Integrating SAMBA\WINBIND on AIX 4.3.3 with Microsoft Active Directory

Overview:

This document is a roadmap for integrating Samba with your Active Directory environment. The configuration makes the Samba server a member of the Active Directory domain, and it lets telnet logins to the AIX host authenticate against Active Directory through winbind.

AIX Setup:

Verify that your system has all the BOS sub-packages from the AIX install CDs.

Install the RPM package manager (rpm.rte) with installp:

    installp -qacXgd rpm.rte rpm.rte

Install the following RPMs (http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html). If they are all in the same directory you can install them in one step:

    rpm -ivh --nodeps *.rpm

Packages required:

    autoconf-2.53-1.aix4.3.noarch.rpm
    automake-1.5-1.aix4.3.noarch.rpm
    bash-2.05a-1.aix4.3.ppc.rpm
    bison-1.34-2.aix4.3.ppc.rpm
    db-3.3.11-3.aix4.3.ppc.rpm
    flex-2.5.4a-6.aix4.3.ppc.rpm
    gawk-3.1.0-2.aix4.3.ppc.rpm
    gettext-0.10.39-2.aix4.3.ppc.rpm
    glib-1.2.10-2.aix4.3.ppc.rpm
    glib-devel-1.2.10-2.aix4.3.ppc.rpm
    glib2-2.2.1-3.aix4.3.ppc.rpm
    glib2-devel-2.2.1-3.aix4.3.ppc.rpm
    gzip-1.2.4a-7.aix4.3.ppc.rpm
    libtool-1.4.2-1.aix4.3.ppc.rpm
    m4-1.4-14.aix4.3.ppc.rpm
    make-3.79.1-3.aix4.3.ppc.rpm
    openldap-2.0.21-4.aix4.3.ppc.rpm
    openldap-devel-2.0.21-4.aix4.3.ppc.rpm
    pkgconfig-0.15.0-1.aix4.3.ppc.rpm
    rpm-3.0.5-30.aix4.3.ppc.rpm
    sed-3.02-8.aix4.3.ppc.rpm
    tar-1.13-4.aix4.3.ppc.rpm

Update PATH and LD_LIBRARY_PATH. The AIX run-time loader searches LIBPATH, so give it the same library list, and export all three so that the configure scripts and make inherit them:

    export PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/local/bin:/usr/local/sbin:/usr/local/samba/bin:/usr/local/samba/sbin
    export LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/lib
    export LIBPATH=$LD_LIBRARY_PATH

Download binutils and gcc binaries:

    binutils.2.9.1.tar.gz (http://sunsite.lanet.lv/ftp/unix/aix-binaries/uclapub/binutils/RISC/4.2/exec/)
    gcc.3.3.4.tar.Z (http://aixpdslib.seas.ucla.edu/packages/gcc.html)

Download source code for the following:

    krb5-1.3.5.tar.gz (http://web.mit.edu/kerberos/www/dist/)
    openldap-2.2.18.tar.gz (http://www.openldap.org/software/download/)
    samba-3.0.8pre2.tar.gz (http://www.samba.org)

Verify each archive against the checksum or PGP signature its project publishes before unpacking it: the binutils and gcc archives are extracted straight into / as root, and the Kerberos and Samba builds become the host's authentication path.

Install binutils:

    gzip -d binutils.2.9.1.tar.gz
    cp binutils.2.9.1.tar /
    cd /
    tar -xvf binutils.2.9.1.tar
    rm /binutils.2.9.1.tar

**Note** Untar binutils from the / directory so the files are placed in their proper locations.

Install gcc:

    gzip -d gcc.3.3.4.tar.Z
    cp gcc.3.3.4.tar /
    cd /
    tar -xvf gcc.3.3.4.tar
    rm /gcc.3.3.4.tar

**Note** Untar gcc from the / directory as well, for the same reason.

Build and install Kerberos (the MIT tarball keeps its configure script under src/):

    gzip -d krb5-1.3.5.tar.gz
    tar -xvf krb5-1.3.5.tar
    cd krb5-1.3.5/src
    ./configure --enable-dns --enable-dns-for-kdc --enable-dns-for-realm
    make
    make install

Build and install OpenLDAP (client libraries only; slapd, slurpd and the BDB backend are not needed on a domain member):

    gzip -d openldap-2.2.18.tar.gz
    tar -xvf openldap-2.2.18.tar
    cd openldap-2.2.18
    ./configure --disable-slurpd --disable-bdb --disable-slapd --without-threads
    make
    make install

Build and install Samba (the configure script lives under source/; --with-krb5 points at the MIT Kerberos just installed under /usr/local):

    gzip -d samba-3.0.8pre2.tar.gz
    tar -xvf samba-3.0.8pre2.tar
    cd samba-3.0.8pre2/source
    ./configure --with-winbind --with-ldap --with-ads --with-krb5=/usr/local
    make
    make install

Configure Kerberos:

Edit /etc/krb5.conf to reflect the following (substitute DOMAIN.COM with your realm, which is your Active Directory domain name in upper case; the realm name is case-sensitive):

    [logging]
        default = FILE:/var/log/krb5/libs.log
        kdc = FILE:/var/log/krb5/kdc.log
        admin_server = FILE:/var/log/krb5/admin.log

    [libdefaults]
        ticket_lifetime = 24000
        default_realm = DOMAIN.COM
        forwardable = true
        proxiable = true
        dns_lookup_realm = false
        dns_lookup_kdc = false

    [realms]
        DOMAIN.COM = {
            default_domain = domain.com
            kdc = <ip address of AD server>:88
            admin_server = <ip address of AD server>:749
        }

    [domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM

    [kdc]
        profile = /var/kerberos/krb5kdc/kdc.conf

    [pam]
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false

With dns_lookup_kdc = false the kdc line is the only way this host finds a domain controller, so list a reachable one (a second kdc line gives a fallback). The admin_server, [kdc] and [pam] entries are harmless but unused here: Active Directory does not run a kadmin service on port 749, and this setup authenticates through AIX's loadable authentication modules rather than PAM. Kerberos also rejects tickets when the client clock differs from the domain controller by more than the default five minutes, so keep the AIX host's time synchronized with the domain.

Configure Samba:

Edit /usr/local/samba/lib/smb.conf to reflect the following (substitute DOMAIN with your domain).

**Note** The shares are examples and may be different.
    [global]
        workgroup = DOMAIN
        netbios name = HOSTNAME
        server string = HOSTNAME
        security = ADS
        realm = DOMAIN.COM
        password server = <ip address>
        wins server = <ip address>
        client use spnego = yes
        client signing = yes
        encrypt passwords = yes
        printcap name = cups
        disable spoolss = Yes
        show add printer wizard = No
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        winbind separator = +
        winbind use default domain = Yes
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
        use sendfile = Yes
        printing = cups
        ldap suffix = "dc=DOMAIN, dc=com"
        winbind cache time = 0
        #Uncomment to allow these options
        #log level = 8
        #log file = /var/log/samba.log
        #max log size = 5000000
        #debug timestamp = yes
        browseable = yes
        obey pam restrictions = yes
        auth methods = winbind

    [homes]
        comment = User Home
        path = /home/%U
        force group = %U
        read only = No
        browseable = No

    [alpha]
        comment = OSCAR Alpha Code (Read/Write)
        path = /apps/oscar/alpha
        valid users = @dev, @REDHAT
        admin users = @dev, @REDHAT
        read only = No
        browseable = Yes

    [beta]
        comment = OSCAR Beta Code (Read Only)
        path = /apps/oscar/beta
        valid users = @dev, @REDHAT
        admin users = @dev, @REDHAT
        read only = Yes
        browseable = Yes

    [scripts]
        comment = OSCAR Scripts (Read Only)
        path = /apps/oscar/scripts
        valid users = @dev, @REDHAT
        admin users = @dev, @REDHAT
        read only = Yes
        browseable = Yes

    [logs]
        comment = OSCAR Logs (Read Only)
        path = /apps/logs
        valid users = @dev, @REDHAT
        admin users = @dev, @REDHAT
        force user = oscar
        force group = dev
        read only = Yes
        browseable = Yes

    [archive]
        comment = OSCAR Archive (Read Only)
        path = /apps/archive
        valid users = @dev, @REDHAT
        admin users = @dev, @REDHAT
        force user = oscar
        force group = dev
        read only = Yes
        browseable = Yes

    [apps]
        comment = OSCAR
        path = /apps
        valid users = @dev, @REDHAT
        admin users = @dev, @REDHAT
        read only = No
        browseable = Yes

    [public]
        comment = test
        path = /usr/local/source
        read only = No
        browseable = Yes

A few of these settings deserve a second look before you copy them. "admin users" makes the listed accounts do all file operations as root on that share, bypassing file permissions, so keep the list short. [apps] is writable and its path /apps contains the directories behind the read-only shares, so anyone in @dev or @REDHAT can change [beta], [scripts], [logs] and [archive] content by going through [apps]. [public] has read only = No and no valid users line, which lets any authenticated domain account write to /usr/local/source. winbind cache time = 0 disables winbind's cache, so every name and group lookup goes to a domain controller; raise it once things work. The idmap ranges give winbind 5001 UIDs and GIDs that must not collide with local accounts, and the mapping is stored locally by winbindd (winbindd_idmap.tdb), so back it up: losing it changes the UID of every domain user's files.

**Note** Do not start Samba yet!
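The share definitions are where most of the exposure in this file lives, and the relevant lines (read only, valid users, admin users) are easy to mis-type. The script below is an added example, not part of the original how-to and not a Samba tool: it reads an smb.conf and flags writable shares that have no "valid users" line (including [homes] unless it carries valid users = %S), guest-enabled shares, and any use of "admin users". The embedded sample configuration is constructed for the demonstration; point it at /usr/local/samba/lib/smb.conf, the path this document uses, to check the real file.

```shell
#!/bin/sh
# audit_smbconf.sh - flag share settings in a Samba 3 smb.conf that widen
# access further than intended. Added example, not part of the original
# how-to; the sample configuration below is constructed for the demo.
#
# Checks per share (the [global] section is skipped):
#   WARN  writable share (read only = No / writable = Yes) with no
#         "valid users" line: every authenticated domain account can
#         write to it. Fires for [homes] too unless "valid users = %S".
#   WARN  guest ok = yes / public = yes
#   INFO  "admin users" present: those accounts act as root on the share.

# audit_smbconf: read smb.conf on stdin, print one finding per line,
# return 1 if anything was flagged and 0 otherwise.
audit_smbconf() {
    awk '
    function flush() {
        if (sec == "" || tolower(sec) == "global") return
        if (ro != "yes" && valid == "") {
            print "WARN " sec ": writable and no \"valid users\"; any domain account can write to " path
            n++
        }
        if (guest == "yes") { print "WARN " sec ": guest access enabled on " path; n++ }
        if (admin != "")    { print "INFO " sec ": \"admin users\" act as root on " path ": " admin; n++ }
    }
    BEGIN { sec = ""; n = 0 }
    # drop comments and surrounding whitespace
    { sub(/[#;].*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    /^\[.*\]$/ {
        flush()
        sec = substr($0, 2, length($0) - 2)
        ro = "yes"; valid = ""; admin = ""; guest = ""; path = "(no path)"
        next
    }
    /=/ {
        key = $0; sub(/[ \t]*=.*/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); lval = tolower(val)
        if (key == "read only")
            ro = (lval ~ /^(no|false|0)$/) ? "no" : "yes"
        if (key == "writable" || key == "writeable" || key == "write ok")
            ro = (lval ~ /^(yes|true|1)$/) ? "no" : "yes"
        if (key == "valid users") valid = val
        if (key == "admin users") admin = val
        if (key == "guest ok" || key == "public")
            guest = (lval ~ /^(yes|true|1)$/) ? "yes" : ""
        if (key == "path") path = val
    }
    END { flush(); exit (n > 0) }
    '
}

# sample_conf: constructed smb.conf fragment (not the how-to's file) that
# exercises each check.
sample_conf() {
    cat <<'EOF'
[global]
   workgroup = DOMAIN
   security = ADS
[homes]
   path = /home/%U
   read only = No      ; no "valid users = %S"
   browseable = No
[beta]
   path = /apps/oscar/beta
   valid users = @dev, @REDHAT
   admin users = @dev
   read only = Yes
[public]
   comment = test
   path = /usr/local/source
   read only = No
   browseable = Yes
EOF
}

# Usage: sh audit_smbconf.sh /usr/local/samba/lib/smb.conf
#        sh audit_smbconf.sh --demo      (run against the sample above)
case "${1:-}" in
    "")     ;;                              # no argument: only define the functions
    --demo) sample_conf | audit_smbconf ;;
    *)      audit_smbconf < "$1" ;;
esac
```

The exit status makes the script usable as a gate in a deployment step: it returns 1 as soon as one finding is printed. Key matching is case-insensitive and synonyms (writable, writeable, write ok, public) are folded into the same checks, because Samba accepts all of them.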
Active Directory Integration:

Obtain a Kerberos ticket from your AD server by issuing the command:

    kinit Administrator

You will then be asked for a password. Enter the Administrator password for your domain. Any account that has been delegated the right to join computers to the domain will do here; the built-in Administrator is not required.

To verify that the ticket was issued, run klist. The results should appear as follows:

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrator@DOMAIN.COM

    Valid starting     Expires            Service principal
    11/03/04 14:26:23  11/04/04 00:26:22  krbtgt/DOMAIN.COM@DOMAIN.COM
            renew until 11/04/04 14:26:23

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

The Kerberos 4 lines only say that no krb4 cache exists and can be ignored. Once you have obtained the Kerberos ticket you can join the computer to the domain:

    net ads join

The join creates the computer account in Active Directory and stores the machine password in Samba's secrets.tdb under /usr/local/samba/private, which must stay readable by root only. "net ads testjoin" confirms afterwards that the account works. Destroy the Administrator ticket once the join has succeeded, since the cache file /tmp/krb5cc_0 is a usable credential for anyone who can read it:

    kdestroy

Now start Samba and winbind:

    /usr/local/samba/sbin/smbd -D
    /usr/local/samba/sbin/nmbd -D
    /usr/local/samba/sbin/winbindd

Check that winbindd can talk to the domain before touching the AIX login configuration: "wbinfo -t" verifies the machine account's trust secret against a domain controller, and "wbinfo -u" should list the domain's users.

Winbind and Active Directory Authentication:

First copy the WINBIND module from where it was created when you compiled Samba to /usr/lib/security:

    cp /path/to/samba-3.0.8pre2/source/nsswitch/WINBIND /usr/lib/security

Next add a stanza to /usr/lib/security/methods.cfg (authonly tells the AIX loadable authentication module framework to use the module for password verification only):

    WINBIND:
            program = /usr/lib/security/WINBIND
            options = authonly

Finally edit /etc/security/user (the file is named user, not users) and make sure that SYSTEM in the default stanza is set to WINBIND:

    default:
            admin = false
            login = true
            su = true
            daemon = true
            rlogin = true
            sugroups = ALL
            admgroups =
            ttys = ALL
            auth1 = SYSTEM
            auth2 =
            tpath = nosak
            umask = 022
            expires = 0
            SYSTEM = "WINBIND"
            logintimes =
            pwdwarntime = 0
            account_locked = false
            loginretries = 0
            histexpire = 0
            histsize = 0
            minage = 0
            maxage = 0
            maxexpired = -1
            minalpha = 0
            minother = 0
            minlen = 0
            mindiff = 0
            maxrepeats = 8
            dictionlist =
            pwdchecks =

Because this is the default stanza it applies to every account that has no SYSTEM value of its own, root included, so a winbindd outage or a lost machine password would lock you out of the console. Give root (and any emergency local account) an explicit local method in its own stanza, for example:

    root:
            SYSTEM = "compat"

Two more things to keep in mind: AIX 4.3.3 limits login names to 8 characters, so domain accounts with longer names will authenticate inside Samba but cannot log in to AIX, and the home directory named by template homedir (/home/<user>) must exist before the first login.

Test your authentication by telnetting to the AIX box and logging in with your Active Directory credentials. Telnet sends the Active Directory password across the network in clear text, so once the integration works, expose the host over ssh rather than telnet wherever you can.
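Before relying on domain logins, it is worth checking that the identity mapping chosen in smb.conf can actually be consumed by AIX 4.3.3. The script below is an added example, not part of the original how-to and not a Samba tool: it reads account names in the form "wbinfo -u" prints them here (bare sAMAccountNames, because of winbind use default domain = Yes and winbind separator = +) and flags names AIX 4.3.3 cannot use as logins (longer than 8 characters, or containing characters that break the passwd format or collide with the separator), and it scans /etc/passwd for local accounts whose UID or GID falls inside the idmap range 15000-20000, where they would be confused with domain users. The idmap range and the Samba install path are taken from this document; the sample user list and passwd lines are constructed for the demonstration.

```shell
#!/bin/sh
# winbind_preflight.sh - identity-mapping checks for winbind on AIX 4.3.3.
# Added example, not part of the original how-to. Assumes the smb.conf
# above (idmap uid/gid = 15000-20000, winbind separator = +, winbind use
# default domain = Yes) and Samba installed under /usr/local/samba.
# The sample data at the bottom is constructed for the demo.

IDMAP_LO=15000
IDMAP_HI=20000
MAXLEN=8            # AIX 4.3.3 limits login names to 8 characters

# check_names: read one account name per line (what "wbinfo -u" prints
# with "winbind use default domain = Yes") on stdin. Print each name that
# AIX cannot use as a login and return 1 if there were any, else 0.
# Such users authenticate fine inside Samba but cannot log in over telnet.
check_names() {
    awk -v max="$MAXLEN" '
    { name = $0; sub(/\r$/, "", name) }
    name == ""                 { next }
    name ~ /[ \t+:\\]/         { print "invalid character: " name; bad++; next }
    length(name) > max         { print "too long (" length(name) "): " name; bad++; next }
    END { exit (bad > 0) }
    '
}

# check_uid_collisions: read /etc/passwd lines on stdin and print any local
# account whose UID or GID lies inside the idmap range winbind hands out
# (files owned by it would then appear to belong to a domain user).
# Return 1 if a collision exists, else 0.
check_uid_collisions() {
    awk -F: -v lo="$IDMAP_LO" -v hi="$IDMAP_HI" '
    NF >= 4 && $3 >= lo && $3 <= hi { print "uid collision: " $1 " (" $3 ")"; bad++ }
    NF >= 4 && $4 >= lo && $4 <= hi { print "gid collision: " $1 " (" $4 ")"; bad++ }
    END { exit (bad > 0) }
    '
}

# Constructed sample inputs (not real accounts) for the demo.
sample_users() {
    printf '%s\n' jsmith mary.longfellow 'svc acct' bob
}
sample_passwd() {
    printf '%s\n' 'root:!:0:0::/:/bin/ksh' \
                  'oscar:!:15234:200::/home/oscar:/bin/ksh' \
                  'dev:!:300:15001::/home/dev:/bin/ksh'
}

# Usage: sh winbind_preflight.sh run    (live: wbinfo -u and /etc/passwd)
#        sh winbind_preflight.sh demo   (the constructed samples above)
case "${1:-}" in
    run)  rc=0
          /usr/local/samba/bin/wbinfo -u | check_names || rc=1
          check_uid_collisions < /etc/passwd || rc=1
          exit $rc ;;
    demo) rc=0
          sample_users | check_names || rc=1
          sample_passwd | check_uid_collisions || rc=1
          exit $rc ;;
esac
```

Run it with "run" on the AIX host after winbindd is up and "wbinfo -t" succeeds; a non-zero exit means either some domain users will never be able to log in or a local account sits inside the idmap range and should be moved before winbind starts allocating IDs.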