Samba/Active Directory Guide

Centralized authentication with Samba/Win AD
This might look a bit weird at 1st but when working on the migration from samba 3 with LDAP to samba 4 AD.

This seem to be the only choice we have as we have to remove the LDAP Server on the server that running Samba 4 AD.

Else you would have 2 server.

Windows Client using Samba 4 AD and Linux client using an LDAP Server from another which is no longer centralized and defeated the purpose.

Working method and choice
There are a few method.
 * 1) nslcd or nss_pam_ldapd
 * 2) sssd

nslcd or nss_pam_ldapd
If you are using 64 bit system, you will need to unmask it.

This package will provide what is currently provide by nss_ldap and also nss_pam thus the 2 package have to be removed.

Now we can start emerge nss_pam_ldapd

Configuration
There are at least 2 method to work on this solution, the result are same but the way of working it are different.

Pick one...

nss-pam-ldapd Setup

Samba Wiki:Local_user_management_and_authentication/nslcd

Method 1: Connecting to AD via LDAP Bind DN and password
This method will configure to make LDAP binding via an AD account. Communication with AD with this setup is unencrypted, unless your AD and nslcd had setup LDAP over SSL.

Please create a new user with username nslcdconnect and password secret in the AD Server.

You will need to do the following:
 * Enable - disable user change password on next logon
 * Disable - user change password
 * Enable - Password never expired.

Assuming that:


 * Samba AD is running locally and accessible via 127.0.0.1
 * LDAP Base DN is dc=headoffice,dc=location1,dc=company,dc=com

Method 2: Connecting to AD via Kerberos
This method are very similar with the 1st method specially in the configuration you will still need to change the configure to make LDAP connection to an AD Server with the help of Kerberos. But you don't need to specified a bind account and also the communication with AD with this setup is encrypted.

Please create a new user with username nslcdconnect and password secret in the AD Server.

You will need to do the following:
 * Enable - disable user change password on next logon
 * Disable - user change password
 * Enable - Password never expired.

Assuming that:


 * Samba is running locally and accessible via 127.0.0.1
 * LDAP Base DN is dc=headoffice,dc=location1,dc=company,dc=com
 * /etc/hosts and also /etc/conf.d/hostname have the same result with your Samba AD DNS (There will be problem if there are not the same of cannot resolve).
 * hostname = samba4-1.headoffice.company.com
 * AD = headoffice.company.com
 * REALM = HEADOFFICE.COMPANY.COM
 * DOMAINNAME ( NT Style ) COMPANY
 * Already have Kerberos install either mit-krb5 or heimdal.

Now we should export the keytab from AD server for user nslcdconnect. With this keytab we can connect via Kerberos without the need of key in the password for nslcdconnect if configure correctly.

The command below will kept nslcdconnect to the AD server via kerberos using keytab. You will need so the Kerberos ticket and key will be automatically renew when it expired or needed.

Now we can change our to suit Kerberos setup.

Editing /etc/init.d/nslcd to start k5start together
We need to make some change to start k5strt with nslcd so the kerberos ticket will work.

{{FileBox|filename=/etc/init.d/nslcd|title=Add the 2 k5start line below.|lang=bash|1=
 * 1) !/sbin/openrc-run
 * 2) Copyright 1999-2013 Gentoo Foundation
 * 3) Distributed under the terms of the GNU General Public License v2
 * 4) $Header: /var/cvsroot/gentoo-x86/sys-auth/nss-pam-ldapd/files/nslcd-init,v 1.2 2013/02/07 18:11:37 prometheanfire Exp $

extra_commands="checkconfig" cfg="/etc/nslcd.conf"

depend { need net use dns logger }

checkconfig { if [ ! -f "$cfg" ] ; then eerror "Please create $cfg" eerror "Example config: /usr/share/nss-ldapd/nslcd.conf" return 1 fi       return 0 } start { checkpath -q -d /var/run/nslcd -o nslcd:nslcd checkconfig {{!}}{{!}} return $?

ebegin "Starting nslcd" start-stop-daemon --start --pidfile /var/run/nslcd/nslcd.pid \ --exec /usr/sbin/nslcd start-stop-daemon --start --pidfile /var/run/nslcd/nslcd.k5start.pid \ --exec /usr/bin/k5start -- -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /var/run/nslcd/nslcd.tkt -p /var/run/nslcd/nslcd.k5start.pid eend $? "Failed to start nslcd" }

stop { ebegin "Stopping nslcd" start-stop-daemon --stop --pidfile /var/run/nslcd/nslcd.pid start-stop-daemon --stop --pidfile /var/run/nslcd/nslcd.k5start.pid eend $? "Failed to stop nslcd"

}}

nssswitch.conf connfiguration
You will need to edit your according to the following. This meant that nsswitch will use the new nss-pam-ldapd module.

Executing
We can now start nslcd daemon

to check if our Samba is working fine with our local host use these to verify:

You should see your Users or Groups which have unit UID or GID.

If you don't have it. check your again.

You can now add nslcd using rc-update