{"id":6501,"date":"2017-02-27T09:03:04","date_gmt":"2017-02-27T01:03:04","guid":{"rendered":"http:\/\/rmohan.com\/?p=6501"},"modified":"2017-02-27T09:03:04","modified_gmt":"2017-02-27T01:03:04","slug":"joining-samba-3-on-centos-6-to-active-directory","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6501","title":{"rendered":"Joining Samba 3 on CentOS 6 to Active Directory"},"content":{"rendered":"<h2>Overview<\/h2>\n<p>In small environments, administering Linux servers using only local accounts is manageable. However, in large environments hosting many hundreds or thousands of servers, administering each server and manually maintaining its user accounts and passwords would be a very daunting task. A central Identity and Access solution is required to effectively manage such environments. In large Microsoft Windows datacenters, you typically see Active Directory being used as the Identity and Access solution.<\/p>\n<p>Samba is able to connect to your Active Directory domain to authenticate user credentials from your Windows environment. However, since Samba does not maintain a central identity store,\u00a0<strong>UID<\/strong>s and\u00a0<strong>GID<\/strong>s for each user will be different between each Samba server.<\/p>\n<h3>Where Does This Fit In<\/h3>\n<ul>\n<li>Small Linux environment in a Windows-based infrastructure<\/li>\n<\/ul>\n<h3>Before You Begin<\/h3>\n<p>Before you move ahead with this tutorial there are a few prerequisites that must be met in your environment.<\/p>\n<ul>\n<li><strong>Active Directory<\/strong>\u00a0Domain<\/li>\n<li><strong>Identity Management for Unix<\/strong>\u00a0installed on domain controllers.<\/li>\n<li>One\u00a0<strong>CentOS 6<\/strong>\u00a0server<\/li>\n<li>This lab will use the following variables. 
You\u2019ll need to modify these to match your own environment.<br \/>\n<table class=\"list\">\n<tbody>\n<tr>\n<th>Domain<\/th>\n<td>CONTOSO.COM<\/td>\n<\/tr>\n<tr>\n<th>Domain Controller<\/th>\n<td>DC01.CONTOSO.COM<\/td>\n<\/tr>\n<tr>\n<th>Samba Server Name<\/th>\n<td>LINUX-SRV1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<\/ul>\n<p><a name=\"toc2\"><\/a><\/p>\n<h2>Install Required Linux Packages<\/h2>\n<p>Install the following packages onto your Linux machine. You will not be able to join the Active Directory domain or authenticate using domain credentials without them.<\/p>\n<ul>\n<li>samba<\/li>\n<li>samba-winbind<\/li>\n<li>oddjob-mkhomedir<\/li>\n<\/ul>\n<p>To install all three packages at the same time, run the following command as\u00a0<strong>Root<\/strong>\u00a0or with Root privileges.<\/p>\n<pre class=\"bash\">yum install samba samba-winbind oddjob-mkhomedir<\/pre>\n<p><a name=\"toc3\"><\/a><\/p>\n<h2>Configuring Samba<\/h2>\n<p>Samba is a critical component that allows Linux to interact with Windows. It must be configured to make the Linux server appear as a Windows computer on the network, using NetBIOS broadcasts and Domain prefixes.<\/p>\n<ol>\n<li>Make a backup copy of \/etc\/samba\/smb.conf\n<pre class=\"bash\">cp \/etc\/samba\/smb.conf \/etc\/samba\/smb.conf.old<\/pre>\n<\/li>\n<li>Open\u00a0<strong>\/etc\/samba\/smb.conf<\/strong>\u00a0into a text editor. 
For this example, I\u2019ll use VI.\n<pre class=\"bash\">vi \/etc\/samba\/smb.conf<\/pre>\n<\/li>\n<li>Edit\u00a0<strong>smb.conf<\/strong>\u00a0to resemble the example below, modifying the highlighted lines to match your environment.\n<div class=\"line\">[global]<\/div>\n<div class=\"line\">\u00a0log file = \/var\/log\/samba\/log.%m<\/div>\n<div class=\"line\">\u00a0max log size = 50<\/div>\n<div class=\"line\">\u00a0security = ads<\/div>\n<div class=\"line highlight\">\u00a0netbios name = LINUX-SRV1<\/div>\n<div class=\"line highlight\">\u00a0realm = CONTOSO.COM<\/div>\n<div class=\"line highlight\">\u00a0password server = MYDC01.CONTOSO.COM MYDC02.CONTOSO.COM<\/div>\n<div class=\"line highlight\">\u00a0workgroup = CONTOSO<\/div>\n<div class=\"line\">\u00a0idmap uid = 10000-500000<\/div>\n<div class=\"line\">\u00a0idmap gid = 10000-500000<\/div>\n<div class=\"line\">\u00a0winbind separator =<\/div>\n<div class=\"line\">\u00a0winbind enum users = no<\/div>\n<div class=\"line\">\u00a0winbind enum groups = no<\/div>\n<div class=\"line\">\u00a0winbind use default domain = yes<\/div>\n<div class=\"line\">\u00a0template homedir = \/home\/%U<\/div>\n<div class=\"line\">\u00a0template shell = \/bin\/bash<\/div>\n<div class=\"line\">\u00a0client use spnego = yes<\/div>\n<div class=\"line\">\u00a0domain master = no<\/div>\n<p>Understanding the options we\u2019re defining:<\/p>\n<table class=\"list\">\n<tbody>\n<tr>\n<th>netbios name<\/th>\n<td>The NetBIOS (single label) name the Samba server will use for Windows clients.<\/td>\n<\/tr>\n<tr>\n<th>realm<\/th>\n<td>Fully qualified name of the Active Directory domain the Samba server is joining.<\/td>\n<\/tr>\n<tr>\n<th>password server<\/th>\n<td>List of domain controllers, separated by spaces, that will process Samba logon requests.<\/td>\n<\/tr>\n<tr>\n<th>workgroup<\/th>\n<td>Similar to the netbios name for the Samba server, except for the domain. 
Active Directory domains, like Windows computers, have NetBIOS names.<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">For more information on Samba options, go here:<br \/>\n<a href=\"http:\/\/www.samba.org\/samba\/docs\/using_samba\/ch06.html\">http:\/\/www.samba.org\/samba\/docs\/using_samba\/ch06.html<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<\/ol>\n<p><a name=\"toc4\"><\/a><\/p>\n<h2>Modify the Name Service Switch Configuration File<\/h2>\n<p>The Name Service Switch is used by Linux to locate account databases. By default, only local files will be accessed. We need to point Linux to a domain controller by adding winbind as a database location.<\/p>\n<ol>\n<li>Open\u00a0<strong>\/etc\/nsswitch.conf<\/strong>\u00a0into a text editor.\n<pre class=\"bash\">vi \/etc\/nsswitch.conf<\/pre>\n<\/li>\n<li>Find the following lines:\n<div class=\"line\">passwd: files<\/div>\n<div class=\"line\">group: files<\/div>\n<p>And append\u00a0<strong>winbind<\/strong>\u00a0to them, as shown below:<\/p>\n<div class=\"line\">passwd: files winbind<\/div>\n<div class=\"line\">group: files winbind<\/div>\n<\/li>\n<\/ol>\n<p><a name=\"toc5\"><\/a><\/p>\n<h2>Edit the Kerberos Configuration File<\/h2>\n<p>Active Directory uses Kerberos, an open source network authentication protocol, to authenticate users. 
Before your Linux server<\/p>\n<ol>\n<li>Open\u00a0<strong>\/etc\/krb5.conf<\/strong>\u00a0into a text editor.\n<pre class=\"bash\">vi \/etc\/krb5.conf<\/pre>\n<\/li>\n<li>Modify it so it looks like the example below, replacing the highlighted values to match your environment. The realm name under [realms] must match the default_realm.\n<div class=\"line\">[libdefaults]<\/div>\n<div class=\"line highlight\">\u00a0default_realm = CONTOSO.COM<\/div>\n<div class=\"line\">\u00a0dns_lookup_realm = true<\/div>\n<div class=\"line\">\u00a0dns_lookup_kdc = true<\/div>\n<div class=\"line\">\u00a0ticket_lifetime = 24h<\/div>\n<div class=\"line\">\u00a0renew_lifetime = 7d<\/div>\n<div class=\"line\">\u00a0forwardable = true<\/div>\n<div class=\"line\"><\/div>\n<div class=\"line\">[realms]<\/div>\n<div class=\"line highlight\">\u00a0CONTOSO.COM = {<\/div>\n<div class=\"line highlight\">\u00a0kdc = mydc01.contoso.com<\/div>\n<div class=\"line highlight\">\u00a0admin_server = mydc01.contoso.com<\/div>\n<div class=\"line highlight\">\u00a0default_domain = contoso.com<\/div>\n<div class=\"line highlight\">\u00a0}<\/div>\n<div class=\"line\"><\/div>\n<div class=\"line\">[domain_realm]<\/div>\n<div class=\"line highlight\">\u00a0.contoso.com = CONTOSO.COM<\/div>\n<div class=\"line highlight\">\u00a0contoso.com = CONTOSO.COM<\/div>\n<div class=\"line\"><\/div>\n<\/li>\n<\/ol>\n<p><a name=\"toc6\"><\/a><\/p>\n<h2>Start the Daemons<\/h2>\n<p>User authentication settings have been set. Now we need to start our daemons and configure them to automatically start after each reboot.<\/p>\n<ol>\n<li>Samba Server\n<pre class=\"bash\">service smb start; chkconfig smb on<\/pre>\n<\/li>\n<li>Winbind\n<pre class=\"bash\">service winbind start; chkconfig winbind on<\/pre>\n<\/li>\n<li>Message Bus Daemon\n<pre class=\"bash\">service messagebus start; chkconfig messagebus on<\/pre>\n<\/li>\n<\/ol>\n<p><a name=\"toc7\"><\/a><\/p>\n<h2>Join the Samba Server to the Domain<\/h2>\n<p>We\u2019ve finally reached the part where we can join our Samba server to the Active Directory domain. 
Run the following command to join the domain, replacing Administrator with the username of a user in your domain who has permissions to join machines:<\/p>\n<pre class=\"bash\">net ads join -U Administrator<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Overview <\/p>\n<p>In small environments, administering Linux servers using only local accounts is manageable. However, in large environments hosting many hundreds or thousands of servers, the task of administering each server, manually maintaining user accounts and passwords would be a very daunting task. A central Identity and Access solution is required to effectively manage such environments. [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6501"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6501"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6501\/revisions"}],"predecessor-version":[{"id":6502,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6501\/revisions\/6502"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{
rel}","templated":true}]}}