CIFS + Active Directory
From SysadminPunk Wiki!
CIFS + Active Directory + Logon & Logoff Scripts
- My method for using a Linux shared folder as the home directory of Active Directory users. The directory name is derived from the username.
Verify your Samba Installation
Make sure Samba has been compiled to support Kerberos, LDAP, Active Directory, and Winbind. smbd -b prints the build options; grep for the relevant ones:
# cd /usr/sbin
# smbd -b | grep LDAP
   HAVE_LDAP_H
   HAVE_LDAP
   HAVE_LDAP_DOMAIN2HOSTLIST
# smbd -b | grep KRB
   HAVE_KRB5_H
   HAVE_ADDRTYPE_IN_KRB5_ADDRESS
   HAVE_KRB5
# smbd -b | grep ADS
   WITH_ADS
   WITH_ADS
# smbd -b | grep WINBIND
   WITH_WINBIND
   WITH_WINBIND
- If any of these are missing, you probably need to recompile Samba (or install your distribution's Samba packages that were built with Kerberos, LDAP and winbind support).
Configure Kerberos
This is the absolute minimum Kerberos configuration file, /etc/krb5.conf, for connecting to this domain. The section names are [libdefaults], [realms] and [domain_realm]; the last one maps DNS names (lowercase) to the realm (uppercase):
# vi /etc/krb5.conf
[libdefaults]
        default_realm = CORP.BIZ.COM
[realms]
        CORP.BIZ.COM = {
                kdc = DC1.CORP.BIZ.COM
        }
[domain_realm]
        .corp.biz.com = CORP.BIZ.COM
        corp.biz.com = CORP.BIZ.COM
Realm names are case-sensitive, so use uppercase where it is shown. Now try to obtain a ticket, and mind your cases:
# kinit Administrator@CORP.BIZ.COM
Password for Administrator@CORP.BIZ.COM:
If kinit returns without an error the KDC issued a ticket; klist shows it. A "Clock skew too great" error means the Samba host's time differs from the DC by more than five minutes, so sync the clock (NTP against the DC) before going further.
Add important servers to your local /etc/hosts file. It speeds up lookups and provides a fallback in case the DNS servers go down. Note that Kerberos and net ads also locate domain controllers through DNS SRV records, so this entry is a fallback for the DC's name, not a replacement for working AD DNS:
# vi /etc/hosts
172.16.0.252    DC1.CORP.BIZ.COM    DC1
Configure smb.conf file
Note that an Active Directory (net ads join, Kerberos) member needs security = ads and the realm set; security = domain is for NT4-style (net rpc) joins. Two parameter names in the original were misspelled (netbiosname, winbind seperator) and would have been ignored by smbd; they are corrected here.
[global]
workgroup = BIZ
realm = CORP.BIZ.COM
security = ads
dns proxy = yes
server string = %h
password server = DC1
netbios name = NAS
winbind separator = +
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /mnt/data/BIZ/%U
template shell = /bin/bash
winbind use default domain = Yes
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
encrypt passwords = yes
obey pam restrictions = yes
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
[md0]
writable = yes
locking = yes
path = /mnt/md0
public = yes
[md1]
writable = yes
locking = yes
path = /mnt/md1
public = yes
block size = 8192
[backup]
comment = Backup fws
path = /mnt/data/backup
valid users = devel
public = yes
browseable = yes
writable = yes
[homes]
comment = Users Home Directories
path = /mnt/data/BIZ/%U
browseable = no
writeable = yes
create mask = 0770
force create mode = 0770
directory mode = 0770
force directory mode = 0770
veto files = /~/.*/
[shared]
comment = Shared Files
path = /mnt/data/shared
browseable = yes
writable = yes
valid users = "@BIZ+shared user group","@BIZ+shared user group2"
guest ok = no
printable = no
[logs]
comment = Log Files
path = /mnt/data/logs
valid users = "@BIZ+LOG Admins", @BIZ+IT
read only = No
create mask = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770
Save your changes and run
# testparm
This checks smb.conf for syntax errors and reports unknown parameters (a misspelled option such as "winbind seperator" is ignored by smbd, so the setting silently never takes effect). Any errors must be corrected before going ahead. testparm does not judge what the shares allow, so read the share sections with that in mind: as written, [md0] and [md1] are public and writable with no valid users, which means anyone who can reach the server can write to them as the guest account; [backup] sets public = yes, but valid users = devel still restricts it, so the public line is misleading rather than effective. Then start up Samba:
# /etc/init.d/samba start
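testparm only validates syntax. The following Python script is an added example (not part of the wiki page or of Samba) that audits the share sections for the two patterns worth catching before a share goes live: guest-writable shares (public/guest ok with write access and no valid users) and a public = yes that is dead because valid users still restricts the share. It also checks that root is in invalid users. The embedded smb.conf is a constructed sample modelled on the one above; the synonym tables follow Samba's documented aliases (writable / writeable / write ok, public / guest ok, and the inverted read only).

```python
"""Audit a Samba smb.conf for share-level access mistakes that testparm does not flag."""
import re

# Constructed sample: a trimmed copy of the kind of smb.conf this page builds.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = BIZ
   security = ads
   invalid users = root

[md0]
   writable = yes
   path = /mnt/md0
   public = yes

[backup]
   path = /mnt/data/backup
   valid users = devel
   public = yes
   writable = yes

[homes]
   path = /mnt/data/BIZ/%U
   browseable = no
   writeable = yes

[logs]
   path = /mnt/data/logs
   valid users = "@BIZ+LOG Admins", @BIZ+IT
   read only = No
"""

# smb.conf synonyms that smbd accepts; normalise so one check covers every spelling.
WRITE_KEYS = {"writable", "writeable", "write ok"}
GUEST_KEYS = {"public", "guest ok"}
TRUE = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section_name: {key: value}} with keys lower-cased and whitespace squeezed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def is_writable(opts):
    """Samba's default is read only = yes; writable = yes and read only = no both override it."""
    for key in WRITE_KEYS:
        if key in opts:
            return opts[key].lower() in TRUE
    if "read only" in opts:
        return opts["read only"].lower() not in TRUE
    return False


def allows_guest(opts):
    """True if the share permits unauthenticated (guest) connections."""
    return any(opts.get(key, "no").lower() in TRUE for key in GUEST_KEYS)


def audit(text):
    """Return a list of (share, finding) tuples, in the order the shares appear."""
    findings = []
    for name, opts in parse_smb_conf(text).items():
        if name == "global":
            if "root" not in opts.get("invalid users", "").lower().split():
                findings.append((name, "root is not in 'invalid users'"))
            continue
        guest, restricted = allows_guest(opts), "valid users" in opts
        if guest and not restricted and is_writable(opts):
            findings.append((name, "guest-writable: public=yes, no valid users, writable"))
        elif guest and not restricted:
            findings.append((name, "guest-readable: public=yes and no valid users"))
        if guest and restricted:
            findings.append((name, "'public = yes' is dead: 'valid users' still restricts access"))
    return findings


if __name__ == "__main__":
    for share, finding in audit(SAMPLE_SMB_CONF):
        print(f"[{share}] {finding}")
```

Run it against the real file with audit(open("/etc/smb.conf").read()) after testparm passes; [homes] is deliberately not flagged, because each user only ever sees the share named after their own account.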
Add Server to Active Directory
Join your Samba machine to Active Directory. This needs security = ads and realm set in smb.conf, and it creates the machine account in the domain; any account allowed to create computer objects in the target OU will do, it does not have to be Administrator:
# net ads join -U Administrator
Administrator's password:
Joined 'sanj-nas1' to realm 'CORP.BIZ.COM'
Configure nsswitch.conf
Edit /etc/nsswitch.conf. The first three lines are the most important; the others vary according to your system:
passwd:     compat winbind
group:      compat winbind
shadow:     compat
hosts:      files dns wins
networks:   files dns
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
Save your changes, start winbind and restart Samba. Now verify that winbind is working. wbinfo -u pulls the list of users from the AD domain controller (wbinfo -g does the same for groups, and getent passwd confirms that nsswitch is resolving them too):
# wbinfo -u
guest
administrator
leetadmin
sysop
Done.
- Logon.vbs
' VBScript. Biz.com.
' Purpose of this script is to map network drives for our Biz Team.
' ******************************************
' Logon Popup - Currently disabled
' set WshShell = CreateObject("WScript.Shell")
' Result = WshShell.Popup("Authorized Use Only!", 4, "Auctiva.com", 64)
Option Explicit
Dim objNetwork
Dim strDriveLetter, strRemotePath, strUserName
Set objNetwork = WScript.CreateObject("WScript.Network")
strUserName = objNetwork.UserName
' Map H: to the user's [homes] share on the NAS; the share name is the username.
' MapNetworkDrive fails if H: is already mapped, so report the error instead of hiding it.
strDriveLetter = "H:"
strRemotePath = "\\nas1\" & strUserName
On Error Resume Next
objNetwork.MapNetworkDrive strDriveLetter, strRemotePath
If Err.Number <> 0 Then
    WScript.Echo "Could not map " & strDriveLetter & " to " & strRemotePath & ": " & Err.Description
    Err.Clear
Else
    WScript.Echo "Mapped drive " & strDriveLetter & " to " & strRemotePath
End If
On Error GoTo 0
' objNetwork.MapNetworkDrive "S:", "\\nas1\shared", True
WScript.Quit
' End of Biz.com. Logon Script
- and the Logoff Script....
' VBScript. Biz.com.
' Purpose of this script is to unmap network drives for our San Jose Team.
' ******************************************
' Logon Popup - Currently disabled
' set WshShell = CreateObject("WScript.Shell")
' Result = WshShell.Popup("Authorized Use Only!", 4, "Biz.com", 64)
Option Explicit
Dim objNetwork
Set objNetwork = CreateObject("WScript.Network")
' **** Unmount H: - Currently disabled; uncomment to remove the mapping at logoff ***
' objNetwork.RemoveNetworkDrive "H:"
' *** Unmount S: - Currently disabled ***
' objNetwork.RemoveNetworkDrive "S:"
WScript.Quit
' End of Biz.com. Logoff Script