[Samba] how to join to AD ?

Jason Gerfen jason.gerfen at scl.utah.edu
Wed Nov 25 07:48:10 MST 2009


mistofeles wrote:
> We have a small Ubuntu 9.10 file server in a large Win 2003/2008 domain. 
> There is no X nor web browser in the server.
> I have rights to join machines to the domain, but I'm not an Administrator.
> There are about 10 users in this server, who want to authenticate with domain
> passwords when they mount their home directories to WindowsXP workstations.
> The ssh passwords should be local and separated from domain passwords.
> The server should not try to play any master roles.
> Just deliver directories to windows.
>
>   
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2560147

ADS server type will allow domain authentication for samba directories
> We have tried this for about a month and gone through many books, web pages
> and forums. 
>   
You will need Samba which provides winbindd, sasl, openldap, kerberos.

Samba should be configured with ads, acl, ldap, kerberos, pam, winbind 
options if you are building from source.

I would configure it with the following options for optimum scalability:
kerberos, acl, caps, cups, ipv6, ldap, pam, python, readline, winbind, 
ads, async, automount, doc, examples, fam, quotas, selinux, swat, syslog.

In gentoo linux the following will give you everything you need:

%> USE="kerberos acl caps cups ipv6 ldap pam python readline winbind ads async automount doc examples fam quotas selinux swat syslog" \
        emerge mit-krb5 pam_krb5 pam_ldap openldap nss_ldap openssl cyrus-sasl ntp samba -va


> After reading Samba documentation we don't even understand what programs we
> need. In some documents we are told to use PAM, LDAP, krb or winbind. In
> some documents you are advised NOT to use this if you are using that. It is
> a total chaos.
>
> Is there any example of a working case like this?
> Is there any script which takes care of the configuration?
>   
Here are a few configuration file examples to get you going:

/etc/krb5.conf

========
[libdefaults]
        default_realm = DOMAIN.COM

[realms]
        # the realm block must match default_realm above
        DOMAIN.COM = {
                kdc = 192.168.xxx.xxx
        }

[domain_realm]
        .domain.com = DOMAIN.COM

[logging]
        default = FILE:/var/log/krb5.log

[appdefaults]
        pam = {
                ticket_lifetime = 365d
                renew_lifetime = 365d
                forwardable = true
                proxiable = false
                retain_after_close = true
                minimum_uid = 0
        }

=========

/etc/nsswitch.conf
=========

passwd:      compat winbind
shadow:      compat
group:       compat winbind

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

==========

/etc/samba/smb.conf
Change anything with DOMAIN.COM to match your own domain
==========

[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        server string = servername.domain.com
        netbios name = servername

        password server = *
        encrypt passwords = true
        security = ads

        lanman auth = no
        ntlm auth = no

        os level = 20

        allow trusted domains = yes
        auth methods = winbind

        interfaces = eth0, lo
        bind interfaces only = yes
        socket options = TCP_NODELAY

        # add more subnets if needed (smb.conf has no inline comments, so keep notes on their own line)
        hosts allow = 192.168.xxx.xxx/24
        hosts deny = 0.0.0.0/0

        log level = 40
        log file = /var/log/samba/log.%m
        max log size = 50

        client signing = yes
        client schannel = no
        client use spnego = yes
        client lanman auth = no
        client NTLMv2 auth = yes
        client plaintext auth = no

        preferred master = no
        local master = no
        domain master = no
        wins proxy = no
        dns proxy = No

        obey pam restrictions = yes

        template shell = /bin/bash
        nt acl support = yes
        inherit permissions = yes
        create mask = 0022
        template homedir = /home/Authenticated Users/%U

        winbind uid = 1000-2000000
        winbind gid = 500-2000000
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind use default domain = yes
        winbind offline logon = true
        winbind nss info = rfc2307

        idmap uid = 1000-2000000
        idmap gid = 500-2000000
        idmap domains = DOMAIN
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:default = yes
        idmap config DOMAIN:schema_mode = rfc2307
        idmap config DOMAIN:range = 1000 - 300000000

[classes]
        comment = Class software
        browsable = yes
        writeable = no
        create mask = 0022
        force create mode = 0022
        directory mask = 0022
        force directory mode = 0022
        inherit permissions = yes
        path = /path/to/share

[staff]
        comment = Staff folders
        browsable = yes
        writeable = yes
        create mask = 0022
        force create mode = 0022
        directory mask = 0022
        force directory mode = 0022
        inherit permissions = yes
        valid users = @DOMAIN+Groupname
        path = /path/to/another/share

===========

/etc/pam.d/system-auth
===========

#%PAM-1.0

auth       required     pam_mount.so
auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_krb5.so use_first_pass
auth       required     pam_deny.so

account    required     pam_unix.so
account    sufficient   pam_krb5.so ignore_root
account    sufficient   pam_winbind.so

password   optional     pam_krb5.so
password   required     pam_mount.so use_authtok
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   required     pam_deny.so

session    required     pam_mkhomedir.so umask=0022 skel=/etc/skel/
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_mount.so use_authtok
session    optional     pam_krb5.so


I hope that helps. Also if you look at the pam configuration above you 
will see some of the best pam modules to install with the Ubuntu package manager.


-- 
Jas
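As an added example, not part of Jason's post and not Samba project code: a POSIX sh audit of the smb.conf [global] settings the configuration above relies on (security = ads, lanman/ntlm auth off, a real hosts allow list with no inline comment swallowed into the value), plus the net/wbinfo commands that verify the join once the files are in place. The function names are my own; the audit runs offline on a constructed file, while the join helper needs a reachable DC and an account allowed to join machines.

```shell
#!/bin/sh
# Added example, not from the original post: audit the [global] section of an
# smb.conf for the settings the post's configuration depends on, then verify
# the domain join. Only the audit is exercised offline; the join helper needs
# a DC. Function names are my own; net/wbinfo/testparm are the real tools.

# smb_global_value FILE KEY: print the lowercased value of KEY from [global].
# smb.conf has no inline comments, so a trailing "#..." stays in the value.
smb_global_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        !insec || /^[ \t]*[#;]/ { next }
        {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print tolower(v); exit }
        }' "$1"
}

# audit_smb_conf FILE: print one line per finding; return 1 if any.
audit_smb_conf() {
    rc=0
    [ "$(smb_global_value "$1" security)" = "ads" ] ||
        { echo "security is not ads: domain (Kerberos) auth will not be used"; rc=1; }
    for k in "lanman auth" "ntlm auth"; do
        case "$(smb_global_value "$1" "$k")" in
            no|false|0) ;;
            *) echo "$k should be explicitly no (legacy hash exposure)"; rc=1 ;;
        esac
    done
    ha=$(smb_global_value "$1" "hosts allow")
    [ -n "$ha" ] || { echo "hosts allow unset: shares reachable from any host"; rc=1; }
    case "$ha" in
        *"#"*) echo "hosts allow contains '#': comment text became part of the ACL"; rc=1 ;;
    esac
    return $rc
}

# ads_join_and_verify ADMINUSER: join the realm from smb.conf and check winbind.
ads_join_and_verify() {
    testparm -s >/dev/null || return 1   # smb.conf parses cleanly
    net ads join -U "$1" || return 1     # account only needs machine-join rights
    net ads testjoin || return 1         # machine account secret accepted by the DC
    wbinfo -t || return 1                # winbindd can use that secret
    getent passwd | grep -q '+'          # nsswitch returns DOMAIN+user entries
}
```

Run `audit_smb_conf /etc/samba/smb.conf` before the join; the `getent` line only lists domain users because the post's smb.conf sets `winbind enum users = yes`.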


