Overview

In small environments, administering Linux servers using only local accounts is manageable. In large environments hosting many hundreds or thousands of servers, however, administering each server individually and manually maintaining its user accounts and passwords would be a very daunting task. A central identity and access solution is required to manage such environments effectively. In large Microsoft Windows datacenters, Active Directory is typically used as that identity and access solution.

Samba is able to connect to your Active Directory domain and authenticate user credentials against your Windows environment. However, since Samba does not maintain a central identity store, the UIDs and GIDs assigned to each user will differ from one Samba server to the next.

Where Does This Fit In

A small Linux environment within a Windows-based infrastructure.

Before You Begin

Before you move ahead with this tutorial there are a few prerequisites that must be met in your environment:

- An Active Directory domain
- Identity Management for Unix installed on the domain controllers
- One CentOS 6 server

This lab will use the following variables. You'll need to modify these to match your own environment.

    Domain               CONTOSO.COM
    Domain Controller    DC01.CONTOSO.COM
    Samba Server Name    LINUX-SRV1

Install Required Linux Packages

Install the following packages onto your Linux machine. You will not be able to join the Active Directory domain or authenticate using domain credentials without them.

- samba
- samba-winbind
- oddjob-mkhomedir

To install all three packages at the same time, run the following command as root or with root privileges.

yum install samba samba-winbind oddjob-mkhomedir

Configuring Samba

Samba is a critical component that allows Linux to interact with Windows. It must be configured to make the Linux server appear as a Windows computer on the network, using NetBIOS broadcasts and domain prefixes.

Make a backup copy of /etc/samba/smb.conf:

    cp /etc/samba/smb.conf /etc/samba/smb.conf.old

Open /etc/samba/smb.conf in a text editor. For this example, I'll use vi.

    vi /etc/samba/smb.conf

Edit smb.conf to resemble the example below. The values under the "modify" comment are the ones you must change to match your environment.

    [global]
    log file = /var/log/samba/log.%m
    max log size = 50
    security = ads
    # modify the next four values to match your environment
    netbios name = LINUX-SRV1
    realm = CONTOSO.COM
    password server = MYDC01.CONTOSO.COM MYDC02.CONTOSO.COM
    workgroup = CONTOSO
    idmap uid = 10000-500000
    idmap gid = 10000-500000
    # the separator character is missing from this copy of the tutorial; Samba's default is a backslash
    winbind separator =
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    template homedir = /home/%U
    template shell = /bin/bash
    client use spnego = yes
    domain master = no

Understanding the options we're defining:

netbios name - The NetBIOS (single-label) name the Samba server will use for Windows clients.

realm - Fully qualified name of the Active Directory domain the Samba server is joining.

password server - List of domain controllers, separated by spaces, that will process Samba logon requests.

workgroup - Similar to the netbios name for the Samba server, except for the domain. Active Directory domains, like Windows computers, have NetBIOS names.

For more information on Samba options, go here:

http://www.samba.org/samba/docs/using_samba/ch06.html

Modify the Name Service Switch Configuration File

The Name Service Switch is used by Linux to locate account databases. By default, only local files will be consulted. We need to point Linux at the domain by adding winbind as an additional database source.

Open /etc/nsswitch.conf in a text editor:

    vi /etc/nsswitch.conf

Find the following lines:

    passwd: files
    group: files

And append winbind to them, as shown below:

    passwd: files winbind
    group: files winbind
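Editing nsswitch.conf by hand is fine for one server, but across hundreds of them the change should be scripted and safe to re-run. The following POSIX shell function is an added example (it is not part of the original tutorial): it appends winbind to the passwd: and group: lines only when it is not already present, so running it twice does not produce "files winbind winbind", and it leaves every other database untouched. The file path is passed as an argument, and the sample content in the usage section is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial: idempotently add "winbind"
# as a source for the passwd and group databases in an nsswitch.conf file.
# Assumes the standard "database: source source ..." layout of nsswitch.conf.
add_winbind_to_nsswitch() {
    file="$1"
    tmp="${file}.tmp.$$"
    awk '
        /^[[:space:]]*(passwd|group):/ {
            # append only if winbind is not already listed on this line
            if ($0 !~ /[[:space:]]winbind([[:space:]]|$)/) {
                sub(/[[:space:]]+$/, "")
                $0 = $0 " winbind"
            }
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the source list configured for one database, e.g.
#   nsswitch_sources /etc/nsswitch.conf passwd   ->  "files winbind"
nsswitch_sources() {
    awk -v db="$2" '$1 == db ":" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Usage on a constructed copy of the file (safe to run anywhere):
#   f=$(mktemp)
#   printf 'passwd:     files\ngroup:      files\nhosts:      files dns\n' > "$f"
#   add_winbind_to_nsswitch "$f"
#   nsswitch_sources "$f" passwd     # files winbind
```

Because the function rewrites to a temporary file and moves it into place, a failure in the middle of the edit leaves the original nsswitch.conf intact; when running against the real /etc/nsswitch.conf, do so as root and keep a backup as the tutorial does for smb.conf.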

Edit Kerberos Configuration File

Active Directory uses Kerberos, an open source network authentication protocol, to authenticate users. Before your Linux server

Open /etc/krb5.conf in a text editor:

    vi /etc/krb5.conf

Modify it so it looks like the example below, replacing the values under the "modify" comments to match your environment. The realm name is written in upper case, and the stanza under [realms] must use the same name as default_realm.

    [libdefaults]
    # modify to match your environment
    default_realm = CONTOSO.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    [realms]
    # modify this stanza to match your environment; the name must equal default_realm
    CONTOSO.COM = {
      kdc = mydc01.contoso.com
      admin_server = mydc01.contoso.com
      default_domain = contoso.com
    }

    [domain_realm]
    # modify to match your environment
    .contoso.com = CONTOSO.COM
    contoso.com = CONTOSO.COM
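The realm in smb.conf, default_realm in krb5.conf and the [realms] stanza name all have to agree (and be upper case) or the join will fail with a confusing Kerberos error. The script below is an added example, not part of the original tutorial: it reads both files, which are passed as arguments, and reports each mismatch before you attempt the join. The sample configuration in the usage section is constructed for illustration; the "bad" copy reproduces a stanza named for a different realm than default_realm, which is exactly the kind of leftover that slips in when a krb5.conf is copied from another environment.

```shell
#!/bin/sh
# Added example, not from the original tutorial: cross-check the realm
# settings that smb.conf and krb5.conf must agree on before "net ads join".
# Arguments: path to smb.conf, path to krb5.conf.
# Returns 0 when consistent, 1 otherwise, printing one line per problem.

# Print the value of the first "key = value" line in a file (any section),
# ignoring comment lines and surrounding whitespace; empty output if absent.
ini_value() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Succeed if krb5.conf has a "REALM = {" stanza under [realms] for the given realm.
has_realm_stanza() {
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[realms\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == realm && $0 ~ /=[[:space:]]*[{]/) { found = 1; exit }
        }
        END { exit !found }' "$1"
}

check_realm_consistency() {
    smb="$1"; krb="$2"; rc=0
    realm=$(ini_value "$smb" realm)
    default_realm=$(ini_value "$krb" default_realm)

    [ -n "$realm" ] || { echo "smb.conf: no realm set"; rc=1; }
    [ "$realm" = "$(echo "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "smb.conf: realm '$realm' must be upper case"; rc=1; }
    [ "$realm" = "$default_realm" ] \
        || { echo "krb5.conf: default_realm '$default_realm' differs from smb.conf realm '$realm'"; rc=1; }
    has_realm_stanza "$krb" "$realm" \
        || { echo "krb5.conf: no [realms] stanza for '$realm'"; rc=1; }
    return $rc
}

# Usage on the real files (run before "net ads join"):
#   check_realm_consistency /etc/samba/smb.conf /etc/krb5.conf && echo "realm settings consistent"
```

The check deliberately stops at what the two files state about each other; whether the KDC named in the stanza is actually reachable is a separate question that the join itself, or a kinit against the realm, will answer.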

Start the Daemons

User authentication settings have been set. Now we need to start our daemons and configure them to automatically start after each reboot.

Samba server:

    service smb start; chkconfig smb on

Winbind:

    service winbind start; chkconfig winbind on

Message bus daemon:

    service messagebus start; chkconfig messagebus on

Join the Samba Server to the Domain

We’ve finally reached the part where we can join our Samba server to the Active Directory domain. Run the following command to join the domain, replacing Administrator with the username of a user in your domain who has permissions to join machines:

net ads join -U Administrator