Joining Samba 3 on CentOS 6 to Active Directory

Overview

In small environments, administering Linux servers using only local accounts is manageable. In large environments hosting many hundreds or thousands of servers, however, administering each server and manually maintaining its user accounts and passwords would be a very daunting task. A central identity and access solution is required to manage such environments effectively. In large Microsoft Windows datacenters, Active Directory is typically the identity and access solution in use.

Samba is able to connect to your Active Directory domain to authenticate user credentials from your Windows environment. However, since Samba does not maintain a central identity store, UIDs and GIDs for each user will be different between each Samba server.

Where Does This Fit In

  • Small Linux environment in a Windows-based infrastructure

Before You Begin

Before you move ahead with this tutorial, there are a few prerequisites that must be met in your environment.

  • Active Directory Domain
  • Identity Management for Unix installed on domain controllers.
  • One CentOS 6 server
  • This lab will use the following variables. You’ll need to modify these to match your own environment.
    Domain CONTOSO.COM
    Domain Controller DC01.CONTOSO.COM
    Samba Server Name LINUX-SRV1

Install Required Linux Packages

Install the following packages onto your Linux machine. You will not be able to join the Active Directory domain or authenticate using domain credentials without them.

  • Samba
  • Samba-winbind
  • oddjob-mkhomedir

To install all three packages at the same time, run the following command as root or with root privileges.

yum install samba samba-winbind oddjob-mkhomedir

Configuring Samba

Samba is a critical component that allows Linux to interact with Windows. It must be configured to make the Linux server appear as a Windows computer on the network, using NetBIOS broadcasts and domain prefixes.

  1. Make a backup copy of /etc/samba/smb.conf
    cp /etc/samba/smb.conf /etc/samba/smb.conf.old
  2. Open /etc/samba/smb.conf into a text editor. For this example, I’ll use VI.
    vi /etc/samba/smb.conf
  3. Edit smb.conf to resemble the example below. The netbios name, realm, password server and workgroup lines must be changed to match your environment.
    [global]
    log file = /var/log/samba/log.%m
    max log size = 50
    security = ads
    netbios name = LINUX-SRV1
    realm = CONTOSO.COM
    password server = MYDC01.CONTOSO.COM MYDC02.CONTOSO.COM
    workgroup = CONTOSO
    idmap uid = 10000-500000
    idmap gid = 10000-500000
    winbind separator =  
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    template homedir = /home/%U
    template shell = /bin/bash
    client use spnego = yes
    domain master = no

    Understanding the options we're defining:

    netbios name The NetBIOS (single-label) name the Samba server will present to Windows clients.
    realm Fully qualified name of the Active Directory domain the Samba server is joining.
    password server List of domain controllers, separated by spaces, that will process Samba logon requests.
    workgroup The NetBIOS name of the domain, in the same way that netbios name is the NetBIOS name of the Samba server. Active Directory domains, like Windows computers, have NetBIOS names.
    For more information on Samba options, go here:
    http://www.samba.org/samba/docs/using_samba/ch06.html

Modify the Name Service Switch Configuration File

The Name Service Switch is used by Linux to locate account databases. By default, only local files will be accessed. We need to point Linux to a domain controller by adding winbind as a database source.

  1. Open /etc/nsswitch.conf into a text editor.
    vi /etc/nsswitch.conf
  2. Find the following lines:
    passwd: files
    group: files

    And append winbind to them, as shown below:

    passwd: files winbind
    group: files winbind

Edit the Kerberos Configuration File

Active Directory uses Kerberos, an open source network authentication protocol, to authenticate users. Before your Linux server

  1. Open /etc/krb5.conf into a text editor
    vi /etc/krb5.conf
  2. Modify it so it looks like the example below. The default_realm setting, the [realms] block and the [domain_realm] mappings must be changed to match your environment.
    [libdefaults]
    default_realm = CONTOSO.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    
    [realms]
    CONTOSO.COM = {
      kdc = mydc01.contoso.com
      admin_server = mydc01.contoso.com
      default_domain = contoso.com
    }
    [domain_realm]
    .contoso.com = CONTOSO.COM
    contoso.com = CONTOSO.COM
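
The smb.conf, nsswitch.conf and krb5.conf edits above have to agree with each other: a realm that differs between smb.conf and krb5.conf, a missing kdc entry for that realm, an idmap range that overlaps local accounts, or a passwd line without winbind are common reasons a join or a later user lookup fails. The following Python script is an added example, not part of this tutorial, that parses the three files and reports such mismatches before you run the join. The file contents embedded in it are constructed samples mirroring the CONTOSO.COM values used above (MYDC01/MYDC02 are the tutorial's placeholder controllers), and the 1000 lower bound it enforces on the idmap range is an assumption chosen to stay clear of local accounts; nothing here is Samba's own code.

```python
"""Added example: cross-check smb.conf, krb5.conf and nsswitch.conf before 'net ads join'."""
import re

# Constructed sample files mirroring the tutorial's CONTOSO.COM values (not real hosts).
SMB_CONF = """\
[global]
security = ads
netbios name = LINUX-SRV1
realm = CONTOSO.COM
password server = MYDC01.CONTOSO.COM MYDC02.CONTOSO.COM
workgroup = CONTOSO
idmap uid = 10000-500000
idmap gid = 10000-500000
"""

KRB5_CONF = """\
[libdefaults]
default_realm = CONTOSO.COM
[realms]
CONTOSO.COM = {
  kdc = mydc01.contoso.com
  admin_server = mydc01.contoso.com
}
[domain_realm]
.contoso.com = CONTOSO.COM
contoso.com = CONTOSO.COM
"""

NSSWITCH_CONF = """\
passwd:   files winbind
group:    files winbind
"""


def parse_ini_like(text):
    """{section: {key: value}} for smb.conf/krb5.conf text; krb5 realm blocks flatten to 'name.key'."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()  # values keep case: realms are case-sensitive
        if value == "{":
            block = key
            continue
        sections.setdefault(section, {})[f"{block}.{key}" if block else key] = value
    return sections


def parse_nsswitch(text):
    """{database: [sources...]} from nsswitch.conf text."""
    dbs = {}
    for raw in text.splitlines():
        name, sep, sources = raw.split("#", 1)[0].partition(":")
        if sep:
            dbs[name.strip()] = sources.split()
    return dbs


def check_join_prereqs(smb_text, krb5_text, nss_text):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    g = parse_ini_like(smb_text).get("global", {})
    krb = parse_ini_like(krb5_text)
    nss = parse_nsswitch(nss_text)
    realm = g.get("realm", "")
    if g.get("security", "").lower() != "ads":
        problems.append("smb.conf: security must be 'ads' for an AD member server")
    if not realm or realm != realm.upper():
        problems.append("smb.conf: realm must be set in upper case (Kerberos realms are case-sensitive)")
    # idmap ranges: LOW-HIGH, ascending, and above local accounts (useradd starts at
    # UID_MIN, 500 on CentOS 6 and 1000 on later releases; 1000 is assumed as the floor).
    for opt in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", g.get(opt, ""))
        if not m or int(m.group(1)) < 1000 or int(m.group(1)) >= int(m.group(2)):
            problems.append(f"smb.conf: {opt} must be LOW-HIGH with LOW >= 1000")
    # Kerberos: the realm Samba joins must be libkrb5's default realm, have a KDC
    # entry, and be the realm the domain's DNS names map to.
    if krb.get("libdefaults", {}).get("default_realm") != realm:
        problems.append(f"krb5.conf: default_realm does not match smb.conf realm '{realm}'")
    if not krb.get("realms", {}).get(f"{realm.lower()}.kdc"):
        problems.append(f"krb5.conf: no kdc defined for realm {realm}")
    if krb.get("domain_realm", {}).get(f".{realm.lower()}") != realm:
        problems.append(f"krb5.conf: [domain_realm] does not map .{realm.lower()} to {realm}")
    # NSS: passwd and group must list winbind after files, so local accounts
    # (root included) still resolve when the domain is unreachable.
    for db in ("passwd", "group"):
        src = nss.get(db, [])
        if "winbind" not in src or "files" not in src or src.index("files") > src.index("winbind"):
            problems.append(f"nsswitch.conf: {db} must read 'files winbind'")
    return problems


if __name__ == "__main__":
    print(check_join_prereqs(SMB_CONF, KRB5_CONF, NSSWITCH_CONF) or "OK: files agree")
```

To run it against a real server, pass the contents of /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf as the three arguments. An empty result only means the files are consistent with each other; whether the domain actually accepts the machine is proven by the join itself.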
    

Start the Daemons

User authentication settings have been set. Now we need to start our daemons and configure them to automatically start after each reboot.

  1. Samba Server
    service smb start; chkconfig smb on
  2. Winbind
    service winbind start; chkconfig winbind on
  3. Message Bus Daemon
    service messagebus start; chkconfig messagebus on

Join the Samba Server to the Domain

We’ve finally reached the part where we can join our Samba server to the Active Directory domain. Run the following command to join the domain, replacing Administrator with the username of a user in your domain who has permissions to join machines:

net ads join -U Administrator