SAMBA AD

How to Join Samba Server into Microsoft Windows Active Directory

The following steps need to be performed in order to join a Samba 3 server to a Microsoft Windows Active Directory domain.

  1. Configure Kerberos.

The most important thing in configuring Kerberos is the /etc/krb5.conf file. There should be an example one in /etc you can modify. If not, then just create one. Here is a copy:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = SAMBA-TEST.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    SAMBA-TEST.COM = {
        kdc = SAMBA-TEST.SAMBA-TEST.COM:88
        admin_server = samba-test:749
        default_domain = samba-test.com
    }

[domain_realm]
    # DNS domain -> Kerberos realm; the realm name is case-sensitive and must
    # match the realm defined above
    .samba-test.com = SAMBA-TEST.COM
    samba-test.com = SAMBA-TEST.COM

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

It is recommended that the realm name be in upper case, but this is not a requirement.

In this case, the realm is named the same as the AD Domain name. It just so happens that the AD Domain name is the same as the network domain name, but that is not always the case.

Use your AD DC as the Key Distribution Center (kdc) in your file. You should also list it as the admin server. If you have more than one DC in your AD domain, you can list them as kdc entries.

After you get the krb5.conf file done, you can test it with the kinit command.

Execute:

#kinit username@REALM

Username is the name of an account in your AD Domain. It should prompt you for a password. Enter the password for that user in the AD Domain. NOTE: You must enter the name of the realm in uppercase letters.

If it executes without error, then execute klist to see the Kerberos ticket. If you get any error messages, make sure:

  • You have no spelling errors in the krb5.conf file.
  • The times are synched on the machines.
  • The password has been changed at least once on the username you are using.

After you get a ticket from the AD DC, test it by using Kerberos authentication with the smbclient command to view the shares on the Microsoft Windows 2000 AD DC:

#smbclient -L servername -k

This should return a list of all the shares on the DC.

  2. Configure Samba:

You now need to make the changes to your smb.conf file to enable Kerberos authentication and so you can join the AD domain. The important lines in smb.conf are:

realm = YOUR.REALM    
security = ads    
password server = <ip address or name of DC>    

Here is a copy of my smb.conf file:

[global]
    workgroup = SAMBA-TEST0
    server string = Customer-Test
    netbios name = node2
    ;   interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
    hosts allow = 127. 192.168.224. 16.138.174.240
    # logs split per machine
    log file = /var/log/samba/%m.log
    # max 50KB per log file, then rotate
    max log size = 50
    security = ads
    passdb backend = tdbsam
    realm = samba-test.com
    password server = samba-test.samba-test.com
    local master = yes
    os level = 255
    preferred master = yes

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    ;   valid users = %S
    ;   valid users = MYDOMAIN\%S

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

After you make the changes to smb.conf and before you start Samba, you need to join the AD domain. Before you do so, there are two things that you should check:

  • If there is a file named /etc/samba/secrets.tdb either delete, move, or rename it. This file is from your previous connections to the domain. A new one will be created when you join the domain.
  • If there is an existing machine account in your AD domain for your Samba server, delete it. A new one will be created when you join the AD domain.

Here are the commands used as root to join the AD domain:

#kinit Administrator@FAHDAZIZ.COM.PK    
#net ads join -U administrator%password

The first command gets the Kerberos ticket you need to authenticate to the AD domain. You need to use the username of an account in your AD domain that has permission to join computers to the domain. The second command joins the domain.

If you successfully join the AD domain, you should receive a message stating that you successfully joined the Domain. You should also see a new /etc/samba/secrets.tdb file. There should also be a new machine account created in your Active Directory. If you look at the properties of the machine account, you should see that the operating system is listed as Samba 3.0.

After you have successfully joined the AD domain, start Samba in RHEL using:

#service smb start

One advantage to using this type of authentication is that you do not need to create Samba accounts on the Linux server with the smbpasswd command. There is no need for the /etc/samba/smbpasswd file. Microsoft Windows users only need to be concerned with one user account.

However, each user that accesses the Samba server will still need to have a valid Linux user account on the server that matches the account in the AD domain. The purpose of this account is to control access to the Linux file system. The password for that account does not need to match the Microsoft Windows 2000 AD domain account password. The account does not even need to have the ability to log in locally to the Linux machine. It does have to exist, however, and it must have the proper permissions to the directories you are sharing with Samba for the user to access them. This has not changed from Samba 2.2.
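The checks the procedure above asks you to make by hand (realm spelled consistently and in upper case in krb5.conf, security = ads in smb.conf, no stale secrets.tdb, a local account for each AD user) can be scripted as a pre-flight before running net ads join. The script below is an added example written for this page; it is not from the original wiki text or from the Samba project. The function names, the sample config snippets it writes to a temporary directory, and the file paths are all constructed for the demonstration; on a real host, point it at /etc/krb5.conf, /etc/samba/smb.conf and /etc/samba/secrets.tdb.

```shell
#!/bin/sh
# Added example (not from the original page or the Samba project): offline
# pre-flight checks for a "security = ads" domain join. All paths and sample
# files below are constructed for the demonstration.

# Print the value of "key = value" for the given key from an INI-style file.
# Lines commented with ";" or "#" do not match, because the key must be the
# first non-blank text on the line. Only the first occurrence is printed.
ini_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# krb5.conf default_realm and smb.conf realm must name the same realm.
# Compared case-insensitively because Samba upper-cases its own realm value.
check_realm_match() {
    krb=$(ini_value "$1" default_realm)
    smb=$(ini_value "$2" realm)
    [ -n "$krb" ] && [ -n "$smb" ] && [ "$(upper "$krb")" = "$(upper "$smb")" ]
}

# The realm in krb5.conf should be written in upper case, as the page
# recommends and as kinit requires on the command line.
check_realm_upper() {
    krb=$(ini_value "$1" default_realm)
    [ -n "$krb" ] && [ "$krb" = "$(upper "$krb")" ]
}

# smb.conf must select Kerberos/AD authentication.
check_security_ads() {
    [ "$(ini_value "$1" security)" = "ads" ]
}

# A secrets.tdb left over from an earlier join should be moved aside first.
check_no_stale_secrets() {
    [ ! -e "$1" ]
}

# Each AD user who will access shares needs a matching local account, since
# file-system permissions are applied through it.
check_local_user() {
    id "$1" >/dev/null 2>&1
}

# Run one check, print its result, and count failures in $fails.
run_check() {
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# preflight KRB5_CONF SMB_CONF SECRETS_TDB: returns the number of failed checks.
preflight() {
    fails=0
    run_check "realm in krb5.conf matches realm in smb.conf" check_realm_match "$1" "$2"
    run_check "realm in krb5.conf is upper case"             check_realm_upper "$1"
    run_check "smb.conf sets security = ads"                 check_security_ads "$2"
    run_check "no stale secrets.tdb at $3"                   check_no_stale_secrets "$3"
    return "$fails"
}

# Demonstration on constructed sample files (a consistent pair).
demo=$(mktemp -d)
cat > "$demo/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = SAMBA-TEST.COM
EOF
cat > "$demo/smb.conf" <<'EOF'
[global]
    security = ads
    realm = samba-test.com
EOF
if preflight "$demo/krb5.conf" "$demo/smb.conf" "$demo/secrets.tdb"; then
    echo "configuration consistent; ready for: net ads join -U administrator"
else
    echo "fix the failures above before joining"
fi
rm -rf "$demo"
```

The realm comparison is deliberately case-insensitive for the match check and case-sensitive for the upper-case check: Samba tolerates a lower-case realm in smb.conf, but kinit and the [domain_realm] mappings in krb5.conf do not, so the two problems are reported separately.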

samba_ad.1745561650.txt.gz · Last modified: 2025/04/25 08:14 by huracan
