- Understanding Active Directory Domain Services (AD DS)
- Understanding how Samba communicates with AD DS
- Configuring Samba to work with AD DS
- Interacting with AD DS
- Domain Name System (DNS) for name resolution
- Kerberos version 5 for user authentication
- Lightweight Directory Access Protocol (LDAP) version 3 for directory services
Table 1. Microsoft RFC support for LDAP

RFC | Description | Supported since
---|---|---
2251 | LDAP v3 | Windows 2000
2252 | Attribute Syntax Definitions | Windows 2000
2253 | UTF-8 String Representation of Distinguished Names | Windows 2000
2254 | LDAP Search Filters Using Strings | Windows 2000
2255 | The LDAP URL Format | Windows 2000
2256 | The X.500 User Schema for use with LDAPv3 | Windows 2000
2829 | Authentication Methods for LDAP | Windows 2000
2830 | Extension for Transport Layer Security | Windows 2000
2589 | Extensions for Dynamic Directory Services | Windows Server 2003
2798 | Defines the inetOrgPerson LDAP Object Class | Windows Server 2003
2831 | Using Digest Authentication as an SASL Mechanism | Windows Server 2003
2891 | LDAP Control Extension for Server Side Sorting of Search Results | Windows Server 2003
- Locate AD DS domain controllers
- Express the organizational structure in the names of its domains in a hierarchical manner
- Provide a name-resolution service for domain controller location and AD DS domains
DNS | AD DS
---|---
Maps domain names to resource records | Stores DNS names as objects (dnsZone)
Maps computer names to resource records | Stores computer names as object records
Samba must be built with support for the krb5 and ldap libraries. Primarily, this involves a change to the include/config.h header file before running the make command:

```
#define HAVE_KRB5 1
```

You can run smbd with the -b option to discover what your installation of Samba supports (see Listing 1).

Listing 1. Displaying a partial listing of Kerberos 5 support in Samba

```
[tbost@samba3 ~]$ smbd -b | grep KRB
```

The output shows support for the krb5 and ldap libraries, respectively, on a Fedora distribution. Your output may differ depending on the distribution. Nonetheless, verify that your command output displays HAVE_KRB5_H and HAVE_LDAP_H at a minimum.

Kerberos and NTP
Add the realm to the [realms] section of the krb5.conf file along with the fully qualified domain name of the Windows domain controller that performs authentication for AD DS (see Listing 2).

Listing 2. Configuring the krb5.conf file

```
[realms]
```

The kdc directive specifies the AD DS controller with host name wins3.lpic302.local. In addition, the admin_server is specified as the domain controller. The default_domain parameter is useful if you want Kerberos to assume this domain name when none is expressed by the user.

Configure PAM to use the pam_winbind module, as shown in Listing 3. The passwd line belongs in /etc/nsswitch.conf, so that name lookups consult Winbind after the local files.

Listing 3. Configuring PAM to use pam_winbind

```
auth sufficient pam_winbind.so
passwd: files winbind
```
The two key parameters in smb.conf are realm and security, as shown in Listing 4.

Listing 4. Configuring the smb.conf file

```
[global]
```

Listing 4 sets realm to the domain name, lpic302.local. The security parameter is set to ADS, which indicates that Samba will operate in AD DS security mode. You can set the line winbind use default domain = yes to eliminate the need to qualify user names and other resources with the domain name when accessing resources. For example, instead of authenticating with LPIC302.LOCAL/tbost, Winbind assumes the domain LPIC302.LOCAL when the user name tbost is specified.
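The build check in Listing 1, the krb5.conf realm in Listing 2, the PAM and NSS lines in Listing 3 and the smb.conf parameters in Listing 4 all have to agree before a domain join can succeed, and a mismatch between them is a common cause of failed joins and of domain users silently failing to resolve. The script below is an added example, not part of the original article or of Samba itself: it runs those consistency checks offline against constructed sample files that reuse the article's lpic302.local names. The file layout, the function names, the sample smbd -b output and the second, deliberately broken smb.conf are all assumptions made for the example.

```shell
#!/bin/sh
# Offline pre-join checks for a Samba AD DS member server (added example, not from the article).
# The configuration files below are constructed samples written to a temp directory; on a real
# host point the functions at the saved output of "smbd -b", /etc/samba/smb.conf,
# /etc/krb5.conf, /etc/nsswitch.conf and the PAM service file instead.

# ini_value FILE SECTION KEY: print KEY's value from [SECTION] (case-insensitive, first match).
ini_value() {
  awk -v sect="$2" -v key="$3" '
    /^[[:space:]]*[#;]/ { next }
    /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
                        insect = (tolower(s) == tolower(sect)); next }
    insect && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (tolower(k) == tolower(key)) { print v; exit }
    }' "$1"
}

# krb5_kdc_for_realm KRB5CONF REALM: print the kdc inside "REALM = { ... }" under [realms].
# Realm names are case-sensitive in krb5.conf, so this is an exact comparison on purpose.
krb5_kdc_for_realm() {
  awk -v realm="$2" '
    /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[realms\]/); inrealm = 0; next }
    insect && index($0, "{") { k = $0; sub(/[[:space:]]*=.*$/, "", k)
                               sub(/^[[:space:]]+/, "", k); inrealm = (k == realm); next }
    inrealm && index($0, "}") { inrealm = 0 }
    inrealm && /^[[:space:]]*kdc[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
  ' "$1"
}

# smbd -b lists build-time defines; both HAVE_KRB5_H and HAVE_LDAP_H must be present.
check_build_support() { grep -q 'HAVE_KRB5_H' "$1" && grep -q 'HAVE_LDAP_H' "$1"; }

# Only "security = ads" makes Samba authenticate against the AD DS domain with Kerberos.
check_security_ads() {
  [ "$(ini_value "$1" global security | tr '[:upper:]' '[:lower:]')" = "ads" ]
}

# The smb.conf realm must equal krb5.conf's default_realm and have a KDC configured for it.
check_realm_consistency() {
  realm=$(ini_value "$1" global realm)
  [ -n "$realm" ] || return 1
  [ "$realm" = "$(ini_value "$2" libdefaults default_realm)" ] || return 1
  [ -n "$(krb5_kdc_for_realm "$2" "$realm")" ]
}

# NSS must consult winbind, or domain users never resolve to a uid/gid on the member server.
check_nss_winbind() { grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind' "$1"; }

# PAM needs an auth line for pam_winbind.so for domain logons to succeed.
check_pam_winbind() { grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so' "$1"; }

# report NAME CMD...: print PASS/FAIL for one check and pass its status through.
report() { name=$1; shift; if "$@"; then echo "PASS  $name"; else echo "FAIL  $name"; return 1; fi; }

# preflight SMBCONF KRB5CONF BUILD NSS PAM: run every check; exit status = number of failures.
preflight() {
  n=0
  report build-support  check_build_support "$3"          || n=$((n + 1))
  report security-ads   check_security_ads "$1"           || n=$((n + 1))
  report realm          check_realm_consistency "$1" "$2" || n=$((n + 1))
  report nss-winbind    check_nss_winbind "$4"            || n=$((n + 1))
  report pam-winbind    check_pam_winbind "$5"            || n=$((n + 1))
  return "$n"
}

# --- constructed sample files (values follow the article's lpic302.local example) ---
W=$(mktemp -d)
printf '%s\n' 'Build environment:' '   HAVE_KRB5_H' '   HAVE_LDAP_H' '   HAVE_GSSAPI_H' > "$W/build.txt"
cat > "$W/smb.conf" <<'EOF'
[global]
   workgroup = LPIC302
   realm = LPIC302.LOCAL
   security = ADS
   winbind use default domain = yes
EOF
cat > "$W/krb5.conf" <<'EOF'
[libdefaults]
   default_realm = LPIC302.LOCAL
[realms]
   LPIC302.LOCAL = {
      kdc = wins3.lpic302.local
      admin_server = wins3.lpic302.local
      default_domain = lpic302.local
   }
EOF
printf '%s\n' 'passwd: files winbind' 'group:  files winbind' > "$W/nsswitch.conf"
printf '%s\n' 'auth sufficient pam_winbind.so' 'auth required   pam_unix.so' > "$W/system-auth"
# A deliberately broken smb.conf: realm case does not match krb5.conf and security is not ads.
printf '%s\n' '[global]' '   realm = lpic302.local' '   security = user' > "$W/smb-bad.conf"

preflight "$W/smb.conf" "$W/krb5.conf" "$W/build.txt" "$W/nsswitch.conf" "$W/system-auth"
echo "good config failures: $?"
preflight "$W/smb-bad.conf" "$W/krb5.conf" "$W/build.txt" "$W/nsswitch.conf" "$W/system-auth"
echo "bad config failures: $?"
```

On a real host, save the smbd -b output to a file and pass the live configuration paths instead of the samples. The realm comparison is deliberately case-sensitive, because krb5.conf realm names are, and that is exactly the mismatch the broken smb-bad.conf sample is meant to surface.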
The net tool is an extremely useful one for Samba administrators. If you have experience with the Windows net command, you'll be familiar with many of its options and functionality. The net ADS command is what you use when working with AD DS. One of the first things to do is join a domain:

```
[tbost@samba3 ~]$ sudo net ADS join -U Administrator%password
```

The first command uses net to join the domain. Alternatively, you can omit %password and enter the Windows Administrator account password when prompted; a password given on the command line is visible in the process list and in the shell history, so the prompted form is preferable on shared hosts. The second command verifies that the server has joined the domain. The third command in the snippet can create (or move from the default Computers container) a computer account for the Samba server in AD DS under ACCOUNTING/Servers. The organizational unit ACCOUNTING/Servers must already exist in Active Directory before you apply the third command. If you need more information about the net command, its online man page provides a lot of useful information. In addition, you can issue the command net help ADS, as shown in Listing 5.

Listing 5. Listing users and groups in an AD DS domain

```
[tbost@samba3 ~]$ net help ADS
```
You can also use the wbinfo tool, which the Winbind daemon provides, to query AD DS resources:

```
[tbost@samba3 ~]$ wbinfo -p
```

These commands use wbinfo to discover information about the domain. The wbinfo -p command pings the Winbind daemon to verify that it's running. The wbinfo -u command returns a listing of all users in the domain, while wbinfo -g returns all groups in the domain. Consult the wbinfo manual for more tool options and functionality.

If you are familiar with the setfacl and getfacl commands, you should have little problem learning the smbcacls command that the Samba client suite provides. You can use the smbcacls tool to change group and user ownership or manage access control list permissions on shares provided by a Windows Server machine in a domain:

```
[tbost@samba3 ~]$ sudo smbcacls -G LPIC302.LOCAL\accounting
```

This command uses smbcacls to change the group ownership of the file private.doc, in the shared directory budget on a Windows Server machine, to the accounting group within the AD DS domain. The smbcacls --help command displays the available options for the tool's various functions.
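Changing the group owner of private.doc is only half the job: the existing access control entries still decide who can write to the file, so after an smbcacls change it pays to read the ACL back and confirm that no broad trustee keeps write access. The script below is an added example, not from the article or from the Samba project: it parses a constructed ACL written in the one-ACE-per-line text format that smbcacls prints (assumed here; confirm it against a live server before relying on it), reports what the accounting group is actually granted, and flags write-capable entries held by Everyone or similar catch-all groups. The trustee list, the function names and the sample ACL are all assumptions made for the example.

```shell
#!/bin/sh
# Audit an NT ACL in the text form smbcacls prints (added example, not from the article).
# The ACL below is a constructed sample; the "ACL:<trustee>:<ALLOWED|DENIED>/<flags>/<mask>"
# line layout is assumed from smbcacls output and should be confirmed against a live server
# with "smbcacls //server/share path -U user" before relying on it.

# Trustees that stand for "everyone in the domain"; write access granted to them on a
# budget share is almost always unintended and worth flagging.
BROAD_TRUSTEES='Everyone|NT AUTHORITY\Authenticated Users|BUILTIN\Users|LPIC302\Domain Users'

# acl_grants FILE TRUSTEE: print the mask of each ALLOWED ACE for TRUSTEE (exact match).
# TRUSTEE is passed through the environment so awk does not reinterpret the backslash.
acl_grants() {
  who="$2" awk -F: '$1 == "ACL" && $2 == ENVIRON["who"] {
      split($3, p, "/"); if (p[1] == "ALLOWED") print p[3] }' "$1"
}

# broad_write_aces FILE: print every ALLOWED ACE that gives a broad trustee write access.
# A mask counts as "write" when it is FULL, CHANGE, or a letter set containing W or D.
# Exit status is 1 when at least one such ACE exists, 0 when the ACL is clean.
broad_write_aces() {
  broad="$BROAD_TRUSTEES" awk -F: '
    BEGIN { n = split(ENVIRON["broad"], list, "|") }
    $1 != "ACL" { next }
    {
      split($3, p, "/"); m = p[3]
      writable = (m == "FULL" || m == "CHANGE" || (m ~ /^[RWXDPO]+$/ && m ~ /[WD]/))
      if (p[1] != "ALLOWED" || !writable) next
      for (i = 1; i <= n; i++) if ($2 == list[i]) { print $0; found = 1 }
    }
    END { exit found ? 1 : 0 }' "$1"
}

# --- constructed sample: the private.doc ACL after group ownership moved to accounting,
# but with a leftover Everyone/FULL entry that the audit should catch ---
ACL_FILE=$(mktemp)
cat > "$ACL_FILE" <<'EOF'
REVISION:1
CONTROL:SR|DP
OWNER:LPIC302\tbost
GROUP:LPIC302\accounting
ACL:LPIC302\tbost:ALLOWED/0x0/FULL
ACL:LPIC302\accounting:ALLOWED/0x0/CHANGE
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x0/READ
ACL:Everyone:ALLOWED/0x0/FULL
EOF

# A cleaned-up ACL: the same entries minus the Everyone grant.
ACL_CLEAN=$(mktemp)
grep -v '^ACL:Everyone:' "$ACL_FILE" > "$ACL_CLEAN"

echo "accounting gets: $(acl_grants "$ACL_FILE" 'LPIC302\accounting')"
if broad_write_aces "$ACL_FILE"; then echo "no broad write grants"; else echo "review the grants above"; fi
if broad_write_aces "$ACL_CLEAN"; then echo "cleaned ACL: no broad write grants"; fi
```

Authenticated Users with READ is reported as fine by design; the audit is about write capability, which is what lets someone outside the accounting group alter or delete the budget file. Extend BROAD_TRUSTEES with any domain-wide groups of your own, and remember that a DENIED entry earlier in the ACL can override an ALLOWED one, which this simple scan does not model.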