Debian: Samba 3 Active Directory Member
From ReceptiveIT
This howto is yet another work in progress. I will clean it up one day.
Install Samba
apt-get install samba samba-doc
Configure Samba
# Global parameters
[global]
   workgroup = BIGSERVER
   realm = DOMAIN.LOCAL
   preferred master = no
   server string = Samba file and print server
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   winbind separator = +
   winbind use default domain = yes
   printcap name = cups
   printing = cups
   idmap uid = 10000-20000
   idmap gid = 10000-20000

[homes]
   comment = Home Directories
   valid users = %S
   read only = No
   browseable = No

[printers]
   comment = All Printers
   browseable = no
   printable = yes
   guest ok = yes
Install Kerberos
apt-get install krb5-user krb5-config
Configure Kerberos
# /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5lib.log

[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.LOCAL
# rc4-hmac, des3-hmac-sha1 and des-cbc-crc are legacy enctypes; prefer AES types if the domain controllers support them
default_tkt_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc

[realms]
DOMAIN.LOCAL = {
    kdc = server.domain.local
    admin_server = server.domain.local
    default_domain = DOMAIN.LOCAL
}

# Map the hosts' DNS domain (domain.local, as used everywhere else here) to the realm
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
Install WinBind
apt-get install winbind
Configure WinBind
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns wins
networks:       files dns

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Join Domain
Fix hosts file
192.168.10.5 bigserver.domain.local bigserver
Join Domain
Save your changes and run
$ testparm
This checks smb.conf for syntax errors. Any errors must be corrected before going ahead. Then start up Samba:
# /etc/init.d/samba start
Finally, join your Samba machine to Active Directory:
# net ads join -U Administrator
Administrator's password:
Joined 'SAMBA1' to realm 'DOMAIN.LOCAL.'
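An added example, not part of the original howto: testparm only validates smb.conf, so this shell check, meant to be run before net ads join, compares the realm settings in smb.conf with those in krb5.conf and flags legacy enctypes. The function names (conf_get, check_join, demo) and the sample files are constructed for this example; in the sample, the [domain_realm] entry deliberately does not cover the host's domain.

```shell
#!/bin/sh
# Added example: pre-join consistency check for smb.conf and krb5.conf.
# conf_get, check_join and demo are names invented for this example.

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION].
conf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                                  # comment line
        /^[ \t]*\[.*\]/ { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur); next }
        tolower(cur) == tolower(sec) && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# check_join SMB_CONF KRB5_CONF FQDN: print findings; return 1 on any ERROR.
check_join() {
    rc=0
    realm=$(conf_get "$1" global realm)
    sec=$(conf_get "$1" global security | tr '[:lower:]' '[:upper:]')
    def=$(conf_get "$2" libdefaults default_realm)
    dom=${3#*.}                          # DNS domain part of this host's FQDN
    map=$(conf_get "$2" domain_realm ".$dom")
    [ "$sec" = ADS ] || { echo "ERROR: security = '$sec', expected ADS"; rc=1; }
    # Kerberos realm names are case-sensitive, so compare them exactly.
    [ -n "$realm" ] && [ "$realm" = "$def" ] ||
        { echo "ERROR: smb.conf realm '$realm' != default_realm '$def'"; rc=1; }
    [ -z "$map" ] && echo "WARN: no [domain_realm] entry for .$dom"
    [ -n "$map" ] && [ "$map" != "$realm" ] &&
        { echo "ERROR: .$dom maps to '$map', not '$realm'"; rc=1; }
    case " $(conf_get "$2" libdefaults default_tkt_enctypes) " in
        *" des-cbc-crc "*|*" rc4-hmac "*) echo "WARN: legacy enctypes (DES/RC4) enabled" ;;
    esac
    return $rc
}

# Constructed sample input (not real files); [domain_realm] misses the host's domain.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[global]' 'realm = DOMAIN.LOCAL' 'security = ADS' > "$d/smb.conf"
    printf '%s\n' '[libdefaults]' 'default_realm = DOMAIN.LOCAL' \
        'default_tkt_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc' \
        '[domain_realm]' '.domain.internal = DOMAIN.LOCAL' > "$d/krb5.conf"
    st=0; check_join "$d/smb.conf" "$d/krb5.conf" bigserver.domain.local || st=$?
    rm -rf "$d"; return $st
}

# Real use: check_join /etc/samba/smb.conf /etc/krb5.conf "$(hostname -f)"
if [ $# -eq 3 ]; then check_join "$@"; else demo; fi
```

Run without arguments it checks the constructed sample and prints two warnings; with three arguments it checks the given files and returns non-zero if any ERROR was found.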
Fix PAM
common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

