How to Ubuntu Samba file sharing with AD 2003 authentication

Upload: jcow

Post on 19-Feb-2018


  • 7/23/2019 How to Ubuntu Samba File Sharing With AD 2003 Authentication

    1/12

    How to Ubuntu Samba file sharing with AD 2003 authentication

    Sources: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto and http://www.thaiadmin.org/board/index.php?topic=40947.0

    Lab setup: two servers, one Linux and one Windows, both in the domain domain.local. User accounts live in Active Directory on Windows Server 2003.

    Windows Server 2003 (Active Directory domain controller): Hostname = mydc, IP = 192.168.1.250, Domain = domain.local

    Ubuntu 9.04 (Samba file server; install the openssh-server package so the box can be administered remotely with PuTTY): Hostname = mysmb, IP = 192.168.1.251, Domain = domain.local

    Update the Ubuntu package lists:

    apt-get update

    Add both machines to /etc/hosts (the page names /etc/hostname here, but that file holds only the machine's own name; the entries below are /etc/hosts entries):

    127.0.0.1 localhost
    192.168.1.251 mysmb.domain.local mysmb
    192.168.1.250 mydc.domain.local mydc

    Check that the AD server resolves and answers:

    ping mydc.domain.local

    Press Ctrl + C to stop the ping.

    apt-get install krb5-user libpam-krb5 samba winbind acl ntp

    The krb5-user package prompts for the default Kerberos REALM and the Kerberos server names; enter the AD realm and the domain controller and press Enter. Then edit /etc/default/ntpdate so the clock is synchronised from the AD server (Kerberos rejects tickets once the clock skew exceeds the configured limit, 300 seconds in the krb5.conf below):

    NTPDATE_USE_NTP_CONF=yes
    NTPSERVERS="mydc.domain.local"
    NTPOPTIONS="-u"

    krb5.conf: back up the original, then replace its contents.

    cp -rav /etc/krb5.conf /etc/krb5.conf.default

    /etc/krb5.conf

    [logging]
    default = FILE:/var/log/krb5.log

    [libdefaults]
    ticket_lifetime = 24000
    clock_skew = 300
    default_realm = DOMAIN.LOCAL
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

    [realms]
    DOMAIN.LOCAL = {
        kdc = mydc.domain.local
        admin_server = mydc.domain.local
        default_domain = DOMAIN.LOCAL
    }

    [domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL

    [login]
    krb4_convert = true
    krb4_get_tickets = false

    The des-cbc-crc and des-cbc-md5 entries are single DES and are listed only for compatibility with a Windows 2003 era domain; current Kerberos builds disable DES by default, and arcfour-hmac-md5 (RC4) should be dropped from both lists as soon as the domain controller no longer needs it.

    smb.conf: back up the original, then set the [global] section.

    cp -rav /etc/samba/smb.conf /etc/samba/smb.conf.default

    /etc/samba/smb.conf

    [global]
    security = ads
    realm = DOMAIN.LOCAL
    password server = mydc.domain.local
    workgroup = DOMAIN
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    winbind use default domain = yes
    restrict anonymous = 2
    map acl inherit = yes
    nt acl support = yes
    disable spoolss = yes

    The idmap uid/gid ranges are the UNIX IDs winbind hands out to domain users and groups, so keep them clear of local accounts. restrict anonymous = 2 refuses anonymous (null session) connections, so every client has to authenticate against AD.

    Configure PAM. Back up the files first:

    cp -rav /etc/pam.d/common-account /etc/pam.d/common-account.default
    cp -rav /etc/pam.d/common-auth /etc/pam.d/common-auth.default
    cp -rav /etc/pam.d/common-session /etc/pam.d/common-session.default
    cp -rav /etc/pam.d/sudo /etc/pam.d/sudo.default

    /etc/pam.d/common-account

    account sufficient pam_winbind.so
    account required pam_unix.so

    /etc/pam.d/common-auth

    auth sufficient pam_winbind.so
    auth sufficient pam_unix.so nullok_secure use_first_pass
    auth required pam_deny.so

    pam_winbind comes first so domain users are checked against AD; pam_unix with use_first_pass reuses the password that was already typed, for local accounts; pam_deny at the end rejects anyone neither module accepted.

    /etc/pam.d/common-session

    session required pam_unix.so
    session required pam_mkhomedir.so umask=0022 skel=/etc/skel

    pam_mkhomedir creates the home directory (template homedir = /home/%U in smb.conf) at a domain user's first login.

    /etc/pam.d/sudo

    #%PAM-1.0
    @include common-auth
    auth sufficient pam_winbind.so
    auth sufficient pam_unix.so use_first_pass
    auth required pam_deny.so
    @include common-acc
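How the sufficient/required flags in these stacks interact is the part people most often get wrong, so here is an added example (my own, not from the how-to) that walks an auth stack the way Linux-PAM evaluates it. pam_winbind and pam_unix are stand-ins that look up constructed, fictitious credentials (the real modules ask winbindd and /etc/shadow); pam_deny always fails, exactly like the real module. WRONG_ORDER is a hypothetical misconfiguration, not anything the how-to recommends.

```python
"""Evaluate a PAM 'auth' stack the way Linux-PAM does, for the common-auth
stack from this how-to.

Added example, not part of the original how-to. The three modules are
stand-ins: pam_winbind and pam_unix are replaced by lookups in constructed
dictionaries (the real ones ask winbindd and /etc/shadow); pam_deny always
fails, like the real module.
"""

# Constructed credential stores (not real accounts or passwords).
AD_USERS = {"it01": "Ad-pass-1", "acc01": "Ad-pass-2"}   # answered by winbind
LOCAL_USERS = {"olduser": "Local-pass"}                   # answered by pam_unix


def pam_winbind(user, password):
    """Stand-in for pam_winbind.so: succeeds only for domain users."""
    return AD_USERS.get(user) == password


def pam_unix(user, password):
    """Stand-in for pam_unix.so with use_first_pass: reuses the password
    already typed and succeeds only for local accounts."""
    return LOCAL_USERS.get(user) == password


def pam_deny(user, password):
    """pam_deny.so: always fails."""
    return False


# /etc/pam.d/common-auth from the how-to, as (control, module) pairs.
COMMON_AUTH = [
    ("sufficient", pam_winbind),
    ("sufficient", pam_unix),
    ("required", pam_deny),
]

# A hypothetical mistake: pam_unix made 'required' and placed first.
WRONG_ORDER = [
    ("required", pam_unix),
    ("sufficient", pam_winbind),
    ("required", pam_deny),
]


def run_stack(stack, user, password):
    """Return (granted, trace) following Linux-PAM's control-flag rules:
    - sufficient + success with no earlier required failure: stop, success
    - required failure: remember it but keep running the stack (later
      modules still execute, so the caller cannot tell which line rejected)
    - requisite failure: stop immediately
    - end of stack: success only if some module succeeded and no required
      module failed (Linux-PAM's end-of-stack sanity check)."""
    required_failed = False
    positive = False
    trace = []
    for control, module in stack:
        ok = module(user, password)
        trace.append(f"{control} {module.__name__}: {'ok' if ok else 'fail'}")
        if ok:
            if control == "sufficient" and not required_failed:
                return True, trace
            positive = True
        elif control == "requisite":
            return False, trace
        elif control == "required":
            required_failed = True
    return positive and not required_failed, trace


if __name__ == "__main__":
    for name, stack in (("common-auth", COMMON_AUTH), ("wrong order", WRONG_ORDER)):
        for user, pw in (("it01", "Ad-pass-1"), ("olduser", "Local-pass"), ("it01", "bad")):
            granted, trace = run_stack(stack, user, pw)
            print(f"{name:12} {user:8} {'GRANTED' if granted else 'denied':8} {' -> '.join(trace)}")
```

With the how-to's stack a domain user stops at pam_winbind, a local user falls through to pam_unix, and a bad password runs all three lines and is denied by pam_deny. In the hypothetical WRONG_ORDER stack nobody gets in: the required pam_unix failure locks out domain users even though pam_winbind succeeds afterwards, and local users are killed by the required pam_deny at the end because a required success never short-circuits the stack.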

    Restart the services:

    /etc/init.d/ntp restart

    /etc/init.d/samba restart (on Ubuntu 10.04 the init script is /etc/init.d/smb, so run /etc/init.d/smb restart)

    /etc/init.d/winbind restart

    Test Kerberos by requesting a ticket for the AD administrator:

    kinit administrator@DOMAIN.LOCAL

    Enter the AD administrator password. An error here means krb5.conf is wrong; fix it before going on. Confirm the ticket:

    klist

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@DOMAIN.LOCAL

    Valid starting     Expires            Service principal
    01/21/05 10:28:51  01/21/05 20:27:43  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
            renew until 08/14/10 13:43:46

    Join the domain. First add a DNS record of type Host (A) for this host on the Windows DNS server, then run:

    net ads join -U administrator@DOMAIN.LOCAL

    Enter the AD administrator password; after a short wait the domain join completes.

    /etc/init.d/samba restart

    /etc/init.d/winbind restart

    wbinfo -ug

    wbinfo -u lists the domain users and wbinfo -g the domain groups that winbind can now authenticate.

    Make the system resolve users and groups through winbind:

    cp -rav /etc/nsswitch.conf /etc/nsswitch.conf.default

    /etc/nsswitch.conf

    passwd: compat winbind
    group: compat winbind
    shadow: compat
    hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
    networks: files
    protocols: db files
    services: db files
    ethers: db files
    rpc: db files
    netgroup: nis

    getent passwd

    now lists the AD users, and

    getent group

    lists the AD groups alongside the local ones from /etc/group. An AD user can be added to a local group in /etc/group like any local user:

    admin:x:117:olduser,ActiveDirectoryUser

    To give an AD group sudo rights, add it to /etc/sudoers (the % prefix marks a group):

    %adgroup ALL=(ALL) ALL

    Reboot once. The computer account mysmb now appears in Active Directory Users and Computers on the Windows 2003 AD server.

    Scenario: the Ubuntu Samba server authenticates against Windows 2003 AD. AD 2003 holds the users, in four departments:

    IT Service: IT01, IT02; Accounting: Acc01, Acc02; Marketing: Mkt01, Mk02

    Shares and who may use them: Public is open to every user; Acc to the Accounting users; IT to the IT users only, with IT01 as the owner of the share; Operation to IT01 and Acc01.

    No anonymous access: a notebook that is not logged on as a domain user gets nothing. Every share has an owner user and an owner group (IT is owned by the IT user), the same owner / read-only groups / read-write groups model that Webmin's Samba module presents.

    On Windows 2003 AD, create an OU (Organizational Unit) for the Samba resource groups and create the groups inside it:

    Public_Access for the Public share, then Acc_Access, IT_Access and Operation_Access for the others. Click OK.

    Create the users. IT01 goes into the IT Service OU (New > User inside that OU), then Next.

    Enter the password twice, set the password options, Next, Finish. Create the remaining users IT02, Acc01, Acc02, Mkt01 and Mkt02 in their OUs on Windows the same way.

    On Ubuntu create the share directories Public, Acc, IT and Operation under /home:

    mkdir /home/public /home/acc /home/it /home/operation

    Set the permissions with chmod:

    chmod 770 /home/public /home/acc /home/operation

    chmod 750 /home/it

    770 gives the owner user and the owner group read, write and execute; 750 gives the owner read, write and execute but the group only read and execute, so only the owner can write. Others get nothing. At this point all four directories still have User=root Group=root:

    ls -l /home

    drwxrwx--- 2 root root 4096 2010-08-14 15:07 acc
    drwxr-x--- 2 root root 4096 2010-08-14 15:07 it
    drwxrwx--- 2 root root 4096 2010-08-14 15:07 operation
    drwxrwx--- 2 root root 4096 2010-08-14 15:07 public

    The third column is the owner user (root) and the fourth the owner group (root). Change the group owners to the AD 2003 groups, and the owner of /home/it to it01:

    chown root:public_access /home/public

    chown root:acc_access /home/acc

    chown root:operation_access /home/operation

    chown it01:it_access /home/it

    ls -l /home

    The group owner of each directory is now an AD group and /home/it is owned by user it01:

    drwxrwx--- 2 root acc_access 4096 2010-08-14 15:07 acc
    drwxr-x--- 2 it01 it_access 4096 2010-08-14 15:07 it
    drwxrwx--- 2 root operation_access 4096 2010-08-14 15:07 operation
    drwxrwx--- 2 root public_access 4096 2010-08-14 15:07 public

    /etc/samba/smb.conf: add the share definitions.

    [Public]
    comment = Public
    writeable = yes
    path = /home/public
    delete readonly = yes
    force create mode = 770
    force directory mode = 770
    directory mode = 770
    create mode = 770

    [IT]
    comment = IT Service
    writeable = yes
    path = /home/it
    delete readonly = yes
    force create mode = 750
    force directory mode = 750
    directory mode = 750
    create mode = 750

    [Scan]
    comment = Scan
    writeable = yes
    path = /home/scan
    delete readonly = yes
    force create mode = 770
    force directory mode = 770
    directory mode = 770
    create mode = 770

    [ACC]
    comment = Accounting
    writeable = yes
    path = /home/acc
    delete readonly = yes
    force create mode = 770
    force directory mode = 770
    directory mode = 770
    create mode = 770

    comment is only the description shown to clients. Restart Samba:

    /etc/init.d/samba restart

    From Windows (XP SP3) open \\mysmb or \\192.168.1.251 and log on with a domain.local user name and password. Try the Domain Administrator first: it can reach every share.

    Put the users into the groups Acc_Access, IT_Access, Operation_Access and Public_Access on Windows 2003 AD: in the IT Service OU right-click IT01, Add to Group, type Public_Access, Check Names, OK. Repeat for every user and group until the membership is:

    Acc_Access = Acc01, Acc02
    IT_Access = IT02, Acc01, Acc02, Mkt01, Mkt02 (IT01 is the owner user of IT and gets its rights from the directory owner, not from the group)
    Operation_Access = IT01, Acc01
    Public_Access = IT01, IT02, Acc01, Acc02, Mkt01, Mkt02

    Then test from Windows after adding the users: logged on as IT02 or Mkt01, opening Operation gives an access error, because neither is in Operation_Access. Logged on as Acc01 or IT01, Operation opens. On IT, IT01 as owner user has full access, while the other IT users get an error when they try to write, since 750 gives the group no write bit.
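The manual test above only covers a few user/share pairs. The following added example (my own, not from the how-to) works out the whole access matrix from the chown/chmod step and the group membership listed in this step: it applies the owner/group/other mode bits that Samba enforces on the share path for the authenticated winbind user. The data is copied from the page; the one assumption is that the [Operation] share, whose stanza is not in the page's smb.conf excerpt, points at /home/operation like the others.

```python
"""Who can list or write each share, derived from the UNIX owner, group and
mode set with chown/chmod and the AD group membership assigned in this step.

Added example, not part of the original how-to. Samba checks the
authenticated winbind user against the share path's owner, group and mode
bits just as the kernel would; this script applies that rule to the page's
data. The [Operation] stanza is not shown in the page's smb.conf excerpt, so
it is assumed here to use /home/operation like the other shares.
"""

# Share -> (owner user, owner group, directory mode), from ls -l after chown.
SHARES = {
    "Public":    ("root", "public_access",    0o770),
    "ACC":       ("root", "acc_access",       0o770),
    "IT":        ("it01", "it_access",        0o750),
    "Operation": ("root", "operation_access", 0o770),  # stanza assumed, see above
}

# AD group membership from this step. Names are lower-case because
# 'winbind use default domain = yes' presents DOMAIN\IT01 as plain it01.
GROUPS = {
    "acc_access":       {"acc01", "acc02"},
    "it_access":        {"it02", "acc01", "acc02", "mkt01", "mkt02"},
    "operation_access": {"it01", "acc01"},
    "public_access":    {"it01", "it02", "acc01", "acc02", "mkt01", "mkt02"},
}

USERS = sorted({u for members in GROUPS.values() for u in members})


def effective_access(user, owner, group, mode):
    """Return (can_list, can_write) for user on a directory with the given
    owner, group and mode. Owner bits apply to the owner, group bits to
    members of the group (looked up in the AD membership table), other bits
    to everyone else. Listing needs r+x; creating or deleting entries needs w+x."""
    if user == owner:
        bits = (mode >> 6) & 0o7
    elif user in GROUPS.get(group, set()):
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    can_traverse = bool(bits & 0o1)
    return (can_traverse and bool(bits & 0o4), can_traverse and bool(bits & 0o2))


def access_matrix(users=USERS, shares=SHARES):
    """Map (user, share) -> 'rw', 'ro' or '--' (access error)."""
    matrix = {}
    for share, (owner, group, mode) in shares.items():
        for user in users:
            can_list, can_write = effective_access(user, owner, group, mode)
            matrix[(user, share)] = "rw" if can_write else ("ro" if can_list else "--")
    return matrix


def expected_errors(matrix=None):
    """(user, share) pairs that get an access error, i.e. the '--' cells."""
    matrix = access_matrix() if matrix is None else matrix
    return sorted((u, s) for (u, s), a in matrix.items() if a == "--")


if __name__ == "__main__":
    matrix = access_matrix()
    print("user     " + "".join(f"{s:>11}" for s in SHARES))
    for user in USERS:
        print(f"{user:8} " + "".join(f"{matrix[(user, s)]:>11}" for s in SHARES))
```

The output reproduces the page's test results (IT02 and Mkt01 are refused on Operation, Acc01 and IT01 get in, only IT01 can write to IT) and also shows the cells the page did not try by hand, such as IT01 being refused on ACC. Re-running it after every group change is a cheap way to catch a membership that silently widens access before users notice.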

    When users or groups change later, update the AD group membership or the share definitions in smb.conf and restart the Samba service.

    --------------------------------------------------------------------------------------------------------------
    By NarinNil | 14 Aug 2010 | [email protected] | http://www.facebook.com/narinnil