Diffstat (limited to 'docs/docbook/projdoc/ADS-HOWTO.sgml')
-rw-r--r-- | docs/docbook/projdoc/ADS-HOWTO.sgml | 29 |
1 files changed, 14 insertions, 15 deletions
diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index 887ecd74c2..3e34d53c0a 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -14,8 +14,7 @@ This is a rough guide to setting up Samba 3.0 with kerberos authentication again Windows2000 KDC. </para> -<para>Pieces you need before you begin:</para> -<para> +<para>Pieces you need before you begin: <simplelist> <member>a Windows 2000 server.</member> <member>samba 3.0 or higher.</member> @@ -27,8 +26,7 @@ Windows2000 KDC. <sect1> <title>Installing the required packages for Debian</title> -<para>On Debian you need to install the following packages:</para> -<para> +<para>On Debian you need to install the following packages: <simplelist> <member>libkrb5-dev</member> <member>krb5-user</member> @@ -39,8 +37,7 @@ Windows2000 KDC. <sect1> <title>Installing the required packages for RedHat</title> -<para>On RedHat this means you should have at least: </para> -<para> +<para>On RedHat this means you should have at least: <simplelist> <member>krb5-workstation (for kinit)</member> <member>krb5-libs (for linking with)</member> @@ -60,8 +57,7 @@ to get them off CD2.</para> <para>If your kerberos libraries are in a non-standard location then remember to add the configure option --with-krb5=DIR.</para> -<para>After you run configure make sure that include/config.h it - generates contains +<para>After you run configure make sure that include/config.h contains lines like this:</para> <para><programlisting> 
@@ -90,10 +86,9 @@ In case samba can't figure out your ads server using your realm name, use the </programlisting> </para> -<para>You do *not* need a smbpasswd file, and older clients will - be authenticated as if "security = domain", although it won't do any harm - and allows you to have local users not in the domain. - I expect that the above +<para>You do *not* need a smbpasswd file, although it won't do any harm + and if you have one then Samba will be able to fall back to normal + password security for older clients. I expect that the above required options will change soon when we get better active directory integration.</para> </sect1> @@ -104,7 +99,7 @@ In case samba can't figure out your ads server using your realm name, use the <para>The minimal configuration for krb5.conf is:</para> <para><programlisting> -[realms] + [realms] YOUR.KERBEROS.REALM = { kdc = your.kerberos.server } @@ -133,7 +128,7 @@ to join the realm. <para> If all you want is kerberos support in smbclient then you can skip straight to step 5 now. Step 3 is only needed if you want kerberos -support for smbd and winbindd. +support in smbd. </para> </sect1> @@ -142,7 +137,9 @@ support for smbd and winbindd. <title>Create the computer account</title> <para> -As a user that has write permission on the Samba private directory +Do a "kinit" as a user that has authority to change arbitrary +passwords on the KDC ("Administrator" is a good choice). Then as a +user that has write permission on the Samba private directory (usually root) run: <command>net ads join</command> </para> 
@@ -152,6 +149,8 @@ As a user that has write permission on the Samba private directory <para> <variablelist> +<varlistentry><term>"bash: kinit: command not found"</term> +<listitem><para>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</para></listitem></varlistentry> <varlistentry><term>"ADS support not compiled in"</term> <listitem><para>Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</para></listitem></varlistentry> </variablelist> |
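Review bot: In the @@ -90,10 +86,9 @@ hunk, the new sentence says that with an smbpasswd file Samba "will be able to fall back to normal password security for older clients", but it no longer says what happens to older clients when there is no smbpasswd file. The removed text covered that case (authenticated as if "security = domain"). Suggest keeping one sentence for the no-smbpasswd case and stating plainly that the fallback means those clients are not authenticated with Kerberos, so an administrator can decide whether to keep the file.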
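Review bot: In the @@ -104,7 +99,7 @@ hunk, "[realms]" gains leading whitespace inside a <programlisting>, where whitespace is rendered verbatim, so the section header will appear indented in the output and will be copied that way into krb5.conf. If the change is not intentional, revert it so the header lines up with the rest of the listing.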
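Review bot: In the @@ -142,7 +137,9 @@ hunk, the added text uses "user" for both the Kerberos principal ("Do a "kinit" as a user that has authority...") and the local Unix account ("Then as a user that has write permission ... (usually root)"), which reads as if kinit and net ads join could be run from two different accounts. Suggest wording it as one procedure: as the local account that can write to the Samba private directory, run kinit for a principal with the needed rights, then run net ads join in the same session. Also consider naming the specific right the join needs instead of "authority to change arbitrary passwords", since the current wording steers readers toward using Administrator for a routine join.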
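Review bot: In the @@ -152,6 +149,8 @@ hunk, the new "bash: kinit: command not found" entry tells the reader to log in again or open a new terminal but does not give the immediate workaround. Since the entry already names the directory, add that kinit can be run by its full path, /usr/kerberos/bin/kinit. The sentence is also missing its closing period before </para>.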