SurlyJake Blog

Join Debian Lenny to Active Directory Using Samba

| Comments

If you install GNOME on Debian and intend to use it as a server, first thing you should do is remove the network-manager and network-manager-gnome packages. This tool can be helpful on a desktop, but since we are tweaking DNS, IP addresses, and perhaps even NIC bonding, the network-manager can screw up your settings.

aptitude purge network-manager-gnome network-manager 

If this is a VMware Virtual machine, install VMware tools. The prerequisites for Debian Lenny are:

aptitude install build-essential openssl libssl-dev linux-headers-$(uname -r) psmiscapt

You may have to manually create a DNS entry for your server. Just to be safe, do that now.

If you plan to support NTFS-like ACL’s, install support for it now.

aptitude install acl

now, you need to mount the partition with ACL’s enabled, to do this, edit your /etc/fstab.

nano /etc/fstab

The line I needed looked like this:

/etc/fstab
1
/dev/sda9 / ext3 acl,defaults 0 1

The important part is to get “acl” into the options list. Dont forget the comma. I recommend rebooting just to make sure your fstab is set before you continue. It’s easy to screw something up here and make your system unbootable, so if you reboot, and cant get your system back up and running, get into single user mode, and use this command. (You will have to adjust /dev/sda1 to your root partition. In my experience, it is usually /dev/sda1 or /dev/hda1. Use fdisk -l to list the partitions on the disk.

mount -o remount,rw /dev/sda1

Now lets get the samba and kerberos software packages installed.

aptitude install samba ntpdate smbclient winbind krb5-config krb5-user

Put in the Workgroup/domain info when prompted if you like. They will set up some .conf files for you, but we’re not going to use them anyways. We wont worry about WINS for now. Now lets stop samba and winbind:

/etc/init.d/samba stop
/etc/init.d/winbind stop

move the /etc/samba files somewhere

mkdir /etc/samba/vanillaconf
mv /etc/samba/* /etc/samba/vanillaconf/

create your own /etc/samba/smb.conf: Make sure that the domain and realm fields are all caps.

/etc/samba/smb.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
[global]
workgroup = ((DOMAIN)) 
server string = %h server
wins support = no 
security = ads 
realm = ((DOMAIN)).COM 
encrypt passwords = yes 
obey pam restrictions = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
idmap uid = 10000-20000
idmap gid = 10000-20000 

sync time

ntpdate ((domain controller))

now that samba knows what domain its part of, and we have a basic config for it, we need to get the authentication part working. Kerberos is the softare that communicates with your Active Directory domain to authenticate users.

nano /etc/krb5.conf

configure domain in /etc/krb5.conf. important parts:

/etc/krb5.conf
1
2
3
4
5
6
7
8
9
10
[libdefaults]
default_realm = ((domain)).COM
[realms]
((DOMAIN.COM)) = { 
    kdc = ((domain controller)) 
    kdc = ((backup DC)) 
    admin_server = (domain controller)) 
}
[domain_realm]
.(domain).com = (domain controller).(domain).COM

do a test by typing:

kinit [username]

then type:

klist

if you get some output looking like this, you are ready to go.

Ticket cache: FILE:/tmp/krb5cc_0 Default principal: (username)@(domain).COM Valid starting Expires Service principal 04/27/09 13:54:23 04/27/09 23:54:26 krbtgt/(domain).COM@(domain).COM renew until 04/27/09 23:54:23

To get Debian to recognize your Active Directory users, you need to update /etc/nsswitch.conf

nano /etc/nsswitch.conf

add “winbind” to the passwd and group lines. if you have “compat” in the line, put in like this:

/etch/nsswitch.conf
1
2
3
4
passwd: compat winbind
passwd_compat: winbind
group: compat winbind
group_compat: winbind

Now start samba and winbind back up

/etc/init.d/winbind start
/etc/init.d/samba start

Join your machine to the domain.

net ads join -U (administrative user)

You should see

Joined '(server name)' to realm '(domain).com'

If you see

No DNS domain configured for '(servername)'. Unable to perform DNS Update. DNS update failed!

Don’t worry. Just create an entry in your DNS server for the samba machine. Test if winbind is working properly with

wbinfo -t

If you get

checking the trust secret via RPC calls failed Could not check secret

Then restart winbind:

/etc/init.d/winbind restart

allow AD accounts to logon to the machine:

/etc/pam.d/common-account
1
2
account sufficient pam_winbind.so
account required pam_unix.so
etc/pam.d/common-auth
1
2
3
auth sufficient pam_winbind.so
auth required pam_unix.so
use_first_pass nullok_secure
/etc/pam.d/common-session
1
2
3
session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
session sufficient pam_winbind.so
session required pam_unix.so

It is critical that “obey pam restrictions” is set to “yes”. in your smb.conf for these pam settings to take effect.There are some other changes to these Pam.d settings i decided to make upon putting the server into production. I will write about that in another page [link].

Now, give your admin group from AD root access to the box

aptitude install sudo visudo

add this line:

%(domain)\\(admin's group) ALL =(ALL) ALL

When creating shares, to give an AD user access to a share, use:(More info in the future)

valid users = (domain)\username

to give an AD group access to a share, use:

valid users = @(domain)\groupname

Sometimes, I have to reboot my windows client machine to make it work… fyi. Sources:

Comments