Set up Samba on a Linux server

Linux must be configured in order to belong to a Windows domain. This is done by using the Samba file server, which offers several interesting tools. The goal is not to create a Samba file server but only to use some of the tools which come with it.
The Samba server contains, among others, the following components:
  • Winbind, a daemon which permits connectivity to a Windows NT environment.
  • Ntlm_auth, a tool which uses winbind for evaluating NTLM (NT LAN Manager) requests. This tool verifies user credentials on the domain controller and returns either a success or an error message.
[Preparation] -- check whether Samba is installed and whether krb5.conf and nsswitch.conf meet the requirements
Please have a look at your Linux box and check if Samba is already installed.
 
To avoid any trouble, please run "hostname" and "hostname -f" to make sure name resolution is OK. # To avoid unnecessary trouble, first confirm that hostname and hostname -f resolve correctly
 
[root@siptest ]# rpm -q samba
samba-3.0.28-0.el5.8
To ensure Samba supports LDAP, KRB, ADS and WINBIND, run the following commands to check the Samba build options:
~#smbd -b | grep LDAP
~#smbd -b | grep KRB
~#smbd -b | grep ADS
~#smbd -b | grep WINBIND
Please make sure the clock is synchronized with the DC's (the maximum offset Kerberos tolerates is 5 mins):
~#ntpdate 172.18.8.10
Key configuration files for Samba
[smb.conf] 
[root@proxy samba]# cat smb.conf | sed '/ *#/d; / *;/d; /^ *$/d'
[global]
   workgroup = 800BEST
   password server = 172.18.8.10
   realm = 800BEST.NET
   security = ads
   encrypt passwords = yes
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   use kerberos keytab = yes
   dns proxy = no
   ldap ssl = no
   preferred master = no
   template shell = /bin/false
   winbind use default domain = yes
   winbind offline logon = false
        server string = Samba Server Version %v
        netbios name = proxy
        passdb backend = tdbsam
        load printers = yes
        cups options = raw
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes
[krb5.conf]
 (Watch out for case sensitivity) // mind upper and lower case
 [root@siptest ~]# cat /etc/krb5.conf |sed '/ *#/d; /^ *$/d'
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = 800BEST.NET
 dns_lookup_realm = false  # if this is true, the realms and KDC below need not be configured
 dns_lookup_kdc = true  
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 800BEST.NET = {
  kdc = 172.18.8.10:88
  admin_server = 172.18.8.10:749
  default_domain = 800BEST.NET  # same as the realm value in smb.conf
 }
 800BEST = {                    # 800BEST here is the NetBIOS name of the domain
  kdc = 172.18.8.10
 }
[domain_realm]
 .800best.net = 800BEST.NET
 800best.net = 800BEST.NET
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


##############
Note:
 The realm value in krb5.conf must be identical to the realm in smb.conf; otherwise you will see
[2009/08/18 21:05:51, 0] utils/net_ads.c:ads_startup_int(286)
  ads_connect: No logon servers
Failed to join domain: No logon servers
##############
[nsswitch.conf ]
[root@siptest ~]# cat /etc/nsswitch.conf |sed '/ *#/d; /^ *$/d'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus
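The consistency rules spelled out above (the Samba realm must equal the krb5.conf default_realm, passwd/group must consult winbind, and the box's DNS domain must match the AD domain, which the troubleshooting section below also depends on) as an added shell script; this is example code, not from the original page. It assumes the config files are passed as paths so it can be run on copies, and only touches /etc and hostname -f when invoked with the assumed --live flag.

```shell
#!/bin/sh
# Added example (not from the original page): offline sanity checks for the
# three files above. File paths are passed as arguments so the checks can run
# on copies; "--live" is an assumed flag that runs them against /etc.
# realm from the [global] section of smb.conf (drops comments and whitespace).
smb_realm() {
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*\([^#;]*\).*/\1/p' "$1" |
        head -n 1 | tr -d '[:space:]'
}

# default_realm from the [libdefaults] section of krb5.conf.
krb_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p' "$1" |
        head -n 1 | tr -d '[:space:]'
}

# 0 when both realms are present and byte-for-byte equal. Kerberos realms are
# case sensitive; a mismatch here is what yields "ads_connect: No logon servers".
check_realms() {
    s=$(smb_realm "$1"); k=$(krb_default_realm "$2")
    [ -n "$s" ] && [ "$s" = "$k" ]
}

# 0 when the passwd and group databases in nsswitch.conf both list winbind;
# otherwise domain users never resolve to uids/gids on the box.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" || return 1
    done
}

# 0 when the DNS domain of the FQDN equals the realm (compared case-insensitively):
# the condition "net join" reports when it fails to set servicePrincipalNames.
check_dns_domain() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$fqdn" in
        *.*) [ "${fqdn#*.}" = "$realm" ] ;;
        *)   return 1 ;;
    esac
}

# Report against the running system (only when called with --live).
run_checks() {
    check_realms /etc/samba/smb.conf /etc/krb5.conf && echo "realm: OK" || echo "realm: MISMATCH"
    check_nsswitch /etc/nsswitch.conf && echo "nsswitch: OK" || echo "nsswitch: add winbind to passwd/group"
    check_dns_domain "$(hostname -f)" "$(smb_realm /etc/samba/smb.conf)" && echo "dns domain: OK" || echo "dns domain: hostname -f does not match realm"
}
case "${1:-}" in --live) run_checks ;; esac
```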

[Steps -- how to join the domain]

1. Use kinit to check that Kerberos works correctly
kinit --- obtain and cache a Kerberos ticket-granting ticket
kinit administrator@800BEST.NET # note that the realm is upper case here
[root@siptest etc]# kinit administrator@800BEST.NET
[root@siptest etc]#Password for administrator@800BEST.NET:
[root@siptest etc]#
It works.
2. Check that the Samba service is running
Verify that the Samba service is running by typing: ps -ef | grep nmbd
~#ps -ef | grep smbd
3. Join the domain
Execute the following command line (you must be logged in as root):
~#net join -U Administrator  # with security = ads, net join here means net ads join
Administrator is the name of the domain controller admin. Enter your password when prompted. If everything works fine, the Linux server has been registered to the Windows domain.
Note that net ads join and net rpc join are different; net ads join uses Kerberos.
 [If the following error appears:
[root@proxy software]# net join -U administrator@800BEST.NET
[2009/08/14 21:31:24, 0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(651)
  create_local_private_krb5_conf_for_domain: failed to create directory /var/cache/samba/smb_krb5. Error was Permission denied
create the /var/cache/samba/smb_krb5 directory manually.]
4. Verify now that the winbindd daemon is running:
~#ps -ef | grep winbindd 
Check that the trust has been established between Samba and AD:
~#wbinfo -t
checking the trust secret via RPC calls succeeded

5. Try next whether you can authenticate a user from the domain: ~#wbinfo -a user%password  
e.g. ~#wbinfo -a bl00250%Iloveyou~!@#$%
challenge/response password authentication succeeded
6. Type the following line:
root@siptest# ntlm_auth --request-nt-key --domain=<your domain> --username=<your username>
For me, the command would look like this:
[root@siptest ~]# ntlm_auth --request-nt-key --domain=800BEST --username=bl00250
password:
NT_STATUS_OK: Success (0x0)

WARNING!!!
When called by radiusd - thus directly setting the challenge value - the ntlm_auth program needs permission to access winbindd's winbindd_privileged directory (somewhere under /var). According to my experiences read access will suffice.
The radiusd.conf file sets the uid and gid your radiusd process will run as (by the user and group directives, respectively). The ntlm_auth process will have the same identity. If your filesystem containing the winbindd_privileged directory supports POSIX ACLs, you can safely grant ntlm_auth the necessary permissions, in case your distribution's default settings were insufficient. If radiusd runs as the user radiusd for example, then you should use setfacl the following way:
setfacl -m u:radiusd:rx winbindd_privileged
Or something like that. See http://www.suse.de/~agruen/acl/linux-acls/online/ or man setfacl about POSIX ACLs!

Add share

Edit /etc/samba/smb.conf and add lines like the following:
**************
[share]
        comment = shared folder
        path = /var/spool/share
        browseable = yes
        guest ok = no
        writable = yes
        valid users = 800BEST\bl00250
************************
 Then give the domain user ownership of the directory:
~#chown '800BEST\bl00250':'800BEST\domain users'  /var/spool/share

[troubleshooting]

1. How to resolve "Failed to join domain: Type or value exists"
~# net join -U administrator
  Administrator's password:
  Using short domain name -- 800BEST
  Failed to set servicePrincipalNames. Please ensure that
  the DNS domain of this server matches the AD domain,
  Or rejoin with using Domain Admin credentials.
  Deleted account for 'ftpsvr' in realm '800BEST.NET'
  Failed to join domain: Type or value exists
When we join Samba to AD by typing net join -U administrator and get the message above, there are two possible reasons:
a. there is an existing computer account with the same name in AD
b. hostname and hostname -f do not work correctly --- it seems to be a bug in Samba 3.0, or in the hostname-checking mechanism Samba runs before adding the machine to AD
For a, delete the existing computer account in AD, synchronize, and verify that the account was deleted cleanly.
For b, check /etc/sysconfig/network, set the right hostname and restart the network. If it still does not work, just type:
~# hostname <hostname>
then redo
 ~# net join -U administrator