Samba authentication against Active Directory

By Roderick Derks

A guide to authenticating Samba on an HP-UX 11.23 system against Microsoft Active Directory running on W2003 R2.

General setup

Update your software if you want ADS authentication (Kerberos); I used Samba version 3.0.22.
Kerberos: http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRB5CLIENT
LDAP: https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=J4269AA
CIFS server: https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=B8725AA

  1. When using RPC for authentication (less secure), Kerberos is not needed.
  2. Edit the following files (see examples below):
    /etc/opt/samba/smb.conf
    /etc/opt/samba/smbusers.map (if not using Kerberos, and I think you don't need this one at all as long as you don't give rights to AD users or groups on Unix level)
    /etc/krb5.conf
  3. For an ADS configuration the command kinit <domainuser> must work; use klist to view the ticket it obtained. Winbind must be running, so start Samba with the -w option:
    /opt/samba/bin/startsmb -w
    /opt/samba/bin/stopsmb -w
  4. The following commands, which list all groups or users in Active Directory, must work (winbind must be running):
    /opt/samba/bin/wbinfo -g
    /opt/samba/bin/wbinfo -u
  5. The folder on Unix has the following rights (note that mode 0777 lets every local Unix account write to it; the share's read list and write list only restrict SMB clients):
    drwxrwxrwx 2 root sys /folder
  6. Create groups in Active Directory (the ones you grant rights to in smb.conf) and add users to them.
  7. To start winbind automatically when HP-UX boots, edit /etc/rc.config.d/samba and set RUN_WINBIND to 1.

Files

smb.conf

You can automatically create the global section by using the command /opt/samba/bin/samba_setup.

[global]
local master = yes
domain master = auto
domain logons = no
netbios name = <LOCAL_SERVER_NAME>
wins support = no
workgroup = <DOMAIN_NAME>
realm = <DOMAIN_NAME.COM>
preferred master = auto
server string = <Description of the server>
password server = <domaincontroller1.domain.com>, *
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/adm/%m
max log size = 50
winbind separator = +
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
directory mask = 0775

[folders]
comment = folders
path = /tmp/testfolder
browseable = yes
read list = @GROUP_READ
write list = @GROUP_WRITE
valid users = @GROUP_READ,@GROUP_WRITE

krb5.conf

[logging]
default = FILE:/var/adm/krb5libs.log
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kadmind.log

[libdefaults]
default_realm = <DOMAIN_NAME.COM>
default_tkt_enctypes = DES-CBC-MD5 DES-CBC-CRC
default_tgs_enctypes = DES-CBC-MD5 DES-CBC-CRC
ccache_type = 2

[realms]
<DOMAIN_NAME.COM> = {
kdc = <domaincontroller1.domain.com>:88
kdc = <domaincontroller2.domain.com>:88
admin_server = <domaincontroller1.domain.com>
}

[domain_realm]
<.domainname.com> = <DOMAINNAME.COM>

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

smb.conf not using kerberos

If you don't want ADS authentication (Kerberos), smb.conf looks like this:

[global]
workgroup = <DOMAIN>
security = domain
password server = <domaincontroller1.domain.com>
allow trusted domains = No
preferred master = no
local master = no
domain master = no
idmap backend = idmap_rid: <activedirectorydomainname>=10000-30000
idmap uid = 10000-30000
idmap gid = 10000-30000

username map = /etc/opt/samba/smbusers.map

winbind use default domain = Yes
winbind separator = "+"

log file = /var/opt/samba/log.%m
max log size = 1000
directory mask = 0775
include = /etc/opt/samba/smb.conf.%m
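As an added example (not code from the original post), a small Python checker that parses smb.conf and krb5.conf the way Samba reads parameter names and flags the settings this guide depends on: security = domain instead of ADS, missing idmap ranges, a realm mismatch between the two files, the single-DES enctypes from the krb5.conf above, and a share without a valid users list. The embedded configs are constructed samples with EXAMPLE.COM as a placeholder realm.

```python
import re
# Constructed samples modelled on this guide's ADS configs (not the author's files);
# EXAMPLE.COM is a placeholder realm.
SMB_CONF = """[global]
security = ADS
realm = EXAMPLE.COM
idmap uid = 10000-20000
idmap gid = 10000-20000
[folders]
valid users = @GROUP_READ,@GROUP_WRITE
"""
KRB5_CONF = """[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = DES-CBC-MD5 DES-CBC-CRC
"""

def parse_conf(text):
    """Parse [section] / key = value files. Samba treats parameter names as case-
    and whitespace-insensitive, so keys are normalised the same way; krb5.conf's
    brace-delimited realm blocks are not needed for these checks."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf[section] = {}
        elif "=" in line and section is not None and line[0] not in "#;":
            key, _, val = line.partition("=")
            conf[section][re.sub(r"\s+", "", key).lower()] = val.strip().strip('"')
    return conf

def audit(smb_text, krb5_text):
    """Return findings for the settings this guide touches."""
    smb = parse_conf(smb_text)
    krb = parse_conf(krb5_text).get("libdefaults", {})
    glob, findings = smb.get("global", {}), []
    if glob.get("security", "").lower() != "ads":
        findings.append("security is not ADS: logons use RPC/NTLM instead of Kerberos")
    for key in ("idmapuid", "idmapgid"):
        if not re.fullmatch(r"\d+-\d+", glob.get(key, "")):
            findings.append(f"{key}: no range, winbind cannot map AD accounts")
    if glob.get("realm", "").upper() != krb.get("default_realm", "").upper():
        findings.append("realm in smb.conf differs from default_realm in krb5.conf")
    enctypes = krb.get("default_tkt_enctypes", "") + " " + krb.get("default_tgs_enctypes", "")
    if "DES-CBC" in enctypes.upper():
        findings.append("single-DES enctypes: disabled by default on Windows Server 2008 R2+ DCs")
    for name, share in smb.items():
        if name != "global" and not share.get("validusers"):
            findings.append(f"[{name}]: no valid users, any domain account can connect")
    return findings
```

Run audit() on your real files to see the list of findings; on the W2003 R2 setup in this guide the DES finding is expected, but it matters when the domain controllers are later upgraded.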

smbusers.dat

You then have to create the smbusers.dat file:
root = sqladmin

Voilà

Roderick Derks

Lover of cycling, of solving IT puzzles, and of sharing information to help others.
