Samba 3 and joining an Active Directory/domain

Updated 13-February-2004
We have Samba 3.0 running on Fedora Linux 1.0, and also on our MacOS X 10.3 systems. We'd like to be able to join the CIT domain (Active Directory) and seamlessly share files back and forth.

Configuring smb.conf

Note: On Fedora Linux 1.0 the default Samba distribution has some problems -- particularly with smbmount. So we start with rpms for Updates to these RPMs can be found at http://us4.samba.org/samba/ftp/Binary_Packages/Fedora/RPMS/i386/core/1/.

To test with the new DC03 testbed domain, I am starting with an smb.conf file which looks like this (note the netbios name entry -- for dual-boot machines we don't want the samba account to be using the same computer account in the active directory as the Windows environment on that machine). 

netbios name = acdsmb-doctor
realm = DC03.UCAR.EDU
security = ADS
encrypt passwords = yes
wins server = 128.117.233.4 128.117.233.2 128.117.233.3
workgroup = DC03
password server = *

[homes]
        comment = acd-doctor.acd.ucar.edu Home Directories
        browseable = yes
        writeable = yes
        writeable = yes
        preserve case = yes
        short preserve case = yes
[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        printable = yes
Be sure to run "service samba restart" when done with the configuration.

Configuring Kerberos

In addition, we'll need to set up Kerberos authentication. I use an /etc/krb5.conf file which looks like this: 

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = DC03.UCAR.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 DC03.UCAR.EDU = {
  kdc = dc1.dc03.ucar.edu:88
  kdc = dc2.dc03.ucar.edu:88
  kdc = dc3.dc03.ucar.edu:88
  admin_server = dc1.dc03.ucar.edu:749
  default_domain = dc03.ucar.edu
 }

[domain_realm]
 .ucar.edu = DC03.UCAR.EDU
 .acd.ucar.edu = DC03.UCAR.EDU
 .cit.ucar.edu = DC03.UCAR.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
and I use a kdc.conf file which looks like this: 

[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
 DC03.UCAR.EDU = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-cbc-raw:normal des3-cbc-raw:norealm \
    des3-cbc-raw:onlyrealm des3-cbc-sha1:normal des3-cbc-sha1:norealm \
    des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 \
    des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm \
    des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm \
    des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal \
    des-cbc-md5:norealm des-cbc-md5:onlyrealm des-cbc-raw:v4 des-cbc-raw:afs3 \
    des-cbc-raw:normal des-cbc-raw:norealm des-cbc-raw:onlyrealm \
    des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal \
    des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
With kerberos set up, we can test by authenticating from the command line. For example: kinit ACDAdmin@DC03.UCAR.EDU. Use the kdestroy command to return the ticket.

Join the domain

To join the domain we use the Samba "net join" command. A couple of things for us to consider are:

Setting up a Linux-based share

The /etc/smb.conf file in our case, sets up the home directory as a share. To mount my home directory from a Windows machine on the DC03 domain, I do this: Everything worked. I was not prompted for a password when connecting to the Samba share. This is because the initial authentication to the domain granted the Windows machine a ticket which is then used for subsequent share connections on the domain including those with Samba environments that have been joined to the domain.

CIT domain files

The following files currently work for the CIT domain and Samba v3.

Our /etc/smb.conf file looks like: 

realm = CIT.UCAR.EDU
security = ADS
encrypt passwords = yes
wins server = 128.117.234.4 128.117.234.2 128.117.234.3
password server = *
workgroup = CIT

[homes]
        comment = Home Directories
        browseable = yes
        writeable = yes
        writeable = yes
        preserve case = yes
        short preserve case = yes
And our /etc/krb5.conf file looks like: 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = CIT.UCAR.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 CIT.UCAR.EDU = {
  kdc = dcml.cit.ucar.edu:88
  kdc = dccg.cit.ucar.edu:88
  kdc = dcfl.cit.ucar.edu:88
  admin_server = dccg.cit.ucar.edu:749
  default_domain = cit.ucar.edu
 }

[domain_realm]
 .ucar.edu = CIT.UCAR.EDU
 .acd.ucar.edu = CIT.UCAR.EDU
 .cit.ucar.edu = CIT.UCAR.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
To join the domain we use the command: 
sudo net ads join /Divisions/ACD/Computers/Mesa -U ACDAdmin -S dccg.cit.ucar.edu

References