
Debian Administration :: Using Samba on Debian Linux


Using Samba on Debian Linux


Posted by ltackmann on Thu 26 Jan 2006 at 10:29

Tags: active directory, kerberos, samba

This article will show you how to install Samba 3.X on Debian Linux 3.1 (Sarge) and make it authenticate against a Windows server running Active Directory. It is not intended to replace the official Samba 3 manual, which is quite a good read anyway.

Core software
I will show two ways of installing Samba: using apt or directly from source. In either case, make sure apt's package index files are synchronized:
apt-get update
apt-get upgrade

To install from apt run:


apt-get install samba smbclient winbind krb5-doc krb5-user \
    krb5-config

To compile Samba yourself you need to have MIT Kerberos and OpenLDAP installed:
apt-get install libkrb53 libcupsys2-gnutls10 libldap2 \
    libldap2-dev libkrb5-dev krb5-doc krb5-user \
    krb5-config

Then grab the latest version of the Samba source (for this article we will use samba-3.0.9.tar.gz), and do:

http://www.debian-administration.org/articles/340

7/20/2007


tar zxvf samba-3.0.9.tar.gz -C /tmp/
cd /tmp/samba-3.0.9/source
./configure \
    --prefix=/usr \
    --localstatedir=/var \
    --with-configdir=/etc/samba \
    --with-privatedir=/etc/samba \
    --with-fhs \
    --with-quotas \
    --with-smbmount \
    --with-pam \
    --with-pam_smbpass \
    --with-syslog \
    --with-utmp \
    --with-sambabook=/usr/share/swat/using_samba \
    --with-swatdir=/usr/share/swat \
    --with-shared-modules=idmap_rid \
    --with-libsmbclient \
    --with-automount \
    --with-msdfs \
    --with-ads \
    --with-winbind \
    --with-winbind-auth-challenge \
    --with-manpages-langs=en \
    --with-idmap \
    --with-acl-support \
    --with-ldap
make
make install

Windows server setup


Install a Windows server and make it act as a domain controller (see this guide for pointers on setting up a domain controller). I will use the following server setup:

- Domain administrator account on Windows server: administrator
- Domain name: testdomain
- Fully qualified domain name: testdomain.local
- Hostname of Windows domain controller: win2003test
- IP address of Windows domain controller: 192.168.1.101

You should familiarize yourself with what these correspond to in your local domain before continuing with this guide.

Network setup
We need to make sure that DNS is working properly on the server running Samba. This is done by making the Windows domain controller the default DNS server. To do this I replace my DNS configuration in /etc/resolv.conf with the following:


search testdomain.local
nameserver 192.168.1.101

If you have more than one DNS server in your domain, then also add them here. Test DNS using:
nslookup win2003test
> Server: 192.168.1.101
> Address: 192.168.1.101
> Name: win2003test.testdomain.local
> Address: 192.168.1.101

Test reverse lookup using:


host 192.168.1.101
> 101.1.168.192.in-addr.arpa domain name pointer
> win2003test.testdomain.local.

If for some reason either of these two tests fails, then go through your network setup and this section again. Your DNS must be correctly configured in order to run Samba successfully with Active Directory.

Kerberos setup
We will have to configure Kerberos (you could avoid this by setting the password server in /etc/samba/smb.conf to the PDC emulator, but then you would be talking old-school NTLM with the domain controller). To get real AD working, add the following lines to /etc/krb5.conf:
[realms]
    TESTDOMAIN.LOCAL = {
        kdc = win2003test.testdomain.local
        admin_server = win2003test.testdomain.local
    }

Then do:
kinit administrator@TESTDOMAIN.LOCAL

The syntax is kinit user@REALM, where REALM is your Active Directory domain name and must be all uppercase. If you do not use all uppercase for the realm, you'll receive either this error:
kinit(v5): Cannot find KDC for requested realm while getting initial credentials
or this error:
kinit(v5): KDC reply did not match expectations while getting initial credentials
You can test your Kerberos setup by issuing:
klist

If it reports that you have no keys in the cache then something is wrong. In the event that you receive:
kinit(v5): Clock skew too great while getting initial credentials
then make sure that the clocks of your Windows server and your Linux server are within five minutes of each other. If the time is off by more than that, the two servers will be unable to send ticket information to each other.


Optional: Use a NTP Server


One way to solve the clock synchronisation problem is to use a time server (you might even want to use your Active Directory server(s)). Using an NTP server is optional and not strictly required in order to run Samba in AD, but here is how it is done. First install the required NTP packages:
apt-get install ntpdate

Then add your favorite time server(s) to /etc/ntp.conf, and execute:


/etc/init.d/ntpdate restart

Samba setup
To connect to your domain, create /etc/samba/smb.conf and add:
[global]
    security = ads
    password server = win2003test
    encrypt passwords = yes
    workgroup = testdomain
    realm = TESTDOMAIN.LOCAL
    netbios name = temporay
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = Yes

In workgroup insert the domain name; realm should be set to the fully qualified domain name (uppercase). Insert the name of the Windows server to authenticate against in the password server field. We are now ready to start the needed services:
smbd
nmbd

To join the domain in the default organisation unit do:


net ads join -W testdomain -S win2003test -U administrator

or use another unit like this:


net ads join Denmark\/Copenhagen\/Computers -W testdomain \
    -S win2003test -U administrator

Now check if everything works by issuing the following commands:

- Test domain computer account: net ads testjoin.
- Test winbindd: wbinfo -u to list AD users and wbinfo -g for groups.
- Test connection to a remote Windows server from the Samba server: smbclient -L //win2003test -k.

Run wbinfo -t; it should return: checking the trust secret via RPC calls succeeded. Otherwise you have done something wrong (use testparm -v to check your Samba configuration). Finally, test connectivity from a Windows box: Start - Run - \\SAMBASERVER.
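
The join depends on /etc/resolv.conf, /etc/krb5.conf and /etc/samba/smb.conf agreeing with each other, in particular on the uppercase realm. The script below is an added example, not part of the original article or of Samba: its function names (smb_get, krb5_realms, check_ads_config, make_sample) and the sample files it writes are constructed here, and it assumes the settings live in the first matching "key = value" line of smb.conf.

```shell
#!/bin/sh
# Added example: offline pre-join check of the three files edited in this article.
# Function names and sample files are this example's own, not Samba tooling.

smb_get() {            # smb_get FILE KEY -> value of the first "KEY = value" (KEY lowercase)
    awk -v k="$2" '
        /^[ \t]*[#;]/ || !/=/ { next }
        { key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
          if (tolower(key) == k) { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit } }
    ' "$1"
}

krb5_realms() {        # krb5_realms FILE -> realm names defined under [realms]
    awk '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); next }
        in_realms && /=[ \t]*[{]/ { sub(/[ \t]*=.*/, ""); sub(/^[ \t]+/, ""); print }
    ' "$1"
}

check_ads_config() {   # check_ads_config SMB_CONF KRB5_CONF RESOLV_CONF; returns 0 if consistent
    rc=0
    realm=$(smb_get "$1" realm)
    sec=$(smb_get "$1" security | tr 'A-Z' 'a-z')
    upper=$(printf '%s' "$realm" | tr 'a-z' 'A-Z')
    [ "$sec" = ads ] || { echo "FAIL: security = '$sec', expected ads"; rc=1; }
    if [ -z "$realm" ] || [ "$realm" != "$upper" ]; then
        echo "FAIL: realm '$realm' must be set and all uppercase"; rc=1
    elif ! krb5_realms "$2" | grep -qxF "$realm"; then
        echo "FAIL: no [realms] entry for $realm in $2"; rc=1
    fi
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[^[:space:]]' "$3" ||
        { echo "FAIL: no nameserver line in $3"; rc=1; }
    return $rc
}

make_sample() {        # make_sample DIR REALM: write constructed sample files into DIR
    printf '[global]\n  security = ads\n  workgroup = testdomain\n  realm = %s\n' "$2" > "$1/smb.conf"
    printf '[realms]\n  TESTDOMAIN.LOCAL = {\n    kdc = win2003test.testdomain.local\n  }\n' > "$1/krb5.conf"
    printf 'search testdomain.local\nnameserver 192.168.1.101\n' > "$1/resolv.conf"
}

d=$(mktemp -d)
make_sample "$d" testdomain.local    # lowercase realm: the mistake the Kerberos section warns about
check_ads_config "$d/smb.conf" "$d/krb5.conf" "$d/resolv.conf" || echo "=> fix before net ads join"
make_sample "$d" TESTDOMAIN.LOCAL
check_ads_config "$d/smb.conf" "$d/krb5.conf" "$d/resolv.conf" && echo "OK: files are consistent"
rm -rf "$d"
```

To use it on a real host, call check_ads_config with the paths of the three live files before running net ads join.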

Re: Using Samba on Debian Linux


Posted by Anonymous (84.194.xx.xx) on Thu 26 Jan 2006 at 10:52

This is good and short. Like the best HOWTOs! Especially the fact that it's just a full-Debian-compliant-howto is fantastic. Thanks for it! For people interested, I wrote a Add a Debian Linux Samba 3 server to your Windows NT4 domain HOWTO. For the good, old, (and still running) NT4 domains, the Debian way ;)

Re: Using Samba on Debian Linux


Posted by ltackmann (80.162.xx.xx) on Thu 26 Jan 2006 at 11:08

Thanks, I am glad my English is understood by others than myself. I just discovered some badly formatted HTML (the Windows admin account is "administrator" not "administrator>") and a couple of spelling mistakes. I have fixed them in the version I originally posted on my blog, but have been unable to update the one here.

Re: Using Samba on Debian Linux


Posted by Anonymous (80.28.xx.xx) on Thu 26 Jan 2006 at 19:03

Any link for authenticating ONLY A LINUX CLIENT into a Windows Domain? ONLY AUTHENTICATE. Thanks

Re: Using Samba on Debian Linux


Posted by bitlz (212.57.xx.xx) on Fri 27 Jan 2006 at 05:53

add to your /etc/apt/sources.list:
deb http://www.backports.org/debian/ sarge-backports main contrib non-free
and just install latest samba from backports
# aptitude update
# aptitude install samba
wbr, eugene v. samusev

Re: Using Samba on Debian Linux


Posted by Anonymous (195.212.xx.xx) on Fri 27 Jan 2006 at 08:28


Is it necessary for this Howto to compile samba from the sources? Sarge is shipped with version 3.0.14a and on samba.org there is version 3.0.21a available. Thanks Markus

Re: Using Samba on Debian Linux


Posted by ltackmann (80.162.xx.xx) on Fri 27 Jan 2006 at 09:18

In the article I state: I will show two ways of installing Samba: using apt or directly from source. So no, it is not necessary; I just chose to include it because there are some bugs in the current Sarge samba that can be eliminated by compiling a newer version. Regards. Lars Roland

Re: Using Samba on Debian Linux


Posted by Anonymous (195.212.xx.xx) on Fri 27 Jan 2006 at 10:28

Hi Lars, thanks for the clarification. Which bugs are in the sarge samba version? Do they taint the ADS connectivity? Greets Markus

Re: Using Samba on Debian Linux


Posted by ltackmann (80.162.xx.xx) on Fri 27 Jan 2006 at 10:57

There is a problem with NTLM connectivity to Windows servers if they have applied "Update Rollup 1 for Windows 2000 SP4". It is only a minor annoyance, but it breaks RPC style connects from winbind. Calling it a bug may be wrong, but it is a known problem. Regards Lars Roland

Re: Using Samba on Debian Linux


Posted by Anonymous (82.209.xx.xx) on Sun 12 Feb 2006 at 19:50

Debian administrators? Heh. Why not to rebuild debian package? ./configure && make && make install is not a debian way.


Re: Using Samba on Debian Linux


Posted by hypatia (199.223.xx.xx) on Tue 21 Feb 2006 at 17:30

Nice tutorial. It worked well for me until I ran "wbinfo -t". I got the following error:
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret

Re: Using Samba on Debian Linux


Posted by Anonymous (81.133.xx.xx) on Fri 24 Feb 2006 at 14:10

I'm getting a similar error too ...
wbinfo -t
checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret

Re: Using Samba on Debian Linux


Posted by Anonymous (80.162.xx.xx) on Fri 24 Feb 2006 at 14:20

Just ignore this if you are not using winbind. I have been unable to update the article to reflect that this winbind check will only work on newer samba releases.

Re: Using Samba on Debian Linux


Posted by Anonymous (200.31.xx.xx) on Tue 28 Feb 2006 at 23:06

Perfect, it is a great tutorial. Thanks to the friends at Debian Administration for sharing a great tutorial... thanks. Fredy Gonzales P. fredyg@negosat.com

Re: Using Samba on Debian Linux


Posted by Anonymous (68.112.xx.xx) on Tue 7 Mar 2006 at 01:44

Thank you. This was terrific and I managed to get this far successfully. Now I want to create shares on my samba server (which I can do successfully); but how do I get the shares created on samba to have the Active Directory permissions (acls)?

Re: Using Samba on Debian Linux


Posted by Anonymous (62.214.xx.xx) on Wed 22 Mar 2006 at 14:31

That's my problem, too. Everything works fine but when I open \\myserver from Windows it asks for Username and Password but I want it to authenticate against my ADS.


But it's a very nice and easy to understand tutorial, thanks a lot!

Re: Using Samba on Debian Linux


Posted by Anonymous (57.74.xx.xx) on Mon 31 Jul 2006 at 15:42

hi, i think that you have to tell pam that auth to ADS

Re: Using Samba on Debian Linux


Posted by Anonymous (70.56.xx.xx) on Sat 17 Feb 2007 at 22:12

One key thing missing from this tutorial, which is an awesome HOWTO, is the fact you need to change the group on the directory or file using an OU or CN from AD, i.e., chgrp "Domain Admins" /home/share. This path should be the same path as the share in your Samba config file (smb.conf). You do have to configure pam to use winbind, but it works great.

Re: Using Samba on Debian Linux


Posted by Anonymous (216.105.xx.xx) on Thu 16 Mar 2006 at 13:46

THANKS! the kerberos setup portion helped me get my libapache2-mod-auth-kerb working! great howto.

Re: Using Samba on Debian Linux


Posted by bacula (86.135.xx.xx) on Sat 25 Mar 2006 at 20:21

i would love this samba server setup in debian way instead of compiling from source easy samba server setup in debian and this is most lovely setup

Re: Using Samba on Debian Linux


Posted by Anonymous (222.165.xx.xx) on Fri 31 Mar 2006 at 05:15

Hi, We find this article very useful in installing samba on debian system. But we have faced a problem while installing, that is when we issue apt-get to install the required debian packages, due to a dependency it automatically installs postgresql-7.5. But we are already using postgresql-7.4 and we need to install samba keeping our existing postgresql-7.4 version. If somebody has the packages which can work with postgresql-7.4, please share that information with us. Thanks in advance, Amal.

Re: Using Samba on Debian Linux


Posted by ltackmann (212.242.xx.xx) on Sat 1 Apr 2006 at 16:23

emm postgresql 7.5 does not exist, latest version in the 7.X branch is 7.4.12 (see http://www.postgresql.org/).

Re: Using Samba on Debian Linux


Posted by debstar (196.192.xx.xx) on Thu 27 Jul 2006 at 14:52

Good article. I read the fine manual but your article is straightforward. For me, I had to set :
winbind separator = +

to avoid some errors from winbind. However, when I want to mount some shares I got this error message : cli_negprot: SMB signing is mandatory and we have disabled it. even if I set :
client signing = mandatory

Do you have any advice for this? NMC RATOANDROMANANA Nirina Michel

Re: Using Samba on Debian Linux


Posted by Anonymous (62.252.xx.xx) on Sun 27 Aug 2006 at 13:04

A brief article of similar quality would be helpful (and appears to be lacking) on setting up a Samba client running under Debian along with a Samba server connecting to provide effective 2way transferability with hosts within a Windows workgroup (i.e. no Domain server). I gave up running a windows domain in my living room a few years ago and saved several 's a month off my electric bill :) regards Ethan

Re: Using Samba on Debian Linux


Posted by pdizzyz (70.56.xx.xx) on Sat 17 Feb 2007 at 23:10

Excellent article. There are a few things that I found from some other tutorials that help resolve some errors I encountered. But since this HOWTO was the simplest to follow and is Debian specific I decided to post them here. First off are the PAM configs /etc/pam.d/common-*, there are a few entries you need to make, in each of the common-* config files add the following lines,
auth sufficient pam_winbind.so use_first_pass
account sufficient pam_winbind.so
The next thing to update is the /etc/nsswitch.conf
passwd: winbind compat
shadow: winbind compat
group: winbind compat
The last thing I found I needed to do was to use the `chgrp` to change the group ownership of the share, i.e., the path in the share in the smb.conf file, to use an AD group. This one took me a little longer to figure out, but there are two ways this can look depending on the smb.conf entries. If winbind use default domain = Yes then your AD groups are as they appear when browsing through AD. So I used
chgrp "Domain Admins" /home/adminshare
If winbind use default domain = NO then your AD groups may need the domain prefixed to the group, assuming your domain is TEST.COM
chgrp "TEST+Domain Admins" /home/adminshare
If you are unsure of how winbind reads or browses the AD you can simply just use wbinfo -g and the list it returns is the format you should use. You may get an error that the user or group doesn't exist. This means that the PAM and nsswitch are not set up properly. The last thing to make sure all works is to use, again assuming TEST.COM,
smbclient //[server]/[share] -U test/joe
this should prompt for a password and when successful show smb:>. I received two different types of errors, NT_STATUS_LOGON_FAILURE, this was when it was not able to find the user in AD. It was usually caused by a syntax error on my part. It means it either can't connect or it can't find the user. NT_STATUS_ACCESS_DENIED, this was when I didn't have access to the share. This was a good error because it meant everything was working correctly with AD and it became a permissions issue. I may have left something out, I wrote this from memory mostly. Let me know if it helps. Peter

Re: Using Samba on Debian Linux


Posted by Anonymous (84.191.xx.xx) on Tue 22 May 2007 at 13:26

lovely howto! maybe you should update the part concerning the necessary packages, the libpamdev is missing for configure to add pam support when compiling.
aptitude install libpam-dev
another advance seems to be the ability to automatically update dns entries on the ms dns server if you use the brandnew :) 3.0.25 samba release.
./configure --with-dnsupdate
thanx alot for the great tutorial! ben

Re: Using Samba on Debian Linux


Posted by Anonymous (84.191.xx.xx) on Tue 22 May 2007 at 13:31

ups, add uuid support for dns update capability
aptitude install uuid-dev
cheers

Articles and comments are the property of their respective posters. Trademarks are the property of their respective owners. Debian is a registered trademark of Software in the Public Interest, Inc. This site is copyright 2004-2007 Pink Pony Productions / Steve Kemp.
