Using Samba with VAS and Active Directory
- Steps
- 1. Install Heimdal
- 2. Install Samba
- 3. Join the domain using VAS
- 4. Link krb5.conf
- 5. Join the domain using Samba
- 6. Verify join
- 7. Start Samba
- 8. Verify Samba
- 9. Schedule computer password update
- Conclusion
Steps
Follow these steps to get Samba running on a VAS-enabled host.
1. Install Heimdal
Download Heimdal (0.6.3 or later) and build it with its own prefix so it stays separate from the system-installed Kerberos libraries. That keeps the two from being mixed up at link time and makes upgrades easier to manage.
$ ./configure --prefix=/opt/heimdal && make && make install
2. Install Samba
Download the Samba source (I used 3.0.14a), then configure and build it, pointing --with-krb5 at the Heimdal prefix from step 1 so Samba links against that Heimdal and not the system Kerberos.
$ ./configure --without-winbind --with-ldap --with-ads --prefix=/opt/samba --with-krb5=/opt/heimdal
Create a /opt/samba/lib/smb.conf file with the following basic settings.

[global]
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    security = ADS
    encrypt passwords = Yes
    use spnego = Yes
    client use spnego = Yes
    use kerberos keytab = Yes
    machine password timeout = 0

[homes]
    comment = Home directories
I recommend starting with this minimal configuration to validate Samba. Add shares to it as you like, but do not change any of the [global] values defined here: the later steps depend on them, in particular on use kerberos keytab = Yes (so Samba writes its keys into the keytab) and machine password timeout = 0 (so smbd does not rotate the machine password on its own).
3. Join the domain using VAS
Join AD with VAS, then remove the host.keytab it wrote. Samba re-creates the keytab when it joins in step 5, but it adds to an existing file rather than overwriting it, so it should start from a clean slate.
# /opt/vas/bin/vastool -u Administrator join example.com
# rm -f /etc/opt/vas/host.keytab
Both VAS and Samba will want to manage the machine password and the keytab, so we stop both of them from doing it automatically and handle the rotation ourselves in step 9. Make sure smb.conf always has

machine password timeout = 0

and disable the VAS daemon's own password rotation with vastool:

# /opt/vas/bin/vastool configure vas vascd password-change-interval 0
4. Link krb5.conf
Link the VAS configuration to /etc/krb5.conf so that the Heimdal libraries Samba was built against pick up VAS's realm settings and keytab location, and Samba therefore modifies the same keytab VAS uses. If the host already has a /etc/krb5.conf, move it aside first.
# ln -s /etc/opt/vas/vas.conf /etc/krb5.conf
5. Join the domain using Samba
Re-join AD with Samba, which resets the machine password and writes a fresh host.keytab.
# /opt/samba/bin/net -U Administrator ads join
6. Verify join
Ensure that VAS is happy with the newly created host.keytab by running vastool flush:
# /opt/vas/bin/vastool flush
or by running a host kinit:
# /opt/vas/bin/vastool -u host/ kinit host/
If the users and groups cache were reloaded, or the kinit was successful, VAS is happy with the new keytab.
7. Start Samba
Start nmbd and smbd.
# /opt/samba/sbin/nmbd -D
# /opt/samba/sbin/smbd -D
You'll want to put these into a startup or startsrc script.
8. Verify Samba
Test VAS by logging in as a VAS/AD user and making sure you have a ticket.
$ /opt/vas/bin/vastool klist
Test Samba with both NTLM and GSSAPI/Kerberos by listing the shares on the local host's FQDN (replace rh1.example.com with your FQDN). The first command authenticates with NTLM and prompts for your password; the second, with -k, uses the Kerberos ticket from your VAS login, which is the path that exercises the new keytab.
$ /opt/samba/bin/smbclient -L //rh1.example.com
$ /opt/samba/bin/smbclient -k -L //rh1.example.com
9. Schedule computer password update
Everything is working now, but domain members are expected to rotate their computer account password every 30 days by default, and in step 3 we told both Samba and VAS not to do that on their own. So we need a script and a cron job to take care of the password change.
# crontab -e
Add a crontab entry that looks like this:
# Refresh the host key on the 1st and 15th day of each month at 12:45am
45 0 1,15 * * /bin/sh /opt/vintela/vas/bin/chhostpass.sh
Now create the chhostpass.sh script with the following content. Note that the crontab entry and the script use the /opt/vintela/vas layout; if your VAS lives under /opt/vas and /etc/opt/vas as in the earlier steps, adjust the paths to match your host.
#! /bin/sh
# /opt/vintela/vas/bin/chhostpass.sh
#
# This script resets the machine password (host key) in Active Directory
# and refreshes the host keytab. It should be run at least once every
# 30 days, as root. Paths assume a /opt/vintela/vas install of VAS;
# adjust them (e.g. to /opt/vas and /etc/opt/vas) to match your host.
#
KEYTAB=/etc/opt/vintela/vas/host.keytab
DATE=`date +%Y-%m-%d`    # portable; date -I is GNU-only

# Keep a dated copy of the outgoing keytab for troubleshooting. It holds
# the soon-to-be-old key, so it must stay root-only; prune old copies.
if [ -f "$KEYTAB" ]; then
    cp -p "$KEYTAB" "$KEYTAB.old.$DATE" || exit 1
    chmod 600 "$KEYTAB.old.$DATE"
fi

# Ask AD for a new machine password. With "use kerberos keytab = Yes"
# in smb.conf, net also writes the new key into the keytab.
if ! /opt/samba/bin/net ads changetrustpw; then
    echo "$0: The password change failed. Please change manually." >&2
    exit 1
fi

# Prove the new keytab works by getting a TGT as the host principal,
# then make VAS reload its caches with the new key.
if /opt/vintela/vas/bin/vastool -u host/ kinit host/; then
    /opt/vintela/vas/bin/vastool flush
else
    echo "$0: Password changed in AD but the host kinit failed;" \
         "check $KEYTAB against $KEYTAB.old.$DATE." >&2
    exit 1
fi
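Step 3 removed the keytab because Samba adds keys to an existing file instead of replacing it, and step 9 now rewrites the keytab twice a month. A quick way to confirm that neither has left dead keys behind, and that the file is still root-only, is to parse the Heimdal ktutil listing. The script below is an added example for this article, not part of Kyle's procedure; it assumes ktutil at /opt/heimdal/bin/ktutil and the /etc/opt/vas keytab path from the earlier steps, and the listing it runs on by default is constructed in the shape ktutil prints, not taken from a real host. It tolerates one previous key version (kvno-1) per principal, since service tickets issued under the old key stay valid for hours, and flags anything older.

```shell
#!/bin/sh
# keytab_check.sh: sanity checks for the host keytab after a join or a
# password rotation. Added example, not the article's own script.
# Assumes Heimdal's ktutil under /opt/heimdal and the VAS keytab path from
# the steps above; override with KTUTIL=... KEYTAB=... in the environment.
KTUTIL=${KTUTIL:-/opt/heimdal/bin/ktutil}
KEYTAB=${KEYTAB:-/etc/opt/vas/host.keytab}
# Number of previous key versions to tolerate beside the current one.
# Service tickets already issued under the previous key stay valid for
# hours, so kvno-1 is legitimate; anything older is a dead key.
KEEP_OLD=${KEEP_OLD:-1}

# Read the output of "ktutil -k <keytab> list" on stdin and print one line
# per entry whose kvno is more than KEEP_OLD behind that principal's
# newest kvno. Prints nothing for a clean keytab.
stale_entries() {
    awk -v keep="$KEEP_OLD" '
        # Data rows begin with the numeric kvno; the FILE: line, the blank
        # line and the "Vno Type Principal" header do not.
        $1 ~ /^[0-9]+$/ {
            p = $3; v = $1 + 0
            vers[p, v] = 1
            if (!(p in max) || v > max[p]) max[p] = v
        }
        END {
            for (k in vers) {
                split(k, a, SUBSEP); p = a[1]; v = a[2] + 0
                if (v < max[p] - keep)
                    printf "%s kvno %d (current %d)\n", p, v, max[p]
            }
        }' | sort
}

# Return 0 if the listing on stdin has no stale entries, 1 otherwise
# (stale entries are reported on stderr).
keytab_is_clean() {
    stale=$(stale_entries)
    [ -z "$stale" ] && return 0
    printf 'stale keytab entries:\n%s\n' "$stale" >&2
    return 1
}

# Return 0 if the file is a regular file with mode 0600. The keytab is the
# host's long-term secret; anything wider than rw------- is a finding.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed listing in the shape ktutil prints, not taken from a real
# host: host/ carries kvno 2 and 3 left over from earlier joins beside
# the current kvno 5.
sample_listing() {
    cat <<'EOF'
FILE:/etc/opt/vas/host.keytab

Vno  Type              Principal
  2  des-cbc-md5       host/rh1.example.com@EXAMPLE.COM
  2  des-cbc-crc       host/rh1.example.com@EXAMPLE.COM
  3  des-cbc-md5       host/rh1.example.com@EXAMPLE.COM
  3  arcfour-hmac-md5  host/rh1.example.com@EXAMPLE.COM
  5  arcfour-hmac-md5  host/rh1.example.com@EXAMPLE.COM
  5  arcfour-hmac-md5  RH1$@EXAMPLE.COM
EOF
}

# With --live, inspect the real keytab; otherwise run on the sample.
if [ "${1:-}" = "--live" ]; then
    "$KTUTIL" -k "$KEYTAB" list | keytab_is_clean && keytab_perms_ok "$KEYTAB" \
        && echo "$KEYTAB: ok"
else
    sample_listing | keytab_is_clean || echo "sample keytab needs flushing"
fi
```

Run it as root with --live after `net ads changetrustpw` (or from the cron script once the kinit succeeds); a non-zero exit means either stale kvnos or a keytab readable by someone other than root. Stale entries are removed with ktutil's remove command or, more simply, by deleting the keytab and re-joining as in steps 3 and 5.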
Conclusion
Now Samba and the script are in control of managing the AD host key.
— Kyle Robinson