
Integrating samba 3 into a windows2003 Domain

Date: 2006-04-09  Source: wxb517xz

 

Date: 2005-6-17

Summary
This how-to walks you through integrating your Samba file servers into a Windows 2003 domain.

Background

Organizations are ready to upgrade their Windows 2000 farms to Microsoft's most talked-about OS. This is a real achievement for Microsoft, and one that will benefit existing Windows infrastructures.

With that said, on the other side of the tracks the penguin is making headlines as well. Some organizations have already taken the leap and started bringing in Linux slowly; bolder ones are willing to replace their existing Windows infrastructure with Linux entirely.

Can we integrate Linux, from a file-sharing perspective, into Windows 2003 domains? Up to now Samba, the SMB file-sharing service for Linux and Unix variants, has been revolutionary at doing exactly that within Windows NT and Windows 2000 domains. But Microsoft has no interest in seeing its open-source rival integrate that tightly with its products, so the question is whether the behaviour of the SMB (Server Message Block) protocol changed in Windows 2003. From a security standpoint it has, in relation to Active Directory: Windows 2003 domain controllers sign SMB traffic by default, which is discussed at the end of this guide.

The guide that follows shows how to integrate Samba servers running Linux into your newly stocked Windows 2003 domains with Active Directory, using Samba 3.0.14a (the current release at the time of writing), Kerberos for authentication against Active Directory, and Winbind for making Windows users available to the Samba server.

Environment:

Windows 2003 Primary Domain Controller - IP Address: 192.168.80.10- HOSTNAME: ZQDC2

Red Hat Linux 9 - IP Address: 192.168.80.8- HOSTNAME: SAM01

Tools needed:

[root@sam01 root]# rpm -qa | grep openldap

openldap-devel-2.0.27-8

openldap-2.0.27-8

openldap-clients-2.0.27-8

 

 [root@sam01 root]# rpm -qa | grep pam

pam-devel-0.75-48

pam_krb5-2.1.2-1

pam_smb-1.1.6-7

pam-0.75-48

The default installation also includes the samba package, which must be upgraded to 3.0.0 or later.

It also includes the krb5 package, which must be upgraded to 1.3.1 or later.


Downloading the Samba distribution and installing Samba from source:

$ tar xvfz samba-latest.tar.gz
$ cd samba-3.0.14a/source
$ ./configure --with-smbwrapper --with-smbmount --with-msdfs --with-syslog \
              --with-winbind --with-pam --with-krb5 --with-ads --with-ldap \
              2>&1 | tee config.my.log

    --with-smbwrapper   allows programs running on the Unix host to access SMB shared folders
    --with-smbmount     allows SMB shared folders to be mounted
    --with-msdfs        support for the Microsoft Distributed File System (DFS)
    --with-syslog       log through syslog
    --with-winbind      build winbindd, needed to join the domain and map its users
    --with-pam          PAM authentication support
    --with-krb5         Kerberos authentication support
    --with-ads          Active Directory membership (security = ADS), needed to join a Windows 200x DC
    --with-ldap         LDAP support

Check config.my.log to confirm that Kerberos and Active Directory support were actually found before building; ADS membership needs the krb5 and OpenLDAP development headers listed under "Tools needed".

$ make 2>&1 | tee make.log
$ make install 2>&1 | tee make-install.log          # installs under /usr/local/samba by default

 

Upgrading an existing installation:

1) RPM package:
                     rpm -e samba
                     rpm -e samba-client
                     rpm -e samba-common
                     rpm -Uvh samba-latest.i386.rpm

        or rebuild from the source RPM:
                     rpmbuild --rebuild samba-latest.src.rpm
                     cd /usr/src/redhat/RPMS/i386
                     rpm -Uvh samba-latest.rpm

2) tar package:
                     autoconf
                     make clean
                     rm config.cache
                     rm -rf /usr/local/samba
                     then rebuild and reinstall as above.

   Back up /usr/local/samba/lib/smb.conf and /usr/local/samba/private/secrets.tdb first: rm -rf removes them, and secrets.tdb holds the machine account password for a domain that has already been joined.

Configure Samba for the GUI (SWAT):

1) Enabling SWAT:

              cat /etc/services
              swat            901/tcp           # add this line to the end of the file if it is missing

   SWAT is run from inetd/xinetd, not as a daemon; an /etc/xinetd.d/swat entry pointing at /usr/local/samba/bin/swat is needed on Red Hat. Keep it limited to 127.0.0.1 (only_from = 127.0.0.1): SWAT sends the root password over plain HTTP.

2) Use your web browser to connect to http://localhost:901

 

Starting the Samba Daemons:

1) Starting the daemons manually (the source install puts them in sbin, not bin):

              # /usr/local/samba/sbin/smbd -D

              # /usr/local/samba/sbin/nmbd -D

              # /usr/local/samba/sbin/winbindd -D

2) Init script (save it as /etc/rc.d/init.d/smb and make it executable):

#!/bin/sh
# Init script for Samba (smbd, nmbd, winbindd) installed under /usr/local/samba
# Source function library.
. /etc/init.d/functions

RETVAL=0
prog="Samba"

start() {
    echo -n $"Starting $prog: "
    daemon /usr/local/samba/sbin/smbd -D
    daemon /usr/local/samba/sbin/nmbd -D
    daemon /usr/local/samba/sbin/winbindd
    RETVAL=$?
    echo
    # the subsys lock is what stop() removes and what rc uses at shutdown;
    # the original touched /usr/local/samba/var/locks here, which nothing ever read
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/samba
    return $RETVAL
}

stop() {
    echo -n $"Shutting down $prog: "
    killproc smbd
    killproc nmbd
    killproc winbindd
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/samba
    return $RETVAL
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart|reload)
        stop
        start
        RETVAL=$?
        ;;
  status)
        status smbd
        status nmbd
        status winbindd
        RETVAL=$?
        ;;
  who)
        /usr/local/samba/bin/smbstatus
        ;;
  config)
        vi /usr/local/samba/lib/smb.conf
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|status|who|config}"
        exit 1
esac

exit $RETVAL

With this script you can start and stop Samba:

       /etc/rc.d/init.d/smb start

       /etc/rc.d/init.d/smb stop

 

Testing the Samba Daemons:

/usr/local/samba/bin/smbclient -U% -L localhost

/usr/local/samba/bin/testparm /usr/local/samba/lib/smb.conf   # check the Samba configuration file

Connect from a Remote SMB Client:

C:\> net use d: \\servername\service

A Basic Samba Configuration File (/usr/local/samba/lib/smb.conf):

# Global parameters
# smb.conf has no inline comments: a '#' written after a value becomes part of
# the value, so every comment below sits on its own line.
[global]
        # NetBIOS domain name and Kerberos realm of the AD domain
        workgroup = I-ZQ-LOCAL
        realm = I-ZQ.COM
        server string = Wiki_FStore Server
        # domain (Active Directory) authentication
        security = ADS
        # Disables the Netlogon secure channel to the DC. The guide needed this
        # to get 3.0.14a working against Windows 2003; it weakens the trust-account
        # traffic, so remove the line (default Auto) unless you have confirmed
        # you need it.
        client schannel = No
        obey pam restrictions = Yes
        pam password change = Yes
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        unix password sync = Yes
        log file = /usr/local/samba/var/sam.log
        # in kilobytes
        max log size = 30000000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        domain master = No
        dns proxy = No
        # UID/GID range that winbind hands out to domain users and groups
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home/winnt/%D/%U
        template shell = /bin/bash
        winbind separator = +
        # only the local network may connect at all
        hosts allow = 192.168.

[homes]
        comment = Home Directories
        # %S is the share name, i.e. the connecting user's own name, so each
        # user reaches only his or her own home. The original file set
        # valid users a second time to @"I-ZQ-LOCAL+domain users"; since the
        # later occurrence of a parameter wins, that replaced this line and
        # would have let any domain user connect to any home share (subject
        # only to Unix permissions).
        valid users = %S
        read only = No
        create mask = 0664
        directory mask = 0775
        browseable = No
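Two of the mistakes noted in the comments above, a '#' that smbd reads as part of a value and a parameter set twice in one section (the last one wins), are silent at runtime. The linter below parses smb.conf with the same rules smbd uses and reports them, plus `client schannel = No` and a missing `hosts allow`. It is an added example written for this page, not code from the original how-to or from Samba; the embedded sample config is constructed to reproduce the original file's mistakes.

```python
"""Lint a Samba 3 smb.conf the way smbd reads it.

Added example for this page, not code from the how-to or from Samba. The
sample below is a constructed copy of the guide's [global]/[homes] sections
with its inline comments and duplicated 'valid users' left in deliberately.
"""
import re
import sys

SAMPLE_SMB_CONF = """\
[global]
        workgroup = I-ZQ-LOCAL                # domain
        realm = I-ZQ.COM
        security = ADS
        client schannel = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
        hosts allow = 192.168.
[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        valid users = @"I-ZQ-LOCAL+domain users"          # domain users
        browseable = No
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text):
    """Return [(section, key, value, lineno)] in file order.

    smbd treats a line as a comment only when its first non-blank character
    is '#' or ';'; a '#' later on the line is part of the value.  Parameter
    names are case-insensitive and their internal whitespace is ignored.
    """
    entries = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if "=" not in line:
            continue                      # smbd only warns about such a line
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        entries.append((section, key, value.strip(), lineno))
    return entries


def effective_params(text):
    """{section: {key: value}} as smbd sees it: a repeated key keeps the last value."""
    params = {}
    for section, key, value, _ in parse_smb_conf(text):
        params.setdefault(section, {})[key] = value
    return params


def lint(text):
    """Return [(lineno, message)] for pitfalls worth catching before running testparm."""
    findings = []
    first_seen = {}
    last_seen = {}
    for section, key, value, lineno in parse_smb_conf(text):
        if "#" in value:
            findings.append((lineno, "'#' does not start a comment here; %s is set to %r"
                             % (key, value)))
        if (section, key) in first_seen:
            findings.append((lineno, "%s already set in [%s] on line %d; this later value "
                             "wins" % (key, section, first_seen[(section, key)])))
        else:
            first_seen[(section, key)] = lineno
        last_seen[(section, key)] = lineno
    g = effective_params(text).get("global", {})
    if g.get("client schannel", "auto").lower() in ("no", "false", "0"):
        findings.append((last_seen[("global", "client schannel")],
                         "client schannel = No weakens the Netlogon channel to the DC; "
                         "drop it (default Auto) unless it is really needed"))
    if "hosts allow" not in g:
        findings.append((0, "no hosts allow in [global]: connections are accepted "
                         "from any address"))
    return findings


if __name__ == "__main__":
    # Usage: python lint_smb_conf.py [/usr/local/samba/lib/smb.conf]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for lineno, msg in lint(text):
        print("line %d: %s" % (lineno, msg))
```

Run it against the sample and it reports line 2 (workgroup now contains "# domain"), line 14 twice (the inline comment and the duplicate that overrides `valid users = %S`) and line 5 (`client schannel = No`); run it with the real file path before testparm, which does not flag any of these.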

Configure Samba authentication:

1) Install the winbind NSS library:

cp ../samba/source/nsswitch/libnss_winbind.so /lib           # winbind NSS library

ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

/sbin/ldconfig -v | grep winbind                                  # make sure the system can find the library

2) Build and install the winbind PAM module:

       make nsswitch/pam_winbind.so

       cp ../samba/source/nsswitch/pam_winbind.so /lib/security    # PAM module

3) Configure /etc/nsswitch.conf:

       vi /etc/nsswitch.conf

              passwd:     files winbind

              shadow:     files winbind

              group:      files winbind

      

4) Configure the files in /etc/pam.d:

       cat /etc/pam.d/sshd

#%PAM-1.0

auth       sufficient     /lib/security/pam_winbind.so 

auth       required      /lib/security/pam_stack.so service=system-auth

auth       required      /lib/security/pam_nologin.so

account    sufficient     /lib/security/pam_winbind.so

account    required      /lib/security/pam_stack.so service=system-auth

password   required      /lib/security/pam_stack.so service=system-auth

session    required       /lib/security/pam_stack.so service=system-auth

session    required       /lib/security/pam_limits.so

session    required       /lib/security/pam_mkhomedir.so   

session    optional       /lib/security/pam_console.so         

       cat /etc/pam.d/samba

#%PAM-1.0

auth       required     pam_stack.so service=system-auth

account    required     pam_stack.so service=system-auth   

cat /etc/pam.d/system-auth

#%PAM-1.0

auth        required     /lib/security/$ISA/pam_env.so

auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok

auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass

auth        required     /lib/security/$ISA/pam_deny.so

account     required     /lib/security/$ISA/pam_unix.so

account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass

password    required     /lib/security/$ISA/pam_cracklib.so retry=3 type=

# Note: The above line is complete. There is nothing following the '='

password    sufficient    /lib/security/$ISA/pam_unix.so \

                                             nullok use_authtok md5 shadow

password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass

password    required     /lib/security/$ISA/pam_deny.so

 

Notes: The pam_winbind lines are the additions, together with pam_mkhomedir in the sshd file (it creates the directory named by template homedir on a domain user's first login); on Red Hat the rest of these files should already look like this. One thing to check in the sshd stack as shown: the sufficient pam_winbind line comes before pam_nologin, so a domain user passes PAM authentication even while /etc/nologin exists. Move pam_nologin above it if you rely on /etc/nologin.
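The ordering point above is easiest to see by running the stacks. The simulation below implements Linux-PAM's control-flag rules (required, requisite, sufficient, optional) and walks the sshd and system-auth auth stacks shown above, with pam_stack treated as running the system-auth stack and reporting its result as one module result, which is what Red Hat 9's pam_stack.so does. It is an added example for this page, not code from the how-to or from Linux-PAM; module outcomes are constructed per scenario rather than obtained from real modules, and SSHD_AUTH_FIXED is my suggested ordering, not the page's.

```python
"""Simulate how Linux-PAM walks the auth stacks from /etc/pam.d/sshd and system-auth.

Added example for this page (not Linux-PAM code). SYSTEM_AUTH and SSHD_AUTH are
transcribed from the files shown on the page; SSHD_AUTH_FIXED is a suggested
reordering. Module outcomes are constructed for each scenario.
"""

# (control flag, module); a nested list stands for pam_stack.so running that stack
SYSTEM_AUTH = [
    ("required",   "pam_env"),
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_winbind"),
    ("required",   "pam_deny"),
]

SSHD_AUTH = [
    ("sufficient", "pam_winbind"),
    ("required",   SYSTEM_AUTH),        # pam_stack.so service=system-auth
    ("required",   "pam_nologin"),
]

# Suggested ordering: /etc/nologin is decided before any module can succeed
# sufficiently, so it applies to domain users too.
SSHD_AUTH_FIXED = [
    ("requisite",  "pam_nologin"),
    ("sufficient", "pam_winbind"),
    ("required",   SYSTEM_AUTH),
]


def run_stack(stack, outcome):
    """Linux-PAM control-flag semantics; outcome maps module name -> True/False.

    required:   a failure is remembered, the stack continues, the final result fails
    requisite:  a failure returns immediately
    sufficient: success returns immediately unless a required module already failed;
                a failure is ignored
    optional:   ignored unless it is the only module in the stack
    """
    failed = False
    for control, module in stack:
        ok = run_stack(module, outcome) if isinstance(module, list) else outcome[module]
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not failed:
                return True
        elif control == "optional":
            if len(stack) == 1:
                return ok
        else:
            raise ValueError("unknown control flag %r" % control)
    return not failed


def ssh_auth(local_ok, domain_ok, nologin=False, stack=SSHD_AUTH):
    """Does the ssh 'auth' phase pass?  local_ok: pam_unix accepted the password;
    domain_ok: pam_winbind (i.e. the DC) accepted it; nologin: /etc/nologin exists."""
    outcome = {
        "pam_env": True,            # only sets environment variables
        "pam_deny": False,          # always fails: the catch-all at the end of system-auth
        "pam_nologin": not nologin,
        "pam_unix": local_ok,
        "pam_winbind": domain_ok,
    }
    return run_stack(stack, outcome)


if __name__ == "__main__":
    print("domain user, good password:", ssh_auth(False, True))
    print("local user, good password: ", ssh_auth(True, False))
    print("bad password everywhere:   ", ssh_auth(False, False))
    print("domain user, /etc/nologin: ", ssh_auth(False, True, nologin=True),
          "(fixed order:", ssh_auth(False, True, nologin=True, stack=SSHD_AUTH_FIXED), ")")
```

Three things fall out of it: a domain user is accepted by the sufficient pam_winbind line before pam_stack or pam_nologin ever run; a local user falls through to pam_unix inside system-auth; and the required pam_deny at the end of system-auth is what turns "no module vouched for this user" into a failure. Running SYSTEM_AUTH without its pam_deny line returns success for a user that both pam_unix and pam_winbind rejected, because pam_env is the only required module left and it always succeeds.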

 

5) Configure /etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = I-ZQ.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 I-ZQ.COM = {
  kdc = zqdc2.i-zq.com
  admin_server = zqdc2.i-zq.com
  default_domain = I-ZQ.COM
 }

[domain_realm]
 .i-zq.com = I-ZQ.COM
 i-zq.com = I-ZQ.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  krb4_convert = false
 }

Notes: The realm is the AD domain's DNS name in upper case (I-ZQ.COM) and is case-sensitive; the NetBIOS name I-ZQ-LOCAL is not a realm. The original file mapped only .zqdc2.i-zq.com in [domain_realm], which matches hosts below the DC's name but not the DC itself; the two entries above cover the whole i-zq.com domain and its apex (the krb4_convert line was a fragment of the [appdefaults] pam block and is restored there). To obtain the domain name from the domain controller, right-click My Computer, choose Properties and open the Computer Name tab: the full DNS name of the domain is listed below the full computer name. Replace zqdc2.i-zq.com in the kdc and admin_server lines with your own domain controller's name or IP address (192.168.80.10 in this environment).
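The [domain_realm] and [realms] rules behind the notes above, as an added example for this page (not MIT Kerberos code): the dictionaries are transcribed from the krb5.conf shown, ORIGINAL_DOMAIN_REALM keeps the guide's original .zqdc2.i-zq.com entry for comparison, and the DNS TXT fallback that dns_lookup_realm = true enables is deliberately not modelled.

```python
"""How the Kerberos library maps a host to a realm and a principal to its KDCs.

Added example for this page, not MIT krb5 code. Tables are transcribed from the
krb5.conf above; ORIGINAL_DOMAIN_REALM is the guide's original mapping.
"""

DEFAULT_REALM = "I-ZQ.COM"
REALMS = {"I-ZQ.COM": ["zqdc2.i-zq.com"]}                      # [realms] kdc = ...
DOMAIN_REALM = {".i-zq.com": "I-ZQ.COM", "i-zq.com": "I-ZQ.COM"}
ORIGINAL_DOMAIN_REALM = {".zqdc2.i-zq.com": "I-ZQ.COM"}         # as in the original file


def realm_for_host(host, domain_realm, default_realm=None):
    """[domain_realm] lookup: the exact host name first, then each parent
    domain written with a leading dot (most specific first). An entry without
    a leading dot matches only that exact name; if nothing matches the library
    falls back to default_realm (DNS TXT lookup, if enabled, is not modelled)."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return default_realm


def kdcs_for_principal(principal, realms, default_realm):
    """KDCs kinit would contact for 'user' or 'user@REALM'; an unknown realm has none,
    which is why kinit administrator@I-ZQ-LOCAL cannot find a KDC."""
    realm = principal.split("@", 1)[1] if "@" in principal else default_realm
    return realms.get(realm, [])


if __name__ == "__main__":
    for name in ("zqdc2.i-zq.com", "sam01.i-zq.com", "i-zq.com"):
        print(name, "->", realm_for_host(name, DOMAIN_REALM),
              "(original mapping:", realm_for_host(name, ORIGINAL_DOMAIN_REALM), ")")
    for p in ("administrator@I-ZQ.COM", "administrator@I-ZQ-LOCAL", "administrator"):
        print(p, "->", kdcs_for_principal(p, REALMS, DEFAULT_REALM))
```

With the original mapping the DC and the Samba server only reach the realm through the default_realm fallback (or DNS); with the two conventional entries every host in i-zq.com, including the apex, maps explicitly. A principal written with the NetBIOS name as its realm never resolves to a KDC.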

 

6) Configure NTP:

Kerberos rejects tickets when the clocks differ by more than the permitted skew (5 minutes by default), so the Samba server and the domain controller must agree on the time. The guide installs the NTP port (ntp4171) on the Windows 2003 PDC, starts ntpd, and uses ntpdate so that both machines take their time from the same source. On the Samba server, sync against the DC:

ntpdate 192.168.80.10

(The original listed 192.168.80.8, which is the Samba server's own address.) Better still, point both machines at the same upstream NTP server.

 

7) Test Kerberos against the domain controller (the KDC):

kinit administrator@I-ZQ.COM                  # the Kerberos realm, not the NetBIOS name I-ZQ-LOCAL

klist                                         # shows the ticket-granting ticket just obtained

/usr/local/samba/bin/smbclient //ZQDC2/c$ -k  # -k: authenticate with the Kerberos ticket

Note: Make sure the times on your domain controller and your Samba server are in sync, otherwise you will receive a message like "kinit(v5): Clock skew too great while getting initial credentials", and nothing further will work.

smbclient should not prompt for a password: with -k it presents the TGT obtained by kinit, so we are already logged in to the domain as administrator. If it does prompt, the Kerberos side is not working and the join in the next step will not use Kerberos either.


8) Join the Windows domain:

 /usr/local/samba/bin/net ads join -U Administrator

 /usr/local/samba/bin/net ads testjoin               # verifies the machine account that was just created

With security = ADS use net ads join, which creates the machine account through Kerberos and LDAP; net rpc join -S ZQDC2 -U Administrator is the NT4-style RPC alternative and also works against a Windows 2003 DC.

Note: You will then see a success message saying that the Samba host has joined your Windows 2003 domain (in the test scenario for this guide: Joined 'sam01' to domain I-ZQ-LOCAL). The join stores the machine account password in /usr/local/samba/private/secrets.tdb; keep that file readable by root only, since whoever can read it holds this server's domain credentials.

 

9) Test the domain users and groups:

wbinfo -u                        # list domain users

wbinfo -g                        # list domain groups

wbinfo -t                        # "checking the trust secret via RPC calls succeeded"

getent passwd "I-ZQ-LOCAL+administrator"   # confirms the NSS path (nsswitch.conf + libnss_winbind) works, not just winbindd

wbinfo -D I-ZQ-LOCAL             # show information about the domain

Name              : I-ZQ-LOCAL

Alt_Name          : I-ZQ.COM

SID               : S-1-5-21-2007172020-1639523183-3157189061

Active Directory     : Yes

Native             : No

Primary            : Yes

Sequence           : 17603

 

Sys Note: A bug was noticed in the winbindd built from this 3.0.14a release (other bugs are to be expected in a release at this stage). The winbindd daemon seems to need to be "woken up", so to speak: Windows first kicks back the login screen again. Enter a Windows user and that user's password (for example I-ZQ-LOCAL+USER) and click OK; you will then be able to browse the Samba share.

There you have it: you have just integrated your Samba server into your Windows 2003 domain. You can access any machine in the domain and its shares from the Samba server, and any Windows box in the domain can access the Samba shares. The beauty here is that Windows users log in to Samba shares with their own credentials. This is the work of winbindd: it maps domain users and groups to UIDs and GIDs in the 10000-20000 range on the Samba server as those credentials are used.

The only security feature we disabled on the domain controller is the SMB signing that Windows 2003 enables by default for communication within an Active Directory domain; on Windows 2000 and Windows NT domains this signing of packets was not enabled by default. Keep in mind that turning signing off on the DC removes tampering and relay protection for every client that talks to that DC, not only this Samba server; Samba 3.0 itself can sign (the client signing and server signing parameters in smb.conf), so test with signing left on before weakening the DC. Once Samba nears beta of 3

 

 

 

 

 

 

 

 

 
