• Home
• About Me
• Asus A4000
• Cat 5 Wiring
• Samba File Server
• Samba Print Server
• Samba and Winbind
• POP and SMTP by Telnet
• Cobalt Fans
• Code Bucket
• Rogues
• Recommended Sites
• Linux Google
• Online Man Pages
• Random Rants
• Server Depression

Integrating Samba into a Windows 2000 Active Directory Domain

Ever tried to integrate a Samba fileserver into an Active Directory domain?
Sorting out access permissions can be a nightmare, especially if you've got to create local users in order to restrict access. The good news is that you don't need to anymore. Providing you're using up to date versions (I'll post exactly which later - I've always updated as necessary without noting the version numbers too closely, but RedHat 9 comes with everything you need.) all you need to do is use WinBind. This marvellous little daemon will acccess your Active Directory and pull out the list of users and groups.

All you need to do is configure and run WinBind, tell your Samba Server to use WinBind for authentication and confiure your Samba Config for the permissions.
If you want to know how to get Samba up and running in hte first place then you ought to be looking at how to set up Samba

(If you want more detail, clearer explanation or can't make out what on earth I'm on about, this is one of the best explanations I found http://linux.ctyme.com/userdoc/swat/help/winbind.html)

It is that simple! The complicated bit is making sure you've got the right version of Samba and the required libraries and versions.
(Remember you can update multiple RPM's simultaneously to sort out problems with dependancies)

Tell WinBind where to pull the Active Directory Information From

create or edit /etc/pam_smb.conf
(where [DOMAIN] is you Active Directory Domain and [DC1] and [DC2} are 2 domain controllers.)

# pam_smb.conf
[DOMAIN]
[DC1]
[DC2}

Tell your Linux Server to use WinBind for authentication

Change the three lines in /etc/nsswitch.conf as to add winbind as a valid source for information.


# /etc/nsswitch.conf
#
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files winbind db nisplus
shadow: files winbind db nisplus
group: files winbind db nisplus



Now, you can decide the services which can use Winbind for authentication

(all these files are in /etc/pam.d )
First off, the one we're going through all this for

Samba validation to your file shares /etc/pam.d/samba
#%PAM-1.0
auth required /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_winbind.so


And now a couple of other useful options (but think about what/who you're allowing access to)
Local Login to your Linux server /etc/pam.d/login

#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so


SSH Login to your Linux server (including sftp) /etc/pam.d/sshd

#%PAM-1.0
#auth required /lib/security/pam_stack.so service=system-auth
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so


Configure Samba to use Winbind

Edit /etc/samba/smb.conf and in the server setting section add or modify defaults to

## Winbind
##

# specify the uid range which can be used by winbindd
# to allocate uids for Windows users as necessary
winbind uid = 10000-65000

# specify the uid range which can be used by winbindd
# to allocate uids for Windows users as necessary
winbind gid = 10000-65000

# Define a home directory to be given to passwd(5) style entries
# generated by libnss_winbind.so. You can use variables here
template homedir = /home/%D/%U

# Specify a shell for all winbind user entries return by the
# libnss_winbind.so library.
template shell = /bin/bash

# What character should be used to separate the DOMAIN and Username
# for a Windows user. The default is DOMAIN\user, but many people
# prefer DOMAIN+user
winbind separator = +

winbind enum users = yes
winbind enum groups = yes


Now configure your shares

[Files]
available = yes
browseable = yes
path = /home/samba/files
public = yes
writable = yes
valid users = nobody DOMAIN+User1 DOMAIN+User2 DOMAIN+User3 localuser
create mask = 764
inherit permissions = yes

[Websites]
available = yes
browseable = yes
path = /home/samba/websites
public = yes
writable = yes
valid users = nobody DOMAIN+User1 DOMAIN+User2 DOMAIN+User3 DOMAIN+User4 localuser
force user = nobody
force group = nobody
create mask = 755
inherit permissions = yes

The two shares shown are available to the specified Domain users (include the DOMAIN and + separator with the username) together with a local user on the samba server. Only the users explicitly listed can access the files since a Windows 2000 machine will not try and connect as nobody to access files in the shares.
I've used the create mask and inherit in the Files share to enable other domain users access to read and write files in the share irrespective of the creator.
The Websites share is slightly different in that the path allows access to Apache Document roots. In order for edited cgi's to be created and remain executable, they must be 755 and the ownership must be appropriate to apache script permissions - in this case nobody:nobody.

Join your Samba server to the Domain


smbpasswd -j DOMAIN -r DC1 -U Administrator

The proper response to the command should be: "Joined the domain DOMAIN" where DOMAIN is your DOMAIN name.
Start the winbindd daemon and try wbinfo -u to verify it's working
(You should see a list of DOMAIN+Usernames)
I added the winbindd startup into the /etc/rc.d/init.d/smb script to ensure winbind starts and restart with Samba.