The installation of Samba4 as DC is almost finished. Despite some minor issues and a bit of work involved it was a rather pleasant and nice thing to do. I try to document the steps I had to do here as a little reference. Implementing Linux clients is still open, so for now this is very Solaris centric. But should be easy to reproduce on Linux.
Start off with the Samba4 how-to
here. It gives all information needed to build and setup your DC. Once this is completed you are ready to serve Windows clients.
But I want to do a little bit more and use the data in Samba4's LDAP to serve the Unix boxes as well.
For wide parts I followed Scott Lowe's
post on integrating Solaris 10 and Active Directory.
Since a few things differ when using Samba4 as AD I'll list the steps with short comments here again:
I skipped the part about installing the "Server for NIS" on the AD server. When I started off setting things up I didn't the schema use by AD and SFU at hand. But you only need that if you plan to manage you users with the MS tools (MMC and the likes). Since I tend to do that stuff from my Solaris box with a few scripts I found the presence of the posixAccount and shadowAccount objectclasses sufficient. As it turns out the need schema for the SFU stuff can be found
here.
I created a test account with
net newuser test password
and set the required attributes with ldapmodify:
ldapmodify -h ldapserver -D adminsitrator@YOURDOMAIN
dn: cn=test,cn=users,dc=YOURDOMAIN
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 1000
-
add: gidnumber
gidnumber: 100
-
add:unixhomedirectory
unixhomedirectory: /home/test
-
add: loginshell
loginshell: /bin/tcsh
This will be done with a litte script later, including creating a ZFS dataset for the user, finding the next free uidnumber and so on. For now this is just fine.
Well almost perfect. Unfortunately the MS AD schema used by Samba4 doesn't know anything about automount maps. So I had to add the necessary schema.
The schema definition is
here. This creates an auto_master map with entries for /net and /home and the auto_home map with an entry for
* fileserver:/export/home/&
autmount.ldif can be added using ldapadd. The creation of the actual maps with ldapadd fails though. It gives a naming violation and I haven't found out why yet. Luckily Samba4 brings ldbmodify that can process LDIFs and write them into the database.
Point it to the ldb file for your domain. (Those files are in $SAMBAHOME/private/sam.ldb.d/ ):
ldbmodify -H $SAMBAHOME/private/sam.ldb.d/DC%3DYOURDOMAIN.ldb -U administrator autmount_maps.ldifYou may want to make a backup before ;-)
Next thing is to setup Kerberos. For that to work we need to create service principals in the Kerberos database for each host that we want to join.
Scott's post suggests to create an user account for each Solaris machine and to use ktpass.exe to generate a keytab file. Since I couldn't find a version of ktpass that would work on the Windows7 (virtual machines) I have here, I reverted to an alternative way. The easiest was to just use Samba3 and join the machines as domain members using a minimal smb.conf with
workgroup = DOMAINrealm = REALMsecurity = ADSWhen you have the smb.conf in place do the basic Kerberos setup on your Solaris client. Either use kclient to configure everything or copy the krb5.conf from your S4 DC. That file is created during the provision and can be found in $SAMBAHOME/private/krb5.conf. krb5.conf goes into /etc/krb5 on Solaris.
Test your Kerberos setup with
kinit administrator@REALM (mind the uppercase for the realm). That should exit without failure. You can check your ticket with klist.
If that worked you can now do a
net ads join -U administratorto join the domain. Upon a successful join we can use
net keytab create to write the principal key into a local file. The Samba3 that comes with Solaris10 writes the krb5.keytab in /etc. The Solaris Kerberos client expects that file to be in /etc/krb5 though. So just move it there.
Now we have Kerberos configured and the needed keytab in place.
Tell PAM to use Kerberos for authentication by modifying /etc/pam.conf to look like this:
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1The last missing piece is the LDAP configuration. For now I trimmed down the ldapclient line from Scott's post to;
ldapclient manual \-a defaultSearchBase=dc=example,dc=com \-a domainName=example.com \-a defaultServerList=172.16.1.10 \-a attributeMap=passwd:gecos=cn \-a attributeMap=passwd:homedirectory=unixHomeDirectory \-a serviceSearchDescriptor=passwd:cn=users,dc=example,dc=com \-a serviceSearchDescriptor=group:cn=users,dc=example,dc=comProblem is that this expects the users to have objectclass posixAccount and shadowAccount (no problem for me, since I set those in my scripts). The windows tools only set objectclass user (see the objectClassMap in Scott's post).
I tried with that mapping in place, but found that
getent passwd fails to list LDAP users,
getent passwd username works,
finger fails, logins work. I assume there is something wrong with getent in Solaris but I need to investigate a litte more.
Without the objectclassmap in place everything works just fine.
One advise - ldapclient copies /etc/nsswitch.ldap to /etc/nsswitch.conf. So go and check that file, especially look at the hosts line. You sure want DNS in there... ;-)
Now users can login with their domain accounts and have a common password for both Windows and Solaris.
I need to play around with the mappings a little more and get a few more maps into LDAP (auth_attr, prof_attr and project at least). Also at the moment I cannot change the password from a Solaris client.
Let me know If you need more details on the bits of the setup, I'll try to help.
