Authentication on UNIX
Enabling Active Directory Authentication on a Samba Server
Enable AD-based authentication to your Samba shares.
The following procedure has been tested with Solaris 8 and 9, Samba 3.0.12pre1 and 3.0.13, MIT
Kerberos V5 1.4, and OpenLDAP 2.2.24. Software was compiled with GCC 3.3.2. The procedure
assumes installations based in /opt/local.
1. Download and install the required software.
1. Before installing, make sure that /usr/ucb is not in your PATH environment variable,
or at least that it's toward the end.
2. Build and install MIT Kerberos V5.
1. Download from the MIT Kerberos site and unpack.
2. From the src subdirectory: ./configure --prefix=/opt/local
3. make
4. sudo make install
3. Build and install OpenLDAP.
1. Download from the OpenLDAP site and unpack.
2. ./configure --prefix=/opt/local --disable-bdb
--enable-null --without-tls
(--without-tls builds the OpenLDAP client library without StartTLS/LDAPS support. That is acceptable for this setup because Samba in ADS mode binds to the domain controllers' LDAP service with Kerberos over SASL, not with a simple bind, so no password crosses the network in the clear.)
3. make depend
4. make
5. sudo make install
4. Build and install Samba.
1. Download from the Samba site and unpack.
2. Set the CFLAGS environment variable to "-O2".
3. Set the LDFLAGS environment variable to "-L/opt/local/lib -Wl,-R/opt/local/lib" (the -R runpath lets the Samba binaries find the Kerberos and LDAP libraries in /opt/local/lib without LD_LIBRARY_PATH).
4. Set the CPPFLAGS environment variable to "-I/opt/local/include".
5. From the source subdirectory: ./configure --prefix=/opt/local
--exec-prefix=/opt/local/samba --with-logfilebase=/var/log --with-sslinc=/opt/local/ssl/include --with-ssllib=/opt/local/lib --with-included-popt --with-smbwrapper --with-syslog --with-automount --with-pam
--with-ldap --with-ads --with-winbind --with-krb5=/opt/local
6. make
7. sudo make install
2. Configure the server.
1. Add the Active Directory DNS suffix (e.g. ad.example.com) to the search
statement in /etc/resolv.conf.
Lines to add to /etc/pam.conf, ahead of the existing pam_unix entries for the same service:

    auth     sufficient  pam_winbind.so.1
    account  sufficient  pam_winbind.so.1

The resulting stack, in order (every line in /etc/pam.conf also begins with the service name, e.g. other for the default stack; that column is not shown here):

    auth      sufficient  pam_winbind.so.1
    auth      required    pam_unix.so.1 try_first_pass
    account   sufficient  pam_winbind.so.1
    account   requisite   pam_roles.so.1
    account   required    pam_projects.so.1
    account   required    pam_unix_account.so.1
    session   required    pam_unix_session.so.1
    password  required    pam_dhkeys.so.1
    password  requisite   pam_authtok_get.so.1
    password  requisite   pam_authtok_check.so.1
    password  required    pam_authtok_store.so.1

pam_winbind is marked sufficient rather than required so that a domain outage falls through to pam_unix and local accounts (including root) can still log in. try_first_pass on pam_unix reuses the password already entered for pam_winbind instead of prompting for it a second time.
1. id username should report the UNIX UID and primary group of the
specified AD user.
2. getent group groupname should report the UNIX GID and members of
the specified AD group.
3. Use chown and chgrp to change the ownership of files and directories to AD users and
groups, and verify that ls -l displays the AD user names and group names.
3. Test authentication via PAM.
1. Log in with an AD username and password, via SSH for instance.
Once logged in as an AD user, you should be able to use id or groups
to get the full list of AD groups to which the user belongs.
2. Test read and write access to files and directories owned by AD users and groups.
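The PAM stack in step 2 is the part of this procedure that is easiest to get subtly wrong: if pam_winbind lands after pam_unix, or is marked required instead of sufficient, logins either prompt twice or fail entirely when the domain is unreachable, and step 3 may still appear to pass while the domain is up. The script below is an added example, not code from the original article or from the Samba project. It lints a Solaris-format /etc/pam.conf for the three properties the stack above relies on. It assumes the five-field Solaris pam.conf layout (service, type, control, module, options) and that the stack being checked lives under the "other" service; the two sample files it writes are constructed here for illustration and are not real system files.

```shell
#!/bin/sh
# Added example (not from the original article): lint a Solaris-style
# /etc/pam.conf for the winbind stacking used in step 2.
# Assumptions: 5-field format "service type control module [options]",
# and the stack of interest is the "other" (default) service.

# Print the <type> stack for <service> from <pamconf>, in file order, as
# "control module [options]" lines. Comment and blank lines are skipped.
pam_stack() {  # $1 = pam.conf  $2 = service  $3 = auth|account|session|password
    awk -v svc="$2" -v typ="$3" '
        /^[ \t]*(#|$)/ { next }
        $1 == svc && $2 == typ {
            line = $3
            for (i = 4; i <= NF; i++) line = line " " $i
            print line
        }' "$1"
}

# 0 if pam_winbind.so.1 is "sufficient" in the auth stack and listed before
# the first pam_unix* module. "sufficient" matters: a winbind outage then
# falls through to pam_unix, so local and root logins keep working;
# "required" would lock everyone out while the domain is unreachable.
winbind_auth_ok() {
    pam_stack "$1" "$2" auth | awk '
        $2 ~ /pam_winbind\.so/ && $1 == "sufficient" && !seen_unix { ok = 1 }
        $2 ~ /pam_unix/ { seen_unix = 1 }
        END { exit ok ? 0 : 1 }'
}

# 0 if the pam_unix auth entry carries try_first_pass, so the password the
# user typed for winbind is reused instead of being prompted for again.
unix_try_first_pass_ok() {
    pam_stack "$1" "$2" auth | awk '
        $2 ~ /pam_unix/ { for (i = 3; i <= NF; i++) if ($i == "try_first_pass") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# 0 if the account stack also consults winbind. Caveat: with "sufficient"
# here, AD users skip the local pam_unix_account checks (ageing, lock
# status); their account restrictions are the domain's, as pam_winbind
# reports them. Local users still pass through pam_unix_account.
winbind_account_ok() {
    pam_stack "$1" "$2" account | awk '
        $2 ~ /pam_winbind\.so/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Run every check; returns 0 only if all of them pass.
lint_pam() {
    rc=0
    winbind_auth_ok "$1" "$2"        || { echo "auth: pam_winbind must be sufficient and precede pam_unix"; rc=1; }
    unix_try_first_pass_ok "$1" "$2" || { echo "auth: pam_unix lacks try_first_pass (double password prompt)"; rc=1; }
    winbind_account_ok "$1" "$2"     || { echo "account: no pam_winbind entry"; rc=1; }
    return $rc
}

# Constructed sample files (not real system files) so this runs offline.
SAMPLE_DIR=${TMPDIR:-/tmp}/pamlint.$$
GOOD_CONF=$SAMPLE_DIR/good.conf
BAD_CONF=$SAMPLE_DIR/bad.conf
write_samples() {
    mkdir -p "$SAMPLE_DIR"
    # The stack from step 2, with the "other" service name assumed.
    cat > "$GOOD_CONF" <<'EOF'
# constructed sample: correct stacking
other auth     sufficient pam_winbind.so.1
other auth     required   pam_unix.so.1 try_first_pass
other account  sufficient pam_winbind.so.1
other account  requisite  pam_roles.so.1
other account  required   pam_projects.so.1
other account  required   pam_unix_account.so.1
other session  required   pam_unix_session.so.1
other password required   pam_dhkeys.so.1
other password requisite  pam_authtok_get.so.1
other password requisite  pam_authtok_check.so.1
other password required   pam_authtok_store.so.1
EOF
    # A common mistake: winbind appended after pam_unix and marked required.
    cat > "$BAD_CONF" <<'EOF'
# constructed sample: broken stacking
other auth     required pam_unix.so.1
other auth     required pam_winbind.so.1
other account  required pam_unix_account.so.1
EOF
}

write_samples
if lint_pam "$GOOD_CONF" other; then echo "good.conf: OK"; fi
if lint_pam "$BAD_CONF" other; then echo "bad.conf: OK"; else echo "bad.conf: FAIL (expected)"; fi
```

To check a real server, run lint_pam /etc/pam.conf other (or the specific service name, such as sshd, if that service has its own stack) before doing the logins in step 3; a passing lint does not replace the live test, but a failing one explains a double prompt or a lockout during a domain outage.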