mostly the Samba.org topics... Jura's blog...

Wednesday Apr 16, 2008

I was playing with the Samba configuration to find out how few of the setup steps really need to be done to start Samba as a domain member server in an Active Directory domain. I was motivated by the users sending me support requests about their configurations that are not working, where I want to show that this task is really simple (if there are no "space research" expectations :-) ).

The following steps are enough for Samba to join the AD domain named SMBSETUP successfully:

  • The box running Samba should be properly added into DNS, so /etc/resolv.conf should be created, /etc/inet/hosts should contain the FQDN, and "dns" should be added as one of the sources of the "hosts" and "ipnodes" tables in /etc/nsswitch.conf.
  • /etc/krb5/krb5.conf should be edited to point at the realm and KDC, so it should contain at least the following items:
    [libdefaults]
     default_realm = SMBSETUP.CZECH.SUN.COM
     default_keytab_name = FILE:/etc/krb5.keytab
    
    [realms]
     SMBSETUP.CZECH.SUN.COM = {
      kdc = adsdc.smbsetup.czech.sun.com
      admin_server = adsdc.smbsetup.czech.sun.com
     }
     MOUREK.CZECH.SUN.COM = {
      kdc = sunprg6.mourek.czech.sun.com
      admin_server = sunprg6.mourek.czech.sun.com
     }
    
    [domain_realm]
     smbsetup.czech.sun.com = SMBSETUP.CZECH.SUN.COM
     mourek.czech.sun.com = MOUREK.CZECH.SUN.COM
    
       

...then on the W2K3 side the following should be done:
  • create a user having the same login as the hostname of the Samba box and assign a password to it
  • running ktpass from the "Windows Support Tools", create the key (derived from the user's password) for the Samba box

...then continue on the Samba box again:
  • transfer this key to the Samba box in a secure way
  • install the key from the file into /etc/krb5/krb5.keytab using ktutil
  • ensure the "samba", "winbind", "wins" and "swat" services are disabled and none of the "smbd", "winbindd" or "nmbd" daemons is running
  • ensure all Samba private data from previous attempts in /etc/sfw/private and /var/samba/locks/* is cleaned out, or save the old "idmap" info if you need to continue with the previous Samba setup where the tdb backend of idmap was used to store the idmap mappings
  • create /etc/sfw/smb.conf properly. This step depends on the configuration used. Simple examples are below.
  • join the AD domain using the command:
     /usr/sfw/sbin/net ads join -U 'Administrator%passwd'

  • enable the "winbind" service
     svcadm enable winbind

  • test whether the domain users are known, using the /usr/sfw/bin/wbinfo utility:
     /usr/sfw/bin/wbinfo -u

  • enable the "samba" and "wins" services
     svcadm enable wins samba
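Before running net ads join, the first two steps of the procedure above (the "dns" source in /etc/nsswitch.conf and the realm/KDC entries in /etc/krb5/krb5.conf) can be checked mechanically. The following Python is an added example, not part of the original post and not Samba or Solaris code: the file contents are constructed excerpts in the layout shown above, and parse_nsswitch, check_nsswitch, parse_krb5 and check_krb5 are hypothetical helper names.

```python
"""Pre-flight checks for the name-service and Kerberos settings the AD join
relies on. Added example; file contents below are constructed."""
import re

# Constructed /etc/nsswitch.conf excerpt (Solaris syntax): "dns" is missing
# from the "ipnodes" table, one of the omissions the post warns about.
NSSWITCH_BAD = """\
passwd:     files
group:      files
hosts:      files dns
ipnodes:    files
"""

NSSWITCH_OK = """\
passwd:     files winbind
group:      files winbind
hosts:      files dns
ipnodes:    files dns
"""

# Constructed /etc/krb5/krb5.conf in the layout used in the post.
KRB5_OK = """\
[libdefaults]
 default_realm = SMBSETUP.CZECH.SUN.COM
 default_keytab_name = FILE:/etc/krb5.keytab

[realms]
 SMBSETUP.CZECH.SUN.COM = {
  kdc = adsdc.smbsetup.czech.sun.com
  admin_server = adsdc.smbsetup.czech.sun.com
 }

[domain_realm]
 smbsetup.czech.sun.com = SMBSETUP.CZECH.SUN.COM
"""


def parse_nsswitch(text):
    """Return {table: [source, ...]} for a Solaris-style nsswitch.conf."""
    tables = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        # Drop status/action clauses such as "[NOTFOUND=return]".
        sources = re.sub(r"\[[^\]]*\]", " ", sources)
        tables[name.strip()] = sources.split()
    return tables


def check_nsswitch(text, required=None):
    """List the lookup tables that lack the required source.
    Default: "dns" must be a source of both "hosts" and "ipnodes"."""
    required = required or {"hosts": "dns", "ipnodes": "dns"}
    parsed = parse_nsswitch(text)
    return [t for t, src in required.items() if src not in parsed.get(t, [])]


def parse_krb5(text):
    """Minimal krb5.conf parser: {section: {key: value-or-dict}}.
    Handles the one level of "REALM = { ... }" nesting used in [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif section is None:
            continue
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = conf[section].setdefault(key, {})
            elif block is not None:
                block[key] = value
            else:
                conf[section][key] = value
    return conf


def check_krb5(text):
    """Return problems found: no default_realm, no kdc for that realm,
    or no [domain_realm] entry that maps onto it."""
    conf = parse_krb5(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["libdefaults: default_realm missing"]
    problems = []
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        problems.append("realms: no kdc for %s" % realm)
    if realm not in conf.get("domain_realm", {}).values():
        problems.append("domain_realm: nothing maps to %s" % realm)
    return problems


if __name__ == "__main__":
    print("nsswitch (bad):", check_nsswitch(NSSWITCH_BAD))   # ['ipnodes']
    print("nsswitch (ok): ", check_nsswitch(NSSWITCH_OK))    # []
    print("krb5 (ok):     ", check_krb5(KRB5_OK))            # []
```

On a real box, read the two files into `text` instead of the constructed strings; the `required` mapping of check_nsswitch can be extended, for instance to demand "winbind" in the "passwd" and "group" tables once winbind is in use.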
       

smb.conf configuring the idmap backend that uses the RID (part of the SID) to map SIDs to POSIX uid/gid.
This simple idmap backend ensures the mapping will be the same on several Samba servers running in the same domain on the network, so it can be used for clustering of Samba services where a shared volume is served by several Samba servers, for instance using NFSv4 or SAM-QFS.
The second Windows domain MOUREK is also configured in this example. There should also be an interdomain (cross-realm) trust set up between the SMBSETUP and MOUREK domains on the DCs, and both realms should be configured in /etc/krb5/krb5.conf.
The [public] share in this configuration shares a ZFS volume, so the appropriate VFS module should be set to handle the ACLs correctly.

[global]
   security = ads
   auth methods = winbind guest sam
   realm = SMBSETUP.CZECH.SUN.COM
   workgroup = SMBSETUP
   use kerberos keytab = true
   winbind refresh tickets = true
   server string = Samba 3.0.28 ADS

# winbind configuration: 

#  winbind separator is default set to '\' - so it is fine

   winbind normalize names = no
   winbind use default domain = no
   winbind enum users = no
   winbind enum groups = no
   winbind nss info = template
   template homedir = /samba/home/%D/%U
   template shell = /bin/true

   idmap domains = SMBSETUP MOUREK

   idmap config SMBSETUP:backend = rid
   idmap config SMBSETUP:base_rid  = 500
   idmap config SMBSETUP:range = 10000 - 29999

   idmap config MOUREK:backend = rid
   idmap config MOUREK:base_rid  = 500
   idmap config MOUREK:range = 30000 - 49999

   invalid users = root bin daemon lp sys tty

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/samba/log/log.%m
   log level = 3 printdrivers: 0 lanman: 0 smb: 1 rpc_parse: 0 rpc_srv: 0 rpc_cli: 0 passdb: 1 sam: 0 auth: 5 \
   winbind: 5 vfs: 0 idmap: 0 quota: 0 acls: 0 locking: 0 msdfs: 0 dmapi: 0
# Put a capping on the size of the log files (in Kb).
   max log size = 1024

# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
;   socket options = TCP_NODELAY 


#============================ Share Definitions ==============================

;[homes]
;   path = /samba/home/%D/%U
;   read only = no

[printers]
  printable = no

[public]
   path = /samba/public
   comment = Public data directory
   read only = no
   browseable = yes
   dos filemode = yes
   inherit permissions = Yes
   inherit acls = Yes
   ea support = yes
   map acl inherit = yes
   store dos attributes = yes
   vfs objects = zfsacl
   nfs4: mode = simple
   nfs4: acedup = merge
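Why the rid backend gives the same ids on every node: the mapping is pure arithmetic over the configured base_rid and range (the idmap_rid manual page gives it as ID = RID - BASE_RID + LOW_RANGE_ID) with no local state, unlike the tdb backend described further below, which allocates ids on demand. The following Python is an added example and not Samba's own code: it parses the idmap lines of the configuration above, checks that the ranges of the two domains do not overlap (overlapping ranges would give two different SIDs the same uid), and maps SIDs to uids and back. The domain SIDs are constructed placeholders and all function names are hypothetical.

```python
"""Worked example of the rid idmap arithmetic for the two-domain smb.conf
above. Added example, not Samba code; domain SIDs below are constructed."""
import re

# Constructed excerpt of the smb.conf above (same values).
SMB_CONF = """\
   idmap domains = SMBSETUP MOUREK

   idmap config SMBSETUP:backend = rid
   idmap config SMBSETUP:base_rid  = 500
   idmap config SMBSETUP:range = 10000 - 29999

   idmap config MOUREK:backend = rid
   idmap config MOUREK:base_rid  = 500
   idmap config MOUREK:range = 30000 - 49999
"""

# Constructed domain SIDs (placeholders, not real domains).
DOMAIN_SIDS = {
    "SMBSETUP": "S-1-5-21-1111111111-2222222222-3333333333",
    "MOUREK":   "S-1-5-21-4444444444-5555555555-6666666666",
}

IDMAP_RE = re.compile(r"^\s*idmap config (\w+):(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap(text):
    """Return {domain: {"backend": ..., "base_rid": int, "low": int, "high": int}}.
    base_rid defaults to 0 when not configured."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, value = m.groups()
        cfg = domains.setdefault(dom, {"base_rid": 0})
        if key == "range":
            cfg["low"], cfg["high"] = (int(x) for x in value.split("-"))
        elif key == "base_rid":
            cfg["base_rid"] = int(value)
        else:
            cfg[key] = value
    return domains


def check_ranges(domains):
    """Configuration check: every domain has a range and no two ranges
    overlap, since an overlap would map two different SIDs onto one uid."""
    problems = []
    items = sorted(domains.items(), key=lambda kv: kv[1].get("low", -1))
    for dom, cfg in items:
        if "low" not in cfg:
            problems.append("%s: no range configured" % dom)
    for (d1, c1), (d2, c2) in zip(items, items[1:]):
        if "high" in c1 and "low" in c2 and c1["high"] >= c2["low"]:
            problems.append("ranges of %s and %s overlap" % (d1, d2))
    return problems


def sid_to_uid(sid, domains, domain_sids):
    """Map a user/group SID to a POSIX id; None when the RID falls outside
    the configured range or the domain has no rid idmap config."""
    domain_sid, _, rid = sid.rpartition("-")
    rid = int(rid)
    for dom, dsid in domain_sids.items():
        if dsid == domain_sid and domains.get(dom, {}).get("backend") == "rid":
            cfg = domains[dom]
            uid = rid - cfg["base_rid"] + cfg["low"]
            return uid if cfg["low"] <= uid <= cfg["high"] else None
    return None


def uid_to_sid(uid, domains, domain_sids):
    """Reverse mapping: the domain whose range contains uid owns it."""
    for dom, cfg in domains.items():
        if cfg.get("backend") == "rid" and cfg["low"] <= uid <= cfg["high"]:
            return "%s-%d" % (domain_sids[dom], uid - cfg["low"] + cfg["base_rid"])
    return None


if __name__ == "__main__":
    domains = parse_idmap(SMB_CONF)
    print(check_ranges(domains))                                          # []
    # RID 1105 in SMBSETUP: 1105 - 500 + 10000 = 10605, identical on every node.
    print(sid_to_uid(DOMAIN_SIDS["SMBSETUP"] + "-1105", domains, DOMAIN_SIDS))
    print(uid_to_sid(30605, domains, DOMAIN_SIDS))          # MOUREK SID, RID 1105
```

A RID below base_rid, or one that lands above the top of the range, maps to nothing; that is the situation in which winbind reports such a SID as unmapped, so the range has to be sized for the largest RID the domain will ever hand out.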

   

The idmap part of the Samba configuration altered for using SFU (MS Services for UNIX) ...this requires a Windows 2003 R2 server, where the POSIX identities can be set directly as attributes of the user.
 ...
#  winbind configuration: 

   winbind nested groups = yes
;  winbind normalize names = yes
;  winbind use default domain = yes
;  winbind enum users = yes
;  winbind enum groups = yes
   winbind nss info = sfu

   idmap domains = SMBSETUP

   idmap config SMBSETUP:backend = ad
   idmap config SMBSETUP:default = yes
   idmap config SMBSETUP:range = 500 - 100000
   idmap config SMBSETUP:schema_mode = sfu
 ...
   

The tdb backend uses tdb's (trivial databases) to store the idmap mappings. These are stored locally, so with this backend the mappings are not guaranteed to be consistent on two different Samba nodes, because winbind does the mapping on demand. Also, losing the local tdb's makes the ACL info on the shares outdated and unusable. This backend was the default (and the only possible one) in pre-3.0.25 releases of Samba.
 ...
# winbind configuration: 

;  winbind enum users = yes
   template homedir = /samba/pchome/%D/%U

   idmap domains = SMBSETUP
   idmap config SMBSETUP:default = yes
   idmap config SMBSETUP:backend = tdb
   idmap config SMBSETUP:range = 10000-20000

   idmap alloc backend = tdb
   idmap alloc config:range = 10000-20000
 ...
   
Comments:

hi jiri,
I was able to configure the AD users to authenticate through samba, with one little problem.
It seems that the AD user should also exist in the local /etc/passwd;
then it authenticates using the AD password.

let me know if there is something I'm missing here.

Posted by Pankaj Gautam on October 23, 2008 at 10:53 PM CEST #

@Pankaj

You need to add winbind to nsswitch.conf so you don't have to add users to /etc/passwd (unless you are using something like SFU and ldap in nsswitch.conf). E.g.

/etc/nsswitch.conf:
passwd: files winbind
group: files winbind

Posted by Brian King on February 11, 2009 at 02:50 AM CET #
