Ditirambo
2005-Aug-27 00:11 UTC
[Samba] Samba works!: Samba, Kerberos, Win2K Active Directory authentication
After some days, here is my personal cookbook for Samba in Solaris.
I needed to share a folder in my Solaris server, but using my Windows Active Directory account. Here is my process, if it can help anyone or if anyone can make corrections or suggestions.
Thx.

Personal Cookbook for Samba.

Objective:
    To enable a Unix server to share folders for Microsoft Windows machines with authentication through the Active Directory accounts used in the Windows client session.

Prerequisites:
    Unix Solaris 8
    gcc compiler
    Samba 3
    Kerberos 5
    OpenLDAP 2.2
    Windows 2000 Server Domain Controller

Process:
0. Get the software:
    krb5-1.4.1-signed.tar at http://web.mit.edu/kerberos/www/
    openldap-2.2.26.tar at http://www.openldap.org/software/download/
    samba-3.0.14a.tar.gz at http://us1.samba.org/samba/

0.1 Verify the gcc compiler (e.g. execute "type gcc"; if the program exists, the command returns its path, for example /usr/local/bin)

0.2 Verify that the env var CC points to /usr/local/bin/gcc. (Make the required modifications in the file /etc/profile)

1. Unpack the files in a temp directory. Here /export/programs/samba on unixmachine is used:
    tar xvf krb5-1.4.1-signed.tar
        it creates the directory kerberos
    tar xvf openldap-2.2.26.tar
        it creates the directory openldap-2.2.26
    tar xvf samba-3.0.14a.tar.gz
        it creates the directory samba-3.0.14a

2. Compile and install the programs. Here the programs are explicitly installed under /home1/. Follow this order:

2.1. Kerberos
    Go to kerberos/krb5-1.4.1/src
    Execute
        ./configure --prefix=/home1/kerberos5 CC=/usr/local/bin/gcc
        make
        make install

2.2. OpenLDAP
    Go to openldap-2.2.26
    Execute
        ./configure --prefix=/home1/openldap --without-bdb \
            --disable-bdb --enable-null
        make depend
        make
        make install

2.3. Samba
    Go to samba-3.0.14a/source
    Set these env vars:
        export LDFLAGS="-L/home1/openldap/lib -Wl,-R/home1/openldap/lib"
        export CPPFLAGS=-I/home1/openldap/include
    Execute
        ./configure --prefix=/home1/samba --with-winbind \
            --with-ads --with-ldap --with-krb5=/home1/kerberos5
        make
        make install

3. Create a user account in your Windows 2000 Domain Controller with the same name as your machine (use the last name field). Enable the options "User cannot change password" and "Password never expires".

4. Generate the keytab for Kerberos on your Win2k Domain Controller:
    C:\temp\ktpass -princ host/unixmachine.domain.com@DOMAIN.COM -mapuser unixmachine -pass password -out unixmachine.keytab

4.1. Copy the file unixmachine.keytab to unixmachine under the directory /etc/krb5/ (it can be done with ftp or scp, depending on the unix server)

4.2. Register the key on your unixmachine:
    /home1/kerberos5/sbin/ktutil
    ktutil: rkt /etc/krb5/unixmachine.keytab
    ktutil: wkt /etc/krb5/krb5.keytab
    ktutil: q

5. Configure some env vars:
    KRB5_CONFIG=/etc/krb5/krb5.conf
    KRB5_KDC_PROFILE=/var/kerberos/krb5kdc/kdc.conf
    DEFAULT_KEYTAB_NAME=/etc/krb5/krb5.keytab
    LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local:/usr/local/include:/usr/local/lib:/usr/lib/iconv
    export KRB5_CONFIG KRB5_KDC_PROFILE LD_LIBRARY_PATH DEFAULT_KEYTAB_NAME

6. Generate library links for nsswitch
    Copy from /export/programs/samba/samba-3.0.14a/source/nsswitch the file libnss_winbind.so to the directory /usr/lib
    Generate these soft links in /usr/lib/:
        ln -s libnss_winbind.so libnss_winbind.so.1
        ln -s libnss_winbind.so nss_winbind.so.1
        ln -s libnss_winbind.so nss_winbind.so.2

7. Generate in /etc/init.d/ the file samba:
------------------------------------------------------
#!/bin/sh
#
# This file should have uid root, gid sys and chmod 744
#
if [ ! -d /usr/bin ]
then    # /usr not mounted
    exit
fi

killproc() {    # kill the named process(es)
    pid=`/usr/bin/ps -e | /usr/bin/grep -w $1 | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
    [ "$pid" != "" ] && kill $pid
}

# Start/stop processes required for samba server
case "$1" in

'start')
    /home1/samba/sbin/nmbd -D -l/home1/samba/var/log.%m
    /home1/samba/sbin/winbindd
    /home1/samba/sbin/smbd -D
    ;;

'stop')
    killproc nmbd
    killproc smbd
    killproc winbindd
    echo "Killing nmbd, smbd, winbindd OK..."
    ;;

'restart')
    killproc nmbd
    killproc smbd
    killproc winbindd
    echo "Killing OK..."
    /home1/samba/sbin/nmbd -D -l/home1/samba/var/log.%m
    /home1/samba/sbin/winbindd
    /home1/samba/sbin/smbd -D
    echo "Starting Samba OK..."
    ;;

*)
    echo "Usage: /etc/init.d/samba { start | stop | restart }"
    ;;

esac
------------------------------------------------------

8. Generate the file /etc/krb5/krb5.conf:
------------------------------------------------------
# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __<name>__ placeholders
# with appropriate values for your network.
#
[libdefaults]
    ticket_lifetime = 24000
    default_realm = DOMAIN.COM
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    #forwardable = true
    #proxiable = true
    #dns_lookup_realm = true
    #dns_lookup_kdc = true

[realms]
DOMAIN.COM = {
    kdc = win2kdomcontr.domain.com
    kdc = otherwin2kdomcontr.domain.com
    admin_server = win2kdomcontr.domain.com
    default_domain = domain.com
}

[domain_realm]
    unixmachine.domain.com = unixmachine
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM
    .netbiosdomname = DOMAIN.COM
    netbiosdomname = DOMAIN.COM
------------------------------------------------------

9. Generate the file /home1/samba/lib/smb.conf:
------------------------------------------------------
[global]
    # general options
    workgroup = NETBIOSDOMNAME
    netbios name = unixmachine
    realm = DOMAIN.COM
    server string = SambaUNIXMACHINE
    security = ADS
    idmap uid = 5000-100000000
    idmap gid = 5000-100000000

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nested groups = Yes

    log level = 1
    template homedir = /home1/samba/%D/%U
    template shell = /bin/bash
    encrypt passwords = yes

    password server = win2kdomcontr.domain.com

[shared1]
    comment = Shared data
    path = /home1/samba/users
    valid users = NETBIOSDOMNAME\anygroup
    browseable = yes
    writeable = yes
------------------------------------------------------

10. Modify the file /etc/nscd.conf:
    enable-cache hosts no
    enable-cache passwd no
    enable-cache group no

11. Register the computer account in Active Directory:
    /home1/kerberos5/bin/kinit administrator
        (enter the password for the domain administrator)
    /home1/samba/bin/net ads join
        (This prints a message indicating that the computer has joined the domain; verify the computer account in Active Directory Users and Computers)
    (Optionally, use net ads join --debuglevel=10 to debug errors)

12. To test the communication with Active Directory, execute getent passwd. This command shows the passwd content and the Active Directory accounts. Additionally, execute /home1/samba/bin/wbinfo -u or /home1/samba/bin/wbinfo -g to list the users or groups from Active Directory.

13. Execute /etc/init.d/samba start to start the Samba daemons. The final test is to open the server from a Windows machine with Start/Run/\\unixmachine
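As an added example (not part of the original post, nor Samba's or MIT Kerberos' own code), here is a small Python audit of the two configuration files from steps 8 and 9: it parses ini-style smb.conf and krb5.conf text and reports what a reviewer checks before exposing the share, namely that security = ADS is set, that every share carries a valid users restriction, and that the single-DES enctypes the krb5.conf template pins are flagged (deprecated by RFC 6649). The file contents embedded in it are constructed samples modelled on the post, not read from a server.

```python
import re
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}  # single DES, deprecated by RFC 6649

def parse_ini(text):
    """smb.conf / krb5.conf text -> {section: {key: value}}; 'DOMAIN.COM = {' under [realms] -> 'realms/DOMAIN.COM'."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):       # new top-level section
            stack = [line[1:-1].strip()]
            sections.setdefault(stack[0], {})
        elif stack and re.match(r"^\S+\s*=\s*\{$", line):     # krb5.conf nested block
            stack.append(stack[-1] + "/" + line.split("=")[0].strip())
            sections.setdefault(stack[-1], {})
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif stack:
            key, _, value = line.partition("=")
            sections[stack[-1]][key.strip().lower()] = value.strip()
    return sections

def audit_smb(conf):
    """Domain (ADS) authentication must be on, and every share needs a 'valid users' restriction."""
    findings = []
    if conf.get("global", {}).get("security", "").lower() != "ads":
        findings.append("global: security is not ADS")
    for name, share in conf.items():
        if name != "global" and not share.get("valid users"):
            findings.append(f'share {name}: no "valid users" restriction')
    return findings

def audit_krb5(conf):
    """Flag single-DES enctypes pinned in [libdefaults]."""
    findings, lib = [], conf.get("libdefaults", {})
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        weak = sorted(set(lib.get(key, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"libdefaults: {key} allows single-DES: {' '.join(weak)}")
    return findings
# Constructed samples modelled on the post's files; the [open] share is added here so the share check fires.
SMB_CONF = ("[global]\n security = ADS\n realm = DOMAIN.COM\n[shared1]\n path = /home1/samba/users\n"
            " valid users = NETBIOSDOMNAME\\anygroup\n[open]\n path = /tmp\n")
KRB5_CONF = ("[libdefaults]\n default_realm = DOMAIN.COM\n default_tgs_enctypes = des-cbc-crc des-cbc-md5\n"
             " default_tkt_enctypes = des-cbc-crc des-cbc-md5\n[realms]\nDOMAIN.COM = {\n"
             " kdc = win2kdomcontr.domain.com\n}\n")
if __name__ == "__main__":
    print(*audit_smb(parse_ini(SMB_CONF)) + audit_krb5(parse_ini(KRB5_CONF)), sep="\n")
```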
Philip Washington
2005-Aug-27 23:05 UTC
[Samba] Samba works!: Samba, Kerberos, Win2K Active Directory authentication
Ditirambo wrote:
> [...]

Thanks for the info. Do you have a web site where this could be posted?