Authenticating Debian & Samba to Active Directory (!)

Linux Samba Configuration:

Debian Samba server connecting to Active Directory

1. Installing software

The first thing that you need to do is to install the required packages.

Windows server information

In this configuration I used the following Windows information:

Domain name: is414
Fully qualified domain name: is414.com
Windows domain controller: rkb-server

Kerberos setup

Open /etc/krb5.conf

Add the following lines to the krb5.conf file.

After that has been completed do the following:

Verify that it worked by using the following command:

Samba Setup

Open the samba configuration file /etc/samba/smb.conf and add the following:

Creating a share in /etc/samba/smb.conf. Replace WindowsShare with any name you want. First create the folder:

Add the following in the /etc/samba/smb.conf

Test your configuration with the following command:

Now you must restart the Samba daemon.

Winbind configuration

Stop the winbind daemon.

Edit the following lines in the /etc/nsswitch.conf file.

Joining the Domain

Start the Samba and winbind daemons.

Join the domain with the following command:

Test winbind with the following commands:

wbinfo -u should list the AD users.

wbinfo -g should list the AD groups.

All that is left is to test the connection from the server to verify that the share is working.

Linux Client Configuration:

Joining a Debian Client to Active Directory

Note: This walkthrough was taken almost entirely from https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto. A few configuration changes in the PAM section and verbiage used are the only differences.

Required Software/Packages

Name                          Version
MS Server 2003 w/AD and DNS   2003 Standard
Linux                         Ubuntu 6.10
Winbind                       3.0.22-lubuntu4.1
Samba                         3.0.22-lubuntu4.1
Krb5-user                     1.4.3-9ubuntu1.2
Libpam-krb5                   2.4-1

Time settings

Kerberos requires that the client's clock be within a few minutes of the server's. Use an NTP server to keep the time synchronized.

Location: /etc/default/ntpdate

# servers to check
NTPSERVERS="example.test.server.com"
# additional options for ntpdate
NTPOPTIONS="-u"

root@linux:~# /etc/init.d/ntpdate restart
 * Synchronizing clock to example.test.server.com... [ok]

FQDN

A valid FQDN is necessary for Kerberos and AD. Edit the local hosts file so that the name resolves.

Location: /etc/hosts

127.0.0.1 linux.test.server.com localhost linux

Configure Kerberos

Use apt-get install to install the following packages:

krb5 template
Location: /etc/krb5.conf

[logging]

[libdefaults]

# dns_lookup_realm = false
# dns_lookup_kdc = true

[realms]

}

[domain_realm]

Test your configuration by requesting a ticket:

root@linux:~# kinit Administrator@test.server.com
Password for Administrator@test.server.com: ****

Use klist to verify the request worked:

root@linux:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@test.server.com

Valid starting     Expires            Service principal
05/16/07 10:30:42  05/16/07 20:30:01  krbtgt/test.server.com@test.server.com

Join the Domain

Use apt-get install to install the following packages:

Join
Location: /etc/samba/smb.conf

[global]

# winbind separator = +

Restart services:

root@linux:~# /etc/init.d/winbind stop
root@linux:~# /etc/init.d/samba restart
root@linux:~# /etc/init.d/winbind start

Request a Kerberos TGT for an account and join:

root@linux:~# net ads join
Using short domain name -- test
Joined 'Linux' to realm 'test.server.com'

Test:

# wbinfo -u

Setup Authentication

nsswitch
Location: /etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat

Test:

root@linux:~# getent passwd
root:x:0:0:root:/root:/bin/bash
. . .
test+administrator:x:10000:10000:Administrator:/home/test/administrator:/bin/b…
test+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
. . .

root@linux:~# getent group
root:x:0:
daemon:x:1:
bin:x:2:
. . .
test+organizations-admins:x:10005:administrator
test+domain-admins:x:10006:user,administrator
. . .

PAM

Location: /etc/pam.d/common-account

account sufficient pam_winbind.so
account required pam_unix.so

Location: /etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so

Location: /etc/pam.d/common-session

session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Location: /etc/pam.d/sudo

auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so

@include common-account
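As an added check that is not part of the original walkthrough or the Ubuntu how-to it draws on, this Python linter parses copies of the nsswitch.conf and common-auth fragments above (constructed inline, not read from the live files) and confirms the properties the login path depends on: passwd and group consult winbind, the auth stack ends with an explicit pam_deny terminator, and pam_unix reuses the password pam_winbind already read (use_first_pass) instead of prompting a second time.

```python
# Constructed copies of the fragments shown above (not read from the live files).
NSSWITCH = """\
passwd: compat winbind
group: compat winbind
shadow: compat
"""
COMMON_AUTH = """\
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
"""

def parse_pam(text):
    """Return (type, control, module, args) tuples; comments and @include skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        parts = line.split()
        if len(parts) >= 3:
            rules.append((parts[0].lower(), parts[1].lower(), parts[2], parts[3:]))
    return rules

def check_auth_stack(text):
    """Flag a missing pam_deny terminator or a pam_unix rule that would re-prompt."""
    findings = []
    auth = [r for r in parse_pam(text) if r[0] == "auth"]
    if not auth:
        return ["no auth rules found"]
    if auth[-1][1:3] != ("required", "pam_deny.so"):
        findings.append("auth stack does not end with 'required pam_deny.so'")
    after_sufficient = False
    for _, control, module, args in auth:
        if after_sufficient and module == "pam_unix.so" and "use_first_pass" not in args:
            findings.append("pam_unix.so after a sufficient module lacks use_first_pass")
        after_sufficient = after_sufficient or control == "sufficient"
    return findings

def check_nsswitch(text):
    """Flag passwd or group databases that do not consult winbind."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            name, srcs = line.split(":", 1)
            sources[name.strip()] = srcs.split()
    return [f"{db}: winbind missing, domain accounts will not resolve"
            for db in ("passwd", "group") if "winbind" not in sources.get(db, [])]
```

An empty list from both functions means the fragments match the walkthrough; any finding names the line to fix.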

Final Config

Each domain needs a directory in /home:

root@linux:~# mkdir /home/test

Login:

login: test+user
password: ****
. . .
test+user@linux:~$