-
Title
Example method to integrate Samba and Authentication Services -
Description
How to integrate Authentication Services and Samba?
NOTE: This is a suggested guide only. For direct or specific assistance setting up and configuring Samba please contact Samba or OS vendor support or Professional Services at this URL.
https://support.oneidentity.com/professional-services-product-select
-
Resolution
RESOLUTION:NOTE: This configuration should allow Authentication Services and Samba to exist independently on the same host. This configuration is designed so they can use the same Active Directory computer object instead of having to have multiple objects. Depending on environment of needs that might be required.
Pre-Requisite configuration.
Minimum version 3.3.16 for Samba is recommended.
Join Samba to Active Directory (AD) per instructions for your local distribution. If you run into issue contact your Samba distribution for support.
NOTE: If Authentication Services is already joined it should first be unjoined prior to this implementation.
A walk through tutorial can be found here:NOTE: Not all steps for setting Samba up are necessary and should be reviewed thoroughly for your needs.
NOTE: Samba MUST be configured and working with Activity Directory before configuring Authentication Services to work with the preexisting Active Directory object created by Samba. One Identity support does not provide support for Samba configuration.
The MIT kerberos krb5.conf option "inludedir" is currently not supported by Heimdal that is shipped with Authentication Services. This will need to be commented out or a separate vas.conf used instead of the symlink.
Configure Authentication Services
NOTE: Authentication Services should be installed but not joined at this stage.
Step 1: Symlink krb5.keytab to host.keytab. In some instances the krb5 files could be /etc/krb5/krb5.conf or /etc/krb5/host.keytab
$ ln -s /etc/krb5.keytab /etc/opt/quest/vas/host.keytab
Step 2: Symlink krb5.conf to vas.conf
$ ln -s /etc/krb5.conf /etc/opt/quest/vas/vas.conf
Step 3: Join Authentication Services to Active Directory using the preexisting host object (Created from the samba join command).
$ /opt/quest/bin/vastool -u host/ join -f <REALM>
NOTE: <REALM> should be the same value as what was set for default_realm in the krb5.conf when configuring Samba.
Step 4: Syncing password
At this point the samba join is broken because the vastool join changed the AD host objects password. The AD password will need to be resynced with the Samba backend secrets database.
NOTE: If not running as root and sudo is required, be sure to run the net changesecretpw with sudo as well.
$ sudo /opt/quest/bin/vastool -q -u host/ passwd -r -o | sudo net -f -i changesecretpw
Validate that the samba ads join is still valid
$ net ads testjoin
Validate that the Authentication Services join is still valid
$ /opt/quest/bin/vastool status
Step 5: Ensuring Password Sync is retained
Active Directory expects computer objects to initiate a password change, by default, every 30 days. Both Samba and Authentication Services will attempt to do this.
One possible solution to keep both Samba and Authentication Services in sync when its computer object password change occurs can be implemented by running a password change script that will keep the two in sync.The easiest way to accomplish this is to pass the new computer object's password to the Samba net binary as a parameter to the changesecretpw option. (see: man page for net section for changesecretpw)Authentication Services makes this possible by setting the vas.conf option password-change-script which can be done by running:$ /opt/quest/bin/vastool configure vas vasd password-change-script /etc/opt/quest/vas/password-change-script.shThis options tells vasd to run this script each time its computer object's password is changed. (see: man page for vas.conf section for password-change-script)A simple example of the password change script can be created by running the following:
$ printf '#!/bin/sh\nnet -f -i changesecretpw\n' > /etc/opt/quest/vas/password-change-script.sh$ chmod +x /etc/opt/quest/vas/password-change-script.shStep 6: The last thing that needs to be done is to disable Samba from changing the computer objects password and be done by editing smb.conf and setting:
[global]machine password timeout = 0see: man page for smb.conf section for machine password timeoutsmbd should be told to reload the configuration after the smb.conf changesNOTE: To validate that the password change script will work, a manual password change can be executed
$ /opt/quest/bin/vastool -u host/ passwd -r$ net ads testjoin
If the net ads testjoin command does not return "OK" the password change script may not be working as expected.