:35:40  01/29/07 01:35:40  krbtgt/FAHDAZIZ.COM.PK@FAHDAZIZ.COM.PK


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[root@sambaserver home]$
If you get any error messages, make sure that:
- you have no spelling errors in your krb5.conf file
- the clocks on your machines are in sync (Kerberos rejects requests whose timestamp is more than five minutes off the KDC's clock by default, so point ntpd or ntpdate at the DC or at the same time source the DC uses)
- the password has been changed at least once on the username you are using.
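As an added example (not part of the original article), here is a small shell check you can run against the output of klist before moving on. It confirms that the ticket you hold is a TGT for the realm you put in krb5.conf, which catches a mistyped or lower-case realm and the case where the cached TGT belongs to some other realm. The klist text embedded in the script is constructed from the listing above; "username" and the dates are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: confirm that the ticket
# kinit gave you is a TGT for the realm configured in krb5.conf, before you
# move on to smbclient and net ads join. The klist text below is constructed
# from the article's listing; "username" and the dates are placeholders.

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: username@FAHDAZIZ.COM.PK

Valid starting     Expires            Service principal
01/28/07 15:35:40  01/29/07 01:35:40  krbtgt/FAHDAZIZ.COM.PK@FAHDAZIZ.COM.PK


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached'

# tgt_principals KLIST_TEXT
#   Print every krbtgt/... service principal in a klist dump, one per line.
#   The service principal is the last field of each ticket line.
tgt_principals() {
    printf '%s\n' "$1" | awk '$NF ~ /^krbtgt\// { print $NF }'
}

# check_tgt REALM KLIST_TEXT
#   0  a TGT krbtgt/REALM@REALM is cached
#   1  no TGT for REALM: nothing cached, or kinit/krb5.conf used another realm
#   2  REALM is not upper case (realm names are case sensitive and the AD realm
#      is the upper-cased DNS domain, so kinit with a lower-case realm fails)
check_tgt() {
    realm=$1
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$upper" ]; then
        echo "realm '$realm' must be upper case, e.g. $upper" >&2
        return 2
    fi
    want="krbtgt/$realm@$realm"
    found=$(tgt_principals "$2")
    for p in $found; do
        if [ "$p" = "$want" ]; then
            echo "ok: $p"
            return 0
        fi
    done
    if [ -n "$found" ]; then
        # e.g. krbtgt/FAHDAZIZ.COM.PK@OTHER.REALM: a cross-realm or mistyped realm
        echo "no TGT for $realm; cached TGTs:" $found >&2
    else
        echo "no TGT cached; run: kinit username@$realm" >&2
    fi
    return 1
}

# On a real server replace the sample with the live cache: check_tgt REALM "$(klist)"
check_tgt FAHDAZIZ.COM.PK "$SAMPLE_KLIST"
```

The realm check runs first because a lower-case realm never produces a usable ticket; the loop then only accepts the exact krbtgt/REALM@REALM principal, so a TGT from a different realm (which would show up as krbtgt/REALM@OTHER) is reported rather than silently accepted.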
Once you get a ticket from the AD DC, test it out by using Kerberos authentication with the smbclient command to view the shares on your Win2k AD DC:
smbclient -L /servername -k
The -k switch tells smbclient to authenticate with the Kerberos ticket you just obtained instead of prompting for a password. That should return a list of all the shares on the DC.
Here's how the command worked on my machine:
[root@sambaserver home]$ smbclient -L /server -k

        Sharename       Type      Comment
        ---------       ----      -------
        photos          Disk
        IPC$            IPC       Remote IPC
        D$              Disk      Default share
        rlcowan         Disk
        NETLOGON        Disk      Logon server share
        Family          Disk
        ADMIN$          Disk      Remote Admin
        SYSVOL          Disk      Logon server share
        Linux           Disk
        C$              Disk      Default share

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
[root@sambaserver home]$
After you execute that, you should have a second ticket in your cache: a service ticket for the DC, issued to its machine account principal (pe500sc$ in the listing below). You can view it with klist like this:
[root@sambaserver home]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: [email protected]

Valid starting     Expires            Service principal
09/28/03 15:35:40  09/29/03 01:35:40  krbtgt/FAHDAZIZ.COM.PK@FAHDAZIZ.COM.PK
09/28/03 15:42:13  09/29/03 01:35:40  pe500sc$@FAHDAZIZ.COM.PK


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[root@sambaserver home]$
Configure Samba
When you install Samba from the Samba.org rpm package, it will also install SWAT. Before you configure Samba, I suggest you fire up SWAT and read the document listed on the SWAT home page titled "The Samba HOWTO Collection". It has a section in it that deals with Win2k AD and Kerberos. Two cautions about SWAT itself: it listens on TCP port 901 and, unless you wrap it in SSL (for example with stunnel), sends the root password over the network in clear text, so keep it bound to localhost or disabled on anything but a test box; and when you save from it, it rewrites smb.conf and strips out your comments.
You now need to make the changes to your smb.conf file to enable Kerberos authentication and so you can join the AD domain. The important lines in smb.conf are:
realm = YOUR.REALM
security = ads
password server = <ip address or name of DC>
The realm is the Kerberos realm, in upper case and identical to default_realm in krb5.conf; workgroup stays the short NetBIOS name of the domain. If you name a password server, name a domain controller (on AD every DC is also a KDC).
Here's a copy of my smb.conf file:
[global]
    workgroup = fahdaziz
    netbios name = sambaserver
    server string = Samba Server 3.0
    security = ads
    realm = FAHDAZIZ.COM.PK
    password server = 10.0.0.1
    encrypt passwords = yes
    printcap name = /etc/printcap
    load printers = yes
    printing = cups
    log file = /var/log/samba/%m.log
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = no
    domain master = no
    preferred master = no
    dns proxy = no

#============================ Share Definitions ==============================
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    valid users = %S
    create mode = 0664
    directory mode = 0775

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = yes
    guest ok = yes
    writable = no
    printable = yes
Once you make the changes to smb.conf and before you start Samba, you need to join the AD domain. Before you do so there are two things that you should check:
- If there is a file named /etc/samba/secrets.tdb, either delete, move or rename it. It holds the machine account password from a previous domain membership, and a stale one will not match the account the DC knows about. A new one will be created when you join the domain; it should stay owned by root with mode 0600, since anyone who can read it can impersonate your server.
- If there is an existing machine account in your AD domain for your Samba server, delete it. A new one will be created when you join the AD domain.
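The checks in this section and the smb.conf settings above can be scripted. The following is an added example, not part of the original article: it reads the values that security = ads depends on out of smb.conf and krb5.conf and reports the mistakes that make net ads join fail or leave a half-working member server. The configuration files it parses are constructed samples written to a temporary directory, modelled on the configuration shown earlier; the file paths are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: check smb.conf and
# krb5.conf for the mistakes that make `net ads join` fail or leave a
# half-working member server, before you run the join. All file paths and
# the sample configurations below are constructed for this example.

# conf_get FILE SECTION KEY
#   Print the value of KEY inside [SECTION] of an ini-style file such as
#   smb.conf or krb5.conf. Section and key names are matched case-insensitively.
conf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                        # skip comment lines
        /^[ \t]*[[]/ {                                # [section] header
            s = $0; sub(/^[ \t]*[[]/, "", s); sub(/].*$/, "", s)
            insec = (tolower(s) == tolower(sec)); next
        }
        insec && index($0, "=") {
            i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# prejoin_check SMB_CONF KRB5_CONF SECRETS_TDB
#   Print one line per problem found and return the number of problems.
prejoin_check() {
    n=0
    security=$(conf_get "$1" global security)
    realm=$(conf_get "$1" global realm)
    workgroup=$(conf_get "$1" global workgroup)
    krb_realm=$(conf_get "$2" libdefaults default_realm)
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')

    # security = ads is what switches on Kerberos/AD membership
    [ "$security" = "ads" ] || { echo "security = '$security', must be ads"; n=$((n + 1)); }
    # realm names are case sensitive; AD's realm is the upper-cased DNS domain
    [ -n "$realm" ] && [ "$realm" = "$upper" ] \
        || { echo "realm '$realm' must be set and upper case"; n=$((n + 1)); }
    # Samba builds its Kerberos principals from this realm; keep it identical
    # to the default_realm that kinit and libkrb5 use
    [ "$realm" = "$krb_realm" ] \
        || { echo "smb.conf realm '$realm' != krb5.conf default_realm '$krb_realm'"; n=$((n + 1)); }
    # workgroup is the short NetBIOS domain name, not the DNS name
    case $workgroup in
        *.*) echo "workgroup '$workgroup' looks like a DNS name; use the NetBIOS name"; n=$((n + 1)) ;;
    esac
    [ "${#workgroup}" -le 15 ] \
        || { echo "workgroup '$workgroup' is longer than 15 characters"; n=$((n + 1)); }
    # a left-over secrets.tdb carries the old machine account password
    [ ! -e "$3" ] \
        || { echo "$3 exists; move it aside, the join creates a fresh one"; n=$((n + 1)); }
    return "$n"
}

# Constructed samples modelled on the article's configuration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/smb.conf" <<'EOF'
[global]
    workgroup = fahdaziz
    netbios name = sambaserver
    security = ads
    realm = FAHDAZIZ.COM.PK
    password server = 10.0.0.1
[homes]
    valid users = %S
EOF
cat > "$WORK/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = FAHDAZIZ.COM.PK
[realms]
 FAHDAZIZ.COM.PK = {
  kdc = server.fahdaziz.com.pk
 }
EOF
# A deliberately broken variant: DNS name as workgroup, lower-case realm.
cat > "$WORK/smb-bad.conf" <<'EOF'
[global]
    workgroup = fahdaziz.com.pk
    security = ads
    realm = fahdaziz.com.pk
EOF
: > "$WORK/secrets.tdb"    # stands in for a stale /etc/samba/secrets.tdb

prejoin_check "$WORK/smb.conf" "$WORK/krb5.conf" "$WORK/no-such-secrets.tdb" \
    && echo "ready to run: net ads join -U administrator"
prejoin_check "$WORK/smb-bad.conf" "$WORK/krb5.conf" "$WORK/secrets.tdb" \
    || echo "$? problem(s) found; fix them before joining"
```

On a real server call prejoin_check with /etc/samba/smb.conf, /etc/krb5.conf and /etc/samba/secrets.tdb; a non-zero return is the number of problems printed. The broken sample trips four checks (lower-case realm, realm mismatch with krb5.conf, DNS-style workgroup, stale secrets.tdb), which is exactly the set of mistakes the list above is meant to head off.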
Here are the commands I used as root to join the AD domain:
kinit [email protected]
net ads join -Uadministrator%password
The first command gets a Kerberos ticket and confirms that you can authenticate as an account in your AD domain that has permission to join computers to the domain. The second command joins the domain, authenticating with the credentials given to -U. Putting the password after the % leaves it in your shell history and visible in ps output while net runs; leave %password off and net will prompt for it instead.
If you're familiar with the command used with Samba 2.2 to join a domain, you'll notice the difference. smbpasswd is not used any more for this purpose.
If the join succeeds, you should receive a message stating that you successfully joined the domain. You should also see a new /etc/samba/secrets.tdb file, and a new machine account should appear in your Active Directory. If you look at the properties of the machine account, you should see the OS listed as Samba 3.0.
Once you've successfully joined the AD domain, start Samba in CentOS using:
service smb start
or use whatever command you use with your distribution to start Samba.
One advantage of this type of authentication is that you don't need to create Samba accounts on the Linux server with the smbpasswd command. There is no need for the /etc/samba/smbpasswd file, and your Windows users only need to be concerned with one user account.
However, each user that accesses the Samba server will still need a valid Linux user account on the server that matches the account in the AD domain. The purpose of this account is to control access to the Linux file system. The password for that account does not need to match the Win2k AD domain account password, and the account doesn't even need to be able to log in locally to the Linux machine (you can create it with useradd -s /sbin/nologin and lock its password with passwd -l). It does have to exist, however, and it must have the proper permissions on the directories you are sharing out with Samba for the user to access them. This hasn't changed from Samba 2.2.
To get around the need for local Linux accounts, you need to use winbind. It'll be interesting to see how that will work in conjunction with an AD domain. But that's the subject of another article.