[Samba] Samba works!: Samba, Kerberos, Win2K Active Directory
authentication
Philip Washington
phwashington at comcast.net
Sat Aug 27 23:05:53 GMT 2005
Ditirambo wrote:
>After some days, here is my personal cookbook for
>Samba in Solaris.
>I needed to share a folder in my Solaris server, but
>using my Windows Active Directory account. Here is my
>process, if it can help anyone or if anyone can
>make corrections or suggestions.
>Thx.
>
>Personal Cookbook for Samba.
>
>
>Objective:
> To enable a Unix server to share folders
>with Microsoft Windows machines, with authentication
>through the Active Directory accounts used in the Windows
>client session.
>
>
>
>Prerequisites:
> Unix Solaris 8
> gcc compiler
> Samba 3
> Kerberos 5
> OpenLDAP 2.2
> Windows 2000 Server Domain Controller
>
>
>
>Process:
>0. Get the software:
> krb5-1.4.1-signed.tar at
>http://web.mit.edu/kerberos/www/
>
> openldap-2.2.26.tar at
>http://www.openldap.org/software/download/
>
> samba-3.0.14a.tar.gz at
>http://us1.samba.org/samba/
>
>
>
>0.1 Verify the gcc compiler (e.g. execute 'type
>gcc'; if the program exists, the instruction returns the
>path, for example /usr/local/bin)
>
>0.2 Verify that the env var CC points to
>/usr/local/bin/gcc. (Make the required modifications in the
>file /etc/profile)
>
>
>
>1. Unpack the files in a temp directory. Here
>unixmachine# /export/programs/samba is used
> tar xvf krb5-1.4.1-signed.tar
> it creates the directory kerberos
>
> tar xvf openldap-2.2.26.tar
> it creates the directory openldap-2.2.26
>
> tar xvf samba-3.0.14a.tar.gz
> it creates the directory samba-3.0.14a
>
>
>
>2. Compile and install the programs. Here it is
>explicitly specified that the programs are installed in
>/home1/. Follow this order:
>
>2.1. Kerberos
> Go to kerberos/krb5-1.4.1/src
> Execute
>./configure --prefix=/home1/kerberos5 \
>CC=/usr/local/bin/gcc
>
>make
>make install
>
>
>2.2. OpenLDAP
> Go to openldap-2.2.26
> Execute
>./configure --prefix=/home1/openldap --without-bdb \
>--disable-bdb --enable-null
>
>make depend
>make
>make install
>
>
>2.3. Samba
> Go to samba-3.0.14a/source
> Set these env vars:
>export LDFLAGS="-L/home1/openldap/lib -Wl,\
>-R/home1/openldap/lib"
>
>export CPPFLAGS=-I/home1/openldap/include
>
> Execute
>./configure --prefix=/home1/samba --with-winbind \
>--with-ads --with-ldap --with-krb5=/home1/kerberos5
>make
>make install
>
>
>3. Create a user account in your Windows 2000
>Domain Controller with the same name as your machine
>(use the last name field). Enable the options User cannot
>change password and Password never expires.
>
>
>
>4. Generate the keytab for Kerberos in your Win2k
>Domain Controller:
>
>C:\temp\ktpass -princ
>host/unixmachine.domain.com@DOMAIN.COM
>-mapuser unixmachine -pass password
>-out unixmachine.keytab
>
>
>4.1. Copy the file unixmachine.keytab to the
>unixmachine under the directory /etc/krb5/ (It can be
>done with ftp or scp, depending on the unix server)
>
>4.2. Register the key in your unixmachine:
> /home1/kerberos5/sbin/ktutil
> ktutil: rkt /etc/krb5/unixmachine.keytab
> ktutil: wkt /etc/krb5/krb5.keytab
> ktutil: q
>
>5. Configure some env vars:
>KRB5_CONFIG=/etc/krb5/krb5.conf
>KRB5_KDC_PROFILE=/var/kerberos/krb5kdc/kdc.conf
>DEFAULT_KEYTAB_NAME=/etc/krb5/krb5.keytab
>LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local:\
>/usr/local/include:/usr/local/lib:/usr/lib/iconv
>
>export KRB5_CONFIG KRB5_KDC_PROFILE LD_LIBRARY_PATH \
>DEFAULT_KEYTAB_NAME
>
>
>6. Generate library links for nsswitch
>
> Copy from
>/export/programas/samba/samba-3.0.14a/source/nsswitch
>the file libnss_winbind.so to the directory /usr/lib
>
> Generate these soft links in /usr/lib/:
>ln -s libnss_winbind.so libnss_winbind.so.1
>ln -s libnss_winbind.so nss_winbind.so.1
>ln -s libnss_winbind.so nss_winbind.so.2
>
>
>7. Create the file samba in /etc/init.d/:
>------------------------------------------------------
>#!/bin/sh
>#
>#
># This file should have uid root, gid sys and chmod
># 744
>
>#
>if [ ! -d /usr/bin ]
>then # /usr not mounted
> exit
>fi
>
>killproc() { # kill the named process(es)
> pid=`/usr/bin/ps -e |
> /usr/bin/grep -w $1 |
> /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
> [ "$pid" != "" ] && kill $pid
>}
>
># Start/stop processes required for samba server
>case "$1" in
>
>'start')
> /home1/samba/sbin/nmbd -D \
>-l/home1/samba/var/log.%m
> /home1/samba/sbin/winbindd
> /home1/samba/sbin/smbd -D
> ;;
>
>'stop')
> killproc nmbd
> killproc smbd
> killproc winbindd
> echo "Killing nmbd, smbd, winbindd OK..."
> ;;
>
>'restart')
> killproc nmbd
> killproc smbd
> killproc winbindd
> echo "Killing OK..."
>
> /home1/samba/sbin/nmbd -D \
>-l/home1/samba/var/log.%m
> /home1/samba/sbin/winbindd
> /home1/samba/sbin/smbd -D
>
> echo "Starting Samba OK..."
> ;;
>
>*)
> echo "Usage: /etc/init.d/samba { start | stop \
> | restart }"
>
> ;;
>
>esac
>
>------------------------------------------------------
>
>
>8. Generate the file /etc/krb5/krb5.conf:
>
>------------------------------------------------------
># krb5.conf template
># In order to complete this configuration file
># you will need to replace the __<name>__ placeholders
># with appropriate values for your network.
>#
>
>[libdefaults]
> ticket_lifetime = 24000
> default_realm = DOMAIN.COM
> default_tgs_enctypes = des-cbc-crc des-cbc-md5
> default_tkt_enctypes = des-cbc-crc des-cbc-md5
>
> #forwardable = true
> #proxiable = true
> #dns_lookup_realm = true
> #dns_lookup_kdc = true
>
>[realms]
>DOMAIN.COM = {
> kdc = win2kdomcontr.domain.com
> kdc = otherwin2kdomcontr.domain.com
> admin_server = win2kdomcontr.domain.com
> default_domain = domain.com
>}
>
>[domain_realm]
> unixmachine.domain.com = unixmachine
> .domain.com = DOMAIN.COM
> domain.com = DOMAIN.COM
> .netbiosdomname = DOMAIN.COM
> netbiosdomname = DOMAIN.COM
>------------------------------------------------------
>
>9. Generate the file /home1/samba/lib/smb.conf:
>
>------------------------------------------------------
> [global]
> # general options
> workgroup = NETBIOSDOMNAME
> netbios name = unixmachine
> realm = DOMAIN.COM
> server string = SambaUNIXMACHINE
> security = ADS
> idmap uid = 5000-100000000
> idmap gid = 5000-100000000
>
>
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
>
> log level = 1
> template homedir = /home1/samba/%D/%U
> template shell = /bin/bash
> encrypt passwords = yes
>
> password server = win2kdomcontr.domain.com
>
>[shared1]
>comment = Shared data
>path = /home1/samba/users
>valid users = NETBIOSDOMNAME\anygroup
>browseable = yes
>writeable = yes
>------------------------------------------------------
>
>
>10. Modify the file /etc/nscd.conf:
> enable-cache hosts no
> enable-cache passwd no
> enable-cache group no
>
>
>11. Register the computer account in Active
>Directory:
>
> /home1/kerberos5/bin/kinit administrator
>(enter the password for the domain administrator)
>
> /home1/samba/bin/net ads join
> (This sends a message indicating that the computer
>has joined the domain; verify the computer account
>in Active Directory Users and Computers)
>
>(Optionally, use net ads join --debuglevel=10 to debug
>errors)
>
>
>12. To test the communication with Active Directory,
>execute getent passwd. This command shows the passwd
>content and the Active Directory accounts.
>Additionally, execute /home1/samba/bin/wbinfo -u or
>/home1/samba/bin/wbinfo -g to list the users or groups
>from Active Directory.
>
>
>13. Execute /etc/init.d/samba start to start the
>Samba daemons. The final test is to open the server from a
>Windows machine with Start/Run/\\unixmachine
>
>
>
Thanks for the info. Do you have a web site where this could be posted?
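The krb5.conf in step 8 of the quoted cookbook enables only DES enctypes and maps unixmachine.domain.com to a realm that its [realms] section never defines. As an added example, not part of the original post, here is a small audit that parses a constructed excerpt of that file and reports those two points, plus a realm mismatch with smb.conf, before `net ads join` is attempted; the function names and the sample text are assumptions, not anything from the cookbook.

```python
# Deny-list: the DES-only enctypes the cookbook's krb5.conf enables.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}
# Constructed excerpt of the krb5.conf shown in the post (placeholders kept).
KRB5_SAMPLE = """
[libdefaults]
 default_realm = DOMAIN.COM
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
DOMAIN.COM = {
 kdc = win2kdomcontr.domain.com
}
[domain_realm]
 unixmachine.domain.com = unixmachine
 .domain.com = DOMAIN.COM
"""
def parse_krb5(text):
    """[section]/key = value reader; 'NAME = {' openers land in '_blocks'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line or line == "}":           # closing brace of a realm block
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":                  # e.g. 'DOMAIN.COM = {' in [realms]
                conf[section].setdefault("_blocks", []).append(key)
            else:
                conf[section][key.lower()] = value
    return conf
def audit_krb5(text, smb_realm):
    """Return findings to fix before joining; smb_realm is smb.conf's 'realm ='."""
    conf = parse_krb5(text)
    lib, findings = conf.get("libdefaults", {}), []
    if lib.get("default_realm", "").upper() != smb_realm.upper():
        findings.append("default_realm differs from the smb.conf realm")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        weak = set(lib.get(key, "").split()) & WEAK_ENCTYPES
        if weak:
            findings.append(f"{key} allows weak enctypes {sorted(weak)}")
    realms = {r.upper() for r in conf.get("realms", {}).get("_blocks", [])}
    for host, realm in conf.get("domain_realm", {}).items():
        if realm.upper() not in realms:
            findings.append(f"{host} is mapped to undefined realm {realm}")
    return findings
```

Run `audit_krb5(KRB5_SAMPLE, "DOMAIN.COM")` to see the three findings; an empty list means the file is consistent with the smb.conf realm and uses no DES-only enctypes.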