HOWTO_Active_Directory_with_Samba_and_Winbind
Confirm Connectivity
The first step to configuring a Gentoo client for participation in an Active Directory (AD) network is to confirm network connectivity and name resolution for the Active Directory domain controller. An easy way to verify both of these is to ping the fully-qualified domain name (FQDN) of the AD DC on your network.
# ping dc1.domain.local
PING dc1.domain.local (192.168.1.250) 56(84) bytes of data.
64 bytes from win2k3.lab.example.com (192.168.1.250): icmp_seq=1 ttl=128 time=0.176ms
The output of the ping response shows successful resolution of the FQDN to an IP Address, and the confirmation of connectivity between your Gentoo client and the AD DC.
Time Settings
Ensure that the date is correct on the server; Kerberos rejects requests whose timestamp differs from the domain controller's clock by more than the configured skew, so a good practice is to install an NTP client and sync time with dc1 first. Emerge net-misc/ntp, edit /etc/conf.d/ntp-client and set the address to dc1.domain.local. When you are done editing, the file should look like this:
| File: /etc/conf.d/ntp-client |
NTPCLIENT_CMD="ntpdate"
NTPCLIENT_OPTS="-s -b -u dc1.domain.local"
|
Make sure to start the NTP client and confirm that the date was synchronized properly with dc1:
# /etc/init.d/ntp-client start
 * Setting clock via the NTP client 'ntpdate' ...                  [ ok ]
#
FQDN
A valid FQDN is essential for Kerberos and Active Directory. Active Directory is heavily dependent upon DNS, and it is likely that your Active Directory Domain Controllers are also running the Microsoft DNS server package. Here, we will edit the local hosts file on your Gentoo workstation to make sure that your FQDN is resolvable.
| File: /etc/hosts |
127.0.0.1 gentoobox.domain.local localhost gentoobox
|
You can test your configuration by pinging your own FQDN. The output should be similar to the ping output above, from the connectivity test (of course, the FQDN will be your own, and the IP address will be 127.0.0.1). Alternatively, test with:
# hostname -f
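The order of names on the /etc/hosts line matters: the resolver treats the first name after the address as the canonical name, and that is what hostname -f (and later the Kerberos host principal) will use. The following script is an added example, not part of the original HOWTO; it parses constructed hosts-style files and reports whether the canonical name for 127.0.0.1 is fully qualified under the assumed domain domain.local.

```shell
#!/bin/sh
# fqdn_check.sh: confirm that the canonical name for the local address in an
# /etc/hosts-style file is the fully-qualified name Kerberos will use.
# Resolvers take the FIRST name on a matching hosts line as the canonical
# name, which is what "hostname -f" reports; listing "localhost" first makes
# the box believe its FQDN is "localhost". Sample files below are constructed.

# Print the canonical (first) name on the line whose address is $2 in file $1.
hosts_canonical() {
    awk -v addr="$2" '$1 == addr { print $2; exit }' "$1"
}

# Succeed if $1 has at least one label in front of domain $2 (e.g. host.domain.local).
is_fqdn_in_domain() {
    case "$1" in
        ?*."$2") return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 when the canonical name for address $2 in hosts file $1 is fully
# qualified under domain $3; print the name found either way.
fqdn_check() {
    name=$(hosts_canonical "$1" "$2")
    printf '%s\n' "${name:-<no entry>}"
    [ -n "$name" ] && is_fqdn_in_domain "$name" "$3"
}

# Constructed samples: the line recommended above, and a common mistake
# where "localhost" is listed first and becomes the canonical name.
GOOD=$(mktemp); BAD=$(mktemp)
printf '127.0.0.1 gentoobox.domain.local localhost gentoobox\n' > "$GOOD"
printf '127.0.0.1 localhost gentoobox.domain.local gentoobox\n' > "$BAD"

for f in "$GOOD" "$BAD"; do
    if fqdn_check "$f" 127.0.0.1 domain.local >/dev/null; then
        echo "$f: canonical name is a valid FQDN"
    else
        echo "$f: canonical name is NOT fully qualified; reorder the hosts line"
    fi
done
```

Point fqdn_check at the real /etc/hosts with your own address and domain to run the same check on a live box.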
Set up Kerberos
The first step in setting up Kerberos is to install the appropriate client software.
- Required Software
To install the necessary Kerberos packages, emerge sys-auth/pam_krb5 and app-crypt/mit-krb5 from Portage:
# emerge -av sys-auth/pam_krb5 app-crypt/mit-krb5
Now edit your Kerberos configuration file according to your setup. Pay close attention to capitalization; realm names are case-sensitive, and things will not work if the spelling differs between sections. You can use the following as a template:
| File: /etc/krb5.conf |
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = domain.LOCAL
[realms]
domain.LOCAL = {
kdc = dc1.domain.local:88
admin_server = dc1.domain.local:464
default_domain = domain.LOCAL
}
[domain_realm]
.domain.local = domain.LOCAL
domain.local = domain.LOCAL
|
- Testing
Request a Ticket-Granting Ticket (TGT) by issuing the kinit command, as shown. You can use any valid domain account; it doesn't have to be Administrator. You can also omit the realm name from the command if the "default_realm" directive is properly set in /etc/krb5.conf. Make sure you use exactly the same case (upper or lower) as in krb5.conf when testing with kinit!
# kinit Administrator@domain.LOCAL
Password for Administrator@DOMAIN.LOCAL: ******
Check that the ticket request succeeded using the klist command.
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@domain.LOCAL

Valid starting     Expires            Service principal
10/05/07 14:28:00  10/05/07 21:08:00  krbtgt/domain.LOCAL@domain.LOCAL
At this point, your Kerberos installation and configuration are operating correctly. You can release your test ticket by issuing the kdestroy command.
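Because the realm must be spelled identically in [libdefaults], [realms] and [domain_realm], and kinit compares it case-sensitively, a quick consistency check on krb5.conf saves a round of failed ticket requests. The script below is an added example, not part of the original HOWTO; it parses the template above (embedded as a constructed sample) and a second constructed copy where default_realm was typed in a different case, and reports the first mismatch it finds.

```shell
#!/bin/sh
# krb5_realm_check.sh: catch capitalization mismatches in krb5.conf before
# running kinit. Realm names are compared case-sensitively, so the
# [libdefaults] default_realm, the [realms] entry and every [domain_realm]
# mapping must be spelled identically. Sample files below are constructed.

# Print the value of key $3 inside section [$2] of ini-style file $1.
krb5_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($0 ~ ("^[[:space:]]*\\[" sec "\\]")); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Return 0 if file $1 is internally consistent; print the first problem found.
krb5_check() {
    realm=$(krb5_get "$1" libdefaults default_realm)
    [ -n "$realm" ] || { echo "no default_realm in [libdefaults]"; return 1; }

    # [realms] must define the realm with exactly that spelling.
    awk -v realm="$realm" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[realms\]/); next }
        insec && $1 == realm && $2 == "=" && $3 == "{" { found = 1 }
        END { exit !found }
    ' "$1" || { echo "[realms] has no entry spelled exactly $realm"; return 1; }

    # Every [domain_realm] mapping must point at the same spelling.
    awk -v realm="$realm" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[domain_realm\]/); next }
        insec && NF >= 3 && $2 == "=" && $3 != realm {
            printf "[domain_realm] %s maps to %s, not %s\n", $1, $3, realm; bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample 1: the template from this page (consistent spelling).
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
[libdefaults]
    ticket_lifetime = 24000
    clock_skew = 300
    default_realm = domain.LOCAL
[realms]
    domain.LOCAL = {
        kdc = dc1.domain.local:88
        admin_server = dc1.domain.local:464
        default_domain = domain.LOCAL
    }
[domain_realm]
    .domain.local = domain.LOCAL
    domain.local = domain.LOCAL
EOF

# Constructed sample 2: default_realm typed in a different case.
BAD=$(mktemp)
sed 's/default_realm = domain.LOCAL/default_realm = DOMAIN.LOCAL/' "$GOOD" > "$BAD"

for f in "$GOOD" "$BAD"; do
    if krb5_check "$f"; then
        echo "$f: realm spelling is consistent"
    else
        echo "$f: fix the spelling before running kinit"
    fi
done
```

Run krb5_check /etc/krb5.conf on a live box; it prints nothing and exits 0 when the three sections agree.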
Join AD domain
- Required software
You need to install the Samba package. For this to work properly, Samba needs to be emerged with the ads, ldap and winbind USE flags enabled.
# USE="ldap ads winbind" emerge -av net-fs/samba
- Joining the Domain
Edit your Samba configuration file, using the following as a template.
| File: /etc/samba/smb.conf |
[global]
workgroup = domain
server string = Samba Server %v
load printers = no
log file = /var/log/samba/log.%m
max log size = 50
interfaces = lo eth0
bind interfaces only = yes
hosts allow = 192.168.1. 127.
hosts deny = 0.0.0.0/0
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
smb ports = 139
security = ADS
realm = domain.LOCAL
password server = 192.168.1.250
winbind separator = /
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/zsh
client use spnego = yes
client ntlmv2 auth = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
|
Edit the Samba init configuration file and insert the following in order to start winbind with samba:
| File: /etc/conf.d/samba |
# add "winbind" to the daemon_list if you also want winbind to start
daemon_list="smbd nmbd winbind"
|
A few more steps before we start Samba. First create a valid ticket using kinit. If the Kerberos authentication was valid, you should not be asked for a password. However, if you are not working as root and are instead using sudo to perform the necessary tasks, use the command sudo net ads join -U username and supply your password when prompted. Otherwise, you will be asked to authenticate as root@.domain.LOCAL instead of a valid account name.
Create a valid ticket
# kinit Administrator@domain.LOCAL
Join the domain before starting Samba and winbind:
# net ads join -U administrator
Using short domain name – domain
Joined 'gentoobox' to realm 'domain.LOCAL'
Be sure to start Samba only after the above steps have completed successfully. Optionally, add samba to the default runlevel as well.
# /etc/init.d/samba start
 * samba -> start: smbd ...                                        [ ok ]
 * samba -> start: nmbd ...                                        [ ok ]
 * samba -> start: winbind ...                                     [ ok ]
# rc-update add samba default
 * samba added to runlevel default
#
- Testing
# wbinfo -u
You should get a list of the users of the domain.
# wbinfo -g
And a list of the groups.
Setup Authentication
- nsswitch
Now edit /etc/nsswitch.conf and make the following changes:
| File: /etc/nsswitch.conf |
passwd: compat winbind
shadow: compat winbind
group:  compat winbind
|
- Testing
Check the Winbind nsswitch module with getent.
# getent passwd
You should see users from the AD as well as your Gentoo box.
# getent group
Same thing for groups.
Final Configuration
Each domain needs a directory in /home/, matching the template homedir = /home/%D/%U setting in smb.conf above.
# mkdir /home/DOMAIN
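Two things are worth verifying once getent shows domain users: that no pre-existing local account has a uid inside the idmap uid range from smb.conf (winbind would hand the same uid to a domain user, so two different people would own the same files), and that the mapped accounts land under the per-domain directory you just created. The script below is an added example, not part of the original HOWTO. It works on constructed files: a subset of the smb.conf template above, a local passwd with one account inside the range, and a sample of getent passwd output; it assumes %D expands to DOMAIN, as in the mkdir step.

```shell
#!/bin/sh
# idmap_check.sh: sanity-check the idmap range and home-directory layout from
# the smb.conf template. winbind allocates uids for domain users out of
# "idmap uid"; a local account already inside that range would share its uid
# with some AD user, so the range must be free of local accounts.
# All input files below are constructed samples, not output from a real box.

# Print the value of "key = value" for key $2 in smb.conf $1 (first match).
smb_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# List accounts in passwd-format file $1 whose uid lies inside range $2
# ("lo-hi"); return 1 if any are found.
idmap_collisions() {
    lo=${2%-*}; hi=${2#*-}
    awk -F: -v lo="$lo" -v hi="$hi" '
        $3+0 >= lo+0 && $3+0 <= hi+0 { print $1 ":" $3; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Count accounts in getent-format file $1 with a uid inside range $2 and check
# that each home directory sits under prefix $3; print the count and return 1
# if any home directory is elsewhere.
domain_users_ok() {
    lo=${2%-*}; hi=${2#*-}
    awk -F: -v lo="$lo" -v hi="$hi" -v pfx="$3" '
        $3+0 >= lo+0 && $3+0 <= hi+0 { n++; if (index($6, pfx "/") != 1) bad = 1 }
        END { print n + 0; exit bad }
    ' "$1"
}

# The settings this check depends on, copied from the page's smb.conf template.
SMB=$(mktemp)
cat > "$SMB" <<'EOF'
[global]
    workgroup = domain
    security = ADS
    realm = domain.LOCAL
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /home/%D/%U
    winbind use default domain = yes
EOF

# Constructed local passwd: svcbackup sits inside the idmap range (a problem).
PASSWD=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
svcbackup:x:10500:10500:backup service:/var/lib/backup:/bin/sh
EOF

# Constructed "getent passwd" output after svcbackup was moved out of the
# range, with two winbind-mapped domain accounts appended by nss_winbind.
GETENT=$(mktemp)
cat > "$GETENT" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
svcbackup:x:999:999:backup service:/var/lib/backup:/bin/sh
jdoe:*:10001:10000:John Doe:/home/DOMAIN/jdoe:/bin/zsh
asmith:*:10002:10000:Anna Smith:/home/DOMAIN/asmith:/bin/zsh
EOF

RANGE=$(smb_get "$SMB" "idmap uid")
# %D is the short domain name; assumed to expand to DOMAIN as in the mkdir step.
DOMAIN=DOMAIN
HOMEPFX=$(smb_get "$SMB" "template homedir" | sed "s|/%U\$||; s|%D|$DOMAIN|")

if idmap_collisions "$PASSWD" "$RANGE"; then
    echo "no local account inside idmap range $RANGE"
else
    echo "accounts above collide with idmap range $RANGE; move them or change the range"
fi
if n=$(domain_users_ok "$GETENT" "$RANGE" "$HOMEPFX"); then
    echo "$n domain accounts mapped into $RANGE with homes under $HOMEPFX"
else
    echo "a domain account has a home outside $HOMEPFX; check template homedir"
fi
[ -d "$HOMEPFX" ] || echo "note: $HOMEPFX does not exist yet; create it before the first login"
```

On a live box, feed idmap_collisions /etc/passwd and domain_users_ok the output of getent passwd saved to a file; run it before the join, since changing the idmap range after uids have been handed out changes file ownership for every domain user.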
Ability to change Domain Password using passwd
Simple, just add:
| File: /etc/pam.d/passwd |
password sufficient pam_winbind.so
password required  pam_unix.so
|
Your /etc/pam.d/passwd should now look something like this:
| File: /etc/pam.d/passwd |
#%PAM-1.0
password sufficient pam_winbind.so
password required  pam_unix.so
auth     include   system-auth
account  include   system-auth
password include   system-auth
|
Troubleshooting
- LDAP
Samba was not starting on my setup and I needed to do this part. Your mileage may vary. If you know more feel free to edit.
| File: /etc/openldap/ldap.conf |
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=domain, dc=local
URI     ldap://dc1.domain.local

SIZELIMIT   12
TIMELIMIT   15
DEREF       never
|
- Trouble joining the AD?
Make sure that samba and winbind are not running when you run the net ads join command to join the domain.
- References
By and large, most of this was compiled from many sources on the web as well as my own trial and error, but notably most of it came from: Active Directory Winbind Howto, as well as Using_Samba on Debian Linux to authenticate against Active Directory.
Edited by Darf 15:26, 5 October 2007 (UTC)
