
How to set up a Samba server for Active Directory authentication

last modified 2007-02-19 05:28 PM

Most of the necessary steps are described on this web page. The key steps are as follows:

  1. Make sure the machine is in your local DNS. This also requires a reverse PTR record.
  2. Make sure the /etc/network/interfaces file is set up as follows::
          auto eth0
          #iface eth0 inet dhcp
          iface eth0 inet static
          address 192.168.2.[proper number which is in DNS]
          gateway 192.168.2.1
          netmask 255.255.255.0
          network 192.168.2.0
          broadcast 192.168.2.255
    
  3. Make sure /etc/resolv.conf contains the following::
          search <your local domain>
          nameserver <your local DNS server>
    
  4. Make sure Ubuntu sources are set up to include the "Universe" repository. Then install the following packages::
       samba
       smbclient
       smbfs
       smbldap-tools
       winbind
       krb5-config
       krb5-user
    
  5. Configure /etc/samba/smb.conf. The key thing is to add the domain.
  6. Configure /etc/krb5.conf. The key thing is to add the domain.
  7. Get a Kerberos key by running::
          # net ads join -U Administrator%password
    
     Where "password" is the <your Windows Domain>\Administrator password.
     If you leave off "%password" you will be prompted for it and it won't be in the shell history.
    
  8. You can permanently add the password with the following command (I am not sure if you need to do both)::
          # wbinfo --set-auth-user=DOMAIN\\administrator%password
    
     See the comment above regarding "%password".
    
  9. Configure /etc/nsswitch.conf
  10. Restart samba and winbindd::
          # /etc/init.d/samba restart
          # /etc/init.d/winbind restart
    
  11. Test that winbind is working properly::
          # wbinfo -u
          # wbinfo -g
    
  12. Add domain users and groups to /etc/passwd and /etc/group with the following commands::
          # getent passwd
          # getent group
    
  13. To check if it worked, try the following::
          # cat /etc/passwd
          # cd ; touch test
          # chown "your Windows Domain"+atrauring test
          # ls -al test
    
  14. In /etc/pam.d/ make a copy of the original login file. Then configure /etc/pam.d/login.
  15. Add shares.
    • Make sure the share disk has group "your Windows Domain"+domain users
    • chmod 770 for the directory
    • Use Webmin to set up the share. Set default permissions to 770 and make sure the share is writeable.
  16. Test by connecting to the share in Windows and adding a directory. On the Linux side the share should have the Domain owner and group and 770 privileges.
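
As an added example (not part of the original page): a read-only shell check to run after step 9 and before the restart in step 10. It assumes steps 5 and 6 mean setting ``security = ads``, ``workgroup`` and ``realm`` in smb.conf and ``default_realm`` in krb5.conf, and that step 9 adds ``winbind`` to the ``passwd`` and ``group`` lines of nsswitch.conf; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: read-only consistency check for the files from steps 5, 6 and 9.
# Paths are passed in, so it can be pointed at copies before touching /etc.

# Print the value of the first "key = value" line (key matched case-insensitively).
ini_get() {  # usage: ini_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*[#;]/ || index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# True if DATABASE (passwd, group) lists winbind as a source in nsswitch.conf.
nss_has_winbind() {  # usage: nss_has_winbind FILE DATABASE
    grep -Eq "^[[:space:]]*$2:(.*[[:space:]])?winbind([[:space:]]|\$)" "$1"
}

# Report every problem found; the return status is the number of problems.
preflight() {  # usage: preflight SMB_CONF KRB5_CONF NSSWITCH_CONF
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }
    sec=$(ini_get "$1" security); realm=$(ini_get "$1" realm)
    krb=$(ini_get "$2" default_realm)
    # "net ads join" needs security = ads plus a realm; assumption: that is
    # what "add domain" in steps 5 and 6 refers to.
    [ "$(upper "$sec")" = "ADS" ] || fail "smb.conf: security = '$sec', expected ads"
    [ -n "$(ini_get "$1" workgroup)" ] || fail "smb.conf: workgroup is not set"
    [ -n "$realm" ] || fail "smb.conf: realm is not set"
    # Compared case-insensitively here; AD realms are conventionally upper case.
    [ "$(upper "$realm")" = "$(upper "$krb")" ] ||
        fail "realm mismatch: smb.conf '$realm' vs krb5.conf default_realm '$krb'"
    for db in passwd group; do
        nss_has_winbind "$3" "$db" || fail "nsswitch.conf: $db does not list winbind"
    done
    return "$problems"
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it as ``sh preflight.sh /etc/samba/smb.conf /etc/krb5.conf /etc/nsswitch.conf`` (the script name is arbitrary); a zero exit status means none of these checks failed.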
 
