Samba and Active Directory Authentication
Computer, Linux, Windows
March 19th, 2009
Using a Samba Fileserver authenticating users against an Active Directory Domain Controller
Goal: Using a Linux (Debian 3.1, sarge) as a Fileserver for a Windows Network
To do this, the Linux machine will query the Windows Domain Controller for usernames and passwords. This is done using the winbind daemon. The daemon also maps Linux UIDs and GIDs to Windows SIDs (a Windows account has a unique SID, which differs even if you delete and recreate an account with the same name).
Software
Used software: Debian, Samba 3, Kerberos
Kerberos packages:
Samba packages: apt-get install samba-common samba winbind smbclient
Utility packages
List of package versions at the time of writing:
krb5-config 1.6
krb5-user 1.3.6-2sarge2
libkrb53 1.3.6-2sarge2
libpam-krb5 1.0-12
samba-common 3.0.14a-3
samba 3.0.14a-3
winbind 3.0.14a-3
smbclient 3.0.14a-3
Configuration
Kerberos
The Kerberos configuration sits in /etc/krb5.conf. We add a default_realm and the KDC servers for that realm (realm names are uppercase, so write them in uppercase here too).
# file /etc/krb5.conf
[libdefaults]
default_realm = MY.ACTIVE.DIRECTORY
...
[realms]
MY.ACTIVE.DIRECTORY = {
kdc = dc1.active.directory
kdc = dc2.active.directory
kdc = dc3.active.directory
...
admin_server = dc1.active.directory
}
...
Now we can check whether we can authenticate a user against the Active Directory:
debian:~# kinit administrator
Password for administrator@MY.ACTIVE.DIRECTORY
debian:~#
Winbind
The winbind daemon maps users and groups from the Active Directory to Linux. For this we tell winbind which ID range and which domain prefix (the winbind separator) it should use. A mapping is created the first time an account is used and is stored in a file database in the Samba lock directory, /var/lib/samba/winbindd_idmap.tdb.
The configuration sits in smb.conf:
# file /etc/samba/smb.conf
[global]
workgroup = ADGROUP
security = ADS
realm = MY.ACTIVE.DIRECTORY
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
auth methods = winbind
...
# the share we will use to test it, make sure path is
# valid and writeable
[testshare]
comment = Test Share using Active Directory
read only = no
path = /data/test
valid users = @"ADGROUP+domain users"
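Before joining, it is worth checking that the two files above agree with each other and with the post's rules (uppercase realm, security = ADS, an idmap range that stays clear of local accounts). The script below is an added example, not part of the original post; it writes constructed sample copies of krb5.conf and smb.conf to a temp dir so it runs offline, and it assumes local UIDs on the Debian box stay below 1000.

```shell
# Added example (not from the post): sanity checks on /etc/krb5.conf and
# /etc/samba/smb.conf before "net ads join". Constructed sample files are
# written to a temp dir so it runs offline; pass the real paths on a host.
TMP=$(mktemp -d)
cat >"$TMP/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = MY.ACTIVE.DIRECTORY
[realms]
    MY.ACTIVE.DIRECTORY = {
        kdc = dc1.active.directory
        admin_server = dc1.active.directory
    }
EOF
cat >"$TMP/smb.conf" <<'EOF'
[global]
    workgroup = ADGROUP
    security = ADS
    realm = MY.ACTIVE.DIRECTORY
    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
EOF
# Broken variant: lowercase realm and an idmap range overlapping local UIDs.
sed -e 's/MY\.ACTIVE\.DIRECTORY/my.active.directory/' \
    -e 's/10000-20000/500-20000/' "$TMP/smb.conf" >"$TMP/bad.conf"

# First "key = value" match in an ini-style file ($1 = file, $2 = key).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
fail() { echo "problem: $1"; n=$((n+1)); }

# $1 = krb5.conf, $2 = smb.conf. Prints each finding; returns the number
# of problems (0 = consistent). Assumption: local UIDs are all below 1000.
check_ad_config() {
    krb_realm=$(ini_get "$1" default_realm)
    smb_realm=$(ini_get "$2" realm)
    low=$(ini_get "$2" 'idmap uid'); low=${low%%-*}
    n=0
    [ -n "$krb_realm" ] && [ "$krb_realm" = "$(upper "$krb_realm")" ] || fail "default_realm missing or not uppercase"
    grep -q '^[[:space:]]*kdc[[:space:]]*=' "$1" || fail "no kdc entry in $1"
    [ "$smb_realm" = "$krb_realm" ] || fail "smb.conf realm '$smb_realm' differs from default_realm"
    [ "$(upper "$(ini_get "$2" security)")" = ADS ] || fail "security must be ADS"
    case $low in
        ''|*[!0-9]*) fail "idmap uid range unreadable" ;;
        *) [ "$low" -ge 1000 ] || fail "idmap uid starts at $low, inside local UID space" ;;
    esac
    return $n
}
```

Run `check_ad_config /etc/krb5.conf /etc/samba/smb.conf` on the real host; a non-zero exit means at least one finding was printed.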
Start the winbind daemon (/etc/init.d/winbind start); now we can list the users from the Active Directory:
debian:~# wbinfo -u
ADGROUP+administrator
ADGROUP+guest
ADGROUP+chandel
...
Samba
Next we get a Kerberos ticket and join our server to the Active Directory:
debian:~# kinit administrator
Password for administrator@MY.ACTIVE.DIRECTORY
debian:~# net ads join
Using short domain name -- ADGROUP
Joined 'DEBIAN' to realm 'MY.ACTIVE.DIRECTORY'
PAM
So far so good. We can authenticate using Kerberos tickets, and Samba knows how to get user IDs and groups. But we also need to tell the operating system about these user IDs. This is done using PAM: we tell PAM that the samba service takes its auth and account checks from winbind.
# File /etc/pam.d/samba
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
And we tell the system that it can get user information (ID, name, home directory, etc.) not only from /etc/passwd but also from winbind:
# File /etc/nsswitch.conf
...
passwd: compat winbind
group: compat winbind
shadow: compat
...
Test it by listing the accounts known to the system:
debian:~# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
...
ADGROUP+administrator:x:10001:10000:Administrator:/home/ADGROUP/administrator:/bin/false
ADGROUP+guest:x:10002:10001:Guest:/home/ADGROUP/guest:/bin/false
...
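The getent output above is also the place to catch idmap mistakes: every domain account (name containing the winbind separator) must have a UID inside the idmap range, and no local account may sit inside it, otherwise a domain user and a local user can end up owning each other's files. The check below is an added example, not part of the original post; it works on a constructed getent passwd dump and takes the range and separator from this post's smb.conf.

```shell
# Added example (not from the post): compare "getent passwd" output with the
# idmap range and winbind separator from smb.conf. A domain account mapped
# outside the range, or a local account inside it, means the two identity
# sources can collide. Constructed sample output; on a real host run
#   getent passwd > /tmp/passwd.txt   and point the function at that file.
TMP=$(mktemp -d)
cat >"$TMP/passwd.txt" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
chandel:x:1001:1001:Local Chandel:/home/chandel:/bin/bash
ADGROUP+administrator:x:10001:10000:Administrator:/home/ADGROUP/administrator:/bin/false
ADGROUP+guest:x:10002:10001:Guest:/home/ADGROUP/guest:/bin/false
ADGROUP+stale:x:25000:10000:Stale mapping:/home/ADGROUP/stale:/bin/false
svc_backup:x:10050:10050:Local service:/var/backups:/bin/false
EOF

# $1 = passwd dump, $2 = idmap low, $3 = idmap high, $4 = winbind separator.
# Prints each offending entry; the return value is the number of them.
check_idmap_entries() {
    awk -F: -v low="$2" -v high="$3" -v sep="$4" '
        {
            domain  = (index($1, sep) > 0)
            inrange = ($3 >= low && $3 <= high)
            if (domain && !inrange) { print "domain account outside idmap range: " $1 " uid=" $3; bad++ }
            if (!domain && inrange) { print "local account inside idmap range: " $1 " uid=" $3; bad++ }
        }
        END { exit bad + 0 }' "$1"
}

# Wrapper using the values from this post's smb.conf (10000-20000, "+").
check_post_defaults() { check_idmap_entries "$1" 10000 20000 '+'; }
```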
Test
Test it using our own server as a Linux client. We get a ticket and connect to the share using this ticket. Then we put a file there and check in the filesystem who owns the file.
debian:~# kinit administrator
Password for administrator@MY.ACTIVE.DIRECTORY
debian:~# touch hello_world.txt
debian:~# smbclient //fileservername/testshare -k
OS=[Unix] Server=[Samba 3.0.14a-Debian]
smb: \> put hello_world.txt
putting file hello_world.txt as \hello_world.txt (0.0 kb/s) (average nan kb/s)
smb: \> quit
debian:~# ls -l /data/test/hello_world.txt
-rwxr--r-- 1 ADGROUP+administrator ADGROUP+domain users 0 2005-07-22 13:37 /data/test/hello_world.txt
debian:~#
Hints
Kerberos relies on synchronized time between the client (the Linux box) and the server (the domain controller). Keep your machines in sync using ntpd or ntpdate.
April 7th, 2009 at 10:58 am
[...] http://www.simsonlai.org/samba-and-active-directory-authentication/ [...]
April 8th, 2009 at 9:30 pm
If you ever want to see a reader’s feedback, I rate this article for 4/5. Detailed info, but I have to go to that damn google to find the missed pieces. Thanks, anyway!
April 15th, 2009 at 8:59 am
Hey, nice tips. Perhaps I’ll buy a bottle of beer to that person from that chat who told me to visit your blog
April 16th, 2009 at 7:55 am
Great tips! Been a while since I visited your blog, Simson, but this samba article really saved my butt!! Could you publish also some article about configuring ISA server?
April 23rd, 2009 at 2:41 am
Great post! This is why I love blogging. Always something interesting to read, watch and enjoy. It keeps the mind active. Thanks, Amy x.
July 31st, 2009 at 1:35 am
Great post, but… couple of queries. Trying to create a web directory on a Ubuntu server, that authenticated users (AD) can drop files for the web in. Can give them access through Samba, but can’t add AD users to the file permissions, so they still can’t write to the directory….?
Thanks.
July 31st, 2009 at 4:33 am
Sorry… Can get it to work for an AD user, but can it work for an AD group? Have tried putting @”DOMAIN\group_name” in but does not seem to work. Thanks.
August 3rd, 2009 at 7:25 pm
Try to add these lines to your share section:
create mask = 0777
directory mask = 0777
February 22nd, 2010 at 10:29 pm
Great!!!!! Simson, I tried for 3 days and finally grant access to AD group. AD user no problem, but AD group only with your lines! Thanx