Getting Samba to authenticate to a Windows Domain
Samba is a tool most known for it’s ability to provide windows file sharing cababilities to linux/unix platforms. With very little effort you can set up a Samba file server which will cost you very little. If you had to go out and buy one of the Windows server editions you’d be up for at least a couple of thousand dollars in windows licenses.
In addition to basic file server, Samba actually join your Windows Domain, which allows it to authenticate users against your Window security infrastructure. There’s no need to synchronise user databased between systems, because Samba reads all this information directly from your domain controller(s). So restricting access to Samba shares to particular Windows users or groups is simply a matter of a little configuration.
This also opens the door for other applications running in your unix environment to authenticate against a Windows Domain. For example, authenticating users when accessing the internet through a Squid web proxy (but I’ll leave the configuration of that for another day…).
I’m not going to go into too much detail here, because installation is usually handled pretty well by most linux distributions. We user Debian Linux which automates most of the installation process. If you want to roll it your self grab it from the Samba download page and follow the very good documentation. If like us you use Debian just run:
# apt-get install samba winbind
Winbind is the part of samba that is responsible for for integrating windows authentication and the user database into unix.
NOTE: I’m assuming you’re using Samba 3.0.x, which has been out since Sept 2003, so there’s no good reason not to be running it. I’m using 3.0.7 because it provides the latest and greatest functionality to authenticate to a Windows domain… and fixes a couple of issues.
Open up the Samba config file
smb.conf, which on Debian is located
First set the
workgroup setting to the name of your windows domain, e.g.
workgroup = MYDOMAIN
To instruct Samba to use the domain for it’s user/group database you need to set the
security settting as follows:
security = DOMAIN
To allow winbind to map windows users and groups into the unix world you need to instruct winbind which uid and gid ranges to use. Make sure these don’t overlap with entries in your
/etc/group files. Add entries like the following:
idmap uid = 10000-20000 idmap gid = 10000-20000
And by setting the following you won’t have to prefix your usernames with the domain (i.e. MYDOMAINuser) from within unix, because the default domain will be assumed by default.
winbind use default domain = Yes
Then save your changes to
Joining the Domain
Before you restart your Samba daemons for the changes to take effect, you need to do the following to join your Samba machine to the windows domain. You’ll probably need to be running as root. The username/password you specify here is a Admin user on your windows domains that has permission to add machines to the domain.
# net rpc join -UAdministrator%'password' Joined domain MYDOMAIN.
Now you can (re)start your sambe service (smbd, nmbd, winbind). On Debian do:
# /etc/init.d/samba restart Stopping Samba daemons: nmdb smbd. Starting Samba daemons: nmdb smbd. # /etc/init.d/winbind restart Restarting the Winbind daemon: winbindd.
Now you have to tell your system to use winbind in addition to the standard files (
/etc/group) as a user/group database. To do this edit
/etc/nsswitch.conf as follows:
passwd: files winbind group: files winbind hosts: files dns winbind
And then we need to tell winbind what user to use when initiating sessions to your domain controller. To do this (using an admin user on your domain):
# wbinfo --set-auth-user=Administrator%password
Testing it all
And finally we should be able to test that all the above works ….
# wbinfo -u MYDOMAINAdministrator MYDOMAINGuest MYDOMAINmatt ... remainder of domain users ...
If you got a list of users from your domain then we’re cooking with gas!
wbinfo -g will give you a list of all your domain groups.
To check that winbind is doing it’s job you should be able to query the unix user database and find users from your windows domain, like below:
# getent passwd Administrator Administrator:x:10000:10000::/home/MYDOMAIN/Administrator:/bin/false
Woohoo … it’s working. Winbind is authenticating to the windows domain. More later on useful ways on how to make use of this.