Installation and Configuration of Samba in ADS Mode (Authentication on an AD Server)
Introduction
Samba is free software under the GPL license that implements the SMB/CIFS protocol. Microsoft uses this protocol to share various resources (files, printers, etc.) between computers running Windows. Samba allows Unix systems to access the resources of those systems and vice versa.
Previously, PCs running DOS and early versions of Windows sometimes had to install a TCP/IP stack and a set of software originating from Unix: an NFS client, FTP, telnet, lpr, etc. This was a heavy burden for the PCs of that time, and it also forced their users to adopt two sets of habits, adding those of UNIX to those of Windows. Samba therefore takes the opposite approach.
Its name comes from the file and print sharing protocol created by IBM and reused by Microsoft, SMB (Server Message Block), to which two vowels were added: “SaMBa”.
Samba was originally developed by Andrew Tridgell in 1991 and today receives contributions from about twenty developers from around the world under his coordination. He gave it this name by choosing a name close to SMB by querying a Unix dictionary with the grep command:
grep "^s.*m.*b" /usr/dict/words
When the two file sharing systems (NFS, Samba) are installed for comparison, Samba proves less efficient than NFS in terms of transfer rates.
Nevertheless, a study has shown that Samba 3 was up to 2.5 times faster than the SMB implementation of Windows Server 2003. See the information on LinuxFr.
However, Samba is not compatible with IPv6.
The “ADS” mode allows using the LDAP server of a Microsoft Windows AD (Active Directory) to authenticate users for access to Samba shares. This solution is fairly complex to implement but provides increased security (authentication via Kerberos) for your server.
Note: It is imperative to have completed “ACL: Implementation of NT-type rights” before continuing.
Active Directory is at the heart of Microsoft Windows systems; it is in charge of managing user accounts and authentication, but also a large amount of information about machines.
Active Directory relies on different network protocols:
- DNS (name resolution)
- LDAP (directory querying)
- Kerberos V (authentication, ticket distribution)
- NTP (date and time synchronization of machines)
- SMB/CIFS (resource sharing)
Introduction to UNIX User Management
The management of LINUX user accounts is carried out by different components, in accordance with the UNIX philosophy (a program does one thing and does it well). Among these components, we find:
PAM (Pluggable Authentication Modules) allows, among other things, selecting different authentication procedures and sources (e.g. authentication by smart card, databases, directories…).
NSS (Name Service Switch) allows Unix to provide mapping services between names of all kinds (machine names and user names) and the identifiers the machine uses for these same objects (IP addresses and uid/gid), using various sources (files, directories…).
Integration of a Samba Server into an Active Directory Domain
Integrating a Samba server into an Active Directory domain requires configuring a Kerberos client on the Samba machine. Kerberos is an authentication system that allows servers to authenticate users and to communicate securely. To integrate the LINUX server into the AD domain, additional components are required.
Kerberos
It is necessary to configure a Kerberos client to validate the identity of the LINUX server on the Microsoft network. This client communicates with the AD server to request “tickets” from the KDC; these tickets are used to guarantee the authenticity and security of communications.
Time Synchronization
First, we need to ensure that our AD and our Samba server have the same time, since Kerberos rejects requests whose clock skew exceeds a few minutes (5 minutes by default). For this, we just need to synchronize the clock with an NTP server:
Installing the Kerberos Client
Now we need to install Kerberos authentication:
Configuring the Kerberos Client
Please edit the /etc/krb5.conf file:
The names map as follows:
IMPORTANT: It is imperative to respect the case of all names.
- EXAMPLE.COM: the DNS domain name of the AD, used as the Kerberos realm (upper case)
- ad.example.com: the FQDN of the domain controller (the KDC)
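The following /etc/krb5.conf is an added example built from the names above; it is not the configuration from the original page. It assumes the realm EXAMPLE.COM with the single domain controller ad.example.com, and that SRV records for the KDC are published in DNS (as AD does by default).

```ini
[libdefaults]
    # Realm name must be upper case: Kerberos compares it case-sensitively
    default_realm = EXAMPLE.COM
    # Do not trust DNS to tell us the realm; do let it locate the KDCs via SRV records
    dns_lookup_realm = false
    dns_lookup_kdc = true
    # Do not canonicalise server names through reverse DNS (avoids spoofable PTR lookups)
    rdns = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    EXAMPLE.COM = {
        # Explicit KDC in addition to DNS discovery; FQDN, lower case
        kdc = ad.example.com
        admin_server = ad.example.com
    }

[domain_realm]
    # Map host names in the DNS domain to the realm
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```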
Verification of the Kerberos Connection
Samba
To access the shared resources (SMB/CIFS) of the Windows domain, Samba must be installed on the Linux server, which will mainly play the role of an SMB/CIFS client.
Samba also uses MSRPC calls to communicate with the AD server for various operations: adding information about the LINUX server to the directory, listing user and group accounts, forwarding authentication requests…
Installation
To install Samba:
Configuration
To configure Samba, edit the /etc/samba/smb.conf file:
Adapt all this to your configuration. Then restart Samba:
Creating the Machine Account for the Samba Server in Active Directory
This will add the Samba machine to AD:
Verification of Access via Kerberos to the Shared Resources of the “AD” Server
Verification of “Mounting” a Shared Resource
Also see the commands:
Unified Authentication UNIX / Windows
The Winbind component of Samba solves the problem of unified authentication. With the help of PAM (Pluggable Authentication Modules) and NSS (Name Service Switch), it makes Windows domain users appear as UNIX accounts.
Installation
Configuration
The configuration of Winbind is done in the Samba configuration file, so edit /etc/samba/smb.conf:
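The following /etc/samba/smb.conf serves both the Samba “Configuration” section (ADS security mode) and the Winbind configuration just described. It is an added example, not the page's own file; it assumes the NetBIOS domain EXAMPLE for realm EXAMPLE.COM, a server name SAMBASRV, a share under /srv/samba/share, and the idmap syntax of Samba 3.6 and later.

```ini
[global]
    # Identity in the Windows domain (case matters: realm upper case)
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    netbios name = SAMBASRV
    server string = Samba file server (AD member)

    # Domain member: authenticate users against Active Directory with Kerberos
    security = ads
    # Use the machine account in secrets.tdb and the system keytab for service tickets
    kerberos method = secrets and keytab

    # Winbind: map AD users/groups to UNIX uids/gids (Samba >= 3.6 idmap syntax, assumed)
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    # Let AD users log in as "user" instead of "EXAMPLE\user"
    winbind use default domain = yes
    # Needed so that getent passwd/group lists AD accounts
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U

    # Require SMB signing to resist tampering; one log file per client
    server signing = mandatory
    log file = /var/log/samba/log.%m
    max log size = 1000

[share]
    comment = Share authenticated through the AD
    path = /srv/samba/share
    browseable = yes
    read only = no
    # Restrict access to a domain group rather than to "everyone"
    valid users = @"Domain Users"
    # Keep NT-style ACLs on a filesystem mounted with ACL support
    inherit acls = yes
    map acl inherit = yes
```

Check the file with testparm before restarting Samba; it reports unknown or deprecated parameters for your Samba version.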
Verification of Winbind Functionality
Adapt all this to your configuration. Then restart Samba and Winbind:
- User account query:
wbinfo -u
- Group query:
wbinfo -g
Adding Winbind Support to NSS
Edit the /etc/nsswitch.conf file:
Adapt these lines to your configuration.
Verification of NSS+Winbind Functionality
This should display a mix of your local user configuration (/etc/passwd), groups (/etc/group) and the accounts in the AD:
Adding Winbind Support to PAM
Debian
For all of the following, adapt to your configuration. Edit /etc/pam.d/common-auth:
Then edit /etc/pam.d/common-account:
Now edit /etc/pam.d/common-session:
If you don’t have these files, it is possible that everything is in /etc/pam.d/system-auth.
Red Hat
For all of the following, adapt to your configuration. Edit /etc/pam.d/login:
Verification of PAM+Winbind Authentication
Let’s create a folder:
It is now possible to log in on a console with an account declared in the AD:
- At the first password prompt, authentication is attempted against the AD.
- At the second prompt, the password is for the local system.
You can also log in via SSH, but first you need to restart the SSH service:
No need to create POSIX or Samba accounts for shares anymore:
Connection
Windows
To connect from Windows, type this in the Run window or in the Explorer address bar:
\\IP_of_samba_server\Share_name
You will directly access the share.
Unix (Linux/Mac…)
You must have smbfs installed before continuing:
Then, just create a folder and mount the share in it:
References
Samba: https://www.samba.org
ADS Documentation
Samba ADS on CentOS Documentation
Last updated 02 Dec 2008, 07:24 +0200.