Unified Diff » Samba http://www.unifieddiff.com I should do that! How hard could it be?! Sat, 30 Jan 2010 01:23:00 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 HOW TO: Samba as an AD Domain Member http://www.unifieddiff.com/2006/10/04/samba-ad-domain-member/ http://www.unifieddiff.com/2006/10/04/samba-ad-domain-member/#comments Thu, 05 Oct 2006 01:30:55 +0000 Bob http://www.robertjcarroll.com/2006/10/05/samba-ad-domain-member/ There are probably a million and one articles about how to make Samba 3 an Active Directory domain member. But with all of that, this process still seems to require hours of research. So I’ve decided to compile my latest experiences here.

The domain member box is running Gentoo Linux. So you may need to adjust the steps to fit your flavor. Make sure the USE flags kerberos, ldap, samba, ssl, and winbind are set. Start by installing an NTP client. 

# emerge ntp

The purpose of NTP is to keep your computer’s clock in-sync with the domain controller. Edit your /etc/ntp.conf file to use your domain controller as the time server. Then sync your clock, start the NTP client, and install Samba:

# ntpdate ad01.rit.edu
# /etc/init.d/ntpd start
# rc-update add ntpd default
# emerge samba

Now you can configure kerberos. Open your /etc/krb5.conf file and make it look like this:

[libdefaults]
  ticket_lifetime = 600
  default_realm = RIT.EDU
  clockskew = 120

[realms]
  RIT.EDU = {
    kdc = ad01.rit.edu
    default_domain = RIT.EDU
  }

[domain_realm]
  .rit.edu = RIT.EDU
  rit.edu = RIT.EDU

Test your kerberos setup by requesting a ticket from your domain controller.

# kinit administrator
# klist
# kdestroy

Edit your Samba configuration.

[global]
  workgroup = RIT
  realm = RIT.EDU
  server string =

  log file = /var/log/samba/log.%m
  max log size = 50

  hosts allow = 127.0.0.1 129.21.0.0/16   
  hosts deny = 0.0.0.0/0
  security = ADS
  allow trusted domains = yes
  password server = ad01.rit.edu
  encrypt passwords = yes
  min protocol = NT1

  winbind enum users = yes
  winbind enum groups = yes
  winbind cache time = 600
  winbind use default domain = yes
  template homedir = /home/%U
  obey pam restrictions = yes
  template shell = /bin/bash

  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  domain master = no
  local master = no

  idmap uid = 10000-99999
  idmap gid = 10000-99999

Add winbind to the daemon_list variable in /etc/conf.d/samba.

daemon_list="smbd nmbd winbind"

Join the domain and start Samba.

# net ads join -U administrator
# /etc/init.d/samba start

Add winbind to the passwd and group lines in /etc/nsswitch.conf.

passwd:      compat winbind
shadow:      compat
group:       compat winbind

Test user resolution and add Samba to the startup:

# getent passwd administrator
# rc-update add samba default

Add the bolded lines to your /etc/pam.d/system-auth file.

auth required pam_env.so
auth sufficient	pam_winbind.so
auth sufficient	pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so

account	required pam_access.so
account	sufficient pam_winbind.so
account	required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so

session	required pam_limits.so
session	required pam_unix.so
session required pam_mkhomedir.so

That’s it! Now all you need to do is start samba and your box is an AD domain member.

]]> http://www.unifieddiff.com/2006/10/04/samba-ad-domain-member/feed/ 0