Diffstat (limited to 'docs/htmldocs/ads.html')
-rw-r--r--  docs/htmldocs/ads.html | 423
1 files changed, 423 insertions, 0 deletions
diff --git a/docs/htmldocs/ads.html b/docs/htmldocs/ads.html new file mode 100644 index 0000000000..fc6b78b32c --- /dev/null +++ b/docs/htmldocs/ads.html 
@@ -0,0 +1,423 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Samba as a ADS domain member</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Type of installation" +HREF="p544.html"><LINK +REL="PREVIOUS" +TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain" +HREF="samba-bdc.html"><LINK +REL="NEXT" +TITLE="Samba as a NT4 domain member" +HREF="domain-security.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="samba-bdc.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="domain-security.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="ADS" +></A +>Chapter 8. Samba as a ADS domain member</H1 +><P +>This is a VERY ROUGH guide to setting up the current (November 2001) +pre-alpha version of Samba 3.0 with kerberos authentication against a +Windows2000 KDC. The procedures listed here are likely to change as +the code develops.</P +><P +>Pieces you need before you begin: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>a Windows 2000 server.</TD +></TR +><TR +><TD +>samba 3.0 or higher.</TD +></TR +><TR +><TD +>the MIT kerberos development libraries (either install from the above sources or use a package). 
The heimdal libraries will not work.</TD +></TR +><TR +><TD +>the OpenLDAP development libraries.</TD +></TR +></TBODY +></TABLE +><P +></P +></P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1178" +></A +>8.1. Installing the required packages for Debian</H1 +><P +>On Debian you need to install the following packages: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>libkrb5-dev</TD +></TR +><TR +><TD +>krb5-user</TD +></TR +></TBODY +></TABLE +><P +></P +></P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1184" +></A +>8.2. Installing the required packages for RedHat</H1 +><P +>On RedHat this means you should have at least: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>krb5-workstation (for kinit)</TD +></TR +><TR +><TD +>krb5-libs (for linking with)</TD +></TR +><TR +><TD +>krb5-devel (because you are compiling from source)</TD +></TR +></TBODY +></TABLE +><P +></P +></P +><P +>in addition to the standard development environment.</P +><P +>Note that these are not standard on a RedHat install, and you may need +to get them off CD2.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1193" +></A +>8.3. Compile Samba</H1 +><P +>If your kerberos libraries are in a non-standard location then + remember to add the configure option --with-krb5=DIR.</P +><P +>After you run configure make sure that include/config.h contains + lines like this:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>#define HAVE_KRB5 1 +#define HAVE_LDAP 1</PRE +></P +><P +>If it doesn't then configure did not find your krb5 libraries or + your ldap libraries. Look in config.log to figure out why and fix + it.</P +><P +>Then compile and install Samba as usual. 
You must use at least the + following 3 options in smb.conf:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> realm = YOUR.KERBEROS.REALM + ads server = your.kerberos.server + security = ADS + encrypt passwords = yes</PRE +></P +><P +>Strictly speaking, you can omit the realm name and you can use an IP + address for the ads server. In that case Samba will auto-detect these.</P +><P +>You do *not* need a smbpasswd file, although it won't do any harm + and if you have one then Samba will be able to fall back to normal + password security for older clients. I expect that the above + required options will change soon when we get better active + directory integration.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1205" +></A +>8.4. Setup your /etc/krb5.conf</H1 +><P +>The minimal configuration for krb5.conf is:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> [realms] + YOUR.KERBEROS.REALM = { + kdc = your.kerberos.server + }</PRE +></P +><P +>Test your config by doing a "kinit USERNAME@REALM" and making sure that + your password is accepted by the Win2000 KDC. </P +><P +>NOTE: The realm must be uppercase. </P +><P +>You also must ensure that you can do a reverse DNS lookup on the IP +address of your KDC. Also, the name that this reverse lookup maps to +must either be the netbios name of the KDC (ie. the hostname with no +domain attached) or it can alternatively be the netbios name +followed by the realm. </P +><P +>The easiest way to ensure you get this right is to add a /etc/hosts +entry mapping the IP address of your KDC to its netbios name. If you +don't get this right then you will get a "local error" when you try +to join the realm.</P +><P +>If all you want is kerberos support in smbclient then you can skip +straight to step 5 now. Step 3 is only needed if you want kerberos +support in smbd.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1215" +></A +>8.5. 
Create the computer account</H1 +><P +>Do a "kinit" as a user that has authority to change arbitrary +passwords on the KDC ("Administrator" is a good choice). Then as a +user that has write permission on the Samba private directory +(usually root) run: +<B +CLASS="COMMAND" +>net ads join</B +></P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1219" +></A +>8.5.1. Possible errors</H2 +><P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>"bash: kinit: command not found"</DT +><DD +><P +>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</P +></DD +><DT +>"ADS support not compiled in"</DT +><DD +><P +>Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</P +></DD +></DL +></DIV +></P +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1231" +></A +>8.6. Test your server setup</H1 +><P +>On a Windows 2000 client try <B +CLASS="COMMAND" +>net use * \\server\share</B +>. You should +be logged in with kerberos without needing to know a password. If +this fails then run <B +CLASS="COMMAND" +>klist tickets</B +>. Did you get a ticket for the +server? Does it have an encoding type of DES-CBC-MD5 ? </P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1236" +></A +>8.7. Testing with smbclient</H1 +><P +>On your Samba server try to login to a Win2000 server or your Samba +server using smbclient and kerberos. Use smbclient as usual, but +specify the -k option to choose kerberos authentication.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1239" +></A +>8.8. Notes</H1 +><P +>You must change administrator password at least once after DC install, + to create the right encoding types</P +><P +>w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in + their defaults DNS setup. 
Maybe fixed in service packs?</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="samba-bdc.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="domain-security.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="p544.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Samba as a NT4 domain member</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file |
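Review bot: the cross-references in section 8.4 ("you can skip straight to step 5 now. Step 3 is only needed if you want kerberos support in smbd") do not match the numbering used by the chapter's own headings (8.1 through 8.8), so a reader cannot tell which section "step 5" or "step 3" refers to; suggest replacing them with the section titles, e.g. "skip straight to Testing with smbclient" and "Create the computer account / Compile Samba is only needed if you want kerberos support in smbd", whichever the author intends. Two smaller points in the same hunk: section 8.3 says "You must use at least the following 3 options in smb.conf" but the listing that follows has four lines (realm, ads server, security, encrypt passwords), so either the count or the listing should be corrected; and the chapter title and NEXT/PREVIOUS link text read "Samba as a ADS domain member", which should be "Samba as an ADS domain member".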