Gentoo Wiki ArchivesGentoo Wiki

HOWTO_Active_Directory_with_Samba_and_Winbind

Contents

Confirm Connectivity

The first step to configuring a Gentoo client for participation in an Active Directory (AD) network is to confirm network connectivity and name resolution for the Active Directory domain controller. An easy way to verify both of these is to ping the fully-qualified domain name (FQDN) of the AD DC on your network.

# ping dc1.domain.local
PING dc1.domain.local (192.168.1.250) 56(84) bytes of data.
64 bytes from win2k3.lab.example.com (192.168.1.250): icmp_seq=1 ttl=128 time=0.176ms

The output of the ping response shows successful resolution of the FQDN to an IP Address, and the confirmation of connectivity between your Gentoo client and the AD DC.

Time Settings

Ensure that the date is correct on the server, a good practice is to install ntp client and sync time with dc1 first. Emerge net-misc/ntp, edit etc/conf.d/ntp-client and set the address to dc1.domain.local. When you are done editing the file should look like this:

File: /etc/conf.d/ntp-client
NTPCLIENT_CMD="ntpdate"
NTPCLIENT_OPTS="-s -b -u dc1.domain.local"

Make sure to start the ntp client and ensure the date was syncronized properly with dc1:


#/etc/init.d/ntp-client start                                                                                                                       
 * Setting clock via the NTP client 'ntpdate' ... [ ok ]
#

FQDN

A valid FQDN is essential for Kerberos and Active Directory. Active Directory is heavily dependent upon DNS, and it is likely that your Active Directory Domain Controllers are also running the Microsoft DNS server package. Here, we will edit the local hosts file on your Gentoo workstation to make sure that your FQDN is resolvable.

File: /etc/hosts
127.0.0.1 gentoobox.domain.local localhost gentoobox

You can test your configurating by PINGING your own FQDN. The output should be similar to the PING output above, from the Network Connectivity test (of course, the FQDN will be your own, and the IP address will be 127.0.0.1). Or test with:

# hostname -f

Set up Kerberos

The first step in setting up Kerberos is to install the appropriate client software.

Required Software

To properly install the necessary Kerberos packages, you need to install the sys-auth/pam_krb5 and app-crypt/mit-krb5 packages from portage

Note: This command may also fetch additional packages like openldap.
#emerge -av sys-auth/pam_krb5 app-crypt/mit-krb5

Now edit your kerberos configuration file according to your setup. Make sure to pay attention at the capitalization, it is very important or things will not work. You can use the following as a template:

File: /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
   ticket_lifetime = 24000
   clock_skew = 300
   default_realm = domain.LOCAL

[realms]
   domain.LOCAL = {
       kdc = dc1.domain.local:88
       admin_server = dc1.domain.local:464
       default_domain = domain.LOCAL
}

[domain_realm]
   .domain.local = domain.LOCAL
   domain.local = domain.LOCAL
Note: With mit-krb5-1.6.3-r1 I have experienced problems during authorization against Active Directory (Win 2003 server) since I wrote all hostnames in upper case, i.e. "kdc = OFFICE.COMPANY.TLD" --84.244.81.42 16:00, 13 June 2008 (UTC)
Testing

Request a Ticket-Granting Ticket (TGT) by issuing the kinit command, as shown. You can use any valid domain account; it doesn't have to be Administrator. You can also omit the domain name from the command if the "default_realm" directive is properly applied in the /etc/krb5.conf file. Make sure you use the exact same case (upper or lower) when testing with kinit!

#kinit Administrator@domain.LOCAL
Password for Administrator@DOMAIN.LOCAL: ******

Check if ticket request was valid using the klist command.

#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@domain.LOCAL
Valid starting     Expires            Service principal
10/05/07 14:28:00  10/05/07 21:08:00  krbtgt/domain.LOCAL@domain.LOCAL

At this point, your Kerberos installation and configuration is operating correctly. You can release your test ticket by issuing the kdestroy command.

Join AD domain

Required software

You need to install the samba package. For this to work properly samba needs to be emerged with the ads and ldap flags enabled.

# USE="ldap ads winbind" emerge -av net-fs/samba
Joining the Domain

Edit your samba configuration file, use the following as a template.

File: /etc/samba/smb.conf
[global]
   workgroup = domain
   server string = Samba Server %v
   load printers = no
   log file = /var/log/samba/log.%m
   max log size = 50
   interfaces = lo eth0
   bind interfaces only = yes
   hosts allow = 192.168.1. 127.
   hosts deny = 0.0.0.0/0
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   smb ports = 139
   security = ADS
   realm = domain.LOCAL
   password server = 192.168.1.250
   winbind separator = /
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/zsh
   client use spnego = yes
   client ntlmv2 auth = yes
   winbind use default domain = yes
   restrict anonymous = 2
   domain master = no
   local master = no
   preferred master = no
   os level = 0
   disable netbios = no
   dos charset = ASCII
   unix charset = UTF8
   display charset = UTF8
 


Note: The "winbind use default domain" parameter is useful in single-domain enterprises and makes winbind assume that all user authentications should be performed in the domain to which winbind is joined. Omit this parameter if your environment includes multiple domains or if your account domain differs from the resource domain. The "winbind separator" directive is optional, and the default value is the usual backslash "\" Domain and User separator. You can use "+" if you know of a specific reason "\" will not work in your environment.


Edit the Samba init configuration file and insert the following in order to start winbind with samba:

File: /etc/conf.d/samba
#add "winbind" to the daemon_list if you also want winbind to start
daemon_list="smbd nmbd winbind"


A few more steps before we start samba. First create a valid ticket using kinit. If the Kerberos auth was valid, you should not get asked for a password. However, if you are not working as root and are instead using sudo to perform the necessary tasks, use the command sudo net ads join -U username and supply your password when prompted. Otherwise, you will be asked to authenticate as root@.domain.LOCAL instead of a valid account name.

Create a valid ticket

# kinit Administrator@domain.LOCAL

join the domain before starting samba and winbind:

# net ads join -U administrator
Using short domain name  domain
Joined 'gentoobox' to realm 'domain.LOCAL'

Be sure to start Samba after the above steps completed succesfuly. Optionally you should add samba to the default runlevel as well.

# /etc/init.d/samba start
 * samba -> start: smbd ... [ ok ]
 * samba -> start: nmbd ... [ ok ]
 * samba -> start: winbind ... [ ok ]
# rc-update add samba default
* samba added to runlevel default
#
Testing
# wbinfo -u

You should get a list of the users of the domain.

And a list of the groups.

# wbinfo -g

Setup Authentication

nsswitch

Now edit /etc/nsswitch.conf and make the following changes

File: /etc/nsswitch.conf
passwd:      compat winbind
shadow:      compat winbind
group:       compat winbind


Testing

Check the Winbind nsswitch module with getent.

# getent passwd

You should see users from the AD as well as your Gentoo box.

# getent group

Same thing for groups.


Final Configuration

Each domain needs a directory in /home/.

# mkdir /home/DOMAIN


Ability to change Domain Password using passwd

Simple, just add

File: /etc/pam.d/passwd
password        sufficient      pam_winbind.so
password        required        pam_unix.so

Your pam.d/passwd should now look something like this

File: /etc/pam.d/passwd
#%PAM-1.0


password        sufficient      pam_winbind.so
password        required        pam_unix.so 

auth       include      system-auth
account    include      system-auth
password   include      system-auth

Troubleshooting

LDAP

Samba was not starting on my setup and I needed to do this part. Your mileage may vary. If you know more feel free to edit.

File: /etc/openldap/ldap.conf
 # LDAP Defaults
 #
 
 # See ldap.conf(5) for details
 # This file should be world readable but not world writable.
 
 BASE    dc=domain, dc=local
 URI     ldap://dc1.domain.local
 
 SIZELIMIT       12
 TIMELIMIT       15
 DEREF           never
 


Trouble joining the AD?

Make sure you use the net join command that samba and winbind are not running when you try to join the domain.


References

By and large most of this was compiled by many sources on the web as well as my own trial and error but notably most of it came from: Active Directory Winbind Howto As well Using_Samba on Debian Linux to authenticate against Active Directory


Edited by Darf 15:26, 5 October 2007 (UTC)

Retrieved from "http://www.gentoo-wiki.info/HOWTO_Active_Directory_with_Samba_and_Winbind"

Last modified: Fri, 25 Jul 2008 10:02:00 +1000 Hits: 17,136

Created by NickStallman.net, Luxury Homes Australia
Real estate agents should list their apartments, townhouses and units in Australia.