Friday, August 19, 2016

Windows Active Directory Integration with Samba for RHEL & CentOS

Active Directory Integration with Samba for RHEL/CentOS 5



This article shows how to join a RHEL/CentOS 5 server to an Active Directory domain, how to make the Active Directory user accounts visible as Linux user accounts, and how to authenticate those users against Active Directory using Winbind, a component of Samba.

Samba is installed by default when you select the Server installation type during installation. To check whether the smb service is running, type

[root@localhost ~]# service smb status

If it is not installed:

[root@localhost ~]# yum install samba

On RHEL/CentOS 5 the winbind daemon and wbinfo ship in the samba-common package, which the samba package pulls in; kinit and klist, useful for checking the Kerberos side, come from krb5-workstation. Check the winbind status with (service names are case-sensitive, so it is winbind, not Winbind):

[root@localhost ~]# service winbind status

Four configuration files need to be changed:

1. /etc/samba/smb.conf
2. /etc/pam.d/system-auth-ac
3. /etc/nsswitch.conf
4. /etc/krb5.conf

Take a backup of each file before modifying it. A broken system-auth-ac or nsswitch.conf can lock you out of the server, so keep a root shell open until a fresh login has been tested.



Changes according to the files

 /etc/samba/smb.conf

Make the changes below in your smb.conf file. Samba uses the last value it reads for a parameter, so make sure that security, realm and passdb backend each appear only once in [global]; a stray second "security =" line further down the file silently overrides the first one.

#=============== Global Settings ==========
[global]
# ----------------------- Network Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
# For an Active Directory member this is the short (NetBIOS) domain name,
# not the DNS name.
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect and you can
# specify it as a per share option as well
#
        workgroup = (NetBIOS domain name, e.g. EXAMPLE)
        server string = Samba Server Version %v

;       netbios name = MYSERVER

;       interfaces = lo eth0 192.168.1.2/24  (your own address range)
;       hosts allow = 127. 192.168.1. 192.168.0.

        interfaces = lo eth0 192.168.0.47/24
        hosts allow = 127. 192.168.0. 192.168.40.

# ----------------------- Domain Member Options ------------------------
#
# Security must be set to domain or ads. For an Active Directory member
# use ads and set realm to the Kerberos realm, which is the AD DNS domain
# in UPPER CASE. "security = user" is the standalone-server mode and must
# not appear anywhere in this file, because Samba keeps the last value it
# reads and a later line would override this one.
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use the password server option only if you can't use DNS to locate
# domain controllers; "password server = *" auto-locates them.
#
        security = ads
        realm = (AD DNS domain in UPPER CASE, e.g. EXAMPLE.COM)
        passdb backend = tdbsam
;       password server = *

        encrypt passwords = yes
;       smb passwd file = /etc/samba/smbpasswd   (only used by the smbpasswd backend)
        allow trusted domains = yes
        unix password sync = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        pam password change = yes
        obey pam restrictions = yes
# The 8 KB SO_RCVBUF/SO_SNDBUF values found in older HOWTOs throttle
# transfers; leave the buffer sizes to the kernel.
        socket options = TCP_NODELAY
        dns proxy = no

# ----------------------- Winbind Options ------------------------
#
# idmap uid/gid (Samba 3.0 syntax) is the range of local UIDs/GIDs that
# winbind hands out to domain accounts. The mapping lives in a local tdb
# and is allocated on first use, so the same domain user can receive a
# different UID on another server; keep the range clear of local accounts.
#
# winbind use default domain = yes exposes accounts of the joined domain
# as plain "user" instead of "DOMAIN#user"; accounts from trusted domains
# keep the prefix, using winbind separator (the default separator is "\").
# Enumerating users and groups is convenient for testing but expensive on
# a large domain; it can be switched off once the setup works.
#
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        winbind use default domain = yes
        winbind separator = #
        winbind enum users = yes
        winbind enum groups = yes
        template shell = /bin/bash
        template homedir = /home/%U

# A publicly accessible directory, but read only, except for people in
# the "staff" group. public = yes allows guest access, so keep the share
# read-only and grant write access by group.

        [public]
        comment = Public Stuff
        path = /home/public
        public = yes
        writable = no
        printable = no
        write list = +staff
===========================================

/etc/pam.d/system-auth-ac

This file is generated by authconfig, and running authconfig again overwrites it, so reapply these lines afterwards. pam_winbind is what actually authenticates domain users; pam_krb5 is kept so that a Kerberos ticket is obtained at login, and pam_mkhomedir creates the home directory on first login (the skel path must be absolute).

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
#account     requisite      pam_succeed_if.so user ingroup unix

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0027
session     optional      pam_krb5.so

==========================================================

/etc/nsswitch.conf

libnss_winbind implements only the passwd and group databases, so winbind belongs on those two lines (listing it for shadow is harmless but unused). Adding it to services, protocols, netgroup or automount does nothing: glibc finds no such lookup function in the module and moves on. Leave hosts on files dns; name resolution has to come from DNS servers that carry the Active Directory SRV records, not from winbind.

# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files winbind
shadow:     files winbind
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus

=========================================================
/etc/krb5.conf

Kerberos realm names are case-sensitive, and an Active Directory realm is the DNS domain in upper case, so write the realm in upper case everywhere it appears and the DNS domain in lower case in [domain_realm]. With dns_lookup_kdc = true the library finds the domain controllers through the _kerberos._tcp SRV records, so /etc/resolv.conf must point at DNS servers that carry them (normally the domain controllers themselves); the explicit kdc line is then only a fallback. Kerberos rejects tickets when the client clock is more than five minutes off the DC, so run ntpd against the domain controllers. The admin_server entry is the MIT kadmin port; Active Directory does not run kadmin, so that line is unused but harmless.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = (REALM: the AD DNS domain in UPPER CASE, e.g. EXAMPLE.COM)
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 (REALM) = {
  kdc = (domain controller FQDN):88
  admin_server = (domain controller FQDN):749
  default_domain = (DNS domain in lower case, e.g. example.com)
 }

[domain_realm]
 .(DNS domain in lower case) = (REALM)
 (DNS domain in lower case) = (REALM)

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

==========================================================

/etc/hosts also needs a change. The server's fully qualified name must resolve to its real address rather than to 127.0.0.1, and hostname -f should return the same name that the domain controllers' DNS holds for this address; the loopback line keeps only the localhost names:

/etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1          localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6

192.168.0.6 (servername.domain.name) (servername)
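Before the services are restarted it is worth checking the files for the mistakes a first attempt at this configuration usually contains. The script below is an added example, not part of the original post: it reads an smb.conf the way Samba does (the last value of a parameter wins), checks the realm case in krb5.conf, the winbind entries in nsswitch.conf, the pam_mkhomedir skel path and the loopback line in /etc/hosts. The sample files it writes to a temporary directory are constructed copies of the mistakes discussed above, using the hypothetical domain EXAMPLE / example.com and host server1.example.com; point the functions at the real files on the server to check those instead.

```shell
#!/bin/bash
# ad_config_lint.sh - added example, not part of the original post. Checks the
# files above for the classic mistakes: Samba keeps the LAST value it reads for a
# parameter (a second "security =" line wins), Kerberos realms must be upper-case,
# libnss_winbind serves only passwd and group, pam_mkhomedir needs an absolute skel
# path, and the server's FQDN should not sit on 127.0.0.1. The sample files are
# constructed for the hypothetical domain EXAMPLE / example.com (server1.example.com).

# Shared awk: follow the current [section] and record the last value (last) and
# occurrence count (n) of KEY. Samba ignores case and blanks in parameter names,
# so "idmap uid" is looked up as idmapuid.
SMB_AWK='
    /^[[:space:]]*[;#]/ { next }
    /^[[:space:]]*\[/   { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/].*$/, "", s)
                          gsub(/[[:space:]]/, "", s); cur = tolower(s); next }
    cur == tolower(sect) && index($0, "=") > 0 {
        k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
        if (tolower(k) == key) {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            last = v; n++
        }
    }
'
# effective_param FILE SECTION KEY -> the value Samba will actually use
effective_param() { awk -v sect="$2" -v key="$3" "$SMB_AWK"'END { print last }' "$1"; }
# count_param FILE SECTION KEY -> how often KEY is set (more than once is a smell)
count_param() { awk -v sect="$2" -v key="$3" "$SMB_AWK"'END { print n + 0 }' "$1"; }
# krb5_default_realm FILE -> the default_realm value; is_upper STRING -> 0 if no lower case
krb5_default_realm() { awk -F= '$1 ~ /^[[:space:]]*default_realm[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"; }
is_upper() { case "$1" in "" | *[[:lower:]]*) return 1 ;; esac; return 0; }
# nss_has_winbind FILE DB -> 0 when the "DB:" line of nsswitch.conf lists winbind
nss_has_winbind() {
    awk -v db="$2" '$1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") f = 1 } END { exit !f }' "$1"
}
# pam_skel_absolute FILE -> 0 when an active pam_mkhomedir line has skel=/...
pam_skel_absolute() { grep -Eq '^[^#]*pam_mkhomedir\.so.*skel=/' "$1"; }
# hosts_fqdn_on_loopback FILE FQDN -> 0 when FQDN is listed on the 127.0.0.1 line
hosts_fqdn_on_loopback() {
    awk -v h="$2" '$1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == h) f = 1 } END { exit !f }' "$1"
}

flag() { echo "$1"; lint_problems=$((lint_problems + 1)); }
# lint_ad_config SMB KRB5 NSSWITCH PAM HOSTS FQDN -> prints findings, returns their count
lint_ad_config() {
    lint_problems=0
    lint_n=$(count_param "$1" global security); lint_sec=$(effective_param "$1" global security)
    [ "$lint_n" -gt 1 ] && flag "smb.conf: security set $lint_n times; last wins, effective value '$lint_sec'"
    case "$lint_sec" in ads|domain) ;; *) flag "smb.conf: security='$lint_sec' is not a domain-member mode" ;; esac
    lint_realm=$(krb5_default_realm "$2")
    is_upper "$lint_realm" || flag "krb5.conf: default_realm '$lint_realm' must be UPPER-CASE"
    for lint_db in passwd group; do
        nss_has_winbind "$3" "$lint_db" || flag "nsswitch.conf: $lint_db does not list winbind"
    done
    for lint_db in protocols services netgroup automount; do
        nss_has_winbind "$3" "$lint_db" && flag "nsswitch.conf: winbind on $lint_db does nothing (passwd/group only)"
    done
    pam_skel_absolute "$4" || flag "system-auth-ac: pam_mkhomedir skel= missing or not absolute"
    hosts_fqdn_on_loopback "$5" "$6" && flag "hosts: $6 sits on 127.0.0.1; use the real address only"
    return "$lint_problems"
}

# --- constructed sample files reproducing the post's configuration -------------
LINT_DIR=$(mktemp -d)
cat > "$LINT_DIR/smb.conf" <<'EOF'
[global]
        workgroup = EXAMPLE
        security = ads
        realm = EXAMPLE.COM
;       security = server
        security = user
        passdb backend = tdbsam
        security = domain
[public]
        path = /home/public
EOF
printf '[libdefaults]\n default_realm = example.com\n dns_lookup_kdc = true\n' > "$LINT_DIR/krb5.conf"
cat > "$LINT_DIR/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
protocols:  files winbind
services:   files winbind
netgroup:   files
EOF
printf 'session     required      pam_unix.so\nsession     optional      pam_mkhomedir.so skel=etc/skel/ umask=0027\n' > "$LINT_DIR/system-auth-ac"
printf '127.0.0.1   server1.example.com localhost.localdomain localhost\n192.168.0.6 server1.example.com\n' > "$LINT_DIR/hosts"

if lint_ad_config "$LINT_DIR/smb.conf" "$LINT_DIR/krb5.conf" "$LINT_DIR/nsswitch.conf" \
                  "$LINT_DIR/system-auth-ac" "$LINT_DIR/hosts" server1.example.com; then
    echo "no problems found"
else
    echo "$? problem(s) found"   # 6 for the sample files
fi
```

The awk walker is the point of the example: Samba does not complain about a parameter set three times, it just uses the last one, so a file that starts with security = ads and ends with security = domain is a domain member in NT4 mode and Kerberos is never used. Run the same functions against /etc/samba/smb.conf and the other live files; testparm -v will confirm the effective value that effective_param reports.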

After modifying the files, start the smb and winbind services (chkconfig smb on and chkconfig winbind on make them start at boot).

[root@localhost ~]# service smb start

Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]

[root@localhost ~]# service winbind start

Starting Winbind services:                                 [  OK  ]

==========================================================

Join the Samba Server to the Domain

The join creates a computer account for this server in Active Directory and stores the machine password locally in secrets.tdb (testparm -v | grep "private dir" shows where it lives; it is root-only by default and should stay that way, since it is a credential for the domain). With security = ads the join is done over Kerberos and LDAP with net ads:

[root@localhost ~]# net ads join -U administrator

Password:

If smb.conf uses security = domain instead, the NT4-style RPC join is:

[root@localhost ~]# net rpc join -S (domain controller name) -U administrator

Password:

After entering the password, net rpc join reports:

Joined domain (Domain Name).

The account used only needs the right to join computers to the domain: by default any domain user may join up to ten machines, and the right can be delegated on an OU, so it does not have to be the domain administrator, whose password should not be typed on a member server just because the HOWTO says -U administrator. net ads testjoin reports "Join is OK" once the machine account works.

Restart the winbind and smb services so that they pick up the new machine account:

[root@localhost ~]# service smb restart

Shutting down SMB services:                                [  OK  ]
Shutting down NMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]

[root@localhost ~]# service winbind restart

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]


=========================================================

Now test by asking winbind for the users it sees in the domain (on the RHEL/CentOS packages wbinfo is /usr/bin/wbinfo; the /usr/local/samba/bin path only applies to a Samba built from source):

[root@localhost ~]# wbinfo -u

This should echo back the list of Windows users on your domain controller. For example, I get the following response:

CEO\Administrator
CEO\burdell
CEO\Guest

That listing uses the default "\" separator and shows the domain prefix. With the smb.conf above (winbind separator = #, winbind use default domain = yes) accounts of the joined domain are listed without any prefix, and only accounts from trusted domains appear as DOMAIN#user.

The same sort of thing gets the group information from the domain controller:

[root@localhost ~]# wbinfo -g

CEO\Domain Admins
CEO\Domain Users
CEO\Domain Guests
CEO\Domain Computers

wbinfo talks to winbindd directly, so a good listing proves the join and the winbind settings but not the NSS and PAM wiring. The checks that matter for logins are whether getent passwd and id resolve a domain user, and whether that user can log in over ssh and gets a home directory created.
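The script below, an added example that is not part of the original post, runs the post-join checks end to end rather than stopping at wbinfo -u: the winbindd ping, the machine-account trust secret, net ads testjoin, resolution of a domain user through NSS, and the clock skew against the domain controller (Kerberos tolerates five minutes). The domain controller dc1.example.com and the test account jdoe are hypothetical placeholders supplied through AD_DC and AD_USER; the live checks run only when AD_VERIFY_LIVE=1 is set on the joined server, so the file can also be sourced and its pure helpers tested offline.

```shell
#!/bin/bash
# verify_ad_join.sh - added example, not part of the original post. Post-join
# checks beyond "wbinfo -u": the machine-account trust, name resolution through
# NSS (what login actually uses), the Kerberos join and the clock. AD_DC and
# AD_USER are hypothetical placeholders; override them in the environment.
AD_DC=${AD_DC:-dc1.example.com}
AD_USER=${AD_USER:-jdoe}

# clock_skew_ok DC_EPOCH LOCAL_EPOCH -> 0 when the clocks are within 300 s, the
# Kerberos default; beyond that kinit and net ads fail with "Clock skew too great".
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( -skew ))
    [ "$skew" -le 300 ]
}

# winbind_name OWN_DOMAIN ACCOUNT_DOMAIN USER SEPARATOR USE_DEFAULT_DOMAIN -> the
# name winbind hands to NSS/PAM. With "winbind use default domain = yes" users of
# the joined domain are bare; trusted-domain users keep DOMAIN<separator>user.
winbind_name() {
    if [ "$5" = yes ] && [ "$1" = "$2" ]; then printf '%s\n' "$3"
    else printf '%s%s%s\n' "$2" "$4" "$3"; fi
}

# check DESCRIPTION COMMAND... -> runs COMMAND quietly and records a failure
check() {
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then echo "ok   $desc"; else echo "FAIL $desc"; failed=$((failed + 1)); fi
}

# verify_join -> one line per check, returns the number of failures. Only
# meaningful on the joined server (needs samba-common, krb5-workstation, GNU date).
verify_join() {
    failed=0
    check "winbindd answers (wbinfo -p)"             wbinfo -p
    check "machine account trust secret (wbinfo -t)" wbinfo -t
    check "Kerberos join valid (net ads testjoin)"   net ads testjoin
    check "NSS resolves $AD_USER (getent passwd)"    getent passwd "$AD_USER"
    check "id lists domain groups for $AD_USER"      id "$AD_USER"
    # "net time -S" prints the DC clock as a ctime-style stamp that GNU date parses (assumption)
    dc_time=$(net time -S "$AD_DC" 2>/dev/null)
    if [ -n "$dc_time" ] && dc_epoch=$(date -d "$dc_time" +%s 2>/dev/null) \
       && clock_skew_ok "$dc_epoch" "$(date +%s)"; then
        echo "ok   clock within 5 min of $AD_DC"
    else
        echo "FAIL clock skew vs $AD_DC (run ntpd against the domain controllers)"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Live checks run only on request so the functions can be sourced and tested offline.
if [ "${AD_VERIFY_LIVE:-0}" = 1 ]; then
    if verify_join; then echo "all checks passed"; else echo "$? check(s) failed"; fi
fi
```

Run it as AD_VERIFY_LIVE=1 AD_DC=yourdc.your.domain AD_USER=someuser sh verify_ad_join.sh after the services have been restarted. The getent and id lines are the ones that predict whether ssh logins will work, because they exercise libnss_winbind through nsswitch.conf exactly as sshd and pam_mkhomedir do; with winbind use default domain = no the account must be given as DOMAIN#user, which is what winbind_name computes.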
 


