
Samba 3 file server in Active Directory domain


As promised in the last article, today I will describe how to set up a Samba 3 based file server for users in an Active Directory domain.
What is the difference between this walkthrough and, for example, this one? Today we will not use winbind. Our Kerberos client will talk to the KDC of its own AD site, and we will not need to worry about reconfiguring it when the machine moves to another site.

It is assumed that, before performing the steps described here, the Linux server has already been joined to the domain as described previously.


Preparation


Let me remind you that the Open edition of PowerBroker Identity Services can be obtained from the vendor's website, but the download link is handed out in exchange for your name, company name and e-mail address.
There are 32- and 64-bit packages in rpm and deb formats (as well as packages for OS X, AIX, FreeBSD, Solaris and HP-UX).
The program is delivered as a self-extracting archive containing the package for the selected system.
On Debian-based systems the package installs its files under /opt/pbis/.
To join a computer to the domain you can use one of two utilities: /opt/pbis/bin/domainjoin-cli or /opt/pbis/bin/domainjoin-gui.
Naturally, before joining the domain it makes sense to configure the NTP client to synchronize time with a domain controller (or with the time server your PDC emulator synchronizes with).

PBIS ships a utility for integrating Samba with PBIS, samba-interop-install:
 # /opt/pbis/bin/samba-interop-install --help
 Usage: /opt/pbis/bin/samba-interop-install {options} [smbd path]

 Installs interop libraries into Samba and copies the
 machine password from the PowerBroker Identity Services' database to Samba's.

 Options are:
     --help Show this help message
     --install Configure smbd to use interop libraries
     --uninstall Deconfigure smbd's use of interop libraries
     --check-version Ensure the version of smbd is supported
     --loglevel {level} Set the logging to error (default), warning, info,
                          verbose or debug

 One of the options, --install, --uninstall, or --check-version must be passed.

 The last argument is the path to smbd.  If not specified, it will be
 automatically detected.


It lets us perform a few preparatory operations. PBIS does not support integration with every version of Samba. Supported versions are 3.0.25 and newer from the 3.0.X line, plus 3.2.X, 3.4.X, 3.5.X and 3.6.X. Without winbind, however, only Samba 3.2.X, 3.5.X and 3.6.X will work (according to the documentation; I verified this with Samba 3.6.X).
To check whether PBIS supports the installed version of Samba, run:
 # /opt/pbis/bin/samba-interop-install --check-version
 Found smbd version 3.6.6
 Samba version supported

As you can see, the installed version of Samba is supported. Now we can set up the integration with Samba:
 # /opt/pbis/bin/samba-interop-install --install --loglevel debug
 [CheckSambaVersion() /builder/src-buildserver/Platform-7.1/src/linux/samba-interop/tools/samba-interop-install.c:500] Found smbd version 3.6.6
 [InstallWbclient() /builder/src-buildserver/Platform-7.1/src/linux/samba-interop/tools/samba-interop-install.c:587] Link /usr/lib/x86_64-linux-gnu/libwbclient.so.0 already points to /opt/pbis/lib/libwbclient.so.0
 [AddSambaLoadPath() /builder/src-buildserver/Platform-7.1/src/linux/samba-interop/tools/samba-interop-install.c:1100] Samba is already in the load order
 [SetPassword() /builder/src-buildserver/Platform-7.1/src/linux/samba-interop/pstore-plugin/samba-pstore-plugin.c:459] Wrote machine password for domain CORP in secrets.tdb
 Install successful

Here I deliberately ran the command in debug mode to see what samba-interop-install actually does: it replaces Samba's libwbclient.so.0 library with its own, makes sure Samba starts at boot, and stores the computer account password in Samba's secrets store (secrets.tdb).

Samba configuration

Now Samba itself needs to be configured. smb.conf must contain these lines:
  [global]
   security = ADS
   workgroup = CONTOSO
   realm = CONTOSO.COM
   machine password timeout = 0 

The line “machine password timeout = 0” is important: it prevents Samba from changing the computer account password, which PBIS manages and has just copied into secrets.tdb.
Next we define the share:
  [shared-folder]
         comment = Test shared folder
         path = /home/shared-folder
         valid users = CONTOSO\User1, CONTOSO\User2, @CONTOSO\Administrators^domain
         read only = No

(PBIS represents a space inside an account or group name with ^ by default, which is why the group name containing a space is written that way in valid users.)
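As an added example that is not part of the original article, here is a small POSIX shell check that parses an smb.conf and confirms the [global] settings this PBIS-without-winbind setup relies on. The embedded smb.conf is constructed from the snippets above, and the function names (smb_get, check_pbis_smb_conf) are my own.

```shell
#!/bin/sh
# Added example: sanity-check smb.conf for the PBIS interop setup.
# Constructed sample smb.conf mirroring the article's snippets (not a real server file).
SAMPLE_SMB_CONF='[global]
   security = ADS
   workgroup = CONTOSO
   realm = CONTOSO.COM
   machine password timeout = 0

[shared-folder]
   comment = Test shared folder
   path = /home/shared-folder
   valid users = CONTOSO\User1, CONTOSO\User2, @CONTOSO\Administrators^domain
   read only = No
'

# smb_get FILE SECTION KEY: print the trimmed value of KEY inside [SECTION]
# (section and key names compared case-insensitively, as smbd does); empty if absent.
smb_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
                        insec = (tolower(s) == tolower(sec)); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_pbis_smb_conf FILE: return 0 when [global] carries what the PBIS interop needs,
# otherwise print one line per problem and return 1.
check_pbis_smb_conf() {
    rc=0
    [ "$(lc "$(smb_get "$1" global security)")" = "ads" ] || { echo "security must be ADS"; rc=1; }
    [ -n "$(smb_get "$1" global workgroup)" ] || { echo "workgroup is not set"; rc=1; }
    [ -n "$(smb_get "$1" global realm)" ] || { echo "realm is not set"; rc=1; }
    # PBIS owns the machine account password; smbd must never rotate it behind PBIS's back
    [ "$(smb_get "$1" global 'machine password timeout')" = "0" ] \
        || { echo "machine password timeout must be 0"; rc=1; }
    return $rc
}

# Run the check on the constructed sample (written to a temporary file).
SAMPLE_FILE=$(mktemp)
printf '%s' "$SAMPLE_SMB_CONF" > "$SAMPLE_FILE"
check_pbis_smb_conf "$SAMPLE_FILE" && echo "smb.conf looks right for PBIS interop"
```

Point check_pbis_smb_conf at /etc/samba/smb.conf to run it against a real server; it complements testparm, which validates syntax but not these particular values.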


Finishing up


Do not forget to check the settings:
 # testparm 

If everything is OK, restart Samba.
Then try to open the newly configured shared folder from another PC and enjoy the result.

Source: https://habr.com/ru/post/174497/
