Debian Squeeze based Samba server with AD Kerberos and LDAP
Prev Linux Authenticating against Active Directory Next

Debian Squeeze based Samba server with AD Kerberos and LDAP

  1. Prepare for Kerberos installation

    Create any file - say - debconf-kerberos-settings (see for explanations): 

    # Kerberos servers for your realm:
krb5-config krb5-config/kerberos_servers string wspace.mydomain.com adsvr01.wspace.mydomain.com adsvr02.wspace.mydomain.com adsvr03.wspace.mydomain.com adsvr04.wspace.mydomain.com

# Default Kerberos version 5 realm:
krb5-config krb5-config/default_realm string WSPACE.MYDOMAIN.NL

# Local realm name:
heimdal-kdc heimdal/realm string WSPACE.MYDOMAIN.NL

# Administrative server for your Kerberos realm:
krb5-config krb5-config/admin_server string wspace.mydomain.com

# Does DNS contain pointers to your realm's Kerberos Servers?
krb5-config krb5-config/dns_for_default boolean true

# Add locations of default Kerberos servers to /etc/krb5.conf?
krb5-config krb5-config/add_servers boolean false

    ... and feed them into debconf:

    apprentice@srv25:~$ cat debconf-kerberos-settings |sudo debconf-set-selections

  2. Install packages

    apprentice@srv25:~$ sudo apt-get install samba sssd heimdal-clients libnss-sss libpam-sss
    <snip>

  3. Configure sssd

    /etc/default/sssd: 

    DAEMON_OPTS="-d3 -f /var/log/sssd.log"

    /etc/sssd/sssd.conf (be sure to chmod to 600): 

    [sssd]
config_file_version = 2
domains = wspace.mydomain.com
services = nss, pam

[nss]

[pam]

[domain/wspace.mydomain.com]
description = LDAP domain with AD server
debug_level = 9

cache_credentials = true
enumerate = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
#access_provider = ldap
access_provider = permit

# Uncomment if service discovery is not working
ldap_uri = ldap://wspace.mydomain.com/

# Uncomment if using SASL/GSSAPI to bind and a valid /etc/krb5.keytab exists
#ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is not available
#ldap_sasl_authid = CLIENT$@REALM

# Define these only if anonymous binds are not allowed and no keytab is available
ldap_default_bind_dn = CN=ListAccount,OU=Maintenance accounts,OU=Users,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com?sub?uid=*
ldap_default_authtok_type = password
ldap_default_authtok = ENUMpass

ldap_schema = rfc2307bis

ldap_search_base = dc=wspace,dc=mydomain,dc=com

# It looks like the ?sub?search notation is also accepted: (albeit not needed)
#ldap_user_search_base = ou=users,ou=mydomain,dc=wspace,dc=mydomain,dc=com?sub?uid=*
ldap_user_search_base = ou=users,ou=mydomain,dc=wspace,dc=mydomain,dc=com
ldap_user_object_class = person

ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_search_base = ou=workgroups,ou=mydomain,dc=wspace,dc=mydomain,dc=com
ldap_group_object_class = group

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_pwd_policy = none

#krb5_server = wspace.mydomain.com
krb5_realm = WSPACE.MYDOMAIN.NL

# Don't forget the trailing newline

    ... then (re)start the daemon:

    apprentice@srv25:~$ sudo service sssd restart

  4. Configure libnss

    /etc/nsswitch.conf: 

    passwd:         compat sss
group:          compat sss
shadow:         compat sss

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss

  5. Configure Kerberos

    /etc/krb5.conf needs this in the libdefaults section: 

        default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    permitted_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC

  6. Configuring Samba

    /etc/samba/smb.conf (diff from distributed file): 

       realm = WSPACE.MYDOMAIN.NL
   kerberos method = system keytab

   log level = 1 
; tdb:1
; printdrivers:0
; lanman:0
; smb:1
; rpc_parse:1
; rpc_srv:1
; rpc_cli:1
; passdb:1
; sam:0
; auth:3
; winbind:3
; vfs:1
; idmap:1
; quota:0
; acls:1
; locking:0
; msdfs:0
; dmapi:0
; registry:0

   security = ADS

# Something to mount
[exported]
   comment = Exported dir
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = U1234567
   path = /srv/exported
   guest ok = no

    apprentice@srv25:~$ /etc/init.d/samba restart

  7. Joining the Domain

    apprentice@srv25:~$ sudo net ADS JOIN -U 'unixJOINer%JOINpwd' createupn=host/$(hostname -f)@WSPACE.MYDOMAIN.NL createcomputer='OU=Extra Workstations,OU=Computers,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com'

  8. Adding a principal for CIFS

    This may be unnecessary...

    apprentice@srv25:~$ sudo net ADS keytab add cifs/$(hostname -f)@WSPACE.MYDOMAIN.NL -U 'unixJOINer%JOINpwd'

  9. Testing

    (On the client (Ubuntu, configured as in :)

    root@clnt-3-53:~# smbclient -k -L //srv25.srvlan.mydomain.com/exported
    <snip>
    root@clnt-3-53:~# mount.cifs //srv25.srvlan.mydomain.com/exported  /mnt/srv25/ -o sec=krb5 -v
    mount.cifs kernel mount options: ip=192.168.63.120,unc=\\srv25.srvlan.mydomain.com\exported,sec=krb5,ver=1,user=root,pass=********

Prev Up Next
Ubuntu NFS4 server/client with AD Kerberos/LDAP  Home PXE install of SuSE Linux Enterprise Server 11 SP1