Daily Archives: September 19, 2004
Getting Samba to authenticate to a Windows Domain
Introduction
Samba is a tool best known for its ability to provide Windows file sharing capabilities on Linux/Unix platforms. With very little effort you can set up a Samba file server which will cost you very little. If you had to go out and buy one of the Windows server editions you’d be up for at least a couple of thousand dollars in Windows licenses.
In addition to basic file serving, Samba can actually join your Windows domain, which allows it to authenticate users against your Windows security infrastructure. There’s no need to synchronise user databases between systems, because Samba reads all this information directly from your domain controller(s). So restricting access to Samba shares to particular Windows users or groups is simply a matter of a little configuration.
This also opens the door for other applications running in your unix environment to authenticate against a Windows Domain. For example, authenticating users when accessing the internet through a Squid web proxy (but I’ll leave the configuration of that for another day…).
Installation
I’m not going to go into too much detail here, because installation is usually handled pretty well by most Linux distributions. We use Debian Linux, which automates most of the installation process. If you want to roll it yourself, grab it from the Samba download page and follow the very good documentation. If, like us, you use Debian, just run:
# apt-get install samba winbind
Winbind is the part of Samba that is responsible for integrating Windows authentication and the user database into Unix.
NOTE: I’m assuming you’re using Samba 3.0.x, which has been out since Sept 2003, so there’s no good reason not to be running it. I’m using 3.0.7 because it provides the latest and greatest functionality to authenticate to a Windows domain… and fixes a couple of issues.
Configuration
Open up the Samba config file smb.conf, which on Debian is located in /etc/samba.
First set the workgroup setting to the name of your windows domain, e.g.
workgroup = MYDOMAIN
To instruct Samba to use the domain for its user/group database you need to set the security setting as follows:
security = DOMAIN
To allow winbind to map windows users and groups into the unix world you need to instruct winbind which uid and gid ranges to use. Make sure these don’t overlap with entries in your /etc/passwd and /etc/group files. Add entries like the following:
idmap uid = 10000-20000
idmap gid = 10000-20000
And by setting the following you won’t have to prefix your usernames with the domain (i.e. MYDOMAIN\user) from within Unix, because the default domain will be assumed.
winbind use default domain = Yes
Then save your changes to smb.conf.
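The warning above that the idmap ranges must not overlap local accounts is easy to get wrong, so here is an added check script (example code, not from the original post): it reads the idmap uid/gid settings from smb.conf and counts the /etc/passwd and /etc/group entries whose ids fall inside those ranges. The smb.conf, passwd and group files it reads are constructed samples so it runs offline; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the idmap uid/gid
# ranges in smb.conf do not collide with local accounts in /etc/passwd and
# /etc/group. The files below are constructed samples so it runs offline;
# on a real Samba host point the three paths at /etc/samba/smb.conf,
# /etc/passwd and /etc/group instead.

# Print "LOW HIGH" for a setting like "idmap uid = 10000-20000".
# $1 = smb.conf path, $2 = setting name ("idmap uid" or "idmap gid")
idmap_range() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p" "$1" | head -n 1
}

# Count lines of a passwd/group style file whose numeric id (field 3)
# lies inside [low, high].  $1 = file, $2 = low, $3 = high
count_overlaps() {
    awk -F: -v lo="$2" -v hi="$3" '$3 >= lo && $3 <= hi { n++ } END { print n + 0 }' "$1"
}

# Return 0 when neither range contains a local uid/gid, 1 otherwise.
# $1 = smb.conf, $2 = passwd file, $3 = group file
check_idmap() {
    conf=$1 pw=$2 gr=$3
    set -- $(idmap_range "$conf" "idmap uid"); ulo=$1 uhi=$2
    set -- $(idmap_range "$conf" "idmap gid"); glo=$1 ghi=$2
    [ -n "$uhi" ] && [ -n "$ghi" ] || { echo "idmap uid/gid not set in $conf"; return 1; }
    u=$(count_overlaps "$pw" "$ulo" "$uhi")
    g=$(count_overlaps "$gr" "$glo" "$ghi")
    echo "idmap uid $ulo-$uhi: $u local passwd entries inside"
    echo "idmap gid $glo-$ghi: $g local group entries inside"
    [ "$u" -eq 0 ] && [ "$g" -eq 0 ]
}

# Constructed sample inputs mirroring the post's settings.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
   workgroup = MYDOMAIN
   security = DOMAIN
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = Yes
EOF
printf 'root:x:0:0:root:/root:/bin/bash\nmatt:x:1000:1000:Matt:/home/matt:/bin/bash\n' > "$SAMPLE_DIR/passwd"
printf 'root:x:0:\nmatt:x:1000:\n' > "$SAMPLE_DIR/group"

check_idmap "$SAMPLE_DIR/smb.conf" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" \
    && echo "OK: no collisions" || echo "WARNING: adjust idmap ranges"
```

Run it before the net rpc join step; a non-zero exit means a local account already sits inside the range winbind will hand out.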
Joining the Domain
Before you restart your Samba daemons for the changes to take effect, you need to do the following to join your Samba machine to the Windows domain. You’ll probably need to be running as root. The username/password you specify here is an Admin user on your Windows domain that has permission to add machines to the domain.
# net rpc join -UAdministrator%'password'
Joined domain MYDOMAIN.
Now you can (re)start your Samba services (smbd, nmbd, winbind). On Debian do:
# /etc/init.d/samba restart
Stopping Samba daemons: nmbd smbd.
Starting Samba daemons: nmbd smbd.
# /etc/init.d/winbind restart
Restarting the Winbind daemon: winbindd.
Now you have to tell your system to use winbind in addition to the standard files (/etc/passwd and /etc/group) as a user/group database. To do this edit /etc/nsswitch.conf as follows:
passwd: files winbind
group: files winbind
hosts: files dns winbind
And then we need to tell winbind what user to use when initiating sessions to your domain controller. To do this (using an admin user on your domain):
# wbinfo --set-auth-user=Administrator%password
Testing it all
And finally we should be able to test that all the above works...
# wbinfo -u
MYDOMAIN\Administrator
MYDOMAIN\Guest
MYDOMAIN\matt
... remainder of domain users ...
If you got a list of users from your domain then we’re cooking with gas! wbinfo -g will give you a list of all your domain groups.
To check that winbind is doing its job you should be able to query the Unix user database and find users from your Windows domain, like below:
# getent passwd Administrator
Administrator:x:10000:10000::/home/MYDOMAIN/Administrator:/bin/false
Woohoo... it’s working. Winbind is authenticating to the Windows domain. More later on useful ways to make use of this.