[Updated 30/10/2012 to include a configuration option to stop timeout errors]
This originally started as a note to myself should I ever need to revisit this, but I have expanded it a bit to make it a bit more general in case others might find it useful.
I use Debian Squeeze on our Linux servers. I have been trying to get them to authenticate off of our Active Directory/Windows Server 2008. Previously we used OpenLDAP and this worked well, but with AD I’d rather have one authentication system. One password rather than two.
My experience with Winbind has not been favourable. Despite documentation and plenty of blogs with well written examples of how to do it I could not get it to work for me. Most of what is written below is drawn from those sources.
In this blog I will use the following settings on my network which I will use in my examples. You will wish to change them to reflect your own settings:
server1.int.inutility.net – 192.168.188.10 – Windows Active Directory & WINS server
server2.int.inutility.net – 192.168.188.11 – Windows Active Directory server
linux.int.inutility.net – 192.168.188.20 – Debian Linux box to authenticate against AD
INUTILITY – Windows Domain
INT.INUTILITY.NET – Kerberos/AD Realm
Preparation
Active Directory
Each user (and group) that should be visible on Linux needs its UNIX attributes (UID, GID, home directory and login shell) set in Active Directory. You can edit these using the “Active Directory Users & Computers” program on your Windows server, finding a user (or group) and going to the “UNIX Attributes” tab. If you do not have this tab then you are missing the “Identity Management for UNIX” role, and you probably want to investigate that before following this.
DNS
If you are just using Windows DNS and Windows DHCP then you are probably already set for this and can probably skip this section.
You need to make sure your domain name is correct. If you use a mixture of Windows & Linux services (for DHCP & DNS) then you need to make sure your /etc/resolv.conf has the correct “domain” setting to match the DNS of your Windows servers. If not, it is possible you may experience a problem later. This may be set manually or automatically from your DHCP server.
Secondly you need to make sure your Windows DNS servers are configured. My /etc/resolv.conf is:
domain int.inutility.net
search int.inutility.net
nameserver 192.168.188.10
nameserver 192.168.188.11
NTP
It’s good practice to have time synchronised, and Kerberos in particular will reject tickets if the clocks drift too far apart. My Windows servers both provide NTP service.
apt-get install ntp
Edit the /etc/ntp.conf file, commenting out the existing Debian servers and adding in your servers (around line 21):
#server 0.debian.pool.ntp.org iburst
#server 1.debian.pool.ntp.org iburst
#server 2.debian.pool.ntp.org iburst
#server 3.debian.pool.ntp.org iburst
server server1.int.inutility.net iburst
server server2.int.inutility.net iburst
You will then need to restart the NTP daemon:
/etc/init.d/ntpd restart
It may take some time to synchronise your Debian server’s clock with that of the Windows servers. Check your syslog. ntpd -q will report information on your time servers and synchronisation.
Installation
LDAP Authentication
This allows you to authenticate your users against the Active Directory using LDAP. It allows you to SSH into your server as your AD users and is required to access your server using Samba.
apt-get install libnss-ldapd libpam-ldapd nslcd unscd
This is not to be confused with libpam-ldap and libnss-ldap (no d at the end), which are older methods of LDAP authentication that I have not satisfactorily got working with Active Directory.
It will ask you a few questions while the packages install. For LDAP server URI I entered both my AD servers:
ldap://server1.int.inutility.net/ ldap://server2.int.inutility.net/
You can leave it at one server, or add as many as you want separated by spaces.
You will be asked for your LDAP server search base. It will guess this based on your DNS domain, but sometimes it gets the ending wrong (especially with country codes). I entered:
dc=int,dc=inutility,dc=net
You will then need to select the Name Services to use with LDAP. Select “group”, “passwd” and “shadow”. It will then finish installation, but there is still a bit to be configured.
It will automatically edit your PAM files (in /etc/pam.d) and your /etc/nsswitch.conf with correct entries so you do not have to unless your set up is a bit unusual. For historical reasons our UIDs start at 500 so I edited the /etc/pam.d/common-* files so the “minimum_uid” entry was 500, not the default 1000.
I use TLS encryption to my servers, using a certificate we have purchased. It requires intermediate certificates, which it terms a bundle. You may not require the “tls_cacertfile” entry, but you may require the “ca-certificates” Debian package installed. The “bundle” can be an intermediate chain of Certificate Authorities; your SSL certificate provider will provide this. Using the “tls_reqcert demand” entry makes sure that if the certificate is not verified the connection will not proceed. Add the following lines to your /etc/nslcd.conf:
# SSL options
ssl starttls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/bundle.crt
You also require some entries in this file so it knows where to pull all the user information from. Again this is in /etc/nslcd.conf:
# Mappings for Active Directory
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member
After restarting nslcd you should then be able to check users & groups are listed using the getent tool:
/etc/init.d/nslcd restart
Restarting LDAP connection daemon: nslcd.
getent passwd al
al:*:1000:100:Al:/home/al:/bin/bash
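To make the filters and maps above concrete, here is an added example (not from the original post) that applies the passwd and group filters and attribute maps from /etc/nslcd.conf to a handful of constructed Active Directory objects and produces the lines getent prints, including why the computer-account exclusion and the uidNumber/unixHomeDirectory checks matter:

```python
# Added example, not from the original post: simulate how the passwd/group
# filters and attribute maps in /etc/nslcd.conf turn AD objects into the
# lines "getent" prints. SAMPLE_AD is constructed data, not real AD content.
SAMPLE_AD = [
    {"dn": "CN=al,OU=Staff,DC=int,DC=inutility,DC=net",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "al",
     "displayName": "Al", "uidNumber": "1000", "gidNumber": "100",
     "unixHomeDirectory": "/home/al", "loginShell": "/bin/bash"},
    # Nothing filled in on the "UNIX Attributes" tab: the filter skips bob.
    {"dn": "CN=bob,OU=Staff,DC=int,DC=inutility,DC=net",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "bob"},
    # Computer accounts are objectClass=user too; (!(objectClass=computer))
    # stops LINUX$ from becoming a login account.
    {"dn": "CN=LINUX,CN=Computers,DC=int,DC=inutility,DC=net",
     "objectClass": ["top", "person", "user", "computer"],
     "sAMAccountName": "LINUX$", "uidNumber": "1500", "unixHomeDirectory": "/"},
    {"dn": "CN=users,CN=Users,DC=int,DC=inutility,DC=net", "cn": "users",
     "objectClass": ["top", "group"], "gidNumber": "100",
     "member": ["CN=al,OU=Staff,DC=int,DC=inutility,DC=net",
                "CN=bob,OU=Staff,DC=int,DC=inutility,DC=net"]},
]

def passwd_filter(e):
    """(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"""
    oc = e["objectClass"]
    return "user" in oc and "computer" not in oc and "uidNumber" in e and "unixHomeDirectory" in e

def group_filter(e):
    """(&(objectClass=group)(gidNumber=*))"""
    return "group" in e["objectClass"] and "gidNumber" in e

def getent_passwd(entries):
    """map passwd uid sAMAccountName, homeDirectory unixHomeDirectory, gecos
    displayName. The password field is '*': NSS never sees the AD password,
    pam_ldapd checks it by binding to AD."""
    return ["%s:*:%s:%s:%s:%s:%s" % (e["sAMAccountName"], e["uidNumber"],
                                     e.get("gidNumber", ""), e.get("displayName", ""),
                                     e["unixHomeDirectory"], e.get("loginShell", ""))
            for e in entries if passwd_filter(e)]

def getent_group(entries):
    """map group uniqueMember member: member DNs are resolved to the uid of a
    matching passwd entry; DNs that match no passwd entry are dropped."""
    dn_to_uid = {e["dn"]: e["sAMAccountName"] for e in entries if passwd_filter(e)}
    return ["%s:*:%s:%s" % (g["cn"], g["gidNumber"],
                            ",".join(dn_to_uid[m] for m in g.get("member", []) if m in dn_to_uid))
            for g in entries if group_filter(g)]

if __name__ == "__main__":
    print("\n".join(getent_passwd(SAMPLE_AD) + getent_group(SAMPLE_AD)))
```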
You should now be able to SSH into your machine as your Active Directory users, though they may not have home directories (see also the section “Automatic creation of user’s home directory” towards the bottom of the page).
Kerberos
Install the Kerberos packages:
apt-get install krb5-config krb5-user
Then edit /etc/krb5.conf to include entries for your realm:
[libdefaults]
default_realm = INT.INUTILITY.NET
and
[realms]
INT.INUTILITY.NET = {
    kdc = 192.168.188.10:88
    admin_server = 192.168.188.10
    default_domain = int.inutility.net
}
ATHENA.MIT.EDU = {
and
[domain_realm]
.int.inutility.net = INT.INUTILITY.NET
int.inutility.net = INT.INUTILITY.NET
.mit.edu = ATHENA.MIT.EDU
Samba
Firstly you’ll need to install the samba packages:
apt-get install samba samba-common samba-common-bin
I was asked only for my “Workgroup/Domain Name” which I entered in as “INUTILITY” during installation.
Then you need to make some edits to your /etc/samba/smb.conf.
Add the Kerberos realm:
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = INUTILITY
realm = INT.INUTILITY.NET
Add in WINS server:
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 192.168.188.10
To use Active Directory security:
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
security = ads
To configure Samba not to be the master browser for the domain:
# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.
domain master = no
local master = no
preferred master = no
Restart the samba services to load these settings.
/etc/init.d/samba restart
Joining the domain
You can now join the domain with the following command (another administrator account can be used instead of Administrator):
net ads join -U Administrator
This succeeds, but reports:
kerberos_kinit_password LINUX$@INT.INUTILITY.NET failed: Client not found in Kerberos database
This is something I’ve not been able to trace down yet, but everything works as expected. I have been advised that this may in fact be down to our incorrect reverse DNS.
You should now be able to access the machine using \\LINUX as per a normal Windows server.
Other useful things
Automatic creation of user’s home directory
If you edit /etc/pam.d/common-session you can add an entry to automatically create a user’s home directory upon login:
session required pam_mkhomedir.so skel=/etc/skel umask=0022 silent
This saves you having to manually copy the /etc/skel files for any users who have not logged into the system before.
Leaving the AD Domain
This can be done using the command below and removes your computer’s entry from the Active Directory:
net ads leave -U Administrator
Update 30/10/2012: LDAP timeouts
Occasionally we get the following messages in our syslog:
ldap_search_ext() failed: Can't contact LDAP server connected to LDAP server ldap://server1.int.inutility.net/
These seem to be due to the AD server(s) timing out the connection without nslcd noticing, which while not fatal is annoying and can slow down resolving a username & their groups. AD seems to time out the connections after 2 minutes.
If you put:
idle_timelimit 60
into your /etc/nslcd.conf file, nslcd will close its own idle connections after a minute and reconnect as needed, which is a much faster process than waiting for the connection failure it was hitting.
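As an added example (not from the original post), the following script checks a file in nslcd.conf syntax for the two settings this post relies on: that the channel to AD refuses an unverifiable certificate (the “tls_reqcert demand” entry from the TLS section) and that idle_timelimit is set below AD’s two-minute idle cut-off. Both configuration texts are constructed samples; point audit_nslcd_conf() at the contents of a real /etc/nslcd.conf to check a server.

```python
# Added example, not from the original post: audit the nslcd.conf settings the
# post discusses (TLS certificate verification and the AD idle timeout).
# WEAK_CONF and FIXED_CONF are constructed samples, not real server files.
WEAK_CONF = """\
uri ldap://server1.int.inutility.net/ ldap://server2.int.inutility.net/
base dc=int,dc=inutility,dc=net
ssl start_tls
# allow: a certificate that fails verification is accepted anyway
tls_reqcert allow
"""

FIXED_CONF = WEAK_CONF.replace("tls_reqcert allow", "tls_reqcert demand") + """\
tls_cacertfile /etc/ssl/certs/bundle.crt
idle_timelimit 60
"""

def parse_nslcd_conf(text):
    """nslcd.conf is one 'key value' per line; lines starting with '#' are
    comments. Repeated keys (uri, map, filter) are kept as a list, in order."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def audit_nslcd_conf(text):
    """Return a list of findings; an empty list means the checks pass."""
    conf = parse_nslcd_conf(text)
    findings = []
    uris = " ".join(conf.get("uri", [])).split()
    ssl = conf.get("ssl", ["off"])[-1].lower()      # nslcd default is off
    if any(u.startswith("ldap://") for u in uris) and ssl not in ("on", "start_tls", "starttls"):
        findings.append("ssl: plain ldap:// without start_tls sends bind passwords in cleartext")
    # libldap's default for tls_reqcert is demand; only weaker explicit values are flagged.
    reqcert = conf.get("tls_reqcert", ["demand"])[-1].lower()
    if reqcert not in ("demand", "hard"):
        findings.append("tls_reqcert %s: a server certificate that fails verification is accepted" % reqcert)
    # AD drops idle connections after about 2 minutes; nslcd must give up first.
    idle = conf.get("idle_timelimit", ["0"])[-1]
    if not idle.isdigit() or int(idle) == 0 or int(idle) >= 120:
        findings.append("idle_timelimit: set it below 120s (the post uses 60) or expect "
                        "'Can't contact LDAP server' after AD drops the idle connection")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_nslcd_conf(text) or ["ok"])
```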