Using Samba on Debian Linux

Posted by ltackmann on Thu 26 Jan 2006 at 10:29

This article will show you how to install Samba 3.X on Debian Linux 3.1 (Sarge) and make it authenticate against a Windows server running Active Directory. It is not intended to replace the official Samba 3 manual, which is quite a good read anyway.

Core software

I will show two ways of installing Samba: using apt, or directly from source. In either case, first make sure apt's package index files are synchronized:
apt-get update
apt-get upgrade 
To install from apt run:
apt-get install samba smbclient winbind krb5-doc krb5-user \
	krb5-config
To compile Samba yourself you need to have MIT Kerberos and OpenLDAP installed:
apt-get install libkrb53 libcupsys2-gnutls10 libldap2 \
	libldap2-dev libkrb5-dev krb5-doc krb5-user \
	krb5-config
Then grab the latest version of the Samba source (for this article we will use samba-3.0.9.tar.gz), and do:
tar zxvf samba-3.0.9.tar.gz -C /tmp/
cd /tmp/samba-3.0.9/source
./configure \
	--prefix=/usr \
	--localstatedir=/var \
	--with-configdir=/etc/samba \
	--with-privatedir=/etc/samba \
	--with-fhs \
	--with-quotas \
	--with-smbmount \
	--with-pam \
	--with-pam_smbpass \
	--with-syslog \
	--with-utmp \
	--with-sambabook=/usr/share/swat/using_samba \
	--with-swatdir=/usr/share/swat \
	--with-shared-modules=idmap_rid \
	--with-libsmbclient \
	--with-automount \
	--with-msdfs \
	--with-ads \
	--with-winbind \
	--with-winbind-auth-challenge \
	--with-manpages-langs=en \
	--with-idmap \
	--with-acl-support \
	--with-ldap
make
make install


Windows server setup

Install a Windows server and make it act as a domain controller (see this guide for pointers on setting up a domain controller). I will use the following server setup; you should familiarise yourself with what these correspond to in your local domain before continuing with this guide:



Network setup

We need to make sure that DNS is working properly on the server running Samba. This is done by making the Windows domain controller the default DNS server. To do this I replace my DNS configuration in /etc/resolv.conf with the following:
search testdomain.local
nameserver 192.168.1.101
If you have more than one DNS server in your domain, add them here as well. Test forward DNS lookup using:
nslookup win2003test
> Server:         192.168.1.101
> Address:        192.168.1.101
> Name:   win2003test.testdomain.local
> Address: 192.168.1.101
Test reverse lookup using:
host 192.168.1.101
> 101.1.168.192.in-addr.arpa domain name pointer
> win2003test.testdomain.local.
If either of these two tests fails, go through your network setup and this section again. DNS must be correctly configured in order to run Samba successfully with Active Directory.



Kerberos setup

We will have to configure Kerberos (you could avoid this by setting the password server in /etc/samba/smb.conf to the PDC emulator, but then you would be talking old-school NTLM with the domain controller). To get real AD authentication working, add the following lines to /etc/krb5.conf:
[realms]
TESTDOMAIN.LOCAL = {
	kdc = win2003test.testdomain.local
	admin_server = win2003test.testdomain.local
}
Then do:
kinit administrator@TESTDOMAIN.LOCAL
The syntax is kinit user@REALM, where REALM is your Active Directory domain name and must be all uppercase. If you do not use all uppercase for the realm, you will receive either this error: kinit(v5): Cannot find KDC for requested realm while getting initial credentials, or this one: kinit(v5): KDC reply did not match expectations while getting initial credentials. You can test your Kerberos setup by issuing:
klist
If it reports that you have no keys in the cache then something is wrong. In the event that you receive: kinit(v5): Clock skew too great while getting initial credentials, then make sure that the clocks of your Windows server and your Linux server are within five minutes of each other. If the time is off by more than that, the two servers will be unable to exchange ticket information.
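The DNS and Kerberos checks from the Network setup and Kerberos sections, as an added pre-flight script that is not part of the original article: it verifies that forward and reverse lookups agree, that the realm in the principal is uppercase, and that the clock skew is inside the five-minute limit. It assumes the article's names (win2003test, 192.168.1.101, TESTDOMAIN.LOCAL) and, for the live check only, host(1), GNU date -d and Samba's net time command.

```shell
#!/bin/sh
# Added pre-flight checks for the DNS and Kerberos sections above; this is
# not code from the original article. It assumes the article's names: the
# domain controller win2003test at 192.168.1.101 and realm TESTDOMAIN.LOCAL.
# The pure helpers take text arguments so they can be exercised without a
# domain controller; preflight() wires them to the live tools.

KRB5_MAX_SKEW=300   # Kerberos' default tolerated clock skew, in seconds

# to_upper_realm user@realm -> user@REALM (kinit needs the realm in uppercase)
to_upper_realm() {
    user=${1%%@*}; realm=${1#*@}
    printf '%s@%s\n' "$user" "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')"
}

# skew_ok local_epoch remote_epoch -> succeeds if the clocks differ by <= 300 s
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$KRB5_MAX_SKEW" ]
}

# dns_consistent fqdn ip fwd_output rev_output
#   fwd_output is the text of `host fqdn`, rev_output the text of `host ip`;
#   succeeds only if fqdn resolves to ip AND ip points back to exactly fqdn
dns_consistent() {
    got_ip=$(printf '%s\n' "$3" | awk '$2=="has" && $3=="address" {print $4; exit}')
    got_name=$(printf '%s\n' "$4" | awk '/domain name pointer/ {sub(/\.$/,"",$NF); print $NF; exit}')
    [ "$got_ip" = "$2" ] && [ "$got_name" = "$1" ]
}

# preflight: runs the live checks; needs host(1), GNU date(1) and Samba's
# `net time -S` on the box. It is defined here but not run automatically.
preflight() {
    fqdn=win2003test.testdomain.local; ip=192.168.1.101
    dns_consistent "$fqdn" "$ip" "$(host "$fqdn")" "$(host "$ip")" \
        || { echo "DNS forward/reverse mismatch for $fqdn"; return 1; }
    # `net time -S` prints the DC's clock as a date string; date -d makes it epoch
    remote=$(date -d "$(net time -S "$fqdn")" +%s) || return 1
    skew_ok "$(date +%s)" "$remote" \
        || { echo "clock skew above ${KRB5_MAX_SKEW}s, fix NTP before kinit"; return 1; }
    echo "ok, now run: kinit $(to_upper_realm administrator@testdomain.local)"
}
```

Run preflight on the Samba box before the kinit step; a failure in either check corresponds to one of the kinit errors quoted above.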



Optional: Use a NTP Server

One way to solve the clock synchronisation problem is to use a time server (you might even want to use your Active Directory server(s)). Using an NTP server is optional and not strictly required in order to run Samba in an AD domain, but here is how it is done anyway. First install the required ntp packages:
apt-get install ntpdate
Then add your favorite time server(s) to /etc/ntp.conf, and execute:
/etc/init.d/ntpdate restart


Samba setup

To connect to your domain, create /etc/samba/smb.conf and add:
[global]
security = ads
password server = win2003test
encrypt passwords = yes
workgroup = testdomain
realm = TESTDOMAIN.LOCAL
netbios name = temporay
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
Set workgroup to the domain name; realm should be set to the fully qualified domain name in uppercase. Insert the name of the Windows server to authenticate against in the password server field. We are now ready to start the needed services:
smbd
nmbd
To join the domain in the default organisation unit do:
net ads join -W testdomain -S win2003test -U administrator
or use another unit like this:
net ads join Denmark\/Copenhagen\/Computers -W testdomain \
	-S win2003test -U administrator
Now check that everything works by issuing the following commands:
Finally, test connectivity from a Windows box: Start - Run - \\SAMBASERVER.
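An added sanity check for the smb.conf above (example code, not from the article or from Samba): it verifies that security = ads, that realm matches the Kerberos realm and is uppercase, and that the idmap uid range does not collide with any local account in /etc/passwd, which would otherwise map domain users onto local uids. The function names and the sample passwd lines are my own assumptions.

```shell
#!/bin/sh
# Added sanity check for the smb.conf shown above; not code from the original
# article or from Samba. It reads the [global] settings and a passwd file as
# text arguments so it runs without Samba installed. It checks that
# security = ads, that realm is the expected value and uppercase (as the
# Kerberos section requires), and that the idmap uid range does not overlap
# any local account, since a collision would map domain users onto local uids.

# smb_get conf key -> value of "key = value" (case-insensitive key, trimmed)
smb_get() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        { key=$1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
        tolower(key) == k { v=$2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val=v }
        END { print val }'
}

# idmap_collisions passwd_text low high -> prints local users with uid in [low,high]
idmap_collisions() {
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" '$3 >= lo && $3 <= hi {print $1}'
}

# smb_conf_ok conf passwd_text expected_realm -> 0 if every check passes
smb_conf_ok() {
    conf=$1; passwd=$2; want=$3
    [ "$(smb_get "$conf" security)" = ads ] \
        || { echo "security must be ads for an AD member"; return 1; }
    realm=$(smb_get "$conf" realm)
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$want" ] && [ "$realm" = "$upper" ] \
        || { echo "realm '$realm' must equal '$want' and be uppercase"; return 1; }
    range=$(smb_get "$conf" "idmap uid")
    [ -n "$range" ] || { echo "idmap uid range not set"; return 1; }
    lo=${range%-*}; hi=${range#*-}
    bad=$(idmap_collisions "$passwd" "$lo" "$hi")
    [ -z "$bad" ] || { echo "idmap uid $range overlaps local users: $bad"; return 1; }
    echo "smb.conf checks passed"
}
```

On a real box call it as smb_conf_ok "$(cat /etc/samba/smb.conf)" "$(cat /etc/passwd)" TESTDOMAIN.LOCAL before running net ads join.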

This article can be found online at the Debian Administration website at the following bookmarkable URL:

This article is copyright 2006 ltackmann - please ask for permission to republish or translate.