Binding a Samba Server to Your AD Domain

Ok, this is not a simple or well documented process so I'll post here what I did. I'm using Ubuntu Feisty Fawn (7.04). I'm also using a Windows 2003 AD Domain running in native mode. I had such a hard time getting this to work properly and I'm hoping that this will save someone hours and hours of hair pulling. Now, I've compiled this using, as best I can recall, the steps that worked and leaving out the steps that didn't. If I've overlooked something, and that is entirely possible, please feel free to leave a comment and let me know.

Anything shown as a command or configuration is what you will type in. Most of it you can copy and paste with a little editing. Keep in mind that you will need to read the config files to find out where you need to insert host names, IP addresses, etc. I'll try to mark those things as placeholders in capitals or in parentheses.

  1. Download ISO and install Ubuntu (ok, some people need the obvious stated for them)
    1. Now I’m going to do something dangerous and assume that you know how to click your way through the Ubuntu install.  If not, there are about a zillion tutorials out there to explain this. Learn to use Google.  It is your friend.
  2. sudo su to become the real root user
  3. edit /etc/apt/sources.list – make sure that you include universe and multiverse by un-commenting those lines.
    1. I’m going to assume again that you know how to edit a text file on a linux box.  If not, there are about a zillion tutorials out there to explain this.  Learn to use Google.  It is your friend.
  4. aptitude dist-upgrade – you will want to have your system fully upgraded before we get started.
  5. aptitude install krb5-clients krb5-user krb5-config libkrb53 ntpdate – this will install everything you need for Kerberos, which is your first prerequisite to getting your new server talking to everything else.
  6. You will need to configure kerberos now that it’s installed.  I’ll paste in a sample config that should get you working once you put the right values into it.  NOTE:  I’ve noted which values need to be NETBIOS names and which need to be DNS names because in a Windows AD Domain these do NOT have to be the same. 
  7. [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5libs.log
    admin_server = FILE:/var/log/kadmin.log

    [libdefaults]
    # Kerberos realm names are case-sensitive; an AD realm is the DNS domain name in UPPER CASE
    default_realm = DNS DOMAIN NAME OF WINDOWS DOMAIN
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    permitted_enctypes = des-cbc-crc des-cbc-md5

    [realms]
    DNS DOMAIN NAME OF WINDOWS DOMAIN = {
    default_domain = DNS DOMAIN NAME OF WINDOWS DOMAIN
    kdc = DNS NAME OF DOMAIN CONTROLLER OR KERBEROS TICKETING SERVER#1
    kdc = DNS NAME OF DOMAIN CONTROLLER OR KERBEROS TICKETING SERVER#2
    kdc = DNS NAME OF DOMAIN CONTROLLER OR KERBEROS TICKETING SERVER#3
    }

    NETBIOS NAME OF DOMAIN = {
    default_domain = NETBIOS NAME OF DOMAIN
    kdc = DNS NAME OF DOMAIN CONTROLLER OR KERBEROS TICKETING SERVER#1
    kdc = DNS NAME OF DOMAIN CONTROLLER OR KERBEROS TICKETING SERVER#2
    kdc = DNS NAME OF DOMAIN CONTROLLER OR KERBEROS TICKETING SERVER#3
    }

    [domain_realm]
    # Note the leading dot on each line. It is intentional!!!
    .ALTERNATE DNS OF DOMAIN NAME = DNS DOMAIN NAME OF WINDOWS DOMAIN
    .DNS DOMAIN NAME OF WINDOWS DOMAIN = DNS DOMAIN NAME OF WINDOWS DOMAIN

  8. Now you can reboot and start getting your server into shape
  9. Log back in and become root (sudo su)
  10. First order of business – sync the clocks: ntpdate (insert name of domain controller or kerberos ticket server here)
    1. This will sync your time and save you all kinds of headaches
  11. Now we'll make the time sync permanent: cd /etc/cron.hourly
  12. Create a file and call it what you will.  I prefer to call my files Steve, but you may have another preference.  Many system administrators prefer to use something more descriptive and less friendly than Steve.  They’d use something like ntpdate, which is perfectly acceptable, if more boring than Steve.
    1. Again, I’m going to assume that you know how or can figure out how to edit a text file. 
    2. Paste the following into your new file
    3. #!/bin/bash
       ntpdate (name of kerberos ticketing server here)

    4. Save your file and you're done. This will keep you synced up so that you don't get a lot of annoying timing errors, which is a major headache with kerberos.
    5. Make sure you chmod 755 (your file name here)
  13. kinit (domainadmin acct)
    1. It will ask you for the password of  the domain admin account you supplied above.
    2. If all goes well, you will not see any error messages.
    3. If you see error messages, Google is your friend.  Please do not write me.  I am not a Kerberos expert. 
  14. aptitude install samba samba-common samba-doc smbfs smbclient libcrypt-smbhash-perl libpam-smbpass smbldap-tools libsmbclient libsmbclient-dev python-samba
    1. This will install all of the nifty Samba stuff that you need to get your server talking to your windows boxes
  15. Once that finishes we need to configure samba.  To that end, we will create a script.  I’ll call mine Mike but you might want to call yours something else. 
    1. cd /etc/samba
    2. Create a new text file
    3. Put this in your text file
      1. #!/bin/bash
         testparm -s smb.conf.master > smb.conf
    4. Save your file and chmod 755 (file name)
    5. This will create your real smb.conf from the nicely commented one we're about to create. Since file size and any typos can cause you serious problems, this is a really good idea. You will have a day where you hate yourself if you skip this step.
  16. cp smb.conf smb.conf.master
  17. First we're going to do a bit of magic with groups. We'll need a Unix group that our users can belong to so that they'll have rights to their files. Unfortunately, the domain authentication will just override their Unix user group and give them a domain user group. You may have to experiment a bit to see what this is, but on our domain it's "domain users". We'll get more into this later so for now, just trust me.
    1. groupadd mynewusergroup 
    2. cd /etc
    3. Edit the group file
    4. Scroll down until you find mynewusergroup
    5. It should look like mynewusergroup:x:(a number):
    6. After the last colon start adding your users so that it looks like mynewusergroup:x:(a number):usera,userb,userc,userd
    7. When you’re done adding your users, save the file. 
    8. Be sure you keep a note of what the group name is since you’ll need it later.
  18. Now we go edit the smb.conf. 
    1. cd /etc/samba
    2. Edit smb.conf.master
      1. [global]
         #Domain Options
         workgroup = NETBIOS NAME OF DOMAIN
         realm = DNS NAME OF DOMAIN
         #Networking Interfaces
         interfaces = eth0 lo
         bind interfaces only = Yes
         #NetBIOS Stuff
         server string = netbios name of samba server
         preferred master = no
         local master = no
         domain master = no
         os level = 33
         wins server = IP.Address.of.WINS.Server
         #Security Options
         security = DOMAIN
         encrypt passwords = yes
         password server = *
         #Logging Options
         log level = 10
         log file = /var/log/samba/%m
         max log size = 50
         #User Options
         template shell = /bin/bash
         template homedir = /home/%D/%U
         #Winbind Options
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind cache time = 10
         winbind use default domain = Yes
         #Misc Options
         idmap uid = 10000-20000
         idmap gid = 10000-20000
         #Global Printing Options
         printcap name = cups
         printcap cache time = 750
         disable spoolss = yes
         show add printer wizard = no

         [printers]
         comment = All Printers
         path = /tmp
         guest ok = Yes
         min print space = 2000
         printable = Yes
         printing = cups
         cups options = raw
         print command =
         lpq command = %p
         lprm command =
         browseable = No

         [home]
         comment = Home Directories
         path = /home/%D/%U
         valid users = NETBIOS NAME OF DOMAIN\%U
         force group = mynewusergroup
         read only = No
         create mask = 775

         [temp]
         path = /tmp
         valid users = NETBIOS NAME OF DOMAIN\%U
         read only = No
         browseable = No
      2. Now run your script from earlier (Mike not Steve).  This will produce what should be a working smb.conf.
      3. cd /etc/init.d/
      4. ./samba start
      5. ./winbind start
  19. Now the fun begins and we start binding this beast to the domain.  First we set up authentication via PAM.
    1. cd /etc/pam.d
    2. mkdir oldpamfiles
    3. cp * oldpamfiles/
    4. make sure that /etc/pam.d/samba looks like this
      1. @include common-auth
        @include common-account
        @include common-session
    5. If that  looks ok, then we need to start editing files
      1. Edit common-account
        1. Comment out the pam_unix.so line
        2. Add account required pam_winbind.so
        3. Save the file
      2. Edit the common-auth so it says (and yes, the order counts)
        1. auth sufficient pam_winbind.so
          auth required pam_unix.so nullok_secure
        2. Save the file
      3. Edit the common-session so it says
        1. session required pam_unix.so
           session required pam_mkhomedir.so umask=022 skel=/etc/skel
           session optional pam_foreground.so
        2. Save the file
      4. Now cd /etc
        1. Edit the nsswitch.conf
        2. Find the line about passwd:
        3. Change it to read passwd: compat winbind
        4. Find group and change it to group: compat winbind
        5. Find hosts and change it to hosts: files dns winbind
        6. Save the file
  20. Now we attempt to bind the domain
    1. net ads join -U (domain admin account)
    2. You should see something that says the machine was joined successfully to the domain
    3. type in wbinfo -u and you should see a list of your domain users
    4. type in wbinfo -g and you should see a list of your domain groups
    5. net groupmap add ntgroup="domain users" unixgroup=mynewusergroup type=d
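Step 19 says the order of the two common-auth lines counts but does not say why. The toy evaluator below is an added example (not part of the original post and not Linux-PAM itself): it models only the "required" and "sufficient" control flags, with two stand-in modules and constructed accounts, and runs a domain user and local root through the tutorial's order and through the swapped order.

```python
# Toy model of the two common-auth lines from step 19 (added example, not from
# the original post).  It implements only the "required" and "sufficient"
# control flags of Linux-PAM, enough to show why the order of the lines matters.
# The account tables and passwords below are constructed sample data.

DOMAIN_ACCOUNTS = {"alice": "Wonderland1"}   # what pam_winbind would check against the domain
LOCAL_ACCOUNTS = {"root": "local-only"}      # what pam_unix would check against /etc/shadow


def pam_winbind(user, password):
    """Stand-in for pam_winbind.so: knows only domain accounts."""
    return DOMAIN_ACCOUNTS.get(user) == password


def pam_unix(user, password):
    """Stand-in for pam_unix.so: knows only local accounts."""
    return LOCAL_ACCOUNTS.get(user) == password


# Order used in the tutorial's common-auth.
TUTORIAL_STACK = [("sufficient", pam_winbind), ("required", pam_unix)]
# The same two lines swapped.
REVERSED_STACK = [("required", pam_unix), ("sufficient", pam_winbind)]


def run_stack(stack, user, password):
    """Walk the stack top to bottom the way Linux-PAM does for these two flags."""
    required_failed = False
    required_passed = False
    for control, module in stack:
        ok = module(user, password)
        if control == "required":
            # A failed required module does not stop the walk, but the final
            # answer is already "denied"; a later sufficient cannot rescue it.
            if ok:
                required_passed = True
            else:
                required_failed = True
        elif control == "sufficient":
            # A successful sufficient module ends the stack with success,
            # unless a required module above it has already failed.
            if ok and not required_failed:
                return True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    # End of stack: success only if some required module passed and none failed.
    return required_passed and not required_failed


def outcomes(stack):
    """Which of the constructed accounts can log in through the given stack."""
    return {
        "domain user, right password": run_stack(stack, "alice", "Wonderland1"),
        "domain user, wrong password": run_stack(stack, "alice", "nope"),
        "local root, right password": run_stack(stack, "root", "local-only"),
    }


if __name__ == "__main__":
    for name, stack in (("tutorial order", TUTORIAL_STACK), ("reversed order", REVERSED_STACK)):
        print(name, outcomes(stack))
```

With the tutorial's order, a domain user is accepted by the sufficient pam_winbind line and never reaches pam_unix, while local root falls through the failed winbind check to the required pam_unix line. With the lines swapped, pam_unix fails first for every domain account and, as a required module, that failure cannot be undone by the later sufficient winbind success, so every domain user is locked out. Real Linux-PAM has more control flags and keeps walking the stack after a required failure partly so a caller cannot tell which module refused; this model keeps only what the two tutorial lines need.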

That should do it. You should be ready to rumble. You can test by having a regular domain user try to map the drive from their work station. If you have problems, I strongly suggest trying to map as a domain user from the local machine using the command line smbclient. This will give a lot more meaningful error messages than what you would normally get.
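Before the server goes on the network it is worth a second look at the two files built in steps 7 and 18. The script below is an added example (not part of the original post and not a Samba or Kerberos tool): it parses a krb5.conf and an smb.conf and reports the settings a reviewer would question. The file contents are constructed, with EXAMPLE and EXAMPLE.LOCAL standing in for the tutorial's placeholders, and the thresholds it uses (log level above 3, id ranges starting below 1000) are my own choices. The enctype check reflects a fact, not an assumption: the single-DES enctypes in the step 7 config use 56-bit keys and current Windows releases no longer enable them by default, so a newer domain will refuse such tickets.

```python
# Offline review of the two configuration files the tutorial builds in steps 7
# and 18 (added example, not from the original post or the Samba project).
# The sample file contents are constructed.
import configparser
import re

SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.LOCAL
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
permitted_enctypes = des-cbc-crc des-cbc-md5

[realms]
EXAMPLE.LOCAL = {
kdc = dc1.example.local
kdc = dc2.example.local
}
"""

SAMPLE_SMB_CONF = r"""
[global]
workgroup = EXAMPLE
realm = EXAMPLE.LOCAL
security = DOMAIN
encrypt passwords = yes
log level = 10
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = Yes

[printers]
path = /tmp
guest ok = Yes
printable = Yes
lpq command = %p

[home]
path = /home/%D/%U
valid users = EXAMPLE\%U
read only = No

[temp]
path = /tmp
read only = No
"""

# Single-DES enctypes: 56-bit keys, brute-forceable, disabled by default on
# current Windows releases.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def krb5_findings(text):
    """Flag enctype lists in [libdefaults] that contain nothing but single-DES."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            enctypes = set(value.lower().split())
            if enctypes and enctypes <= SINGLE_DES:
                findings.append(f"{key} allows only single-DES: {value}")
    return findings


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def smb_findings(text):
    """Flag global and per-share settings worth a second look (thresholds are assumptions)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # smb.conf values contain %U, %D
    cp.read_string(text)
    findings = []
    g = cp["global"]
    if g.get("security", "user").strip().lower() not in ("domain", "ads"):
        findings.append("security is not DOMAIN or ADS: the domain will not authenticate users")
    if not _truthy(g.get("encrypt passwords", "yes")):
        findings.append("encrypt passwords is off")
    level = g.get("log level", "0").split()[0]
    if level.isdigit() and int(level) > 3:
        findings.append(f"log level {level} is debug-grade: very large logs full of protocol detail")
    for key in ("idmap uid", "idmap gid"):
        if key not in g:
            findings.append(f"{key} is missing: winbind cannot map domain accounts")
            continue
        low = int(g[key].split("-", 1)[0])
        if low < 1000:
            findings.append(f"{key} range starts at {low}, inside the local system account range")
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        if _truthy(s.get("guest ok", "no")):
            findings.append(f"[{share}] allows guest access")
        if "valid users" not in s and not _truthy(s.get("printable", "no")):
            findings.append(f"[{share}] is open to every authenticated domain account")
    return findings


if __name__ == "__main__":
    for finding in krb5_findings(SAMPLE_KRB5_CONF) + smb_findings(SAMPLE_SMB_CONF):
        print("-", finding)
```

Run against the samples it reports the three DES-only enctype lines, the debug-grade log level of 10 from step 18, guest access on [printers], and a [temp] share with no valid users line. To check a live server, read the real /etc/krb5.conf and the smb.conf that testparm produced in step 15 and pass their contents to the two functions.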
