[Samba] Starting from scratch... and Active Directory

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Fri Dec 11 14:12:53 MST 2009


On Fri, Dec 11, 2009 at 12:40:50PM -0800, Kevin Keane wrote:
> First of all, I have Samba working in an Active Directory environment. The Samba server has been basically unchanged for a couple of years now, and survived an upgrade to Windows 2008 without changes. So it can be done.
> 
> Here are the relevant settings from my [global] section in smb.conf (for a domain called ad.mydomain.local. Note the capitalization):
> 
>         realm = AD.MYDOMAIN.LOCAL
>         security = ADS
>         encrypt passwords = yes
>         domain logons = no
>         domain master = no
>         idmap domains = AD
>         idmap config AD:backend = rid
>         idmap config AD:base_rid = 0
>         idmap config AD:range = 10000-20000
>         winbind enum users = yes
>         winbind enum groups = yes
>         client use spnego = yes
> # set smb ports to turn off NetBT. Be aware that this makes your server invisible
> # in the Network Neighborhood.
>         smb ports = 445
>         idmap gid = 10000-20000
>         idmap uid = 10000-20000
> 
> Next, you need to make sure that DNS resolution works and uses the Windows box as DNS server. This is critically important.

Well, you have to make your DNS use the windows box as the DNS server
for the mydomain.local domain.  To make the DNS go to the windows box
at all times is not necessary and is frustratingly slow compared to bind9
for example.

> In addition, you need to set up Kerberos using krb5.conf:
> 
> [libdefaults]
>         default_realm = AD.MYDOMAIN.LOCAL
>         clockskew = 300
> 
> [logging]
>         kdc = FILE:/var/log/krb5/krb5kdc.log
>         admin_server = FILE:/var/log/krb5/kadmind.log
>         default = SYSLOG:NOTICE:DAEMON
> [appdefaults]
> pam = {
>         ticket_lifetime = 1d
>         renew_lifetime = 1d
>         forwardable = true
>         proxiable = false
>         retain_after_close = false
>         minimum_uid = 1
>         use_shmem = sshd
> }
> 
> (not sure if the pam section is needed - I believe Samba uses Kerberos directly. Pam would allow you to use Windows accounts to log in to a Linux box without creating accounts on the Linux box).
> 
> Some sites also recommend using a [realms] section to specify which server serves up Kerberos tickets. I found that not necessary, and in fact harmful. Kerberos uses SRV records in DNS to find the correct server, and Windows creates the correct ones.
> 
> 
> Finally, you have to join the AD domain (use the net join command in Samba)
> 
> One catch: Server 2008 prefers IPv6. In IPv6, you cannot support NetBT/WINS. Samba does not support Network Discovery very well, so your server becomes invisible.

Hmm, that's an interesting change.

> If I recall correctly, the advantages and drawbacks of enum users and groups are documented quite well in the Samba docs. The reason this setting exists is exactly to accommodate a situation such as yours, with a very large number of users.

-- 
Len Sorensen
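As an added example (not part of this thread, nor Samba's own code), a small Python checker that parses a [global] section like the one quoted above and flags the points the thread raises: realm capitalization, security = ADS, the NetBT side effect of smb ports = 445, agreement between the per-domain idmap range and the idmap uid/gid ranges, and the cost of winbind enumeration on large domains. The sample configuration is constructed from the quoted settings; the check messages are my own.

```python
# Constructed sample, modelled on the [global] section quoted in the thread
# (only the lines the checks below look at; not a complete smb.conf).
SAMPLE_SMB_CONF = """[global]
        realm = AD.MYDOMAIN.LOCAL
        security = ADS
        idmap domains = AD
        idmap config AD:range = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
# set smb ports to turn off NetBT
        smb ports = 445
        idmap gid = 10000-20000
        idmap uid = 10000-20000
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, '#'/';' lines are comments."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_ads_global(conf):
    """Return findings (strings) for an AD member-server [global] section."""
    g, out = conf.get("global", {}), []
    realm = g.get("realm", "")
    if not realm or realm != realm.upper():
        out.append("realm %r missing or not upper-case (Kerberos realm names are case-sensitive)" % realm)
    if g.get("security", "").lower() != "ads":
        out.append("security must be ADS for Kerberos-based domain membership")
    if g.get("smb ports") == "445":
        out.append("smb ports = 445 turns off NetBT; the server will not appear in Network Neighborhood")
    # The per-domain idmap range must agree with the legacy idmap uid/gid ranges.
    for dom in (d.strip().lower() for d in g.get("idmap domains", "").split(",") if d.strip()):
        rng = g.get("idmap config %s:range" % dom)
        for legacy in ("idmap uid", "idmap gid"):
            if rng and g.get(legacy, rng) != rng:
                out.append("%s (%s) differs from idmap config %s:range (%s)" % (legacy, g[legacy], dom, rng))
    for key in ("winbind enum users", "winbind enum groups"):
        if g.get(key, "").lower() == "yes":
            out.append("%s = yes enumerates the whole domain; slow with a very large number of users" % key)
    return out
```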