Deletions are marked like this. | Additions are marked like this. |
Line 6: | Line 6: |
Linux Samba Configuration: | '''Linux Samba Configuration''': |
Line 8: | Line 8: |
[[samba]] Debian Samba server connecting to Active directory 1. Installing software The first thing that you need to do is to install the required packages. #aptitude update #aptitude upgrade #aptitude install samba smbclient winbind krb5-doc krb5-user krb5-config Windows server information In this configuration I used the following windows info. Domain name: is414 Fully qualified domain name: is414.com Window domain controller: rkb-server Kerberos setup Open /etc/krb5.conf add the following lines to the krb.conf file. [libdeffaults] default_realm = IS414 [realms] IS414.COM = { kdc – rkb-server.is414.com admin_server – rkb-server.is414.com } [domain_realm] .kerberos.server = IS414.COM After that has been completed do the following: #kinit administrator@IS414.COM Verify that it worked by using the following command: #klist Samba Setup Open the samba configuration file /etc/samba/smb.conf and add the following: [global] security = ADS password server = rkb-server encrypt passwords = yes workgroup = IS414 realm = IS414.COM idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes winbind use default domain = yes winbind separator = + Creating a share in /etc/samba/smb.conf. Replace WindowsShare with any name you want. first create the folder: #mkdir /home/WindowsShare #chmod 777 /home/WindowsShare Add the following in the /etc/samba/smb.conf [WindowsShare] comment = Windows Share path = /home/WindowsShare read only = no create mask = 0775 directory mask = 0775 browsable = yes public = yes writeable = yes force create mode = 0775 force directory mode = 0775 force security mode = 0775 guest ok = no inherit permissions = yes nt acl support = yes Test your configuration with the following command: #testparm -v Now you must restart the samba deamon. # /etc/init.d/samba stop Winbind configuration Stop the winbind deamon. #/etc/init.d/winbind stop edit the couple of lines of the /etc/nsswitch.conf file. 
passwd: compat winbind group: compat winbind Joining the Domain start the samba and winbind deamons #/etc/init.d/samba start #/etc/init.d/winbind start Join the domain with the following command #net ads join -U administrator Test winbind with the following commands #wbinfo -u The wbinfo – u should list the AD users #wbinfo – g The wbinfo – g should list the AD groups All that is left is to test the connection from the server to verify that the share is working. |
http://wiki.debian.org/JohnJacob |
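Review bot: the added link target `http://wiki.debian.org/JohnJacob` gives no hint that the page holds the Samba configuration; a page name that mentions Samba and Active Directory would make the link self-describing. If the walkthrough deleted on the left is being moved there verbatim, correct it during the move: the krb5.conf text has `[libdeffaults]` and `kdc – rkb-server.is414.com` (a dash where `=` belongs), `default_realm = IS414` does not match the `IS414.COM` realm block, the share directory is created with `chmod 777` while the share sets both `public = yes` and `guest ok = no`, and the step described as restarting Samba only runs `/etc/init.d/samba stop`.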
Line 138: | Line 12: |
Linux Client Configuration: | '''''Linux Client Configuration''''': |
Line 140: | Line 14: |
Joining a Debian Client to Active Directory Note: This walkthrough was taken almost entirely from https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto. A few configuration changes in the PAM section and verbiage used are the only differences. Required Software/Packages Name Version MS Server 2003 w/AD and DNS 2003 Standard Linux (Ubuntu 6.10) Winbind 3.0.22-lubuntu4.1 Samba 3.0.22.-lubuntu4.1 Krb5-user 1.4.3-9ubuntu1.2 Libpam-krb5 2.4-1 Time settings Kerberos requires that the device time be within a few minutes of the server time. Utilize NTP-Server to confirm time synchronization. Location: /etc/default/ntpdate #servers to check NTPSERVERS= “example.test.server.com” #additional options for ntpdate NTPOPTIONS= “-u” root@linux:~# /etc/init.d/ntpdate restart *Synchronizing clock to example.test.server.com… [ok] FQDN A valid FQDN is necessary for Kerberos and AD. Edit the local host file so that it is resolvable. Location: /etc/hosts 127.0.0.1 linux.test.server.com localhost linux Configure Kerberos Use apt-get install to install the following packages: krb5-user (Universe repository) libpam-krb5 krb5-conifg libkrb53 libkadm55 krb5 template Location: /etc/krb5.conf [logging] Default = FILE:/var/log/krb5.log [libdefaults] ticket_lifetime = 24000 clock-skew = 300 default_realm = test.server.com # dns_lookup_realm = false # dns_lookup_kdc = true [realms] test.example.com = { kdc = example.test.server.com:88 admin_server = example.test.server.com:464 default_domain = test.server.com } [domain_realm] .server.com = test.server.com server.com = test.server.com Test your configuration by requesting a ticket root@linux:~# kinit Administrator@test.server.com Password for Administrator@test.server.com : **** Use klist to verify request worked root@linux:~# klist Ticket cache: File: /tmp/krb5cc_0 Default principal: Administrator@test.server.com Valid starting Expires Service principal 05/16/07 10:30:42 05/16/07 20:30:01 Krbtgt/test.server.com@test.server.com renew until 
05/16/07 10:30:42 Join the Domain Use apt-get install to install the following packages: winbind samba Join Location: /etc/samba/smb.conf [global] security = ads realm = test.server.com password server = 10.0.0.1 workgroup = test # winbind separator = + idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes template homedir = /home/%D/%U template shell = /bin/bash client use sponego = yes client ntlmv2 auth = yes encrypt passwords = yes winbind use default domain = yes restrict anonymous = 2 domain master = no local master = no preferred master = no os level = 0 Restart services root@linux:~# /etc/init.d/winbind stop root@linux:~# /etc/init.d/samba restart root@linux:~# /etc/init.d/winbind start Request Kerberos TGT for an account root@linux:~# n et ads join Using short domain name – test Joined ‘Linux’ to realm ‘test.server.com’ Test # wbinfo – u Setup Authentication nsswitch Location: /etc/nsswitch.conf passwd: compat winbind group: compat winbind shadow: compat Test root@linux:~# getent passwd root:x:0:0:root:/root:/bin/bash . . . test+administrator:x:10000:10000:Administrator:/home/test/administrator:/bin/b… test+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash . . . root@linux:~#: getent group root:x:0: daemon:x:1: bin:x:2: . . . test+organizations-admins:x:10005:administrator test+domain-admins:x:10006: user, administrator . . . 
PAM Location: /etc/pam.d/common-account account sufficient pam_winbind.so account required pam_unix.so Location: /etc/pam.d/common-auth auth sufficient pam_winbind.so auth sufficient pam_unix.so nullok_secure use_first_pass auth required pam_deny.so Location: /etc/pam.d/common-session session required pam_unix.so session required pam_mkhomedir.so umask=0022 skel=/etc/skel Location: /etc/pam.d/sudo Auth sufficient pam_winbind.so Auth sufficient pam_unix.so use_first_pass Auth required pam_deny.so @include common-account Final Config Each domain needs a directory in home root@linux:~# mkdir /home/test Login login: test+user password: **** . . . test+user@linux:~$ |
http://wiki.debian.org/Authinticating_Linx_With_Active_Directory |
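Review bot: the added link `http://wiki.debian.org/Authinticating_Linx_With_Active_Directory` misspells both "Authenticating" and "Linux" in the page name, and its label uses `'''''...'''''` where the Samba label in the previous hunk uses `'''...'''`; rename the page and use one emphasis style for both labels. The client walkthrough removed on the left also needs fixes wherever it now lives: `client use sponego` and `krb5-conifg` are misspelled, `clock-skew` is not the krb5.conf spelling `clockskew`, the `[realms]` block is named `test.example.com` while `default_realm` is `test.server.com`, the join command reads `n et ads join`, and `nullok_secure` on `pam_unix.so` in common-auth deserves a second look on a domain-joined host.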
Authenticating Debian & Samba to Active Directory
- This walkthrough gives instructions for configuring Linux servers and clients to authenticate to Active Directory. The purpose is to join a Linux Samba server and a Linux client to an existing AD structure. Samba connects seamlessly for Windows and Linux users alike. The walkthrough is broken into two sections, available via the links below.
Linux Samba Configuration:
http://wiki.debian.org/JohnJacob
Linux Client Configuration:
http://wiki.debian.org/Authinticating_Linx_With_Active_Directory