Samba 3 file server in an Active Directory domain


As promised in a previous article, today I will describe how to configure a Samba 3-based file server for users of an Active Directory domain.
What is the difference between this instruction and, for example, the usual one? Today we will not use winbind. Our Kerberos client will talk to the KDCs of its own AD site, and we do not need to worry about reconfiguring it when the site changes.

It is assumed that, before performing the steps described here, the Linux server has already been joined to the domain as previously described.


Preparation

Let me remind you that you can get the Open version of PowerBroker Identity Services on the manufacturer's website, but the download link is provided in exchange for your name, company name and e-mail.
There are 32-bit and 64-bit packages in rpm and deb formats (as well as packages for OS X, AIX, FreeBSD, Solaris and HP-UX).
The program comes as a self-extracting archive containing the package for the selected system.
On Debian-based systems, the package installs its files under /opt/pbis/.
To join a computer to a domain, you can use one of two utilities: /opt/pbis/bin/domainjoin-cli or /opt/pbis/bin/domainjoin-gui.
Naturally, before joining the domain, it makes sense to configure the ntp client to synchronize time with the domain controller (or with the time server your PDC emulator synchronizes with); Kerberos tolerates only a small clock skew.

PBIS bundles a utility for integration with Samba, samba-interop-install:
# /opt/pbis/bin/samba-interop-install --help
Usage: /opt/pbis/bin/samba-interop-install {options} [smbd path]
Installs interop libraries into directories used by Samba and copies the
machine password from the PowerBroker Identity Services' database to Samba's.
Options are:
    --help Show this help message
    --install Configure smbd to use interop libraries
    --uninstall Deconfigure smbd's use of interop libraries
    --check-version Ensure the version of smbd is supported
    --loglevel {level} Set the logging to error (default), warning, info,
                         verbose, or debug
One of the options, --install, --uninstall, or --check-version must be passed.
The last argument is the path to smbd. If not specified, it will be
automatically detected.


It will let us perform some preparatory operations. PBIS does not support integration with every version of Samba. Supported versions: 3.0.25 and newer in the 3.0.x line, plus 3.2.x, 3.4.x, 3.5.x and 3.6.x. But without winbind, only Samba 3.2.x, 3.5.x and 3.6.x will work (according to the documentation; I checked on Samba 3.6.x).
To check whether PBIS supports the installed version of Samba, run:
# /opt/pbis/bin/samba-interop-install --check-version
Found smbd version 3.6.6
Samba version supported

As you can see, my version of Samba is supported. Now the Samba integration can be configured:
# /opt/pbis/bin/samba-interop-install --install --loglevel debug
[CheckSambaVersion() /builder/src-buildserver/Platform-7.1/src/linux/samba-interop/tools/samba-interop-install.c:500] Found smbd version 3.6.6
[InstallWbclient() /builder/src-buildserver/Platform-7.1/src/linux/samba-interop/tools/samba-interop-install.c:587] Link /usr/lib/x86_64-linux-gnu/libwbclient.so.0 already points to /opt/pbis/lib/libwbclient.so.0
[AddSambaLoadPath() /builder/src-buildserver/Platform-7.1/src/linux/samba-interop/tools/samba-interop-install.c:1100] Samba is already in the load order
[SetPassword() /builder/src-buildserver/Platform-7.1/src/linux/samba-interop/pstore-plugin/samba-pstore-plugin.c:459] Wrote machine password for domain CORP in secrets.tdb
Install successful

Here I deliberately ran the command in debug mode so that you can see what samba-interop-install does: it replaces Samba's libwbclient.so.0 library with its own, makes sure Samba is in the startup load order, and saves the computer account password in Samba's secrets.tdb.

Samba configuration

Now Samba itself needs to be configured. smb.conf must contain these lines:
[global]
  security = ADS
  workgroup = CONTOSO
  realm = CONTOSO.COM
  machine password timeout = 0

The line "machine password timeout = 0" is important: it stops Samba from rotating the computer account password on its own, which would leave the copy stored by PBIS out of date.
Next, we create a share:
[shared-folder]
        comment = Test shared folder
        path = /home/shared-folder
        valid users = CONTOSO\User1, CONTOSO\User2, @"CONTOSO\Domain Admins"
        read only = No
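The settings above are easy to get subtly wrong (a missing "machine password timeout = 0" only shows up a week later, when Samba rotates the password behind PBIS's back, and a share without "valid users" is open to every domain account once security = ADS is in effect). The script below is an added example, not part of the original article or of PBIS/Samba: it parses an smb.conf with awk and checks the [global] settings this setup requires, then lists shares that define no valid users. The config it parses is a constructed sample embedded in the script; on a real host, feed it the output of "testparm -s" instead.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check an smb.conf for the
# winbind-less PBIS setup. SAMPLE_CONF is a constructed sample, not a real file.
SAMPLE_CONF=$(cat <<'EOF'
[global]
  security = ADS
  workgroup = CONTOSO
  realm = CONTOSO.COM
  machine password timeout = 0

[shared-folder]
        comment = Test shared folder
        path = /home/shared-folder
        valid users = CONTOSO\User1, CONTOSO\User2, @"CONTOSO\Domain Admins"
        read only = No
EOF
)

# global_value CONF KEY: print the value of KEY (lower-case) from the [global]
# section, or nothing if it is not set there.
global_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# check_global_settings CONF: print "ok" and return 0, or print the first
# problem found and return 1. Samba's default machine password timeout is
# 604800 seconds (one week), which is what we must override.
check_global_settings() {
    conf=$1
    sec=$(global_value "$conf" "security" | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] || { echo "security must be ADS (got '${sec:-unset}')"; return 1; }
    [ -n "$(global_value "$conf" "realm")" ] || { echo "realm is not set"; return 1; }
    [ -n "$(global_value "$conf" "workgroup")" ] || { echo "workgroup is not set"; return 1; }
    timeout=$(global_value "$conf" "machine password timeout")
    [ "$timeout" = "0" ] || { echo "machine password timeout must be 0 (got '${timeout:-default 604800}')"; return 1; }
    echo ok
}

# shares_without_valid_users CONF: print the name of every share (any section
# other than [global]) that does not restrict access with "valid users".
shares_without_valid_users() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ {
            if (name != "" && !has) print name
            name = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", name); has = 0
            if (tolower(name) == "global") name = ""
            next
        }
        name != "" && tolower($0) ~ /^[ \t]*valid users[ \t]*=/ { has = 1 }
        END { if (name != "" && !has) print name }'
}

# Stand-alone run: report on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    check_global_settings "$SAMPLE_CONF"
    open=$(shares_without_valid_users "$SAMPLE_CONF")
    [ -z "$open" ] && echo "all shares restrict valid users" || echo "unrestricted shares: $open"
fi
```

Run it as "sh check-smbconf.sh --demo" to see the report for the embedded sample; to check a live server, replace SAMPLE_CONF with "$(testparm -s 2>/dev/null)" so that Samba's own parser normalises the file first.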


Finishing up


Do not forget to check the settings:
# testparm

If everything is fine, restart Samba.
Then try to open the newly configured shared folder from another PC.
And enjoy the result.
