Linux Samba and AD

1. Check Kerberos, LDAP, ADS and winbind support
The Samba build must include all four. smbd -b prints the build options, so grep it for the relevant defines:

# cat /etc/hosts
(output skipped)
192.168.1.215 kpsuse1.netapp.local kpsuse1
192.168.1.216 kpsuse2.netapp.local kpsuse2
192.168.1.120 dc.netapp.local dc

# cd /usr/sbin
# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
...
# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
...
# smbd -b | grep ADS
WITH_ADS
WITH_ADS
# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIND

2. Configure and Test Kerberos
Let's say our Active Directory domain controller is dc.netapp.local,
and the Samba server is named kpsuse1. This is the absolute minimum Kerberos
configuration file, /etc/krb5.conf, for connecting to this domain:

[libdefaults]
default_realm = NETAPP.LOCAL
[realms]
NETAPP.LOCAL = {
kdc = 192.168.1.120
}

[domain_realm]
.netapp.local = NETAPP.LOCAL
netapp.local = NETAPP.LOCAL

Use uppercase exactly where it shows; realm names are case-sensitive. Before testing, make sure NTP is
configured: Kerberos rejects requests when the clock differs from the DC by more than the default
clockskew of five minutes, and a failure caused by skew gives little hint of the cause.

(note: kinit is part of krb5-client (SUSE) and krb5-workstation (Red Hat))
# zypper install krb5-client
# kinit Administrator@NETAPP.LOCAL
Password for Administrator@NETAPP.LOCAL:
# klist

kinit prints nothing on success; klist should then list a krbtgt/NETAPP.LOCAL@NETAPP.LOCAL ticket. If
kinit cannot find the realm or the KDC, fix /etc/krb5.conf and DNS before going on.

3. Configure /etc/hosts
Even if your DNS servers are perfect in every way, it is a good idea to add
important servers to your local /etc/hosts file. It speeds up lookups and
provides a fallback in case the DNS servers go down:

192.168.1.215 kpsuse1.netapp.local kpsuse1
192.168.1.120 dc.netapp.local dc

4. Configure Samba
This example smb.conf shows a basic setup for a print server and a test share.
Shares are configured in the usual manner; only the [global] section changes when
you join an AD domain.

# Global parameters
[global]
workgroup = NETAPP
realm = NETAPP.LOCAL
security = ADS
passdb backend = tdbsam
map to guest = Bad User
include = /etc/samba/dhcp.conf

# Winbind settings
template homedir = /home/%D/%U
template shell = /bin/bash
winbind refresh tickets = yes
winbind offline logon = yes

# Printing
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw

# Roaming profiles
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:

# Set once only: when a parameter appears twice in a section Samba silently
# keeps the last value it reads, and testparm does not warn about it.
usershare allow guests = No

# A shared folder for testing purposes
[SharedFolder]
path = /data/
available = yes
public = yes
writable = yes
force create mode = 0666
force directory mode = 0777

The workgroup is the short (NetBIOS) name of your AD domain and realm is its Kerberos realm; both must
match what the DC reports. Two optional parameters not shown above: server string is a comment describing
the server, make this anything you want, and log level runs from 0, for no logging, to 10, extreme logging.
Note that this [global] sets no idmap range; look up "idmap config" in man smb.conf if winbind is to
allocate UIDs and GIDs for domain users. See man smb.conf for the rest.

# chmod 777 /data
(world-writable, for testing only: tighten the mode and drop public = yes before real use)

Save your changes and run
# testparm

This checks smb.conf for syntax errors. Any errors must be corrected before going ahead.
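testparm catches syntax errors and unknown parameter names, but not a parameter that is set twice in the same section, which is an easy slip in a long [global] block: Samba keeps the last value it reads and says nothing. The script below is an added example, not code from the original post or from the Samba project. It scans an smb.conf and prints every parameter repeated within one section; the sample file it writes is constructed here purely to show the check firing, and section and parameter names are compared case-insensitively as Samba does.

```bash
#!/bin/sh
# Added example (not from the original post): report smb.conf parameters that
# are set more than once within the same section. Samba keeps the LAST value
# it reads and testparm does not warn, so the earlier line is silently dead.
# Usage: smbconf_dups /etc/samba/smb.conf
#   prints "section<TAB>parameter<TAB>occurrences", nothing when all is well.

smbconf_dups() {
    awk '
        { gsub(/^[ \t]+|[ \t]+$/, "") }         # trim surrounding whitespace
        /^$/ || /^[;#]/ { next }                # skip blank and comment lines
        /^\[.*\]$/ { sect = tolower($0); next } # remember the current [section]
        /=/ {
            key = $0
            sub(/[ \t]*=.*/, "", key)           # keep only the parameter name
            gsub(/[ \t]+/, " ", key)            # normalise spacing and case
            count[sect "\t" tolower(key)]++
        }
        END {
            for (k in count)
                if (count[k] > 1) print k "\t" count[k]
        }
    ' "$1" | sort
}

# Constructed sample smb.conf containing the slip this check is meant to catch.
# Prints the path of the temporary file it wrote.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Global parameters
[global]
   workgroup = NETAPP
   realm = NETAPP.LOCAL
   security = ADS
   usershare allow guests = No
   template shell = /bin/bash
   ; many lines later ...
   usershare allow guests = Yes

[SharedFolder]
   path = /data/
   writable = yes
EOF
    echo "$f"
}

conf=$(sample_conf)
echo "duplicated parameters (section, name, occurrences):"
smbconf_dups "$conf"
rm -f "$conf"
```

Run it against the real file with `smbconf_dups /etc/samba/smb.conf` after testparm passes; an empty result means every parameter is set once per section.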
Then start up Samba:

# /etc/init.d/samba start
or
# chkconfig smb on
# service smb start

Check the clock against the DC once more before joining: the join is a Kerberos operation and fails if the skew exceeds five minutes.

Finally, join your Samba machine to Active Directory:

# net ads join -U Administrator
Administrator's password:
Using short domain name -- NETAPP
Joined 'KPSUSE1' to dns domain 'netapp.local'
(note: make sure /etc/resolv.conf points at a DNS server that serves the AD zone; net ads locates the DC through its SRV records)
The Samba box will now appear as a machine account under "Computers" in your AD console.
Now stop Samba until the final steps are completed.

5. Enable winbind

change /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind

hosts: files mdns_minimal dns
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files

bootparams: files
automount: files nis
aliases: files

Save your changes, then install and start winbind (the Apache module is only needed if Apache is going to
authenticate against winbind):

# zypper install samba-winbind
# zypper install apache2-mod_auth_ntlm_winbind
# chkconfig winbind on
# service winbind start

# /etc/init.d/samba start
or
# service smb start

Now verify that winbind is working. These commands pull lists of users and groups from the
AD domain controller:

# wbinfo -u
NETAPP\administrator
NETAPP\guest
NETAPP\support_388945a0
NETAPP\iusr_dc
NETAPP\iwam_dc
NETAPP\krbtgt
NETAPP\instructor1
NETAPP\user1
NETAPP\user2
NETAPP\user3
NETAPP\user4
NETAPP\user5

# wbinfo -g
NETAPP\helpservicesgroup
NETAPP\telnetclients
NETAPP\iis_wpg
NETAPP\wins users
NETAPP\dhcp users
NETAPP\dhcp administrators
NETAPP\domain computers
NETAPP\domain controllers
NETAPP\schema admins

# net ads info
LDAP server: 192.168.1.120
LDAP server name: dc.netapp.local
Realm: NETAPP.LOCAL
Bind Path: dc=NETAPP,dc=LOCAL
LDAP port: 389
Server time: Tue, 21 May 2013 17:02:16 CEST
KDC server: 192.168.1.120
Server time offset: 56

# smbclient -L kpsuse1
Enter root's password:
Domain=[NETAPP] OS=[Unix] Server=[Samba 3.6.12-59.2.1-2924-SUSE-SL12.3-x86_64]

Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba 3.6.12-59.2.1-2924-SUSE-SL12.3-x86_64)
data Disk data
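The checks above are manual, and the one number worth watching in the net ads info output is Server time offset: 56 seconds is inside the default five-minute Kerberos tolerance, but it means NTP is not doing its job and the margin will only shrink. The script below is an added example, not code from the original post or from Samba. It parses that line (a constructed copy of the net ads info output above is embedded so the parser can be exercised on any machine) and flags a skew Kerberos would reject; run with --live on the joined host it also runs the standard post-join checks (net ads testjoin, wbinfo -p, wbinfo -t, and an nsswitch lookup of the page's user1 account, which is assumed to exist).

```bash
#!/bin/sh
# Added example (not from the original post): post-join checks for a Samba
# AD member. Run without arguments to exercise the parser on the constructed
# sample below; run with --live on the joined host to query the DC.

# Constructed copy of the "net ads info" output shown on this page.
sample_info() {
    cat <<'EOF'
LDAP server: 192.168.1.120
LDAP server name: dc.netapp.local
Realm: NETAPP.LOCAL
Bind Path: dc=NETAPP,dc=LOCAL
LDAP port: 389
Server time: Tue, 21 May 2013 17:02:16 CEST
KDC server: 192.168.1.120
Server time offset: 56
EOF
}

# parse_offset: read "net ads info" on stdin, print the offset in seconds.
parse_offset() {
    awk -F': *' '/^Server time offset/ { print $2; exit }'
}

# skew_ok OFFSET [LIMIT]: succeed when |OFFSET| is below LIMIT seconds.
# LIMIT defaults to 300, the Kerberos clockskew default.
skew_ok() {
    off=$1
    limit=${2:-300}
    [ "$off" -lt 0 ] && off=$(( -off ))
    [ "$off" -lt "$limit" ]
}

# live_checks: what a practitioner runs right after "net ads join".
# Every command here talks to the DC, so it only makes sense on the member.
live_checks() {
    net ads testjoin             || { echo "FAIL: machine account / keytab";   return 1; }
    wbinfo -p                    || { echo "FAIL: winbindd not answering";    return 1; }
    wbinfo -t                    || { echo "FAIL: trust secret with the DC";  return 1; }
    getent passwd 'NETAPP\user1' || { echo "FAIL: nsswitch -> winbind lookup"; return 1; }
    off=$(net ads info | parse_offset)
    skew_ok "$off" || { echo "FAIL: clock skew ${off}s (limit 300s)"; return 1; }
    echo "all checks passed (clock skew ${off}s)"
}

if [ "${1:-}" = --live ]; then
    live_checks
else
    off=$(sample_info | parse_offset)
    if skew_ok "$off"; then
        echo "sample offset ${off}s: within the Kerberos 300s tolerance, but fix NTP anyway"
    else
        echo "sample offset ${off}s: Kerberos will refuse this host, fix NTP first"
    fi
fi
```

Pass a second argument to skew_ok to use a stricter limit than the Kerberos default; a few seconds is what a properly NTP-synced host should show.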

Troubleshooting
If you've gotten this far and everything works, your Samba server is now a fully-fledged member of your
Active Directory domain, and can be managed like any other AD object. A nice bonus is you may have local Linux
accounts on the Samba box that are not visible in Active Directory; which means your Samba admins can SSH directly
into the Samba server for admin chores, and not have to fuss with AD roadblocks.

A good troubleshooting guide is chapter 9 of "Samba-3 by Example" (Adding UNIX/LINUX Servers and Clients).
Also refer to chapter 12 (Identity Mapping) of "The Official Samba-3 HOWTO and Reference Guide" to learn about
winbind in greater depth.

NOTE:
Mounting the share from another SUSE client that is in the same domain:

# mkdir /data
# mount -t cifs //servername/sharename /data -o username=administrator,domain=NETAPP

Mount options are comma-separated, and domain= takes the short (NetBIOS) domain name, not the realm. With a
valid Kerberos ticket from kinit you can add sec=krb5 and skip the password prompt, provided cifs.upcall is
set up in /etc/request-key.conf on the client.

If you want automatic Kerberos logon, you can create a keytab file. Nice for when you are scripting.

# ktutil
ktutil: addent -password -p administrator@NETAPP.LOCAL -k 1 -e rc4-hmac
Password for administrator@NETAPP.LOCAL:
ktutil: wkt admin.keytab
ktutil: quit

# chmod 600 admin.keytab
# kinit administrator@NETAPP.LOCAL -k -t admin.keytab

A keytab is a password equivalent: anyone who can read it can authenticate as that principal, so keep it
mode 0600 and owned by the user that runs the script, and use a dedicated low-privilege service account for
scripting rather than Administrator. Where the domain and the account support it, prefer
-e aes256-cts-hmac-sha1-96 over rc4-hmac.

For more keytab examples : http://kb.iu.edu/data/aumh.html
