Join SAMBA to Active Directory domain and File, Directory, and Share Access Controls
Step 1: Install the Required Packages
Code:
apt-get install krb5-user
apt-get install winbind samba
Step 2: Edit the /etc/krb5.conf File
Code:
[libdefaults]
default_realm = CONNECTA.LOCAL
ticket_lifetime = 24000
[realms]
CONNECTA.LOCAL = {
kdc = mercury.connecta.local
admin_server = mercury.connecta.local
default_domain = CONNECTA.LOCAL
}
[domain_realm]
.connecta.local = CONNECTA.LOCAL
connecta.local = CONNECTA.LOCAL
.kereberos.server = mercury.connecta.local
Step 3: Edit /etc/samba/smb.conf
Notes: Change the "netbios name" parameter to be correct for the server. Make a backup copy of the original file first!
1) Make the edits. The configuration shown is the bare minimum and doesn't share anything.
Code:
[global]
workgroup = CONNECTA
security = ads
netbios name = COPPELIUS001
realm = CONNECTA.LOCAL
preferred master = yes
encrypt passwords = yes
log file = /var/log/samba/%m
winbind separator = +
password server = mercury.connecta.local
idmap uid = 600-20000
idmap gid = 600-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
guest account = nobody
template shell = /bin/bash
nt acl support = true
2) Test the configuration with the "testparm" command
Code:
testparm
Step 4: Edit /etc/nsswitch.conf to look like the example below
Code:
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Step 5: Modify the PAM settings
1) /etc/pam.d/common-account should contain only the following lines
Code:
account sufficient pam_winbind.so
account required pam_unix.so
2) /etc/pam.d/common-auth should contain only the following lines
Code:
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below
Code:
password required pam_unix.so nullok obscure min=4 max=50 md5
4) Make sure the /etc/pam.d/common-session file contains the following line
Code:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Step 6: Make a directory to hold domain user home directories
Note: DOMAIN is the value you put in the "workgroup" parameter of /etc/samba/smb.conf (CONNECTA in this example)
Code:
mkdir /home/DOMAIN
Step 7: Initialize Kerberos
1) Code:
kinit domain_admin_account@CONNECTA.LOCAL
Next, check that you received a ticket from the domain controller. It is possible that kinit fails for the ADMINISTRATOR account; in that case you must change the ADMINISTRATOR password in Active Directory.
2) klist shows the current ticket(s):
Code:
klist
Step 8: Join the system to the domain. Set the computer name in /etc/hosts to the fully qualified name (example: aspirin.CONNECTA.LOCAL)
Code:
net ads join -U administrator@CONNECTA.LOCAL
Error:
kinit(v5): Clock skew too great while getting initial => the time on the server and the client is not the same and must be synchronized.
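The two failures above (no ticket in the cache, and clock skew at join time) can be checked before running "net ads join". The following POSIX shell script is an added example, not part of the original post; the realm name, epoch times and the klist listing in it are constructed so that it runs offline. On a real host you would pipe the live "klist" output into klist_has_tgt and pass "date +%s" together with the domain controller's time (for example read from "net time -S mercury.connecta.local") into clock_skew_ok.

```sh
#!/bin/sh
# Added example, not part of the original post: two pre-join checks that catch the
# failures described in Steps 7 and 8 (no ticket, or clock skew).
# Assumptions: realm name and all sample values below are constructed.

KRB_MAX_SKEW=300   # krb5 default clock skew tolerance, in seconds (5 minutes)

# Constructed sample of klist output after a successful kinit.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@CONNECTA.LOCAL

Valid starting       Expires              Service principal
05/01/2009 10:00:00  05/01/2009 16:40:00  krbtgt/CONNECTA.LOCAL@CONNECTA.LOCAL'

# klist_has_tgt REALM   (reads klist output on stdin)
# Succeeds only if the cache holds a ticket-granting ticket for REALM.
klist_has_tgt() {
    grep -q "krbtgt/$1@$1"
}

# skew_seconds LOCAL_EPOCH KDC_EPOCH   -> prints |LOCAL - KDC|
skew_seconds() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    printf '%s\n' "$d"
}

# clock_skew_ok LOCAL_EPOCH KDC_EPOCH
# Succeeds when the difference is within the Kerberos tolerance; a larger
# difference is exactly what produces "Clock skew too great".
clock_skew_ok() {
    [ "$(skew_seconds "$1" "$2")" -le "$KRB_MAX_SKEW" ]
}

# Stand-alone run on the constructed data (replace with live values on a real host):
#   klist | klist_has_tgt CONNECTA.LOCAL
#   clock_skew_ok "$(date +%s)" "<KDC epoch time, e.g. taken from net time -S mercury.connecta.local>"
if printf '%s\n' "$SAMPLE_KLIST" | klist_has_tgt CONNECTA.LOCAL; then
    echo "TGT for CONNECTA.LOCAL present"
else
    echo "no TGT for CONNECTA.LOCAL - run kinit first"
fi
if clock_skew_ok 1241172000 1241172120; then
    echo "clock skew within ${KRB_MAX_SKEW}s"
else
    echo "clock skew too large - synchronize time with the domain controller"
fi
```

Keeping the skew check separate from the ticket check matters because kinit itself fails on skew, so an empty ticket cache can have either cause.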
Step 9: Restart Samba-related Services (Or reboot the server)
Note: The order is important
Code:
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
Step 8: Enable ACL (Access Control List) support for the file system
Code:
mount / -o remount,acl
If you want to add it at startup, edit /etc/fstab in the following way:
/dev/hda1 / ext3 defaults,acl 0 0
Now install the ACL tools, which let us assign ACLs to files:
Code:
apt-get install acl
Step 9: Make a directory for sharing
Example:
Code:
mkdir /home/masoud/share/newtest
chgrp "Domain Users" /home/masoud/share/newtest
Step 10: add share properties in smb.conf
Code:
[newtest]
path = /data
available = yes
browsable = yes
read only = no
public = yes
writable = yes
security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0
nt acl support = yes
store dos attributes = yes
dos filemode = yes
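The [newtest] share above combines "public = yes" (a synonym for "guest ok = yes", so unauthenticated users are mapped to the guest account, "nobody" in the [global] section) with write access. The following POSIX shell script is an added example, not code from the original post: it audits an smb.conf for every share that is both guest-accessible and writable, applying the later-setting-wins rule Samba uses within a section. The smb.conf excerpt inside it is constructed; run it against /etc/samba/smb.conf as shown in the usage comment.

```sh
#!/bin/sh
# Added example, not part of the original post: list shares in smb.conf that
# combine guest access ("public" / "guest ok") with write access, as the
# [newtest] share in Step 10 does. Assumption: the excerpt below is constructed.

SAMPLE_SMB_CONF='[global]
workgroup = CONNECTA
security = ads
guest account = nobody

[newtest]
path = /data
public = yes
read only = no
writable = yes
nt acl support = yes

[reports]
path = /srv/reports
guest ok = yes
read only = yes

[homes]
browsable = no
writable = yes'

# audit_guest_writable_shares   (reads smb.conf on stdin)
# Prints the name of every share that guests can write to. Boolean values are
# accepted as yes/true/1; a later setting in a section overrides an earlier one.
audit_guest_writable_shares() {
    awk '
    function istrue(v) { return v == "yes" || v == "true" || v == "1" }
    function flush() {
        if (section != "" && tolower(section) != "global" && guest && writable)
            print section
    }
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^[ \t]*\[/ {                               # new section header
        flush()
        section = $0
        sub(/^[ \t]*\[/, "", section)
        sub(/][ \t]*$/, "", section)
        guest = 0; writable = 0
        next
    }
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        key = tolower(key); val = tolower(val)
        if (key == "public" || key == "guest ok")     guest = istrue(val)
        if (key == "writable" || key == "writeable")  writable = istrue(val)
        if (key == "read only")                       writable = !istrue(val)
    }
    END { flush() }
    '
}

# Usage on a real host:  audit_guest_writable_shares < /etc/samba/smb.conf
printf '%s\n' "$SAMPLE_SMB_CONF" | audit_guest_writable_shares
```

On the constructed input only "newtest" is reported: [reports] is guest-readable but read-only, and [homes] is writable but not guest-accessible.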
Step 11-1: Share permission management in WINDOWS
1. Launch the NT4 Server Manager and click on the Samba server you want to administer. From the menu select Computer, then click on Shared Directories.
2. Click on the share that you wish to manage and click the Properties tab, then click the Permissions tab. Now you can add or change access control settings as you wish.
or:
from Control Panel -> Administrative Tools run Computer Management:
1. After launching the MMC with the Computer Management snap-in, click the menu item Action and select Connect to another computer. If you are not logged onto a domain you will be prompted to enter a domain login user identifier and a password. This will authenticate you to the domain. If you are already logged in with administrative privilege, this step is not offered.
2. If the Samba server is not shown in the Select Computer box, type in the name of the target Samba server in the field Name:. Now click on the [+] next to System Tools, then on the [+] next to Shared Folders in the left panel.
3. In the right panel, double-click on the share on which you wish to set access control permissions. Then click the tab Share Permissions. It is now possible to add access control entries to the shared folder. Remember to set what type of access (full control, change, read) you wish to assign for each entry.
Warning:
Be careful. If you take away all permissions from the Everyone user without removing this user, effectively no user will be able to access the share. This is a result of what is known as ACL precedence. Everyone with no access means that MaryK who is part of the group Everyone will have no access even if she is given explicit full control access.
Step 11-2: Share permission management in UBUNTU
setfacl: This utility sets Access Control Lists (ACLs) of files and directories.
-R : Recursive
-m : Modify
-x : Delete
Code:
setfacl -R -m user:suresh:rwx /home/share/newtest
getfacl: This utility shows the Access Control Lists (ACLs) of files and directories.
Code:
getfacl /home/share/newtest
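Two things bite in practice after "setfacl -R -m user:suresh:rwx": the entry only covers files that already exist (a default ACL, set with "setfacl -d -m ...", is what new files created through the share inherit), and a later "chmod" on the directory rewrites the ACL mask, which silently cuts the named entry down. getfacl marks such entries with a "#effective:" annotation. The following POSIX shell script is an added example, not code from the original post: it lists every entry the mask restricts and computes the effective permissions for a given entry and mask. The getfacl listing inside it is constructed; on a real host pipe "getfacl /home/share/newtest" into acl_masked_entries.

```sh
#!/bin/sh
# Added example, not part of the original post: detect ACL entries that the mask
# silently restricts. getfacl prints "#effective:" next to such entries.
# Assumption: the getfacl listing below is constructed.

SAMPLE_GETFACL='# file: newtest
# owner: root
# group: Domain Users
user::rwx
user:suresh:rwx                 #effective:r-x
group::r-x
group:Domain Users:rwx          #effective:r-x
mask::r-x
other::---'

# effective_perms GRANTED MASK   -> prints the rwx string of GRANTED & MASK
# This is what the kernel actually enforces for named user/group entries.
effective_perms() {
    granted=$1; mask=$2; out=""; i=1
    while [ "$i" -le 3 ]; do
        g=$(printf '%s' "$granted" | cut -c "$i")
        m=$(printf '%s' "$mask" | cut -c "$i")
        if [ "$g" != "-" ] && [ "$g" = "$m" ]; then out="$out$g"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# acl_masked_entries   (reads getfacl output on stdin)
# Prints "entry -> effective" for every entry the mask cuts down.
acl_masked_entries() {
    awk '/#effective:/ {
        entry = $0; sub(/[ \t]+#effective:.*/, "", entry)
        eff = $0;   sub(/.*#effective:/, "", eff)
        print entry " -> " eff
    }'
}

# Stand-alone run on the constructed data; on a real host use:
#   getfacl /home/share/newtest | acl_masked_entries
printf '%s\n' "$SAMPLE_GETFACL" | acl_masked_entries
effective_perms rwx r-x
```

When acl_masked_entries reports anything, re-running setfacl on the entry (without -n) recalculates the mask; the command "setfacl -m m::rwx <dir>" raises it explicitly.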
=========================================================================
Map a Windows Folder to an Ubuntu Directory:
kinit suresh@CONNECTA.LOCAL
sudo mount -t cifs -o username=suresh //192.168.0.1/C$ /home/share/suresh