Samba, Active Directory & LDAP

From SambaWiki
Revision as of 15:44, 14 May 2009 by 5mi11er (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Integrating Samba, Active Directory and LDAP

Abstract

I may have inadvertently stumbled onto a semi-nice hack for configuring Samba authenticating against AD, but using the UID/GID information from OpenLDAP.

History: how I got here

It is so frustrating to me that Microsoft's Authentication mechanism is totally incompatible with mechanisms available with OpenLDAP. When attempting to integrate Windows and Linux environments together, eventually you realize that there's currently no getting around having to store two password fields, one for windows type authentication, another for linux type authentication.

For me, I distrust Microsoft to the degree that I don't want to modify the AD schema to allow AD to store Linux information, and there's enough magic going on that I don't want to try to fool M$ into thinking that OpenLDAP is actually AD. I know both those options are technically possible, but, if I still have to store two password fields, then I might as well just deal with having to administer both AD and OpenLDAP; after all, most of the linux information is exclusive of the windows information and vice versa. The few overlapping areas aren't really of great concern to me; do I really care if their phone/address information is accurate? No, I care if they have appropriate access rights.

The Problem

So, I created OpenLDAP instance(s) to centralize Linux logins, and it is also used for authentication of internal web services like Open Fire IM, a Xoops Forum, Confluence, etc. AD is used for windows authentication.

Now we go to configure Samba, and we run straight into the problem. On the one hand, OpenLDAP contains the user's uid and gid numbers that we want Samba to recognize, but we can't authenticate a windows share using OpenLDAP, we have to use AD. But, an unmodified AD schema has no way to store the appropriate uid/gid numbers.

One potential solution is for Linux to run Winbind, which has the ability to map AD Security Identifiers (SID's) to uids and gids, but keeping such a table accurate would create time consuming and tedious administration tasks. It appears, we've got a catch 22 situation with no clean solution.

The Solution I stumbled upon

So, I began by configuring Kerberos, Samba and Winbind according to the Samba wiki but ignoring the PAM configuration because I don't want Linux login's to authenticate against AD. After setting things up as shown in the configuration areas below, but with winbind also configured, I discovered that when users mapped the Samba home directory, the uid/gid numbers that were being used were, in fact, coming from the OpenLDAP server, and was NOT the automatically generated SID/UID/GID mapping created by Winbind!

The username was identical in AD and OpenLDAP, and the OpenLDAP information in the nsswitch.conf file was listed first, so that's what was being used; I didn't need Winbind at all. So, I just removed the Winbind option from the /etc/nsswitch.conf and /etc/samba/smb.conf files altogether.

So, as long as the AD "user logon name", and OpenLDAP uid strings match for all the users that need linux logins and Samba mappings, you don't need to use winbind at all.

Why it works

Samba will authenticate against AD, and then utilize the normal 'getent' system calls to gather the uid/gid numbers, and those will come from OpenLDAP, and/or the local system files as configured within the nsswitch.conf file.

Prerequisites

  • Linux server configured to use OpenLDAP for authentication
    • OpenLDAP server on the network
    • OpenLDAP client configured properly on the target server
    • Nss_LDAP configured properly on the target server
    • PAM configured properly on the target server
  • Samba installed on the target server
  • Kerberos installed on the target server

Kerberos Configuration

/etc/krb5.conf

default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.COM = {
  kdc = dc1.domain.com:88
  admin_server = dc1.domain.com:749
  default_domain = domain.com
 }

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM

Configure nsswitch

/etc/nsswitch.conf

passwd:       files ldap
shadow:       files ldap
group:        files ldap

Samba Configuration

/etc/samba/smb.conf

[global]
        workgroup = DOMAIN
        server string = Samba Server Version %v

        security = ADS
        realm = DOMAIN.COM

        encrypt passwords = yes
        log level = 3
        log file = /var/log/samba/%U.log
        max log size = 50
        template shell = /bin/bash

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
        force create mode = 0660
        force directory mode = 0770

Establish AD Connection

AD needs to have the machine register as a member of the AD domain, first initialize the Kerberos connection:

kinit <domain administrator@domain.com>

You'll need to provide the appropriate password, then:

net ads join "Computers"

If successful it should return a notification that the computer was connect to Active Directory.

Start Samba Services

Service smbd start

Map a drive to the samba share

As an appropriate user logged into the AD domain, just type this at a windows command prompt:

net use <drive letter>: \\<server>\homes