[Samba] how to join to AD ? -Annoyed
Robert LeBlanc
robert at leblancnet.us
Wed Dec 16 08:57:09 MST 2009
On Wed, Dec 16, 2009 at 4:34 AM, mistofeles <ptmusta at utu.fi> wrote:
>
> Okay, this Samba4 seemed to be a dead end. I re-installed some parts of
> Samba and 'net' command started to work again.
>
> Some questions:
> - Must I log in and 'kinit' with my username, which has rights to join this
> device to AD, every time I reboot the PC? It seems so.
>
> - Is there some way to make the user permissions work in Samba?
> Now I have to set 707 permissions to user home directory so that he can read
> and modify his data. If I make it like this, everyone in the AD can go and
> read his files.
> Linux has its own system of permissions. Is there any way to make Samba
> understand that they should be used and not some system, which is built in
> Samba?
>
> Somebody said that I should keep the system 'KISS'. How is this made ?
>
You seem to be having a lot more trouble with this than it should be. I'll
go over the steps that are in a joining script I wrote to make sure you are
not missing anything. YMMV mostly depending on how your DNS is set up.
- Install the packages and stop the services:

apt-get update
apt-get install samba samba-common winbind ntp ntpdate openssh-server krb5-config krb5-user
/etc/init.d/winbind stop
/etc/init.d/samba stop

- Edit /etc/krb5.conf (if needed; we replace the file with only the following
contents, as our DNS provides everything else we need):

[libdefaults]
default_realm = DOMAIN.LOCAL
forwardable = true
rdns = no
[domain_realm]
.domain.local = DOMAIN.LOCAL

- Edit /etc/hosts:

127.0.0.1 localhost
127.0.1.1 hostname.domain.local hostname.domain.edu hostname

- Edit /etc/dhcp3/dhclient.conf (if the computer is using DHCP, add the
following lines), then run /sbin/dhclient:

send host-name "MYCOMPUTER";
supersede domain-name "domain.local domain.edu";

- If statically assigned IP addresses are used, edit /etc/resolv.conf:

domain domain.local
search domain.local domain.edu

- Edit /etc/nsswitch.conf (modify the following lines):

passwd: compat winbind
group: compat winbind
hosts: files dns

(msdns, or whatever it is, causes lots of problems; I suggest you only use
files and dns for hosts, use whatever else you need)

If you don't want interactive logins to the box, comment out the identified
PAM lines.
- Edit /etc/pam.d/common-account like this:
account sufficient pam_winbind.so
account required pam_unix.so
- Edit /etc/pam.d/common-auth like this:
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth required pam_unix.so use_first_pass nullok_secure
- Edit /etc/pam.d/common-session like this:
session required pam_mkhomedir.so skel=/etc/skel umask=0028 #Comment out if no interactive logins
session required pam_winbind.so
session required pam_unix.so
- Edit /etc/pam.d/samba like this:
@include common-auth
auth required pam_winbind.so
@include common-account
account required pam_winbind.so
@include common-session
- Edit /etc/pam.d/login like this (no changes needed if no interactive logins):
#
# The PAM configuration file for the Shadow 'login' service
#
# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000
# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue
# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so
# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the \`PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
account required pam_access.so
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so
# Prints the motd upon successful login
# (Replaces the \`MOTD_FILE' option in login.defs)
session optional pam_motd.so
# Prints the status of the user's mailbox upon successful login
# (Replaces the \`MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context.
# Uncomment the following line to enable SELinux
# session required pam_selinux.so select_context
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
- Edit /etc/pam.d/sshd like this (no changes needed if no interactive logins):
# PAM configuration for the Secure Shell service
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account required pam_access.so
# Standard Un*x authorization.
@include common-account
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple
# Standard Un*x password updating.
@include common-password
- Edit /etc/security/access.conf like this (no changes if no interactive logins):
+ : root : ALL
+ : ad_group1 : ALL
+ : ad_group2 : ALL
- : ALL : ALL
- Edit /etc/security/pam_winbind.conf like this (no changes if no interactive logins):
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes
# authenticate using kerberos
;krb5_auth = yes
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type = FILE
# make successful authentication dependent on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
- Edit /etc/samba/smb.conf like this:
#======================= Global Settings =======================
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
preferred master = no
server string = %h server
dns proxy = no
#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
security = ADS
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
invalid users = root
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
########## Printing ##########
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes
############ Misc ############
idmap backend = hash
winbind nss info = hash
winbind use default domain = yes
winbind separator = +
winbind enum groups = no
winbind enum users = no
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
winbind refresh tickets = yes
# kerberos method = system keytab # Keytab not working with PAM cache, see bug #6833
winbind offline logon = yes
#======================= Share Definitions =======================
- Edit /etc/ssh/ssh_config like this (no changes if no interactive logins):
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
- Edit /etc/ssh/sshd_config like this:
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
- Turn samba and winbind back on
- Run the following command: `net ads join -U [domain-account]`
- restart samba, winbind and ssh
- try to login/access share using your domain credentials
- now you're done!
Set up the passwd command to work with AD users (interactive logins only).
If you want the Active Directory users to be able to change their passwords
(such as for non-route-y AD users), you must make the following change:
- Edit /etc/pam.d/common-password like this:
password sufficient pam_unix.so nullok obscure md5
password requisite pam_winbind.so krb5_auth krb5_ccache_type=FILE
As far as file security, Samba will honor Linux's file permissions including
ACLs. If you need fine grained permissions and the ability to set some
permissions through Windows, then install acl package and enable it on your
file system. Samba also honors quotas from Linux as well.
It has taken me months of research and tinkering with Samba and Active
Directory to get to the point where I am now. If you take the time to
understand how each option listed above works, it's a lot easier to
troubleshoot. Don't get discouraged if things are not working right away, be
sure you are restarting the winbind and samba services, check the logs, they
help a lot (/var/log/samba/*) in finding where problems lie. Every
environment is different, so you may run into things that others have not.
We can try to help where we can, but be patient, you may have to be the one
that figures it out.
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
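The files listed in the reply above (smb.conf, krb5.conf, nsswitch.conf, access.conf, sshd_config) have to agree with each other before `net ads join` is run, and a mismatch in any of them is one of the usual reasons a join or a later login fails. The script below is an added example and is not Robert's joining script or anything shipped by Samba: it writes constructed copies of those files, modelled on the values in the post, into a temporary directory and audits them for security not being ADS, the Samba realm differing from the Kerberos default_realm, passwd/group not consulting winbind, access.conf lacking its closing `- : ALL : ALL` deny rule, and `PermitRootLogin yes` as it appears in the posted sshd_config. Every function name and all sample contents are the example's own assumptions; point the check functions at real files to audit a host.

```shell
#!/bin/sh
# Added example (not the joining script from the post): sanity checks on the
# configuration files the post edits, run against constructed sample copies.

# conf_get FILE KEY: value of the first uncommented "KEY = value" line, or empty.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_smb_conf FILE: one message per problem; exit status = number of problems.
check_smb_conf() {
    n=0
    sec=$(conf_get "$1" security | tr 'a-z' 'A-Z')
    if [ "$sec" != "ADS" ]; then
        echo "smb.conf: security is '$sec', expected ADS"; n=$((n + 1))
    fi
    for key in realm workgroup "idmap backend" "template homedir"; do
        if [ -z "$(conf_get "$1" "$key")" ]; then
            echo "smb.conf: '$key' is not set"; n=$((n + 1))
        fi
    done
    return $n
}

# check_realms SMB KRB5: Samba's realm must equal the Kerberos default_realm, upper case.
check_realms() {
    samba_realm=$(conf_get "$1" realm)
    krb_realm=$(conf_get "$2" default_realm)
    [ -n "$samba_realm" ] && [ "$samba_realm" = "$krb_realm" ] &&
        [ "$samba_realm" = "$(printf '%s' "$samba_realm" | tr 'a-z' 'A-Z')" ]
}

# check_nsswitch FILE: passwd and group must consult winbind or AD users never resolve.
check_nsswitch() {
    n=0
    for db in passwd group; do
        if ! grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$1"; then
            echo "nsswitch.conf: $db does not list winbind"; n=$((n + 1))
        fi
    done
    return $n
}

# check_access_conf FILE: the last real rule must be the default deny "- : ALL : ALL";
# pam_access permits a login that matches no rule, so without it the "+" lines limit nothing.
check_access_conf() {
    last=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | tail -n 1 | tr -d '[:space:]')
    [ "$last" = "-:ALL:ALL" ]
}

# check_sshd_root FILE: succeeds only if PermitRootLogin is no or without-password;
# an absent directive counts as a failure rather than trusting the build's default.
check_sshd_root() {
    v=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | tail -n 1 \
        | awk '{ print tolower($2) }')
    [ "$v" = "no" ] || [ "$v" = "without-password" ]
}

# make_samples DIR: constructed copies modelled on the post's values (no real host).
make_samples() {
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = DOMAIN.LOCAL
   security = ADS
   idmap backend = hash
   template homedir = /home/%U
   invalid users = root
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = DOMAIN.LOCAL
        forwardable = true
        rdns = no
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:         compat winbind
group:          compat winbind
hosts:          files dns
EOF
    cat > "$1/access.conf" <<'EOF'
# constructed: root and one AD group allowed, everyone else denied
+ : root : ALL
+ : ad_group1 : ALL
- : ALL : ALL
EOF
    printf 'Port 22\nPermitRootLogin yes\nUsePAM yes\n' > "$1/sshd_config"
}

# audit DIR: run every check; exit status = number of failed checks.
audit() {
    fails=0
    check_smb_conf "$1/smb.conf" || fails=$((fails + 1))
    check_realms "$1/smb.conf" "$1/krb5.conf" ||
        { echo "krb5.conf/smb.conf: realm mismatch or not upper case"; fails=$((fails + 1)); }
    check_nsswitch "$1/nsswitch.conf" || fails=$((fails + 1))
    check_access_conf "$1/access.conf" ||
        { echo "access.conf: last rule is not '- : ALL : ALL'"; fails=$((fails + 1)); }
    check_sshd_root "$1/sshd_config" ||
        { echo "sshd_config: PermitRootLogin should be no (or without-password)"; fails=$((fails + 1)); }
    return $fails
}

# Stand-alone demo on the constructed samples: only the sshd check is expected to fail.
dir=$(mktemp -d)
make_samples "$dir"
if audit "$dir"; then
    echo "all checks passed"
else
    echo "$? check(s) failed"
fi
rm -rf "$dir"
```

The checks deliberately read the files the way the daemons do: key names are matched from the start of the line so commented-out lines (`#` or `;`) are ignored, the realm comparison is case-sensitive because Kerberos realms are, and access.conf is judged by its last effective rule, which is the one pam_access falls through to.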