Wednesday, March 14, 2012

Samba as an AD member server

The purpose is to allow Unix/Linux administrators to use their skills and knowledge to provide file and print services while still playing nicely with the campus domain. These steps apply to Debian Lenny, using packages from the stable distribution (no third-party repositories).
Install the necessary packages:

aptitude install samba smbclient winbind krb5-user krb5-doc krb5-config ntp
 
Edit /etc/resolv.conf to point to the AD DNS:


search some.edu
nameserver 192.168.1.11
 
Test forward and reverse lookups, resolve any problems before moving on.

Edit /etc/ntp.conf:


server ad.some.edu
#comment out the other default time servers
 
If your time is way off, you can stop the ntp service, use ntpdate to set the clock, then restart ntp.

If you are running a Xen virtual machine, you will need to do the following to free the guest's system clock from the dom0 clock. In my install, the guest clock was fixed incorrectly to the host clock, being off by about 7 minutes without a way to reconcile the two. This will work for the guest:

Edit /etc/sysctl.conf and add the line:

xen.independent_wallclock=1
 
Edit the guest configuration file on the dom0 by adding the line:

extra="clocksource=jiffies"
 
Back to the samba configuration. Edit smb.conf to look similar to this:


[global]
unix charset = LOCALE
workgroup = SOME
realm = SOME.EDU
netbios name = mysuperawesomesambaserver
server string = My File Server
allow trusted domains = No
security = ADS
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap backend = rid:SOME=500-100000000
idmap uid = 500-100000000
idmap gid = 500-100000000
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
template shell = /bin/bash
printing = cups
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE

[My Share]
comment = Work files
path = /shares/myshare
valid users = @"SOME\some_group"
read only = No
browseable = Yes

[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = Yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
admin users = root, Administrator
write list = root
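
The idmap ranges above (500-100000000) also cover the UIDs Debian assigns to local accounts (UID_MIN is 1000 in /etc/login.defs), so a domain user's mapped uid can coincide with a local user's uid and file ownership on the shares becomes ambiguous. The following is an added example, not part of the original post, that reads the idmap uid range out of smb.conf and UID_MIN/UID_MAX out of login.defs and fails when they overlap. The embedded sample files are constructed from the values above, the function names are my own, and the idmap syntax checked is the Samba 3.x form used on Lenny.

```sh
#!/bin/sh
# Added example, not from the original post: flag an smb.conf idmap range
# that overlaps the UIDs Debian assigns to local accounts.

# Constructed sample inputs standing in for /etc/samba/smb.conf and
# /etc/login.defs; the range copies the post's configuration and the
# UID bounds are Debian's defaults.
SAMPLE_SMB_CONF='[global]
workgroup = SOME
idmap backend = rid:SOME=500-100000000
idmap uid = 500-100000000
idmap gid = 500-100000000'

SAMPLE_LOGIN_DEFS='# excerpt of /etc/login.defs
UID_MIN                  1000
UID_MAX                 60000'

# idmap_range "<smb.conf text>" "<parameter>" -> prints "low high"
idmap_range() {
    printf '%s\n' "$1" | awk -v key="$2" -F'=' '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key {
            v = $2; gsub(/[ \t]/, "", v)
            n = split(v, r, "-"); if (n == 2) print r[1], r[2]; exit
        }'
}

# local_uid_range "<login.defs text>" -> prints "UID_MIN UID_MAX"
local_uid_range() {
    printf '%s\n' "$1" | awk '
        $1 == "UID_MIN" { lo = $2 }
        $1 == "UID_MAX" { hi = $2 }
        END { if (lo != "" && hi != "") print lo, hi }'
}

# ranges_overlap lo1 hi1 lo2 hi2 -> exit status 0 when the closed ranges intersect
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_idmap "<smb.conf text>" "<login.defs text>"
# exit 0 when the winbind uid range stays clear of local UIDs, 1 on overlap,
# 2 when either range could not be read
check_idmap() {
    set -- $(idmap_range "$1" "idmap uid") $(local_uid_range "$2")
    if [ $# -ne 4 ]; then
        echo "could not read both the idmap uid range and UID_MIN/UID_MAX" >&2
        return 2
    fi
    if ranges_overlap "$1" "$2" "$3" "$4"; then
        echo "idmap uid $1-$2 overlaps local UID range $3-$4" >&2
        return 1
    fi
    echo "idmap uid $1-$2 is clear of local UID range $3-$4"
}

# Run against the constructed samples; use the real files with:
#   check_idmap "$(cat /etc/samba/smb.conf)" "$(cat /etc/login.defs)"
if ! check_idmap "$SAMPLE_SMB_CONF" "$SAMPLE_LOGIN_DEFS"; then
    echo "pick a winbind range above UID_MAX, e.g. idmap uid = 100000-199999"
fi
```

On the post's configuration the check fails, because 500-100000000 contains 1000-60000; moving the winbind range above UID_MAX (and keeping idmap uid and idmap gid in step with the rid backend range) removes the overlap.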
 
Edit nsswitch.conf to use winbind:


# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns wins
networks:       files dns

protocols:      files
services:       files
ethers:         files
rpc:            files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files
 
Edit krb5.conf:


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SOME.EDU
dns_lookup_realm = false
dns_lookup_kdc = true

[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}

[realms]
SOME.EDU = {
    kdc = ad.some.edu
    admin_server = ad.some.edu
}
 
Delete /etc/samba/secrets.tdb if it exists and then delete the cache files:


rm /var/lib/samba/*tdb
 
Test your smb.conf with testparm and clear up any errors before proceeding. As a matter of fact, this is also a good time to make sure that Kerberos is working. Issue the following:

kinit yourusername@SOME.EDU
 
Enter your password when prompted, then check your ticket with

klist
 
If you have any problems with getting a ticket, back up and check your krb5.conf settings.

Once all the above is sorted out, it's time to join the domain. Run the following at the prompt to put the computer in a specific container:


net ads join mycontainer\/innercontainer -U userwithjoinprivs -W SOME -S ad.some.edu
 
There is a very good chance that will fail. If it does, use the AD Users and Computers snap-in to add the computer account manually to the correct container. Then run the same command without the path to the container:


net ads join -U userwithjoinprivs -W SOME -S ad.some.edu
 
It should work now because it doesn't have to sort out the correct path. However, you will get a DNS error message about not being able to update the record. Go back to the Users and Computers snap-in and change the name from 'localhost' to the proper name by right-clicking on the computer, clicking 'Properties' and using the Attribute Editor to change the appropriate field. The actual DNS record, both forward and reverse entries, will have to be added by a domain admin.

Test your join with:


net ads testjoin
 
Make sure you can see domain users and groups and that the secret handshake has been made:


# List of users
wbinfo -u
# List of groups
wbinfo -g
# Secret handshake status
wbinfo -t
 
Check that NSS is working properly:


getent passwd
getent group
 
You should see local and domain users and groups from the above. If not, check your nsswitch.conf and fix any errors.

Be patient, we're almost there. Two more tests, one to check Kerberos communication with the AD controller and one to check account lookups:


net ads info #Should output like below
LDAP server: 192.168.1.11
LDAP server name: ad.some.edu
Realm: SOME.EDU
Bind Path: dc=SOME,dc=EDU
LDAP port: 389
Server time: Wed, 22 Apr 2009 16:32:26 PDT
KDC server: 192.168.1.11
Server time offset: 0

#This command returns information on the status of the server
net ads status -U youraccount
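
The "Server time offset" line above is the one to watch: Kerberos rejects tickets once the member server's clock drifts more than 300 seconds (the default clock skew tolerance) from the DC, which breaks the join, kinit and winbind together and is why the post spends so long on ntp and the Xen wallclock. The following is an added example, not part of the original post, that parses that line out of net ads info and fails when the skew is beyond the tolerance; the sample output is the one shown above, the function names are my own, and the --live switch runs the real checks on a joined server.

```sh
#!/bin/sh
# Added example, not from the original post: read the "Server time offset"
# line of `net ads info` and fail when the skew is beyond what Kerberos
# accepts by default (300 s), since both the join and kinit stop working
# once the member server's clock drifts that far from the DC.

MAX_SKEW=300

# Constructed sample, copied from the expected output shown in the post.
SAMPLE_NET_ADS_INFO='LDAP server: 192.168.1.11
LDAP server name: ad.some.edu
Realm: SOME.EDU
Bind Path: dc=SOME,dc=EDU
LDAP port: 389
Server time: Wed, 22 Apr 2009 16:32:26 PDT
KDC server: 192.168.1.11
Server time offset: 0'

# time_offset "<net ads info output>" -> prints the offset in seconds (may be negative)
time_offset() {
    printf '%s\n' "$1" | awk -F': *' '$1 == "Server time offset" { print $2; exit }'
}

# check_skew "<net ads info output>"
# exit 0 when |offset| <= MAX_SKEW, 1 when it is larger, 2 when the line is missing
check_skew() {
    off=$(time_offset "$1")
    if [ -z "$off" ]; then
        echo "no 'Server time offset' line found; is the server joined?" >&2
        return 2
    fi
    abs=${off#-}                      # strip a leading minus sign
    if [ "$abs" -gt "$MAX_SKEW" ]; then
        echo "clock skew ${off}s exceeds ${MAX_SKEW}s; fix ntp before retrying" >&2
        return 1
    fi
    echo "clock skew ${off}s is within ${MAX_SKEW}s"
}

# verify_member_server: the live checks on a joined server, in the order
# the post runs them
verify_member_server() {
    check_skew "$(net ads info)" || return 1
    net ads testjoin || return 1
    wbinfo -t || return 1
    echo "member server checks passed"
}

# Exercise the parser on the sample; pass --live to run the real checks.
if [ "$1" = "--live" ]; then
    verify_member_server
else
    check_skew "$SAMPLE_NET_ADS_INFO"
fi
```

Run it from cron with --live and you get an early warning when the clock drifts (or the Xen wallclock fix is lost on a reboot) before users start getting access denied on the shares.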

So far, so good. If you set a group as the valid users for a share in smb.conf above, you will need to create that group in the Users and Computers snap-in and add your users to it. Test connecting to your share from the server itself (the share name is the one in square brackets in smb.conf, so quote it if it contains a space):

smbclient "//mysuperawesomesambaserver/My Share" -U youraccount
 
Then get your firewall ports opened up to allow your VLANs access. You will need at least 445/tcp open and probably 135/tcp, 137/udp, 138/udp, and 139/tcp (I haven't tested the 13x ports yet, but my firewall rules have them open.) Once that is set, go to a client that is on the domain and see if you can connect to the share. If you can't, take note of the error message and see if you have skipped any steps above.
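Firewall rules for the ports listed above, as an added example that is not from the original post: the SMB ports are accepted only from the VLANs that need the shares and dropped (with a rate-limited log line) from anywhere else, so the file server is not exposed to every subnet that can route to it. The subnets are constructed placeholders and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: emit iptables rules that open
# the SMB/CIFS ports listed in the post only to the VLANs that need the
# shares and drop (and log, rate-limited) everything else that reaches them.
# The subnets are constructed placeholders; substitute the real VLAN ranges.

ALLOWED_VLANS="10.10.0.0/16 10.20.0.0/16"
TCP_PORTS="135,139,445"
UDP_PORTS="137,138"

# smb_rules "<space-separated CIDRs>" -> prints one iptables command per line,
# allow rules first so they match before the catch-all drops
smb_rules() {
    for net in $1; do
        echo "iptables -A INPUT -s $net -p tcp -m multiport --dports $TCP_PORTS -j ACCEPT"
        echo "iptables -A INPUT -s $net -p udp -m multiport --dports $UDP_PORTS -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp -m multiport --dports $TCP_PORTS -m limit --limit 5/min -j LOG --log-prefix 'smb-drop: '"
    echo "iptables -A INPUT -p tcp -m multiport --dports $TCP_PORTS -j DROP"
    echo "iptables -A INPUT -p udp -m multiport --dports $UDP_PORTS -j DROP"
}

# rule_count "<CIDRs>" -> how many rules smb_rules would install
rule_count() {
    smb_rules "$1" | wc -l | tr -d ' '
}

# Print the rules; apply them with:  smb_rules "$ALLOWED_VLANS" | sh
smb_rules "$ALLOWED_VLANS"
```

445/tcp is direct-hosted SMB and is all a current Windows client needs for the file shares; 137-139 are the NetBIOS ports and 135/tcp is the RPC endpoint mapper, so if the 13x rules turn out to be unnecessary they can be dropped from TCP_PORTS and UDP_PORTS without touching the rest. The logged drops are also a cheap way to spot unexpected subnets probing the server.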

These steps are based on the resources below and my experience in setting up a samba member server. I will use these notes on the next install and make any revisions as necessary.

Resources

Samba documentation
Winbind how to
Procedures for net ads join
Some more samba stuff
Yet more samba stuff
Even more samba stuff
smbclient command reference
Microsoft net use reference
Samba and Debian how to (short)
smb.conf reference
Samba security documentation
Xen clock reference
