Wednesday, 5 October 2011

Debian Squeeze samba domain member fileserver

I struggled to find information on how to set up a samba domain member server on Debian Squeeze. This is how I got it working.

NTP
Firstly we install and configure an NTP client. This is needed to keep Kerberos happy, if the time is out by more than 5 mins Kerberos refuses to work.
apt-get install ntp
If you machine can access internet time servers, then this is all you need to do, ntp will happily start connecting  to the Debian time server pool and sync your time.


I have my own time server set up so in /etc/ntp.conf I commented out the server directives for the Debian time server pools and added my own server with the following:
server time.mycompany.com
Restart the ntp daemon with :
/etc/init.d/ntp restart
You can check what ntp gets up to with:
tail -f /var/log/syslog
You will hopefully see something like the following:

Oct  1 10:34:12 myserver ntpd[3757]: ntpd 4.2.4p4@1.1520-o Sun Nov 22 16:14:34 UTC 2009 (1)
Oct  1 10:34:12 myserver ntpd[3758]: precision = 1.000 usec
Oct  1 10:34:12 myserver ntpd[3758]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
Oct  1 10:34:12 myserver ntpd[3758]: Listening on interface #1 wildcard, ::#123 Disabled
Oct  1 10:34:12 myserver ntpd[3758]: Listening on interface #2 lo, ::1#123 Enabled
Oct  1 10:34:12 myserver ntpd[3758]: Listening on interface #3 eth0, fe80::250:56ff:fe84:1#123 Enabled
Oct  1 10:34:12 myserver ntpd[3758]: Listening on interface #4 lo, 127.0.0.1#123 Enabled
Oct  1 10:34:12 myserver ntpd[3758]: Listening on interface #5 eth0, 192.168.0.100#123 Enabled
Oct  1 10:34:12 myserver ntpd[3758]: kernel time sync status 0040
Oct  1 10:34:12 myserver ntpd[3758]: frequency initialized 0.000 PPM from /var/lib/ntp/ntp.drift
Oct  1 10:43:28 myserver ntpd[3758]: synchronized to 192.168.0.2, stratum 3
Oct  1 10:43:28 myserver ntpd[3758]: time reset +298.707500 s
Oct  1 10:43:28 myserver ntpd[3758]: kernel time sync status change 0001


Kerberos
Install the kerberos client
apt-get install krb5-user
Default Kerberos version 5 realm: <FQDN for your domain>
Kerberos servers for your realm: <FQDN for you dc>
Administrative Server for your Kerberos realm:  <FQDN for you dc>


Test that kerberos is working correctly by running the following command (caps are important):
kinit administrator@MYCOMPANY.COM
This will ask you for the password for the above account, which needs to exist on your Active Directory. If you input the password correctly you should be returned to the command prompt, otherwise you will see something like:
kinit(v5): Preauthentication failed while getting initial credentials
In which case you will need to check the contents of your krb5.conf file.

Samba
Install samba and winbind with:
apt-get install samba winbind
Don't worry what we put for the config of samba as we will replace the file anyway


Move the samba config file out of the way with:
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig 
Create /etc/samba/smb.conf with the following contents, change the workgroup and realm to what your AD is set to.

[global]
        netbios name = sambafileserver
        workgroup = MYCOMPANY
        realm = MYCOMPANY.COM
        server string = Samba Domain Member
        smb ports = 445
        security = ADS
        encrypt passwords = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind nested groups = yes
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000

        client use spnego = yes
        client ntlmv2 auth = yes

[store]
        comment = file store
        path = /store
        read only = no
        valid users = MYCOMPANY+administrator

There are a couple of things to note about the smb.conf file, workgroup = the short name for your domain (like the domain part of a username when used like so: DOMAIN\username), realm is the FQDN of the domain (the part after the @ when you are using the username format like so: username@DOMAIN.LOCAL)


Create the /store path so that samba can access it to share it out:
mkdir /store 
chmod 777 /store
Edit /etc/nsswitch.conf and ensure that the passwd line looks like this:
passwd:         compat winbind
Restart the samba and winbind services:
/etc/init.d/samba restart ; /etc/init.d/winbind restart
We now need to join the computer to the active directory with:
net ads join -U administrator
As long as the join reports as successful you should be able to ignore any other failures.

Test that winbind can communicate with the domain:
wbinfo -t
If all is well the above command should return:
checking the trust secret for domain NA via RPC calls succeeded
Now jump onto a domain connected windows PC and see if you can create files in the share as the user mentioned in the "valid users" directive of the smb.conf.

No comments:

Post a comment