->Prerequisites:
Please make sure you have the following patch installed.
Samba support of ADS on default installation is available from Solaris 10 update 4.
The patch is 119757-12 (SPARC); use the latest revision of the patch (-12 at the time of writing), because it also carries fixes from Samba upstream.
Solaris patch
# showrev -p | grep 119757-12
Patch: 119757-12 Obsoletes: Requires: 119042-09, 119254-51, 121901-01, 125077-02 Incompatibles: Packages: SUNWsmbar, SUNWsmbau, SUNWsmbac
#uname -v
Generic_127127-11
Samba version
#smbd -V
Version 3.0.28
DNS and nsswitch
->Add the Samba server to DNS
->Edit /etc/resolv.conf as follows
domain pankajgautam.com
nameserver 10.11.4.62
nameserver 10.11.4.87
search pankajgautam.com
->Edit /etc/inet/hosts with FQDN
root@sun1 # cat /etc/inet/hosts
#
# Internet host table
#
127.0.0.1 localhost
10.11.155.141 sun1.pankajgautam.com sun1 loghost
10.11.155.180 dom1.pankajgautam.com dom1
10.11.4.62 fd913xsm01.pankajgautam.com fd913xsm01
10.11.4.87 fd913xsm02.pankajgautam.com fd913xsm02
->Edit /etc/nsswitch.conf with "dns" for "hosts" and "ipnodes"
Sample file below:
root@sun1 # cat /etc/nsswitch.conf
#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.ldap 1.10 06/05/03 SMI"
#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files winbind ldap
group: files winbind ldap
# consult /etc "files" only if ldap is down.
hosts: dns files wins
# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes: dns files
networks: dns ldap [NOTFOUND=return] files
protocols: db ldap [NOTFOUND=return] files
rpc: db ldap [NOTFOUND=return] files
ethers: db ldap [NOTFOUND=return] files
netmasks: ldap [NOTFOUND=return] files
bootparams: ldap [NOTFOUND=return] files
publickey: ldap [NOTFOUND=return] files
netgroup: ldap
automount: files ldap
aliases: files ldap
# for efficient getservbyname() avoid ldap
services: db files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
tnrhtp: files ldap
tnrhdb: files ldap
Kerberos
-> Edit /etc/krb5/krb5.conf to point to the correct realm and KDC
Sample file below:
root@sun1 # cat /etc/krb5/krb5.conf
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)krb5.conf 1.4 07/11/14 SMI"
#
# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __
# with appropriate values for your network and uncomment the
# appropriate entries.
#
gettime -s fd913xsm01.pankajgautam.com
[libdefaults]
default_realm = pankajgautam.com
dns_lookup_kdc = true
verify_ap_req_nofail = false
[realms]
pankajgautam.com = {
kdc = fd913xsm01.pankajgautam.com
kdc = fd913xsm02.pankajgautam.com
admin_server = fd913xsm01.pankajgautam.com
}
[domain_realm]
.pankajgautam.com = pankajgautam.com
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
gkadmin = {
help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}
-> Start the dns/client service (`svcadm enable dns/client`)
...and most probably reboot
ADS side:
-> Create a domain user with a non-expiring password; this account is used to generate the Kerberos key for the Samba server (see the ktpass step below).
We are reusing the same username that was already created for the STARS LDAP query.
-> Create the Kerberos key for the Samba server with the ADS non-expiring user using the ktpass utility on the command line. Please note that ktpass is part of the "Windows Support Tools", which are not part of the default W2k3 server installation and have to be manually installed from the W2k3 server installation CD.
->download ktpass
Run this on your desktop:
C:\Documents and Settings\p139pkg\Desktop\ktpass>
ktpass -princ adsuser@pankajgautam.com -pass passwd -out samba.keytab
Key created.
Output keytab to samba.key:
Keytab version: 0x502
keysize 48 adsuser@pankajgautam ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8 (0x80109ee07ce64945)
Note: the key above uses etype DES-CBC-CRC, a weak legacy encryption type; if your AD and Solaris versions both support a stronger enctype, prefer that when generating the keytab.
example:
ktpass -princ HOST/s10-pc@SMBSETUP.CZECH.SUN.COM -mapuser s10-pc -pass p@sswd -out s10-pc.keytab
Note: for some reason -mapuser didn't work for me.
Transfer the created samba.keytab file containing the keys to the Samba server over a secure channel (e.g. scp), because the keys are highly sensitive; delete the copy on the desktop once it is installed on the server.
Please do not transfer it with `/usr/sfw/bin/smbclient -U Administrator '\\ADSserver\cifs_share'`, because CIFS is not a secure transport at this point.
Install the key from the samba.keytab to /etc/krb5/krb5.keytab using ktutil:
run this on the samba server:
root@sun1 # ktutil
ktutil: list - list all the keys if any
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
ktutil: rkt /opt/samba/samba.keytab - read the keytab file
ktutil: list
slot KVNO Principal - list all the keys if any
---- ---- ---------------------------------------------------------------------
1 1 adsuser@pankajgautam.com
ktutil: wkt /etc/krb5/krb5.keytab - write the keys to /etc/krb5/krb5.keytab
^D - quit ktutil
Joining samba server to ADS:
Before joining, make sure samba, wins, winbind and swat are disabled:
root@sun1 # svcadm disable samba winbind swat
Sync the system time with ADS (Kerberos rejects requests when the clocks are too far apart):
ntpdate 10.11.4.64
then join to ADS
root@sun1 # /usr/sfw/sbin/net ads -d3 join -U 'pankaj%123'
Using short domain name -- pankajgautam
Joined 'sun1' to realm 'pankajgautam.com'
Note: -d3 sets debug level 3; the output shown above was captured without -d3. Passing the password inline as `-U 'user%password'` (and `-pass` on the ktpass command line above) leaves it in shell history and visible in the process list; prefer `-U user` and enter the password at the prompt.
Initialize the Kerberos credentials:
kinit adsuser@pankajgautam.com
Enable Winbind
root@sun1 # svcadm enable winbind
Edit /etc/nscd.conf as below:
enable-cache hosts no
enable-cache group no
enable-cache passwd no
Run these commands to confirm that the Samba server is joined to ADS:
# /usr/sfw/sbin/net ads info
LDAP server: 10.11.4.62
LDAP server name: FD913XSm01.pankajgautam.com
Realm: pankajgautam.com
Bind Path: dc=pankajgautam,dc=com
LDAP port: 389
Server time: Fri, 07 Nov 2008 22:22:23 PST
KDC server: 10.11.4.62
Server time offset: 2
# /usr/sfw/bin/wbinfo -u - list all users
# /usr/sfw/bin/wbinfo --own-domain - list your domain
pankajgautam
# /usr/sfw/bin/wbinfo --sequence
MCV : 499
GOVERSEAS : 114274864
DINES : DISCONNECTED
sun1 : 1226126600
pankajgautam : 296264466
# /usr/sfw/bin/wbinfo -m
ACS-INDIA
SPI
FOREIGN
DINES
GOVERSEAS
FADV
pankajgautam
# /usr/sfw/bin/wbinfo -n adsusername
S-1-5-21-2050513582-853017349-972441984-324865 User (1)
Enable samba and Wins services
root@sun1 # svcadm enable wins samba
Configure smb.conf
The smb.conf below configures the idmap backend to use the RID (part of the SID) to map SIDs to POSIX uid/gid. This simple idmap backend ensures the mapping is the same on several Samba servers running in the same domain on the network, so it can be used for clustering of the Samba services, where a shared volume is exported by several Samba servers, for instance over NFSv4 or SAM-QFS.
root@sun1 # cat /etc/sfw/smb.conf
[global]
workgroup = pankajgautam
server string = Sparkey Samba Server
security = ads
realm = pankajgautam.com
auth methods = winbind guest sam
use kerberos keytab = true
winbind refresh tickets = true
# winbind configuration
# winbind separator defaults to '\', which is fine
winbind normalize names = yes
#winbind separator = +
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
#winbind nss info = template
winbind nss info = sfu
#template homedir = /samba/home/%D/%U
#template shell = /bin/true
idmap domains = pankajgautam
idmap config pankajgautam:backend = rid
idmap config pankajgautam:base_rid = 500
#idmap config pankajgautam:default = yes
idmap config pankajgautam:readonly = yes
idmap config pankajgautam:range = 100000 - 19999999999999
#idmap uid = 1000000 - 5999999999999
#idmap gid = 1000000 - 5999999999999
idmap config pankajgautam:schema = rfc 2307
idmap alloc backend = tdb
idmap alloc config:range = 1000 - 1000000000
invalid users = root bin daemon lp sys tty
log file = /var/samba/log/log.%m
log level = 3 printdrivers: 0 lanman: 0 smb: 1 rpc_parse: 0 rpc_srv: 0 rpc_cli: 0 passdb: 1 sam: 0 auth: 5 \
winbind: 5 vfs: 0 idmap: 0 quota: 0 acls: 0 locking: 0 msdfs: 0 dmapi: 0
max log size = 1024
#============================ Share Definitions ==============================
# NOTE: [HotFolders] below is "public = yes" and "writable = yes", i.e. guest-writable
# with the guest auth method enabled above; restrict it (e.g. valid users / read only)
# unless anonymous write access is actually intended.
[HotFolders]
comment = Folders Stuff
path = /opt/test
public = yes
writable = yes
printable = no
force group = dam
Hi ,
This post is really fantastic and useful. Is there any way to configure quotas for each Windows AD user on a Solaris Samba server? I tried to implement quotas on the file system, but the repquota command does not reflect the usage for Windows AD users. Please suggest a solution, if any.
Thanks in advance,
Anbarasu