How to integrate Authentication Services and Samba?
NOTE: This is a suggested guide only. For direct or specific assistance setting up and configuring Samba please contact Samba or OS vendor support or Professional Services at this URL.
https://support.oneidentity.com/professional-services-product-select
NOTE: This configuration should allow Authentication Services and Samba to exist independently on the same host. This configuration is designed so they can use the same Active Directory computer object instead of having to have multiple objects. Depending on environment of needs that might be required.
Minimum version 3.3.16 for Samba is recommended.
Join Samba to Active Directory (AD) per instructions for your local distribution. If you run into issue contact your Samba distribution for support.
NOTE: If Authentication Services is already joined it should first be unjoined prior to this implementation.
NOTE: Not all steps for setting Samba up are necessary and should be reviewed thoroughly for your needs.
NOTE: Samba MUST be configured and working with Activity Directory before configuring Authentication Services to work with the preexisting Active Directory object created by Samba. One Identity support does not provide support for Samba configuration.
The MIT kerberos krb5.conf option "inludedir" is currently not supported by Heimdal that is shipped with Authentication Services. This will need to be commented out or a separate vas.conf used instead of the symlink.
NOTE: Authentication Services should be installed but not joined at this stage.
Step 1: Symlink krb5.keytab to host.keytab. In some instances the krb5 files could be /etc/krb5/krb5.conf or /etc/krb5/host.keytab
$ ln -s /etc/krb5.keytab /etc/opt/quest/vas/host.keytab
Step 2: Symlink krb5.conf to vas.conf
$ ln -s /etc/krb5.conf /etc/opt/quest/vas/vas.conf
Step 3: Join Authentication Services to Active Directory using the preexisting host object (Created from the samba join command).
$ /opt/quest/bin/vastool -u host/ join -f <REALM>
NOTE: <REALM> should be the same value as what was set for default_realm in the krb5.conf when configuring Samba.
Step 4: Syncing password
At this point the samba join is broken because the vastool join changed the AD host objects password. The AD password will need to be resynced with the Samba backend secrets database.
NOTE: If not running as root and sudo is required, be sure to run the net changesecretpw with sudo as well.
$ sudo /opt/quest/bin/vastool -q -u host/ passwd -r -o | sudo net -f -i changesecretpw
Validate that the samba ads join is still valid
$ net ads testjoin
Validate that the Authentication Services join is still valid
$ /opt/quest/bin/vastool status
Step 5: Ensuring Password Sync is retained
Active Directory expects computer objects to initiate a password change, by default, every 30 days. Both Samba and Authentication Services will attempt to do this.
A simple example of the password change script can be created by running the following:
Step 6: The last thing that needs to be done is to disable Samba from changing the computer objects password and be done by editing smb.conf and setting:
NOTE: To validate that the password change script will work, a manual password change can be executed
$ net ads testjoin
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center