Linux Small Business Server - Samba with LDAP and Kerberos (part 3)

Written by Jiri Kanicky

In this article we configure Samba to work with LDAP and Kerberos. This gives Windows clients access to storage over the SMB protocol.

Prerequisites

LDAP and Kerberos on Debian Wheezy

Install Required Packages

Install the Samba server on the same LDAP/Kerberos server we created in the previous article.

# apt-get install samba

Kerberos Configuration

Create a principal for Samba

kadmin:  addprinc -randkey cifs/srv-file1.firma.local
WARNING: no policy specified for cifs/srv-file1.firma.local@<REALM>; defaulting to no policy
Principal "cifs/srv-file1.firma.local@<REALM>" created.
kadmin:

Export it to the keytab

kadmin:  ktadd cifs/srv-file1.firma.local

Test the keytab

klist -k

Samba Configuration

The following smb.conf configuration should work:

[global]
        workgroup = domain
        server string = %h server (Samba %v)
        netbios name = srv
        dns proxy = no
        map to guest = Bad User

        security = ADS
        realm = DOMAIN.TLD
        kerberos method = dedicated keytab
;       kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab

        encrypt passwords = yes
        usershare allow guests = no

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
;   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d

#======================= Share Definitions =======================

[public]
   comment = "Public share for everyone"
   path = /data/public
   browsable = yes
   guest ok = yes
   read only = no
   create mask = 0755


[private]
   comment = data storage
   path = /data/private
   browseable = yes
   read only = no
   inherit permissions = yes
   guest ok = no
   printable = no

Note: Restart the Samba service after editing the config.
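In the configuration above, [public] combines guest ok = yes with read only = no, so Samba accepts writes to that share from guests who never authenticated via Kerberos. The check below is an added example, not part of the original article: it scans an smb.conf for such shares and for kerberos method = dedicated keytab without a keytab file. The function names audit_smb_conf and sample_conf and the cut-down sample config are constructed for illustration.

```shell
# Added example, not from the article: audit smb.conf for guest-writable shares
# and an incomplete dedicated-keytab setup. Reads the file argument, or stdin.
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function on(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function report() {   # runs when a section ends
        if (sec != "" && sec != "global" && on(guest) && !on(ro))
            print "WARN [" sec "] guest ok = yes, read only = no: writable without authentication"
    }
    BEGIN { gguest = "no"; gro = "yes" }          # Samba defaults
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments, blank lines
    /^[ \t]*\[/ {
        report()
        sec = tolower(trim($0)); gsub(/^\[|\].*$/, "", sec)
        guest = gguest; ro = gro; next            # shares inherit [global] values
    }
    {
        i = index($0, "="); if (i == 0) next
        key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)  # spaces in names are ignored
        val = trim(substr($0, i + 1))
        if (key == "guestok" || key == "public") guest = val
        else if (key == "readonly") ro = val
        else if (key ~ /^(writable|writeable|writeok)$/) ro = (on(val) ? "no" : "yes")
        if (sec != "global") next
        gguest = guest; gro = ro
        if (key == "kerberosmethod") kmethod = tolower(val)
        if (key == "dedicatedkeytabfile") keytab = val
    }
    END {
        report()
        if (kmethod == "dedicated keytab" && keytab == "")
            print "WARN [global] kerberos method = dedicated keytab without dedicated keytab file"
    }' "$@"
}
sample_conf() {   # constructed sample, cut down from the article smb.conf
    cat <<'EOF'
[global]
        kerberos method = dedicated keytab
        dedicated keytab file = /etc/krb5.keytab
[public]
   guest ok = yes
   read only = no
[private]
   read only = no
   guest ok = no
EOF
}
sample_conf | audit_smb_conf
```

On the server, run it against the live file with audit_smb_conf /etc/samba/smb.conf; no output means neither condition was found.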

Test Samba

On a Linux machine: log in to the server as an LDAP/Kerberos user and run the following commands:

# testparm -s
# smbtree
# smbclient -k -d 3 \\\\srv.domain.tld\\cifs_share


On a Windows machine: search the network for computers, open the server, and map a drive as a specific LDAP/Kerberos user.