Notes on RedHat / Oracle Enterprise Linux, ADS und Samba

January 17, 2008 by Michael

Recently i needed windows clients to access a directory on the database server from which CLOBs where created. Since the server is an Oracle Enterprise Linux, i could follow the steps explained behind the following link to get Samba up and running with the Active Directory run by a Windows 2k3 server:

Which steps must be done to run Samba with AD-Integration

In short:

Setup Kerberos:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
default_realm = WINDOWS.JARA23.CO.UK
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
 
[realms]
WINDOWS.JARA23.CO.UK = {
   kdc = server.windows.jara23.co.uk
   admin_server = server.windows.jara23.co.uk
   default_domain = windows.jara23.co.uk
}
 
[domain_realm]
.kerberos.server = WINDOWS.JARA23.CO.UK
.windows.jara23.co.uk = WINDOWS.JARA23.CO.UK
 
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
 
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

Test this with

kinit admin@WINDOWS.JARA23.CO.UK

After entering a valid password, this command should give no error.

Setup a minimal Samba configuration:

#GLOBAL PARAMETERS
[global]
   workgroup = MIDGARD
   realm = WINDOWS.JARA23.CO.UK
   preferred master = no
   server string = Linux Test Machine
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   idmap uid = 600-20000
   idmap gid = 600-20000
   ;template primary group = "Domain Users"
   template shell = /bin/bash
 
[homes]
   comment = Home Direcotries
   valid users = %S
   read only = No
   browseable = No
 
[printers]
   comment = All Printers
   path = /var/spool/cups
   browseable = no
   printable = yes
   guest ok = yes

Enable winbind, pam and other parameters with system-config-authentication.

Start Samba and join the domain with:

net ads join -U Administrator

No comments yet

Post a Comment

Your email is never published. We need your name and email address only for verifying a legitimate comment. For more information, a copy of your saved data or a request to delete any data under this address, please send a short notice to michael@simons.ac from the address you used to comment on this entry.
By entering and submitting a comment, wether with or without name or email address, you'll agree that all data you have entered including your IP address will be checked and stored for a limited time by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110-4929, USA. only for the purpose of avoiding spam. You can deny further storage of your data by sending an email to support@wordpress.com, with subject “Deletion of Data stored by Akismet”.
Required fields are marked *