Using Samba on Debian Linux

Posted by ltackmann on Thu 26 Jan 2006 at 10:29

This article will show you how to install Samba 3.X on Debian Linux 3.1 (Sarge) and make it authenticate against a Windows server running Active Directory. It is not intended to replace the official Samba 3 manual, which is quite a good read anyway.

Core software

I will show two ways of installing Samba: using apt or directly from source. In either case make sure apt's package index files are synchronized:
apt-get update
apt-get upgrade 
To install from apt run:
apt-get install samba smbclient winbind krb5-doc krb5-user \
	krb5-config
To compile Samba yourself you need to have MIT Kerberos and OpenLDAP installed:
apt-get install libkrb53 libcupsys2-gnutls10 libldap2 \
	libldap2-dev libkrb5-dev krb5-doc krb5-user \
	krb5-config
Then grab the latest version of the Samba source (for this article we will use samba-3.0.9.tar.gz), and do:
tar zxvf samba-3.0.9.tar.gz -C /tmp/
cd /tmp/samba-3.0.9/source
./configure \
	--prefix=/usr \
	--localstatedir=/var \
	--with-configdir=/etc/samba \
	--with-privatedir=/etc/samba \
	--with-fhs \
	--with-quotas \
	--with-smbmount \
	--with-pam \
	--with-pam_smbpass \
	--with-syslog \
	--with-utmp \
	--with-sambabook=/usr/share/swat/using_samba \
	--with-swatdir=/usr/share/swat \
	--with-shared-modules=idmap_rid \
	--with-libsmbclient \
	--with-automount \
	--with-msdfs \
	--with-ads \
	--with-winbind \
	--with-winbind-auth-challenge \
	--with-manpages-langs=en \
	--with-idmap \
	--with-acl-support \
	--with-ldap
make
make install


Windows server setup

Install a Windows server and make it act as a domain controller (see this guide for pointers on setting up a domain controller). I will use the following server setup:
  • Domain administrator account on Windows server: administrator
  • Domain name: testdomain
  • Fully qualified domain name: testdomain.local
  • Hostname of Windows domain controller: win2003test
  • IP address of Windows domain controller: 192.168.1.101
You should familiarize yourself with what these correspond to in your local domain before continuing with this guide.



Network setup

We need to make sure that DNS is working properly on the server running Samba. This is done by making the Windows domain controller the default DNS server. To do this I replace my DNS configuration in /etc/resolv.conf with the following:
search testdomain.local
nameserver 192.168.1.101
If you have more than one DNS server in your domain, then also add them here. Test DNS using:
nslookup win2003test
> Server:         192.168.1.101
> Address:        192.168.1.101
> Name:   win2003test.testdomain.local
> Address: 192.168.1.101
Test reverse lookup using:
host 192.168.1.101
> 101.1.168.192.in-addr.arpa domain name pointer
> win2003test.testdomain.local.
If for some reason either of these two tests fails, then go through your network setup and this section again. Your DNS must be correctly configured in order to run Samba successfully with Active Directory.



Kerberos setup

We will have to configure Kerberos (you could avoid this by setting the password server in /etc/samba/smb.conf to the PDC emulator, but then you would be talking old-school NTLM with the domain controller). To get real AD working add the following lines to /etc/krb5.conf:
[realms]
TESTDOMAIN.LOCAL = {
	kdc = win2003test.testdomain.local
	admin_server = win2003test.testdomain.local
}
Then do:
 kinit administrator@TESTDOMAIN.LOCAL
The syntax is kinit user@REALM, where REALM is your Active Directory domain name and must be all uppercase. If you do not use all uppercase for the realm, you'll receive either this error: kinit(v5): Cannot find KDC for requested realm while getting initial credentials or this error: kinit(v5): KDC reply did not match expectations while getting initial credentials. You can test your Kerberos setup by issuing:
klist
If it reports that you have no keys in the cache then something is wrong. In the event that you receive: kinit(v5): Clock skew too great while getting initial credentials then make sure that the clocks of your Windows server and your Linux server are within five minutes of each other. If the time is off by more than that, the two servers will be unable to send ticket information to each other.



Optional: Use a NTP Server

One way to solve the clock synchronisation problem is to use a time server (you might even want to use your Active Directory server(s)). Using an NTP server is optional and not strictly required in order to run Samba in an AD domain, but here is how it is done anyway. First install the required NTP packages:
apt-get install ntpdate
Then add your favorite time server(s) to /etc/ntp.conf, and execute:
/etc/init.d/ntpdate restart


Samba setup

To connect to your domain, create /etc/samba/smb.conf and add:
[global]
security = ads
password server = win2003test
encrypt passwords = yes
workgroup = testdomain
realm = TESTDOMAIN.LOCAL
netbios name = temporay
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
In workgroup insert the domain name; realm should be set to the fully qualified domain name (uppercase). Insert the name of the Windows server to authenticate against in the password server field. We are now ready to start the needed services:
smbd
nmbd
To join the domain in the default organisation unit do:
net ads join -W testdomain -S win2003test -U administrator
or use another unit like this:
net ads join Denmark\/Copenhagen\/Computers -W testdomain \
	-S win2003test -U administrator
Now check if everything works by issuing the following commands:
  • Test domain computer account: net ads testjoin.
  • Test winbindd: wbinfo -u to list AD users and wbinfo -g for groups.
  • Test connection to a remote Windows server from the Samba server: smbclient -L //win2003test -k.
  • Run wbinfo -t; it should return: checking the trust secret via RPC calls succeeded. Otherwise you have done something wrong (use testparm -v to check your Samba configuration).
Finally test connectivity from a Windows box: Start - Run - \\SAMBASERVER.
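
The realm rules from the Kerberos and Samba setup sections (all-uppercase realm, the same realm defined under [realms] in krb5.conf, security = ads) can be checked before running net ads join. The shell script below is an added example, not part of the original article or of Samba; the function names and the sample files it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example: check smb.conf against krb5.conf before running "net ads join".

smb_global() {  # print a [global] parameter; usage: smb_global "name" file
    awk -v want="$1" '
        /^[ \t]*\[/ { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        /^[ \t]*[#;]/ || !g { next }
        (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == tolower(want)) found = val   # last definition wins
        }
        END { if (found != "") print found }' "$2"
}

krb5_has_realm() {  # succeed if REALM opens a block under [realms] (case-sensitive)
    awk -v realm="$1" '
        /^[ \t]*\[/ { r = ($0 ~ /^[ \t]*\[realms\]/); next }
        r { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/)
            if (f[1] == realm && line ~ /=[ \t]*[{]/) ok = 1 }
        END { exit !ok }' "$2"
}

check_ads_config() {  # one line per problem; returns 0 only if none found
    smb=$1; krb=$2; problems=0
    sec=$(smb_global security "$smb" | tr '[:upper:]' '[:lower:]')
    realm=$(smb_global realm "$smb")
    if [ "$sec" != ads ]; then
        echo "security is '$sec', expected ads"; problems=$((problems + 1))
    fi
    if [ -z "$realm" ]; then
        echo "realm is not set"; problems=$((problems + 1))
    elif [ "$realm" != "$(printf %s "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm '$realm' is not all uppercase"; problems=$((problems + 1))
    fi
    if [ -n "$realm" ] && ! krb5_has_realm "$realm" "$krb"; then
        echo "realm '$realm' has no block under [realms]"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample files: the article's settings, and a variant with mistakes.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '[realms]\nTESTDOMAIN.LOCAL = {\n\tkdc = win2003test.testdomain.local\n}\n' > "$tmp/krb5.conf"
printf '[global]\nsecurity = ads\nrealm = TESTDOMAIN.LOCAL\n' > "$tmp/good.conf"
printf '[global]\nsecurity = domain\nrealm = testdomain.local\n' > "$tmp/bad.conf"

check_ads_config "$tmp/good.conf" "$tmp/krb5.conf" && echo "good.conf: ok"
check_ads_config "$tmp/bad.conf" "$tmp/krb5.conf" || echo "bad.conf: fix the above"
```

On a real host, call check_ads_config /etc/samba/smb.conf /etc/krb5.conf instead of the sample files.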

 

 


Posted by Anonymous (84.194.xx.xx) on Thu 26 Jan 2006 at 10:52
This is good and short. Like the best HOWTOs!

Especially the fact that it's just a full-Debian-compliant-howto is fantastic. Thanks for it!

For people interested, I wrote a Add a Debian Linux Samba 3 server to your Windows NT4 domain HOWTO. For the good, old, (and still running) NT4 domains, the Debian way ;)

[ Parent | Reply to this comment ]

Posted by ltackmann (80.162.xx.xx) on Thu 26 Jan 2006 at 11:08
Thanks I am glad my English is understood by others than myself.

I just discovered some badly formatted html (the Windows admin account is "administrator" not "administrator>") and a couple of spelling mistakes. I have fixed them in the version I originally posted on my blog, but have been unable to update the one here.

[ Parent | Reply to this comment ]

Posted by Anonymous (80.28.xx.xx) on Thu 26 Jan 2006 at 19:03
Any link for authenticate ONLY A LINUX CLIENT into Windows Domain. ONLY AUTHENTICATE. Thanks

[ Parent | Reply to this comment ]

Posted by bitlz (212.57.xx.xx) on Fri 27 Jan 2006 at 05:53
add to your /etc/apt/sources.list:
deb http://www.backports.org/debian/ sarge-backports main contrib non-free


and just install latest samba from backports
#aptitude update
#aptitude install samba


wbr, eugene v. samusev

[ Parent | Reply to this comment ]

Posted by Anonymous (195.212.xx.xx) on Fri 27 Jan 2006 at 08:28
Is it necessary for this Howto to compile samba from the sources?

Sarge is shipped with version 3.0.14a and on samba.org there is version 3.0.21a available.

Thanks
Markus

[ Parent | Reply to this comment ]

Posted by ltackmann (80.162.xx.xx) on Fri 27 Jan 2006 at 09:18
In the article I state: I will show two ways of installing Samba: using apt or directly from source. So no, it is not necessary; I just chose to include it because there are some bugs in the current Sarge samba that can be eliminated by compiling a newer version.

Regards.

Lars Roland

[ Parent | Reply to this comment ]

Posted by Anonymous (195.212.xx.xx) on Fri 27 Jan 2006 at 10:28
Hi Lars,

thanks for the clarification.
Which bugs are in the sarge samba version?
Do they taint the ADS connectivity?

Greets
Markus

[ Parent | Reply to this comment ]

Posted by ltackmann (80.162.xx.xx) on Fri 27 Jan 2006 at 10:57
There is a problem with NTLM connectivity to Windows servers if they have applied "Update Rollup 1 for Windows 2000 SP4". It is only a minor annoyance, but it breaks RPC style connects from winbind. Calling it a bug may be wrong, but it is a known problem.


Regards

Lars Roland

[ Parent | Reply to this comment ]

Posted by Anonymous (82.209.xx.xx) on Sun 12 Feb 2006 at 19:50
Debian administrators? Heh. Why not to rebuild debian package? ./configure && make && make install is not a debian way.

[ Parent | Reply to this comment ]

Posted by hypatia (199.223.xx.xx) on Tue 21 Feb 2006 at 17:30
Nice tutorial. It worked well for me until I ran "wbinfo -t". I got the following error:
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret

[ Parent | Reply to this comment ]

Posted by Anonymous (81.133.xx.xx) on Fri 24 Feb 2006 at 14:10
I'm getting a similar error too ...

wbinfo -t
checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret

[ Parent | Reply to this comment ]

Posted by Anonymous (80.162.xx.xx) on Fri 24 Feb 2006 at 14:20
Just ignore this if you are not using winbind. I have been unable to update the article to reflect that this winbind check will only work on newer samba releases.

[ Parent | Reply to this comment ]

Posted by Anonymous (141.62.xx.xx) on Fri 18 Apr 2008 at 10:34
I had the same error. After a restart of winbind (/etc/init.d/winbind restart) the error disappeared.

[ Parent | Reply to this comment ]

Posted by Anonymous (210.18.xx.xx) on Sat 2 May 2009 at 00:05
try it by typing the command
setenforce 0 on bin/bash shell
and then restart winbind services.

[ Parent | Reply to this comment ]

Posted by Anonymous (116.212.xx.xx) on Tue 19 Jan 2010 at 08:49
asdasdasd

[ Parent | Reply to this comment ]

Posted by Anonymous (200.31.xx.xx) on Tue 28 Feb 2006 at 23:06
Perfect, this is a great tutorial. Thanks to the friends at Debian Administration for sharing a great tutorial... thanks

Fredy Gonzales P.
fredyg@negosat.com

[ Parent | Reply to this comment ]

Posted by Anonymous (68.112.xx.xx) on Tue 7 Mar 2006 at 01:44
Thank you. This was terrific and I managed to get this far successfully. Now I want to create shares on my samba server (which I can do successfully); but how do I get the shares created on samba to have the Active Directory permissions (acls)?

[ Parent | Reply to this comment ]

Posted by Anonymous (62.214.xx.xx) on Wed 22 Mar 2006 at 14:31
That's my problem, too.
Everything works fine but when I open \\myserver from Windows it asks for Username and Password but I want it to authenticate against my ADS.

But it's a very nice and easy to understand Tutorial, thanks a lot!

[ Parent | Reply to this comment ]

Posted by Anonymous (57.74.xx.xx) on Mon 31 Jul 2006 at 15:42
hi, i think that you have to tell pam that auth to ADS

[ Parent | Reply to this comment ]

Posted by Anonymous (70.56.xx.xx) on Sat 17 Feb 2007 at 22:12
One key thing missing from this tutorial, which is an awesome HOWTO, is the fact you need to change the group on the directory or file using an OU or CN from AD, i.e., chgrp "Domain Admins" /home/share. This path should be the same path as the share in your Samba config file (smb.conf). You do have to configure pam to use winbind, but it works great.

[ Parent | Reply to this comment ]

Posted by Anonymous (216.105.xx.xx) on Thu 16 Mar 2006 at 13:46
THANKS! the kerberos setup portion helped me get me libapache2-mod-auth-kerb working! great howto.

[ Parent | Reply to this comment ]

Posted by bacula (86.135.xx.xx) on Sat 25 Mar 2006 at 20:21
i would love this samba server setup in debian way instead of compiling from source easy samba server setup in debian and this is most lovely setup

[ Parent | Reply to this comment ]

Posted by Anonymous (222.165.xx.xx) on Fri 31 Mar 2006 at 05:15
Hi,
We find this article very useful in installing samba on debian system.
But we have faced a problem while installing, that is when we issue apt-get to install the required debian packages, due to a dependency it automatically installs postgresql-7.5. But we are already using postgresql-7.4 and we need to install samba keeping our existing postgresql-7.4 version. If somebody has the packages which can work with postgresql-7.4, please share that information with us.

Thanks in advance,
Amal.

[ Parent | Reply to this comment ]

Posted by ltackmann (212.242.xx.xx) on Sat 1 Apr 2006 at 16:23
emm postgresql 7.5 does not exist, latest version in the 7.X branch is 7.4.12 (see http://www.postgresql.org/).

[ Parent | Reply to this comment ]

Posted by debstar (196.192.xx.xx) on Thu 27 Jul 2006 at 14:52

Good article. I read the fine manual but your article is straightforward.
For me, I had to set :
 winbind separator = + 

to avoid some errors from winbind. However, when I want to mount some shares I got this error message :
cli_negprot: SMB signing is mandatory and we have disabled it.
even if I set :
client signing = mandatory 

Do you have an advice for this?

NMC
RATOANDROMANANA Nirina Michel

[ Parent | Reply to this comment ]

Posted by Anonymous (62.252.xx.xx) on Sun 27 Aug 2006 at 13:04
A brief article of similar quality would be helpful (and appears to be lacking) on setting up a Samba client running under Debian along with a Samba server connecting to provide effective 2-way transferability with hosts within a Windows workgroup (i.e. no Domain server). I gave up running a windows domain in my living room a few years ago and saved several £'s a month off my electric bill :)
regards
Ethan

[ Parent | Reply to this comment ]

Posted by pdizzyz (70.56.xx.xx) on Sat 17 Feb 2007 at 23:10
Excellent article. There are a few things that I found from some other tutorials that help resolve some errors I encountered. But since this HOWTO was the simplest to follow and is Debian specific I decided to post them here.

First off are the PAM configs /etc/pam.d/common-*, there are a few entries you need to make,

in each of the common-* config files add the following lines,

auth sufficient pam_winbind.so use_first_pass
account sufficient pam_winbind.so

The next thing to update is the /etc/nsswitch.conf

passwd: winbind compat
shadow: winbind compat
group: winbind compat

The last thing I found I needed to do was to use the `chgrp` to change the group ownership of the share, i.e., the path in the share in the smb.conf file, to use an AD group.

This one took me a little longer to figure out, but there are two ways this can look depending on the smb.conf entries.

If winbind use default domain = Yes then your AD groups are as they appear when browsing through AD. So I used

chgrp "Domain Admins" /home/adminshare

If winbind use default domain = NO then your AD groups may need the domain prefixed to the group, assuming your domain is TEST.COM

chgrp "TEST+Domain Admins" /home/adminshare

If you are unsure of how winbind reads or browses the AD you can simply just use wbinfo -g and the list it returns is the format you should use.

You may get an error that the user or group doesn't exist. This means that the PAM and nsswitch are not set up properly.

The last thing to make sure all works is to use, again assuming TEST.COM,

smbclient //[server]/[share] -U test/joe

this should prompt for a password and when successful show smb:>.

I received two different types of errors,

NT_STATUS_LOGON FAILURE, this was when it was not able to find the user in AD. It was usually caused by a syntax error on my part. It means it either can't connect or it can't find the user.

NT_STATUS_ACCESS_DENIED, this was when I didn't have access to the share. This was a good error because it meant everything was working correctly with AD and it became a permissions issue.

I may have left something out, I wrote this from memory mostly. Let me know if it helps.

Peter

[ Parent | Reply to this comment ]

Posted by Anonymous (84.191.xx.xx) on Tue 22 May 2007 at 13:26
lovely howto! maybe you should update the part concerning the necessary packages, the libpam-dev is missing for configure to add pam support when compiling.

aptitude install libpam-dev

another advance seems to be the ability to automatically update dns entries on the ms dns server if you use the brandnew :) 3.0.25 samba release.

./configure --with-dnsupdate

thanx alot for the great tutorial!
ben

[ Parent | Reply to this comment ]

Posted by Anonymous (84.191.xx.xx) on Tue 22 May 2007 at 13:31
ups, add uuid support for dns update capability

aptitude install uuid-dev

cheers

[ Parent | Reply to this comment ]

Posted by Anonymous (196.203.xx.xx) on Mon 19 May 2008 at 17:11
i need to install this to be a server not to be a client samba.

[ Parent | Reply to this comment ]

Posted by Anonymous (71.225.xx.xx) on Thu 10 Jul 2008 at 03:28
Dear All,
I got an error message after tar the package.

configure: error: expected an absolute directory for --localstatedir: var.

Could you give me a hand?

Thanks!

Xinkang

[ Parent | Reply to this comment ]

Posted by Anonymous (174.20.xx.xx) on Wed 11 Nov 2009 at 07:03
nuther linux workgroup deadend

[ Parent | Reply to this comment ]
