This post documents how to get Samba to work with both AD and local authentication. Samba first checks the local SMB account database, and then uses AD as a secondary account store. The following was performed with these machines:
- Centos 6, Samba 3.5
- Windows 2008 R2, AD
The basic configuration required to get Samba to do what we want from a vanilla install is as follows:
[global]
workgroup = DOMAIN
security = ADS
auth methods = sam winbind
realm = DOMAIN.EXAMPLE.COM
machine password timeout = 0
server string = SERVER
idmap domains = ALL
idmap config ALL:backend = lwicompat_v4
idmap config ALL:default = yes
idmap config ALL:readonly = yes
idmap uid = 10000-33554431
idmap gid = 10000-33554431
However, this does not cover joining the machine to AD, so let's go through it step by step from a vanilla installation.
- Ensure that the latest version of Samba is installed (ensure Samba is version >= 3.5.10) along with kerberos
yum install samba samba-winbind krb5-workstation
- Because we need to use kerberos, edit /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
[realms]
EXAMPLE.COM = {
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
NOTE: Change example.com to your domain name, and note the capitalization. It IS important: the realm is upper case, the DNS domain is lower case.
- Check to make sure we can connect to the domain controller
root# kinit administrator@EXAMPLE.COM
and enter the password when prompted. If all goes well, it returns silently to the # prompt.
- Confirm that kerberos succeeded
[root@vc6 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM
Valid starting     Expires            Service principal
12/19/12 21:02:28  12/20/12 07:02:32  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/26/12 21:02:28
- Edit /etc/samba/smb.conf and modify the following parameters
workgroup = example
realm = EXAMPLE.COM
security = ads
auth methods = sam winbind
idmap uid = 10000-500000
idmap gid = 10000-500000
idmap domains = ALL
idmap config ALL:backend = lwicompat_v4
idmap config ALL:default = yes
idmap config ALL:readonly = yes
template shell = /bin/bash
winbind use default domain = true
machine password timeout = 0
server string = SERVER
winbind offline logon = false
winbind nested groups = yes
encrypt passwords = yes
- Ensure that Samba will start with the system
chkconfig smb on
- Start SMB (restart in this case)
service smb restart
- Join the machine to the domain
net ads join -U username
If it complains about being unable to update DNS, this is OK. Ensure that it says Joined 'VC6' to realm 'sc.local' (the hostname and realm of the test machine; yours will differ).
- Configure WinBind to start
chkconfig winbind on
- Start winbind
service winbind restart
- Now the moment of truth. See if we can look up the domain groups
wbinfo -g
This should return all the domain groups from AD.
- SMB config file differences (the resulting smb.conf)
security = ADS
auth methods = sam winbind
realm = SC.LOCAL
machine password timeout = 0
server string = Centos 6 Server
idmap domains = ALL
idmap config ALL:backend = lwicompat_v4
idmap config ALL:default = yes
idmap config ALL:readonly = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nested groups = yes
winbind separator = +
encrypt passwords = yes
template homedir = /home/%U
- Edit the /etc/nsswitch.conf file and add winbind to the following 3 lines of the config file
passwd: files winbind
shadow: files winbind
group: files winbind
- Create a mkhomedir.sh file
[root@centos6 home]# cat /usr/local/sbin/mkhomedir.sh
#!/bin/bash
# Create a home directory for a domain user on first use; $1 is the bare user
# name (no DOMAIN+ prefix, because "winbind use default domain = true" is set)
if [ ! -e "/home/$1" ]; then
mkdir "/home/$1"
chown "$1":"Domain Users" "/home/$1"
chmod 0700 "/home/$1"
touch "/home/$1/newfile"
fi
exit 0
Then make it executable:
chmod u=rwsx,g=rwx,o-rwx /usr/local/sbin/mkhomedir.sh
Note that the Linux kernel ignores the setuid bit on interpreted scripts, so the s in u=rwsx has no effect; the script only creates the directory because the process invoking it already runs as root.
- Restart the SMB, NMB and Winbind services, and a home directory should be created automatically.
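As an added example (not part of the original post), here is a shell script that checks an smb.conf against the local account files before the join: it verifies the settings this walkthrough depends on and that the idmap uid/gid range sits above every local UID and GID, since with auth methods = sam winbind a local account and an AD mapping that share an id are indistinguishable on disk. The smb.conf, passwd and group files it writes are constructed samples; the function and variable names are my own.

```bash
#!/bin/bash
# Added example (not from the original post): validate an smb.conf against the
# local account files before joining the domain. "auth methods = sam winbind"
# consults the local SAM first, so the idmap range must not overlap any UID/GID
# already in /etc/passwd or /etc/group. All files below are constructed samples.
smb_value() {  # smb_value FILE KEY: value of the last "KEY = value" line, key case-insensitive
    awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        tolower(k) == tolower(key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}
max_id() {  # max_id FILE: highest id in field 3 of a passwd- or group-style file
    awk -F: 'BEGIN { m = 0 } ($3 + 0 > m) { m = $3 + 0 } END { print m }' "$1"
}
check_smb_conf() {  # check_smb_conf SMB_CONF PASSWD_FILE GROUP_FILE -> 0 if sane, else 1
    conf=$1 rc=0
    sec=$(smb_value "$conf" security | tr 'A-Z' 'a-z')
    [ "$sec" = ads ] || { echo "FAIL: security = '$sec', expected ads"; rc=1; }
    methods=" $(smb_value "$conf" 'auth methods') "
    case "$methods" in *" sam "*) ;; *) echo "FAIL: auth methods lacks sam"; rc=1 ;; esac
    case "$methods" in *" winbind "*) ;; *) echo "FAIL: auth methods lacks winbind"; rc=1 ;; esac
    [ -n "$(smb_value "$conf" realm)" ] || { echo "FAIL: realm is not set"; rc=1; }
    for kind in uid gid; do
        range=$(smb_value "$conf" "idmap $kind"); low=${range%%-*}; high=${range##*-}
        case "$low$high" in ''|*[!0-9]*) echo "FAIL: idmap $kind range '$range' malformed"; rc=1; continue ;; esac
        if [ "$kind" = uid ]; then local_max=$(max_id "$2"); else local_max=$(max_id "$3"); fi
        [ "$low" -lt "$high" ] || { echo "FAIL: idmap $kind range '$range' is empty"; rc=1; }
        [ "$low" -gt "$local_max" ] || { echo "FAIL: idmap $kind starts at $low but local id $local_max exists"; rc=1; }
    done
    return $rc
}
# Constructed samples: a local service account with uid/gid 10500, one config whose
# range starts above every local id, and one using the post's 10000-20000 (collides).
TMP=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'svc:x:10500:10500::/home/svc:/bin/bash' > "$TMP/passwd"
printf '%s\n' 'root:x:0:' 'svc:x:10500:' > "$TMP/group"
cat > "$TMP/smb.good" <<'EOF'
[global]
   security = ADS
   auth methods = sam winbind
   realm = EXAMPLE.COM
   idmap uid = 20000-33554431
   idmap gid = 20000-33554431
EOF
sed 's/20000-33554431/10000-20000/' "$TMP/smb.good" > "$TMP/smb.bad"
PASSWD_FILE=$TMP/passwd GROUP_FILE=$TMP/group
check_smb_conf "$TMP/smb.good" "$PASSWD_FILE" "$GROUP_FILE" && echo "smb.good: OK"
check_smb_conf "$TMP/smb.bad" "$PASSWD_FILE" "$GROUP_FILE" || echo "smb.bad: rejected"
```

Run it against the real files with check_smb_conf /etc/samba/smb.conf /etc/passwd /etc/group before net ads join; any FAIL line names the parameter to fix.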