Samba - Pass-through Active Directory authentication

This article describes how to use Samba to create a share on a Debian Linux system and allow pass-through authentication for Windows workstations that are already authenticated to an Active Directory server. The instructions should be much the same on other Linux distributions, but the paths to the files and the way you install the software will differ.

These are not exact instructions, but should provide you with most of the steps required.

First you need to install the required packages:

apt-get install samba

When you are prompted for a domain, enter the short (NetBIOS) domain name. When it asks if you want to use encrypted passwords, answer yes. When it asks if you want to create a password database, answer yes.

apt-get install winbind

apt-get install krb5-user

When prompted for a realm, enter the full domain name (e.g. exampledomain.com). You will be asked for the domain controllers for the domain and the password server. Enter at least one (ideally all) of the domain controllers for your domain.

You now need to edit the file /etc/samba/smb.conf. Leave the default settings that were created as they are (unless you're doing something other than plain file sharing). The following is ONLY a list of the changes required and is NOT a complete configuration file.

workgroup = EXAMPLE
wins server = <IP address of your WINS server>
security = ads
encrypt passwords = true
obey pam restrictions = yes

idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
realm = EXAMPLEDOMAIN.COM
client schannel = no
password server = myserver.exampledomain.com
winbind use default domain = yes

[myshare]
        comment = This is my share
        path = /data/myshare
        valid users = @"Domain Users"
        public = no
        writable = yes

So, in the example configuration changes above, EXAMPLE is the short NetBIOS domain name and EXAMPLEDOMAIN.COM is the full (DNS) Active Directory domain name for the same domain. myserver.exampledomain.com is a domain controller for the domain. In the example I've also shown how to create a share (called myshare) and specify which Windows group can access it.

You should now restart the Samba and Winbind services.

/etc/init.d/samba restart
/etc/init.d/winbind restart

Now you need to try to join the computer to the domain. To do this, type the following command:

net ads join -Uadministrator

You can replace 'administrator' with any other account that has permission to join computers to the domain. This command should report that the computer was successfully joined to the domain. If something in Samba or Kerberos isn't configured properly, this step will probably fail.

Now you have to change your /etc/nsswitch.conf file so that winbind is consulted for user and group lookups. Basically you just need to add winbind to the correct lines. Here is an example modified nsswitch.conf file:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns
networks:       files

protocols:      db files winbind
services:       db files winbind
ethers:         db files
rpc:            db files

netgroup:       nis winbind

Once you've made this modification you can try testing the connection to the Active Directory server. First try running:

wbinfo -u

This should return all the users in the Active Directory domain. Now check that the user entries can be retrieved through the name service switch by typing:

getent passwd

This should list all the users in a passwd format.

If these two commands were successful at retrieving the users, you should now be able to access the shares you set up in Samba from any computer where you have authenticated as a domain user.

One thing to note is that if you grant a Windows group access to a share (with valid users), the group must also have filesystem permissions on the shared directory itself. I usually do this like so:

chown root:"Domain Users" /data/myshare
chmod 770 /data/myshare
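Before running "net ads join", it is worth checking the two files edited above for the mistakes that most often make the join or the later getent test fail. The script below is an added example and not part of the original article: it parses an smb.conf and an nsswitch.conf offline (no contact with the domain), reports the settings listed above that are missing, and flags 'client schannel = no' because it turns off the secure channel to the domain controller. The function names, the sample file contents and the temporary directory are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): an offline pre-flight check
# of smb.conf and nsswitch.conf before "net ads join". All file names and
# sample contents below are constructed for the demonstration.

# Normalise a Samba-style INI file into "section|key|value" lines: comments and
# blank lines dropped, section and key lowercased (Samba keys are case-insensitive).
normalize_conf() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/[]].*$/, "", s); section = tolower(s); next }
        /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print section "|" tolower(k) "|" v
        }' "$1"
}

# conf_get FILE SECTION KEY : print the value, or nothing if it is not set.
conf_get() {
    normalize_conf "$1" | awk -F'|' -v s="$2" -v k="$3" \
        '$1 == tolower(s) && $2 == tolower(k) { print $3; exit }'
}

# Verify the [global] settings the article lists. Prints each problem and
# returns the number found (0 means the file looks ready for the join).
check_smb_conf() {
    file=$1; problems=0
    for key in workgroup realm "password server" "winbind use default domain" \
               "idmap uid" "idmap gid"; do
        if [ -z "$(conf_get "$file" global "$key")" ]; then
            echo "smb.conf: missing '$key' in [global]"; problems=$((problems + 1))
        fi
    done
    sec=$(conf_get "$file" global security | tr '[:upper:]' '[:lower:]')
    if [ "$sec" != "ads" ]; then
        echo "smb.conf: security must be 'ads' for AD pass-through, found '${sec:-unset}'"
        problems=$((problems + 1))
    fi
    # 'client schannel = no' turns off the signed and sealed secure channel to
    # the domain controller; current Samba defaults it to yes. Flag it so it is
    # a deliberate choice rather than a leftover. (Warning only, not a problem.)
    if [ "$(conf_get "$file" global "client schannel" | tr '[:upper:]' '[:lower:]')" = "no" ]; then
        echo "smb.conf: warning: 'client schannel = no' disables the secure channel to the DC"
    fi
    return "$problems"
}

# Verify that passwd, group and shadow lookups include winbind. Without this,
# getent cannot see domain accounts and 'valid users = @"Domain Users"' never matches.
check_nsswitch() {
    file=$1; problems=0
    for db in passwd group shadow; do
        if ! awk -v db="$db" '$1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
                              END { exit !ok }' "$file"; then
            echo "nsswitch.conf: '$db' line does not list winbind"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# write_samples DIR : constructed good copies of both files plus broken variants
# (security left at 'user' and no realm; winbind missing from passwd and shadow).
write_samples() {
    cat > "$1/good-smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   encrypt passwords = true
   realm = EXAMPLEDOMAIN.COM
   password server = myserver.exampledomain.com
   winbind use default domain = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   client schannel = no

[myshare]
   path = /data/myshare
   valid users = @"Domain Users"
EOF
    sed -e 's/security = ads/security = user/' -e '/realm/d' "$1/good-smb.conf" > "$1/bad-smb.conf"
    cat > "$1/good-nsswitch.conf" <<'EOF'
passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
hosts:          files dns
EOF
    sed -e 's/^passwd:.*/passwd:         compat/' -e '/^shadow/d' "$1/good-nsswitch.conf" > "$1/bad-nsswitch.conf"
}

main() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    for f in good-smb.conf bad-smb.conf good-nsswitch.conf bad-nsswitch.conf; do
        case $f in *smb*) fn=check_smb_conf ;; *) fn=check_nsswitch ;; esac
        if "$fn" "$d/$f"; then echo "$f: ready"; else echo "$f: fix before joining"; fi
    done
    rm -rf "$d"
}
main
```

To use it against a real system, call check_smb_conf /etc/samba/smb.conf and check_nsswitch /etc/nsswitch.conf instead of the constructed samples; the checks only read the files, so they are safe to run repeatedly while you edit.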

And that's it... hopefully I didn't miss anything. If you see something I missed, please let me know using the comment system below. Hope this helps!


Author: DPAK
Created: Jan 25 2006
Categories: Debian
TechByte #119
