wbinfo -n "Domain Users"

It will spit out the SID for the Domain Users group. Something like this:

S-1-5-21-((some number))-((some number))-((some number)) Domain Group (2)

Take that number and change the Pam_winbind.so line in /etc/pam.d/common-session to look like this:

session sufficient pam_winbind.so require_membership_of=S-1-5-21-((some number))-((some number))-((some number)

login as root.

to set up the filesystem:

cd /home
mkdir HR
chgrp corporate_HR HR
chmod 2771 HR

set up the share:

[HR]
comment    =    share for corporate HR group
readonly    =   no
inherrit owner    =    yes
inherit permissions    =    yes
authorized users    =    @ACME\corporate_HR @ACME\admins
force group    =    ACME\corporate_HR

aptitude purge network-manager-gnome network-manager 

If this is a VMware Virtual machine, install VMware tools. The prerequisites for Debian Lenny are:

aptitude install build-essential openssl libssl-dev linux-headers-$(uname -r) psmiscapt

You may have to manually create a DNS entry for your server. Just to be safe, do that now.

If you plan to support NTFS-like ACL’s, install support for it now.

aptitude install acl

now, you need to mount the partition with ACL’s enabled, to do this, edit your /etc/fstab.

nano /etc/fstab

The line I needed looked like this:

/dev/sda9 / ext3 acl,defaults 0 1

The important part is to get “acl” into the options list. Dont forget the comma.
I recommend rebooting just to make sure your fstab is set before you continue.
It’s easy to screw something up here and make your system unbootable, so if you reboot, and cant get your system back up and running, get into single user mode, and use this command. (You will have to adjust /dev/sda1 to your root partition. In my experience, it is usually /dev/sda1 or /dev/hda1. Use fdisk -l to list the partitions on the disk.

mount -o remount,rw /dev/sda1

Now lets get the samba and kerberos software packages installed.

aptitude install samba ntpdate smbclient winbind krb5-config krb5-user

Put in the Workgroup/domain info when prompted if you like. They will set up some .conf files for you, but we’re not going to use them anyways. We wont worry about WINS for now.
Now lets stop samba and winbind:

/etc/init.d/samba stop /etc/init.d/winbind stop

move the /etc/samba files somewhere

mkdir /etc/samba/vanillaconf mv /etc/samba/* /etc/samba/vanillaconf/

create your own /etc/samba/smb.conf: Make sure that the domain and realm fields are all caps.

[global] workgroup = ((DOMAIN)) server string = %h server wins support = no security = ads realm = ((DOMAIN)).COM encrypt passwords = yes obey pam restrictions = yes winbind use default domain = yes winbind enum users = yes winbind enum groups = yes template shell = /bin/bash idmap uid = 10000-20000 idmap gid = 10000-20000 

sync time

ntpdate ((domain controller))

now that samba knows what domain its part of, and we have a basic config for it, we need to get the authentication part working. Kerberos is the softare that communicates with your Active Directory domain to authenticate users.

nano /etc/krb5.conf

configure domain in /etc/krb5.conf. important parts:

[libdefaults] default_realm = ((domain)).COM [realms] ((DOMAIN.COM)) = { kdc = ((domain controller)) kdc = ((backup DC)) admin_server = (domain controller)) } [domain_realm] .(domain).com = (domain controller).(domain).COM

do a test by typing:

kinit [username]

then type:

klist

if you get some output looking like this, you are ready to go.

Ticket cache: FILE:/tmp/krb5cc_0 Default principal: (username)@(domain).COM Valid starting Expires Service principal 04/27/09 13:54:23 04/27/09 23:54:26 krbtgt/(domain).COM@(domain).COM renew until 04/27/09 23:54:23

To get Debian to recognize your Active Directory users, you need to update /etc/nsswitch.conf

nano /etc/nsswitch.conf

add “winbind” to the passwd and group lines. if you have “compat” in the line, put in like this:

passwd: compat winbind passwd_compat: winbind group: compat winbind group_compat: winbind 

Now start samba and winbind back up

/etc/init.d/winbind start /etc/init.d/samba start

Join your machine to the domain.

net ads join -U (administrative user)

You should see

Joined '(server name)' to realm '(domain).com'

If you see

No DNS domain configured for '(servername)'. Unable to perform DNS Update. DNS update failed!

Don’t worry. Just create an entry in your DNS server for the samba machine.
Test if winbind is working properly with

wbinfo -t

If you get

checking the trust secret via RPC calls failed Could not check secret

Then restart winbind:

/etc/init.d/winbind restart

allow AD accounts to logon to the machine:

# /etc/pam.d/common-account account sufficient pam_winbind.so account required pam_unix.so 

# /etc/pam.d/common-auth auth sufficient pam_winbind.so auth required pam_unix.so use_first_pass nullok_secure

# /etc/pam.d/common-session session required pam_mkhomedir.so skel=/etc/skel/ umask=0066 session sufficient pam_winbind.so session required pam_unix.so

It is critical that “obey pam restrictions” is set to “yes”. in your smb.conf for these pam settings to take effect.There are some other changes to these Pam.d settings i decided to make upon putting the server into production. I will write about that in another page [link].

Now, give your admin group from AD root access to the box

aptitude install sudo visudo

add this line:

%(domain)\\(admin's group) ALL =(ALL) ALL

When creating shares, to give an AD user access to a share, use:(More info in the future)

valid users = (domain)\username

to give an AD group access to a share, use:

valid users = @(domain)\groupname

Sometimes, I have to reboot my windows client machine to make it work… fyi.
Sources:

• O’reilly Samba book 3rd Edition.
• http://www.ccs.neu.edu/home/battista/documentation/winbind/index.html
• …Countless articles, mailing lists, forums.

apt-get install samba

edit the config:

nano /etc/samba/smb.conf

set security to “share”

security = share

and guest account to nobody

guest account = nobody

then you just need to create your share like this:

[guest share]
comment = a guest share
path = /path/to/files
browseable = yes
read only = yes
guest ok = yes