Joining Samba to a Windows 2008 R2 Domain

Getting started

The biggest hurdle I had to overcome in making this work is described in this bug report. In short, the standard samba package in CentOS 5.x and RHEL 5.x does not work with Windows 2008 R2. To work around this, install the samba3x packages, which as of this writing are at version 3.5.4 and do support Windows 2008 R2.

Installing samba3x-swat is not necessary, but it is helpful for those who prefer a web-based GUI for configuring Samba. I won’t go into how to configure SWAT, as there is already plenty of documentation for that. If you do enable it, keep in mind that SWAT authenticates with the root password over plain HTTP (port 901 by default), so bind it to localhost or tunnel it rather than exposing it on the network.

Below we install the necessary items for Samba.

$ yum install samba3x samba3x-client samba3x-common samba3x-swat samba3x-winbind

Now install the following to get the necessary Kerberos libraries and tools:

$ yum install krb5-libs krb5-workstation

Now let’s move on to the configuration of necessary services.

Configure Kerberos

In order to authenticate against AD you must have a working Kerberos configuration for that AD’s realm. Below is the /etc/krb5.conf file I used, with hostnames taken out for security reasons.

Note the default_tgs_enctypes and default_tkt_enctypes lines. On this CentOS 5 build these encryption types were needed to communicate successfully with Windows 2008 R2. Two caveats: the DES types (des-cbc-crc, des-cbc-md5) are cryptographically weak, Windows 2008 R2 does not enable DES for accounts by default, and MIT Kerberos 1.8 and later refuse them unless allow_weak_crypto is set, so arcfour-hmac-md5 is the type that actually carries these tickets; and Windows Server 2008 and later also support aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, so where both ends support them, prefer the AES types and drop DES from the list.

[libdefaults]
  default_realm = DOMAIN.COM
  default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
  default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
  clockskew = 300
 
[realms]
  DOMAIN.COM = {
    kdc = kdc1.domain.com
    kdc = kdc2.domain.com
    kdc = kdc3.domain.com
    default_domain = domain.com
}

[domain_realm]
 domain.com = DOMAIN.COM
  .domain.com = DOMAIN.COM
 
[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 500
    try_first_pass = true
}

Once this file is in place you can test this portion of the configuration by requesting a ticket for a domain user:

$ kinit domainuser@DOMAIN.COM

Now verify the ticket. Run klist and you should see output similar to the one below (the trailing “Kerberos 4 ticket cache” lines are normal for the krb5 release shipped with CentOS 5 and can be ignored).

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domainuser@DOMAIN.COM

Valid starting     Expires            Service principal
05/25/11 09:52:57  05/25/11 19:53:00  krbtgt/DOMAIN.COM@DOMAIN.COM
    renew until 05/26/11 09:52:57


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

If these tests succeed then move on to configuration of Samba.

Configure Samba

Below is the exact /etc/samba/smb.conf file I used, minus sensitive information. See the smb.conf man page for details on the available options.

#======================= Global Settings =====================================

[global]

    workgroup = DOMAIN
    server string = Samba Server Version %v

    netbios name = CLIENTHOSTNAME

# --------------------------- Logging Options -----------------------------

    log level = 3
    # logs split per machine
    log file = /var/log/samba/%m.log
    # max 50KB per log file, then rotate
    max log size = 50

# ----------------------- Domain Members Options ------------------------
#
    security = ADS
    realm = DOMAIN.COM
    encrypt passwords = yes

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind separator = +
    idmap uid = 600-20000
    idmap gid = 600-20000
    template primary group = "Domain Users"
    template shell = /sbin/nologin

    allow trusted domains = Yes
    server signing = mandatory
    client signing = mandatory
    client use spnego = Yes
    ntlm auth = Yes
    lanman auth = No



# ----------------------- Browser Control Options ----------------------------
    preferred master = no

# --------------------------- Printing Options -----------------------------

    load printers = no

    printcap name = /etc/printcap


#============================ Share Definitions ==============================

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

;[test]
;   available = yes
;   comment = Test Share
;   path = /var/www/test
;   writeable = yes
;   browseable = yes
;   invalid users = root
;   create mask = 0660
;   directory mask = 0770
;   valid users = @DOMAIN+Group-Name

Configure nsswitch.conf

Below is the /etc/nsswitch.conf file I used. It’s important that files comes before winbind in the passwd, shadow and group lines, so local system accounts are resolved from the local files without a round trip to AD (and so local accounts such as root keep working when the domain controllers are unreachable).

passwd:     files winbind
shadow:     files winbind
group:      files winbind

hosts:      files dns wins

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

Configure PAM

Below is the /etc/pam.d/system-auth-ac file for my system. This is the default provided in CentOS 5.6 with the addition of the pam_krb5 and pam_winbind lines. For AD authentication you only need to add the pam_winbind lines. Note that this file is generated by authconfig, so re-running authconfig will overwrite manual edits.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     sufficient    pam_winbind.so use_first_pass
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_first_pass
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_winbind.so use_first_pass

Join Samba to Active Directory

Now we actually join the Linux client to the Windows 2008 R2 domain with the following command. Depending on how your AD is delegated, the account you join with must either have rights to create computer objects in the target container, or the computer object for this Linux client must be pre-created in AD before running the command.

Be sure to replace domainadminuser with the username of an account that is allowed to add computers to the domain. This does not have to be a Domain Admin; an account delegated the right to create computer objects in the relevant OU is sufficient and preferable.

$ net ads join -U domainadminuser
Enter domainadminuser's password:
Using short domain name -- DOMAIN
Joined 'CLIENTHOSTNAME' to realm 'domain.com'
DNS update failed!

Notice the last line, “DNS update failed!”. I have yet to get rid of this error, but so far it has not seemed to affect anything. From what I’ve read it has something to do with Dynamic DNS.

Next start both the smb and winbind services and set them to run at boot.

$ /etc/init.d/smb start
$ /etc/init.d/winbind start
$ chkconfig smb on
$ chkconfig winbind on

Once we are joined to AD we need to create our keytab file for use with Kerberos. Below is the command to create the keytab, followed by the command to verify it (klist -ke reads /etc/krb5.keytab, so run it as root). The keytab holds the machine account’s keys, which are as sensitive as the computer’s domain password: it must stay owned by root with mode 0600 and should never be copied off the host.

$ net ads keytab create -U domainadminuser

$ klist -ke

$ /etc/init.d/smb restart
$ /etc/init.d/winbind restart
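Reading the klist -ke listing by eye is error-prone, so here is an added example (shell functions written for this page, not part of the original post or of Samba) that checks the two things worth verifying after the keytab is created: that the file is root-owned and mode 0600, and whether any key entry still uses the DES or ArcFour (RC4) enctypes listed in the krb5.conf above rather than AES. The two klist listings embedded in the block are constructed samples in MIT klist -ke format, using the same placeholder hostnames as this page.

```sh
#!/bin/sh
# Added example, not from the original post: audit the keytab written by
# `net ads keytab create`. It holds the machine account's keys, which are
# equivalent to the computer's domain password, so check two things:
#   1. the file is root-owned and mode 0600, and
#   2. which enctypes the keys use. DES and ArcFour (RC4) entries are weak;
#      AES entries are what Windows 2008 R2 negotiates when both ends allow it.
# The klist listings below are constructed to mimic MIT `klist -ke` output.

# keytab_weak_count KLIST_TEXT -> prints the number of DES/RC4 key entries
# (grep -c prints 0, and exits 1, when there are none)
keytab_weak_count() {
    printf '%s\n' "$1" | grep -cE '\((DES|ArcFour)'
}

# keytab_aes_only KLIST_TEXT -> exit 0 if there is at least one key entry
# and every entry is AES-128 or AES-256
keytab_aes_only() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ / {                       # key lines start with a KVNO
            n++
            if ($0 ~ /\(AES-(128|256) CTS mode/) aes++
        }
        END { if (n > 0 && aes == n) exit 0; exit 1 }'
}

# keytab_mode_ok FILE -> exit 0 if FILE is exactly mode 0600
keytab_mode_ok() {
    [ -n "$(find "$1" -prune -perm 0600 2>/dev/null)" ]
}

# keytab_owner_ok FILE -> exit 0 if FILE is owned by root
keytab_owner_ok() {
    [ -n "$(find "$1" -prune -user root 2>/dev/null)" ]
}

# Constructed sample: what a keytab with the krb5.conf enctypes above looks like
SAMPLE_KLIST_WEAK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/clienthostname.domain.com@DOMAIN.COM (DES cbc mode with CRC-32)
   2 host/clienthostname.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)
   2 CLIENTHOSTNAME$@DOMAIN.COM (ArcFour with HMAC/md5)'

# Constructed sample: the same keytab after the account was re-keyed with AES
SAMPLE_KLIST_AES='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/clienthostname.domain.com@DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 host/clienthostname.domain.com@DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 CLIENTHOSTNAME$@DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# On a joined host, run as root:
#   keytab_mode_ok /etc/krb5.keytab && keytab_owner_ok /etc/krb5.keytab
#   keytab_weak_count "$(klist -ke)"
#   keytab_aes_only "$(klist -ke)"
```

The functions only use grep, awk and find so they run on the CentOS 5 userland this page targets; a non-zero weak count on a real host means the DES/RC4 types in krb5.conf are still in use and the account would need re-keying once AES is enabled on both sides.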

Testing the domain join

The next few commands are ways to verify you successfully joined the AD. The output below the commands is an example of what you should see.

$ net ads info
LDAP server: 10.1.0.1
LDAP server name: kdc1.domain.com
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Wed, 25 May 2011 12:05:17 CDT
KDC server: 10.1.0.1
Server time offset: 0

$ net ads testjoin
Join is OK

Some additional tests to run. The comments above each command describe its purpose.

# Check the secret between client and AD
$ wbinfo -t
checking the trust secret for domain DOMAIN via RPC calls succeeded

# This is like kinit but testing that winbind authentication is working
# You will be prompted for password twice
# Replace domainuser with a valid domain user's account name
$ wbinfo -a domainuser
Enter domainuser's password:
plaintext password authentication succeeded
Enter domainuser's password:
challenge/response password authentication succeeded

# An additional test to verify user accounts function
# Replace domainuser with a valid domain user's name
$ id domainuser

If the above goes without incident then you have successfully joined your Linux Samba client to a Windows 2008 R2 domain. If you refer to the smb.conf above you’ll notice I set up a test share. For shares that will host content for Windows AD users I enabled POSIX ACLs on the filesystem. On ext3 the acl option has to be specified when the filesystem is mounted, and it can be made permanent by adding it to the entry in your /etc/fstab. See below for an example.

# An example line from my /etc/fstab file
/dev/VolGroup00/LogVol00    /               ext3    defaults,acl        1 1

Additionally you need to install the acl package and grant the domain group access by setting an ACL on the share path, as shown below. With winbind use default domain = Yes the bare group name resolves; a group name containing spaces, such as Domain Users, has to be quoted. If the filesystem was not mounted with the acl option, setfacl fails with “Operation not supported”.

# Replace group-name with the name of a valid domain user group
setfacl -m g:group-name:rwx /var/www/test

Now from any machine with an SMB client you should be able to connect to the test share as a user who is a member of the AD group group-name.

Additional Resources and Remarks

Here are a few resources that helped me get this working and also sources for some of what I’ve done.

If you have any questions or corrections please leave a comment.

Comments (1)

  1. theodore, March 28, 2012, 13:30

    Thanks for posting this. After weeks of searching and trying and failing, I finally have AD integration working.
