Using Samba in Linux-AD Integration19 December 2006 · Filed in Tutorial
Suggestions to use Samba in Linux-AD integration scenarios appeared in the comments for the following articles:
The idea was that Samba could be used to help automate the process of creating the appropriate service principals in Active Directory. Previously, I had recommended the use of
ktpass.exe and separate user accounts for each service principal (i.e., HOST/ or host/, HTTP/, etc.) because of the limitations of
ktpass.exe and adding service principals in Active Directory. However, a number of readers pointed out that Samba’s
net ads join and
net ads keytab commands could help automate and streamline this process.
Since one of my Linux servers had crashed anyway, I decided to try out the Samba toolset while integrating this new Linux server into my existing Active Directory infrastructure. Here’s what I found and the process that I used to successfully integrate the new Linux server into AD with the Samba tools.
First, the Kerberos client had to be configured properly. I’ll refer you back to any one of the various Linux-AD integration articles I’ve written for more information on how to setup the
/etc/krb5.conffile. You should be able to do a successful
kinit [email protected]when
/etc/krb5.confis configured correctly.
Next, Samba must be properly configured. I used the following settings in
workgroup = <NetBIOS name of AD domain> security = ads realm = <DNS name of AD domain> use kerberos keytab = true password server = <Space-delimited list of AD DCs>
For full Linux-AD integration, you must configure the nss_ldap client. Again, I’ll refer you to any one of the various AD integration articles I’ve written for more details on a suggested nss_ldap configuration. When nss_ldap is correctly configured, you should be able to do a
getent password <username>and get back a list of properties (including UID, home directory, login shell, etc.) for that username.
kdestroyto kill any Kerberos credentials you may have established during testing, and then run
kinit <administrative account>@AD.DOMAIN.NAMEto get a Kerberos ticket for an administrative user in the AD domain.
If the DNS domain of your Linux server will be different than the DNS domain of the AD domain (for example, perhaps your Linux server will be web1.linux.corp.com whereas Active Directory uses ad.corp.com), then create a computer account in Active Directory. If the Linux server’s DNS domain will be the same as the DNS domain for AD, then we can have Samba create it for us. (I ran into problems here since the Linux server does use a different DNS domain than Active Directory, and pre-creating the computer account was the only way to make it work.)
net ads jointo join the Linux server to Active Directory. As part of this process, it will add various SPNs to the computer account in Active Directory automatically and create the appropriate entries in the local Kerberos keytab (
/etc/krb5.keytab, by default). No more
At this point, you can configure PAM appropriately (again, refer to one of the previous integration articles for full details on PAM configuration) and login to the Linux server with an Active Directory account.
I used this process to integrate a new CentOS 4.4 server into Active Directory without any problems whatsoever. I used the Kerberos, LDAP, nsswitch.conf, and PAM configurations from this Linux-AD integration article within the framework of the steps listed above and ran into only one problem (that was the issue with the differing DNS domains). Otherwise, it worked just fine.
Thanks to those readers who suggested the use of Samba!Tags: ActiveDirectory · CentOS · Interoperability · Kerberos · LDAP · Linux · Samba Previous Post: Changing the IP Address in Solaris 10 U3 Next Post: VMware Fusion Public Beta