
Procedures for Enabling Active Directory Authentication on UNIX
Enabling Active Directory Authentication on a Samba Server
Enable AD-based authentication to your Samba shares.
The following procedure has been tested with Solaris 8 and 9, Samba 3.0.12pre1 and 3.0.13, MIT
Kerberos V5 1.4, and OpenLDAP 2.2.24. Software was compiled with GCC 3.3.2. The procedure
assumes installations based in /opt/local.
1. Download and install the required software.
1. Before installing, make sure that /usr/ucb is not in your PATH environment variable,
or at least that it's toward the end.
2. Build and install MIT Kerberos V5.
1. Download from the MIT Kerberos site and unpack.
2. From the src subdirectory: ./configure --prefix=/opt/local
3. make
4. sudo make install
3. Build and install OpenLDAP.
1. Download from the OpenLDAP site and unpack.
2. ./configure --prefix=/opt/local --disable-bdb
--enable-null --without-tls
3. make depend
4. make
5. sudo make install
4. Build and install Samba.
1. Download from the Samba site and unpack.
2. Set the CFLAGS environment variable to "-O2".
3. Set the LDFLAGS environment variable to "-L/opt/local/lib -Wl,-R/opt/local/lib" (the -R runpath lets the Samba binaries find the Kerberos and LDAP libraries in /opt/local/lib without LD_LIBRARY_PATH).
4. Set the CPPFLAGS environment variable to "-I/opt/local/include".
5. From the source subdirectory: ./configure --prefix=/opt/local
--exec-prefix=/opt/local/samba --with-logfilebase=/var/log --with-sslinc=/opt/local/ssl/include --with-ssllib=/opt/local/lib --with-included-popt --with-smbwrapper --with-syslog --with-automount --with-pam
--with-ldap --with-ads --with-winbind --with-krb5=/opt/local
6. make
7. sudo make install
2. Configure the server.
1. Add the Active Directory DNS suffix (e.g. ad.example.com) to the search
statement in /etc/resolv.conf.

2. Create /opt/local/etc/krb5.conf that looks something like the following (using a site-specific KDC; the realm name must be in upper case, and the domain_realm section maps the AD DNS domain onto it):
[libdefaults]
default_realm = AD.EXAMPLE.COM
[realms]
AD.EXAMPLE.COM = {
kdc = dc1.ad.example.com
}
[domain_realm]
.ad.example.com = AD.EXAMPLE.COM
ad.example.com = AD.EXAMPLE.COM

3. Set up /opt/local/samba/lib/smb.conf to include the following parameters in the [global] section (substituting a local DC for the password server):
workgroup = EXAMPLE
realm = ad.example.com
security = ADS
password server = dc1.ad.example.com
encrypt passwords = yes
allow trusted domains = yes
username map = /opt/local/samba/lib/user.map

4. In /opt/local/samba/lib/user.map, map AD usernames to corresponding UNIX usernames, with each line looking like this:
unixuser = EXAMPLE\aduser
5. Create an init script and links to start and stop smbd, nmbd, and winbindd. Here's an example:
#!/bin/sh
SMBDIR=/opt/local/samba
if [ ! -d "$SMBDIR" ]; then
    exit 0
fi
case "$1" in
'start')
    $SMBDIR/sbin/nmbd -D
    $SMBDIR/sbin/smbd -D
    $SMBDIR/sbin/winbindd
    echo "Started SAMBA - smbd and nmbd and winbindd"
    ;;
'stop')
    $SMBDIR/bin/smbcontrol nmbd shutdown
    $SMBDIR/bin/smbcontrol smbd shutdown
    $SMBDIR/bin/smbcontrol winbindd shutdown
    ;;
*)
    echo "Usage: /etc/init.d/smb.server { start | stop }"
    ;;
esac

3. Join the server to the Active Directory domain.
1. Have someone create a machine account for the Samba server in the AD domain.
1. If the server's hostname doesn't meet AD naming requirements, you'll need to
construct a hostname that does. Use this hostname as the netbios name in
smb.conf. Also, you should probably add this hostname as an alias for the
server's real hostname in DNS.
2. sudo /opt/local/bin/kinit DomainAdmin@AD.EXAMPLE.COM
1. Make sure the realm name is entered in all caps.
2. You'll be prompted for a domain admin password.
3. sudo /opt/local/samba/bin/net ads join -U DomainAdmin
1. The -U option isn't required if this command is run shortly after the kinit: both commands run as root under sudo, so net ads join can use the ticket cache that kinit created. Run sudo /opt/local/bin/kdestroy once the join succeeds so the domain admin ticket does not linger in root's credential cache.
4. Start the daemons: sudo /etc/init.d/smb.server start.
5. Test SMB access.

Enabling Active Directory Authentication on UNIX
Enable AD-based authentication to your UNIX system.
The following procedure has been tested with Solaris 8 and 9, MIT Kerberos V5 1.4, and OpenLDAP
2.2.24. Software was compiled with GCC 3.3.2. The procedure assumes installations based in
/opt/local.
1. Download and install MIT Kerberos V5, OpenLDAP, and Samba as described in the procedure
to enable AD authentication on a Samba server. In addition:
1. If /usr is mounted read-only, remount it read-write for the copies below: sudo mount -o remount,rw /usr.
2. From the source/nsswitch/ directory of the Samba source distribution, copy
libnss_winbind.so to /usr/lib/nss_winbind.so.1, with 0555
permissions.
3. From the source/nsswitch/ directory of the Samba source distribution, copy
pam_winbind.so to /usr/lib/security/ with 0555 permissions, and create a
symlink to it from /usr/lib/security/pam_winbind.so.1.
2. Configure the host.
1. Configure resolv.conf, krb5.conf, and smb.conf as described in the
procedure to enable AD authentication on a Samba server.
2. Add the following lines to smb.conf, substituting appropriate values for template
home directories, login shells, and UID/GID ranges:
winbind separator = +
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind cache time = 1800
idmap uid = 100000-200000
idmap gid = 100000-200000
template homedir = /home/%U
template shell = /bin/tcsh

3. In /etc/nsswitch.conf, add winbind [TRYAGAIN=2] to the end of the passwd and group lines.
4. In /etc/pam.conf:
1. To the auth section of each service for which AD authentication will be enabled (typically login and other), add a line like the following at the beginning:
other   auth sufficient   pam_winbind.so.1
Also, add try_first_pass to the end of subsequent lines using pam_unix.so.1, pam_unix_auth.so.1, or pam_dial_auth.so.1, so that a local user is checked with the password pam_winbind already collected instead of being prompted a second time.
2. To the account section of each relevant service, add a line like the following at the beginning:
other   account sufficient   pam_winbind.so.1
Because this line is sufficient and comes first, a user that pam_winbind accepts skips the pam_roles, pam_projects, and pam_unix_account checks that follow it.
3. For example, on Solaris 9, the lines for other services in /etc/pam.conf might look like this:
other   auth      sufficient   pam_winbind.so.1
other   auth      required     pam_unix.so.1 try_first_pass
other   account   sufficient   pam_winbind.so.1
other   account   requisite    pam_roles.so.1
other   account   required     pam_projects.so.1
other   account   required     pam_unix_account.so.1
other   session   required     pam_unix_session.so.1
other   password  required     pam_dhkeys.so.1
other   password  requisite    pam_authtok_get.so.1
other   password  requisite    pam_authtok_check.so.1
other   password  required     pam_authtok_store.so.1
5. In /opt/local/etc/sshd_config, the UsePAM parameter should be set to yes.


6. Create an init script and symlinks as described in the procedure to enable AD
authentication on a Samba server. However, you only need to run winbindd, not nmbd
or smbd.
3. Enable Active Directory lookups and authentication.
1. Join the host to the Active Directory domain as described in the procedure to enable AD
authentication on a Samba server.
2. Kill the nscd process, and disable it from starting again (its own passwd and group cache would otherwise sit in front of winbind).
1. If you have rcstart installed, you can run: sudo /etc/init.d/nscd stop; sudo rcstart -n nscd.
3. Start winbindd with the init script.
4. Test AD lookups and authentication.
1. Test Active Directory connectivity via Kerberos and LDAP.
1. Use /opt/local/samba/bin/wbinfo -n username to get the SID for
an AD username.
2. Use /opt/local/samba/bin/wbinfo -s SID to get the username or
group name for an AD SID.
3. Use /opt/local/samba/bin/wbinfo -g to get the list of AD groups.
(This can take a while if there are a lot of groups, and may take several tries until
winbindd can receive and cache the results.)
2. Test lookups via the name service switch.

1. id username should provide the UNIX UID and primary group for the
specified AD user.
2. getent group groupname should provide the UNIX GID and members of
the specified AD group.
3. Use chown and chgrp to change file and directory ownerships to AD users and
groups, and verify that ls -l displays the AD usernames and group names.
3. Test authentication via PAM.
1. Login with an AD username and password, via SSH for instance.
Once logged in as an AD user, you should be able to use id or groups
to get the full list of AD groups to which the user belongs.
2. Test read/write access to files and directories owned by AD users and groups.
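Before running the live tests in step 4, it is worth linting copies of the files edited in step 2 of both procedures above. The script below is an added example, not part of the original procedure: it checks that krb5.conf's default_realm is upper case, that smb.conf has security = ADS, a realm matching the Kerberos realm and a parsable idmap uid range, that nsswitch.conf consults winbind for passwd and group, and that in pam.conf every pam_winbind auth line precedes the pam_unix, pam_unix_auth or pam_dial_auth line for the same service and those lines carry try_first_pass. Every check takes file paths, so it can be pointed at copies; the files written by write_samples are constructed for the stand-alone run and are not any site's real configuration.

```shell
#!/bin/sh
# Added example, not part of the original procedure: offline lint for the
# krb5.conf, smb.conf, nsswitch.conf and pam.conf edits described above.
# The sample files written by write_samples are constructed for illustration.

krb5_realm() {  # default_realm from a krb5.conf, whitespace stripped
    awk -F= '/^[ \t]*default_realm[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

smb_param() {  # smb_param FILE NAME: value of one parameter, name matched case-insensitively
    awk -v name="$2" -F= '
        $1 ~ /^[ \t]*[;#]/ || NF < 2 { next }
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
          if (tolower(key) == tolower(name)) {
              val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
              print val; exit } }' "$1"
}

check_krb5() {  # realm must exist and be upper case, or kinit against AD fails
    realm=$(krb5_realm "$1")
    [ -n "$realm" ] || { echo "krb5.conf: no default_realm"; return 1; }
    case "$realm" in
        *[[:lower:]]*) echo "krb5.conf: realm $realm must be upper case"; return 1 ;;
    esac
}

check_smb() {  # check_smb SMB.CONF KRB5.CONF: security, realm agreement, idmap uid range
    rc=0
    sec=$(smb_param "$1" security | tr '[:upper:]' '[:lower:]')
    [ "$sec" = "ads" ] || { echo "smb.conf: security = ADS required (got '$sec')"; rc=1; }
    smb_realm=$(smb_param "$1" realm | tr '[:lower:]' '[:upper:]')
    krb_realm=$(krb5_realm "$2")
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ] ||
        { echo "smb.conf: realm '$smb_realm' does not match krb5 default_realm '$krb_realm'"; rc=1; }
    case "$(smb_param "$1" 'idmap uid')" in
        [0-9]*-[0-9]*) ;;
        *) echo "smb.conf: idmap uid must be LOW-HIGH"; rc=1 ;;
    esac
    return $rc
}

check_nsswitch() {  # passwd and group must consult winbind
    rc=0
    for db in passwd group; do
        grep "^$db:.*winbind" "$1" >/dev/null || { echo "nsswitch.conf: $db does not list winbind"; rc=1; }
    done
    return $rc
}

check_pam() {  # per service: pam_winbind auth before pam_unix*, and pam_unix* carries try_first_pass
    awk 'BEGIN { bad = 0 }
        /^[ \t]*#/ || NF < 4 || $2 != "auth" { next }
        $4 ~ /pam_winbind\.so/ { if (!($1 in wb)) wb[$1] = NR; next }
        $4 ~ /pam_(unix|unix_auth|dial_auth)\.so/ {
            lines[$1] = lines[$1] " " NR
            if ($0 !~ /try_first_pass/) missing[$1] = missing[$1] " " $4 }
        END {
            for (svc in wb) {
                n = split(lines[svc], l, " ")
                for (i = 1; i <= n; i++) if (l[i] + 0 < wb[svc])
                    { printf "pam.conf: %s: line %d runs before pam_winbind (line %d)\n", svc, l[i], wb[svc]; bad = 1 }
                if (missing[svc] != "")
                    { printf "pam.conf: %s: try_first_pass missing on%s\n", svc, missing[svc]; bad = 1 } }
            exit bad }' "$1"
}

write_samples() {  # constructed samples written into directory $1, not a real site's files
    printf '[libdefaults]\n    default_realm = AD.EXAMPLE.COM\n[realms]\n    AD.EXAMPLE.COM = {\n        kdc = dc1.ad.example.com\n    }\n' > "$1/krb5.conf"
    printf '[global]\n    realm = ad.example.com\n    security = ADS\n    idmap uid = 100000-200000\n' > "$1/smb.conf"
    printf 'passwd: files winbind [TRYAGAIN=2]\ngroup: files winbind [TRYAGAIN=2]\n' > "$1/nsswitch.conf"
    printf 'other auth sufficient pam_winbind.so.1\nother auth required pam_unix.so.1 try_first_pass\n' > "$1/pam.conf"
    # deliberately wrong: pam_unix first and without try_first_pass
    printf 'other auth required pam_unix.so.1\nother auth sufficient pam_winbind.so.1\n' > "$1/pam.conf.bad"
}

lint_dir() {  # run every check on the files in DIR; non-zero if anything failed
    rc=0
    check_krb5 "$1/krb5.conf" || rc=1
    check_smb "$1/smb.conf" "$1/krb5.conf" || rc=1
    check_nsswitch "$1/nsswitch.conf" || rc=1
    check_pam "$1/pam.conf" || rc=1
    return $rc
}

# Stand-alone run on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
lint_dir "$demo_dir" && echo "sample configuration passes"
check_pam "$demo_dir/pam.conf.bad" || echo "pam.conf.bad rejected, as intended"
rm -rf "$demo_dir"
```

To use it on a host, copy the four files into a scratch directory and call lint_dir on it; the realm comparison is the check most often missed, since smb.conf takes the realm in either case while kinit needs it in upper case.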

Mapping Active Directory Users to Existing UNIX UIDs
Use this procedure on systems where AD user accounts should correspond to UNIX user accounts on
other systems. Among other things, this allows NFS shares from a UNIX server to work on an Active
Directory UNIX client. The normal behavior of winbind is to arbitrarily assign UIDs to users from the
range specified in smb.conf. GIDs will continue to be assigned to groups automatically by winbind
after following this procedure.
Open issue: Is there any way to restrict login access to an AD client? (pam_winbind's require_membership_of option, available in later Samba 3.0.x releases, is one thing to check.)
1. Enable AD authentication as described above.
2. Ensure that the range specified by idmap uid in smb.conf covers the range of UNIX UIDs to which accounts will be assigned; winbind lookups for UIDs outside that range will fail.
NB: It's best not to use this procedure on systems that have a mix of AD accounts and
UNIX accounts. If both types of accounts have UIDs within the same range, then
winbind could automatically assign a UID for an existing UNIX account to an
inappropriate AD account.
3. Install wbuser, a custom script used to list, add, and remove the UID/SID mappings stored in
/opt/local/samba/var/locks/winbindd_idmap.tdb.
4. If desired, print a list of the current mappings with wbuser -l.
5. For each user, execute sudo wbuser -a username UID, where username is the AD
username, and UID is the UNIX UID assigned to it.
6. Create a home directory for the user if necessary.
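The two failure modes in this procedure, a UID outside the idmap uid range and a local account whose UID winbind may also hand to an AD user, are both checkable before anything is written to winbindd_idmap.tdb. The script below is an added example; it is not the wbuser script mentioned above, which is not reproduced here. It reads the idmap uid range from smb.conf, takes a passwd file and a plan of "aduser UID" lines, rejects out-of-range and duplicate UIDs, reports local accounts inside the winbind range, and on a clean plan prints the wbuser -a commands from step 5. All inputs written by write_samples are constructed for illustration.

```shell
#!/bin/sh
# Added example; not the page's wbuser script. Validates a planned set of
# AD user to UID assignments against the smb.conf idmap uid range and the
# local passwd file. Sample inputs from write_samples are constructed.

idmap_range() {  # print "LOW HIGH" from the idmap uid parameter of smb.conf
    awk -F= 'tolower($1) ~ /^[ \t]*idmap uid[ \t]*$/ {
        gsub(/[ \t]/, "", $2); sub(/-/, " ", $2); print $2; exit }' "$1"
}

local_collisions() {  # local_collisions PASSWD LOW HIGH: accounts whose UID winbind may also assign
    awk -F: -v lo="$2" -v hi="$3" '($3 + 0 >= lo + 0 && $3 + 0 <= hi + 0) { print $1 ":" $3 }' "$1"
}

plan_mappings() {  # plan_mappings PLAN LOW HIGH: validate, then print the wbuser commands of step 5
    awk -v lo="$2" -v hi="$3" 'BEGIN { bad = 0; n = 0 }
        /^[ \t]*(#|$)/ { next }
        NF != 2 || $2 !~ /^[0-9]+$/ { printf "line %d: expected \"aduser UID\": %s\n", NR, $0; bad = 1; next }
        ($2 + 0 < lo + 0 || $2 + 0 > hi + 0) { printf "%s: uid %s outside idmap uid %s-%s\n", $1, $2, lo, hi; bad = 1; next }
        $2 in seen { printf "%s: uid %s already planned for %s\n", $1, $2, seen[$2]; bad = 1; next }
        { seen[$2] = $1; cmd[++n] = "sudo wbuser -a " $1 " " $2 }
        END { if (!bad) for (i = 1; i <= n; i++) print cmd[i]; exit bad }' "$1"
}

check_plan() {  # check_plan SMB.CONF PASSWD PLAN: non-zero if anything is wrong
    set -- "$1" "$2" "$3" $(idmap_range "$1")
    [ -n "$5" ] || { echo "$1: no idmap uid = LOW-HIGH parameter"; return 1; }
    rc=0
    if [ -n "$(local_collisions "$2" "$4" "$5")" ]; then
        echo "local accounts inside idmap uid $4-$5 (move them or change the range):"
        local_collisions "$2" "$4" "$5"; rc=1
    fi
    plan_mappings "$3" "$4" "$5" || rc=1
    return $rc
}

write_samples() {  # constructed inputs written into directory $1
    printf '[global]\n    security = ADS\n    idmap uid = 1000-60000\n    idmap gid = 100000-200000\n' > "$1/smb.conf"
    printf 'root:x:0:0:root:/:/bin/sh\noracle:x:1001:100:Oracle:/export/home/oracle:/bin/sh\n' > "$1/passwd"
    printf 'root:x:0:0:root:/:/bin/sh\n' > "$1/passwd.clean"
    printf 'alice 1002\ndave 1003\n' > "$1/plan.good"
    printf '# aduser uid\nalice 1002\nbob 70000\ncarol 1002\n' > "$1/plan.bad"
}

# Stand-alone run: the first plan is rejected, the second prints the wbuser commands.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_plan "$demo_dir/smb.conf" "$demo_dir/passwd" "$demo_dir/plan.bad" || echo "plan rejected, as intended"
check_plan "$demo_dir/smb.conf" "$demo_dir/passwd.clean" "$demo_dir/plan.good"
rm -rf "$demo_dir"
```

The collision report is the check behind the NB above: with the range lowered to cover existing UNIX UIDs, any local account inside it is one winbind could silently alias to an AD user, so either move that account or keep the two populations on separate systems.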
