Samba with AD authentication on Solaris 8

From Brandonhutchinson.com

(Difference between revisions)
Jump to: navigation, search
m (Install OpenLDAP)
Current revision (15:24, 18 August 2008) (edit) (undo)
(OpenLDAP Installation)
 
(36 intermediate revisions not shown.)
Line 1: Line 1:
-
The SunFreeware Samba package is not compiled with AD support.
+
In the following procedure, Samba is built and configured with Active Directory Server (ADS) support on a Solaris 8 Sparc system. The Samba server is an LDAP client, and AD users are mapped to UNIX users using LDAP.
 +
 
 +
The procedure assumes the following:
 +
 
 +
* Active Directory domain and Kerberos realm of ''DOMAIN.EXAMPLE.COM''.
 +
* Key Distribution Center (KDC) and Primary Domain Controller (PDC) of ''PDC.DOMAIN.EXAMPLE.COM''.
 +
 
 +
Note: The SunFreeware Samba package is not compiled with AD support, so Samba will be built from source.
$ pkginfo -l SMCsamba
$ pkginfo -l SMCsamba
PKGINST: SMCsamba
PKGINST: SMCsamba
Line 8: Line 15:
...
...
-
$ /usr/local/samba/sbin/smbd -b | egrep 'ADS|LDAP|KRB|WINBIND'
+
$ /usr/local/samba/sbin/smbd -b | egrep 'ADS|LDAP|KRB'
-
$ tar xvf krb5-1.6.2-signed.tar
+
$
-
* [http://mailman.mit.edu/pipermail/krbdev/2006-September/004952.html Verify the signed tarball]
+
-
$ gpg --verify krb5-1.6.2.tar.gz.asc
+
== Kerberos Installation and Configuration ==
 +
 
 +
=== Install Kerberos ===
 +
 
 +
Download and install [http://web.mit.edu/kerberos/ Kerberos].
 +
 
 +
$ '''tar xvf krb5-1.6.2-signed.tar'''
 +
 
 +
[http://mailman.mit.edu/pipermail/krbdev/2006-September/004952.html Verify the signed tarball].
 +
$ '''gpg --verify krb5-1.6.2.tar.gz.asc'''
gpg: Signature made Tue 10 Jul 2007 02:20:59 PM CDT using RSA key ID F376813D
gpg: Signature made Tue 10 Jul 2007 02:20:59 PM CDT using RSA key ID F376813D
gpg: Can't check signature: public key not found
gpg: Can't check signature: public key not found
-
$ gpg --keyserver pgp.mit.edu --recv-keys F376813D
+
$ '''gpg --keyserver pgp.mit.edu --recv-keys F376813D'''
gpg: requesting key F376813D from hkp server pgp.mit.edu
gpg: requesting key F376813D from hkp server pgp.mit.edu
gpg: key F376813D: duplicated user ID detected - merged
gpg: key F376813D: duplicated user ID detected - merged
Line 23: Line 38:
gpg: Total number processed: 1
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: imported: 1 (RSA: 1)
-
 
+
-
$ gpg --verify krb5-1.6.2.tar.gz.asc
+
$ '''gpg --verify krb5-1.6.2.tar.gz.asc'''
gpg: Signature made Tue 10 Jul 2007 02:20:59 PM CDT using RSA key ID F376813D
gpg: Signature made Tue 10 Jul 2007 02:20:59 PM CDT using RSA key ID F376813D
gpg: Good signature from "Tom Yu <tlyu@MIT.EDU>"
gpg: Good signature from "Tom Yu <tlyu@MIT.EDU>"
Line 31: Line 46:
Primary key fingerprint: 52 E0 3E E9 38 AE 70 58 3F 21 5C C8 5C C4 55 24
Primary key fingerprint: 52 E0 3E E9 38 AE 70 58 3F 21 5C C8 5C C4 55 24
-
== Install Kerberos ==
+
$ '''gzip -cd krb5-1.6.2.tar.gz | tar xvf -'''
 +
$ '''cd krb5-1.6.2/src'''
 +
$ '''PATH=$PATH:/usr/local/bin ./configure'''
 +
$ '''make'''
 +
# '''make install'''
-
Download and install [http://web.mit.edu/kerberos/ Kerberos]
+
=== Configure Kerberos ===
-
$ gzip -cd krb5-1.6.2.tar.gz | tar xvf -
+
Example ''/usr/local/etc/krb5.conf'':
-
$ cd krb5-1.6.2/src
+
[libdefaults]
-
$ PATH=$PATH:/usr/local/bin ./configure
+
# To prevent encryption type mismatches, limit the Kerberos client
-
$ make
+
# libraries to the list supported by Microsoft
-
$ sudo make install
+
default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
 +
default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
 +
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
 +
 +
# Default realm to append to unqualified principal names
 +
default_realm = DOMAIN.EXAMPLE.COM
 +
 +
# Use DNS to locate KDCs
 +
# This requires:
 +
# 1. /etc/resolv.conf contains nameservers used by AD clients
 +
# and servers
 +
# 2. The /etc/resolv.conf "search" list contains the name of the
 +
# AD domain
 +
dns_lookup_kdc = true
 +
 +
# Example of manually configuring KDC lookups
 +
#[realms]
 +
# DOMAIN.EXAMPLE.COM = {
 +
# kdc = pdc.domain.example.com
 +
# }
-
== Install OpenLDAP ==
+
== OpenLDAP Installation ==
-
Download and install [http://www.openldap.org/ OpenLDAP]
+
The OpenLDAP client libraries are needed for Active Directory support in Samba.
 +
 
 +
Download and install [http://www.openldap.org/ OpenLDAP].
$ '''gzip -cd openldap-2.3.38.tgz | tar xvf -'''
$ '''gzip -cd openldap-2.3.38.tgz | tar xvf -'''
Line 59: Line 99:
$ '''make depend'''
$ '''make depend'''
$ '''make'''
$ '''make'''
-
$ '''sudo make install'''
+
# '''make install'''
-
== Install Samba ==
+
== Samba Installation and Configuration ==
-
Download and install [http://us1.samba.org/samba/ Samba]
+
=== Install Samba ===
 +
 
 +
Download and install [http://us1.samba.org/samba/ Samba].
$ '''gzip -cd samba-3.0.26a.tar.gz | tar xvf -'''
$ '''gzip -cd samba-3.0.26a.tar.gz | tar xvf -'''
$ '''cd samba-3.0.26a/source'''
$ '''cd samba-3.0.26a/source'''
$ '''PATH=$PATH:/usr/local/bin ./configure --with-ldap --with-ads --with-krb5=/usr/local --with-winbind'''
$ '''PATH=$PATH:/usr/local/bin ./configure --with-ldap --with-ads --with-krb5=/usr/local --with-winbind'''
-
$ '''sudo make install'''
+
# '''make install'''
 +
 
 +
=== Configure Samba ===
 +
 
 +
* Create the Samba configuration file (e.g., ''/usr/local/samba/lib/smb.conf'').
 +
 
 +
[global]
 +
# Kerberos, LDAP, and Active Directory support must be built into
 +
# Samba to use "security = ads"
 +
security = ads
 +
 +
# Required for member servers of a domain, "yes" by default
 +
encrypt passwords = yes
 +
 +
# In Active Directory domains, the Kerberos realm is the same
 +
# as the domain's DNS name in uppercase
 +
realm = DOMAIN.EXAMPLE.COM
 +
 +
# Domain to which the server belongs
 +
workgroup = DOMAIN
 +
 +
# Disable NetBIOS; use DNS for name service and TCP/UDP for transport
 +
smb ports = 445
 +
disable netbios = yes
 +
name resolve order = hosts
 +
 +
# Log to /var/log/samba.log instead of /usr/local/samba/var/log.smbd
 +
log file = /var/log/samba.log
 +
 
 +
* Create the Samba startup/shutdown script.
 +
 
 +
e.g., ''/etc/init.d/samba'':
 +
 
 +
#!/bin/sh
 +
 +
SMBDIR=/usr/local/samba
 +
 +
case "$1" in
 +
'start')
 +
$SMBDIR/sbin/smbd -D
 +
;;
 +
'stop')
 +
$SMBDIR/bin/smbcontrol smbd shutdown
 +
;;
 +
*)
 +
echo "Usage: $0 { start | stop }"
 +
;;
 +
esac
 +
 
 +
# '''chmod 555 /etc/init.d/samba'''
 +
# '''chown root:root /etc/init.d/samba'''
 +
# '''ln -s /etc/init.d/samba /etc/rc3.d/S35samba
 +
# '''for i in 0 1 2 ; do ln -s /etc/init.d/samba /etc/rc$i.d/K35samba ; done'''
 +
 
 +
== Active Directory Server (ADS) Integration ==
 +
 
 +
* Synchronize the Samba server's time with the Windows AD PDC.
 +
# '''ntpdate -u pdc.domain.example.com'''
 +
 
 +
* Add the Samba server's hostname with a suffix of the Kerberos realm as a system alias in ''/etc/hosts''.
 +
Before:
 +
192.168.1.100 samba loghost
 +
After:
 +
192.168.1.100 samba samba.domain.example.com loghosts
 +
 
 +
* Join the Samba server to the AD domain.
 +
# '''/usr/local/samba/bin/net join -U Administrator'''
 +
Using short domain name -- DOMAIN
 +
Joined 'MHAPDCMCL001' to realm 'DOMAIN.EXAMPLE.COM'
 +
 
 +
* Confirm that the Samba server is joined to the AD domain.
 +
# '''/usr/local/samba/bin/net ads testjoin'''
 +
Join is OK
 +
 
 +
== Start Samba ==
 +
 
 +
# '''/etc/init.d/samba start'''
 +
 
 +
== Links ==
 +
* [http://www.occam.com/tools/ad_auth.html Procedures for Enabling Active Directory Authentication on UNIX]

Current revision

In the following procedure, Samba is built and configured with Active Directory Server (ADS) support on a Solaris 8 Sparc system. The Samba server is an LDAP client, and AD users are mapped to UNIX users using LDAP.

The procedure assumes the following:

  • Active Directory domain and Kerberos realm of DOMAIN.EXAMPLE.COM.
  • Key Distribution Center (KDC) and Primary Domain Controller (PDC) of PDC.DOMAIN.EXAMPLE.COM.

Note: The SunFreeware Samba package is not compiled with AD support, so Samba will be built from source. 

$ pkginfo -l SMCsamba
  PKGINST:  SMCsamba
     NAME:  samba
 CATEGORY:  application
     ARCH:  sparc
  VERSION:  3.0.25a
...

$ /usr/local/samba/sbin/smbd -b | egrep 'ADS|LDAP|KRB'
$

Contents

Kerberos Installation and Configuration

Install Kerberos

Download and install Kerberos. 

$ tar xvf krb5-1.6.2-signed.tar

Verify the signed tarball. 

$ gpg --verify krb5-1.6.2.tar.gz.asc 
gpg: Signature made Tue 10 Jul 2007 02:20:59 PM CDT using RSA key ID F376813D
gpg: Can't check signature: public key not found

$ gpg --keyserver pgp.mit.edu --recv-keys F376813D
gpg: requesting key F376813D from hkp server pgp.mit.edu
gpg: key F376813D: duplicated user ID detected - merged
gpg: key F376813D: public key "Tom Yu <tlyu@MIT.EDU>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$ gpg --verify krb5-1.6.2.tar.gz.asc
gpg: Signature made Tue 10 Jul 2007 02:20:59 PM CDT using RSA key ID F376813D
gpg: Good signature from "Tom Yu <tlyu@MIT.EDU>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 52 E0 3E E9 38 AE 70 58  3F 21 5C C8 5C C4 55 24

$ gzip -cd krb5-1.6.2.tar.gz | tar xvf -
$ cd krb5-1.6.2/src
$ PATH=$PATH:/usr/local/bin ./configure
$ make
# make install

Configure Kerberos

Example /usr/local/etc/krb5.conf: 

[libdefaults]
       # To prevent encryption type mismatches, limit the Kerberos client
       # libraries to the list supported by Microsoft
       default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
       default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
       preferred_enctypes   = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC

       # Default realm to append to unqualified principal names
       default_realm = DOMAIN.EXAMPLE.COM

       # Use DNS to locate KDCs
       # This requires:
       # 1. /etc/resolv.conf contains nameservers used by AD clients
       # and servers
       # 2. The /etc/resolv.conf "search" list contains the name of the
       # AD domain
       dns_lookup_kdc = true

# Example of manually configuring KDC lookups
#[realms]
#       DOMAIN.EXAMPLE.COM = {
#               kdc = pdc.domain.example.com
#       }

OpenLDAP Installation

The OpenLDAP client libraries are needed for Active Directory support in Samba.

Download and install OpenLDAP. 

$ gzip -cd openldap-2.3.38.tgz | tar xvf -
$ cd openldap-2.3.38
$ PATH=$PATH:/usr/local/bin ./configure --disable-bdb --enable-null --without-tls
...
checking db.h usability... no
checking db.h presence... no
checking for db.h... no
configure: error: BDB/HDB: BerkeleyDB not available

GNU autoconf (i.e., configure) checks for BerkeleyDB even with the --disable-bdb option. As a workaround, use the --disable-backends option. 

$ PATH=$PATH:/usr/local/bin ./configure --disable-backends --enable-null --without-tls
$ make depend
$ make
# make install

Samba Installation and Configuration

Install Samba

Download and install Samba. 

$ gzip -cd samba-3.0.26a.tar.gz | tar xvf -
$ cd samba-3.0.26a/source
$ PATH=$PATH:/usr/local/bin ./configure --with-ldap --with-ads --with-krb5=/usr/local --with-winbind
# make install

Configure Samba

  • Create the Samba configuration file (e.g., /usr/local/samba/lib/smb.conf). 
[global]
       # Kerberos, LDAP, and Active Directory support must be built into
       # Samba to use "security = ads"
       security = ads

       # Required for member servers of a domain, "yes" by default
       encrypt passwords = yes

       # In Active Directory domains, the Kerberos realm is the same
       # as the domain's DNS name in uppercase
       realm = DOMAIN.EXAMPLE.COM

       # Domain to which the server belongs
       workgroup = DOMAIN

       # Disable NetBIOS; use DNS for name service and TCP/UDP for transport
       smb ports = 445
       disable netbios = yes
       name resolve order = hosts

       # Log to /var/log/samba.log instead of /usr/local/samba/var/log.smbd
       log file = /var/log/samba.log
  • Create the Samba startup/shutdown script.

e.g., /etc/init.d/samba: 

#!/bin/sh

SMBDIR=/usr/local/samba

case "$1" in
'start')
        $SMBDIR/sbin/smbd -D
        ;;
'stop')
        $SMBDIR/bin/smbcontrol smbd shutdown
        ;;
*)
        echo "Usage: $0 { start | stop }"
        ;;
esac

# chmod 555 /etc/init.d/samba
# chown root:root /etc/init.d/samba
# ln -s /etc/init.d/samba /etc/rc3.d/S35samba
# for i in 0 1 2 ; do ln -s /etc/init.d/samba /etc/rc$i.d/K35samba ; done

Active Directory Server (ADS) Integration

  • Synchronize the Samba server's time with the Windows AD PDC. 
# ntpdate -u pdc.domain.example.com
  • Add the Samba server's hostname with a suffix of the Kerberos realm as a system alias in /etc/hosts.

Before: 

192.168.1.100 samba loghost

After: 

192.168.1.100 samba samba.domain.example.com loghosts
  • Join the Samba server to the AD domain. 
# /usr/local/samba/bin/net join -U Administrator
Using short domain name -- DOMAIN
Joined 'MHAPDCMCL001' to realm 'DOMAIN.EXAMPLE.COM'
  • Confirm that the Samba server is joined to the AD domain. 
# /usr/local/samba/bin/net ads testjoin
Join is OK

Start Samba 

# /etc/init.d/samba start

Links

Retrieved from "http://brandonhutchinson.com/wiki/Samba_with_AD_authentication_on_Solaris_8"
Personal tools