A guide to authenticating Samba on an HP-UX 11.23 system against Microsoft Active Directory running on Windows 2003 R2.
General setup
Update your software if you want ADS authentication (Kerberos); I used Samba version 3.0.22.
Kerberos: http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRB5CLIENT
LDAP: https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=J4269AA
CIFS server: https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=B8725AA
- When using RPC for authentication (less secure), Kerberos is not needed.
- Edit the following files (see examples below):
/etc/opt/samba/smb.conf
/etc/opt/samba/smbusers.map (if not using Kerberos; I think you don't need this one at all as long as you don't give rights to AD users or groups at the Unix level)
/etc/krb5.conf - the command kinit <domainuser> must work if you want an ADS config; use klist to view the ticket it obtains. Note that the DES encryption types in the example krb5.conf below suit a 2003-era domain; newer domain controllers disable DES by default.
- winbind must run, so start Samba with option -w:
/opt/samba/bin/startsmb -w
/opt/samba/bin/stopsmb -w
- The following commands, which list all groups or users in Active Directory, must work (winbind must be running):
/opt/samba/bin/wbinfo -g
/opt/samba/bin/wbinfo -u
- The folder on Unix has the following rights (world-writable at the Unix level, so the read/write lists in smb.conf are the only thing restricting access; any local Unix user can write to it directly):
drwxrwxrwx 2 root sys /folder
- Create groups in Active Directory (the ones you grant rights to in smb.conf) and add users to them.
- To automatically start winbind when HP-UX starts, go to /etc/rc.config.d/samba and set RUN_WINBIND to 1.
Files
smb.conf
You can automatically create the global section by using the command /opt/samba/bin/samba_setup.
[global]
local master = yes
domain master = auto
domain logons = no
netbios name = <LOCAL_SERVER_NAME>
wins support = no
workgroup = <DOMAIN_NAME>
realm = <DOMAIN_NAME.COM>
preferred master = auto
server string = <Description of the server>
password server = <domaincontroller1.domain.com>, *
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/adm/%m
max log size = 50
winbind separator = +
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
directory mask = 0775
[folders]
comment = folders
path = /tmp/testfolder
browseable = yes
read list = @GROUP_READ
write list = @GROUP_WRITE
valid users = @GROUP_READ,@GROUP_WRITE
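To make the access rules of the [folders] share concrete, here is an added Python example (not part of the original guide) that parses the share definition and reports the effective access for a user with given AD group memberships, following Samba's own precedence: valid users is a hard allow-list, write list overrides read list, and otherwise the share's default of read only = yes applies. The user and group names in the usage block are constructed; it does not model the Unix permissions of the directory itself.

```python
import configparser

# Constructed excerpt of the [folders] share defined in the smb.conf above.
SMB_CONF = """\
[folders]
comment = folders
path = /tmp/testfolder
browseable = yes
read list = @GROUP_READ
write list = @GROUP_WRITE
valid users = @GROUP_READ,@GROUP_WRITE
"""

def parse_smb_conf(text):
    """smb.conf is ini-like; keys are case-insensitive and may contain spaces."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str.lower
    cp.read_string(text)
    return cp

def _entries(value):
    """Split a 'read list'-style value on commas and whitespace."""
    return [e for e in value.replace(",", " ").split() if e]

def _in_list(entries, user, groups):
    """'@name', '+name' and '&name' denote groups; a bare name is a user."""
    return any(e[1:] in groups if e[0] in "@+&" else e == user for e in entries)

def effective_access(cp, share, user, groups):
    """Return 'denied', 'read-only' or 'read-write'. Group names are the plain
    AD names winbind returns with 'winbind use default domain = yes'."""
    s = cp[share]
    valid = _entries(s.get("valid users", ""))
    if valid and not _in_list(valid, user, groups):
        return "denied"  # 'valid users' is a hard allow-list for the share
    # Share default is 'read only = yes' unless 'writeable = yes' is set.
    read_only = not s.getboolean("writeable",
                                 fallback=not s.getboolean("read only", fallback=True))
    if _in_list(_entries(s.get("write list", "")), user, groups):
        read_only = False  # 'write list' grants write even on a read-only share
    elif _in_list(_entries(s.get("read list", "")), user, groups):
        read_only = True   # 'read list' forces read-only on a writeable share
    return "read-only" if read_only else "read-write"

if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for who, grp in (("alice", {"GROUP_READ"}), ("bob", {"GROUP_WRITE"}),
                     ("carol", {"GROUP_READ", "GROUP_WRITE"}), ("dave", {"Domain Users"})):
        print(who, sorted(grp), "->", effective_access(conf, "folders", who, grp))
```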
krb5.conf
[logging]
default = FILE:/var/adm/krb5libs.log
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kadmind.log
[libdefaults]
default_realm = <DOMAIN_NAME.COM>
default_tkt_enctypes = DES-CBC-MD5 DES-CBC-CRC
default_tgs_enctypes = DES-CBC-MD5 DES-CBC-CRC
ccache_type = 2
[realms]
<DOMAIN_NAME.COM> = {
kdc = <domaincontroller1.domain.com>:88
kdc = <domaincontroller2.domain.com>:88
admin_server = <domaincontroller1.domain.com>
}
[domain_realm]
<.domainname.com> = <DOMAINNAME.COM>
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
smb.conf not using Kerberos
If you don't want ADS authentication (Kerberos), smb.conf looks like this:
[global]
workgroup = <DOMAIN>
security = domain
password server = <domaincontroller1.domain.com>
allow trusted domains = No
preferred master = no
local master = no
domain master = no
idmap backend = idmap_rid: <activedirectorydomainname>=10000-30000
idmap uid = 10000-30000
idmap gid = 10000-30000
username map = /etc/opt/samba/smbusers.map
winbind use default domain = Yes
winbind separator = +
log file = /var/opt/samba/log.%m
max log size = 1000
directory mask = 0775
include = /etc/opt/samba/smb.conf.%m
smbusers.map
And then you have to create the smbusers.map file (the username map referenced in smb.conf):
root = sqladmin
Voilà