This post documents how to get Samba to work with both AD and local authentication, mapping AD users onto local Unix users. In the scenario I had, we wanted AD users mapped to the already existing Linux accounts: Samba checks its own local SMB password database first and then uses AD as a secondary account store. The following was performed on these machines:
- Centos 6, Samba 3.5
- Windows 2008 R2, AD
STEPS
- Backup your configurations before starting.
- Ensure that the latest Samba and Kerberos packages are installed (Samba must be version >= 3.5.10)
yum install samba samba-winbind krb5-workstation
- Because we need to use Kerberos, edit /etc/krb5.conf so that it contains the following (the first block belongs in the [libdefaults] section)
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
NOTE: Change example.com to your domain name and keep the capitalization exactly as shown: the Kerberos realm (EXAMPLE.COM) is uppercase and the DNS domain (example.com) is lowercase. It IS important; a lowercase realm will fail to match the KDC.
- Check that we can obtain a ticket from the domain controller
root# kinit administrator@EXAMPLE.COM
and enter the password when prompted. If all goes well, it returns silently to the # prompt.
- Confirm that kerberos succeeded
[root@vc6 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
12/19/12 21:02:28  12/20/12 07:02:32  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/26/12 21:02:28
- Edit /etc/samba/smb.conf and set the following parameters in the [global] section. The order in "auth methods" is what makes local accounts win: Samba tries the local sam (smbpasswd/tdbsam) first and only falls through to winbind (AD) if that fails.
security = ADS
auth methods = sam winbind
realm = EXAMPLE.COM
machine password timeout = 0
idmap domains = ALL
idmap backend = nss
winbind use default domain = true
winbind trusted domains only = yes
winbind offline logon = false
winbind nested groups = yes
winbind separator = +
encrypt passwords = yes
template homedir = /home/%U
username map = /etc/samba/smbusers
Note that "machine password timeout = 0" disables the periodic machine account password change, so this host will keep the same machine secret indefinitely; set it only if you need it.
- Ensure that Samba will start with the system
chkconfig smb on
- Start SMB (restart in this case)
service smb restart
- Join the machine to the domain
net ads join -U username
If it complains that it was unable to update DNS, that is OK. What matters is the line Joined 'VC6' to realm 'EXAMPLE.COM'
- Configure WinBind to start
chkconfig winbind on
- Start winbind
service winbind restart
- Now the moment of truth: see if we can look up the domain's groups
wbinfo -g
This should return all the domain groups from AD.
- Edit /etc/samba/smbusers to map AD users to local users. The left-hand side is the existing local Unix account, the right-hand side is the AD user written as DOMAIN+user (using the winbind separator configured above); one mapping per line
user1 = EXAMPLE+user1
- Restart the smb service to reload the smbusers file
service smb restart
- Test with both a local account and an AD account to confirm that both can authenticate.
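The script below is an added example for this post, not the original author's, that checks the pieces the procedure above depends on. The first two functions work offline against an smb.conf and an smbusers map (required settings present, realm uppercase, every mapped AD user pointing at a local account that actually exists, and a warning for the machine password timeout), and live_checks bundles the on-host commands for the final "test both accounts" step. The file paths, the constructed sample files, and the EXAMPLE domain are assumptions; with no arguments it runs against the samples.

```shell
#!/bin/sh
# Added example for this post, not the original author's script: checks an
# smb.conf and smbusers map offline for the settings the procedure depends on,
# and bundles the live commands for the final "test both accounts" step.
# Paths, sample contents and the EXAMPLE domain are assumptions.

# smb_get FILE KEY: print KEY's value (case-insensitive key, whitespace trimmed).
smb_get() {
  awk -v key="$2" -F= '
    /^[ \t]*[#;]/ { next }
    NF >= 2 {
      k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
      v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      if (tolower(k) == tolower(key)) { print v; exit }
    }' "$1"
}

# check_smb_conf FILE: 0 when every setting this setup relies on has the expected
# value and the realm is uppercase; each mismatch is reported on stderr.
check_smb_conf() {
  f=$1; rc=0
  while IFS='|' read -r key want; do
    got=$(smb_get "$f" "$key")
    if [ "$got" != "$want" ]; then
      echo "smb.conf: '$key' is '${got:-<unset>}', expected '$want'" >&2; rc=1
    fi
  done <<'EOF'
security|ADS
auth methods|sam winbind
idmap backend|nss
winbind use default domain|true
winbind separator|+
username map|/etc/samba/smbusers
EOF
  realm=$(smb_get "$f" realm)
  if [ -z "$realm" ] || [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
    echo "smb.conf: realm '$realm' must be set and UPPERCASE" >&2; rc=1
  fi
  # Not a failure, but know what it means: 0 disables the periodic machine
  # account password change, so the host keeps one machine secret indefinitely.
  if [ "$(smb_get "$f" 'machine password timeout')" = 0 ]; then
    echo "smb.conf: machine password timeout = 0 turns off machine password rotation" >&2
  fi
  return $rc
}

# check_smbusers MAP PASSWD DOMAIN SEP: each line must read "unixuser = DOMAIN<SEP>aduser"
# and unixuser must exist in PASSWD, otherwise the AD login maps to nothing.
check_smbusers() {
  map=$1; passwd=$2; dom=$3; sep=$4; rc=0
  while IFS= read -r line; do
    case $line in ''|\#*|\;*) continue ;; esac
    unix=$(printf '%s' "${line%%=*}" | tr -d ' \t')
    rhs=$(printf '%s' "${line#*=}" | tr -d ' \t')
    if [ "${rhs%%"$sep"*}" != "$dom" ]; then
      echo "smbusers: '$line' does not use the $dom$sep<user> form" >&2; rc=1
    fi
    if ! grep -q "^$unix:" "$passwd"; then
      echo "smbusers: local user '$unix' is not in $passwd" >&2; rc=1
    fi
  done < "$map"
  return $rc
}

# make_samples: write constructed sample files (not from any real host) to a temp
# dir and print its path; smbusers.bad has a mapping with no local account and
# one without the domain prefix.
make_samples() {
  d=$(mktemp -d)
  cat > "$d/smb.conf" <<'EOF'
[global]
   security = ADS
   auth methods = sam winbind
   realm = EXAMPLE.COM
   machine password timeout = 0
   idmap backend = nss
   winbind use default domain = true
   winbind separator = +
   username map = /etc/samba/smbusers
EOF
  printf 'user1 = EXAMPLE+user1\n' > "$d/smbusers"
  printf 'user1 = EXAMPLE+user1\nghost = EXAMPLE+ghost\nuser2 = user2\n' > "$d/smbusers.bad"
  printf 'root:x:0:0:root:/root:/bin/bash\nuser1:x:1000:1000::/home/user1:/bin/bash\n' > "$d/passwd"
  echo "$d"
}

# live_checks ADUSER LOCALUSER: on-host verification for the last step; needs the
# joined machine and a running winbind, and prompts for passwords.
live_checks() {
  net ads testjoin || return 1                 # machine account still valid
  wbinfo -t || return 1                        # trust secret works
  wbinfo -a "$1" || return 1                   # AD password check through winbind
  smbclient -L localhost -U "$1" || return 1   # SMB login as the AD user (name as in smbusers)
  smbclient -L localhost -U "$2"               # SMB login as the local account
}

# Usage: sh check.sh SMB_CONF SMBUSERS PASSWD DOMAIN SEP; no arguments = samples.
if [ $# -ge 5 ]; then check_smb_conf "$1" && check_smbusers "$2" "$3" "$4" "$5"
else s=$(make_samples); check_smb_conf "$s/smb.conf" && check_smbusers "$s/smbusers" "$s/passwd" EXAMPLE +
fi
```

Run it against the real files with `sh check.sh /etc/samba/smb.conf /etc/samba/smbusers /etc/passwd EXAMPLE +` before restarting smb; a mapping whose left-hand side is not a real local account is the most common reason an AD login "works" in wbinfo but fails at the share.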