Samba with AD authentication on Solaris 8

From Brandonhutchinson.com

Revision as of 15:33, 24 September 2007 by Hutch (Talk | contribs)
Jump to: navigation, search

In the following procedure, Samba is built and configured with Active Directory Server (ADS) support on a Solaris 8 Sparc system. The Samba server is an LDAP client, and AD users are mapped to UNIX users using LDAP.

The procedure assumes the following:

  • Active Directory and Kerberos domain of DOMAIN.EXAMPLE.COM
  • Key Distribution Center (KDC) and Primary Domain Controller (PDC) of PDC.DOMAIN.EXAMPLE.COM

Note: The SunFreeware Samba package is not compiled with AD support, so Samba will be built from source.

$ pkginfo -l SMCsamba
  PKGINST:  SMCsamba
     NAME:  samba
 CATEGORY:  application
     ARCH:  sparc
  VERSION:  3.0.25a
...

$ /usr/local/samba/sbin/smbd -b | egrep 'ADS|LDAP|KRB'
$

Contents

Kerberos Installation and Configuration

Install Kerberos

Download and install Kerberos.

$ tar xvf krb5-1.6.2-signed.tar

Verify the signed tarball.

$ gpg --verify krb5-1.6.2.tar.gz.asc 
gpg: Signature made Tue 10 Jul 2007 02:20:59 PM CDT using RSA key ID F376813D
gpg: Can't check signature: public key not found

$ gpg --keyserver pgp.mit.edu --recv-keys F376813D
gpg: requesting key F376813D from hkp server pgp.mit.edu
gpg: key F376813D: duplicated user ID detected - merged
gpg: key F376813D: public key "Tom Yu <tlyu@MIT.EDU>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$ gpg --verify krb5-1.6.2.tar.gz.asc
gpg: Signature made Tue 10 Jul 2007 02:20:59 PM CDT using RSA key ID F376813D
gpg: Good signature from "Tom Yu <tlyu@MIT.EDU>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 52 E0 3E E9 38 AE 70 58  3F 21 5C C8 5C C4 55 24
$ gzip -cd krb5-1.6.2.tar.gz | tar xvf -
$ cd krb5-1.6.2/src
$ PATH=$PATH:/usr/local/bin ./configure
$ make
# make install

Configure Kerberos

Example /usr/local/etc/krb5.conf:

[libdefaults]
       # To prevent encryption type mismatches, limit the Kerberos client
       # libraries to the list supported by Microsoft
       default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
       default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
       preferred_enctypes   = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC

       # Default realm to append to unqualified principal names
       default_realm = DOMAIN.EXAMPLE.COM

       # Use DNS to locate KDCs
       # This requires:
       # 1. /etc/resolv.conf contains nameservers used by AD clients
       # and servers
       # 2. The /etc/resolv.conf "search" list contains the name of the
       # AD domain
       dns_lookup_kdc = true

# Example of manually configuring KDC lookups
#[realms]
#       DOMAIN.EXAMPLE.COM = {
#               kdc = pdc.domain.example.com
#       }

OpenLDAP Installation

Download and install OpenLDAP.

$ gzip -cd openldap-2.3.38.tgz | tar xvf -
$ cd openldap-2.3.38
$ PATH=$PATH:/usr/local/bin ./configure --disable-bdb --enable-null --without-tls
...
checking db.h usability... no
checking db.h presence... no
checking for db.h... no
configure: error: BDB/HDB: BerkeleyDB not available

GNU autoconf (i.e., configure) checks for BerkeleyDB even with the --disable-bdb option. As a workaround, use the --disable-backends option.

$ PATH=$PATH:/usr/local/bin ./configure --disable-backends --enable-null --without-tls
$ make depend
$ make
# make install

Samba Installation and Configuration

Install Samba

Download and install Samba.

$ gzip -cd samba-3.0.26a.tar.gz | tar xvf -
$ cd samba-3.0.26a/source
$ PATH=$PATH:/usr/local/bin ./configure --with-ldap --with-ads --with-krb5=/usr/local --with-winbind
# make install

Configure Samba

  • Create the Samba configuration file (e.g., /usr/local/samba/lib/smb.conf).
[global]
       # Kerberos, LDAP, and Active Directory support must be built into
       # Samba to use "security = ads"
       security = ads

       # Required for member servers of a domain, "yes" by default
       encrypt passwords = yes

       # In Active Directory domains, the Kerberos realm is the same
       # as the domain's DNS name in uppercase
       realm = DOMAIN.EXAMPLE.COM

       # Domain to which the server belongs
       workgroup = DOMAIN

       # Disable NetBIOS; use DNS for name service and TCP/UDP for transport
       smb ports = 445
       disable netbios = yes
       name resolve order = hosts

       # Log to /var/log/samba.log instead of /usr/local/samba/var/log.smbd
       log file = /var/log/samba.log
  • Create the Samba startup/shutdown script.

e.g., /etc/init.d/samba:

#!/bin/sh

SMBDIR=/usr/local/samba

case "$1" in
'start')
        $SMBDIR/sbin/smbd -D
        ;;
'stop')
        $SMBDIR/bin/smbcontrol smbd shutdown
        ;;
*)
        echo "Usage: $0 { start | stop }"
        ;;
esac
# chmod 555 /etc/init.d/samba
# chown root:root /etc/init.d/samba
# ln -s /etc/init.d/samba /etc/rc3.d/S35samba
# for i in 0 1 2 5 6 ; do ln -s /etc/init.d/samba /etc/rc$i.d/K35samba ; done

Active Directory Server (ADS) Integration

  • Synchronize the Samba server's time with the Windows AD PDC.
# ntpdate -u pdc.domain.example.com
  • Add the Samba server's hostname with a suffix of the Kerberos realm as a system alias in /etc/hosts.

Before:

192.168.1.100 samba loghost

After:

192.168.1.100 samba samba.domain.example.com loghosts
  • Join the Samba server to the AD domain.
# /usr/local/samba/bin/net join -U Administrator
  • Confirm that the Samba server is joined to the AD domain.
# /usr/local/samba/bin/net ads testjoin
Join is OK

Start Samba

# /etc/init.d/samba start
Personal tools