Join a Linux server to Active Directory with Samba 3.0

By Scott Lowe MCSE, Special to ZDNet Asia
Thursday, October 10, 2002 12:00 PM

Windows 2000 and Active Directory wreaked some havoc with Samba 2. But developers have been working hard on Samba 3, which overcomes the AD hurdle. Get a sneak preview of the new file and authentication freeware solution.

As Linux becomes more prevalent in enterprises, the need for interoperability between it and incumbent operating systems becomes more important. After all, nobody wants to add a new system if it will require a whole new set of administration tools and additional user accounts.

One tool that has become ubiquitous in Linux configurations is Samba, the open source file services and authorization software. The release of Windows 2000 and its use of Active Directory complicated integrating a Linux server in a Microsoft environment, which had become a snap with Windows NT and Samba version 2.2.x. Although Samba can still be used as a domain controller, it requires a mixed-mode Windows 2000 domain, in which some Windows NT 4.0 domain controllers are still present. (Samba is considered a Windows NT 4.0 domain controller.)

In addition, Windows 2000 (and XP) uses Active Directory with the Kerberos authentication protocol, which presents new challenges for interoperability. Some administrators want to move to a native mode Active Directory domain but still provide a central authentication service, so a new way to handle authentication needs to be devised.

Enter Samba 3.0. The Samba team is providing the means to handle this very task in its newest version, which is still under development. I’m going to show you how to use the latest alpha version of Samba to allow your Linux server to authenticate against a Windows 2000 domain controller.

From alpha to final code
This article employs the latest alpha version of Samba 3.0. Although not ready for production networks, the alpha code does work and, according to the road map, will not drastically change when the full public release is ready. After a lengthy chat with the Samba development team, I was reassured that coming changes to Samba 3.0 (from alpha to the final release) will primarily be the addition of features and the stabilization of the code. The installation and configurations shown in this article are not likely to change.

What you need
To get Samba 3.0 up and running, you must have:
  • Windows 2000 Server acting as a domain controller.
  • The OpenLDAP development libraries for Linux. As of this writing, version 2.0.23-4 is the latest release and can be downloaded here.
  • The MIT Kerberos development libraries for Linux. As of this writing, these libraries are at version 1.2.4-1. krb5-devel can be downloaded here; krb5-libs can be downloaded here; and krb5-workstation can be downloaded here.
  • The latest version of the Samba alpha code. (I chose not to get the CVS version.) As of this writing, build 17 of the Samba code was the latest and can be downloaded here.

If you’re not sure whether you have these libraries installed, you can use the RPM command to find out. Use the rpm -qa | grep openldap command to see whether you have the openldap-devel library and use rpm -qa | grep krb to check for the Kerberos libraries. If you are missing any of these libraries, install them with the rpm -i libraryname command. The only library I was missing in my default Red Hat Linux 7.3 installation was the krb5-workstation library.

IP addresses
The IP addresses of the machines used in this article will be:
Win2K - 10.109.10.133
Linux - 10.109.10.132


Installing Samba 3.0
The installation of Samba 3.0 is fairly straightforward. Follow these steps:
  1. Expand the Samba 3.0 distribution with the command gunzip -cd samba-3.0-alpha17.tar.gz | tar xvf -.
  2. Switch to the source directory inside the newly created directory with the command cd samba-3.0-alpha17/source.
  3. Run the configuration script, using the command ./configure --prefix=/usr/local/samba to instruct the script to install Samba into /usr/local/samba.
  4. Make sure that the lines #define HAVE_KRB5 1 and #define HAVE_LDAP 1 are present in the include/config.h file.
  5. Compile the application with the make command.
  6. Install the application with the make install command.

Configuring Kerberos
You need to configure some parameters to let the Kerberos process know how to handle the Active Directory server. Listing A shows the entire contents of my /etc/krb5.conf file. Make the appropriate modifications to your configuration, keeping in mind that case matters to Kerberos; SLOWE.COM and slowe.com do not match.

You have one more thing to check. While it might sound trivial, I cannot stress enough the importance of clock synchronization between your Windows 2000 Server and your Linux server. If the time is off by more than five minutes, the two servers will be able to communicate, but no ticket information will work. This is easy to troubleshoot because you will be greeted with kinit(v5): Clock skew too great while getting initial credentials when you test Kerberos.

To make sure that your connection is working, run the command /usr/kerberos/bin/kinit nuser@SLOWE.COM. The Kerberos kinit command will test communication between your servers. The syntax is kinit user@REALM, where REALM is your Active Directory domain name and must be uppercase. If you do not use all uppercase for the realm, you’ll receive this error:
kinit(v5): Cannot find KDC for requested realm while getting initial credentials.

If communication is working, you’ll be prompted for the user password. When entered correctly, you’ll simply come back to a bash prompt. If entered incorrectly, you’ll receive the error: kinit(v5): Preauthentication failed while getting initial credentials.
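
The checks described in this section can be run before kinit. The following shell script is an added example, not part of the original article and not its Listing A: the krb5.conf it writes is a constructed minimal file using the article's realm and Win2K address, and the function names are hypothetical.

```shell
# Added example, not from the article. SLOWE.COM and 10.109.10.133 are the
# article's values; the file layout below is constructed, not Listing A.
write_sample_krb5_conf() {  # usage: write_sample_krb5_conf FILE
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = SLOWE.COM
[realms]
    SLOWE.COM = {
        kdc = 10.109.10.133
    }
[domain_realm]
    .slowe.com = SLOWE.COM
EOF
}

# Prints "ok" when REALM is a [realms] entry with exact case, "case-mismatch"
# when it matches only if case is ignored, "missing" otherwise.
check_realm() {  # usage: check_realm FILE REALM
    awk -v want="$2" '
        /^\[/ { in_realms = ($0 == "[realms]"); next }
        in_realms && $2 == "=" && $3 == "{" {
            if ($1 == want) exact = 1
            else if (toupper($1) == toupper(want)) loose = 1
        }
        END { print (exact ? "ok" : (loose ? "case-mismatch" : "missing")) }
    ' "$1"
}

# Succeeds when two epoch timestamps are within the five minutes (300 s)
# the article gives as the limit. Obtaining the KDC time is left to the caller.
skew_ok() {  # usage: skew_ok LOCAL_EPOCH KDC_EPOCH
    d=$(( $1 - $2 ))
    d=${d#-}            # absolute value: strip a leading minus sign
    [ "$d" -le 300 ]
}

# Maps the three kinit errors quoted in the article to the cause it names.
explain_kinit_error() {  # usage: explain_kinit_error "MESSAGE"
    case "$1" in
        *"Clock skew too great"*)                echo "clock-skew" ;;
        *"Cannot find KDC for requested realm"*) echo "realm-case" ;;
        *"Preauthentication failed"*)            echo "bad-password" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Demo on the constructed file: a lowercase realm is flagged before kinit runs.
conf=$(mktemp); write_sample_krb5_conf "$conf"
echo "slowe.com -> $(check_realm "$conf" slowe.com)"; rm -f "$conf"
```

check_realm only recognizes realm entries written as `REALM = {` on a single line, which is the layout used in the constructed file.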




Talkback 10 comments

The Samba Road Map URL is: (web link)

I have installed Samba 2.0.6 on FreeBSD 4.4 - works great! It comes with the Ports collection.
Posted by Dwight Walker on Monday, November 18 2002 12:10 PM

I am getting an error when I run "/etc/samba/bin/net ads join". I get a "Segmentation fault" error.
I can run "/usr/kerberos/bin/kinit administrator@BPBLDAP.CO.ZA" and it works.
I have got no idea what could be wrong. Please help.

Luis Lourenco
Affinity Logic
+27 11 797 0338
+27 82 960 9749
luis.lourenco@affinity.co.za
Posted by Luis Lourenco on Friday, March 14 2003 07:34 PM

How do you deploy a network storage for an organization using openAFS, Kerberos 5, NTP, openLDAP and ISC BIND in a Linux server with Windows desktop machines as client?
Posted by Ikemesit Ibok on Thursday, March 20 2003 10:49 PM

We are using this tutorial to install samba 3.0. The Listings A and B, linked in the text are defective. It would be great if you could provide us with these listings or fix the links.

Thanks in advance.

Sincerely

Andreas Bollhalder
Posted by Andreas Bollhalder on Wednesday, June 18 2003 09:58 PM

I used this document to join our Linux server to Active Directory and it worked very well. The only problem is that soon after setting up the krb5.conf with domain information, Windows NT 4.0 workstations were not able to login to our Windows 2000 domain controller. XP Pro machines were fine. I had to unplug the Linux box in order for them to login. I only want to use the Windows server as the domain controller. Why did this happen? Any help or suggestions would be greatly appreciated.
Scott
Posted by Scott Gravning on Friday, November 07 2003 05:27 AM

Has anybody successfully implemented a Samba server on a 2003 ADS?
I'm battling very hard on this side
Posted by Nic on Thursday, January 15 2004 11:11 PM

I have been struggling to configure Samba. I am using Knoppix Linux server and Win 2000 workstation. I am a novice in sys admin and Linux. Can someone help?
Posted by Derick on Tuesday, March 23 2004 10:14 PM

Samba vs. Active Directory - software deployment.

There are some concerns about Samba that it doesn't support software deployment, and Active Directory does.
It is not true.

Active Directory can only deploy software that is available in MSI format, which is rare - most installers are in EXE format.
So Active Directory is not that good for software deployment.

With Samba, you can distribute software in many formats (MSI, EXE, other) with a tool called WPKG - it is GPL and can be downloaded from (web link)

You can use WPKG with Active Directory, too.
Posted by anonymous on Saturday, July 02 2005 08:14 PM

Geez... Plz fix the links in text. Theory is easy ;) but in these files many small things can go wrong.
Posted by anonymous on Monday, October 03 2005 10:18 PM

> Active Directory can only deploy software that is available in MSI format, which is rare - most installers are in EXE format.

What a load of garbage. Almost all software for Windows is in MSI format. Enterprises with any brains will be repackaging anything into MSI if it isn't already in that format.
Posted by anonymous on Monday, February 27 2006 06:25 PM
