Join SAMBA to Active Directory domain and File, Directory, and Share Access Controls
Step 1: Install the Required Packages
Code:
apt-get install krb5-user
apt-get install winbind samba
Step 2: Edit the /etc/krb5.conf File
Code:
[libdefaults]
default_realm = CONNECTA.LOCAL
ticket_lifetime = 24000
[realms]
CONNECTA.LOCAL = {
kdc = mercury.connecta.local
admin_server = mercury.connecta.local
default_domain = CONNECTA.LOCAL
}
[domain_realm]
.connecta.local = CONNECTA.LOCAL
connecta.local = CONNECTA.LOCAL
.kereberos.server = mercury.connecta.local
Step 3:
Edit /etc/samba/smb.conf
Notes: Change the NETBIOS name parameter to be correct for the server. Make a backup copy of the original file!!! ) Make the edits. The configuration shown is the bare minimum and doesn't share anything.
Code:
[global]
workgroup = CONNECTA
security = ads
netbios name =COPPELIUS001
realm = CONNECTA.LOCAL
preferred master = yes
encrypt passwords = yes
log file = /var/log/samba/%m
winbind separator = +
password server = mercury.connecta.local
idmap uid = 600-20000
idmap gid = 600-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
guest account = nobody
template shell = /bin/bash
nt acl support = true
2) Test the configuration with the "testparm" command
Code:
testparm
Step 4: Edit /etc/nsswitch.conf to look like the example below
Code:
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Step 5: Modify the PAM settings
1) /etc/pam.d/common-account should contain only the following lines
Code:
account sufficient pam_winbind.so account required pam_unix.so
2) /etc/pam.d/common-auth should contain only the following lines
Code:
auth sufficient pam_winbind.so auth required pam_unix.so nullok_secure use_first_pass
3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below
Code:
password required pam_unix.so nullok obscure min=4 max=50 md5
4) Make sure the /etc/pam.d/common-session file contains the following line
Code:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Step 6: Make a directory to hold domain user home directories
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file
Code (if you want to use WORKGROUP):
mkdir /home/DOMAIN
Step 7: Initialize Kerberos
1) Code:
kinit domain_admin_account@CONNECTA.LOCAL
Next check to be sure you got a ticket from the domain controller It's possible that With ADMINISTRATOR you have problem, then you must change ADMINSITRATOR's password on Active-Directory!!
2)KLIST Shows the current ticket(s):
Code:
klist
Step 8: Join the system to the set Computer name in /etc/hosts to fully qualified name (example: aspirin.CONNECTA.LOCAL)
Code:
net ads join -U administrator@CONNECTA.LOCAL
Error:
kinit(v5): Clock skew too great while getting initial => The time at server and client are not same, and must be synchronized.
Step 9: Restart Samba-related Services (Or reboot the server)
Note: The order is important
Code:
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
Step 8: Enable ACL (Access Control List) support for the file system
Code:
mount / -o remount,acl
If you want to add it at startup, edit /etc/fstab in the following way:
/dev/hda1 / ext3 defaults,acl 0 0
Now set up ACL tools, which allows us to assign ACL to files:
Code:
# apt-get install acl
Step 9: Make a directory for sharing
Example:
Code:
mkdir /home/masoud/share/newtest
chgrp "Domain Users" /home/masoud/share/newtest
Step 10: add share properties in smb.conf
Code:
[newtest]
path = /data
available = yes
browsable = yes
read only = no
public = yes
writable = yes
security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0
nt acl support = yes
store dos attributes = yes
dos filemode = yes
Step 11-1: Share permission management in WINDOWS
1. Launch the NT4 Server Manager and click on the Samba server you want to administer. From the menu select Computer, then click on Shared Directories.
2. Click on the share that you wish to manage and click the Properties tab, then click the Permissions tab. Now you can add or change access control settings as you wish.
or:
from Control Panel -> Administrative Tools run Computer Management:
1. After launching the MMC with the Computer Management snap-in,click the menu item Action and select Connect to another computer.If you are not logged onto a domain you will be prompted to enter a domain login user identifier and a password. This will authenticate
you to the domain. If you are already logged in with administrative privilege, this step is not offered.
2. If the Samba server is not shown in the Select Computer box, type in the name of the target Samba server in the field Name:. Now click the on [+] next to System Tools, then on the [+] next to Shared Folders in the left panel.
3. In the right panel, double-click on the share on which you wish to set access control permissions. Then click the tab Share Permissions. It is now possible to add access control entities to the shared folder. Remember to set what type of access (full control, change, read) you wish to assign for each entry
Warning:
Be careful. If you take away all permissions from the Everyone user without removing this user, effectively no user will be able to access the share. This is a result of what is known as ACL precedence. Everyone with no access means that MaryK who is part of the group Everyone will have no access even if she is given explicit full control access.
Step 11-2: Share permission management in UBUNTU
setfacl: This utility sets Access Control Lists (ACLs) of files and directories.
-R : Recursive
-m : Modify
-x : Delete
Code:
setfacl -R -m user:suresh:rwx /home/share/newtest
geftacl: This utility shows Access Control Lists (ACLs) of files and directories.
Code:
getfacl /home/share/newtest
=========================================================================
Map a Windows Folder to a Ubuntu Directory:
kinit suresh@CONNECTA.LOCAL
sudo mount -t cifs -o username=suresh //192.168.0.1/C$ /home/share/suresh
Step 1: Install the Required Packages
Code:
apt-get install krb5-user
apt-get install winbind samba
Step 2: Edit the /etc/krb5.conf File
Code:
[libdefaults]
default_realm = CONNECTA.LOCAL
ticket_lifetime = 24000
[realms]
CONNECTA.LOCAL = {
kdc = mercury.connecta.local
admin_server = mercury.connecta.local
default_domain = CONNECTA.LOCAL
}
[domain_realm]
.connecta.local = CONNECTA.LOCAL
connecta.local = CONNECTA.LOCAL
.kereberos.server = mercury.connecta.local
Step 3:
Edit /etc/samba/smb.conf
Notes: Change the NETBIOS name parameter to be correct for the server. Make a backup copy of the original file!!! ) Make the edits. The configuration shown is the bare minimum and doesn't share anything.
Code:
[global]
workgroup = CONNECTA
security = ads
netbios name =COPPELIUS001
realm = CONNECTA.LOCAL
preferred master = yes
encrypt passwords = yes
log file = /var/log/samba/%m
winbind separator = +
password server = mercury.connecta.local
idmap uid = 600-20000
idmap gid = 600-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
guest account = nobody
template shell = /bin/bash
nt acl support = true
2) Test the configuration with the "testparm" command
Code:
testparm
Step 4: Edit /etc/nsswitch.conf to look like the example below
Code:
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Step 5: Modify the PAM settings
1) /etc/pam.d/common-account should contain only the following lines
Code:
account sufficient pam_winbind.so account required pam_unix.so
2) /etc/pam.d/common-auth should contain only the following lines
Code:
auth sufficient pam_winbind.so auth required pam_unix.so nullok_secure use_first_pass
3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below
Code:
password required pam_unix.so nullok obscure min=4 max=50 md5
4) Make sure the /etc/pam.d/common-session file contains the following line
Code:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Step 6: Make a directory to hold domain user home directories
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file
Code (if you want to use WORKGROUP):
mkdir /home/DOMAIN
Step 7: Initialize Kerberos
1) Code:
kinit domain_admin_account@CONNECTA.LOCAL
Next check to be sure you got a ticket from the domain controller It's possible that With ADMINISTRATOR you have problem, then you must change ADMINSITRATOR's password on Active-Directory!!
2)KLIST Shows the current ticket(s):
Code:
klist
Step 8: Join the system to the set Computer name in /etc/hosts to fully qualified name (example: aspirin.CONNECTA.LOCAL)
Code:
net ads join -U administrator@CONNECTA.LOCAL
Error:
kinit(v5): Clock skew too great while getting initial => The time at server and client are not same, and must be synchronized.
Step 9: Restart Samba-related Services (Or reboot the server)
Note: The order is important
Code:
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
Step 8: Enable ACL (Access Control List) support for the file system
Code:
mount / -o remount,acl
If you want to add it at startup, edit /etc/fstab in the following way:
/dev/hda1 / ext3 defaults,acl 0 0
Now set up ACL tools, which allows us to assign ACL to files:
Code:
# apt-get install acl
Step 9: Make a directory for sharing
Example:
Code:
mkdir /home/masoud/share/newtest
chgrp "Domain Users" /home/masoud/share/newtest
Step 10: add share properties in smb.conf
Code:
[newtest]
path = /data
available = yes
browsable = yes
read only = no
public = yes
writable = yes
security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0
nt acl support = yes
store dos attributes = yes
dos filemode = yes
Step 11-1: Share permission management in WINDOWS
1. Launch the NT4 Server Manager and click on the Samba server you want to administer. From the menu select Computer, then click on Shared Directories.
2. Click on the share that you wish to manage and click the Properties tab, then click the Permissions tab. Now you can add or change access control settings as you wish.
or:
from Control Panel -> Administrative Tools run Computer Management:
1. After launching the MMC with the Computer Management snap-in,click the menu item Action and select Connect to another computer.If you are not logged onto a domain you will be prompted to enter a domain login user identifier and a password. This will authenticate
you to the domain. If you are already logged in with administrative privilege, this step is not offered.
2. If the Samba server is not shown in the Select Computer box, type in the name of the target Samba server in the field Name:. Now click the on [+] next to System Tools, then on the [+] next to Shared Folders in the left panel.
3. In the right panel, double-click on the share on which you wish to set access control permissions. Then click the tab Share Permissions. It is now possible to add access control entities to the shared folder. Remember to set what type of access (full control, change, read) you wish to assign for each entry
Warning:
Be careful. If you take away all permissions from the Everyone user without removing this user, effectively no user will be able to access the share. This is a result of what is known as ACL precedence. Everyone with no access means that MaryK who is part of the group Everyone will have no access even if she is given explicit full control access.
Step 11-2: Share permission management in UBUNTU
setfacl: This utility sets Access Control Lists (ACLs) of files and directories.
-R : Recursive
-m : Modify
-x : Delete
Code:
setfacl -R -m user:suresh:rwx /home/share/newtest
geftacl: This utility shows Access Control Lists (ACLs) of files and directories.
Code:
getfacl /home/share/newtest
=========================================================================
Map a Windows Folder to a Ubuntu Directory:
kinit suresh@CONNECTA.LOCAL
sudo mount -t cifs -o username=suresh //192.168.0.1/C$ /home/share/suresh
