Setting up SLES9 as an Active Directory Member Server.
This document (3887636) is provided subject to the disclaimer at the end of this document.
Environment
samba
samba-winbind
Microsoft Windows Server 2003
Situation
Resolution
Microsoft Windows 2003 server setup:
Active Directory - all default options were selected during the install, including setting it up in native mode.
DNS Server for Active Directory domain.
Windows server NetBIOS name: WIN2003SRV
Windows server FQDN: win2003srv.company.com
Active Directory Domain name: company.com
Active Directory NetBIOS name: COMPANY
SUSE LINUX Enterprise Server 9 (SLES9) setup:
Install the following packages: samba, samba-winbind and pam_krb5
Configure SLES9 to use the Windows server as its DNS server.
Configure the NTP client to use the Windows server as its NTP time source.
SLES9 host name: SLES9
SLES9 domain name suffix: company.com
1. Disable the Name Service Cache Daemon as it conflicts* with Winbind:
rcnscd stop
chkconfig -s nscd off
*May need to omit this step as nscd is enabled in SLE 10 after running the "Windows Domain Membership" YaST2 plugin, but samba docs recommend disabling it. Will research.
2. Stop the Samba Daemons (& Winbind Daemon if loaded):
rcsmb stop
rcnmb stop
rcwinbind stop
If you want to allow other users in the same group (or any other user) to access another user's home directory, you can change the umask to 0022, depending on your needs.
3. Edit the /etc/krb5.conf file to have the following (Kerberos realm names are case-sensitive, so the realm is spelled COMPANY.COM everywhere it names the realm, while the DNS domain stays company.com):
[libdefaults]
    clockskew = 300
    default_realm = COMPANY.COM
[realms]
    # This entry must match default_realm exactly, including case.
    COMPANY.COM = {
        kdc = win2003srv.company.com
        default_domain = company.com
        kpasswd_server = win2003srv.company.com
    }
[domain_realm]
    # Map the DNS domain and every host under it to the Kerberos realm.
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
[logging]
    default = SYSLOG:NOTICE:DAEMON
    kdc = FILE:/var/log/kdc.log
    kadmind = FILE:/var/log/kadmind.log
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
    }
4. Edit the /etc/samba/smb.conf to have the following:
# Global parameters
[global]
    workgroup = COMPANY
    realm = COMPANY.COM
    security = ADS
    map to guest = Bad User
    password server = ip_address_of_windows_server
    # If you have a large number of users and groups in AD, you may need to
    # widen both of these ranges to accommodate your environment.
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = Yes
    # log level = 10
    # log file = /var/log/samba/log.%m
# Create a public share to make sure all authenticated users can get to it.
# The path can be anywhere, just make sure it exists. For testing purposes
# 'chmod 777 /public' to make sure everyone has access.
[public]
    comment = public share
    path = /public
    browseable = Yes
    read only = No
5. Edit the passwd: and group: lines in /etc/nsswitch.conf file to include Winbind:
passwd: compat winbind
group: compat winbind
6. Join the samba server to the AD domain:
net ads join -U administrator
If the join fails, append -d10 to the command above and review the extra debug output it prints on screen.
7. Start the samba daemons:
rcwinbind start
rcnmb start
rcsmb start
If the daemons fail to start, uncomment the two log parameters in the [global] section of the smb.conf above, restart samba and winbind, and review the logs in /var/log/samba together with the error printed when the command is executed.
8. Enable the Samba Daemons to start on boot:
chkconfig -s winbind on
chkconfig -s nmb on
chkconfig -s smb on
9. List the user and group accounts:
getent passwd
wbinfo -u
getent group
wbinfo -g
10. Test access to the server from a Windows workstation that is a member of the AD domain:
Go to Start | Run and type \\SLES9
You should see a share called public. You should be able to access that share as a user in the Windows domain.
Enjoy! Unless you need a public share, I recommend you remove the [public] section in the smb.conf file and create your own shares as needed.
If more information is needed regarding the files and parameters used, you can refer to the HOW TO doc at samba.org.
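Because Kerberos realm names are case-sensitive, a mismatch between the krb5.conf from step 3 and the smb.conf from step 4 usually surfaces only as a failed join in step 6. The POSIX shell script below is an added example, not part of this TID or of Samba; it assumes the two files are passed as arguments and checks that the realm, [realms] entry, security mode and workgroup agree.

```shell
#!/bin/sh
# Added example, not part of the TID: sanity-check the krb5.conf (step 3) and
# smb.conf (step 4) before running "net ads join" (step 6). Kerberos realm
# names are case-sensitive, so default_realm, the [realms] entry and the
# smb.conf "realm =" must agree exactly; "workgroup =" must be the NetBIOS name.
# Usage: check_ad_member_conf /etc/krb5.conf /etc/samba/smb.conf

# ini_get FILE SECTION KEY: print the value of "KEY = value" found inside
# [SECTION]; "#" and ";" comment lines are ignored and the first match wins.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        { line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line) }
        line ~ /^\[/ { cur = line; next }
        cur == ("[" sec "]") && line !~ "^[#;]" && index(line, "=") > 0 {
            k = substr(line, 1, index(line, "=") - 1); sub(/[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr(line, index(line, "=") + 1); sub(/^[[:space:]]+/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_ad_member_conf KRB5CONF SMBCONF: report every inconsistency found;
# returns 0 when the two files agree, 1 otherwise.
check_ad_member_conf() {
    krb5conf=$1; smbconf=$2; rc=0
    krb_realm=$(ini_get "$krb5conf" libdefaults default_realm)
    smb_realm=$(ini_get "$smbconf" global realm)
    workgroup=$(ini_get "$smbconf" global workgroup)
    security=$(ini_get "$smbconf" global security | tr 'a-z' 'A-Z')

    [ -n "$krb_realm" ] || { echo "krb5.conf: default_realm is not set"; rc=1; }
    case "$krb_realm" in
        *[a-z]*) echo "krb5.conf: default_realm '$krb_realm' should be upper case"; rc=1 ;;
    esac
    # A realm block is written "REALM = {", so it parses as a key whose value is "{".
    [ "$(ini_get "$krb5conf" realms "$krb_realm")" = "{" ] ||
        { echo "krb5.conf: no [realms] entry spelled exactly '$krb_realm'"; rc=1; }
    [ "$smb_realm" = "$krb_realm" ] ||
        { echo "smb.conf: realm '$smb_realm' differs from default_realm '$krb_realm'"; rc=1; }
    [ "$security" = "ADS" ] || { echo "smb.conf: security must be ADS for an AD member"; rc=1; }
    case "$workgroup" in
        ""|*.*) echo "smb.conf: workgroup '$workgroup' must be the NetBIOS domain name"; rc=1 ;;
    esac
    return $rc
}
```

Run it before the join; a non-zero exit lists each mismatch, and a silent zero exit means the two files are consistent with the settings this TID uses.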
Additional Information
Formerly known as TID# 10097466
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:3887636
- Creation Date: 13-Sep-2007
- Modified Date:03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com