Wednesday, July 28, 2010

Connecting RHEL to Active Directory Server through Samba

The following article is applicable to Red Hat Enterprise Linux versions 3 and newer only. The Samba packages available from Red Hat for Red Hat Enterprise Linux 2.1 are not capable of domain membership in Active Directory mode.

Step 1: (Red Hat Enterprise Linux 3 Only)

Ensure Server Is Running Latest Samba Packages

The most important part of successfully joining Samba on a Red Hat Enterprise Linux 3 system to a domain in Active Directory Services (ADS) mode is to make sure the server is running the latest Samba packages available from Red Hat Network (RHN). Changes were made in the upstream Samba source code starting at 3.0.8 which have dramatically improved the AD compatibility of Samba running on Red Hat Enterprise Linux 3 systems. Versions of Red Hat's Samba packages prior to 3.0.9-1.3E.3 have various problems, especially with regard to AD compatibility, and should not be used.

The command up2date samba samba-client samba-common executed as the root user will update the key Samba packages to the latest version. If the server is running Samba packages prior to 3.0.9-1.3E.2, the MIT kerberos packages will also be automatically updated when using the command shown above.

The Samba packages available for Red Hat Enterprise Linux 4 are known to work well in ADS mode.

Step 2: Configure the /etc/krb5.conf file

The /etc/krb5.conf file must be configured for the Kerberos components of Samba's AD support to work properly. See additional Knowledgebase articles on how to configure kerberos for Active Directory (AD) integration for an example of a properly-configured krb5.conf file.

When editing krb5.conf, pay strict attention to the syntax shown in the example and avoid using statements not shown in the example. Each place the example Active Directory/Kerberos realm name is shown in lowercase should be edited to contain the name of your Kerberos realm in lowercase. Each place the example realm name is shown in uppercase should be edited to contain the name of your Kerberos realm in uppercase.

In the [realms] section of your /etc/krb5.conf, it is advised to define the Key Distribution Center (KDC) by its numeric IP address as shown in the article. If the KDC is specified by hostname instead, the hostname specified MUST be resolvable via DNS by the Samba server.

Step 3: Configure the /etc/samba/smb.conf file

To join Samba to an AD domain in security = ADS mode, the following lines need to exist in the [global] section of /etc/samba/smb.conf file:

security = ADS
workgroup = MYDOMAIN
realm = MY.ACTIVE.DIRECTORY.NAME

The security = ADS statement tells Samba to authenticate to the specified domain's domain controllers (DCs) as an Active Directory member, using Kerberos against the realm's KDC (and LDAP to the DC for the join itself) rather than the older NT4-style domain protocols.

The workgroup = MYDOMAIN statement defines the "Pre-Windows 2000 Domain Name" for the domain Samba will be joined to. This is also known as the "short" domain name, and MYDOMAIN should be edited to define the same domain name Windows users choose from the Log on to: listbox when logging into their workstations with accounts in this domain. The short domain name should not be confused with the Active Directory/Kerberos Realm name.

The realm = MY.ACTIVE.DIRECTORY.NAME statement defines the name of the Kerberos realm (which is also the DNS name of the Active Directory domain) for the domain Samba will be joined to. This must match the Kerberos realm used in /etc/krb5.conf and be written in uppercase, so MY.ACTIVE.DIRECTORY.NAME should be edited to reflect the correct Kerberos realm name.

Additional smb.conf statements which may be necessary

DC and Samba server in Separate IP Subnets

If the DC is in a different IP subnet than the Samba server, the DC may need to be defined with a password server statement in the [global] section. Defining the DC by IP address is recommended:

# IP address of the Domain Controller
password server =

Note that the routers between the two subnets must be configured properly to forward Samba traffic between the Samba server and the DC. Other articles in the Red Hat Knowledgebase contain details on the ports and protocols used by Samba.

Windows 2003 Domain Controllers

If the DC is a Windows 2003 server, the following statements may need to be added to the [global] section of smb.conf before Samba will work properly:

client use spnego = no
server signing = auto

Treat these as a fallback rather than a default: client use spnego = no switches off SPNEGO negotiation for Samba's own client connections to the DC, so add both lines only if the join or the subsequent winbind lookups fail without them.

Step 4: Join Samba to the Domain

Make sure Samba and Winbind services are stopped first:
# service smb stop
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]

# service winbind stop
Shutting down Winbind services: [ OK ]

Then join Samba to the domain using the following command:
# net ads join -U username

where username is a domain user account which has sufficient rights to add workstations to the domain. A dedicated account that has only been delegated the right to create computer objects in the target container is preferable to the domain Administrator account for this step. You should be prompted for the password for this domain user account, then an attempt to join the domain will be performed. A successful join should look something like this:

# net ads join -U Administrator
Administrator's password:
Using short domain name -- MYDOMAIN
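The whole procedure from Step 2 to Step 4 as one script, added here as an example and not taken from the Red Hat article: it generates /etc/krb5.conf and the [global] section of smb.conf from a realm name (applying the uppercase/lowercase rule from Step 2 and defining the KDC and DC by IP address), refuses the short-name/realm mix-ups warned about in Step 3, and wraps the join in the checks a practitioner wants: a clock sync against the DC (Kerberos rejects tickets outside the KDC's clock skew, five minutes by default), a kinit to prove krb5.conf and the KDC work before the join, and net ads testjoin afterwards. The realm EXAMPLE.COM, short name MYDOMAIN, DC address 192.0.2.10 and account joinuser are placeholders; ntpdate, kinit and the smb/winbind init scripts are assumed to be installed as on a RHEL 3 or 4 system.

```sh
#!/bin/sh
# Added example, not from the Red Hat article. Generates the configuration
# from Steps 2 and 3 and performs the join from Step 4 with checks around it.
# All names below are placeholders: edit them for your site.
WORKGROUP=${WORKGROUP:-MYDOMAIN}
REALM=${REALM:-EXAMPLE.COM}
DC_IP=${DC_IP:-192.0.2.10}

# Step 2: print a krb5.conf for one AD realm. The realm is forced to
# uppercase and the DNS domain to lowercase (the article's case rule).
# The KDC is given by IP address, so reaching it needs no DNS lookup.
krb5_conf() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    kdc=$2
    cat <<EOF
[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 $realm = {
  kdc = $kdc:88
  admin_server = $kdc:749
  default_domain = $domain
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# Step 3: print the [global] section of smb.conf. A third argument adds
# the "password server" line for a DC that sits in another subnet.
smb_conf() {
    workgroup=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '[global]\n'
    printf '   security = ADS\n'
    printf '   workgroup = %s\n' "$workgroup"
    printf '   realm = %s\n' "$realm"
    if [ -n "${3:-}" ]; then
        printf '   # IP address of the Domain Controller\n'
        printf '   password server = %s\n' "$3"
    fi
}

# Refuse the mix-ups the article warns about: the short (pre-Windows 2000)
# name is a NetBIOS name (no dots, at most 15 characters); the realm is the
# dotted Kerberos name and must be uppercase. Returns 0 if both look right.
check_names() {
    case "$1" in
        *.*) echo "workgroup '$1' looks like a realm; use the short name" >&2; return 1 ;;
    esac
    if [ "${#1}" -gt 15 ]; then
        echo "workgroup '$1' is longer than 15 characters" >&2; return 1
    fi
    case "$2" in
        *.*) ;;
        *) echo "realm '$2' has no dot; expected the Kerberos realm name" >&2; return 1 ;;
    esac
    if [ "$2" != "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm '$2' must be uppercase" >&2; return 1
    fi
    return 0
}

# Step 4: sync the clock to the DC (Kerberos clock skew), write the files,
# prove the KDC works with kinit, join, then verify the machine account.
join_domain() {
    check_names "$WORKGROUP" "$REALM" || return 1
    service smb stop
    service winbind stop
    krb5_conf "$REALM" "$DC_IP" > /etc/krb5.conf
    # Writes only [global]; append your share definitions afterwards.
    smb_conf "$WORKGROUP" "$REALM" "$DC_IP" > /etc/samba/smb.conf
    ntpdate "$DC_IP"                 # assumes the ntp package is installed
    kinit "$1@$REALM"
    net ads join -U "$1"
    net ads testjoin
    service winbind start
    service smb start
}

# The join runs only when asked for explicitly: sh ads-join.sh join joinuser
# Without arguments the script only prints the configuration it would write.
case "${1:-}" in
    join) join_domain "${2:-joinuser}" ;;
    *)    krb5_conf "$REALM" "$DC_IP"; smb_conf "$WORKGROUP" "$REALM" "$DC_IP" ;;
esac
```

Run it once without arguments and inspect the printed files before running it with join; the kinit and the net ads join each prompt for the join account's password, and a kinit failure stops the script before any change is made to the domain.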

For more information regarding Samba configuration, we would recommend the following sources of information:
The Samba documentation contained in /usr/share/doc/samba-, on any Red Hat system with the base samba RPM installed. Complete illustrated reference manuals are provided in both PDF and HTML formats in this directory.
The smb.conf man page, viewable by running the command man smb.conf.