Saturday, August 14, 2010

Samba Implementation with Active Directory Authentication in Linux


Advantages:

1. Administrators don't need to create or maintain separate accounts for Samba shares; the AD account is the only identity.
2. Users don't need to remember a separate password for Samba.
3. Users can change their Samba password (it is their AD password) without the system administrator's help.
4. Users' home drives can be mapped via a login script when they log in to their PCs, laptops or Citrix sessions.

Implementation:

We are going to use Kerberos authentication against the domain controllers. Two files need to be edited to achieve this:
a. /etc/samba/smb.conf
b. /etc/krb5.conf
Before touching either, make sure the Linux host's clock is within Kerberos' default five-minute skew of the domain controllers (point ntpd at a DC) and that it can resolve the domain controller by DNS; both are needed for kinit and the join to succeed.
Edit /etc/samba/smb.conf as follows (replace the values in parentheses with your own):

#========== Global Settings ========

[global]

log file = /var/log/samba/%m.log
max log size = 50
server string = Samba Server
# Kerberos realm, i.e. the AD DNS domain in upper case
realm = (DOMAIN NAME IN CAPS)
# NetBIOS (short) name of the domain, 15 characters at most
workgroup = (Netbios name of domain)
# Authenticate against AD with Kerberos instead of local accounts
security = ADS
# Optional when DNS SRV records work; pinning one DC avoids depending on site lookups
password server = (domain controller name)
wins server = (wins server name)
dns proxy = no
pam password change = yes
# winbind settings so AD users appear as Unix accounts (the [homes] share needs this);
# choose an ID range that does not collide with local /etc/passwd and /etc/group entries
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
# the directory must exist, e.g. created by pam_mkhomedir at first logon
template homedir = /home/%D/%U
template shell = /bin/bash

#======= Share Definitions =========

[homes]
comment = Home Directories
browseable = no
writable = yes
# only the owner of a home directory may connect to it
valid users = %S

[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
writeable = no
# guest ok allows unauthenticated printing; set it to no if every print job must be tied to an AD user
guest ok = yes
use client driver = yes

Then edit /etc/krb5.conf as follows:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# must match 'realm' in smb.conf exactly (upper case)
default_realm = (DOMAIN NAME IN CAPS)
# KDCs are listed explicitly below, so DNS SRV lookups are disabled;
# set both to true instead if you prefer to discover DCs from DNS
dns_lookup_realm = false
dns_lookup_kdc = false
# lifetimes without a unit are in seconds (24000 s = 6h40m)
ticket_lifetime = 24000

[realms]
(DOMAIN NAME IN CAPS) = {
# any domain controller; add a second 'kdc =' line for redundancy
kdc = (domain controller server):88
# AD does not run kadmind; this line is unused but harmless
admin_server = (domain controller server):749
default_domain = (domain name)
}

[domain_realm]
# both forms are needed: hosts under the domain, and the bare domain name itself
.(domain name) = (DOMAIN NAME IN CAPS)
(domain name) = (DOMAIN NAME IN CAPS)

[kdc]
# only meaningful for a local KDC; left over from the distribution default
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Now run the following commands in a terminal. Use an account that has been delegated the right to create computer objects in the target OU rather than a Domain Admin; the join needs nothing more than that right.

kinit administrator@(DOMAIN NAME IN CAPS)

net ads join -U administrator

service winbind start

You will be asked for the account's AD password. On success, net prints a line like "Joined 'HOSTNAME' to realm '(domain name)'" and exits with status 0; an error message means the join did not happen, so do not continue until it succeeds. Then verify the join from the Linux side:

net ads testjoin
wbinfo -t
wbinfo -u

For AD users to appear as Unix accounts (which the [homes] share relies on), add winbind to the passwd and group lines in /etc/nsswitch.conf, for example "passwd: files winbind" and "group: files winbind", and confirm with getent passwd (username). Now you are done with the setup. :)
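As an added example that is not part of the original post, the POSIX shell script below lints an smb.conf and krb5.conf for the settings the AD join depends on (security = ADS, an upper-case realm that matches krb5.conf's default_realm, a NetBIOS-length workgroup, and no share-level path parameter left in [global]) and wraps the post-join verification commands in one function. EXAMPLE.COM and dc1.example.com in the demo are placeholders, not real systems; net, wbinfo and getent are the real Samba and glibc tools.

```shell
#!/bin/sh
# Added example, not part of the original post: offline sanity checks for the
# smb.conf / krb5.conf pair above, plus the post-join verification commands.
# Realm and host names used in the demo (EXAMPLE.COM, dc1.example.com) are
# placeholders, not real systems.

# Print the value of one [global] parameter from an smb.conf (key match is
# case-insensitive, whitespace around '=' is ignored, '#'/';' comments skipped).
smb_global_value() {
  awk -v key="$2" '
    /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
    insec && !/^[ \t]*[#;]/ && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (tolower(k) == tolower(key)) {
        v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# Print default_realm from the [libdefaults] section of a krb5.conf.
krb5_default_realm() {
  awk '
    /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next }
    insec && /^[ \t]*default_realm[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
    }' "$1"
}

# Check the settings the AD join depends on. Returns 0 when clean, 1 otherwise,
# printing one line per problem found.
lint_smb_conf() {
  conf=$1; rc=0
  sec=$(smb_global_value "$conf" security)
  realm=$(smb_global_value "$conf" realm)
  wg=$(smb_global_value "$conf" workgroup)
  stray=$(smb_global_value "$conf" path)

  case "$(printf '%s' "$sec" | tr 'a-z' 'A-Z')" in
    ADS) ;;
    *) echo "security must be ADS for Kerberos/AD logons (got '${sec:-unset}')"; rc=1 ;;
  esac
  if [ -z "$realm" ]; then
    echo "realm is not set"; rc=1
  elif [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
    echo "realm must be the Kerberos realm in upper case (got '$realm')"; rc=1
  fi
  if [ -z "$wg" ]; then
    echo "workgroup (NetBIOS domain name) is not set"; rc=1
  elif [ ${#wg} -gt 15 ]; then
    echo "workgroup '$wg' exceeds the 15-character NetBIOS limit"; rc=1
  fi
  if [ -n "$stray" ]; then
    echo "'path' is a share-level parameter; drop it from [global] (found '$stray')"; rc=1
  fi
  return $rc
}

# smb.conf 'realm' and krb5.conf 'default_realm' must be the same string, or
# kinit and net ads join end up talking to different realms.
check_realms_match() {
  smb=$(smb_global_value "$1" realm)
  krb=$(krb5_default_realm "$2")
  [ -n "$smb" ] && [ "$smb" = "$krb" ]
}

# Online checks to run after 'net ads join' (needs samba and winbind installed;
# not exercised offline). $1 is an AD user name to resolve.
verify_join() {
  net ads testjoin || return 1        # machine account and secret still valid
  wbinfo -t        || return 1        # winbind can authenticate with the trust secret
  wbinfo -u | head -n 5               # a few AD users seen through winbind
  getent passwd "$1"                  # only works with 'winbind' in /etc/nsswitch.conf
}

# Demo on a constructed smb.conf mirroring the post's [global] section,
# including the stray 'path' line the original configuration carried.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[global]
realm = EXAMPLE.COM
workgroup = EXAMPLE
security = ADS
password server = dc1.example.com
path = /var/spool/cups
EOF
lint_smb_conf "$demo_conf" || echo "fix smb.conf before running 'net ads join'"
rm -f "$demo_conf"
```

Run it on the real files with lint_smb_conf /etc/samba/smb.conf and check_realms_match /etc/samba/smb.conf /etc/krb5.conf before the join; after the join, verify_join (username) exercises the same checks the commands above do, stopping at the first failure so a broken machine account is not masked by a later step.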