Join Debian Lenny to Active Directory using Samba
If you install GNOME on Debian and intend to use it as a server, first thing you should do is remove the network-manager and network-manager-gnome packages. This tool can be helpful on a desktop, but since we are tweaking DNS, IP addresses, and perhaps even NIC bonding, the network-manager can screw up your settings.
aptitude purge network-manager-gnome network-manager If this is a VMware Virtual machine, install VMware tools. The prerequisites for Debian Lenny are:
aptitude install build-essential openssl libssl-dev linux-headers-$(uname -r) psmiscaptYou may have to manually create a DNS entry for your server. Just to be safe, do that now.
If you plan to support NTFS-like ACL’s, install support for it now.
aptitude install aclnow, you need to mount the partition with ACL’s enabled, to do this, edit your /etc/fstab.
nano /etc/fstabThe line I needed looked like this:
/dev/sda9 / ext3 acl,defaults 0 1The important part is to get “acl” into the options list. Dont forget the comma.
I recommend rebooting just to make sure your fstab is set before you continue.
It’s easy to screw something up here and make your system unbootable, so if you reboot, and cant get your system back up and running, get into single user mode, and use this command. (You will have to adjust /dev/sda1 to your root partition. In my experience, it is usually /dev/sda1 or /dev/hda1. Use fdisk -l to list the partitions on the disk.
mount -o remount,rw /dev/sda1Now lets get the samba and kerberos software packages installed.
aptitude install samba ntpdate smbclient winbind krb5-config krb5-userPut in the Workgroup/domain info when prompted if you like. They will set up some .conf files for you, but we’re not going to use them anyways. We wont worry about WINS for now.
Now lets stop samba and winbind:
/etc/init.d/samba stop /etc/init.d/winbind stopmove the /etc/samba files somewhere
mkdir /etc/samba/vanillaconf mv /etc/samba/* /etc/samba/vanillaconf/create your own /etc/samba/smb.conf: Make sure that the domain and realm fields are all caps.
[global] workgroup = ((DOMAIN)) server string = %h server wins support = no security = ads realm = ((DOMAIN)).COM encrypt passwords = yes obey pam restrictions = yes winbind use default domain = yes winbind enum users = yes winbind enum groups = yes template shell = /bin/bash idmap uid = 10000-20000 idmap gid = 10000-20000 sync time
ntpdate ((domain controller))now that samba knows what domain its part of, and we have a basic config for it, we need to get the authentication part working. Kerberos is the softare that communicates with your Active Directory domain to authenticate users.
nano /etc/krb5.confconfigure domain in /etc/krb5.conf. important parts:
[libdefaults] default_realm = ((domain)).COM [realms] ((DOMAIN.COM)) = { kdc = ((domain controller)) kdc = ((backup DC)) admin_server = (domain controller)) } [domain_realm] .(domain).com = (domain controller).(domain).COMdo a test by typing:
kinit [username]then type:
klistif you get some output looking like this, you are ready to go.
Ticket cache: FILE:/tmp/krb5cc_0 Default principal: (username)@(domain).COM Valid starting Expires Service principal 04/27/09 13:54:23 04/27/09 23:54:26 krbtgt/(domain).COM@(domain).COM renew until 04/27/09 23:54:23To get Debian to recognize your Active Directory users, you need to update /etc/nsswitch.conf
nano /etc/nsswitch.confadd “winbind” to the passwd and group lines. if you have “compat” in the line, put in like this:
passwd: compat winbind passwd_compat: winbind group: compat winbind group_compat: winbind Now start samba and winbind back up
/etc/init.d/winbind start /etc/init.d/samba startJoin your machine to the domain.
net ads join -U (administrative user)You should see
Joined '(server name)' to realm '(domain).com'If you see
No DNS domain configured for '(servername)'. Unable to perform DNS Update. DNS update failed!Don’t worry. Just create an entry in your DNS server for the samba machine.
Test if winbind is working properly with
wbinfo -tIf you get
checking the trust secret via RPC calls failed Could not check secretThen restart winbind:
/etc/init.d/winbind restartallow AD accounts to logon to the machine:
# /etc/pam.d/common-account account sufficient pam_winbind.so account required pam_unix.so # /etc/pam.d/common-auth auth sufficient pam_winbind.so auth required pam_unix.so use_first_pass nullok_secure# /etc/pam.d/common-session session required pam_mkhomedir.so skel=/etc/skel/ umask=0066 session sufficient pam_winbind.so session required pam_unix.soIt is critical that “obey pam restrictions” is set to “yes”. in your smb.conf for these pam settings to take effect.There are some other changes to these Pam.d settings i decided to make upon putting the server into production. I will write about that in another page [link].
Now, give your admin group from AD root access to the box
aptitude install sudo visudoadd this line:
%(domain)\\(admin's group) ALL =(ALL) ALLWhen creating shares, to give an AD user access to a share, use:(More info in the future)
valid users = (domain)\usernameto give an AD group access to a share, use:
valid users = @(domain)\groupnameSometimes, I have to reboot my windows client machine to make it work… fyi.
Sources:
- O’reilly Samba book 3rd Edition.
- http://www.ccs.neu.edu/home/battista/documentation/winbind/index.html
- …Countless articles, mailing lists, forums.
Great post! Just wanted to let you know you have a new subscriber- me!
Hi, good post. I have been woondering about this issue,so thanks for posting. I’ll definitely be coming back to your site.
Unbelievable, this document is 100% top to bottom correct! I have been attempting to PROPERLY CONFIGURE Samba to be FULLY integrated into AD with no success of any document that I have read specifically for Debian Lenny 5. I was amazed after rebooting the server and seeing all of my AD users listed in the login screen; I knew right then everything was setup properly! Setting up Samba share was not a problem… just amazing!!! We thank you.
I have the exactly same problem, But I am not sure what you mean to create an entry in DNS Server ?
can you show me how to do ?
If you see
No DNS domain configured for ‘(servername)’. Unable to perform DNS Update.
DNS update failed!
Don’t worry. Just create an entry in your DNS server for the samba machiine.
Eric,
What i mean by “create an entry in DNS server” is:
in your DNS server (many times this is also your domain controller or Router), the Samba server is looking to register and validate its hostname and IP address. If you name the server ‘sambamonkey.jungle.com’, Samba will try to make sure that the hostname it has resolves to the correct IP. If you are using Microsoft DNS server as your network’s DNS server, create a ‘host A’ entry for your samba server, and make sure that both forward and reverse lookups work correctly.
Sorry, I am still confused.
Yes, I have my DC configured also as my DNS server. The “net ads join -U” from the samba server kept reporting “No DNS domain configured for . Unable to perform DNS Update.”
How can I “create a ‘host A’ entry for my samba server ” ? I tried in the dnsmgmt console of my DC (Win2003ServerR2), but did not find good place to go.
apptagieres,
you need to create a “host A” record. Make sure that the PTR record is also created at the same time.
Hey guys! i recommend this solution! Works great!
I implemented it and make a few changes for a production Server.
All the best
THANK YOU VERY MUCH! AWESOME WORK!!!
Good guide – works well in Squeeze as well…Thanks!
I just wanted to thank you for this excellent step-by-step. You saved me a lot trouble!
I have create the DNS entry and have left and rejoined the domain and I still receive the same DNS error.
The server is in fact added to Active Directory.
Does it also need a dhcp reservation?
Nevermind needed to restart winbind
I haven’t been able to make this work, for some reason. My requirements are slightly different; our Linux systems don’t authenticate against AD, but some of them need to be running SAMBA servers within the domain. Consequently
Kerberos seems to be configured correctly; I can get tickets just fine. Our AD domain is currently running on Windows Server 2003
But when I try to join the computer to the domain, it fails:
# net ads join -U tjrc
Enter tjrc’s password:
[2010/11/24 10:45:44, 0] libads/kerberos.c:ads_kinit_password(356)
kerberos_kinit_password G2CSRV2$@INTERNAL.SANGER.AC.UK failed: Preauthentication failed
Failed to join domain: failed to connect to AD: Preauthentication failed
Googling suggests lots of people have had this problem, but no-one ever seems to have a definitive solution to it.
Any ideas?
thank you a lot, 100% correct, i add this web page in my IT bibles group ,
thank you Sir
Many thanks for this nice and working post!
Can you give me an example of this line?
%(domain)\\tcp ALL =(ALL) ALL
The sudo command is not allowing domain administrators use…
Let’s say our domain is sample.com, shoult I write:
%sample\\tcp ALL =(ALL) ALL
?
TCP is a group used in the organization i was documenting this on. I have updated the article to say “%(domain)\\(admin’s group) ALL =(ALL) ALL”.
If you have an admin group called “adminz”, it would be:
%sample\\adminz ALL =(ALL) ALL
Hi there.. I have a couple of Cent-OS servers using samba & AD… in these 2 servers Im able to write permisions to my share FROM WINDOWS… Everytime I want to add a single permision to a Folder inside any share it will give me error (error whle aplying security information to share, acces dennied).
I think is something with PAM but im not sure…
What I need is, to have a “Public Share” and granular permisions to each subfolder… for example, everyone can access to the root, then the folder Backup should be available for any group to pass trought it but they have to write only in their own folder.
Any hint?
Thanks in advance
Solrac,
If I were you, I would forget about setting the permissions through windows. I’ve never had good luck doing it. What I would do, however, is use the command line on the samba servers to set the permissions desired.
Set the parent public share folder permissions to allow anyone to r+w. (also make sure nobody can edit the permissions). Once you have the public share working acceptably, create a folder manually on your server and chown it to the AD group which needs access to it. Use chmod to make sure that other groups cannot open it.
Man you are the best God bless you
jacob,
great article, thank you very much for sharing!!! It helped me getting through rightaway.
The only issue I’m facing now is, that users do have to enter their password twice on every logon to the machine. I guess the reason lies somewhere with the pam configuration. But truely speaking, this is the part in your HowTo I did not really understand, but just typed it in…
Any hint?
Excellent, absolutely excellent. Got everything to work by looking at several resources, but yours was very concise and sharp.
May I suggest updating the last part of your wonderful work (the part on the PAM files, common-* files) to reflect the usage of pam-auth-update on Debian. For example, I only had to change /usr/share/pam-configs/winbind to include the pam_mkhomedir.so line under the “Session:” section, then run pam-auth-update… which automatically generated working copies of all the common-* files.
You saved me tons of time and mistakes. Your work is truly appreciated!