Microsoft Windows Services

Warning: the information on this page is incomplete. For example, it does not contain information on how to configure a Samba server as a Windows NT Domain Controller.

Why

All things being equal, I would rather not use non-standard Microsoft Windows protocols. However, all things are not equal. There are Windows machines on our network that use WINS and/or NetBIOS for name resolution, CIFS and/or SMB for file sharing, MSCHAPv2 for Windows authentication and PEAP+MSCHAPv2 for WiFi authentication. Therefore, the server needed to support some Microsoft Windows Services.

What

For GNU/Linux in general and CentOS in particular, the SMB/CIFS implementation of choice is Samba. In addition, Samba can act as a WINS server and a Windows NT domain controller. Therefore, that is what I chose.

Authentication

Because I centralize account management using LDAP, my LDAP server needed to contain Windows authentication information. This meant that there needed to be (1) an LDAP schema definition for the Windows client authentication information, (2) a method to connect Samba to LDAP and (3) a method to populate the LDAP Windows client authentication information. Because Windows relies on an encrypted password rather than a plain text password, the LDAP server needed to contain the encrypted password for Windows client authentication.

For the LDAP schema definition, the Samba package contains the needed OpenLDAP schema file (named 'samba.schema'). In the Samba source tarball, the 'samba.schema' file is found in samba-<version>/examples/LDAP/samba.schema. On CentOS 5.5, the 'samba.schema' file is found in the 'samba' RPM and is installed in the directory '/usr/share/doc/samba-<version>/LDAP/'. Once I copied the 'samba.schema' file to the file '/etc/openldap/schema/samba.schema' and restarted my LDAP server, the Windows authentication information fields were available in LDAP.

For connecting Samba to LDAP, the Samba configuration file contains the needed parameters. Feel free to look at my tailored Samba configuration file (/etc/samba/smb.conf). The section on "Password backend using LDAP" contains the parameters that are relevant for the authentication of Windows users and machines.

For populating the Windows client authentication information, I used the smbpasswd utility that is included in the Samba source tarball as well as the CentOS 5.5 'samba-common' RPM.

However, if all you need are the encrypted passwords for MSCHAPv2 authentication so that Windows clients can authenticate with services such as RADIUS or HTTP Proxy Server, then you can generate the encrypted passwords using Perl's Crypt::SmbHash (available in the CentOS 5.5 RPM perl-Crypt-SmbHash) or similar software and populate the LDAP fields using your preferred LDAP management software (I use phpLDAPadmin).