====== How to join Ubuntu/Samba to a Windows 2003 Active Directory domain ======
Ingredients:
* A Windows network with an Active Directory server (like Windows Server 2003)
* Ubuntu Linux 5.10 installed
* TCP/IP set up properly (the Linux machine gets its address by DHCP from the Windows server)
* No firewall yet on the Linux machine! First get it working, then secure it.
More info:
* [[http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html]]
* [[http://justlinux.com/forum/archive/index.php/t-118512.html]]
===== 1. Installing =====
We assume that Ubuntu Linux has been installed.
Install the following packages with the Synaptic Package Manager. You may need to enable "universe" as an extra package source.
* Samba (version 3):
  * samba
  * samba-common (installed by default)
  * smbclient (installed by default)
  * winbind
* Kerberos:
  * krb5-config
  * krb5-user
* ... and any further packages needed to satisfy dependencies.
===== 2. Edit configuration files =====
Edit the following configuration files. We assume the following:
* The local DNS domain is mycompany.local
* The Windows 2003 server is obelix.mycompany.local
==== /etc/samba/smb.conf ====
<code>
[global]
    security = ADS
    realm = MYCOMPANY.LOCAL
    workgroup = mycompany
    password server = obelix.mycompany.local
    wins support = no
    wins server = 10.0.20.202
    invalid users = root
    # Winbind settings
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    # For testing
    debuglevel = 2

# A shared folder for testing purposes
[SharedFolder]
    path = /home/onno2/Shared_Folder
    available = yes
    public = yes
    writable = yes
    force create mode = 0666
    force directory mode = 0777
</code>
Make sure the path (/home/onno2/Shared_Folder, or whatever you choose) exists and that its permissions are set accordingly (''chmod 777'' or something similar). Note that ''public = yes'' together with ''writable = yes'' and mode 777 makes the share writable by anyone on the network, which is fine for this test share but not for anything you keep afterwards.
==== /etc/krb5.conf ====
<code>
[libdefaults]
    default_realm = MYCOMPANY.LOCAL
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }

[realms]
    MYCOMPANY.LOCAL = {
        kdc = obelix.mycompany.local
        admin_server = obelix.mycompany.local
    }

[domain_realm]
    .mycompany.local = MYCOMPANY.LOCAL
    mycompany.local = MYCOMPANY.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = true
</code>
The ''[domain_realm]'' entries map the DNS domain to the Kerberos realm name (MYCOMPANY.LOCAL, in upper case), not to the domain controller's host name.
==== /etc/nsswitch.conf ====
The only change here is adding ''winbind'' to the ''passwd'' and ''group'' lines.
<code>
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
</code>
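Added example (my own code, not part of this how-to): a small Python checker that parses the smb.conf and krb5.conf shown above and flags the mismatches that most often break ''net ads join'' or ''kinit'': an smb.conf ''realm'' that differs from the krb5.conf ''default_realm'' (or is not upper case), a ''[domain_realm]'' entry that maps to a host name instead of the realm, and a share that is both guest-accessible and writable. It only understands the key spellings used on this page, and the constructed sample krb5.conf deliberately maps the domain to the domain controller's host name so that the checker has something to report.

```python
def parse_conf(text):
    """Parse [section] blocks; one level of `name = { ... }` nesting (krb5.conf) becomes a nested dict."""
    conf, top, cur = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if line.startswith("[") and line.endswith("]"):
            top = cur = conf.setdefault(line[1:-1], {})
        elif line.endswith("{"):  # e.g. "MYCOMPANY.LOCAL = {" under [realms]
            cur = top.setdefault(line[:-1].strip(" ="), {})
        elif line == "}":
            cur = top
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            cur[key] = value
    return conf

def check_ad_member(smb_text, krb5_text):
    """Cross-check smb.conf against krb5.conf; returns findings (an empty list means consistent)."""
    smb, krb = parse_conf(smb_text), parse_conf(krb5_text)
    g, findings = smb.get("global", {}), []
    realm = g.get("realm", "")
    if realm != krb.get("libdefaults", {}).get("default_realm") or realm != realm.upper():
        findings.append("realm: smb.conf realm and krb5.conf default_realm must be the same upper-case name")
    for name, mapped in krb.get("domain_realm", {}).items():
        if mapped != realm:  # a host name such as OBELIX.MYCOMPANY.LOCAL is not a realm
            findings.append("domain_realm: %s maps to %s, expected %s" % (name, mapped, realm))
    for share, opts in smb.items():
        if share != "global" and opts.get("public") == "yes" and opts.get("writable") == "yes":
            findings.append("share: %s is guest-accessible and writable (testing only)" % share)
    return findings

# Constructed samples mirroring this page's files; the domain_realm line contains a deliberate mistake.
SMB_CONF = """[global]
security = ADS
realm = MYCOMPANY.LOCAL
[SharedFolder]
public = yes
writable = yes
"""
KRB5_CONF = """[libdefaults]
default_realm = MYCOMPANY.LOCAL
[realms]
MYCOMPANY.LOCAL = {
kdc = obelix.mycompany.local
}
[domain_realm]
.mycompany.local = OBELIX.MYCOMPANY.LOCAL
"""
```

Run it with ''python3 -c "import checker; print(checker.check_ad_member(checker.SMB_CONF, checker.KRB5_CONF))"'' after saving it as checker.py, or feed it the contents of your real /etc/samba/smb.conf and /etc/krb5.conf.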
===== 3. Start or restart services =====
''/etc/init.d/samba restart''\\
''/etc/init.d/winbind restart''\\
===== 4. Join domain =====
''net ads join -U administrator''
If this doesn't work, check the logs on the Linux side (/var/log/samba/*) and the event log on the Windows server.
===== 5. Test your setup =====
''testparm'' checks that your smb.conf is syntactically correct.\\
''kinit onno@MYCOMPANY.LOCAL'' tests whether Kerberos authentication against the domain controller works.\\
''wbinfo -u'' should give a list of domain users.\\
''wbinfo -g'' should give a list of domain groups.\\
''getent passwd'' should give a list of users in passwd style, including the domain users.\\
''getent group'' should give a list of groups, including the domain groups.\\
''ls -ltr /var/log/samba'' lists the log files, sorted by time of last change.\\
''smbclient -L obelix.mycompany.local -U onno'' should give you a list of the shares available on the server (''-L'' needs a host name; use ''localhost'' to list this machine's own shares).\\
If all of this works, try to access the share (/home/onno2/Shared_Folder) from any Windows machine in the domain through Network Neighbourhood.
===== What's next? =====
If all works, try setting up your favorite firewall. I like Shorewall.