Configuring Samba to use the Domain Security Mode
CONFIGURING SAMBA TO USE THE DOMAIN SECURITY MODE
The intended audience of this article are those who are already experienced with configuring Samba. It is not meant to be an introduction to Samba. It is assumed that the reader has sucessfully configured a Samba server in the past using the share or user security modes or has a thorough understanding of how it is done. The reader would not need experience in configuring Samba to act as a Primary Domain Controller(PDC). This article is not intended for those who have never used Samba before.
The intent of this article is to show you how to configure your Samba server to function as a Domain Member Server in a Windows 2k/2k3 Active Directory(AD) domain, a Windows NT 4 type domain or a Samba PDC domain. This involves using the security = domain option in your smb.conf file.
This will work with an AD domain in native or mixed mode. If the AD domain is operating in native mode, it must permit the use of NT comptible authentication protocols. If it doesn't, you need to use the ADS security mode which is discussed in another article.
In this article, when I use the word domain it refers to any of the 3 types of domains just mentioned.
Why would you want to do this? This eliminates the need to create separate Samba user accounts on your Linux server so your Windows users can access the Samba shares. Besides eliminating a lot of administrative overhead, without this, you would need to try to keep the password for the Samba user account synched with the password for the user in the domain. If you didn't and a Windows user changed their password, they would be prompted for a password every time they accessed a Samba share.
Also, if you want to use winbind, your Samba server MUST be a domain member server. Winbind is beyond the scope of this article and is covered an another article.
The only distribution of Linux I've tried this on is Red Hat so that's what this article is geared towards. It should work on any distribution of Linux however.
This is the setup on my network:
Samba Member Servers:
Red Hat 7.2 with Samba 2.2.8a
host/NetBIOS name - smblinux(10.10.1.37)
Red Hat 9 with Samba 3.0
host/NetBIOS name - net3(10.10.1.43)
Win2k AD DC running SP4
Machine name - pe500sc(10.10.1.35)
Second Win2k AD DC named mainnt(10.10.1.3)
AD domain name - the_cowans
Network domain name - the_cowans.com
Running DNS for the entire network
Running WINS for the entire network
The configurations in this article will work with either Samba 2.2 or 3. The only difference is the command used to join the domain as we shall see.
It is assumed that the reader already has Samba installed on their Linux machine.
Before you make the configuration changes to your smb.conf file and execute the commands to join the domain, be sure you stop the Samba services running on your Linux machine.
Here's what my smb.conf file on the Samba member server looks like with the options that pertain to the domain membership in bold:
netbios name = smblinux
server string = Samba Domain Member server
# The following three lines define the domain, the security mode
# and the servers the Samba server can use for authentication
workgroup = the_cowans
security = domain
password server = 10.10.1.35, 10.10.1.3
# The following 3 lines ensure that the Samba server won't compete
# with the domain controller to be the master browser on the network.
# These lines can be used with any Samba server, not necessarily a domain
# member server. However, with the presence of a domain controller on the
# the network, they are especially important.
local master = no
domain master = no
preferred master = no
# Since we are authenticating with a domain controller, we must use
# encrypted passwords
encrypt passwords = yes
# Our printing setup
printcap name = /etc/printcap
load printers = yes
printing = lprng
log file = /var/log/samba/%m.log
max log size = 0
#Network performance option
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Since we're using WINS on the network, have the Samba serve register with it
wins server = 10.10.1.3
dns proxy = no
#============================ Share Definitions ==============================
# A share any authenticated user can read/download from but only
# rlcowan can write to
path = /sharefile
browseable = yes
writeable = no
write list = rlcowan
guest ok = no
# A free for all share that any authenticated user can read/write to
path = /public
browseable = yes
writeable = yes
guest ok = no
#Share out all printers
comment = All Printers
path = /var/spool/samba
browseable = yes
guest ok = yes
writable = no
printable = yes
The only difference in the smb.conf files for the 2 domain member servers I have is the netbios name line. On the Red Hat 7.2 machine it says netbios name = smblinux. On the Red Hat 9 machine it says netbios name = net3.
Once you make the changes to smb.conf and before you start Samba, you need to join the domain. Before you do so there are several things that you need to do:
- if there is a file named /etc/samba/secrets.tdb either delete, move or rename it. This file would be from any previous connections to the domain. A new one will be created when you join the domain.
- if there is a file named /etc/samba/machine.sid, do the same thing to it
- Create a machine account in your domain for your Samba server. If there is an existing machine account for the server, delete it and create a new one. In my Win2k AD domain, I checked the box that said "Allow pre-Windows 2000 computers to use this account" in the New Object-Computer dialog box. On a Samba PDC, you need to create both a Linux user account and a Samba machine account.
- if your Windows domain is an AD domain, make sure your Linux machine is using the DNS servers for that domain as it's name servers. These name servers should be listed in /etc/resolv.conf.
Here's the commands you use as root to join the domain.
If your Samba domain member server is running Samba 2.2 execute:
smbpasswd -j DOMAIN_NAME -r PDC_NAME -U Administrator%password
You need to use a username that has permission to join computers to the domain. In my case the command looked like this:
[root@smblinux samba]# smbpasswd -j the_cowans -r pe500sc -U rlcowan%password
2003/12/20 13:56:37 : change_trust_account_password: Changed password for domain THE_COWANS.
Joined domain THE_COWANS.
After that you will see a new secrets.tdb file in /etc/samba. If you look at the properties for the machine account on your domain server, it should show the OS as Windows NT 4.0. This is the default for Samba 2.2.
If your Samba domain member server is running Samba 3 execute:
net rpc join -S servername -Uadministrator%password
Even though the Samba 3 documentation says it is not necessary with Samba 3 to specify the DOMAIN_NAME or the PDC_NAME, I found that I needed to provide the server name of the domain controller with the -S option.
On my Red Hat 9 machine running Samba 3.0 I executed:
[root@Net1 etc]# net rpc join -S pe500sc -Urlcowan%123password
Joined domain THE_COWANS.
After that you will see a new secrets.tdb file in /etc/samba. If you look at the properties for the machine account on your domain server, it will probably show no OS listed.
Once you've successfully joined the domain, start Samba in Red Hat using:
service smb start
or use whatever command you use with your distribution to start Samba. You are now ready to assign permissions and test your Samba domain member server.
If you have problems joining the domain, check for mistakes in your smb.conf file and make any needed corrections. Before you attempt to join the domain again, remove and recreate the machine accounts you created on the domain controller and remove the secrets.tdb file on your Samba domain member server.
The quickest test is to use the smbclient command on your Samba member server to test authentication via the domain controller. Execute something similar to this:
[root@Net3 root]# smbclient -L net3 -Urlcowan
Use a user account that is in your domain and that also has a matching Linux user account on the local server. The results should look similar to this:
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Domain Member server)
ADMIN$ IPC IPC Service (Samba Domain Member server)
NET3 Samba Domain Member server
You should now be able to access the shares on your Samba server from your Windows machines. In my case, I have XP Pro machines as clients. I can access the shares on my Samba Domain Member Servers without any problems.
One advantage to using this type of authentication is that you don't need to create Samba user accounts on the Linux server with the smbpasswd command as you do with the user security mode. There is no need for the /etc/samba/smbpasswd file. You and your Windows users only need to be concerned with one user account.
However, each user that accesses the Samba server will still need to have a valid Linux user account on the server that matches the name of their user account in the domain. The purpose of this account is to control access to the the Linux file system. The password for that account does not need to match the Win2k AD domain account password. The account doesn't even need to have the ability to log in locally to the Linux machine. It does have to exist however and it must have the proper permissions to the directories you are sharing out with Samba for the user to access them. This is really no different than when using the user security mode with Samba.
To get around the need for for local Linux user accounts, you need to use winbind. But that's the subject of another article.
If God hadn't meant for us to use GUI tools, there wouldn't have been a Xerox PARC.