Install the necessary packages:
aptitude install samba smbclient winbind krb5-user krb5-doc krb5-config ntp
Edit /etc/resolv.conf to point to the AD DNS:
search some.edu
nameserver 192.168.1.11
Test forward and reverse lookups, resolve any problems before moving on.
Edit /etc/ntp.conf:
server ad.some.edu
# comment out the other default time servers
If your time is way off, you can stop the ntp service, use ntpdate to set the clock, then restart ntp.
If you are running a Xen virtual machine, you will need to do the following to free the guest's system clock from the dom0 clock. In my install, the guest clock was fixed incorrectly to the host clock, being off by about 7 minutes without a way to reconcile the two. This will work for the guest:
Edit /etc/sysctl.conf and add the line:
xen.independent_wallclock=1
Edit the guest configuration file on the dom0 by adding the line:
extra="clocksource=jiffies"
Back to the Samba configuration. Edit smb.conf to look similar to this:
[global]
   unix charset = LOCALE
   workgroup = SOME
   realm = SOME.EDU
   netbios name = mysuperawesomesambaserver
   server string = My File Server
   allow trusted domains = No
   security = ADS
   username map = /etc/samba/smbusers
   log level = 1
   syslog = 0
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = CUPS
   ldap ssl = no
   idmap backend = rid:SOME=500-100000000
   idmap uid = 500-100000000
   idmap gid = 500-100000000
   winbind use default domain = Yes
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nested groups = Yes
   template shell = /bin/bash
   printing = cups
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE

[My Share]
   comment = Work files
   path = /shares/myshare
   valid users = @"SOME\some_group"
   read only = No
   browseable = Yes

[printers]
   comment = SMB Print Spool
   path = /var/spool/samba
   guest ok = Yes
   printable = Yes
   browseable = Yes

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/drivers
   admin users = root, Administrator
   write list = root
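testparm (used further down) only checks that smb.conf parses; it says nothing about whether the member-server settings are what you intended. The script below is an added example, not from the original post and not a Samba tool: with POSIX sh and awk it reads an smb.conf-style file and flags the points that matter once security = ADS is in play: security must be ADS, the realm, workgroup and idmap ranges must be set, and no file share may be guest-accessible or lack a valid users restriction (a share without one is open to every authenticated domain user). The embedded sample configuration is constructed for this example; its section names follow the smb.conf above, plus a deliberately open [scratch] share so the check has something to report.

```shell
#!/bin/sh
# smb_lint.sh: added example, not from the original post or from Samba.
# Reads an smb.conf-style file and checks the settings that matter for an AD
# member server: security = ADS, realm/workgroup/idmap ranges present, and no
# file share that is guest-accessible or lacks a 'valid users' restriction.
# Needs only POSIX sh, awk, tr, wc and mktemp.

# smb_get SECTION KEY FILE: print the value of KEY in [SECTION], or nothing.
# Section and parameter names are matched case-insensitively, as smbd does.
smb_get() {
  awk -v sec="$1" -v key="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                    # comment line
    /^[ \t]*\[/ {                             # [section] header
      cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur)
      cur = tolower(trim(cur)); next
    }
    index($0, "=") && cur == tolower(sec) {
      k = $0; sub(/=.*/, "", k)               # text before the first "="
      if (tolower(trim(k)) == tolower(key)) {
        v = $0; sub(/^[^=]*=/, "", v); print trim(v); exit
      }
    }' "$3"
}

# smb_shares FILE: print every section name except global, one per line.
smb_shares() {
  awk '/^[ \t]*\[/ {
    s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
    if (tolower(s) != "global") print s
  }' "$1"
}

# lower STRING: lower-case helper for comparing yes/no style values.
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# smb_lint FILE: print one FAIL/WARN line per finding; prints nothing when clean.
smb_lint() {
  file=$1
  sec=$(lower "$(smb_get global security "$file")")
  [ "$sec" = "ads" ] || echo "FAIL [global]: security = '${sec:-unset}', expected ADS for a domain member"
  for k in realm workgroup "idmap uid" "idmap gid"; do
    [ -n "$(smb_get global "$k" "$file")" ] || echo "FAIL [global]: '$k' is not set"
  done
  # Feed the share list through a here-document so the loop runs in this shell
  # and share names containing spaces (e.g. [My Share]) survive intact.
  while IFS= read -r share; do
    [ -n "$share" ] || continue
    printable=$(lower "$(smb_get "$share" printable "$file")")
    case "$printable" in yes|true|1) continue ;; esac   # printer queues are expected to be guest ok
    guest=$(lower "$(smb_get "$share" "guest ok" "$file")")
    case "$guest" in
      yes|true|1) echo "FAIL [$share]: guest ok = Yes on a file share" ;;
      *) [ -n "$(smb_get "$share" "valid users" "$file")" ] ||
           echo "WARN [$share]: no 'valid users' restriction; any authenticated domain user can connect" ;;
    esac
  done <<EOF
$(smb_shares "$file")
EOF
  return 0
}

# smb_lint_count FILE: number of findings, for use in scripts (0 = clean).
smb_lint_count() { smb_lint "$1" | wc -l | tr -d ' '; }

# Constructed sample smb.conf for this example. Section names follow the post;
# [scratch] is deliberately weak so the lint has something to flag.
SAMPLE_SMB_CONF='[global]
   workgroup = SOME
   realm = SOME.EDU
   security = ADS
   idmap backend = rid:SOME=500-100000000
   idmap uid = 500-100000000
   idmap gid = 500-100000000

[My Share]
   path = /shares/myshare
   valid users = @"SOME\some_group"
   read only = No

[printers]
   path = /var/spool/samba
   guest ok = Yes
   printable = Yes

[print$]
   path = /var/lib/samba/drivers
   write list = root

[scratch]
   path = /shares/scratch
   guest ok = Yes
   read only = No'

# write_sample_conf: write the sample to a temporary file and print its path.
write_sample_conf() {
  f=$(mktemp) || return 1
  printf '%s\n' "$SAMPLE_SMB_CONF" > "$f"
  printf '%s\n' "$f"
}

# Demonstration on the constructed sample: expect a FAIL for [scratch]
# and a WARN for [print$].
conf=$(write_sample_conf)
smb_lint "$conf"
rm -f "$conf"
```

Against a real server, source the file and run smb_lint /etc/samba/smb.conf after testparm passes; a non-zero smb_lint_count is a reasonable gate in a deployment script. The WARN on [print$] is expected for a driver share that relies on write list and admin users rather than valid users; the point of the check is that every share without a restriction is a conscious decision.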
Edit nsswitch.conf to use winbind:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns wins
networks:       files dns

protocols:      files
services:       files
ethers:         files
rpc:            files
netmasks:       files
netgroup:       files
publickey:      files
bootparams:     files
automount:      files
Edit krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SOME.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = true

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[realms]
 SOME.EDU = {
   kdc = ad.some.edu
   admin_server = ad.some.edu
 }
Delete /etc/samba/secrets.tdb if it exists and then delete the cache files:
rm /var/lib/samba/*tdb
Test your smb.conf with testparm and clear up any errors before proceeding. As a matter of fact, this is a good time to make sure that Kerberos is working. Issue the following:
kinit yourusername@SOME.EDU
Enter your password when prompted, then check your ticket with
klist
If you have any problems with getting a ticket, back up and check your krb5.conf settings.
Once all the above is sorted out, it's time to join the domain. Run the following at the prompt to put the computer in a specific container:
net ads join "mycontainer/innercontainer" -U userwithjoinprivs -W SOME -S ad.some.edu
There is a very good chance that will fail. If it does, use the AD Users and Computers snap-in to add the computer account manually to the correct container. Then run the same command without the path to the container:
net ads join -U userwithjoinprivs -W SOME -S ad.some.edu
It should work because now it doesn't have to try to sort out the correct path. However, you will get a DNS error message about not being able to update the record. Go back to the Users and Computers snap-in and change the name from 'localhost' to the proper name: right-click the computer, click 'Properties', and use the Attribute Editor to change the appropriate field. The actual DNS record, both forward and reverse entries, will have to be added by a domain admin.
Test your join with:
net ads testjoin
Make sure you can see domain users and groups and that the secret handshake (the trust secret with the domain) has been made:
# List of users
wbinfo -u
# List of groups
wbinfo -g
# Secret handshake status
wbinfo -t
Check that NSS is working properly:
getent passwd
getent group
You should see local and domain users and groups from the above. If not, check your nsswitch.conf and fix any errors.
Be patient, we're almost there. Two more tests, one to check Kerberos communication with the AD controller and one to check account lookups:
net ads info
# Should output something like the following:
LDAP server: 192.168.1.11
LDAP server name: ad.some.edu
Realm: SOME.EDU
Bind Path: dc=SOME,dc=EDU
LDAP port: 389
Server time: Wed, 22 Apr 2009 16:32:26 PDT
KDC server: 192.168.1.11
Server time offset: 0
# This command returns information on the status of the server:
net ads status -U youraccount
So far, so good. If you set a group as a valid user above in smb.conf for a share, then you'll need to create the group in the Users and Computers snap-in and add your users to it. Test connecting to your share from the server with (the share name is the section name from smb.conf, and forward slashes avoid the shell eating backslashes):
smbclient "//mysuperawesomesambaserver/My Share" -U youraccount
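The net ads info output above is worth checking by script rather than by eye, because the one number that silently breaks a member server is the clock offset: Kerberos rejects tickets when the skew exceeds its default tolerance of 300 seconds, and the Xen drift described earlier (about 7 minutes) is well past that. The script below is an added example, not from the original post, that parses that output with POSIX sh and awk and verifies the realm, the KDC and the offset. The embedded sample output is constructed to match the post's example; the expected realm and KDC are the post's placeholder values, and the skewed sample is invented to show the failure path.

```shell
#!/bin/sh
# ads_check.sh: added example, not from the original post or from Samba.
# Parses 'net ads info' output and verifies the realm, the KDC and the clock
# offset against the Kerberos default skew tolerance of 300 seconds.

MAX_SKEW=300   # seconds; the default clockskew in MIT and Heimdal Kerberos

# ads_field NAME: read 'net ads info' output on stdin and print the value
# after "NAME:" (trimmed), or nothing if the line is absent. Matching on the
# exact "NAME:" prefix keeps "Server time" and "Server time offset" apart.
ads_field() {
  awk -v name="$1" '
    index($0, name ":") == 1 {
      v = substr($0, length(name) + 2); sub(/^[ \t]+/, "", v); print v; exit
    }'
}

# ads_check EXPECTED_REALM EXPECTED_KDC < net-ads-info-output
# Prints one FAIL line per problem; returns 0 when all three checks pass.
ads_check() {
  realm_want=$1; kdc_want=$2
  out=$(cat)                               # read stdin once, query it several times
  realm=$(printf '%s\n' "$out" | ads_field "Realm")
  kdc=$(printf '%s\n' "$out" | ads_field "KDC server")
  offset=$(printf '%s\n' "$out" | ads_field "Server time offset")
  rc=0
  [ "$realm" = "$realm_want" ] || { echo "FAIL realm is '$realm', expected $realm_want"; rc=1; }
  [ "$kdc" = "$kdc_want" ] || { echo "FAIL KDC is '$kdc', expected $kdc_want"; rc=1; }
  case "$offset" in
    ''|*[!0-9-]*) echo "FAIL no numeric 'Server time offset' line found"; rc=1 ;;
    *) abs=${offset#-}                     # magnitude; the sign does not matter
       [ "$abs" -le "$MAX_SKEW" ] ||
         { echo "FAIL clock skew ${offset}s exceeds ${MAX_SKEW}s; fix ntp before going further"; rc=1; } ;;
  esac
  return $rc
}

# Constructed sample: the output shown in the post.
GOOD_INFO='LDAP server: 192.168.1.11
LDAP server name: ad.some.edu
Realm: SOME.EDU
Bind Path: dc=SOME,dc=EDU
LDAP port: 389
Server time: Wed, 22 Apr 2009 16:32:26 PDT
KDC server: 192.168.1.11
Server time offset: 0'

# Constructed sample: same server, but with a 7-minute drift like the Xen case.
SKEWED_INFO=$(printf '%s\n' "$GOOD_INFO" | sed 's/^Server time offset: .*/Server time offset: -420/')

# demo_good / demo_skewed / demo_wrong_realm: run the check on the samples and
# return its status, so the outcome can be used by a caller.
demo_good()        { printf '%s\n' "$GOOD_INFO"   | ads_check SOME.EDU  192.168.1.11; }
demo_skewed()      { printf '%s\n' "$SKEWED_INFO" | ads_check SOME.EDU  192.168.1.11; }
demo_wrong_realm() { printf '%s\n' "$GOOD_INFO"   | ads_check OTHER.EDU 192.168.1.11; }

# Demonstration on the constructed samples.
if demo_good;   then echo "good sample: OK"; fi
if demo_skewed; then :; else echo "skewed sample: rejected, as expected"; fi
```

On the real server, source the file and pipe the live command in: net ads info | ads_check SOME.EDU 192.168.1.11. A non-zero exit means stop and fix ntp or the realm settings before running net ads testjoin, since a skewed clock makes the join look broken when the configuration is actually fine.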
Then get your firewall ports opened up to allow your VLANs access. You will need at least 445/tcp open and probably 135/tcp, 137/udp, 138/udp, and 139/tcp (I haven't tested the 13x ports yet, but my firewall rules have them open.) Once that is set, go to a client that is on the domain and see if you can connect to the share. If you can't, take note of the error message and see if you have skipped any steps above.
These steps are based on the resources below and experiences in setting up a Samba member server. I will use these notes on the next install and make any revisions as necessary.
Resources
Samba documentation
Winbind how to
Procedures for net ads join
Some more samba stuff
Yet more samba stuff
Even more samba stuff
smbclient command reference
Microsoft net use reference
Samba and Debian how to (short)
smb.conf reference
Samba security documentation
Xen clock reference