Hello,

Due to a couple of circumstances, I am rebuilding my file server. In the process I want to see if I can iron out the last few issues I have had with getting active directory authentication to work. Ideally I would appreciate it if anyone can provide a link to a website that gives decently detailed instructions for setting up samba with user authentication via Active Directory running on a windows server 2008 box. If it matters, I will be installing Debian squeeze, since I believe that version has a version of samba that is able to work with 2008 (our IT department upgraded over the weekend and thus broke my authentication).

On top of that, one other question: Is it absolutely necessary to enable enum users and groups? I ask because with a student population of more than 13,000 I do not want to choke either my server or the university's server by making a request for that large a number of people. And if one can get away without, what are the side effects? For example, the university's server has faculty and staff in a separate group from the students, such that an authentication call via wbinfo requires specifying for example FACULTY+John_Doe and STUDENT+Dave_Smith to work correctly. This was the one remaining hitch I did have: I used an account in the FACULTY group to bind my server to the AD server and thereafter had no issues with authenticating myself with samba, but I could not get it to work for any students.

Thanks in advance!

Joel

--
Asst. Prof. Joel M. Therrien
Ph: 978-934-3324
Fax: 978-934-3027
Joel_Therrien at uml.edu
Dept. of Electrical & Computer Engineering
U. Massachusetts-Lowell
1 University Ave
Lowell, MA 01854
First of all, I have Samba working in an Active Directory environment. The Samba server has been basically unchanged for a couple of years now, and survived an upgrade to Windows 2008 without changes. So it can be done.

Here are the relevant settings from my [global] section in smb.conf (for a domain called ad.mydomain.local. Note the capitalization):

    realm = AD.MYDOMAIN.LOCAL
    security = ADS
    encrypt passwords = yes
    domain logons = no
    domain master = no
    idmap domains = AD
    idmap config AD:backend = rid
    idmap config AD:base_rid = 0
    idmap config AD:range = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    client use spnego = yes
    # set smb ports to turn off NetBT. Be aware that this makes your server invisible
    # in the Network Neighborhood.
    smb ports = 445
    idmap gid = 10000-20000
    idmap uid = 10000-20000

Next, you need to make sure that DNS resolution works and uses the Windows box as DNS server. This is critically important.

In addition, you need to set up Kerberos using krb5.conf:

    [libdefaults]
        default_realm = AD.MYDOMAIN.LOCAL
        clockskew = 300

    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            retain_after_close = false
            minimum_uid = 1
            use_shmem = sshd
        }

(not sure if the pam section is needed - I believe Samba uses Kerberos directly. Pam would allow you to use Windows accounts to log in to a Linux box without creating accounts on the Linux box).

Some sites also recommend using a [realms] section to specify which server serves up Kerberos tickets. I found that not necessary, and in fact harmful. Kerberos uses SRV records in DNS to find the correct server, and Windows creates the correct ones.

Finally, you have to join the AD domain (use the net join command in Samba).

One catch: Server 2008 prefers IPv6. In IPv6, you cannot support NetBT/WINS. Samba does not support Network Discovery very well, so your server becomes invisible.

If I recall correctly, the advantages and drawbacks of enum users and groups are documented quite well in the Samba docs. The reason this setting exists is exactly to accommodate a situation such as yours, with a very large number of users.

> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Joel Therrien
> Sent: Friday, December 11, 2009 11:58 AM
> To: samba at lists.samba.org
> Subject: [Samba] Starting from scratch... and Active Directory
>
> Hello,
>
> Due to a couple of circumstances, I am rebuilding my file server. In the
> process I want to see if I can iron out the last few issues I have had with
> getting active directory authentication to work. Ideally I would appreciate
> it if anyone can provide a link to a website that gives decently detailed
> instructions for setting up samba with user authentication via Active
> Directory running on a windows server 2008 box. If it matters, I will be
> installing Debian squeeze, since I believe that version has a version of
> samba that is able to work with 2008 (our IT department upgraded over the
> weekend and thus broke my authentication).
>
> On top of that, one other question: Is it absolutely necessary to enable
> enum users and groups? I ask because with a student population of more than
> 13,000 I do not want to choke either my server or the university's server
> by making a request for that large a number of people. And if one can get
> away without, what are the side effects? For example, the university's
> server has faculty and staff in a separate group from the students, such
> that an authentication call via wbinfo requires specifying for example
> FACULTY+John_Doe and STUDENT+Dave_Smith to work correctly. This was the one
> remaining hitch I did have: I used an account in the FACULTY group to bind
> my server to the AD server and thereafter had no issues with authenticating
> myself with samba, but I could not get it to work for any students.
>
> Thanks in advance!
>
> Joel
>
> --
> Asst. Prof. Joel M. Therrien
> Ph: 978-934-3324
> Fax: 978-934-3027
> Joel_Therrien at uml.edu
> Dept. of Electrical & Computer Engineering
> U. Massachusetts-Lowell
> 1 University Ave
> Lowell, MA 01854
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Robert LeBlanc
2009-Dec-11 22:07 UTC
[Samba] Starting from scratch... and Active Directory
On Fri, Dec 11, 2009 at 12:57 PM, Joel Therrien <Joel_Therrien at uml.edu> wrote:

> Hello,
>
> Due to a couple of circumstances, I am rebuilding my file server. In the
> process I want to see if I can iron out the last few issues I have had with
> getting active directory authentication to work. Ideally I would appreciate
> it if anyone can provide a link to a website that gives decently detailed
> instructions for setting up samba with user authentication via Active
> Directory running on a windows server 2008 box. If it matters, I will be
> installing Debian squeeze, since I believe that version has a version of
> samba that is able to work with 2008 (our IT department upgraded over the
> weekend and thus broke my authentication).
>
> On top of that, one other question: Is it absolutely necessary to enable
> enum users and groups? I ask because with a student population of more than
> 13,000 I do not want to choke either my server or the university's server
> by making a request for that large a number of people. And if one can get
> away without, what are the side effects? For example, the university's
> server has faculty and staff in a separate group from the students, such
> that an authentication call via wbinfo requires specifying for example
> FACULTY+John_Doe and STUDENT+Dave_Smith to work correctly. This was the one
> remaining hitch I did have: I used an account in the FACULTY group to bind
> my server to the AD server and thereafter had no issues with authenticating
> myself with samba, but I could not get it to work for any students.

This works very well in our environment (Windows 2008 DCs) with trusted domains. I would suggest using idmap backend = hash over anything else if you are using 3.4.x; it is consistent across machines without having to worry about much configuration. You will be able to login both your FACULTY+user and STUDENT+user without any problem in this configuration.

Beware that if you are doing AD logins to the box that you may have to disable the kerberos method = system keytab. There is a bug that prevents password challenges if you don't have a Kerberos ticket on your machine (if you have a Kerberos ticket on your machine and ssh in, then it works fine because it doesn't challenge for a password). It is suspected that the cause of this is the cache file option in PAM; you could probably disable that instead (for more info see https://bugzilla.samba.org/show_bug.cgi?id=6833). If you are not using Kerberos for login, just comment out the line in smb.conf; regular file share requests will still use Kerberos.

Our AD domain is delegated by our campus DNS servers; we don't have to change the DHCP settings to get things to work. If your campus has not delegated the AD DNS domain, it might be wise to have them look into it. All that needs to happen is they put in the DC addresses as the NS for that domain or sub-domain.

    #======================= Global Settings ======================
    [global]
       workgroup = ad
       realm = AD.LOCAL
       preferred master = no
       server string = %h server
       dns proxy = no

    #### Debugging/Accounting ####
       log file = /var/log/samba/log.%m
       max log size = 1000
       syslog = 0
       panic action = /usr/share/samba/panic-action %d

    ####### Authentication #######
       security = ADS
       encrypt passwords = true
       passdb backend = tdbsam
       obey pam restrictions = yes
       invalid users = root
       unix password sync = yes
       passwd program = /usr/bin/passwd %u
       passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
       pam password change = yes
       guest account = nobody
       map to guest = bad user

    ########## Printing ##########
       load printers = no
       printing = bsd
       printcap name = /dev/null
       show add printer wizard = no
       disable spoolss = yes

    ############ Misc ############
       idmap backend = hash
       winbind nss info = hash
       winbind use default domain = yes
       winbind separator = +
       winbind enum groups = no
       winbind enum users = no
       winbind nested groups = yes
       template homedir = /ls/users/%U
       template shell = /bin/bash
       winbind refresh tickets = yes
       kerberos method = system keytab
       winbind offline logon = yes
    #   get quota command = /root/sambaquota.sh

    #======================= Share Definitions ======================

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
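The two replies above give two idmap approaches (the rid backend with a 10000-20000 range, and the hash backend with enumeration switched off) for a directory of more than 13,000 students. The following is an added example, not code from either poster, that parses constructed smb.conf fragments built from their settings and flags the two operational risks the thread raises: a rid range too small for the expected number of RIDs (idmap_rid computes unix id = RID - base_rid + range_low, so RIDs beyond the range get no uid/gid), and winbind enumeration left on against a large directory. The 13,000 figure comes from the question; the parser, the check names and the 1000-principal threshold for the enumeration warning are this example's own assumptions.

```python
import re

# Constructed smb.conf fragments for this example, built from the settings the
# two replies posted; they are not copied from a real server.
RID_CONF = """
[global]
   realm = AD.MYDOMAIN.LOCAL
   security = ADS
   idmap domains = AD
   idmap config AD:backend = rid
   idmap config AD:base_rid = 0
   idmap config AD:range = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
"""

HASH_CONF = """
[global]
   realm = AD.LOCAL
   security = ADS
   idmap backend = hash
   winbind nss info = hash
   winbind use default domain = yes
   winbind separator = +
   winbind enum groups = no
   winbind enum users = no
"""

EXPECTED_RIDS = 13000  # student population from the question; groups add more


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.
    Parameter names are lower-cased with internal whitespace collapsed,
    which is how Samba matches them ("idmap config AD:range" ->
    "idmap config ad:range")."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comment lines
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                 # [section] header
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        sections[current][" ".join(name.lower().split())] = value.strip()
    return sections


def rid_capacity(global_section, domain):
    """Return (number of RIDs the rid backend can map for `domain`, highest
    RID that fits), or None if the domain is not mapped with the rid backend.
    idmap_rid maps unix id = RID - base_rid + range_low, so any RID above
    base_rid + (range_high - range_low) gets no uid/gid at all."""
    prefix = f"idmap config {domain.lower()}:"
    if global_section.get(prefix + "backend") != "rid":
        return None
    low, high = (int(x) for x in global_section[prefix + "range"].split("-"))
    base_rid = int(global_section.get(prefix + "base_rid", "0"))
    capacity = high - low + 1
    return capacity, base_rid + capacity - 1


def check_winbind(conf, domain, expected_rids):
    """Return a list of findings for the idmap/winbind settings of one config."""
    g = conf["global"]
    findings = []
    cap = rid_capacity(g, domain)
    if cap is not None and cap[0] < expected_rids:
        findings.append(
            f"idmap config {domain}:range maps only {cap[0]} RIDs (highest RID "
            f"{cap[1]}), fewer than the {expected_rids} expected; accounts with "
            "larger RIDs resolve to no uid/gid and are refused")
    for what in ("users", "groups"):
        # 1000 is an arbitrary threshold for this example
        if g.get(f"winbind enum {what}", "no") == "yes" and expected_rids > 1000:
            findings.append(
                f"winbind enum {what} = yes lets any getpwent()/getgrent() walk "
                f"(e.g. `getent passwd`) pull the whole {what} list from the DC")
    return findings


if __name__ == "__main__":
    for label, text in (("rid config", RID_CONF), ("hash config", HASH_CONF)):
        problems = check_winbind(parse_smb_conf(text), "AD", EXPECTED_RIDS)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

Run against the first reply's settings the check reports three findings (the 10000-20000 range covers only 10,001 RIDs, and both enumeration options are on); the hash-backend fragment with enumeration disabled produces none, which is the shape of the configuration Robert recommends for this population size.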