login as root.

to set up the filesystem:

cd /home
mkdir HR
chgrp corporate_HR HR
chmod 2771 HR

set up the share:

[HR]
comment    =    share for corporate HR group
readonly    =   no
inherrit owner    =    yes
inherit permissions    =    yes
authorized users    =    @ACME\corporate_HR @ACME\admins
force group    =    ACME\corporate_HR

aptitude purge network-manager-gnome network-manager 

If this is a VMware Virtual machine, install VMware tools. The prerequisites for Debian Lenny are:

aptitude install build-essential openssl libssl-dev linux-headers-$(uname -r) psmiscapt

You may have to manually create a DNS entry for your server. Just to be safe, do that now.

If you plan to support NTFS-like ACL’s, install support for it now.

aptitude install acl

now, you need to mount the partition with ACL’s enabled, to do this, edit your /etc/fstab.

nano /etc/fstab

The line I needed looked like this:

/dev/sda9    /    ext3    acl,defaults    0    1

The important part is to get “acl” into the options list. Dont forget the comma.
I recommend rebooting just to make sure your fstab is set before you continue.
It’s easy to screw something up here and make your system unbootable, so if you reboot, and cant get your system back up and running, get into single user mode, and use this command. (You will have to adjust /dev/sda1 to your root partition. In my experience, it is usually /dev/sda1 or /dev/hda1. Use fdisk -l to list the partitions on the disk.

mount -o remount,rw /dev/sda1

Now lets get the samba and kerberos software packages installed.

aptitude install samba ntpdate smbclient winbind krb5-config krb5-user

Put in the Workgroup/domain info when prompted if you like. They will set up some .conf files for you, but we’re not going to use them anyways. We wont worry about WINS for now.
Now lets stop samba and winbind:

/etc/init.d/samba stop
/etc/init.d/winbind stop

move the /etc/samba files somewhere

mkdir /etc/samba/vanillaconf
mv /etc/samba/* /etc/samba/vanillaconf/

create your own /etc/samba/smb.conf: Make sure that the domain and realm fields are all caps.

[global]
workgroup               =       ((DOMAIN))
server string           =       %h server
wins support            =       no

security                =       ads
realm                   =       ((DOMAIN)).COM
encrypt passwords       =       yes
obey pam restrictions   =        yes

winbind use default domain    =    yes
winbind enum users   =      yes
winbind enum groups =      yes
template shell         =       /bin/bash
idmap uid               =       10000-20000
idmap gid               =       10000-20000

sync time

ntpdate ((domain controller))

now that samba knows what domain its part of, and we have a basic config for it, we need to get the authentication part working. Kerberos is the softare that communicates with your Active Directory domain to authenticate users.

nano /etc/krb5.conf

configure domain in /etc/krb5.conf. important parts:

[libdefaults]
default_realm = ((domain)).COM
[realms]
((DOMAIN.COM)) = {
        kdc = ((domain controller))
        kdc = ((backup DC))
        admin_server = (domain controller))
}
[domain_realm]
        .(domain).com = (domain controller).(domain).COM

do a test by typing:

kinit [username]

then type:

klist

if you get some output looking like this, you are ready to go.

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: (username)@(domain).COM

Valid starting     Expires            Service principal
04/27/09 13:54:23  04/27/09 23:54:26  krbtgt/(domain).COM@(domain).COM
        renew until 04/27/09 23:54:23

To get Debian to recognize your Active Directory users, you need to update /etc/nsswitch.conf

nano /etc/nsswitch.conf

add “winbind” to the passwd and group lines. if you have “compat” in the line, put in like this:

passwd:         compat winbind
passwd_compat:  winbind
group:          compat winbind
group_compat:   winbind

Now start samba and winbind back up

/etc/init.d/winbind start
/etc/init.d/samba start

Join your machine to the domain.

net ads join -U (administrative user)

You should see

Joined '(server name)' to realm '(domain).com'

If you see

No DNS domain configured for '(servername)'. Unable to perform DNS Update.
DNS update failed!

Don’t worry. Just create an entry in your DNS server for the samba machiine.
Test if winbind is working properly with

wbinfo -t

If you get

checking the trust secret via RPC calls failed
Could not check secret

Then restart winbind:

/etc/init.d/winbind restart

allow AD accounts to logon to the machine:

# /etc/pam.d/common-account
account    sufficient    pam_winbind.so
account    required    pam_unix.so

# /etc/pam.d/common-auth
auth    sufficient    pam_winbind.so
auth    required    pam_unix.so use_first_pass nullok_secure

# /etc/pam.d/common-session
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0066
session    sufficient    pam_winbind.so
session required    pam_unix.so

It is critical that “obey pam restrictions” is set to “yes”. in your smb.conf for these pam settings to take effect.There are some other changes to these Pam.d settings i decided to make upon putting the server into production. I will write about that in another page [link].

Now, give your admin group from AD root access to the box

aptitude install sudo
visudo

add this line:

%(domain)\\tcp ALL =(ALL) ALL

When creating shares, to give an AD user access to a share, use:(More info in the future)

valid users    =    (domain)\username

to give an AD group access to a share, use:

valid users    =    @(domain)\groupname

Sometimes, I have to reboot my windows client machine to make it work… fyi.
Sources:

• O’reilly Samba book 3rd Edition.
• http://www.ccs.neu.edu/home/battista/documentation/winbind/index.html
• …Countless articles, mailing lists, forums.

apt-get install samba

edit the config:

nano /etc/samba/smb.conf

set security to “share”

security = share

and guest account to nobody

guest account = nobody

then you just need to create your share like this:

[guest share]
comment = a guest share
path = /path/to/files
browseable = yes
read only = yes
guest ok = yes