Friday, May 18, 2012

Joining Linux server/workstation to Windows Active Directory

This guide joins your Linux machine to a Windows Active Directory domain
and lets users of that domain access your Samba shares without further authentication.

You need to install the latest version of Samba, which is currently version 3,
and also install samba-common, samba-client and samba-winbind:

yum install samba samba-client samba-common samba-winbind

If they are not already installed, you also need ntpd and Kerberos.
On RHEL/CentOS the packages that provide them are named ntp and krb5-workstation:

yum install ntp krb5-workstation

It is imperative that your Linux machine's clock is in sync with the Active Directory domain controller, because Kerberos rejects requests from a client whose clock is off by more than a few minutes.

ntpdate -u [IP of your AD server]

e.g.
ntpdate -u 192.168.1.10
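Because a skewed clock is the usual reason the later kinit and net ads join steps fail, here is a small check script, added here as an example that is not part of the original post or of the ntp package. It parses the offset from the report line that ntpdate -q prints and compares it with the 300-second skew that Kerberos tolerates by default. The sample report line is constructed; the server address 192.168.1.10 is the one used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): compare the clock offset that
# ntpdate reports with the Kerberos default clock-skew tolerance (300 seconds).

# Constructed sample of the report line "ntpdate -q <server>" prints.
SAMPLE_NTPDATE='server 192.168.1.10, stratum 2, offset -0.012345, delay 0.02579'

# Print the offset (in seconds) from an ntpdate report line.
ntpdate_offset() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "offset") { v = $(i + 1); sub(/,$/, "", v); print v; exit }
    }'
}

# Return 0 when |offset| is below the 300-second Kerberos window, 1 otherwise.
skew_ok() {
    awk -v o="$1" 'BEGIN { if (o < 0) o = -o; exit !(o < 300) }'
}

# Live check against a real controller (needs ntpdate from the ntp package);
# -q only queries the server, it does not step the clock.
check_skew() {
    off=$(ntpdate_offset "$(ntpdate -q "$1" | head -n 1)") || return 2
    if skew_ok "$off"; then
        echo "clock offset ${off}s: within Kerberos tolerance"
    else
        echo "clock offset ${off}s: run 'ntpdate -u $1' before kinit / net ads join"
        return 1
    fi
}

# Usage: sh skewcheck.sh 192.168.1.10
if [ -n "${1:-}" ]; then
    check_skew "$1"
fi
```

Run it with the address of your domain controller as the only argument; a non-zero exit status means the clock must be synced before continuing.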

Next make sure that ntpd, winbind and samba all start on boot and are all running:

chkconfig ntpd on
chkconfig winbind on
chkconfig smb on
/etc/init.d/ntpd start
/etc/init.d/smb start
/etc/init.d/winbind start

Next edit your Samba config file:

vim /etc/samba/smb.conf

and change the following settings so that they are as they appear here.
Substitute CLIVE.COM with your Active Directory domain name.
Also ensure that you do not have a netbios entry.
If you have a line in your Samba config file that says
netbios name = somename

delete that line (if it exists).

The netbios entry will be added automatically by the system when you join the domain later.

Your smb.conf should look something like this (these settings belong in the [global] section):

[global]
        workgroup = CLIVE
        realm = CLIVE.COM
        preferred master = no
        server string = Samba File Server

        security = ADS
        encrypt passwords = yes
        log level = 3
        log file = /var/log/samba/%m
        max log size = 50
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nested groups = Yes
        winbind separator = +
        idmap uid = 600-20000
        idmap gid = 600-20000
        # put the address of your own network here
        hosts allow = 192.168.1.0/24
        hosts deny = 0.0.0.0/0

Restart Samba to load the new config:

/etc/init.d/smb restart

Next you need to edit your Kerberos config file:

vim /etc/krb5.conf

and make the following additions.
Change CLIVE.COM to your AD domain name,
and change servername to your Active Directory domain controller's machine name.

Case sensitivity is of extreme importance here: the realm name is in upper case and the host names are in lower case, exactly as shown.
[realms]
 CLIVE.COM = {
  kdc = servername.clive.com:88
  admin_server = servername.clive.com:749
  default_domain = clive.com
 }

[domain_realm]
 .kerberos.server = CLIVE.COM
 .clive.com = CLIVE.COM
 clive.com = CLIVE.COM

Save the file,

and then run the following command to make sure everything is working as it should:

/usr/kerberos/bin/kinit administrator@CLIVE.COM

You should be asked for the domain administrator's password; once it is entered correctly you will return to a command prompt.

(Please note: if you get an error here it is more than likely because the clock on your Linux machine is not synced to your Active Directory domain controller.) Check your clock and use ntpd to sync it properly.

Next edit your nsswitch.conf file and change it so that it looks like this:
vim /etc/nsswitch.conf

passwd:     compat winbind
shadow:     compat
group:      compat winbind

Save the file and restart winbind:
/etc/init.d/winbind restart

Edit your /etc/hosts file

vim /etc/hosts

and ensure you have the following line:
127.0.0.1   hostname.clive.com hostname
Remove localhost localdomain from the 127.0.0.1 entry.

save /etc/hosts

And now let's join your machine to the domain.
Type:
net ads join -U Administrator@CLIVE.COM

Enter the administrator's password and, if all goes well, your machine will be added to the domain.
Next type:
wbinfo -u

to show a list of all the users of the Active Directory domain.

To give an Active Directory user access to your Samba share,
edit the valid users line in your smb.conf file and add your Active Directory users like so
(substitute CLIVE for your domain name; the + between domain and user is the winbind separator set in the [global] section above):

[share]
        comment = share
        path = "/home/samba/shares/share/"
        browseable = yes
        writable = yes
        read only = no
        create mode = 0777
        directory mode = 2777
        valid users = CLIVE+administrator CLIVE+cliveg CLIVE+user2

To add an entire group, i.e. Domain Users, use the @ prefix,
e.g.
valid users = "@CLIVE+Domain_users"

Don't forget to restart Samba every time you make changes to smb.conf.
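The valid users syntax in the share depends on the winbind separator chosen in [global], and the global settings above have a few requirements that are easy to get wrong (security = ADS, an upper-case realm, no netbios name line, a hosts allow entry). The following lint script is an added example covering both the [global] settings and the share's valid users line; it is not part of the original post or of Samba. It parses smb.conf with awk; the sample config it writes when run without arguments is constructed for this example in the shape the post gives.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): lint the AD-related
# settings of an smb.conf in the form the post describes.

# Print the value of KEY from the [global] section of FILE (empty if absent).
# Parameter and section names are matched case-insensitively, as Samba does.
smb_global() {
    awk -v want="$1" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        tolower(sec) == "global" && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(want)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$2"
}

# Print every "valid users" entry from the share sections, one per line.
# Quoted entries (group names with spaces) are kept whole, quotes removed.
smb_valid_users() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec != "" && tolower(sec) != "global" && /^[ \t]*valid users[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v)
            while (match(v, /"[^"]*"|[^ \t,"]+/)) {
                tok = substr(v, RSTART, RLENGTH); gsub(/"/, "", tok); print tok
                v = substr(v, RSTART + RLENGTH)
            }
        }' "$1"
}

# Run the checks: print one line per problem, return 1 if any, 0 if clean.
check_smb_conf() {
    f=$1; bad=0
    sec=$(smb_global security "$f")
    [ "$(printf '%s' "$sec" | tr 'A-Z' 'a-z')" = "ads" ] \
        || { echo "security must be ADS (got '$sec')"; bad=1; }
    realm=$(smb_global realm "$f")
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] \
        || { echo "realm must be the AD domain in upper case (got '$realm')"; bad=1; }
    [ -z "$(smb_global 'netbios name' "$f")" ] \
        || { echo "remove the 'netbios name' line; net ads join sets it"; bad=1; }
    [ -n "$(smb_global 'hosts allow' "$f")" ] \
        || { echo "hosts allow is not set"; bad=1; }
    sep=$(smb_global 'winbind separator' "$f")
    [ -n "$sep" ] || sep='\'     # Samba's default separator when none is configured
    # every valid users entry should carry the DOMAIN<sep>name form the post uses
    missing=$(smb_valid_users "$f" | SEP="$sep" awk 'index($0, ENVIRON["SEP"]) == 0')
    [ -z "$missing" ] \
        || { printf 'valid users entries without the DOMAIN%sname form:\n%s\n' "$sep" "$missing"; bad=1; }
    return $bad
}

# Constructed sample in the shape the post gives, used for a stand-alone run.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
        workgroup = CLIVE
        realm = CLIVE.COM
        security = ADS
        winbind separator = +
        winbind use default domain = Yes
        hosts allow = 192.168.1.0/24
        hosts deny = 0.0.0.0/0

[share]
        path = /home/samba/shares/share/
        valid users = CLIVE+administrator CLIVE+cliveg "@CLIVE+Domain Users"
EOF
}

# Usage: sh smbcheck.sh /etc/samba/smb.conf   (no argument: lint the sample)
if [ -n "${1:-}" ]; then
    check_smb_conf "$1"
else
    tmp=$(mktemp); write_sample_conf "$tmp"
    check_smb_conf "$tmp" && echo "sample smb.conf passes"
    rm -f "$tmp"
fi
```

Run it against /etc/samba/smb.conf before every restart; it exits non-zero and lists what is off, so it fits naturally into the restart step.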
