[Samba] Samba works!: Samba, Kerberos, Win2K Active Directory authentication

Ditirambo ditirambo_farfulla at yahoo.com
Sat Aug 27 00:11:16 GMT 2005


After some days, here is my personal cookbook for
Samba in Solaris.
I needed to share a folder in my Solaris server, but
using my Windows Active Directory Account. Here is my
process, if it can help anyone or if anyone can
make corrections or suggestions.
Thx.

Personal Cookbook for Samba.

 
Objective:
            To enable a Unix server to share folders
with Microsoft Windows machines, authenticating each
user with the Active Directory account of the Windows
client session.

 

Prerequisites:
            Unix Solaris 8
            gcc compiler
            Samba 3
            Kerberos 5
            OpenLDAP 2.2
            Windows 2000 Server Domain Controller

 

Process:
0. Get the software:
            krb5-1.4.1-signed.tar               at
http://web.mit.edu/kerberos/www/

            openldap-2.2.26.tar                  at
http://www.openldap.org/software/download/

            samba-3.0.14a.tar.gz                at
http://us1.samba.org/samba/

 

0.1      Verify the gcc compiler (e.g. execute 'type
gcc'; if the program exists, the command returns its
path, for example /usr/local/bin/gcc).

0.2      Verify that the env var CC points to
/usr/local/bin/gcc (make the required changes in the
file /etc/profile).

 

1.    Unpack the files in a temporary directory. Here
/export/programs/samba on unixmachine is used:
            tar xvf krb5-1.4.1-signed.tar
            (it creates the directory kerberos)

            tar xvf openldap-2.2.26.tar
            (it creates the directory openldap-2.2.26)

            tar xvf samba-3.0.14a.tar.gz
            (it creates the directory samba-3.0.14a)

 

2.      Compile and install the programs. Here they are
explicitly installed under /home1/. Follow this order:

2.1.   Kerberos
      Change to kerberos/krb5-1.4.1/src and execute:
./configure --prefix=/home1/kerberos5 \
CC=/usr/local/bin/gcc

make
make install

 
2.2.   OpenLDAP
      Change to openldap-2.2.26 and execute (the prefix
must be the same /home1/openldap that step 2.3 points
Samba at):
./configure --prefix=/home1/openldap --without-bdb \
--disable-bdb --enable-null

make depend
make
make install

 
2.3.   Samba
      Change to samba-3.0.14a/source and set these env
vars (the -R flag records the OpenLDAP library path in
the binaries so they find it at run time):
export LDFLAGS="-L/home1/openldap/lib -Wl,-R/home1/openldap/lib"

export CPPFLAGS=-I/home1/openldap/include

      Execute
./configure --prefix=/home1/samba --with-winbind \
--with-ads --with-ldap --with-krb5=/home1/kerberos5
make
make install

                        
3.      Create a user account in your Windows 2000
Domain Controller with the same name as your machine
(use the last name field). Enable the options "User
cannot change password" and "Password never expires".

 

4.      Generate the keytab for Kerberos in your Win2k
Domain Controller (one line; this maps the host
principal of unixmachine to the account from step 3):

C:\temp\ktpass -princ host/unixmachine.domain.com@DOMAIN.COM -mapuser unixmachine -pass password -out unixmachine.keytab

 
4.1.   Copy the file unixmachine.keytab to unixmachine
under the directory /etc/krb5/ (with ftp or scp,
depending on the unix server; the keytab holds the
host's secret key, so treat it like a password and do
not leave it readable by other users).

4.2.   Register the key in your unixmachine:
            /home1/kerberos5/sbin/ktutil
            ktutil: rkt /etc/krb5/unixmachine.keytab
            ktutil: wkt /etc/krb5/krb5.keytab
            ktutil: q

5.      Configure some env vars:
KRB5_CONFIG=/etc/krb5/krb5.conf
KRB5_KDC_PROFILE=/var/kerberos/krb5kdc/kdc.conf
DEFAULT_KEYTAB_NAME=/etc/krb5/krb5.keytab
LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/usr/local:/usr/local/include:/usr/local/lib:/usr/lib/iconv"

export KRB5_CONFIG KRB5_KDC_PROFILE LD_LIBRARY_PATH \
DEFAULT_KEYTAB_NAME

 
6.      Generate library links for nsswitch

  Copy the file libnss_winbind.so from
/export/programs/samba/samba-3.0.14a/source/nsswitch
to the directory /usr/lib

   Generate these soft links in /usr/lib/:
ln -s libnss_winbind.so libnss_winbind.so.1
ln -s libnss_winbind.so nss_winbind.so.1
ln -s libnss_winbind.so nss_winbind.so.2

 
7.      Create the file /etc/init.d/samba with this content:
------------------------------------------------------
#!/bin/sh
#
#
# This file should have uid root, gid sys and chmod 
# 744

#
if [ ! -d /usr/bin ]
then                    # /usr not mounted
        exit
fi

killproc() {            # kill the named process(es)
        pid=`/usr/bin/ps -e |
             /usr/bin/grep -w $1 |
             /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`
        [ "$pid" != "" ] && kill $pid
}

# Start/stop processes required for samba server
case "$1" in

'start')
     /home1/samba/sbin/nmbd -D \
-l/home1/samba/var/log.%m
     /home1/samba/sbin/winbindd
     /home1/samba/sbin/smbd -D
   ;;

'stop')
   killproc nmbd
   killproc smbd
   killproc winbindd
   echo "Killing nmbd, smbd, winbindd OK..."
   ;;

'restart')
   killproc nmbd
   killproc smbd
   killproc winbindd
   echo "Killing OK..."

    /home1/samba/sbin/nmbd -D \
-l/home1/samba/var/log.%m
    /home1/samba/sbin/winbindd
    /home1/samba/sbin/smbd -D

   echo "Starting Samba OK..."
   ;;

*)
   echo "Usage: /etc/init.d/samba { start | stop \
 | restart }"

   ;;

esac

------------------------------------------------------
 

8.      Generate the file /etc/krb5/krb5.conf:

------------------------------------------------------
# krb5.conf template
# Replace domain.com / DOMAIN.COM and the host names
# with the values for your network.
#

[libdefaults]
        ticket_lifetime = 24000
        default_realm = DOMAIN.COM
        # tickets restricted to DES, which a Windows 2000 DC
        # supports; newer Windows releases disable DES by
        # default, so use stronger types there
        default_tgs_enctypes = des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des-cbc-crc des-cbc-md5

        #forwardable = true
        #proxiable = true
        #dns_lookup_realm = true
        #dns_lookup_kdc = true

[realms]
DOMAIN.COM = {
  kdc = win2kdomcontr.domain.com
  kdc = otherwin2kdomcontr.domain.com
  admin_server = win2kdomcontr.domain.com
  default_domain = domain.com
}

[domain_realm]
  # every value in this section must be a realm name,
  # not a host name
  unixmachine.domain.com = DOMAIN.COM
  .domain.com = DOMAIN.COM
  domain.com = DOMAIN.COM
  .netbiosdomname = DOMAIN.COM
  netbiosdomname = DOMAIN.COM
------------------------------------------------------

9.      Generate the file /home1/samba/lib/smb.conf:

------------------------------------------------------
[global]
    # general options
    workgroup = NETBIOSDOMNAME
    netbios name = unixmachine
    realm = DOMAIN.COM
    server string = SambaUNIXMACHINE
    security = ADS
    idmap uid = 5000-100000000
    idmap gid = 5000-100000000

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nested groups = Yes

    log level = 1
    template homedir = /home1/samba/%D/%U
    template shell = /bin/bash
    encrypt passwords = yes

    password server = win2kdomcontr.domain.com

[shared1]
    comment = Shared data
    path = /home1/samba/users
    # a group name in "valid users" needs the @ prefix;
    # without it Samba looks for a user called anygroup
    valid users = @NETBIOSDOMNAME\anygroup
    browseable = yes
    writeable = yes
------------------------------------------------------

 
10.  Modify the file /etc/nscd.conf so that nscd does
not cache these databases (a stale cache would hide the
winbind lookups):
        enable-cache            hosts           no
        enable-cache            passwd          no
        enable-cache            group           no


11.  Register the computer account in Active
Directory:

  /home1/kerberos5/bin/kinit administrator
  (enter the password of the domain administrator)

  /home1/samba/bin/net ads join
  (This prints a message indicating that the computer
has joined the domain; verify the computer account in
Active Directory Users and Computers)

(Optionally, use net ads join --debuglevel=10 to debug
errors)


12.  To test the communication with Active Directory,
execute getent passwd. This command shows the local
passwd entries followed by the Active Directory
accounts. Additionally, execute /home1/samba/bin/wbinfo -u
or /home1/samba/bin/wbinfo -g to list the users or
groups from Active Directory.

 
13.  Execute /etc/init.d/samba start to start the
Samba daemons. The final test is to open the server
from a Windows machine with Start/Run/\\unixmachine
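As an added example (not from the original post or from Samba itself), a POSIX shell helper that cross-checks the smb.conf of step 9 against the krb5.conf of step 8 before the net ads join of step 11; the file paths are the cookbook's, and the function names are assumptions:

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post or Samba):
# cross-check the smb.conf of step 9 against the krb5.conf of step 8 before
# running "net ads join" in step 11. Paths assumed from the cookbook:
#   /home1/samba/lib/smb.conf  and  /etc/krb5/krb5.conf

# ini_get FILE KEY: print the value of the first "KEY = value" line in FILE.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_ads_config SMBCONF KRB5CONF: print each finding, return 0 only if all pass.
check_ads_config() {
    smb=$1; krb=$2; rc=0
    sec=$(ini_get "$smb" 'security' | tr '[:lower:]' '[:upper:]')
    realm=$(ini_get "$smb" 'realm')
    pwsrv=$(ini_get "$smb" 'password server')
    krealm=$(ini_get "$krb" 'default_realm')

    # Without security = ADS winbind does not use Kerberos (and the keytab) at all.
    [ "$sec" = "ADS" ] || { echo "FAIL: security = $sec (expected ADS)"; rc=1; }

    # Kerberos realm names are case-sensitive; an AD realm is the upper-case DNS domain.
    [ "$realm" = "$(echo "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "FAIL: realm '$realm' is not upper-case"; rc=1; }

    # kinit (step 11) reads krb5.conf, net ads join reads smb.conf: they must agree.
    [ "$realm" = "$krealm" ] \
        || { echo "FAIL: smb.conf realm '$realm' != krb5.conf default_realm '$krealm'"; rc=1; }

    # The password server should be one of the KDCs listed for the realm.
    if [ -n "$pwsrv" ] && \
       ! grep -q "^[[:space:]]*kdc[[:space:]]*=[[:space:]]*$pwsrv[[:space:]]*$" "$krb"; then
        echo "FAIL: password server '$pwsrv' is not listed as a kdc in $krb"; rc=1
    fi

    # Every [domain_realm] value must be a realm; a host name there breaks the mapping.
    bad=$(awk -v r="$krealm" '
        /^[[:space:]]*\[/ { ind = ($0 ~ /^[[:space:]]*\[domain_realm\]/); next }
        ind && /=/ { split($0, a, "="); gsub(/[[:space:]]/, "", a[2]); if (a[2] != r) print a[2] }
    ' "$krb")
    [ -z "$bad" ] || { echo "FAIL: [domain_realm] maps to a non-realm value: $bad"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $smb and $krb are consistent"
    return $rc
}

# Usage: check_ads_config /home1/samba/lib/smb.conf /etc/krb5/krb5.conf
```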


		
____________________________________________________
Start your day with Yahoo! - make it your home page 
http://www.yahoo.com/r/hs 
 

