In our November 2003 issue, we saw how you can use Samba 3 to migrate your existing Win NT PDC to a Linux box (Migrating from NT to Linux, page 104). Another important feature of Samba 3 is that it can easily join a Linux machine to an existing Win 2000 or 2003 Active Directory.
Here we will see how you can use Samba and Kerberos to add a Linux machine to an Active Directory controlled by a Win 2000 Advanced Server. Kerberos authenticates the Linux machine against the Domain Controller. Though we will use PCQLinux (full install) as the client Linux machine, you can use any distro you like; the only requirements are Samba 3 and krb5-1.2.5. PCQLinux 8.0 comes with krb5 pre-installed, but you need to install Samba 3. To install Samba 3, first copy samba-3.0.0-1.i386.rpm from our November PCQ Essential CD to your home directory and run the command below.
#rpm -Uvh samba-3.0.0-1.i386.rpm
Be sure to use the ‘-Uvh’ (upgrade) switch. If you try to install Samba 3 with the ‘-ivh’ switch, it can report conflicts with the previously installed version of Samba. Once Samba is installed, give your Linux machine an FQDN (Fully Qualified Domain Name) within the realm of your Active Directory. This step is not mandatory, but it helps when working on the network. To do this, let’s suppose that the realm of the Active Directory we are going to join the Linux machine to is PCQ.LOCAL. Now open the file /etc/sysconfig/network and add
HOSTNAME=linclnt.pcq.local
Now check whether krb5 is installed on your machine. To do so, run the following command.
#rpm -qa krb5-workstation
The command should return something like krb5-workstation-1.2.5-8. If nothing is returned, then it means that krb5 is not installed. To install it, insert your PCQLinux 8.0 CD-2 (given with the March 2003 issue) and run the command as below.
#rpm -ivh /mnt/cdrom/PCQuest/RPMS/krb5-workstation-1.2.5-8.rpm
Configuring Kerberos
Open the file /etc/krb5.conf and change the ‘libdefaults’, ‘realms’ and ‘domain_realm’ sections of the file so that they look like this.
[libdefaults]
ticket_lifetime = 24000
default_realm = PCQ.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
PCQ.LOCAL = {
kdc = 192.168.1.10:88
admin_server = Kerberos.example.com:749
default_domain = PCQ.LOCAL
}

[domain_realm]
.pcq.local = PCQ.LOCAL
pcq.local = PCQ.LOCAL
Keep the other parts unchanged. Remember that we are assuming that the realm of your Active Directory is ‘PCQ.LOCAL’ and that the IP address of your Domain Controller is 192.168.1.10.
Configuring Samba
Open the file /etc/samba/smb.conf and set the following parameters in the ‘global’ section to the values given below.
workgroup = PCQ
ads server = 192.168.1.10
realm = PCQ.LOCAL
netbios name = linclnt
security = ADS
Now save the file and exit to the terminal.
Joining to ADS
At this point we are just two commands away from joining the machine to the ADS. First, run the following command to authenticate against the ADS.
#kinit administrator@PCQ.LOCAL
This will ask you for the password of the Administrator user of your ADS. Provide the password and hit Enter. The only thing to keep in mind at this stage is the case of the realm: use the same case for the realm that you used in krb5.conf, which is upper case. If you use administrator@pcq.local or something similar, Kerberos won’t authenticate you.
After getting authenticated, it’s time to add the machine to the ADS. To do so, run the following command.
#net ads join -S PCQ.LOCAL
This will give output something like “Joined ‘linclnt’ to realm ‘PCQ.LOCAL’”. To check that everything worked properly, go to your Domain Controller, open ‘Active Directory Users and Computers’ and go to Computers. You will see your Linux machine listed there.
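The whole procedure above, from the krb5.conf and smb.conf sections through kinit and the join, as an added shell example that is not part of the original article: it builds the two configuration fragments from a handful of variables, refuses a realm that is not in upper case (the kinit mistake described above) before anything is written, and wraps the two join commands in one function. The variable values are the article’s (realm PCQ.LOCAL, workgroup PCQ, DC 192.168.1.10, host linclnt); the admin_server line pointing at the DC and the final net ads testjoin check are assumptions of this example, not steps from the article.

```shell
#!/bin/sh
# Added example, not from the article: generate the Kerberos and Samba
# settings for an AD join, checking the realm case first.
# Values are the article's; admin_server -> DC and `net ads testjoin`
# are assumptions of this example.
REALM="PCQ.LOCAL"
WORKGROUP="PCQ"
DC_IP="192.168.1.10"
NETBIOS_NAME="linclnt"

# check_realm_case REALM: succeed only if REALM is entirely upper case.
check_realm_case() {
    _upper=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    [ "$_upper" = "$1" ]
}

# kinit_principal USER REALM: print USER@REALM with the realm forced to
# upper case, so "administrator pcq.local" becomes administrator@PCQ.LOCAL.
kinit_principal() {
    printf '%s@%s\n' "$1" "$(printf '%s' "$2" | tr 'a-z' 'A-Z')"
}

# krb5_fragment REALM DC_IP: print the [libdefaults], [realms] and
# [domain_realm] sections for /etc/krb5.conf (DNS lookups stay off, so the
# KDC address is taken from this file, as in the article).
krb5_fragment() {
    _realm=$1
    _kdc=$2
    _lower=$(printf '%s' "$_realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
 ticket_lifetime = 24000
 default_realm = $_realm
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 $_realm = {
  kdc = $_kdc:88
  admin_server = $_kdc:749
  default_domain = $_realm
 }

[domain_realm]
 .$_lower = $_realm
 $_lower = $_realm
EOF
}

# smb_fragment WORKGROUP DC_IP REALM NETBIOS: print the [global] settings
# for /etc/samba/smb.conf.
smb_fragment() {
    cat <<EOF
[global]
 workgroup = $1
 ads server = $2
 realm = $3
 netbios name = $4
 security = ADS
EOF
}

# write_configs DIR: write krb5.conf and smb.conf under DIR (a scratch
# directory to preview, /etc and /etc/samba for the real thing). Fails
# before writing anything if the realm is not upper case.
write_configs() {
    _dir=$1
    if ! check_realm_case "$REALM"; then
        echo "realm '$REALM' must be upper case, e.g. PCQ.LOCAL" >&2
        return 1
    fi
    krb5_fragment "$REALM" "$DC_IP" > "$_dir/krb5.conf" || return 1
    smb_fragment "$WORKGROUP" "$DC_IP" "$REALM" "$NETBIOS_NAME" > "$_dir/smb.conf"
}

# join_ads: the two commands from the article, run as root once the files
# are in place; needs a reachable DC, so it is not called here.
join_ads() {
    kinit "$(kinit_principal administrator "$REALM")" || return 1
    net ads join -S "$REALM" || return 1
    net ads testjoin   # assumed extra check: verifies the join from Linux
}

# Running the file directly only previews the settings on stdout.
krb5_fragment "$REALM" "$DC_IP"
smb_fragment "$WORKGROUP" "$DC_IP" "$REALM" "$NETBIOS_NAME"
echo "kinit principal: $(kinit_principal administrator "$REALM")"
```

To use it, run the script once to inspect the output, then call write_configs with a scratch directory, compare the result with your existing files, and only then copy the sections into /etc/krb5.conf and /etc/samba/smb.conf before running join_ads as root.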
Accessing a Share from ADS
Now let’s try accessing something on the network that only the Administrator can access. For this, create a share (for example, test) on your Domain Controller or any Windows machine in your realm and grant access only to the Administrator user. Then, on your Linux machine, run the following command to connect to the share with Kerberos authentication.
#smbclient //192.168.1.10/test -k
It will give you access to the test share using the Kerberos ticket obtained with kinit, without prompting for a password.
Anindya Roy