In this article we configure Samba to work with LDAP and Kerberos, which gives Windows clients storage access over the SMB protocol.
Prerequisites
LDAP and Kerberos on Debian Wheezy
Install Required Packages
Install the Samba server on the same LDAP/Kerberos server we set up in the previous article.
# apt-get install samba
Kerberos Configuration
Create principal for Samba
kadmin: addprinc -randkey cifs/srv-file1.firma.local
WARNING: no policy specified for cifs/srv-file1.firma.local@<REALM>; defaulting to no policy
Principal "cifs/srv-file1.firma.local@<REALM>" created.
kadmin:
Export it to keytab
kadmin: ktadd cifs/srv-file1.firma.local
Test keytab
# klist -k
Samba Configuration
The following smb.conf configuration should work:
[global]
   workgroup = domain
   server string = %h server (Samba %v)
   netbios name = srv
   dns proxy = no
   map to guest = Bad User
   security = ADS
   realm = DOMAIN.TLD
   kerberos method = dedicated keytab
;  kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab
   encrypt passwords = yes
   usershare allow guests = no

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
;  syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d

#======================= Share Definitions =======================

[public]
   comment = "Public share for everyone"
   path = /data/public
   browsable = yes
   guest ok = yes
   read only = no
   create mask = 0755

[private]
   comment = data storage
   path = /data/private
   browseable = yes
   read only = no
   inherit permissions = yes
   guest ok = no
   printable = no
Note: restart the Samba service after editing the config.
Test Samba
On a Linux machine: log in to the server as an LDAP/Kerberos user and run the following commands:
# testparm -s
# smbtree
# smbclient -k -d 3 \\\\srv.domain.tld\\cifs_share
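An added check, not part of the original article: the script below reads smb.conf and `klist -k` output (both passed in as text; the realm FIRMA.LOCAL and the keytab rows are constructed samples) and confirms that the keytab Samba is told to read holds cifs/<fqdn> in exactly the realm smb.conf declares, a mismatch that otherwise shows up only as failed Kerberos logons to the share.

```shell
# Added example, not from the article: check that the keytab named in smb.conf
# really holds cifs/<fqdn> in the smb.conf realm. Inputs are passed as text so
# it runs on constructed samples; on the live server use the real files (bottom).

# Read one "key = value" from smb.conf text ('#'/';' comment lines never match).
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        head -n1 | sed 's/[[:space:]]*$//'
}

# check_cifs_keytab <smb.conf text> <klist -k output> <server fqdn>
# Returns 0 when cifs/<fqdn>@<REALM> is present, 1 with the reason on stderr.
check_cifs_keytab() {
    smbconf=$1; klist_out=$2; fqdn=$3
    realm=$(conf_value "$smbconf" 'realm')
    keytab=$(conf_value "$smbconf" 'dedicated keytab file')
    method=$(conf_value "$smbconf" 'kerberos method')
    case "$method" in
        'dedicated keytab'|'secrets and keytab') ;;
        *) echo "kerberos method is '$method'; Samba will not read a keytab" >&2; return 1 ;;
    esac
    [ -n "$realm" ]  || { echo "realm not set in smb.conf" >&2; return 1; }
    [ -n "$keytab" ] || { echo "dedicated keytab file not set" >&2; return 1; }
    # klist -k prints "KVNO Principal" rows; the realm must match exactly, not just the host.
    if printf '%s\n' "$klist_out" | grep -q "[[:space:]]cifs/$fqdn@$realm\$"; then
        echo "ok: $keytab holds cifs/$fqdn@$realm"
        return 0
    fi
    echo "missing: cifs/$fqdn@$realm not in $keytab; Kerberos logons to SMB will fail" >&2
    return 1
}

# Constructed samples; the realm FIRMA.LOCAL is made up for this example.
SAMPLE_SMBCONF='[global]
   security = ADS
   realm = FIRMA.LOCAL
   kerberos method = dedicated keytab
   dedicated keytab file = /etc/krb5.keytab'
SAMPLE_KLIST_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 cifs/srv-file1.firma.local@FIRMA.LOCAL'
SAMPLE_KLIST_WRONG_REALM='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 cifs/srv-file1.firma.local@DOMAIN.TLD'

check_cifs_keytab "$SAMPLE_SMBCONF" "$SAMPLE_KLIST_OK" srv-file1.firma.local
# Live: check_cifs_keytab "$(cat /etc/samba/smb.conf)" "$(klist -k /etc/krb5.keytab)" "$(hostname -f)"
```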
On a Windows machine: search the network for computers, open the server and map a drive as a specific LDAP/Kerberos user.