Procedures for Enabling Active Directory Authentication on UNIX


Enabling Active Directory Authentication on a Samba Server

Enable AD-based authentication to your Samba shares.

The following procedure has been tested with Solaris 8 and 9, Samba 3.0.12pre1 and 3.0.13, MIT Kerberos V5 1.4, and OpenLDAP 2.2.24. Software was compiled with GCC 3.3.2. The procedure assumes installations based in /opt/local.

  1. Download and install the required software.
    1. Before installing, make sure that /usr/ucb is not in your PATH environment variable, or at least that it's toward the end.
    2. Build and install MIT Kerberos V5.
      1. Download from the MIT Kerberos site and unpack.
      2. From the src subdirectory: ./configure --prefix=/opt/local
      3. make
      4. sudo make install
    3. Build and install OpenLDAP.
      1. Download from the OpenLDAP site and unpack.
      2. ./configure --prefix=/opt/local --disable-bdb --enable-null --without-tls
        • --without-tls builds an LDAP library that can't speak LDAPS or StartTLS. The ADS join binds to the domain controller's LDAP with Kerberos (SASL/GSSAPI), so no password crosses the wire in the clear, but nothing on that connection is protected by TLS. Drop the option if your site requires TLS-protected LDAP.
      3. make depend
      4. make
      5. sudo make install
    4. Build and install Samba.
      1. Download from the Samba site and unpack.
      2. Set the CFLAGS environment variable to "-O2".
      3. Set the LDFLAGS environment variable to "-L/opt/local/lib -Wl,-R/opt/local/lib".
      4. Set the CPPFLAGS environment variable to "-I/opt/local/include".
      5. From the source subdirectory: ./configure --prefix=/opt/local --exec-prefix=/opt/local/samba --with-logfilebase=/var/log --with-sslinc=/opt/local/ssl/include --with-ssllib=/opt/local/lib --with-included-popt --with-smbwrapper --with-syslog --with-automount --with-pam --with-ldap --with-ads --with-winbind --with-krb5=/opt/local
      6. make
      7. sudo make install
  2. Configure the server.
    1. Add the Active Directory DNS suffix (e.g. ad.example.com) to the search statement in /etc/resolv.conf.
    2. Create /opt/local/etc/krb5.conf that looks something like the following (using a site-specific KDC, and mapping the AD DNS domain to the realm in [domain_realm]; Kerberos realm names are case sensitive and are written in upper case):
      [libdefaults]
      	default_realm = AD.EXAMPLE.COM
      
      [realms]
      	AD.EXAMPLE.COM = {
      		kdc = dc1.ad.example.com
      	}
      
      [domain_realm]
      	.ad.example.com = AD.EXAMPLE.COM
      	ad.example.com = AD.EXAMPLE.COM
      		
    3. Set up /opt/local/samba/lib/smb.conf to include the following parameters in the [global] section (substituting a local DC for the password server; the realm must match the default_realm in krb5.conf, in upper case):
      workgroup = EXAMPLE
      realm = AD.EXAMPLE.COM
      security = ADS
      password server = dc1.ad.example.com
      encrypt passwords = yes
      allow trusted domains = yes
      username map = /opt/local/samba/lib/user.map
      		
      • Naming a single password server pins authentication to that DC; if it is unreachable, logins fail. Listing several DCs, or setting password server = * so that Samba locates them through DNS, avoids that single point of failure.
    4. In /opt/local/samba/lib/user.map, map AD usernames to corresponding UNIX usernames. The UNIX name goes on the left and the AD name on the right, one mapping per line:
      • unixuser = EXAMPLE\aduser
    5. Create an init script and links to start and stop smbd, nmbd, and winbindd. Here's an example:
      #!/bin/sh
      # Start or stop the Samba daemons built under /opt/local/samba.
      
      SMBDIR=/opt/local/samba
      
      if [ ! -d $SMBDIR ]; then
      	echo "$SMBDIR not found" >&2
      	exit 1
      fi
      
      case "$1" in
      'start')
      	# -D runs nmbd and smbd as detached daemons; winbindd detaches by default
      	$SMBDIR/sbin/nmbd -D
      	$SMBDIR/sbin/smbd -D
      	$SMBDIR/sbin/winbindd
      	echo "Started SAMBA - smbd and nmbd and winbindd"
      	;;
      'stop')
      	$SMBDIR/bin/smbcontrol nmbd shutdown
      	$SMBDIR/bin/smbcontrol smbd shutdown
      	$SMBDIR/bin/smbcontrol winbindd shutdown
      	;;
      *)
      	echo "Usage: /etc/init.d/smb.server { start | stop }"
      	exit 1
      	;;
      esac
      		
  3. Join the server to the Active Directory domain.
    1. Have someone with rights to create computer objects in the domain create a machine account for the Samba server (full domain admin rights are not needed for this).
      • If the server's hostname doesn't meet AD naming requirements, you'll need to construct a hostname that does. Use this hostname as the netbios name in smb.conf. Also, you should probably add this hostname as an alias for the server's real hostname in DNS.
    2. sudo /opt/local/bin/kinit DomainAdmin@AD.EXAMPLE.COM
      1. Make sure the realm name is entered in all caps; Kerberos realm names are case sensitive.
      2. You'll be prompted for a domain admin password. Because the command runs under sudo, the ticket lands in root's credential cache, which is the cache the net command below uses.
    3. sudo /opt/local/samba/bin/net ads join -U DomainAdmin
      • The -U option isn't required if this command is run shortly after the kinit.
      • Once the join succeeds, run sudo /opt/local/bin/kdestroy so the admin ticket doesn't linger in root's credential cache. The join stores the machine account password in secrets.tdb in Samba's private directory; keep that file readable by root only, since it authenticates the host to the domain.
  4. Start the daemons: sudo /etc/init.d/smb.server start.
  5. Test SMB access: sudo /opt/local/samba/bin/net ads testjoin verifies that the machine account works; then connect to a share from a domain-joined Windows client with an AD account.
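The two configuration files in step 2 have to agree with each other, and the mistakes that most often break the join are easy to miss by eye: a misspelled section header, a realm in the wrong case, or a realm that differs between krb5.conf and smb.conf. The following is an added example, not code from the original page or from Samba; it reads both files with a small hand-written parser (krb5.conf) and configparser (smb.conf) and reports those problems. The two sample file pairs are constructed, and the check list covers only the parameters this page sets.

```python
"""Sanity checks for the krb5.conf / smb.conf pair used in an ADS join.

Added example, not part of the original page.  check_ad_config() returns a
list of problems; an empty list means the files are consistent.
"""
import configparser
import re


def parse_krb5(text):
    """Parse the subset of krb5.conf syntax used here into nested dicts.

    Handles [section] headers, 'key = value' lines and one level of
    'key = { ... }' blocks such as the realm entry under [realms].
    """
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        header = re.match(r'^\[(.+)\]$', line)
        if header:
            stack = [conf.setdefault(header.group(1).strip(), {})]
            continue
        if not stack:
            continue                      # text before the first header
        if line == '}':
            if len(stack) > 1:
                stack.pop()
            continue
        key, _, value = (s.strip() for s in line.partition('='))
        if value == '{':
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def parse_smb(text):
    """Parse smb.conf with configparser (option names are case-insensitive)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(';', '#'))
    # Strip indentation first: configparser would otherwise treat an indented
    # 'key = value' line as a continuation of the previous value.
    cp.read_string('\n'.join(l.strip() for l in text.splitlines()))
    return cp


def check_ad_config(krb5_text, smb_text):
    """Return a list of human-readable problems (empty when all is well)."""
    problems = []
    krb = parse_krb5(krb5_text)
    realm = krb.get('libdefaults', {}).get('default_realm')
    if not realm:
        problems.append('krb5.conf: [libdefaults] has no default_realm')
        realm = ''
    elif realm != realm.upper():
        problems.append('krb5.conf: default_realm %r is not upper case' % realm)
    realm_block = krb.get('realms', {}).get(realm)
    if not isinstance(realm_block, dict) or 'kdc' not in realm_block:
        problems.append('krb5.conf: no kdc listed for realm %s in [realms]' % realm)
    if 'domain_realm' not in krb:
        if 'domain_realms' in krb:
            problems.append('krb5.conf: section [domain_realms] should be [domain_realm]')
        else:
            problems.append('krb5.conf: no [domain_realm] mapping for the AD DNS domain')
    elif realm not in krb['domain_realm'].values():
        problems.append('krb5.conf: no [domain_realm] entry maps to %s' % realm)

    smb = parse_smb(smb_text)
    if smb.has_section('global'):
        g = smb['global']
    elif smb.has_section('globals'):
        problems.append('smb.conf: section [globals] should be [global]')
        g = smb['globals']                # still check the rest of it
    else:
        problems.append('smb.conf: no [global] section')
        return problems
    if g.get('security', '').lower() != 'ads':
        problems.append("smb.conf: security must be 'ads' for an AD domain member")
    if not g.get('workgroup'):
        problems.append('smb.conf: workgroup is not set')
    smb_realm = g.get('realm', '')
    if not smb_realm:
        problems.append('smb.conf: realm is not set')
    else:
        if smb_realm != smb_realm.upper():
            problems.append('smb.conf: realm %r is not upper case' % smb_realm)
        if smb_realm.upper() != realm:
            problems.append('smb.conf: realm %s does not match krb5.conf default_realm %s'
                            % (smb_realm, realm))
    return problems


# Constructed sample files.  The BAD pair has a misspelled [domain_realm]
# header and a [globals] section with a lower-case realm; the GOOD pair is
# the corrected form.
KRB5_BAD = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }

[domain_realms]
    .ad.example.com = AD.EXAMPLE.COM
"""
KRB5_GOOD = KRB5_BAD.replace('[domain_realms]', '[domain_realm]')

SMB_BAD = """
[globals]
    workgroup = EXAMPLE
    realm = ad.example.com
    security = ADS
    password server = dc1.ad.example.com
    encrypt passwords = yes
"""
SMB_GOOD = SMB_BAD.replace('[globals]', '[global]').replace(
    'realm = ad.example.com', 'realm = AD.EXAMPLE.COM')

if __name__ == '__main__':
    for label, k, s in (('bad', KRB5_BAD, SMB_BAD), ('good', KRB5_GOOD, SMB_GOOD)):
        print(label, check_ad_config(k, s) or ['ok'])
```

Run it with the real files (open() each and pass the text) before the join; the bad pair above reports three problems and the good pair none.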

Enabling Active Directory Authentication on UNIX

Enable AD-based authentication to your UNIX system.

The following procedure has been tested with Solaris 8 and 9, MIT Kerberos V5 1.4, and OpenLDAP 2.2.24. Software was compiled with GCC 3.3.2. The procedure assumes installations based in /opt/local.

  1. Download and install MIT Kerberos V5, OpenLDAP, and Samba as described in the procedure to enable AD authentication on a Samba server. In addition:
    1. If /usr is mounted read-only, remount it read-write: sudo mount -o remount,rw /usr.
    2. From the source/nsswitch/ directory of the Samba source distribution, copy libnss_winbind.so to /usr/lib/nss_winbind.so.1, with 0555 permissions.
    3. From the source/nsswitch/ directory of the Samba source distribution, copy pam_winbind.so to /usr/lib/security/ with 0555 permissions, and create a symlink to it from /usr/lib/security/pam_winbind.so.1.
  2. Configure the host.
    1. Configure resolv.conf, krb5.conf, and smb.conf as described in the procedure to enable AD authentication on a Samba server.
    2. Add the following lines to smb.conf, substituting appropriate values for template home directories, login shells, and UID/GID ranges:
      winbind separator = +
      winbind use default domain = yes
      winbind enum users = no
      winbind enum groups = no
      winbind cache time = 1800
      idmap uid = 100000-200000
      idmap gid = 100000-200000
      template homedir = /home/%U
      template shell = /bin/tcsh
      		
      • With winbind use default domain = yes, accounts from your own domain appear as plain names (aduser rather than EXAMPLE+aduser; the separator is only seen for trusted domains), so they must not collide with names in the local /etc/passwd and /etc/group, which the name service switch consults first. Choose idmap ranges that don't overlap UIDs and GIDs already allocated locally.
    3. In /etc/nsswitch.conf, add winbind [TRYAGAIN=2] to the end of the passwd and group lines, after files, so that local accounts (root in particular) still resolve when winbindd is down or the DC is unreachable.
    4. In /etc/pam.conf:
      1. To the auth section of each service for which AD authentication will be enabled (typically login and other), add a line like the following at the beginning:
        other	auth sufficient		pam_winbind.so.1
        Also, add try_first_pass to the end of subsequent lines using pam_unix.so.1, pam_unix_auth.so.1, or pam_dial_auth.so.1, so that a local user whose password winbind has just rejected is not prompted for it a second time.
      2. To the account section of each relevant service, add a line like the following at the beginning:
        other	account sufficient	pam_winbind.so.1
      3. For example, on Solaris 9, the lines for other services in /etc/pam.conf might look like this:
        other	auth sufficient		pam_winbind.so.1
        other	auth required		pam_unix.so.1 try_first_pass
        other	account sufficient	pam_winbind.so.1
        other	account requisite	pam_roles.so.1
        other	account required	pam_projects.so.1
        other	account required	pam_unix_account.so.1
        other	session required	pam_unix_session.so.1
        other	password required	pam_dhkeys.so.1
        other	password requisite	pam_authtok_get.so.1
        other	password requisite	pam_authtok_check.so.1
        other	password required	pam_authtok_store.so.1
        			
      • pam_winbind is consulted for every account name, root included. If an AD account has the same name as a local account, the AD password authenticates as that local user, and for a name like root that means UID 0. Keep PermitRootLogin restricted in sshd_config, and use pam_winbind's require_membership_of option (in builds that provide it) to limit which AD users may authenticate through winbind at all.
    5. In /opt/local/etc/sshd_config, the UsePAM parameter should be set to yes.
    6. Create an init script and symlinks as described in the procedure to enable AD authentication on a Samba server. However, you only need to run winbindd, not nmbd or smbd.
  3. Enable Active Directory lookups and authentication.
    1. Join the host to the Active Directory domain as described in the procedure to enable AD authentication on a Samba server.
    2. Kill the nscd process, and disable it from starting again. nscd caches passwd and group lookups without knowing about winbind, so it would serve stale or negative answers for AD names.
      • If you have rcstart installed, you can run: sudo /etc/init.d/nscd stop; sudo rcstart -n nscd.
    3. Start winbindd with the init script.
  4. Test AD lookups and authentication.
    1. Test Active Directory connectivity via Kerberos and LDAP.
      1. Use /opt/local/samba/bin/wbinfo -p to check that winbindd answers, and /opt/local/samba/bin/wbinfo -t to check that the machine account password established by the join is still valid.
      2. Use /opt/local/samba/bin/wbinfo -n username to get the SID for an AD username.
      3. Use /opt/local/samba/bin/wbinfo -s SID to get the username or group name for an AD SID.
      4. Use /opt/local/samba/bin/wbinfo -g to get the list of AD groups. (This can take a while if there are a lot of groups, and may take several tries until winbindd can receive and cache the results.)
    2. Test lookups via the name service switch.
      1. id username should provide the UNIX UID and primary group for the specified AD user.
      2. getent group groupname should provide the UNIX GID and members of the specified AD group.
      3. Use chown and chgrp to change file and directory ownerships to AD users and groups, and verify that ls -l displays the AD usernames and group names.
    3. Test authentication via PAM.
      1. Login with an AD username and password, via SSH for instance.
        • Once logged in as an AD user, you should be able to use id or groups to get the full list of AD groups to which the user belongs.
      2. Test read/write access to files and directories owned by AD users and groups.
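The pam.conf stack in step 2.4 is a small program in its own right, and the control flags decide who gets in and how many times they are asked for a password. The following is an added example, not code from the original page or from Solaris or Samba: it models the modules as functions and applies the control-flag semantics shared by Solaris PAM and Linux-PAM (requisite failure returns at once; required failure is remembered while the stack continues; sufficient success returns at once unless a required module already failed). It runs the page's stack, the same stack without try_first_pass, and a variant restricted with pam_winbind's require_membership_of. The AD and local accounts, passwords and group are constructed, and the membership check is a model of that option, not the real module.

```python
"""Simulate the PAM 'auth' stack from step 2.4 of the UNIX procedure.

Added example, not part of the original page.  Modules are functions that
return True/False; evaluate() applies PAM control-flag semantics.  All
accounts, passwords and groups below are constructed sample data.
"""

# Constructed directories.  Real pam_winbind asks winbindd; real pam_unix
# checks the crypt(3) hash in /etc/shadow.
AD_USERS = {'alice': 'Wint3r!Cold', 'root': 'Sup3rSecret'}   # AD also has a 'root'
AD_GROUPS = {'unix-logins': {'alice'}}
LOCAL_USERS = {'root': 'localRoot#1', 'bob': 'b0bpass'}


def pam_winbind(ctx, require_membership_of=None):
    """AD authentication.  Prompts once, stashes the password for later
    modules (PAM_AUTHTOK) and, if asked, requires membership of an AD group."""
    ctx['prompts'] += 1
    ctx['first_pass'] = ctx['password']
    user = ctx['user']
    if require_membership_of and user not in AD_GROUPS.get(require_membership_of, ()):
        return False
    return AD_USERS.get(user) == ctx['password']


def pam_unix(ctx, try_first_pass=False):
    """Local authentication.  With try_first_pass it first reuses the password
    an earlier module collected and only re-prompts if that one fails."""
    if try_first_pass and ctx.get('first_pass') is not None:
        if LOCAL_USERS.get(ctx['user']) == ctx['first_pass']:
            return True
    ctx['prompts'] += 1                       # ask the user (again)
    return LOCAL_USERS.get(ctx['user']) == ctx['password']


def evaluate(stack, ctx):
    """Run a stack of (control, name, module); return (ok, decided_by)."""
    first_failure = None
    for control, name, module in stack:
        ok = module(ctx)
        if control == 'requisite' and not ok:
            return False, name
        if control == 'required' and not ok and first_failure is None:
            first_failure = name
        if control == 'sufficient' and ok and first_failure is None:
            return True, name
        # 'optional' never changes the outcome in this model
    return first_failure is None, first_failure or 'end-of-stack'


# The stack as configured on this page.
PAGE_STACK = [
    ('sufficient', 'pam_winbind.so.1', pam_winbind),
    ('required', 'pam_unix.so.1 try_first_pass',
     lambda ctx: pam_unix(ctx, try_first_pass=True)),
]

# Same stack without try_first_pass: every local user is prompted twice.
NO_TFP_STACK = [
    ('sufficient', 'pam_winbind.so.1', pam_winbind),
    ('required', 'pam_unix.so.1', pam_unix),
]

# Restricted variant: only members of one AD group may authenticate through
# winbind (a model of pam_winbind's require_membership_of option).
RESTRICTED_STACK = [
    ('sufficient', 'pam_winbind.so.1 require_membership_of=unix-logins',
     lambda ctx: pam_winbind(ctx, require_membership_of='unix-logins')),
    ('required', 'pam_unix.so.1 try_first_pass',
     lambda ctx: pam_unix(ctx, try_first_pass=True)),
]


def login(user, password, stack=PAGE_STACK):
    """Return (authenticated, deciding module, number of password prompts)."""
    ctx = {'user': user, 'password': password, 'prompts': 0}
    ok, why = evaluate(stack, ctx)
    return ok, why, ctx['prompts']


if __name__ == '__main__':
    for stack_name, stack in (('page', PAGE_STACK), ('no try_first_pass', NO_TFP_STACK),
                              ('restricted', RESTRICTED_STACK)):
        print('--', stack_name)
        for user, pw in (('alice', 'Wint3r!Cold'), ('bob', 'b0bpass'),
                         ('bob', 'wrong'), ('root', 'Sup3rSecret')):
            print('%-6s %-12s -> %s' % (user, pw, login(user, pw, stack)))
```

The run shows the three behaviours worth knowing before you edit pam.conf: an AD user is decided by pam_winbind alone; a local user gets one prompt with try_first_pass and two without; and with the page's stack an AD account named root logs in as local root with its AD password, which the restricted stack refuses.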

Mapping Active Directory Users to Existing UNIX UIDs

Use this procedure on systems where AD user accounts should correspond to UNIX user accounts on other systems. Among other things, this allows NFS shares from a UNIX server to work on an Active Directory UNIX client: NFS identifies users by numeric UID, so the UID winbind assigns on the client must be the one the NFS server already knows. The normal behavior of winbind is to allocate UIDs from the range specified in smb.conf in the order in which it first sees each user, so the same AD user ends up with a different UID on each host. GIDs will continue to be assigned to groups automatically by winbind after following this procedure.

Open issue: Is there any way to restrict login access to an AD client?
(Two controls worth knowing about: pam_winbind's require_membership_of option, in builds that provide it, limits winbind authentication to members of one AD group, and sshd's AllowUsers/AllowGroups apply to winbind-resolved names as well as local ones.)

  1. Enable AD authentication as described above.
  2. Ensure that the range specified by idmap uid in smb.conf covers the range of UNIX UIDs to which accounts will be assigned.
  3. Install wbuser, a custom script used to list, add, and remove the UID/SID mappings stored in /opt/local/samba/var/locks/winbindd_idmap.tdb.
    • Back this file up once the mappings are in place. It is the only record of which UID belongs to which SID; if it is lost, winbind allocates fresh UIDs and every AD-owned file on the host changes owner.
  4. If desired, print a list of the current mappings with wbuser -l.
  5. For each user, execute sudo wbuser -a username UID, where username is the AD username, and UID is the UNIX UID assigned to it.
  6. Create a home directory for the user if necessary.
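Steps 2 and 5 are easy to get wrong by hand on a host with many accounts: a UID outside the idmap range is silently unusable, and a UID that winbind has already handed to somebody else, or a user that winbind has already auto-mapped, must be dealt with before wbuser -a is run. The following is an added example, not code from the original page, that plans the mappings from the reference host's passwd file and refuses any that would break. The passwd lines, AD account names, idmap range and pre-existing mappings are constructed; wbuser is the page's own custom script and only the command line described above is assumed.

```python
"""Plan the AD-user-to-existing-UID mappings for step 5 above.

Added example, not part of the original page.  plan_mappings() returns the
'sudo wbuser -a user UID' commands to run and a list of problems that must
be resolved first.
"""


def parse_passwd(text):
    """Return {login: uid} from 7-field passwd(4) lines; comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            raise ValueError('malformed passwd line: %r' % line)
        users[fields[0]] = int(fields[2])
    return users


def parse_idmap_range(value):
    """Turn an 'idmap uid = low-high' value into (low, high)."""
    low, high = (int(x) for x in value.strip().split('-'))
    if low > high:
        raise ValueError('idmap range has low > high: %s' % value)
    return low, high


def plan_mappings(passwd_text, ad_users, idmap_uid, existing=None):
    """Return (commands, problems).

    commands: 'sudo wbuser -a user UID' for each AD user with a passwd entry
    problems: reasons the plan must not be applied as-is
    existing: {user: uid} already stored in winbindd_idmap.tdb (wbuser -l)
    """
    low, high = parse_idmap_range(idmap_uid)
    unix = parse_passwd(passwd_text)
    existing = dict(existing or {})
    used = {uid: user for user, uid in existing.items()}   # uid -> owner
    commands, problems = [], []
    for user in sorted(ad_users):
        if user not in unix:
            problems.append('%s exists in AD but has no UNIX account' % user)
            continue
        uid = unix[user]
        if uid == 0:
            problems.append('%s: refusing to map an AD account to UID 0' % user)
            continue
        if not low <= uid <= high:
            problems.append('%s: UID %d is outside idmap uid range %d-%d'
                            % (user, uid, low, high))
            continue
        if existing.get(user) == uid:
            continue                              # already mapped correctly
        if user in existing:
            problems.append('%s is already mapped to UID %d, not %d; '
                            'remove that mapping first' % (user, existing[user], uid))
            continue
        if uid in used:
            problems.append('%s: UID %d already belongs to %s' % (user, uid, used[uid]))
            continue
        used[uid] = user
        commands.append('sudo wbuser -a %s %d' % (user, uid))
    return commands, problems


# Constructed sample input: passwd from the reference host, the AD accounts
# to map, the idmap range from smb.conf, and two mappings winbind already made
# (carol was auto-allocated a UID; frank already holds 1002).
PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
alice:x:1001:100:Alice Example:/home/alice:/bin/tcsh
bob:x:1002:100:Bob Example:/home/bob:/bin/tcsh
carol:x:1003:100:Carol Example:/home/carol:/bin/tcsh
dave:x:300001:100:Dave Example:/home/dave:/bin/tcsh
"""
AD_USERS = ['alice', 'bob', 'carol', 'erin', 'root']
IDMAP_UID = '1000-200000'
EXISTING = {'carol': 100042, 'frank': 1002}

if __name__ == '__main__':
    cmds, probs = plan_mappings(PASSWD, AD_USERS, IDMAP_UID, EXISTING)
    print('\n'.join(cmds))
    for p in probs:
        print('PROBLEM:', p)
```

On the sample data only alice gets a command; bob collides with frank's existing UID, carol already has an automatic mapping that must be removed first, erin has no UNIX account, and root is never mapped. Feed it the real passwd file and the output of wbuser -l, and run the commands only when the problem list is empty.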


Last updated: 12 January 2006
Send comments to: webmaster@occam.com
Copyright © 2005-2006 Occam's Razor. All rights reserved.