[Samba] How to - Samba, winbind and Active Directory
john woo
johnwoo72 at yahoo.com
Thu Aug 30 21:46:41 GMT 2007
Hi,
I finally was able to get samba/winbind to authenticate off a W2k3 Active Directory. I have seen a lot of info on the web on how to do this, but I never seemed to find one site that got me through it all. Anyway, with all the info I gathered I was able to put it all together, get it working and document all the steps I used. I'm running Redhat 4 (2.6.9-55.0.2) with a compiled Samba 3.0.25c (you'll also need Samba 3.0.24, though, because of a *bug* in the 3.0.25c net binary - more info below). Hope this helps anyone trying to do Samba/AD integration.
Compile/Install Samba 3.0.25c
./configure --with-winbind --with-ldap --with-ads --with-krb5
make
make install
Samba will be installed in /usr/local/samba
Edit krb5.conf
vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = MY.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
MY.DOMAIN.COM = {
# I used the Windows DC IP address instead of the FQDN for the kdc
kdc = 10.2.30.63
default_domain = my.domain.com
}
[domain_realm]
.my.domain.com = MY.DOMAIN.COM
my.domain.com = MY.DOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Edit /etc/nsswitch.conf
vi /etc/nsswitch.conf (you only need to add winbind to the passwd and group lines; everything else stays the same)
passwd: files winbind
shadow: files
group: files winbind
Edit /etc/samba/smb.conf
vi /etc/samba/smb.conf
[global]
security = ADS
workgroup = MY
netbios name = sambatest
realm = MY.DOMAIN.COM
# I used the Windows DC IP address instead of the FQDN for the "password server".
password server = 10.2.30.63
encrypt passwords = yes
client use spnego = no
server signing = auto
log file = /var/log/samba/%m
# enum users/groups is needed for getent passwd|group to work, but otherwise samba still works fine without this option
winbind enum users = yes
winbind enum groups = yes
winbind separator = .
winbind use default domain = no
idmap uid = 10000-20000
idmap gid = 10000-20000
# Shares
[smbtest]
comment = test share
path = /smbtest
valid users = MY.user1 MY.user2
browseable = no
printable = no
writable = yes
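Before moving on to the join, it is worth checking that the three files edited above agree with each other (same upper-case realm in smb.conf and krb5.conf, security = ADS, sane idmap ranges, winbind listed in nsswitch.conf). The script below is an added example written for this post, not part of the original message; the file paths and the 1000 lower bound for the idmap ranges are assumptions, and it uses nothing but sh, awk and grep.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the three config
# files edited above before running "net ads join". Usage:
#   check_ad_config /etc/samba/smb.conf /etc/krb5.conf /etc/nsswitch.conf
# Prints each problem found and returns 1, or returns 0 if everything passes.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION] of an smb.conf /
# krb5.conf style file ('#' and ';' comments skipped); prints nothing if absent.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/].*$/, "", s)
                            insec = (s == sec); next }
        insec && $0 !~ /^[[:space:]]*[#;]/ && index($0, "=") {
            n = index($0, "="); k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

check_ad_config() {
    smb=$1; krb=$2; nss=$3; rc=0
    # 1. Winbind against Active Directory needs security = ADS
    sec=$(ini_get "$smb" global security | tr 'a-z' 'A-Z')
    [ "$sec" = ADS ] || { echo "smb.conf: security must be ADS (got '$sec')"; rc=1; }
    # 2. The Kerberos realm must be upper-case and identical in smb.conf and krb5.conf
    realm=$(ini_get "$smb" global realm)
    krealm=$(ini_get "$krb" libdefaults default_realm)
    case $realm in
        "" | *[a-z]*) echo "smb.conf: realm missing or not upper-case ('$realm')"; rc=1 ;;
    esac
    [ "$realm" = "$krealm" ] || { echo "realm mismatch: smb.conf '$realm' vs krb5.conf '$krealm'"; rc=1; }
    # 3. idmap ranges must be LOW-HIGH and stay clear of local system accounts (< 1000, assumed)
    for k in uid gid; do
        r=$(ini_get "$smb" global "idmap $k")
        case $r in
            [0-9]*-[0-9]*) lo=${r%%-*}; hi=${r##*-}
                           [ "$lo" -ge 1000 ] && [ "$lo" -lt "$hi" ] ;;
            *) false ;;
        esac || { echo "smb.conf: bad idmap $k range '$r' (want LOW-HIGH, LOW >= 1000)"; rc=1; }
    done
    # 4. nsswitch must consult winbind for passwd and group, or getent and
    #    'valid users' will never see the domain accounts
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$nss" \
            || { echo "nsswitch.conf: '$db:' line does not list winbind"; rc=1; }
    done
    return $rc
}
```

Run it again after any later edit to smb.conf; a non-zero exit with the printed reasons is the cue to fix the file before restarting winbindd.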
Link smb.conf
Note: By default Samba will look in /usr/local/samba/lib for smb.conf, but I kept my smb.conf in /etc/samba/smb.conf, so I just softlinked to it.
ln -s /etc/samba/smb.conf /usr/local/samba/lib/smb.conf
Net binary
Note: the net binary supplied with Samba 3.0.25c is buggy and does not work when trying to join a domain. What I did was copy the net binary from a 3.0.24 install to the 3.0.25c server (/usr/local/samba/bin) and it worked like a charm.
mv /usr/local/samba/bin/net /usr/local/samba/bin/net.BAK
cp /usr/local/samba/bin/net (from the 3.0.24 install) /usr/local/samba/bin/net
Update libnss_winbind.so lib
unlink /lib/libnss_winbind.so
mv /lib/libniss_winbind.so.2 /lib/libniss_winbind.so.2.BAK
cp /BUILDSOURCE/source/nsswitch/libnss_winbind.so /lib/libniss_winbind.so.2 (yes, I changed the file name to libniss_winbind.so.2)
ln -s /lib/libniss_winbind.so.2 /lib/libniss_winbind.so
Get Kerberos ticket
kinit administrator@MY.DOMAIN.COM
klist (this will show you the cached tickets on the system)
Join Samba server to the Windows Domain
/usr/local/samba/bin/net ads join -U administrator
You should see the following:
[root@sambatest2 bin]# /usr/local/samba/bin/net ads join -U administrator
administrator's password:
Using short domain name -- MY
Joined 'SAMBATEST2' to realm 'MY.DOMAIN.COM'
Check for domain accounts/groups
/usr/local/samba/bin/wbinfo -u (this should return MY.user1, MY.user2, MY.user3 etc.)
/usr/local/samba/bin/wbinfo -g (this should return MY.group1, MY.group2, MY.group3 etc.)
getent passwd (this should return accounts from the local server and from the domain, depending on whether you set winbind enum users in smb.conf)
getent group (this should return groups from the local server and from the domain, depending on whether you set winbind enum groups in smb.conf)
Fire up Samba and Winbind
./smb start
Test your share by accessing it from a Windows computer (\\sambaServer\shareName).
Samba/Winbind startup script
#!/bin/sh
#
# chkconfig: - 91 35
# description: Starts and stops the Samba smbd and nmbd daemons \
#              used to provide SMB network services.
#
# pidfile: /var/run/samba/smbd.pid
# pidfile: /var/run/samba/nmbd.pid
# config: /etc/samba/smb.conf

# Source function library.
if [ -f /etc/init.d/functions ] ; then
    . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
    . /etc/rc.d/init.d/functions
else
    exit 0
fi

# Avoid using root's TMPDIR
unset TMPDIR

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/samba ]; then
    . /etc/sysconfig/samba
fi

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# Check that smb.conf exists.
[ -f /etc/samba/smb.conf ] || exit 0

RETVAL=0
SMBHOME="/usr/local/samba/sbin"

start() {
    KIND="SMB"
    echo -n $"Starting $KIND services: "
    daemon $SMBHOME/smbd $SMBDOPTIONS
    RETVAL=$?
    echo
    KIND="NMB"
    echo -n $"Starting $KIND services: "
    daemon $SMBHOME/nmbd $NMBDOPTIONS
    RETVAL2=$?
    echo
    KIND="Winbind"
    echo -n $"Starting $KIND services: "
    daemon $SMBHOME/winbindd
    RETVAL3=$?
    echo
    # Only mark the service as up if all three daemons started.
    [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || RETVAL=1
    return $RETVAL
}

stop() {
    KIND="SMB"
    echo -n $"Shutting down $KIND services: "
    killproc smbd
    RETVAL=$?
    echo
    KIND="NMB"
    echo -n $"Shutting down $KIND services: "
    killproc nmbd
    RETVAL2=$?
    echo
    KIND="Winbind"
    echo -n $"Shutting down $KIND services: "
    killproc winbindd
    RETVAL3=$?
    [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
    echo ""
    return $RETVAL
}

restart() {
    stop
    start
}

reload() {
    echo -n $"Reloading smb.conf file: "
    killproc smbd -HUP
    RETVAL=$?
    echo
    return $RETVAL
}

rhstatus() {
    status smbd
    status nmbd
    status winbindd
}

# Allow status as non-root.
if [ "$1" = status ]; then
    rhstatus
    exit $?
fi

# Check that we can write to it... so non-root users stop here.
[ -w /etc/samba/smb.conf ] || exit 0

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    status)
        rhstatus
        ;;
    condrestart)
        [ -f /var/lock/subsys/smb ] && restart || :
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|status|condrestart}"
        exit 1
esac

exit $?