Set up Samba on a Linux server
The Linux host has to be configured to join a Windows domain. This is done with the Samba suite, which ships several useful tools. The goal is not to run a Samba file server but only to use some of the tools that come with it.
The Samba suite contains, among others, the following components:
- winbind, a daemon that provides connectivity to Windows NT-style domains.
- ntlm_auth, a tool that uses winbind to evaluate NTLM (NT LAN Manager) requests. It verifies user credentials against the domain controller and returns either a success or an error message.
Please have a look at your Linux box and check whether Samba is already installed:
[root@siptest ]# rpm -q samba
samba-3.0.28-0.el5.8
To make sure this Samba build supports LDAP, Kerberos (KRB), ADS and WINBIND, run the following commands to inspect the build options:
~#smbd -b | grep LDAP
~#smbd -b | grep KRB
~#smbd -b | grep ADS
~#smbd -b | grep WINBIND
Please make sure the system clock matches the DC's (the maximum allowed offset is 5 minutes):
~#ntpdate 172.18.8.10
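The two preflight checks above (build options and clock offset) are easy to script. The helpers below are an added example and not part of the original page: each function takes command output as its first argument, so it can be exercised on the constructed samples at the bottom; on a real host you would pass "$(smbd -b)" and "$(ntpdate -q 172.18.8.10)" instead. The sample smbd -b lines only imitate the shape of that listing, which is why the check matches keywords rather than exact macro names.

```shell
#!/bin/sh
# Added preflight helpers (not from the original page). Each function takes
# command output as its first argument; the samples at the bottom are
# constructed, not captured from a real host.

# missing_build_options OUTPUT
#   Prints the required keywords (LDAP, KRB, ADS, WINBIND) that do not appear
#   anywhere in the smbd -b listing; succeeds only when none are missing.
#   Substring matching is deliberate: the exact macro names differ between
#   Samba versions, which is why the page greps for keywords too.
missing_build_options() {
    _missing=""
    for _kw in LDAP KRB ADS WINBIND; do
        if ! printf '%s\n' "$1" | grep -q -- "$_kw"; then
            _missing="${_missing}${_missing:+ }$_kw"
        fi
    done
    [ -n "$_missing" ] && printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# ntpdate_offset_ok LINE [MAX_SECONDS]
#   Reads the "offset <seconds>" field from the first "server ..." line that
#   `ntpdate -q <dc>` prints and succeeds if |offset| <= MAX_SECONDS
#   (default 300, the 5-minute Kerberos clock-skew limit mentioned above).
#   Fails when no offset is present at all, so an unreachable DC is an error.
ntpdate_offset_ok() {
    printf '%s\n' "$1" | awk -v max="${2:-300}" '
        /^server / && !found {
            for (i = 1; i <= NF; i++)
                if ($i == "offset") { off = $(i + 1); found = 1 }
        }
        END {
            if (!found) exit 1
            sub(/,$/, "", off)
            off += 0
            if (off < 0) off = -off
            status = (off <= max) ? 0 : 1
            exit status
        }'
}

# Constructed samples (illustrative shapes only).
SAMPLE_SMBD_OK="Build environment:
   HAVE_LDAP
   HAVE_KRB5
   WITH_ADS
   WITH_WINBIND"
SAMPLE_SMBD_MISSING="Build environment:
   HAVE_LDAP
   HAVE_KRB5"
SAMPLE_NTP_OK="server 172.18.8.10, stratum 3, offset 0.004312, delay 0.02563"
SAMPLE_NTP_SKEWED="server 172.18.8.10, stratum 3, offset -412.811207, delay 0.02563"

# Stand-alone demo on the samples.
if missing_build_options "$SAMPLE_SMBD_OK" >/dev/null; then
    echo "build options: all required features present"
fi
echo "features missing from the second sample: $(missing_build_options "$SAMPLE_SMBD_MISSING")"
if ntpdate_offset_ok "$SAMPLE_NTP_SKEWED"; then
    echo "clock: within 5 minutes of the DC"
else
    echo "clock: more than 5 minutes off the DC, fix it before kinit / net join"
fi
```

Run the clock check with `ntpdate -q` (query only) first; the page's `ntpdate 172.18.8.10` without `-q` steps the clock, which you want to do knowingly, not as a side effect of a check.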
Key configuration files for Samba
[smb.conf]
[root@siptest ~]# cat /etc/samba/smb.conf |sed '/ *#/d; / *;/d; /^ *$/d'
[global]
workgroup = 800BEST
password server = 172.18.8.10
realm = 800BEST.NET
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = true
winbind offline logon = false
server string = Samba Server Version %v
passdb backend = tdbsam
load printers = yes
cups options = raw
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[krb5.conf]
(Watch out for case sensitivity) // note: upper/lower case matters
[root@siptest ~]# cat /etc/krb5.conf |sed '/ *#/d; /^ *$/d'
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = 800BEST
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
800BEST.NET = {
kdc = 172.18.8.10:88
admin_server = 172.18.8.10:749
default_domain = 800BEST.NET
}
800BEST = {
kdc = 172.18.8.10
}
[domain_realm]
.800best.net = 800BEST.NET
800best.net = 800BEST.NET
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[nsswitch.conf]
[root@siptest ~]# cat /etc/nsswitch.conf |sed '/ *#/d; /^ *$/d'
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
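The three files above have to agree with each other: the realm in smb.conf must be the upper-case Kerberos realm and must have a [realms] entry in krb5.conf, security must be ads, and the passwd and group databases in nsswitch.conf must consult winbind. The checker below is an added example, not part of the original page; the small ini and nsswitch parsers are my own, and the sample files are constructed from the values shown above (trimmed to the relevant keys).

```shell
#!/bin/sh
# Added example (not from the original page): consistency checks over
# smb.conf, krb5.conf and nsswitch.conf. The sample files written below are
# constructed from the page's values.

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]
#   (first match; nested "name = {" entries in krb5.conf yield "{").
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[.*\]$/ { insec = (line == sec); next }
        insec && index(line, "=") {
            k = substr(line, 1, index(line, "=") - 1); gsub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr(line, index(line, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# nss_has_winbind FILE DATABASE -> succeeds if the database line lists winbind
nss_has_winbind() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
                     END { exit found ? 0 : 1 }' "$1"
}

# check_domain_configs SMB_CONF KRB5_CONF NSSWITCH_CONF
#   Prints one "FAIL: ..." line per broken invariant; succeeds when none fail.
check_domain_configs() {
    _fails=0
    _realm=$(ini_get "$1" global realm)
    _sec=$(ini_get "$1" global security)
    if [ "$_sec" != "ads" ]; then
        echo "FAIL: smb.conf security is '$_sec', expected 'ads'"; _fails=$((_fails + 1))
    fi
    case $_realm in
        ''|*[a-z]*) echo "FAIL: smb.conf realm '$_realm' must be the upper-case Kerberos realm"
                    _fails=$((_fails + 1)) ;;
    esac
    if [ "$(ini_get "$2" realms "$_realm")" != "{" ]; then
        echo "FAIL: krb5.conf has no [realms] entry for '$_realm'"; _fails=$((_fails + 1))
    fi
    for _db in passwd group; do
        nss_has_winbind "$3" "$_db" || { echo "FAIL: nsswitch.conf '$_db' does not consult winbind"; _fails=$((_fails + 1)); }
    done
    [ "$_fails" -eq 0 ]
}

# Constructed sample files (values taken from the page, trimmed).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
    workgroup = 800BEST
    password server = 172.18.8.10
    realm = 800BEST.NET
    security = ads
[homes]
    browseable = no
EOF
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = 800BEST
    dns_lookup_kdc = true
[realms]
    800BEST.NET = {
        kdc = 172.18.8.10:88
    }
    800BEST = {
        kdc = 172.18.8.10
    }
[domain_realm]
    .800best.net = 800BEST.NET
EOF
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
EOF
# A broken variant: lower-case realm, wrong security mode, passwd without winbind.
cat > "$SAMPLE_DIR/smb-bad.conf" <<'EOF'
[global]
    workgroup = 800BEST
    realm = 800best.net
    security = user
EOF
cat > "$SAMPLE_DIR/nsswitch-bad.conf" <<'EOF'
passwd:     files
group:      files winbind
EOF

# Stand-alone demo: the good set passes, the broken set lists its problems.
check_domain_configs "$SAMPLE_DIR/smb.conf" "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/nsswitch.conf" && echo "good set: OK"
check_domain_configs "$SAMPLE_DIR/smb-bad.conf" "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/nsswitch-bad.conf" || echo "broken set: see FAIL lines"
```

On a real host call `check_domain_configs /etc/samba/smb.conf /etc/krb5.conf /etc/nsswitch.conf`; run it again after every edit, since a lower-case realm or a missing winbind entry only shows up later as a confusing kinit or login failure.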
[Steps -- how to join the domain]
1.
kinit -- obtain and cache a Kerberos ticket-granting ticket:
[root@siptest etc]# kinit
Password for :
[root@siptest etc]#
If kinit returns to the prompt without an error, the ticket was obtained and Kerberos works.
2.
Verify that the Samba daemons are running:
~#ps -ef | grep smbd
~#ps -ef | grep nmbd
3.
Execute the following command (you must be logged in as root):
~#net join -U Administrator
Administrator is the domain administrator account on the domain controller. Enter its password when prompted. If everything works, the Linux server is now registered in the Windows domain.
4.
Now verify that the winbindd daemon is running:
~#ps -ef | grep winbindd
Check that the trust relationship between Samba and AD has been established:
~#wbinfo -t
checking the trust secret via RPC calls succeeded
5.
Next, try to authenticate a domain user: ~#wbinfo -a user%password
e.g ~#wbinfo -a bl00250%Iloveyou~!@#$%
challenge/response password authentication succeeded
6.
Type the following line (fill in your domain and user name):
root@siptest# ntlm_auth --request-nt-key --domain= --username=
For me, the command looks like this:
[root@siptest ~]# ntlm_auth --request-nt-key --domain=800BEST --username=bl00250
password:
NT_STATUS_OK: Success (0x0)
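Steps 4 to 6 together form the post-join verification, and it is worth keeping them as one script that can be re-run after a reboot or a DC change. The script below is an added example, not part of the original page: the output classifiers are my own, the three success strings are the ones shown above, and the NT_STATUS_WRONG_PASSWORD line is a constructed failure sample. The live checks use ntlm_auth, which prompts for the password itself, instead of the wbinfo -a user%password form, so the password does not end up in shell history or in ps output.

```shell
#!/bin/sh
# Added example (not part of the original page): post-join verification
# built from the checks in steps 4-6. Classifiers are mine; samples below
# reuse the page's success lines plus one constructed failure line.

# nt_status OUTPUT -> prints the NT_STATUS_* token from an ntlm_auth result
#   line such as "NT_STATUS_OK: Success (0x0)"; prints nothing if absent.
nt_status() {
    printf '%s\n' "$1" | sed -n 's/.*\(NT_STATUS_[A-Z0-9_]*\):.*/\1/p' | head -n 1
}

# ntlm_auth_ok OUTPUT -> succeeds only when the status is NT_STATUS_OK
ntlm_auth_ok() {
    [ "$(nt_status "$1")" = "NT_STATUS_OK" ]
}

# wbinfo_ok OUTPUT -> wbinfo -t and wbinfo -a end their success line in "succeeded"
wbinfo_ok() {
    printf '%s\n' "$1" | grep -q 'succeeded$'
}

# run_join_checks DOMAIN USER
#   Live checks for a joined host: winbindd running, trust secret valid, then
#   an NTLM authentication of USER via ntlm_auth (which prompts for the
#   password on the terminal). Returns 2 when the Samba tools are absent.
run_join_checks() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed"; return 2; }
    ps -ef | grep -q '[w]inbindd' || { echo "winbindd is not running"; return 1; }
    wbinfo_ok "$(wbinfo -t 2>&1)" || { echo "trust secret check failed"; return 1; }
    _out=$(ntlm_auth --request-nt-key --domain="$1" --username="$2" 2>&1) || true
    ntlm_auth_ok "$_out" || { echo "authentication failed: $(nt_status "$_out")"; return 1; }
    printf 'domain join verified for %s\\%s\n' "$1" "$2"
}

# Samples: the first three lines are the ones shown on this page; the last is
# constructed to show the failure shape.
SAMPLE_TRUST_OK="checking the trust secret via RPC calls succeeded"
SAMPLE_AUTH_OK="challenge/response password authentication succeeded"
SAMPLE_NTLM_OK="NT_STATUS_OK: Success (0x0)"
SAMPLE_NTLM_BAD="NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)"

# Stand-alone demo on the samples; pass "--run DOMAIN USER" for the live checks.
if [ "${1:-}" = "--run" ]; then
    run_join_checks "$2" "$3"
else
    echo "ntlm_auth sample 1 -> $(nt_status "$SAMPLE_NTLM_OK")"
    echo "ntlm_auth sample 2 -> $(nt_status "$SAMPLE_NTLM_BAD")"
fi
```

Usage on the page's setup would be `sh verify-join.sh --run 800BEST bl00250`. Keeping the NT_STATUS token rather than just pass/fail is useful when the same check is wired into monitoring: a run of NT_STATUS_WRONG_PASSWORD results looks very different from a trust-secret failure, and each points at a different fix.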
WARNING!!!
When called by radiusd, which sets the challenge value directly, the ntlm_auth program needs permission to access winbindd's winbindd_privileged directory (somewhere under /var). In my experience, read access will suffice.
The radiusd.conf file sets the uid and gid your radiusd process runs as (via the user and group directives, respectively). The ntlm_auth process will have the same identity. If the filesystem containing the winbindd_privileged directory supports POSIX ACLs, you can safely grant ntlm_auth the necessary permissions in case your distribution's default settings are insufficient. If radiusd runs as the user radiusd, for example, use setfacl like this:
setfacl -m u:radiusd:rx winbindd_privileged
Or something like that. See
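After granting the ACL it is worth verifying what the radiusd user actually ends up with, because a restrictive mask entry silently reduces a named user entry (getfacl shows this as "#effective:"). The helper below is an added example, not part of the original page: it computes the effective permissions from getfacl output and checks for both r and x, which is what the setfacl line above grants. The getfacl listings are constructed, and the directory path is a placeholder because the page only says the directory lives somewhere under /var.

```shell
#!/bin/sh
# Added example (not part of the original page): check that a user has
# effective read+execute on winbindd_privileged from `getfacl` output.
# Sample listings are constructed; the real path varies by distribution.

# effective_perms GETFACL_OUTPUT USER
#   Prints the user's effective permissions (named entry ANDed with the mask
#   entry, the way the kernel applies them), or "---" if there is no named
#   entry for that user. Trailing "#effective:" annotations are ignored.
effective_perms() {
    printf '%s\n' "$1" | awk -F: -v user="$2" '
        $1 == "user" && $2 == user { perm = $3; sub(/[ \t].*$/, "", perm) }
        $1 == "mask" && $2 == ""   { mask = $3; sub(/[ \t].*$/, "", mask) }
        END {
            if (perm == "") { print "---"; exit }
            if (mask == "") mask = "rwx"
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perm, i, 1); m = substr(mask, i, 1)
                out = out ((p != "-" && m != "-") ? p : "-")
            }
            print out
        }'
}

# acl_allows_rx GETFACL_OUTPUT USER -> succeeds if effective perms include r and x
acl_allows_rx() {
    case $(effective_perms "$1" "$2") in
        r?x) return 0 ;;
        *)   return 1 ;;
    esac
}

# grant_and_verify DIR USER
#   Applies the page's setfacl command and confirms the result with getfacl.
grant_and_verify() {
    setfacl -m "u:$2:rx" "$1" && acl_allows_rx "$(getfacl "$1" 2>/dev/null)" "$2"
}

# Constructed getfacl listings.
SAMPLE_ACL_GRANTED=$(printf '%s\n' '# file: winbindd_privileged' '# owner: root' \
    '# group: wbpriv' 'user::rwx' 'user:radiusd:r-x' 'group::---' \
    'group:wbpriv:r-x' 'mask::r-x' 'other::---')
# Same entry, but a mask of r-- strips the execute bit again.
SAMPLE_ACL_MASKED=$(printf '%s\n' '# file: winbindd_privileged' 'user::rwx' \
    'user:radiusd:rwx		#effective:r--' 'group::---' 'mask::r--' 'other::---')
SAMPLE_ACL_NONE=$(printf '%s\n' '# file: winbindd_privileged' 'user::rwx' \
    'group::---' 'other::---')

# Stand-alone demo on the samples; on a real host run
#   grant_and_verify /path/to/winbindd_privileged radiusd   (path is a placeholder)
for _s in GRANTED MASKED NONE; do
    eval "_acl=\$SAMPLE_ACL_$_s"
    if acl_allows_rx "$_acl" radiusd; then
        echo "$_s: radiusd effective $(effective_perms "$_acl" radiusd) -> OK"
    else
        echo "$_s: radiusd effective $(effective_perms "$_acl" radiusd) -> ntlm_auth will be denied"
    fi
done
```

The masked case is the one that bites in practice: `setfacl -m u:radiusd:rx` normally recalculates the mask, but a later `chmod` on the directory rewrites the mask from the group bits and can drop the x again, so re-check after any permission change on that directory.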