Quick HOWTO: Samba implementation with Active Directory authentication in Linux

Advantages:

1. Administrators don't need to create or maintain separate accounts for Samba shares.
2. Users don't need to remember a separate password for Samba.
3. Users can change their Samba password without the system administrator's help.
4. Users' home drives can be mapped via a login script when they log in to their PCs, laptops or Citrix sessions.



Implementation:

We are going to use the Kerberos authentication method here. There are two files to edit to achieve this:

a. /etc/samba/smb.conf
b. /etc/krb5.conf


Modify /etc/samba/smb.conf as follows (replace every value in parentheses with your own):

#========== Global Settings ========

[global]
log file = /var/log/samba/%m.log
realm = (DOMAIN NAME IN CAPS)
dns proxy = no
server string = Samba Server
password server = (domain controller name)
path = /var/spool/cups
workgroup = (Netbios name of domain)
security = ADS
max log size = 50
pam password change = yes
wins server = (wins server name)

#======= Share Definitions =========

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
guest ok = yes
writeable = no
printable = yes
public = yes
use client driver = yes
path = /var/spool/samba




Modify /etc/krb5.conf as follows (the realm must be the domain name in capitals, and it must match the realm you set in smb.conf):

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = (DOMAIN NAME IN CAPS)
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
(DOMAIN NAME IN CAPS) = {
kdc = (domain controller server):88
admin_server = (domain controller server):749
default_domain = (domain name)
}

[domain_realm]
.(domain name) = (DOMAIN NAME IN CAPS)
(domain name) = (DOMAIN NAME IN CAPS)

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}



Type the following commands in a terminal (DOMAINNAME is the Kerberos realm, i.e. the domain name in capitals, exactly as set in realm/default_realm above):

service winbind start

kinit administrator@DOMAINNAME

net ads join -U administrator

You will be asked to enter the AD Administrator password. If the command returns without printing an error, the machine has joined the Active Directory domain. Now you are done with the setup. :)
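The join above fails in confusing ways when the two files disagree, so here is an added example (not part of the original HOWTO) of a small static check to run before "net ads join". It parses the smb.conf and krb5.conf shown above and flags a leftover "(...)" placeholder, a realm not written in capitals, a mismatch between realm and default_realm, or security not set to ADS; the sample files it creates under a temp directory and the realm EXAMPLE.COM are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the original HOWTO: a static sanity check for the
# two files above, to run before "net ads join". It flags the usual mistakes:
# a "(...)" placeholder left in, a realm not written in CAPITALS, a realm in
# smb.conf that differs from default_realm in krb5.conf, or security != ADS.
# Usage: check_ad_config /etc/samba/smb.conf /etc/krb5.conf

# Print the value of the first "key = value" line for the given key in a file.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Returns 0 when the two files are consistent, 1 otherwise (reasons on stdout).
check_ad_config() {
    smb="$1"; krb="$2"; rc=0
    if grep -q '([A-Za-z ]*)' "$smb" "$krb"; then
        echo "a (placeholder) from the template is still present"; rc=1
    fi
    realm=$(conf_value "$smb" realm)
    default_realm=$(conf_value "$krb" default_realm)
    security=$(conf_value "$smb" security)
    if [ -z "$realm" ]; then
        echo "smb.conf: realm is not set"; rc=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "smb.conf: realm must be the Kerberos realm in CAPITALS"; rc=1
    fi
    if [ "$realm" != "$default_realm" ]; then
        echo "smb.conf realm '$realm' differs from krb5.conf default_realm '$default_realm'"; rc=1
    fi
    case "$security" in
        [Aa][Dd][Ss]) ;;
        *) echo "smb.conf: security must be ADS for Active Directory logons"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample files so the check runs stand-alone (EXAMPLE.COM is made up).
tmp=$(mktemp -d)
printf '[global]\nrealm = EXAMPLE.COM\nsecurity = ADS\n' > "$tmp/smb.conf"
printf '[libdefaults]\ndefault_realm = EXAMPLE.COM\n' > "$tmp/krb5.conf"
printf '[global]\nrealm = example.com\nsecurity = user\n' > "$tmp/smb_bad.conf"
printf '[global]\nrealm = (DOMAIN NAME IN CAPS)\nsecurity = ADS\n' > "$tmp/smb_tpl.conf"

check_ad_config "$tmp/smb.conf" "$tmp/krb5.conf" && echo "sample config is consistent"
```

Point it at the real /etc/samba/smb.conf and /etc/krb5.conf once you have filled in the values; a non-zero exit lists what still needs fixing.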

