You are here: Home / Software / Samba and Active Directory

Samba and Active Directory¶

Using a Samba Fileserver authenticating users against an Active Directory Domain Controller

Goal: Using a Linux (Debian 3.1, sarge) as a Fileserver for a Windows Network To do this the Linux machine will access the Windows Domain Controller to get username and passwords. This is done using the winbind daemon. The daemon will also map linux-userids and groups to windows-sids (A windows Account has a unique SID that will differ even if you recreate an account with the same name).

Software¶

Used Software: Debian, Samba 3, Kerberos Kerberos packages:

apt-get install krb5-config krb5-user libkrb53 libpam-krb5

Samba packages:

apt-get install samba-common samba winbind smbclient

Utility packages:

apt-get install ntpdate

List of package version at the time of writing:

krb5-config                1.6
krb5-user                  1.3.6-2sarge2
libkrb53                   1.3.6-2sarge2
libpam-krb5                1.0-12
samba-common               3.0.14a-3
samba                      3.0.14a-3
winbind                    3.0.14a-3
smbclient                  3.0.14a-3

Configuration¶

Kerberos¶

Kerberos Configuration sits in /etc/krb5.conf, we add a default_realm and a server to the realm (write Uppercase Text also in uppercase). File /etc/krb5.conf

[libdefaults]
default_realm = MY.ACTIVE.DIRECTORY
...
[realms]
MY.ACTIVE.DIRECTORY = {
  kdc = dc1.active.directory
  kdc = dc2.active.directory
  kdc = dc3.active.directory
  ...
  admin_server = dc1.active.directory
}
...

Now we can check if we can Authenticate a user against the Active Directory:

debian:~# kinit administrator
  Password for administrator@MY.ACTIVE.DIRECTORY

Winbind¶

winbind is outdated, newer distributions will use sssd

The Winbind Daemon will map users and groups from the Active Directory to Linux. To do this we will tell winbind which ID-Range and which prefix it should use. The mapping is set up on use and stored in a file-database in the samba lock-dir /var/lib/samba/winbindd_idmap.tdb

The Configuration sits in the /etc/samba/smb.conf

[global]
workgroup = ADGROUP
security = ADS
realm = MY.ACTIVE.DIRECTORY
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
auth methods = winbind
...

# the share we will use to test it, make sure path is
# valid and writeable
[testshare]
comment = Test Share using Active Directory
read only = no
path = /data/test
valid users = @"ADGROUP+domain users"

Start the winbind daemon (/etc/init.d/winbind start) and now we can list the users from the Active Directory:

debian:~# wbinfo -u
ADGROUP+administrator
ADGROUP+guest
ADGROUP+chandel
...

Samba¶

Next we will get a kerberos Ticket and join our Server to the active directory:

debian:~# kinit administrator
Password for administrator@MY.ACTIVE.DIRECTORY
debian:~# net ads join
Using short domain name -- ADGROUP
Joined 'DEBIAN' to realm 'MY.ACTIVE.DIRECTORY'

PAM¶

So far so good. We can authenticate using kerberos tickets and Samba knows how to get userids and groups. But we also need to tell the operating system about the userids. This is done using PAM. We tell PAM that samba requires authentication and account from winbind. File /etc/pam.d/samba:

auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so

And we tell the system that it can get information about userdata (id, name, homedir, etc.) not only from /etc/passwd but also from winbind. File /etc/nsswitch.conf:

...
passwd:      compat winbind
group:       compat winbind
shadow:      compat
...

Test it by listing the accounts known to the system:

debian:~# getent passwd
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  bin:x:2:2:bin:/bin:/bin/sh
  ...
  ADGROUP+administrator:x:10001:10000:Administrator:/home/ADGROUP/administrator:/bin/false
  ADGROUP+guest:x:10002:10001:Guest:/home/ADGROUP/guest:/bin/false
  ...

Test¶

Test it using our own server as a linux client. We will get a ticket, and connect to the share using this ticket. Than we place a file there and check in the filesystem who owns the file:

debian:~# kinit administrator
  Password for administrator@MY.ACTIVE.DIRECTORY
debian:~# touch hello_world.txt
debian:~# smbclient //fileservername/testshare -k
  OS=[Unix] Server=[Samba 3.0.14a-Debian]
  smb: \> put hello_world.txt
  putting file hello_world.txt as \hello_world.txt (0.0 kb/s) (average nan kb/s)
  smb: \> quit
debian:~# ls -l /data/testshare/hello_world.txt
  -rwxr--r--  1 ADGROUP+administrator ADGROUP+domain users 0 2005-07-22 13:37 /data/test/hello_world.txt
  debian:~#

Hints¶

Kerberos relies on synchronized time between client (linux box) and Server (Domain Controller). Keep your machines in sync using ntpd or ntpdate