Integrating Samba into a Windows 2000 Active Directory Domain


Ever tried to integrate a Samba fileserver into an Active Directory domain?
Sorting out access permissions can be a nightmare, especially if you've got to create local users in order to restrict access. The good news is that you don't need to anymore. Providing you're using up to date versions (I'll post exactly which later - I've always updated as necessary without noting the version numbers too closely, but RedHat 9 comes with everything you need), all you need to do is use WinBind. This marvellous little daemon will access your Active Directory and pull out the list of users and groups.


All you need to do is configure and run WinBind, tell your Samba server to use WinBind for authentication and configure your Samba config for the permissions.
If you want to know how to get Samba up and running in the first place then you ought to be looking at how to set up Samba.

(If you want more detail, clearer explanation or can't make out what on earth I'm on about, this is one of the best explanations I found http://linux.ctyme.com/userdoc/swat/help/winbind.html)

It is that simple! The complicated bit is making sure you've got the right version of Samba and the required libraries and versions.
(Remember you can update multiple RPMs simultaneously to sort out problems with dependencies.)

Tell WinBind where to pull the Active Directory Information From

Create or edit /etc/pam_smb.conf
(where [DOMAIN] is your Active Directory domain and [DC1] and [DC2] are two domain controllers.)

# pam_smb.conf
[DOMAIN]
[DC1]
[DC2]

Tell your Linux Server to use WinBind for authentication

Change the three lines in /etc/nsswitch.conf so as to add winbind as a valid source of information.

# /etc/nsswitch.conf
#
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files winbind db nisplus
shadow: files winbind db nisplus
group: files winbind db nisplus

Now you can decide which services can use Winbind for authentication.

(All these files are in /etc/pam.d.)
First off, the one we're going through all this for:

Samba validation to your file shares /etc/pam.d/samba
#%PAM-1.0
auth required /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_winbind.so

And now a couple of other useful options (but think about what/who you're allowing access to).
Local login to your Linux server /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so


SSH login to your Linux server (including sftp) /etc/pam.d/sshd
#%PAM-1.0
#auth required /lib/security/pam_stack.so service=system-auth
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so

Configure Samba to use Winbind

Edit /etc/samba/smb.conf and, in the global server settings section, add or modify the defaults to the following:

## Winbind
##

# specify the uid range which can be used by winbindd
# to allocate uids for Windows users as necessary
winbind uid = 10000-65000

# specify the gid range which can be used by winbindd
# to allocate gids for Windows groups as necessary
winbind gid = 10000-65000

# Define a home directory to be given to passwd(5) style entries
# generated by libnss_winbind.so. You can use variables here
template homedir = /home/%D/%U

# Specify a shell for all winbind user entries returned by the
# libnss_winbind.so library.
template shell = /bin/bash

# What character should be used to separate the DOMAIN and Username
# for a Windows user. The default is DOMAIN\user, but many people
# prefer DOMAIN+user
winbind separator = +

winbind enum users = yes
winbind enum groups = yes

Now configure your shares

[Files]
available = yes
browseable = yes
path = /home/samba/files
public = yes
writable = yes
valid users = nobody DOMAIN+User1 DOMAIN+User2 DOMAIN+User3 localuser
create mask = 764
inherit permissions = yes

[Websites]
available = yes
browseable = yes
path = /home/samba/websites
public = yes
writable = yes
valid users = nobody DOMAIN+User1 DOMAIN+User2 DOMAIN+User3 DOMAIN+User4 localuser
force user = nobody
force group = nobody
create mask = 755
inherit permissions = yes

The two shares shown are available to the specified domain users (include the DOMAIN and the + separator with the username) together with a local user on the Samba server. Only the users explicitly listed can access the files, since a Windows 2000 machine will not try to connect as nobody to access files in the shares.
I've used the create mask and inherit permissions settings in the Files share to enable other domain users to read and write files in the share irrespective of the creator.
The Websites share is slightly different in that the path allows access to Apache document roots. In order for edited CGIs to be created and remain executable, they must be 755 and the ownership must be appropriate to Apache script permissions - in this case nobody:nobody.
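As an added example (not from the original page), here is a small Python checker for the kind of smb.conf built above: it parses the file, verifies that the winbind uid/gid ranges are well-formed, and flags valid users entries whose domain separator does not match winbind separator, since such an entry never matches the DOMAIN+user names winbind produces and the user is silently denied. The sample config is constructed, with a reversed gid range and one backslash-separated user to trip the checks.

```python
"""Consistency checks for a winbind-enabled smb.conf (added example)."""
import re

# Constructed sample modelled on the page's config, with two deliberate
# mistakes: a reversed gid range and a backslash-separated valid user.
SAMPLE_SMB_CONF = """\
[global]
winbind uid = 10000-65000
winbind gid = 65000-10000
winbind separator = +

[Files]
path = /home/samba/files
valid users = nobody DOMAIN+User1 DOMAIN+User2 localuser
create mask = 764

[Websites]
path = /home/samba/websites
valid users = nobody DOMAIN\\User3 DOMAIN+User4
force user = nobody
create mask = 755
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, '#'/';' comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_winbind_config(text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    conf = parse_smb_conf(text)
    glob, findings = conf.get("global", {}), []
    for key in ("winbind uid", "winbind gid"):
        m = re.fullmatch(r"(\d+)-(\d+)", glob.get(key, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"[global] {key}: expected 'low-high' with low < high, got {glob.get(key)!r}")
    sep = glob.get("winbind separator", "\\")  # Samba's default separator is a backslash
    for name, share in conf.items():
        for user in share.get("valid users", "").split() if name != "global" else []:
            if ("\\" in user or "+" in user) and sep not in user:
                findings.append(f"[{name}] valid users entry {user!r} does not use winbind separator {sep!r}")
    return findings
```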

Join your Samba server to the Domain


smbpasswd -j DOMAIN -r DC1 -U Administrator

The proper response to the command should be "Joined the domain DOMAIN", where DOMAIN is your domain name.

Start the winbindd daemon and try wbinfo -u to verify it's working.
(You should see a list of DOMAIN+Usernames.)
I added the winbindd startup to the /etc/rc.d/init.d/smb script to ensure winbind starts and restarts with Samba.