Debian Administration

Using Samba on Debian Linux

This article will show you how to install Samba 3.X on Debian Linux 3.1 (Sarge) and make it authenticate against a Windows server running Active Directory. It is not intended on replacing the actual official Samba 3 manual - which is a quite good read anyway.

Core software

I will show two ways of installing Samba: using apt or directly from source in either case make sure apt's package index files are synchronized:

apt-get update
apt-get upgrade 

To install from apt run:

apt-get install samba smbclient winbind krb5-doc krb5-user \
	krb5-config

To compile Samba yourself you need to have MIT Kerberos and OpenLDAP installed:

apt-get install libkrb53 libcupsys2-gnutls10 libldap2 \
	libldap2-dev libkrb5-dev krb5-doc krb5-user \
	krb5-config

Then grap the latest version of the Samba source (for this article we will use samba-3.0.9.tar.gz), and do:

tar zxvf samba-3.0.9.tar.gz -C /tmp/
cd /tmp/samba-3.0.9/source
./configure \
	--prefix=/usr \
	--localstatedir=/var \
	--with-configdir=/etc/samba \
	--with-privatedir=/etc/samba \
	--with-fhs \
	--with-quotas \
	--with-smbmount \
	--with-pam \
	--with-pam_smbpass \
	--with-syslog \
	--with-utmp \
	--with-sambabook=/usr/share/swat/using_samba \
	--with-swatdir=/usr/share/swat \
	--with-shared-modules=idmap_rid \
	--with-libsmbclient \
	--with-automount \
	--with-msdfs \
	--with-ads \
	--with-winbind \
	--with-winbind-auth-challenge \
	--with-manpages-langs=en \
	--with-idmap \
	--with-acl-support \
	--with-ldap
make
make install

Windows server setup

Install a Windows server and make it act as a domain controller (see this guide for pointers on setting up a domain controller). I will use the followng server setup:

• Domain administrator acount on Windows server: administrator>
• Domain name: testdomain
• Fully qualified domain name: testdomain.local
• Hostname of Windows domain controller: win2003test
• IP address of Windows domain controller: 192.168.1.101

You should familate yourself with what these cororsponds to in your local domain before continuing with this guide.

Network setup

We need to make sure that DNS is working properly on the server running Samba, this is done by making the Windows Domain controller the default DNS server. To do this I substitute my DNS configuration in /etc/resolve.conf with the folowing:

search testdomain.local
nameserver 192.168.1.101

If you have more than one DNS server in your domain, then also add them here. Test DNS using:

nslookup win2003test
> Server:         192.168.1.101
> Address:        192.168.1.101
> Name:   win2003test.testdomain.local
> Address: 192.168.1.101

Test reverse lookup using:

host 192.168.1.101
> 101.1.168.192.in-addr.arpa domain name pointer
> win2003test.testdomain.local.

If for some reason any of these two test fails, then go through your network setup and this section again. Your DNS must be correctly configured in order to run Samba successfully with Active Directory.

Kerberos setup

We will have to configure Kerberos (or you could avoid this by setting the password server in /etc/samba/smb.conf, to the PDC emulator but then you would be talking old school NTLM with the domain controller). To get real AD working add the folowing lines to /etc/krb5.conf:

[realms]
TESTDOMAIN.LOCAL = {
	kdc = win2003test.testdomain.local
	admin_server = win2003test.testdomain.local
}

Then do:

 kinit administrator@TESTDOMAIN.LOCAL

The syntax is kinit user@REALM, where REALM is your Active Directory domain name and must be all uppercase. If you do not use all uppercase for the realm, you'll either receive this error: kinit(v5): Cannot find KDC for requested realm while getting initial credentials or this error: kinit(v5): KDC reply did not match expectations while getting initial credentials. You can test your kerberos setup by issuing

klist

If it reports that you have no keys in the cache then something is wrong. In the event that you recive: kinit(v5): Clock skew too great while getting initial credentials then make sure that the clock synchronisation between your Windows Server and your Linux server is within five minutes. If the time is off by more then the two servers will unable send ticket information to each other.

Optional: Use a NTP Server

One way to solve the clock synchronisation problem is to use a time server (you might even want to use your active directory server(s)). Using a NTP server is optional and not strictly required in order to run a Samba in an AD, but anyway here is how it is done. First install the required ntp packages:

apt-get install ntpdate

Then add your favorite time server(s) to '''/etc/ntp.conf''', and execute:

/etc/init.d/ntpdate restart

Samba setup

To connect up to your domain create: /etc/samba/smb.conf and add:

[global]
security = ads
password server = win2003test
encrypt passwords = yes
workgroup = testdomain
realm = TESTDOMAIN.LOCAL
netbios name = temporay
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes

In workgroup insert the domain name, realm should be set to the fully qualified domain name (uppercase). Insert the name of the Windows server to authenticate against in the password server field. We are now ready to start the needed services:

smbd
nmbd

To join the domain in the default organisation unit do:

net ads join -W testdomain -S win2003test -U administrator

or use another unit like this:

net ads join Denmark\/Copenhagen\/Computers -W testdomain \
	-S win2003test -U administrator

Now check if everything works by issuing the folowing commands:

• Test domain computer account: net ads testjoin.
• Test winbindd: wbinfo -u to list AD users and wbinfo -g for groups.
• Test connection to a remote Windows server from the Samba server: smbclient -L //win2003test -k.
• Run wbinfo -t it should return: checking the trust secret via RPC calls succeeded, otherwise you have done somthing wrong (use testparm -v to check your Samba configuration).

Finally test connectivity from a Windows box: Start - Run - \\SAMBASERVER.

 winbind separator = + 

client signing = mandatory