- Understanding Active Directory Domain Services (AD DS)
- Understanding how Samba communicates with AD DS
- Configuring Samba to work with AD DS
- Interacting with AD DS
- Domain Name System (DNS) for name resolution
- Kerberos version 5 for user authentication
- Lightweight Directory Access Protocol (LDAP) version 3 for directory services
| RFC | Title | AD DS support |
|---|---|---|
| 2251 | LDAP v3 | Since Windows 2000 |
| 2252 | Attribute Syntax Definitions | Since Windows 2000 |
| 2253 | UTF-8 String Representation of Distinguished Names | Since Windows 2000 |
| 2254 | LDAP Search Filters Using Strings | Since Windows 2000 |
| 2255 | The LDAP URL Format | Since Windows 2000 |
| 2256 | The X.500 User Schema for use with LDAPv3 | Since Windows 2000 |
| 2829 | Authentication Methods for LDAP | Since Windows 2000 |
| 2830 | Extension for Transport Layer Security | Since Windows 2000 |
| 2589 | Extensions for Dynamic Directory Services | Since Windows Server 2003 |
| | | Since Windows Server 2003 |
| 2831 | Using Digest Authentication as an SASL Mechanism | Since Windows Server 2003 |
| 2891 | LDAP Control Extension for Server Side Sorting of Search Results | Since Windows Server 2003 |
- Locate AD DS domain controllers
- Express the organizational structure in the names of its domains in a hierarchical manner
- Provide a name-resolution service for domain controller location and AD DS domains
| DNS | AD DS |
|---|---|
| Maps domain names to resource records | Stores DNS names as objects ( |
| Maps computer names to resource records | Stores computer names as object records |
ldap libraries. Primarily, this involves a change to the include/config.h header file before running the build, so that the header contains:

```
#define HAVE_KRB5 1
```

Editing the generated config.h by hand is fragile; the supported way to get the same result is to pass --with-ads, --with-krb5 and --with-ldap to Samba's configure script and rebuild. You can run smbd -b to discover what your installation of Samba supports (see Listing 1):

```
[tbost@samba3 ~]$ smbd -b | grep KRB
```

In Listing 1, HAVE_KRB5 and HAVE_LDAP_H indicate support for the Kerberos and ldap libraries, respectively, on a Fedora distribution. Your output may differ depending on the distribution. Nonetheless, verify that your command output displays HAVE_KRB5 and HAVE_LDAP_H at a minimum.
Add the realm to the [realms] section of the Kerberos client configuration file (normally /etc/krb5.conf), along with the fully qualified domain name of the Windows domain controller that performs authentication for AD DS (see Listing 2). The kdc directive specifies the AD DS domain controller with the host name wins3.lpic302.local. In addition, admin_server is set to the same domain controller. The default_domain parameter is useful if you want Kerberos to assume this domain name when none is expressed by the user. Note that Kerberos realm names are case sensitive and conventionally written in upper case (LPIC302.LOCAL), and that the realm must match the AD DS domain name exactly; a mismatch in either produces authentication failures that look like bad passwords.
Configure PAM to authenticate users through the pam_winbind module, as shown in Listing 3:

```
auth sufficient pam_winbind.so
```

and add winbind to the name service switch entries so that domain users and groups resolve on the Samba host:

```
passwd: files winbind
```
Finally, configure smb.conf with the realm and security parameters, as shown in Listing 4. Set realm to the domain name, lpic302.local; the corresponding Kerberos realm is the upper-case form, LPIC302.LOCAL, which is the form used in the rest of this article. The security parameter is set to ADS, which indicates that Samba operates in AD DS security mode: domain users are authenticated by the domain controllers rather than against a local password database. You can set winbind use default domain = yes to eliminate the need to qualify user names and other resources with the domain name when accessing resources. For example, instead of authenticating as LPIC302.LOCAL/tbost, Winbind assumes the domain LPIC302.LOCAL when the bare user name tbost is specified. With this setting a domain account and a local account can share a name, so keep files before winbind in the name service switch so that local accounts are resolved first.
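The steps in this section (build check, Kerberos client file, name service switch entry, smb.conf) collected into one provisioning script. This is an added example and is not code from the original article or from the Samba project. It uses the article's realm (LPIC302.LOCAL), domain controller (wins3.lpic302.local) and winbind settings; the NetBIOS workgroup name LPIC302, the idmap ranges, the kerberos method line, the ROOT prefix and the smbd -b text that the check reads are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): provisioning helper for the
# AD DS client configuration described above. ROOT is a hypothetical prefix so
# the files can be generated for review instead of written under /etc directly.

# Step 1: confirm the Samba build has Kerberos and LDAP support. Reads
# `smbd -b` output on stdin so saved output can be checked offline.
check_build_support() {
    _missing=""
    _out=$(cat)
    for _def in HAVE_KRB5 HAVE_LDAP_H; do
        printf '%s\n' "$_out" | grep -qw "$_def" || _missing="$_missing $_def"
    done
    [ -z "$_missing" ] && return 0
    echo "smbd was built without:$_missing" >&2
    return 1
}

# Step 2: Kerberos client configuration. Realm names are case sensitive and
# written in upper case. AD rejects tickets when clocks drift more than five
# minutes, so keep the host time-synchronised to the domain controller.
write_krb5_conf() {  # $1 = destination path
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = LPIC302.LOCAL
    dns_lookup_kdc = true

[realms]
    LPIC302.LOCAL = {
        kdc = wins3.lpic302.local
        admin_server = wins3.lpic302.local
        default_domain = lpic302.local
    }

[domain_realm]
    .lpic302.local = LPIC302.LOCAL
    lpic302.local = LPIC302.LOCAL
EOF
}

# Step 3: let NSS resolve domain users and groups through winbind. "files"
# stays first so a domain account cannot shadow a local one. Idempotent.
enable_winbind_nss() {  # $1 = path to nsswitch.conf
    awk '/^(passwd|group):/ && !/winbind/ { $0 = $0 " winbind" } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 4: smb.conf for AD DS mode. Workgroup name and idmap ranges are
# assumptions. A deterministic (rid) idmap backend for the domain keeps UIDs
# stable across reinstalls and between servers; the "*" range catches
# BUILTIN and other well-known SIDs. "kerberos method" exists on newer Samba
# releases only; drop it on older ones.
write_smb_conf() {  # $1 = destination path
    cat > "$1" <<'EOF'
[global]
    workgroup = LPIC302
    realm = LPIC302.LOCAL
    security = ADS
    kerberos method = secrets and keytab
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config LPIC302 : backend = rid
    idmap config LPIC302 : range = 10000-999999
    winbind use default domain = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
EOF
}

# Sanity checks before restarting smbd/winbindd: ADS mode and upper-case realm.
check_smb_conf() {  # $1 = path
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$1" \
        || { echo "$1: security is not ADS" >&2; return 1; }
    _realm=$(sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$1")
    case "$_realm" in
        "")      echo "$1: realm is not set" >&2; return 1 ;;
        *[a-z]*) echo "$1: realm '$_realm' should be upper case" >&2; return 1 ;;
    esac
    return 0
}

provision() {  # $1 = ROOT prefix
    mkdir -p "$1/etc/samba"
    # On a real host nsswitch.conf already exists; seed a minimal one for review runs.
    [ -f "$1/etc/nsswitch.conf" ] || printf 'passwd: files\ngroup: files\n' > "$1/etc/nsswitch.conf"
    write_krb5_conf "$1/etc/krb5.conf"
    enable_winbind_nss "$1/etc/nsswitch.conf"
    write_smb_conf "$1/etc/samba/smb.conf"
    check_smb_conf "$1/etc/samba/smb.conf"
}

provision "${ROOT:-/tmp/samba-ad-example}"
```

Run it once with ROOT pointing at a scratch directory to inspect the generated files, then with ROOT=/ on the real host and restart smbd and winbindd. The check_smb_conf step is worth keeping: a lower-case realm or a forgotten security = ADS are common reasons a join or a later Kerberos logon fails.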
The net tool is an extremely useful one for Samba administrators. If you have experience with the Windows net command, you'll be familiar with many of its options and functionality. The net ADS command is what you use when working with AD DS. One of the first things to do is join a domain:

```
[tbost@samba3 ~]$ sudo net ADS join -U Administrator%password
```

The first command uses net to join the domain. Alternatively, you can omit %password and enter the Windows Administrator account password when prompted; this is preferable, because a password given on the command line is visible to other users in process listings and is saved in shell history. The second command verifies that the server has joined the domain. The third command in the snippet can create (or move from the default Computers container) a computer account for the Samba server in AD DS under ACCOUNTING/Servers. The organizational unit ACCOUNTING/Servers must already exist in Active Directory before you apply the third command. If you need more information about the net command, its online man page provides a lot of useful information. In addition, you can issue the command net help ADS, as shown in Listing 5:

```
[tbost@samba3 ~]$ net help ADS
```
You can use the wbinfo tool, which the Winbind daemon provides, to query AD DS resources:

```
[tbost@samba3 ~]$ wbinfo -p
```

These commands use wbinfo to discover information about the domain. The wbinfo -p command pings the Winbind daemon to verify that it's running. The wbinfo -u command returns a listing of all users in the domain, while wbinfo -g returns all groups in the domain. Consult the wbinfo manual for more tool options and functionality.
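The join described under net ADS and the wbinfo checks above, as one script. This is an added example and is not code from the original article or from the Samba project. NET, WBINFO and ADMIN are hypothetical variables introduced here so the commands can be swapped for stubs in a dry run, and the verification order is a suggestion rather than anything the article prescribes; the ad_* function names are likewise made up for this example.

```shell
#!/bin/sh
# Added example (not from the original article): join the lpic302.local domain
# and verify the result with the net and wbinfo tools discussed above.
# NET, WBINFO and ADMIN are hypothetical variables so the commands can be
# substituted in a dry run; leave them unset on a real host.
NET=${NET:-net}
WBINFO=${WBINFO:-wbinfo}
ADMIN=${ADMIN:-Administrator}

# Join without "%password" on the command line: the password would otherwise
# be visible in ps output and shell history, so let net prompt for it.
# If you already hold a ticket from kinit, "-k" (Samba before 4.15) or
# "--use-kerberos=required" (4.15 and later) can replace -U entirely.
# $1 is an optional OU path for the machine account, e.g. ACCOUNTING/Servers,
# which must already exist in the directory. net accepts "ads" in any case.
ad_join() {
    if [ -n "${1:-}" ]; then
        "$NET" ads join createcomputer="$1" -U "$ADMIN"
    else
        "$NET" ads join -U "$ADMIN"
    fi
}

# Count the domain users winbind can enumerate. Zero usually means the trust
# secret or the idmap configuration is wrong, not that the domain is empty.
ad_user_count() {
    "$WBINFO" -u | awk 'NF { n++ } END { print n + 0 }'
}

# Verify in the order a failure would show up: machine account and secret,
# then winbindd itself, then its channel to the DC, then an actual lookup.
ad_verify() {
    "$NET" ads testjoin || { echo "machine account/secret check failed" >&2; return 1; }
    "$WBINFO" -p        || { echo "winbindd is not answering" >&2; return 1; }
    "$WBINFO" -t        || { echo "trust secret check against the DC failed" >&2; return 1; }
    _n=$(ad_user_count)
    [ "$_n" -gt 0 ]     || { echo "no domain users visible; check idmap config" >&2; return 1; }
    echo "joined: $_n domain users visible"
}

# Resolve one user through winbind. With "winbind use default domain = yes"
# the bare name works; otherwise use DOMAIN\user (quote the backslash).
ad_lookup_user() {  # $1 = user name; prints a passwd-style entry
    "$WBINFO" -i "$1"
}

case "${1:-}" in
    join)   ad_join "${2:-}" && ad_verify ;;
    verify) ad_verify ;;
    user)   ad_lookup_user "$2" ;;
    *)      echo "usage: $0 join [OU/path] | verify | user NAME" >&2 ;;
esac
```

Invoke it as `sh adjoin.sh join ACCOUNTING/Servers` on the Samba host; the user subcommand is a quick way to confirm that idmap hands out a UID for a domain account (wbinfo -i prints the passwd entry winbind would return to NSS).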
If you are comfortable with the Linux getfacl and related ACL commands, you should have little problem learning the smbcacls command that the Samba client suite provides. You can use the smbcacls tool to change group and user ownership or manage access control list permissions on shares provided by a Windows Server machine in a domain:

```
[tbost@samba3 ~]$ sudo smbcacls -G 'LPIC302.LOCAL\accounting'
```

This example uses the smbcacls -G option to change the group owner of the file private.doc, on the shared directory budget on a Windows Server machine, to the accounting group of the AD DS domain. Note that -G changes group ownership only; the ACL entries themselves are managed with the add, modify, delete and set options. The smbcacls --help command displays the available options for the tool's various functions.
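An added example (not code from the article or from Samba) that performs the group ownership change from above and then audits the ACL listing that smbcacls prints, flagging entries that give well-known groups more than read access. smbcacls' own output format (one ACE per line as ACL:principal:type/flags/mask) is used as documented; the SMBCACLS variable, the set_group, audit_acl and audit_share helpers and the SAMPLE_ACL text are constructed here for illustration and are not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original article): set group ownership with
# smbcacls, then audit a share's ACL for ACEs that grant broad rights to
# well-known groups. SMBCACLS is a hypothetical variable so the audit can be
# run against saved output; SAMPLE_ACL below is constructed, not captured.
SMBCACLS=${SMBCACLS:-smbcacls}

# Group ownership change as in the article, with the DOMAIN\group form
# smbcacls expects and the user passed explicitly (prompted, no %password).
set_group() {  # $1 = //server/share  $2 = path inside the share  $3 = DOMAIN\group
    "$SMBCACLS" "$1" "$2" -U Administrator -G "$3"
}

# smbcacls prints one ACE per line: ACL:<principal>:<type>/<flags>/<mask>
# with <mask> FULL, CHANGE, READ, a set of the letters R W X D P O, or hex.
# Flag ALLOWED entries for Everyone (S-1-1-0), Authenticated Users (S-1-5-11)
# or BUILTIN\Users (S-1-5-32-545) that grant anything beyond read.
audit_acl() {  # reads smbcacls output on stdin; prints offending ACEs; returns 1 if any
    awk -F: '
        $1 != "ACL" { next }
        $2 !~ /^(Everyone|S-1-1-0|NT AUTHORITY\\Authenticated Users|S-1-5-11|BUILTIN\\Users|S-1-5-32-545)$/ { next }
        {
            split($3, p, "/")             # p[1]=type p[2]=flags p[3]=mask
            if (p[1] != "ALLOWED") next   # DENIED entries do not widen access
            mask = p[3]
            if (mask == "READ") next
            if (mask == "FULL" || mask == "CHANGE") { print; bad++; next }
            if (mask ~ /^[RWXDPO]+$/) { if (mask ~ /[WDPO]/) { print; bad++ }; next }
            print "unparsed mask, review by hand: " $0; bad++
        }
        END { exit bad ? 1 : 0 }'
}

# Audit a live share (requires a reachable server and valid credentials).
audit_share() {  # $1 = //server/share  $2 = path  $3 = user
    "$SMBCACLS" "$1" "$2" -U "$3" | audit_acl
}

# Constructed sample output for the budget share on wins3.lpic302.local:
# the accounting group owns the file, but Authenticated Users were given CHANGE.
SAMPLE_ACL='REVISION:1
CONTROL:SR|DP
OWNER:LPIC302\Administrator
GROUP:LPIC302\accounting
ACL:LPIC302\accounting:ALLOWED/0x0/FULL
ACL:Everyone:ALLOWED/0x0/READ
ACL:S-1-5-11:ALLOWED/OI|CI/CHANGE
ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL'

printf '%s\n' "$SAMPLE_ACL" | audit_acl || echo "broad ACEs found on budget share" >&2
```

The audit deliberately treats an unrecognised (hex) mask as something to review rather than ignore, and it resolves well-known SIDs as well as names, because smbcacls falls back to raw SIDs when name resolution against the domain fails. Run audit_share against each share after a change such as set_group to confirm that ownership, not the ACL, is all that moved.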