-
Notifications
You must be signed in to change notification settings - Fork 205
Samba configuration
This process isn't specific to the NTLM process, it's only how to join a server to the domain using Samba. mod_auth_ntlm_winbind will not function without a correctly configured Samba installation. The process is setting up Samba on the webserver to be a Domain Member Server.
A note on firewalls: If your webserver is in a DMZ, you will need to allow access for both TCP and UDP on ports 88, 464, and 750. Do not attempt to add machines to domains through NAT (Network Address Translation) or you will get errors along the lines of “ads_set_machine_password: Message stream modified”. You will need to connect the machine to the internal network, join the domain, and then connect it back to the DMZ.
You will need to check you have support for Kerberos, LDAP, AD, and Winbind.
# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
...
# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
...
# smbd -b | grep ADS
WITH_ADS
WITH_ADS
# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIND
If you're missing any of these options, you need to recompile Samba. You shouldn't have any problems if you're using a package managed installation from a major vendor though (eg. deb, rpm).
To install Kerberos, Debian requires the packages heimdal-clients libpam-heimdal
Edit krb5.conf:
[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
DOMAIN.LOCAL = {
kdc = dc01.domain.local
}
[domain_realms]
.kerberos.server = DOMAIN.LOCAL
Be sure to use uppercase where applicable as shown above, and when you test the connection with kinit. If you mess up your cases, you will get an error “Cannot find KDC for requested realm while getting initial credentials”. Test the connection with:
# kinit [email protected]
Password for [email protected]
You can view your list of Kerberos tickets with "klist".
Samba configuration is pretty simple. The global section has a few changes though.
[global]
workgroup = WORKGROUP
realm = DOMAIN.LOCAL
preferred master = no
security = ADS
encrypt passwords = yes
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
[homes]
valid users = %S
Save your changes and run 'testparm' to check for any syntax errors.
# testparm
...
# samba start
Fnally, join your Samba machine to Active Directory:
# net ads join -U Administrator
Administrator's password:
Joined 'WEB01' to realm 'DOMAIN.LOCAL'
If this works, shut down samba and enable winbind. If not, you'll need to do some troubleshooting.
Debian users may need to install the winbind package separately. RPM users will find it in the samba-common RPM. First, edit /etc/nsswitch.conf. The first three lines are the most important; the others vary according to your system:
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
Save your changes, and fire up winbind and Samba:
# winbind
# /etc/init.d/samba start
You can verify winbind is working with:
# wbinfo -u
...
# wbinfo -g
...
Note: Be careful when using this in a large domain: -u queries all users, -g queries all groups. With 60K users, this may take quite some time, and your ADS admin might not exactly be enthusiastic about it…
That's it :)