
Document 1494126.1 (support.oracle.com copy, printed 20/05/17, 1:13 PM)
https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-sta...

How to configure Solaris Samba to authenticate to and join a Windows Active Directory Server (ADS) Domain (Doc ID 1494126.1)

In this Document: Goal, Solution, References

APPLIES TO:
Solaris Operating System - Version 10 8/07 U4 to 11.3 [Release 10.0 to 11.0]
Information in this document applies to any platform.

GOAL

Solaris 10 and later Samba can be configured to join a Windows Domain and authenticate Windows Domain users via Active Directory. This requires the Solaris Samba, Kerberos and Name Service Switch components to be configured together. This document provides an example configuration and the steps needed to join a Solaris 10 or Solaris 11 Samba server to the Domain and authenticate users via ADS. The procedures are the same for both releases except where differences for Solaris 11 and Solaris 11.1 are noted.

Please note that Solaris 11 and later also provides its own SMB and Windows Interoperability capability (the Solaris SMB server). It differs significantly from Samba and from the configuration referenced in this document. For information on Solaris 11 SMB please refer to the documentation Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.1: http://docs.oracle.com/cd/E26502_01/html/E29004/index.html

SOLUTION

Most Windows Server implementations automatically create the Computer (machine account) and DNS records when the Solaris Samba server successfully joins the Domain, so normally no action is required on the Windows side. On the Solaris Samba server the procedure is the following.

It is suggested to have Solaris 10 Samba patch 119757-21 (SPARC) or 119758-21 (X86) or later installed when using these procedures. The latest recommended Samba patch is:

Patch-ID# 119757-33
Synopsis: SunOS 5.10: Samba patch

- Create the /etc/samba/smb.conf file. For an ADS configuration a configuration such as the following can be used. The realm and workgroup would be replaced by the Kerberos Realm/Windows Domain and the Workgroup that exist in your environment. The following is supplied as a reference; please refer to the Samba Community documentation and the Solaris smb.conf man page for more information on options and settings.

[global]
realm = NETADM.COM
workgroup = NETADM
security = ADS
# use kerberos keytab (this option was removed in 3.0.30 and later)
encrypt passwords = yes
server string = Samba ADS Configuration
guest account = nobody
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5/krb5.keytab

# winbind configuration:
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template homedir = /samba/pchome/%D/%U
template shell = /bin/sh
# idmap config NETADM:default = yes
# (NOTE: This option has been removed in Samba 3.6.8 and later. It can be removed from configurations in those releases)
idmap config *:backend = tdb
idmap config *:range = 5000-9999
idmap config NETADM:backend = tdb
idmap config NETADM:range = 10000-90000

- Share sections would also be added to the smb.conf file to share directories to Windows clients. Please refer to the Samba Community documentation and the Solaris smb.conf man page for information on share options and settings.

- Edit /etc/nsswitch.conf and add winbind to the passwd: and group: lines:

passwd: files winbind
group: files winbind [TRYAGAIN=1]

In Solaris 11 and later, to complete the nsswitch.conf change, execute the following commands to import the updated nsswitch.conf file into the SMF repository and refresh the Solaris 11 service that exists for the nsswitch operations:

# nscfg import -f svc:/system/name-service/switch:default
# svcadm refresh svc:/system/name-service/switch:default

Execute the following command to restart the nscd daemon:

# svcadm restart name-service/cache:default

Solaris Kerberos Configuration

The Samba ADS configuration requires Kerberos to be configured for host authentication with the Windows ADS Server. In almost all cases the Kerberos Key Distribution Center (KDC) will be the Windows ADS Server, and that is the server used in the configuration. In this file the realm is the Windows Domain name in upper case (Kerberos realm names are case-sensitive), and the kdc and admin_server are the fully qualified hostname of the Windows ADS server that is also the KDC. The hostnames have to be resolvable via DNS.

- Create a /etc/krb5/krb5.conf file. For example:

[libdefaults]
default_realm = NETADM.COM
dns_lookup_kdc = true

[realms]
NETADM.COM = {
kdc = PC1-ADS.netadm.com
admin_server = PC1-ADS.netadm.com
}

[domain_realm]
.netadm.com = NETADM.COM
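The idmap ranges in the smb.conf above decide which Solaris UIDs and GIDs winbind hands out for Domain SIDs. Because nsswitch consults files before winbind, a Domain identity mapped onto a UID that a local account already owns is displayed as, and owns files as, that local account, and two Domain ranges that overlap let two different SIDs share one UID. The following shell script is an added example and is not part of the Oracle note: it parses the idmap range lines out of an smb.conf and flags ranges that overlap each other or that contain a local UID. The smb.conf fragments and passwd lines it checks are constructed from the note's example; note that the reserved Solaris accounts nobody (UID 60001) and noaccess (UID 60002) fall inside the 10000-90000 NETADM range shown above, which is why the first run reports findings, while the narrowed range passes.

```shell
#!/bin/sh
# Added example: lint the idmap ranges in an smb.conf against each other and
# against local accounts. Not part of the Oracle note; the inputs below are
# constructed to mirror the note's [global] section and a typical Solaris passwd.

# Constructed smb.conf fragment (same idmap settings as the note).
SMB_CONF='[global]
realm = NETADM.COM
workgroup = NETADM
security = ADS
idmap config *:backend = tdb
idmap config *:range = 5000-9999
idmap config NETADM:backend = tdb
idmap config NETADM:range = 10000-90000'

# Same ranges with NETADM narrowed to stay below the reserved Solaris UIDs.
SMB_CONF_NARROW='idmap config *:range = 5000-9999
idmap config NETADM:range = 10000-59999'

# Constructed variant with overlapping ranges, to show the overlap finding.
SMB_CONF_OVERLAP='idmap config *:range = 5000-12000
idmap config NETADM:range = 10000-59999'

# Constructed passwd lines: root, a local operator, and the Solaris nobody/noaccess UIDs.
LOCAL_PASSWD='root:x:0:0:Super-User:/:/usr/bin/bash
oper1:x:1001:10::/export/home/oper1:/bin/sh
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:'

# idmap_check CONF PASSWD
# Prints one line per finding; returns 1 if there are any findings, 0 if clean.
idmap_check() {
    awk -v conf="$1" -v passwd="$2" '
    BEGIN {
        bad = 0
        n = split(conf, line, "\n")
        k = 0
        for (i = 1; i <= n; i++) {
            # match: idmap config <domain>:range = <lo>-<hi>
            if (line[i] ~ /^[ \t]*idmap config [^:]+:range[ \t]*=/) {
                sub(/^[ \t]+/, "", line[i])
                split(line[i], f, "[- =:]+")
                k++; dom[k] = f[3]; lo[k] = f[5] + 0; hi[k] = f[6] + 0
                if (lo[k] > hi[k]) { print "BAD RANGE " dom[k] " " lo[k] "-" hi[k]; bad++ }
            }
        }
        if (k == 0) { print "NO IDMAP RANGES FOUND"; bad++ }
        # Every pair of ranges must be disjoint: two SIDs must never share a UID.
        for (i = 1; i <= k; i++)
            for (j = i + 1; j <= k; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    print "OVERLAP " dom[i] " " lo[i] "-" hi[i] " vs " dom[j] " " lo[j] "-" hi[j]; bad++
                }
        # No local account may sit inside a winbind range (files wins in nsswitch).
        m = split(passwd, pw, "\n")
        for (i = 1; i <= m; i++) {
            if (split(pw[i], p, ":") < 3) continue
            uid = p[3] + 0
            for (j = 1; j <= k; j++)
                if (uid >= lo[j] && uid <= hi[j]) {
                    print "LOCAL UID " p[1] "(" uid ") inside " dom[j] " range " lo[j] "-" hi[j]; bad++
                }
        }
        exit (bad > 0)
    }'
}

# Demonstration run against the ranges from the note (status reported, not fatal).
idmap_check "$SMB_CONF" "$LOCAL_PASSWD" || echo "idmap check: findings for the note's example ranges"
```

Run it against the real files with `idmap_check "$(cat /etc/samba/smb.conf)" "$(cat /etc/passwd)"` before `net ads join`; the tdb allocator hands out UIDs from the bottom of the range upwards, so a collision with 60001 only materialises after tens of thousands of mappings, but a range that cannot collide is cheaper than an audit later.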

The Kerberos configuration also requires a /etc/krb5/krb5.keytab file. This file holds the keys for the host's Kerberos principals obtained from the KDC; it is created in a later step, as the Samba and Winbind services are enabled. Because those keys authenticate the host itself to the Domain, the keytab must remain owned by root and readable by root only.

- Confirm that the date and time are synchronized between the Solaris Samba server and the Windows ADS Server/KDC. Kerberos tolerates a clock difference of at most five minutes by default, so a skew of even a few minutes (3-5) will cause ticket requests to be rejected, and an error such as "clock skew too large" can be returned by the kinit command.

The next steps enable the samba and winbind services, join the Samba server to the Windows Domain, and create the krb5.keytab file. To join the Domain a system administrator will use a Windows Domain username that has administrator rights and privileges in the Windows Domain; strictly, the account only needs the right to create or join computer objects in the target container, so a less privileged account delegated that right can be used instead of the Domain administrator shown in the examples.

- Enable the Samba service

# svcadm enable samba


Confirm the samba service is online:

# svcs samba
STATE          STIME    FMRI
online         15:06:22 svc:/network/samba:default

- Join the Samba server to the Domain

# net ads join -U administrator
Enter administrator's password:
Using short domain name -- NETADM
Joined 'LBL-1130' to realm 'netadm.com'

- Create the /etc/krb5/krb5.keytab file. The prompt will call for the Administrator account and password to be entered:

# net ads keytab create -U administrator
Enter administrator's password:
#

- Confirm that the /etc/krb5/krb5.keytab has been created with the command:

# klist -kte /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   0 09/17/12 18:04:04 host/[email protected] (DES cbc mode with CRC-32)
   0 09/17/12 18:04:04 host/[email protected] (DES cbc mode with RSA-MD5)
   0 09/17/12 18:04:04 host/[email protected] (ArcFour with HMAC/md5)
   0 09/17/12 18:04:04 host/[email protected] (DES cbc mode with CRC-32)
   0 09/17/12 18:04:04 host/[email protected] (DES cbc mode with RSA-MD5)
   0 09/17/12 18:04:04 host/[email protected] (ArcFour with HMAC/md5)
   0 09/17/12 18:04:05 [email protected] (DES cbc mode with CRC-32)
   0 09/17/12 18:04:05 [email protected] (DES cbc mode with RSA-MD5)
   0 09/17/12 18:04:05 [email protected] (ArcFour with HMAC/md5)

The Principal column is masked in this copy of the note. On a real system it lists the host/<fqdn>@REALM and host/<shortname>@REALM service principals and the <shortname>$@REALM machine account, one entry per encryption type. The encryption types shown here are single DES and RC4 (ArcFour); single-DES types are disabled by default on Windows Server 2008 R2 and later domain controllers and RC4 is deprecated, so with a current Samba release and a current Domain the listing should also contain AES entries, which are the ones that will actually be used.
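The listing above carries only single-DES and RC4 keys, which is what this Samba release wrote in 2012; a keytab with no AES entries deserves a second look before the server goes into production. The shell script below is an added example, not part of the Oracle note: it parses `klist -kte` output and grades the keytab by encryption type, failing on single DES and warning when only RC4 is present. The two listings it reads are constructed; the principal names (the note's LBL-1130 host in the NETADM.COM realm) are assumed, since the copy above masks them, and the second listing shows what a keytab that also carries AES keys looks like.

```shell
#!/bin/sh
# Added example: audit the encryption types in a keytab listing produced by
# `klist -kte`. Not part of the Oracle note; the listings below are constructed.

# Constructed listing shaped like the note's output. Principal names assumed:
# host/<fqdn>, host/<shortname> and the <shortname>$ machine account.
KLIST_LEGACY='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   0 09/17/12 18:04:04 host/lbl-1130.netadm.com@NETADM.COM (DES cbc mode with CRC-32)
   0 09/17/12 18:04:04 host/lbl-1130.netadm.com@NETADM.COM (DES cbc mode with RSA-MD5)
   0 09/17/12 18:04:04 host/lbl-1130.netadm.com@NETADM.COM (ArcFour with HMAC/md5)
   0 09/17/12 18:04:04 host/LBL-1130@NETADM.COM (DES cbc mode with CRC-32)
   0 09/17/12 18:04:04 host/LBL-1130@NETADM.COM (DES cbc mode with RSA-MD5)
   0 09/17/12 18:04:04 host/LBL-1130@NETADM.COM (ArcFour with HMAC/md5)
   0 09/17/12 18:04:05 LBL-1130$@NETADM.COM (DES cbc mode with CRC-32)
   0 09/17/12 18:04:05 LBL-1130$@NETADM.COM (DES cbc mode with RSA-MD5)
   0 09/17/12 18:04:05 LBL-1130$@NETADM.COM (ArcFour with HMAC/md5)'

# Constructed listing from a keytab that also carries AES keys.
KLIST_AES='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 05/20/17 13:13:00 host/lbl-1130.netadm.com@NETADM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 05/20/17 13:13:00 host/lbl-1130.netadm.com@NETADM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 05/20/17 13:13:00 host/lbl-1130.netadm.com@NETADM.COM (ArcFour with HMAC/md5)
   2 05/20/17 13:13:01 LBL-1130$@NETADM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 05/20/17 13:13:01 LBL-1130$@NETADM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 05/20/17 13:13:01 LBL-1130$@NETADM.COM (ArcFour with HMAC/md5)'

# keytab_counts LISTING -> prints "des=N rc4=N aes=N other=N"
keytab_counts() {
    printf '%s\n' "$1" | awk '
        # entry lines: <kvno> <mm/dd/yy> <hh:mm:ss> <principal> (<enctype>)
        /^ *[0-9]+ +[0-9]+\/[0-9]+\/[0-9]+ +[0-9:]+ .*\(.*\)$/ {
            et = $0; sub(/.*\(/, "", et); sub(/\)$/, "", et)
            if      (et ~ /^DES/)     des++
            else if (et ~ /^ArcFour/) rc4++
            else if (et ~ /^AES/)     aes++
            else                      other++
        }
        END { printf "des=%d rc4=%d aes=%d other=%d\n", des, rc4, aes, other }'
}

# keytab_audit LISTING
# Prints a verdict; returns 2 if single-DES keys are present, 1 if the keytab
# has no AES keys at all (RC4 only), 0 otherwise.
keytab_audit() {
    counts=$(keytab_counts "$1")
    set -- $counts
    des=${1#des=}; rc4=${2#rc4=}; aes=${3#aes=}
    if [ "$des" -gt 0 ]; then
        echo "FAIL: $des single-DES key(s) present; current AD domain controllers do not use DES by default"
        return 2
    elif [ "$aes" -eq 0 ]; then
        echo "WARN: no AES keys, RC4 only ($rc4 key(s)); RC4 is deprecated"
        return 1
    fi
    echo "OK: $aes AES key(s), no DES"
    return 0
}

# Demonstration (audit status reported, not fatal).
keytab_audit "$KLIST_LEGACY" || :
keytab_audit "$KLIST_AES" || :
```

On the server itself run `keytab_audit "$(klist -kte /etc/krb5/krb5.keytab)"` as root; a non-zero status from this check is the point at which to revisit the Samba patch level (see NOTE:1624663.1 in the References) rather than after the first "Program lacks support for encryption type" failure.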

- Confirm the Kerberos client is properly initiated and communicates with the KDC for the Kerberos Realm

# kinit -V [email protected] Password for [email protected]: Authenticated to Kerberos v5 Enable the Winbind service # svcadm enable winbind - Confirm that the samba and winbind services are online: # svcs samba winbind STATE STIME FMRI online 15:06:22 svc:/network/samba:default online 15:09:55 svc:/network/winbind:default

- Confirm that winbindd can be contacted and returns ADS usernames and groups with the commands:

# wbinfo -p
# wbinfo -u
# wbinfo -g

- Confirm that the Solaris NSS functions (configured via /etc/nsswitch.conf) can return Windows ADS user information:

# getent passwd | grep Windows_Domain_Username

For example:

# getent passwd | grep user1
NETADM+user1:*:11000:11013:user1:/home/NETADM/user1:/bin/csh

The NETADM+ prefix comes from the winbind separator setting, and the UID 11000 was allocated from the NETADM idmap range configured in smb.conf.

Once completed, a Windows client system should be able to map a share from the Solaris Samba server and authenticate using the user's Windows Domain/ADS username and password.

- If it is intended for ADS users to log in to the Solaris Samba server via ssh or telnet, a pam.conf file with winbind references should be moved into place.

Note: On Solaris 10 with Samba Patch 119757-20 SPARC / 119758-20 X86 or later installed, the pam.conf-winbind2 file provided as an attachment in Document 1413786.1 should be used in the following steps.

# cd /etc
# cp pam.conf pam.conf.bak
# cp pam.conf-winbind pam.conf

Note: In Solaris 11.1 and later the PAM configuration has been updated. To add the Winbind PAM module to the configuration, edit the files located under /etc/pam.d/ and add the line for pam_winbind.so.1 as shown in each of the following files.

# pwd
/etc/pam.d
# cat login
#
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# login service (explicit because of pam_dial_auth)
#
auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth sufficient         pam_winbind.so.1 try_first_pass
auth required           pam_dhkeys.so.1
auth required           pam_unix_auth.so.1
auth required           pam_unix_cred.so.1
auth required           pam_dial_auth.so.1

# cat other
#
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth sufficient         pam_winbind.so.1 try_first_pass
auth required           pam_dhkeys.so.1
auth required           pam_unix_auth.so.1
auth required           pam_unix_cred.so.1

account requisite       pam_roles.so.1
account sufficient      pam_winbind.so.1 try_first_pass
account definitive      pam_user_policy.so.1
account required        pam_unix_account.so.1
account required        pam_tsol_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
session definitive      pam_user_policy.so.1
session sufficient      pam_winbind.so.1 try_first_pass
session required        pam_unix_session.so.1

# cat rlogin
#
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# rlogin service (explicit because of pam_rhost_auth)
#
auth definitive         pam_user_policy.so.1
auth sufficient         pam_rhosts_auth.so.1
auth requisite          pam_authtok_get.so.1
auth sufficient         pam_winbind.so.1 try_first_pass
auth required           pam_dhkeys.so.1
auth required           pam_unix_auth.so.1
auth required           pam_unix_cred.so.1

Please refer to the References section for Samba Community documentation and Oracle Community information resources.
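Order matters in these stacks: pam_authtok_get must run before pam_winbind so that try_first_pass has a password to try, and pam_winbind (sufficient) must run before pam_unix_auth (required), because a required module that has already failed for a Domain user, who has no local password, is not rescued by a later sufficient success. The shell script below is an added example rather than part of the Oracle note: it checks the auth stack of a Solaris /etc/pam.d service file for those conditions. The two stacks it reads are constructed, one copied from the note's other file above and one deliberately misordered.

```shell
#!/bin/sh
# Added example: lint the auth stack of a Solaris /etc/pam.d service file for
# a correctly placed pam_winbind entry. Not part of the Oracle note.

# Constructed: the auth stack from the note's /etc/pam.d/other.
PAM_OTHER_OK='#
# Default definitions for Authentication management
#
auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth sufficient         pam_winbind.so.1 try_first_pass
auth required           pam_dhkeys.so.1
auth required           pam_unix_auth.so.1
auth required           pam_unix_cred.so.1'

# Constructed misordered stack: pam_winbind after pam_unix_auth and without try_first_pass.
PAM_OTHER_BAD='auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth required           pam_unix_auth.so.1
auth sufficient         pam_winbind.so.1
auth required           pam_unix_cred.so.1'

# pam_auth_check STACK
# Prints "OK" or one finding per line; returns 0 only when the stack is clean.
pam_auth_check() {
    printf '%s\n' "$1" | awk '
        # Solaris pam.d line format: <type> <control> <module> [options...]
        $1 == "auth" { n++; ctl[n] = $2; mod[n] = $3; opt[n] = $4 }
        END {
            for (i = 1; i <= n; i++) {
                if (mod[i] == "pam_authtok_get.so.1") get = i
                if (mod[i] == "pam_winbind.so.1")     { wb = i; wbctl = ctl[i]; wbopt = opt[i] }
                if (mod[i] == "pam_unix_auth.so.1")   ua = i
            }
            bad = 0
            if (!wb) {
                print "no pam_winbind.so.1 in the auth stack"; bad++
            } else {
                if (wbctl != "sufficient")     { print "pam_winbind control is " wbctl ", expected sufficient"; bad++ }
                if (wbopt != "try_first_pass") { print "pam_winbind lacks try_first_pass (it would prompt for the password a second time)"; bad++ }
                if (!get || get > wb)          { print "pam_authtok_get must precede pam_winbind"; bad++ }
                if (!ua || ua < wb)            { print "pam_unix_auth (required) must follow pam_winbind (sufficient)"; bad++ }
            }
            if (bad == 0) print "OK"
            exit (bad > 0)
        }'
}

# Demonstration (findings reported, not fatal).
pam_auth_check "$PAM_OTHER_OK" || :
pam_auth_check "$PAM_OTHER_BAD" || :
```

On a Solaris 11.1 system run it over each edited service, for example `for f in login other rlogin; do echo "== $f"; pam_auth_check "$(cat /etc/pam.d/$f)"; done`, before testing an interactive Domain login, so that a misordered stack is caught as a lint finding rather than as a locked-out administrator.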

REFERENCES

NOTE:1547651.1 - What version of the Solaris 10 Samba Patch is required for ADS authentication with Windows Server 2008 and 2012?
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member
NOTE:1554792.1 - After Upgrading to Samba 3.6.4 and later ADS Users Cannot Authenticate for Windows Share or Solaris User Access
NOTE:1624663.1 - Samba: 'net ads join' fails with 'kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type'
NOTE:1413786.1 - Unable To Login Via SSH, Telnet, Or Shell As A ADS User After Solaris 10 Samba Patch 119757-20/119758-20 or later
