Planet Malaysia Blog

The following article “How to join Fedora Core 6 Samba Server to Windows 2003 Active Directory?” is tested on [tag]Fedora Core[/tag] 6, [tag]Windows[/tag] XP Professional & Windows 2003 Server running on top of Vmware workstation.

The Servers details are:

Fedora Core 6
IP Address: 192.168.163.128

Windows 2003 Server
IP Address: 192.168.163.130
Active Directory: KSK.COM
Domain Name(Pre-Windows 2000): KSK

Windows XP Professional
IP Address: 192.168.163.129

A. The following software packages are required.

[root@linux ~]# rpm -qa|grep samba
 samba-client-3.0.23c-2
 samba-3.0.23c-2
 system-config-samba-1.2.35-1.1
 samba-common-3.0.23c-2

 [root@linux ~]# rpm -qa|grep krb
 pam_krb5-2.2.11-1
 krb5-devel-1.5-7
 krbafs-devel-1.2.2-10.1
 krb5-libs-1.5-7
 krb5-workstation-1.5-7
 krb5-auth-dialog-0.7-1
 krbafs-1.2.2-10.1

 [root@linux ~]# rpm -qa|grep ntp
 ntp-4.2.2p1-3

B. Clock synchronization
Ensure Clock synchronization between your Fedora Core 6, DNS Server(if available) & Windows 2003 Server. If the server and client clocks are different by more than 5 minutes(default amount in Kerberos 5), Kerberos clients(FC6) can not authenticate to the server. This clock synchronization is necessary to prevent an attacker from using an old Kerberos ticket to masquerade as a valid user. It’s advisable to setup a Network Time Protocol (NTP compatible client/server network. Check ntp.org for more informations.

C. Configure Kerberos

Edit /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 ticket_lifetime = 24000
 default_realm = KSK.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
  KSK.COM = {
  kdc = 192.168.163.130
  default_domain = KSK.COM
  kdc = KSK.COM
 }
[domain_realm]
 .KSK.COM = KSK.COM
 KSK.COM = KSK.COM

 ksk.com = KSK.COM
 .ksk.com = KSK.COM
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

When editing /etc/krb5.conf, please pay attention to the syntax shown in the example as above and avoid using statements not shown in the example and it’s CASE SENSITIVE. In the [realms] sections, it’s advised to define the Key Distribution Center(KDC) with numeric IP Address. Else you have to get DNS server running.

D. Configure Samba Server

Edit /etc/samba/smb.conf

[global]
        workgroup = KSK
        security = ads
        realm = KSK.COM
        client use spnego = no
        server signing = auto
        netbios name = linux
        winbind use default domain = yes
        #removes the domain prefix from usernames
        winbind separator = +
        #this is the seperator used to separate domain from username.
        encrypt passwords = yes

        password server = KSK.COM
        template shell = /bin/bash
[test]
        comment = Test Share using Active Directory
        path = /data
        valid users = @"KSK\Users"
        writeable = yes
        browseable = yes

Now, test the parameters file with command “testparm”. It should print out that everything is okay, and a warning about the + sign possibly causing problems with domain joins. This can be safely ignored. To join Samba to an Active Directory domain , you must specify “security = ads” mode in the [global]section. The “security = ads” statement tells Samba to authenticate to the specified domain controllers(DC’s) using ADS protocols. The “workgroup = KSK” stetement defines the “Pre-Windows 2000 Domain Name”. The “realm = KSK.COM” ststement defines the name of the Kerberos realm(which is also the name of the AD) for the domain Sambae will be joined to. This should match the Kerberos realm used in /etc/krb5.conf. The “client use spnego = no” & “server signing = auto” statement must added into /etc/samba/smb.conf for make sure work properly with Windows 2003 Domain Controllers.

E. Make sure Samba and Winbind services are stopped:

[root@linux ~]# service smb stop
Shutting down SMB services:                                [  OK  ]
Shutting down NMB services:                                [  OK  ]

[root@linux ~]# service winbind stop
Shutting down Winbind services:                            [  OK  ]

The Winbind Daemon will map users and groups from the Active Directory to Linux. If you have any problem with winbind services (e.g. winbindd dead but pid file exists) when running “service winbind status”, please check http://kbase.redhat.com/faq/FAQ_85_5403.shtm for more information.

F. Joining Samba to the Domain Controller

[root@linux ~]# kinit administrator@KSK.COM
(Enter Windows 2003 AD administrator password)

If you getting error message “kinit(v5): Clock skew too great while getting initial credentials” mean that your FC6 & Windows 2003 DC clock are running out. Please make sure it return nothing on the console prompt after enter the administrator password.

[root@linux ~]#net ads join -U administrator
Administrator's password:
Using short domain name -- KSK
Joined 'KSK' to realm 'KSK.COM'

The username: administrator must have sufficient rights to add workstations to the domain. You should be prompted for the password for this domain user account, then an attempt to join the domain will be performed.

If you still have the problem joining domain as mention above, you may try using GUI tools.
Enter “system-config-authentication”, under “User Information”, click “enable Winbind support”, click “Configure Winbind”, make sure “Winbind Domain = KSK”, “Security Model = ads”, “Winbind ADS Realm = KSK.COM”, “Winbind Domain Controllers = KSK.COM” and click “Join Domain”, enter the “administrator password”.

G. Testing
First, create a username “user1″ in AD server & make sure the Windows XP machine can join AD domain successful.

Secondly, create “/data” folder in FC6

[root@linux ~] service smb start
[root@linux ~] service winbind start
[root@linux ~] mkdir /data
[root@linux ~] chmod 777 /data

Login to DC with username “user1″ in Windows XP machine,
click “Run”
click “cmd” and press enter.
Enter “net use j: \\linux\test”
OR
“net use k: \\linux\test /USER:KSK\user1″
You should be able to see drive J: & drive K: which mounted into Samba Server /data folder.

You may also use the command: wbinfo - Query information from winbind daemon

wbinfo -u
Should now list all the members of the domain.

wbinfo -g
Should now list all the groups available in the domain.

wbinfo -a username%password 
checks to see if username using password can
connect to the domain. Remember the password,
you have to type it as part of the command;
it won't ask you for it later. 

[root@linux init.d]# wbinfo -u
KSK\administrator
KSK\guest
KSK\smsserver_mal
KSK\smsclient_mal
KSK\user1
KSK\planetmy

[root@linux init.d]# wbinfo -g
BUILTIN\administrators
BUILTIN\users
KSK\domain computers
KSK\domain controllers
KSK\schema admins
KSK\enterprise admins
KSK\domain admins
KSK\domain users
KSK\domain guests
KSK\group policy creator owners
KSK\dnsupdateproxy

Gongratulation! Enjoy!

Read related posts:

Possibly Related Posts:

• RSS Feed Submissions
• Geo Positions
• Interesting about Google Suggest
• Setup a Linux Highly Availability NFS servers
• How to find empty folders on Linux