Samba with AD authentication on Solaris 8
From Brandonhutchinson.com
In the following procedure, Samba is built and configured with Active Directory Server (ADS) support on a Solaris 8 Sparc system. The Samba server is an LDAP client, and AD users are mapped to UNIX users using LDAP.
The procedure assumes the following:
- Active Directory domain and Kerberos realm of DOMAIN.EXAMPLE.COM.
- Key Distribution Center (KDC) and Primary Domain Controller (PDC) of PDC.DOMAIN.EXAMPLE.COM.
Note: The SunFreeware Samba package is not compiled with AD support, so Samba will be built from source.
$ pkginfo -l SMCsamba
PKGINST: SMCsamba
NAME: samba
CATEGORY: application
ARCH: sparc
VERSION: 3.0.25a
...
$ /usr/local/samba/sbin/smbd -b | egrep 'ADS|LDAP|KRB'
$
Kerberos Installation and Configuration
Install Kerberos
Download and install Kerberos.
$ tar xvf krb5-1.6.2-signed.tar
$ gpg --verify krb5-1.6.2.tar.gz.asc
gpg: Signature made Tue 10 Jul 2007 02:20:59 PM CDT using RSA key ID F376813D
gpg: Can't check signature: public key not found
$ gpg --keyserver pgp.mit.edu --recv-keys F376813D
gpg: requesting key F376813D from hkp server pgp.mit.edu
gpg: key F376813D: duplicated user ID detected - merged
gpg: key F376813D: public key "Tom Yu <tlyu@MIT.EDU>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
$ gpg --verify krb5-1.6.2.tar.gz.asc
gpg: Signature made Tue 10 Jul 2007 02:20:59 PM CDT using RSA key ID F376813D
gpg: Good signature from "Tom Yu <tlyu@MIT.EDU>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 52 E0 3E E9 38 AE 70 58 3F 21 5C C8 5C C4 55 24
$ gzip -cd krb5-1.6.2.tar.gz | tar xvf -
$ cd krb5-1.6.2/src
$ PATH=$PATH:/usr/local/bin ./configure
$ make
# make install
Configure Kerberos
Example /usr/local/etc/krb5.conf:
[libdefaults]
# To prevent encryption type mismatches, limit the Kerberos client
# libraries to the list supported by Microsoft
default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
# Default realm to append to unqualified principal names
default_realm = DOMAIN.EXAMPLE.COM
# Use DNS to locate KDCs
# This requires:
# 1. /etc/resolv.conf contains nameservers used by AD clients
# and servers
# 2. The /etc/resolv.conf "search" list contains the name of the
# AD domain
dns_lookup_kdc = true
# Example of manually configuring KDC lookups
#[realms]
# DOMAIN.EXAMPLE.COM = {
# kdc = pdc.domain.example.com
# }
OpenLDAP Installation
The OpenLDAP client libraries are needed for Active Directory support in Samba.
Download and install OpenLDAP.
$ gzip -cd openldap-2.3.38.tgz | tar xvf -
$ cd openldap-2.3.38
$ PATH=$PATH:/usr/local/bin ./configure --disable-bdb --enable-null --without-tls
...
checking db.h usability... no
checking db.h presence... no
checking for db.h... no
configure: error: BDB/HDB: BerkeleyDB not available
The configure script (generated by GNU autoconf) still checks for BerkeleyDB even with --disable-bdb, because the hdb backend, which also needs BerkeleyDB, remains enabled by default. As a workaround, use the --disable-backends option.
$ PATH=$PATH:/usr/local/bin ./configure --disable-backends --enable-null --without-tls
$ make depend
$ make
# make install
Samba Installation and Configuration
Install Samba
Download and install Samba.
$ gzip -cd samba-3.0.26a.tar.gz | tar xvf -
$ cd samba-3.0.26a/source
$ PATH=$PATH:/usr/local/bin ./configure --with-ldap --with-ads --with-krb5=/usr/local --with-winbind
# make install
Configure Samba
- Create the Samba configuration file (e.g., /usr/local/samba/lib/smb.conf).
[global]
# Kerberos, LDAP, and Active Directory support must be built into
# Samba to use "security = ads"
security = ads
# Required for member servers of a domain, "yes" by default
encrypt passwords = yes
# In Active Directory domains, the Kerberos realm is the same
# as the domain's DNS name in uppercase
realm = DOMAIN.EXAMPLE.COM
# Domain to which the server belongs
workgroup = DOMAIN
# Disable NetBIOS; use DNS for name service and TCP/UDP for transport
smb ports = 445
disable netbios = yes
name resolve order = hosts
# Log to /var/log/samba.log instead of /usr/local/samba/var/log.smbd
log file = /var/log/samba.log
- Create the Samba startup/shutdown script.
e.g., /etc/init.d/samba:
#!/bin/sh
# Start or stop the Samba smbd daemon
SMBDIR=/usr/local/samba

case "$1" in
'start')
    # -D: run smbd as a daemon
    $SMBDIR/sbin/smbd -D
    ;;
'stop')
    # Ask the running smbd to shut down cleanly
    $SMBDIR/bin/smbcontrol smbd shutdown
    ;;
*)
    echo "Usage: $0 { start | stop }"
    ;;
esac
# chmod 555 /etc/init.d/samba
# chown root:root /etc/init.d/samba
# ln -s /etc/init.d/samba /etc/rc3.d/S35samba
# for i in 0 1 2 ; do ln -s /etc/init.d/samba /etc/rc$i.d/K35samba ; done
Active Directory Server (ADS) Integration
- Synchronize the Samba server's time with the Windows AD PDC.
# ntpdate -u pdc.domain.example.com
- Add the Samba server's fully qualified name (its hostname followed by the Kerberos realm, in lowercase) as an alias in /etc/hosts.
Before:
192.168.1.100 samba loghost
After:
192.168.1.100 samba samba.domain.example.com loghost
- Join the Samba server to the AD domain.
# /usr/local/samba/bin/net join -U Administrator
Using short domain name -- DOMAIN
Joined 'MHAPDCMCL001' to realm 'DOMAIN.EXAMPLE.COM'
- Confirm that the Samba server is joined to the AD domain.
# /usr/local/samba/bin/net ads testjoin
Join is OK
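A pre-join sanity check, added here as an example and not part of the original page, that tests the prerequisites the steps above rely on: the FQDN alias in /etc/hosts, agreement between the smb.conf realm and the krb5.conf default_realm, and ADS/LDAP/Kerberos support in the smbd build (the page's smbd -b check). The function names and the sample files it runs against are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: pre-join sanity checks for the
# steps above. Function names and sample files are constructed; on a real host
# point them at /etc/hosts, /usr/local/samba/lib/smb.conf,
# /usr/local/etc/krb5.conf and the saved output of "smbd -b".

# Is <host>.<realm> (lowercased) a name on an uncommented line of <hosts-file>?
hosts_has_fqdn() {
    fqdn=$(printf '%s.%s' "$2" "$3" | tr 'A-Z' 'a-z')
    sed 's/#.*//' "$1" | awk -v f="$fqdn" \
        '{ for (i = 2; i <= NF; i++) if ($i == f) found = 1 } END { exit !found }'
}

# Print the value of <key> from a "key = value" file, ignoring comments and whitespace.
conf_value() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# smb.conf "realm" must equal krb5.conf "default_realm": <smb.conf> <krb5.conf>
realms_match() {
    r=$(conf_value "$1" realm)
    [ -n "$r" ] && [ "$r" = "$(conf_value "$2" default_realm)" ]
}

# Saved "smbd -b" output must mention ADS, LDAP and KRB, or security = ads cannot work.
build_has_ads() {
    grep -q ADS "$1" && grep -q LDAP "$1" && grep -q KRB "$1"
}

# Constructed sample inputs mirroring the page's before/after files.
TMP=${TMPDIR:-/tmp}/adsjoin.$$; mkdir -p "$TMP"; trap 'rm -rf "$TMP"' EXIT
printf '192.168.1.100 samba loghost\n' > "$TMP/hosts.before"
printf '# hosts\n192.168.1.100 samba samba.domain.example.com loghost\n' > "$TMP/hosts.after"
printf '[global]\n   security = ads\n   realm = DOMAIN.EXAMPLE.COM\n' > "$TMP/smb.conf"
printf '[libdefaults]\n default_realm = DOMAIN.EXAMPLE.COM\n' > "$TMP/krb5.conf"
printf 'Build environment:\n   WITH_ADS\n   HAVE_LDAP\n   HAVE_KRB5\n' > "$TMP/smbd-b.ok"
: > "$TMP/smbd-b.sunfreeware"   # empty, like the page's egrep result

# Run all checks, printing PASS/FAIL per item; non-zero return if anything failed.
run_checks() {   # <hosts-file> <smb.conf> <krb5.conf> <smbd -b output>
    rc=0
    hosts_has_fqdn "$1" samba DOMAIN.EXAMPLE.COM && echo "PASS hosts alias" || { echo "FAIL hosts alias"; rc=1; }
    realms_match "$2" "$3" && echo "PASS realm" || { echo "FAIL realm"; rc=1; }
    build_has_ads "$4" && echo "PASS smbd build" || { echo "FAIL smbd build"; rc=1; }
    return $rc
}
run_checks "$TMP/hosts.after" "$TMP/smb.conf" "$TMP/krb5.conf" "$TMP/smbd-b.ok"
```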
Start Samba
# /etc/init.d/samba start
