Overview
In small environments, administering Linux servers using only local accounts is manageable. However, in large environments hosting many hundreds or thousands of servers, the task of administering each server, manually maintaining user accounts and passwords would be a very daunting task. A central Identity and Access solution is required to effectively manage such environments. In large Microsoft Windows datacenters, you typically see Active Directory being used as the Identity and Access solution.
Samba is able to connect to your Active Directory domain to authenticate user credentials from your Windows environment. However, since Samba does not maintain a central identity store, UIDs and GIDs for each user will be different between each Samba server.
Where Does This Fit In
- Small linux environment in a Windows-based infrastructure
Before You Begin
Before you move ahead with this tutorial there are a few prerequisites that must be met in your environment.
- Active Directory Domain
- Identity Management for Unix installed on domain controllers.
- One CentOS 6 server
- This lab will use the following variables. You’ll need to modify these to match your own environment.
- Domain: CONTOSO.COM
- Domain Controller: DC01.CONTOSO.COM
- Samba Server Name: LINUX-SRV1
Install Required Linux Packages
Install the following packages onto your Linux machine. You will not be able to join the Active Directory domain or authenticate using domain credentials without them.
- Samba
- Samba-winbind
- oddjob-mkhomedir
To install all three packages at the same time, run the following command as root or with root privileges.
yum install samba samba-winbind oddjob-mkhomedir
Configuring Samba
Samba is a critical component that allows Linux to interact with Windows. It must be configured to make the Linux server appear as a Windows computer on the network, using NetBIOS names and domain prefixes.
- Make a backup copy of /etc/samba/smb.conf
cp /etc/samba/smb.conf /etc/samba/smb.conf.old
- Open /etc/samba/smb.conf in a text editor. For this example, I’ll use vi.
vi /etc/samba/smb.conf
- Edit smb.conf to resemble the example below. The lines you must change to match your environment are netbios name, realm, password server and workgroup; they are explained after the example.
[global]
   log file = /var/log/samba/log.%m
   max log size = 50
   security = ads
   netbios name = LINUX-SRV1
   realm = CONTOSO.COM
   password server = MYDC01.CONTOSO.COM MYDC02.CONTOSO.COM
   workgroup = CONTOSO
   idmap uid = 10000-500000
   idmap gid = 10000-500000
   winbind separator =
   winbind enum users = no
   winbind enum groups = no
   winbind use default domain = yes
   template homedir = /home/%U
   template shell = /bin/bash
   client use spnego = yes
   domain master = no
Understanding the options we’re defining:
- netbios name: the NetBIOS (single-label) name the Samba server will present to Windows clients.
- realm: the fully qualified name of the Active Directory domain the Samba server is joining.
- password server: a space-separated list of domain controllers that will process Samba logon requests.
- workgroup: the NetBIOS name of the domain, the domain-level counterpart of netbios name. Active Directory domains, like Windows computers, have NetBIOS names.
For more information on Samba options, go here:
http://www.samba.org/samba/docs/using_samba/ch06.html
Modify the Name Service Switch Configuration File
The Name Service Switch is used by Linux to locate account databases. By default, only local files will be consulted. We need to point Linux at the domain controllers by adding winbind as an additional database source.
- Open /etc/nsswitch.conf in a text editor.
vi /etc/nsswitch.conf
- Find the following lines:
passwd: files
group: files
And append winbind to them, as shown below:
passwd: files winbind
group: files winbind
Edit Kerberos Configuration File
Active Directory uses Kerberos, an open source network authentication protocol, to authenticate users. Before your Linux server
- Open /etc/krb5.conf in a text editor.
vi /etc/krb5.conf
- Modify it so it looks like the example below, replacing the realm and domain controller values (default_realm, the realm name under [realms], kdc, admin_server, default_domain and both [domain_realm] mappings) to match your environment. The realm name under [realms] must be exactly the same as default_realm; Kerberos realm names are case-sensitive and are written in upper case.
[libdefaults]
 default_realm = CONTOSO.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 CONTOSO.COM = {
  kdc = mydc01.contoso.com
  admin_server = mydc01.contoso.com
  default_domain = contoso.com
 }

[domain_realm]
 .contoso.com = CONTOSO.COM
 contoso.com = CONTOSO.COM
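A consistency check for the smb.conf and krb5.conf pair, written as an added example (it is not part of the original tutorial and not Samba's own tooling). It parses both files with awk and verifies that security is ads, that the realm in smb.conf equals default_realm, that [realms] defines that realm under exactly the same name, and that [domain_realm] maps the DNS domain onto it, which are the mismatches that most often make "net ads join" fail. The file paths and the constructed sample files built by write_samples are assumptions; the script needs neither Samba nor a domain to run.

```shell
#!/bin/sh
# adcheck.sh: sanity-check an smb.conf / krb5.conf pair before "net ads join".
# Added example, not part of the original tutorial. Assumes the two files are
# passed as arguments; write_samples builds constructed sample files for a dry run.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION] ("" if absent).
# Both smb.conf and krb5.conf use "key = value" lines; # and ; start comments.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur); next }
        cur == sect && index($0, "=") {
            k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# krb5_realm_names FILE: print every realm defined as "NAME = {" inside [realms].
krb5_realm_names() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur); next }
        cur == "realms" && /=[ \t]*[{][ \t]*$/ { k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k); print k }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_ad_config SMB_CONF KRB5_CONF: print one line per problem; return 0 only if
# the two files describe the same realm consistently.
check_ad_config() {
    smb_file=$1; krb_file=$2; problems=0
    security=$(ini_get "$smb_file" global security)
    smb_realm=$(ini_get "$smb_file" global realm)
    workgroup=$(ini_get "$smb_file" global workgroup)
    krb_realm=$(ini_get "$krb_file" libdefaults default_realm)
    # 1. Joining an AD domain needs security = ads, not the older domain/user modes.
    if [ "$security" != "ads" ]; then
        echo "smb.conf: security must be 'ads' (found '$security')"; problems=1
    fi
    # 2. The realm Samba joins must be the realm Kerberos uses by default.
    if [ -z "$smb_realm" ] || [ "$smb_realm" != "$krb_realm" ]; then
        echo "realm mismatch: smb.conf realm='$smb_realm', krb5.conf default_realm='$krb_realm'"; problems=1
    fi
    # 3. [realms] must define that realm (its kdc/admin_server) under exactly the same
    #    name; realm names are case-sensitive, so a stray "REALM.INTERNAL = {" leaves
    #    the default realm without any KDC and the join fails.
    if ! krb5_realm_names "$krb_file" | grep -qx -- "$krb_realm"; then
        echo "krb5.conf: [realms] does not define '$krb_realm' (defines: $(krb5_realm_names "$krb_file" | tr '\n' ' '))"; problems=1
    fi
    # 4. [domain_realm] must map the DNS domain (lower case, leading dot) onto the realm.
    mapped=$(ini_get "$krb_file" domain_realm ".$(lower "$smb_realm")")
    if [ "$mapped" != "$smb_realm" ]; then
        echo "krb5.conf: [domain_realm] lacks '.$(lower "$smb_realm") = $smb_realm'"; problems=1
    fi
    # 5. Advisory only: workgroup is the domain's NetBIOS name, normally the first DNS label.
    if [ "$(lower "$workgroup")" != "$(lower "${smb_realm%%.*}")" ]; then
        echo "warning: workgroup '$workgroup' is not the first label of realm '$smb_realm'"
    fi
    return $problems
}

# write_samples: create constructed sample files in a temp dir and print its path.
# krb5-bad.conf reproduces the [realms] name mismatch that check 3 catches.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/smb.conf" <<'EOF'
[global]
   security = ads
   netbios name = LINUX-SRV1
   realm = CONTOSO.COM
   password server = MYDC01.CONTOSO.COM MYDC02.CONTOSO.COM
   workgroup = CONTOSO
   winbind use default domain = yes
EOF
    cat > "$d/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = CONTOSO.COM
 dns_lookup_kdc = true
[realms]
 CONTOSO.COM = {
  kdc = mydc01.contoso.com
  admin_server = mydc01.contoso.com
 }
[domain_realm]
 .contoso.com = CONTOSO.COM
 contoso.com = CONTOSO.COM
EOF
    sed 's/^ CONTOSO\.COM = {/ REALM.INTERNAL = {/' "$d/krb5.conf" > "$d/krb5-bad.conf"
    echo "$d"
}

# Usage: sh adcheck.sh /etc/samba/smb.conf /etc/krb5.conf
if [ $# -eq 2 ]; then
    check_ad_config "$1" "$2"
fi
```

Run it against the real files before starting winbind; a non-zero exit with a "[realms] does not define" line is the symptom of the realm-name mismatch, and the domain_realm check catches the common mistake of writing the mapping in upper case, which Kerberos will not match against a lower-case DNS host name.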
Start the Daemons
User authentication settings have been set. Now we need to start our daemons and configure them to automatically start after each reboot.
- Samba Server
service smb start; chkconfig smb on
- Winbind
service winbind start; chkconfig winbind on
- Message Bus Daemon
service messagebus start; chkconfig messagebus on
Join the Samba Server to the Domain
We’ve finally reached the part where we can join our Samba server to the Active Directory domain. Run the following command to join the domain, replacing Administrator with the username of a user in your domain who has permissions to join machines:
net ads join -U Administrator