How To Integrate Samba (File Sharing) Using Active Directory For Authentication
This tutorial explains how to install a Samba server on Gentoo and share folders whose permissions are granted to Active Directory groups, with Active Directory doing the authentication.
Preparation
- Active Directory should already be set up and working. If you need help with that, there is plenty of documentation online.
- Your Windows systems should be secured and patched.
- You have Gentoo Linux installed, of course.
- In the config files below, replace yourdomain / YOURDOMAIN and the IP placeholders with your own domain and addresses. Kerberos realm names are case-sensitive: the realm is the upper-case form of the AD DNS domain, and it must be written identically in /etc/krb5.conf and /etc/samba/smb.conf.
Install some utils
You have to install three packages:
- openldap
- kerberos (MIT)
- samba (with Kerberos, LDAP and winbind support)
# emerge openldap
# emerge mit-krb5
# USE="kerberos ldap winbind" emerge samba
OpenLDAP itself does not need to be configured; it is only installed for the client libraries Samba links against.
Configure Kerberos
Now configure /etc/krb5.conf as follows:
[libdefaults]
    ticket_lifetime = 600
    default_realm = YOURDOMAIN
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
    YOURDOMAIN = {
        kdc = ip of your ads server
        default_domain = YOURDOMAIN
    }

[domain_realm]
    .yourdomain = YOURDOMAIN
    yourdomain = YOURDOMAIN

[kdc]
    profile = /etc/krb5kdc/kdc.conf

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
A caveat on the two enctype lines: des-cbc-crc is single DES. Current Windows domain controllers and current MIT Kerberos releases disable DES by default, so unless you are talking to a legacy domain, leave the default_tkt_enctypes and default_tgs_enctypes lines out and let the client negotiate AES with the KDC. The [kdc] section is only relevant if this host also runs a KDC; it does no harm here.
Add this line to /etc/hosts:
xxx.xxx.xxx.xxx adserver.yourdomain adserver
Test Kerberos to make sure the AD domain can be reached. Type this command:
kinit Username@YOURDOMAIN
It will ask for the password. If you type it correctly you are returned to the prompt without any output, which means the KDC accepted you and issued a ticket-granting ticket. An error such as "Cannot find KDC for requested realm" means the realm name or the kdc line is wrong.
Configure SAMBA
You can use this example Samba configuration (location: /etc/samba/smb.conf):
[global]
    netbios name = name of your server
    workgroup = yourdomain
    realm = YOURDOMAIN
    security = ADS
    password server = *
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    ; the address smbd listens on (this server's own interface, not the AD server)
    socket address = ip of your samba server
    os level = 20
    preferred master = no
    wins server = ip of your wins server
    wins proxy = no
    dns proxy = no
    idmap uid = 10000-20000
    winbind gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = +
    log file = /var/log/samba3/log.%m
    max log size = 50

[exampleshare]
    comment = a comment
    path = /home/exampleshare
    browseable = yes
    read only = no
    inherit acls = yes
    inherit permissions = yes
    create mask = 700
    directory mask = 700
    ; define the AD groups allowed to use the share
    valid users = @"DOMAIN+Domain Users"
    ; define the AD groups that get admin rights on the share
    admin users = @"DOMAIN+Domain Admins"
Two notes on this file. The original tutorial set "socket address" to the address of the AD server; that parameter controls which local interface smbd binds to, so it has to be this machine's own address (or can simply be left out). And be careful with "admin users": accounts in that list perform all file operations on the share as root, so keep it to a small group. The "idmap uid" / "winbind gid" parameters are Samba 3.0-era syntax; on current Samba releases the same range is expressed as "idmap config * : backend = tdb" and "idmap config * : range = 10000-20000". Whatever syntax you use, the range must not overlap UIDs or GIDs that already exist in /etc/passwd and /etc/group.
Now run samba
# /etc/init.d/samba start
Join your Samba server to the domain with this command (you will be asked for the password of Username, which must be an account allowed to join computers to the domain):
# net ads join -U Username
Now set up winbind so that Windows accounts are visible to the system. Edit /etc/nsswitch.conf and change the passwd and group lines to look like this (shadow stays as it is):
passwd: compat winbind
shadow: compat
group:  compat winbind
Start the winbindd daemon
# winbindd
Add winbindd to your /etc/conf.d/local.start
# echo "/usr/bin/winbindd" >> /etc/conf.d/local.start
Add samba to your rc default
# rc-update add samba default
Test your SAMBA server
Let's make sure we can see the contents of Active Directory. Type these commands:
# wbinfo -u
Do you see the user list of your Active Directory?
To see your groups type
# wbinfo -g
Configure your share
If you didn't configure a share yet do it now ;)
ACL Support
You need to enable POSIX ACL support for your filesystem in the kernel (the ACL option under the filesystem you use, reiserfs in this example).
Now edit /etc/fstab and add acl to the mount options of the filesystem that holds the share, like this:
/dev/sda4 /home reiserfs noatime,acl 0 0
Remount (or reboot) so the option takes effect before you set any ACLs.
Set domain groups to your share
You can grant a domain group access to your share with the following command, run from inside the share directory (the trailing dot is the current directory). The group name uses the winbind separator configured in smb.conf:
# setfacl -m g:"DOMAIN+YourGroup":rwx .
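The checks in this tutorial (kinit, the join, wbinfo, setfacl) are quick to run once by hand, but they are worth repeating after every configuration change. The script below is an added example, not part of the original tutorial. Its offline part parses /etc/krb5.conf and /etc/samba/smb.conf and catches two mistakes the live tools only report indirectly: a realm that is not upper-case or differs between the two files, and an idmap range that overlaps local UIDs or GIDs. Its live part runs the same sequence as the text plus net ads testjoin, wbinfo -t, a getent lookup through nsswitch and, optionally, the share ACL with an added default entry so that files created later inherit it. The config paths, the constructed sample files written by write_samples, and the command-line conventions of main are assumptions of the example.

```shell
#!/bin/sh
# ad_samba_check.sh - added example, not part of the original tutorial.
# Offline checks on the config files written above, then (on request) live
# checks against the domain. Assumptions not taken from the page: the default
# config paths below, the constructed sample files, and main's arguments.
set -u

KRB5_CONF=${KRB5_CONF:-/etc/krb5.conf}
SMB_CONF=${SMB_CONF:-/etc/samba/smb.conf}

# Drop comments and blank lines, strip indentation, normalise "key = value".
conf_kv() {
    sed -e 's/[;#].*$//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# First value of KEY in FILE (keys compared case-insensitively; smb.conf keys
# may contain spaces, which is why the whole line is split on "=" only).
conf_get() {   # conf_get FILE KEY
    conf_kv "$1" | awk -F= -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# Kerberos realms are case-sensitive. AD expects the upper-cased DNS domain,
# and smb.conf "realm" must equal krb5.conf "default_realm" exactly, otherwise
# kinit may work while "net ads join" fails.
realm_consistent() {   # realm_consistent KRB5_CONF SMB_CONF
    krb=$(conf_get "$1" default_realm)
    smb=$(conf_get "$2" realm)
    upper=$(printf '%s' "$krb" | tr '[:lower:]' '[:upper:]')
    [ -n "$krb" ] && [ "$krb" = "$smb" ] && [ "$krb" = "$upper" ]
}

# The winbind idmap range must not overlap IDs already used locally, or a
# domain account could end up owning a local account's files.
idmap_range_free() {   # idmap_range_free SMB_CONF PASSWD_FILE [GROUP_FILE]
    range=$(conf_get "$1" 'idmap uid'); shift
    lo=${range%-*}; hi=${range#*-}
    case "$lo$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -lt "$hi" ] || return 1
    awk -F: -v lo="$lo" -v hi="$hi" \
        '$3 >= lo && $3 <= hi { bad = 1 } END { exit bad + 0 }' "$@"
}

# Constructed sample files (a correct configuration) for trying the offline
# checks without touching the real system. Not taken from the tutorial.
write_samples() {   # write_samples DIR
    printf '%s\n' '[libdefaults]' '    default_realm = EXAMPLE.COM' \
        '[realms]' '    EXAMPLE.COM = {' '        kdc = 192.0.2.10' '    }' >"$1/krb5.conf"
    printf '%s\n' '[global]' '    workgroup = EXAMPLE' '    realm = EXAMPLE.COM' \
        '    security = ADS' '    idmap uid = 10000-20000' '    winbind gid = 10000-20000' >"$1/smb.conf"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'backup:x:1001:1001::/var/backups:/bin/false' >"$1/passwd"
}

# Run one live check and keep a running failure flag. Output is left visible
# because kinit prompts for the password.
step() {   # step DESCRIPTION COMMAND...
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; failed=1; fi
}

live_checks() {   # live_checks USER [SHARE_DIR 'DOMAIN+Group']
    failed=0
    realm=$(conf_get "$KRB5_CONF" default_realm)
    step "kinit $1@$realm"                 kinit "$1@$realm"
    step "ticket cache holds a valid TGT"  klist -s
    step "machine account still joined"    net ads testjoin
    step "winbind trust secret"            wbinfo -t
    step "winbind lists domain users"      sh -c 'u=$(wbinfo -u) && printf "%s\n" "$u" | head -n 5'
    step "nsswitch resolves a domain user" sh -c 'getent passwd "$(wbinfo -u | head -n 1)"'
    if [ $# -ge 3 ]; then
        # The page's access entry plus a default entry (d:) so new files inherit
        # it; then read the ACL back instead of trusting setfacl's exit code.
        step "ACL on $2 for $3"       setfacl -m "g:$3:rwx" -m "d:g:$3:rwx" "$2"
        step "getfacl shows $3 entry" sh -c 'getfacl -p "$1" | grep -F "group:$2:rwx"' sh "$2" "$3"
    fi
    return $failed
}

# Usage:  ./ad_samba_check.sh offline [KRB5_CONF SMB_CONF]
#         ./ad_samba_check.sh live USER [SHARE_DIR 'DOMAIN+Group']
main() {
    case ${1:-} in
        offline)
            rc=0
            if realm_consistent "${2:-$KRB5_CONF}" "${3:-$SMB_CONF}"; then echo "ok   realm names consistent"
            else echo "FAIL default_realm must be UPPER-CASE and equal smb.conf realm"; rc=1; fi
            if idmap_range_free "${3:-$SMB_CONF}" /etc/passwd /etc/group; then echo "ok   idmap range free of local ids"
            else echo "FAIL idmap uid range is missing or overlaps /etc/passwd or /etc/group"; rc=1; fi
            return $rc ;;
        live) shift; live_checks "$@" ;;
        *) echo "usage: $0 offline [krb5.conf smb.conf] | live USER [SHARE_DIR GROUP]" >&2; return 2 ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run "./ad_samba_check.sh offline" before the join and "./ad_samba_check.sh live Username /home/exampleshare 'DOMAIN+YourGroup'" afterwards; the offline checks are pure text parsing and can be pointed at copies of the config files, while the live checks need the running winbindd and a reachable domain controller.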
Links
http://forums.gentoo.org/viewtopic.php?p=706581#706581
samba mailing list
http://www.samba.org