Suggestions to use Samba in Linux-AD integration scenarios appeared in the comments for the following articles:
Linux, Active Directory, and Windows Server 2003 R2 Revisited
Kerberos-Based SSO with Apache
The idea was that Samba could be used to help automate the process of creating the appropriate service principals in Active Directory. Previously, I had recommended the use of ktpass.exe and separate user accounts for each service principal (i.e., HOST/ or host/, HTTP/, etc.) because of the limitations of ktpass.exe and adding service principals in Active Directory. However, a number of readers pointed out that Samba’s “net ads join†and “net ads keytab†commands could help automate and streamline this process.
Since one of my Linux servers had crashed anyway, I decided to try out the Samba toolset while integrating this new Linux server into my existing Active Directory infrastructure. Here’s what I found and the process that I used to successfully integrate the new Linux server into AD with the Samba tools.
- First, the Kerberos client had to be configured properly. I’ll refer you back to any one of the various Linux-AD integration articles I’ve written for more information on how to setup the /etc/krb5.conf file. You should be able to do a successful “kinit username@AD.DOMAIN.NAME†when /etc/krb5.conf is configured correctly.
- Next, Samba must be properly configured. I used the following settings in /etc/samba/smb.conf:
workgroup = <NetBIOS name of AD domain> security = ads realm = <DNS name of AD domain> use kerberos keytab = true password server = <Space-delimited list of AD DCs>
- For full Linux-AD integration, you must configure the nss_ldap client. Again, I’ll refer you to any one of the various AD integration articles I’ve written for more details on a suggested nss_ldap configuration. When nss_ldap is correctly configured, you should be able to do a “getent password <username>†and get back a list of properties (including UID, home directory, login shell, etc.) for that username.
- Use “kdestroy†to kill any Kerberos credentials you may have established during testing, and then run “kinit <administrative account>@AD.DOMAIN.NAME†to get a Kerberos ticket for an administrative user in the AD domain.
- If the DNS domain of your Linux server will be different than the DNS domain of the AD domain (for example, perhaps your Linux server will be web1.linux.corp.com whereas Active Directory uses ad.corp.com), then create a computer account in Active Directory. If the Linux server’s DNS domain will be the same as the DNS domain for AD, then we can have Samba create it for us. (I ran into problems here since the Linux server does use a different DNS domain than Active Directory, and pre-creating the computer account was the only way to make it work.)
- Run “net ads join†to join the Linux server to Active Directory. As part of this process, it will add various SPNs to the computer account in Active Directory automatically and create the appropriate entries in the local Kerberos keytab (/etc/krb5.keytab, by default). No more ktpass.exe!
At this point, you can configure PAM appropriately (again, refer to one of the previous integration articles for full details on PAM configuration) and login to the Linux server with an Active Directory account.
I used this process to integrate a new CentOS 4.4 server into Active Directory without any problems whatsoever. I used the Kerberos, LDAP, nsswitch.conf, and PAM configurations from this Linux-AD integration article within the framework of the steps listed above and ran into only one problem (that was the issue with the differing DNS domains). Otherwise, it worked just fine.
Thanks to those readers who suggested the use of Samba!
Tags: ActiveDirectory, CentOS, Interoperability, Kerberos, LDAP, Linux, Samba
-
Hi, need help.
I got getent password to work ok ,but steel have problem with samba:
from /var/log/messages:smbd[XXXX]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
smb.conf configured as above.
any idea why? -
Alex,
“getent passwd” tells us if the LDAP configuration is working (which it is, apparently), but you also need to configure Kerberos. I didn’t put Kerberos configuration details in this article because I’ve covered it several times in other articles; refer to this article for more information:
http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/
That should give you the information you need to configure Kerberos properly. Once Kerberos is properly configured, you should be able to use “kinit username” (assuming the default Kerberos realm) and successfully authenticate. “klist” will then show a Kerberos ticket.
Hope this helps,
Scott -
I think that you can skipp step 5 if in step 6 you use ‘net ads join -I IP.ADDR.OF.CG.DC.FOR.ad.corp.com -S DNS.NAME.OF.CG.DC.FOR.ad.corp.com -U Administrator’
-
Help !!
I’m have OpenSuse 10.3 and im trying to join it to a Win2k ADS. When i try to net join -S IP.ADDR -U administrator%password i get: utils/net_rpc_join.c:net_rpc_join_newstyle(350)
Error in domain join verification (credential setup failed): NT_STATUS_INVALID_COMPUTER_NAME Unable to join domain COMBI. The strange thing is I get computerobject in the ADS. I have the same configuration as your previous articles. Kerberos is working fine.any ideas??
-
Hi Arthur,
More important that the disto version you’re running is the Samba version, you can find this using for ex. net -V
You should first check that you can reach the domain CG.DC.FOR.ad.corp.com by using for ex. ping IP.ADDR.OF.CG.DC.FOR.ad.corp.com, if you will use -I, or that you can resolve and reach the host DNS.NAME.OF.CG.DC.FOR.ad.corp.com, if you will use -S, for ex. host/nslookup/dig DNS.NAME.OF.CG.DC.FOR.ad.corp.com and ping DNS.NAME.OF.CG.DC.FOR.ad.corp.com
you can find the list of SRV’s using AD DNS and query for SRV records of type _ldap._tcp.gc._msdcs.
Also if something is not working, restart by first deleting from AD the incomplete entry for the Samba machine and don’t use -S with IP, use -S name or use -I IP, or use -I IP and -S name in the net cmd
-
What’s up guys… I’ve got a quick question (hopefully). I’ve got samba up and running and joined the ad domain and all that business.
The issue i’m having is when I log on to my shared drive ‘MyShare’ it works fine but i see it creates a directory for me called drew (ad domain name)… i’ve tried to log in but can’t. But I can log into the regular samba share..any ideas?
-
Win2k3 and Win2k3 R2 do not appear to support the service principal credentials as you would expect.
A samba net ads join will create a keytab, will populate it with SPNs, will create an AD computer account, and will populate the serviceprincipalnames field for it — however, I have not found a mechanism by which they are directly usable.
IE: kinit -kt /etc/krb5.keytab host/hostname.myfqdn should work, but with SPNs it fails.
What apparently needs to be done, and what ktpass does, is to map the userprincipalname under the account, but unfortunately AD only supports one userprincipalname per user account.
You can create a valid keytab entru by doing net ads join and using the createupn field accordingly, it would seem.
Site Sponsors
8 comments
Comments feed for this article
Trackback link: http://blog.scottlowe.org/2006/12/19/using-samba-in-linux-ad-integration/trackback/