summaryrefslogtreecommitdiff
path: root/docs/htmldocs/ads.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/htmldocs/ads.html')
-rw-r--r--docs/htmldocs/ads.html423
1 files changed, 423 insertions, 0 deletions
diff --git a/docs/htmldocs/ads.html b/docs/htmldocs/ads.html
new file mode 100644
index 0000000000..fc6b78b32c
--- /dev/null
+++ b/docs/htmldocs/ads.html
@@ -0,0 +1,423 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Samba as a ADS domain member</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="UP"
+TITLE="Type of installation"
+HREF="p544.html"><LINK
+REL="PREVIOUS"
+TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain"
+HREF="samba-bdc.html"><LINK
+REL="NEXT"
+TITLE="Samba as a NT4 domain member"
+HREF="domain-security.html"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="samba-bdc.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="domain-security.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="ADS"
+></A
+>Chapter 8. Samba as a ADS domain member</H1
+><P
+>This is a VERY ROUGH guide to setting up the current (November 2001)
+pre-alpha version of Samba 3.0 with kerberos authentication against a
+Windows2000 KDC. The procedures listed here are likely to change as
+the code develops.</P
+><P
+>Pieces you need before you begin:
+<P
+></P
+><TABLE
+BORDER="0"
+><TBODY
+><TR
+><TD
+>a Windows 2000 server.</TD
+></TR
+><TR
+><TD
+>samba 3.0 or higher.</TD
+></TR
+><TR
+><TD
+>the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work.</TD
+></TR
+><TR
+><TD
+>the OpenLDAP development libraries.</TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></P
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1178"
+></A
+>8.1. Installing the required packages for Debian</H1
+><P
+>On Debian you need to install the following packages:
+<P
+></P
+><TABLE
+BORDER="0"
+><TBODY
+><TR
+><TD
+>libkrb5-dev</TD
+></TR
+><TR
+><TD
+>krb5-user</TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1184"
+></A
+>8.2. Installing the required packages for RedHat</H1
+><P
+>On RedHat this means you should have at least:
+<P
+></P
+><TABLE
+BORDER="0"
+><TBODY
+><TR
+><TD
+>krb5-workstation (for kinit)</TD
+></TR
+><TR
+><TD
+>krb5-libs (for linking with)</TD
+></TR
+><TR
+><TD
+>krb5-devel (because you are compiling from source)</TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></P
+><P
+>in addition to the standard development environment.</P
+><P
+>Note that these are not standard on a RedHat install, and you may need
+to get them off CD2.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1193"
+></A
+>8.3. Compile Samba</H1
+><P
+>If your kerberos libraries are in a non-standard location then
+ remember to add the configure option --with-krb5=DIR.</P
+><P
+>After you run configure make sure that include/config.h contains
+ lines like this:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>#define HAVE_KRB5 1
+#define HAVE_LDAP 1</PRE
+></P
+><P
+>If it doesn't then configure did not find your krb5 libraries or
+ your ldap libraries. Look in config.log to figure out why and fix
+ it.</P
+><P
+>Then compile and install Samba as usual. You must use at least the
+ following 3 options in smb.conf:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> realm = YOUR.KERBEROS.REALM
+ ads server = your.kerberos.server
+ security = ADS
+ encrypt passwords = yes</PRE
+></P
+><P
+>Strictly speaking, you can omit the realm name and you can use an IP
+ address for the ads server. In that case Samba will auto-detect these.</P
+><P
+>You do *not* need a smbpasswd file, although it won't do any harm
+ and if you have one then Samba will be able to fall back to normal
+ password security for older clients. I expect that the above
+ required options will change soon when we get better active
+ directory integration.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1205"
+></A
+>8.4. Setup your /etc/krb5.conf</H1
+><P
+>The minimal configuration for krb5.conf is:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> [realms]
+ YOUR.KERBEROS.REALM = {
+ kdc = your.kerberos.server
+ }</PRE
+></P
+><P
+>Test your config by doing a "kinit USERNAME@REALM" and making sure that
+ your password is accepted by the Win2000 KDC. </P
+><P
+>NOTE: The realm must be uppercase. </P
+><P
+>You also must ensure that you can do a reverse DNS lookup on the IP
+address of your KDC. Also, the name that this reverse lookup maps to
+must either be the netbios name of the KDC (ie. the hostname with no
+domain attached) or it can alternatively be the netbios name
+followed by the realm. </P
+><P
+>The easiest way to ensure you get this right is to add a /etc/hosts
+entry mapping the IP address of your KDC to its netbios name. If you
+don't get this right then you will get a "local error" when you try
+to join the realm.</P
+><P
+>If all you want is kerberos support in smbclient then you can skip
+straight to step 5 now. Step 3 is only needed if you want kerberos
+support in smbd.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1215"
+></A
+>8.5. Create the computer account</H1
+><P
+>Do a "kinit" as a user that has authority to change arbitrary
+passwords on the KDC ("Administrator" is a good choice). Then as a
+user that has write permission on the Samba private directory
+(usually root) run:
+<B
+CLASS="COMMAND"
+>net ads join</B
+></P
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN1219"
+></A
+>8.5.1. Possible errors</H2
+><P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>"bash: kinit: command not found"</DT
+><DD
+><P
+>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</P
+></DD
+><DT
+>"ADS support not compiled in"</DT
+><DD
+><P
+>Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</P
+></DD
+></DL
+></DIV
+></P
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1231"
+></A
+>8.6. Test your server setup</H1
+><P
+>On a Windows 2000 client try <B
+CLASS="COMMAND"
+>net use * \\server\share</B
+>. You should
+be logged in with kerberos without needing to know a password. If
+this fails then run <B
+CLASS="COMMAND"
+>klist tickets</B
+>. Did you get a ticket for the
+server? Does it have an encoding type of DES-CBC-MD5 ? </P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1236"
+></A
+>8.7. Testing with smbclient</H1
+><P
+>On your Samba server try to login to a Win2000 server or your Samba
+server using smbclient and kerberos. Use smbclient as usual, but
+specify the -k option to choose kerberos authentication.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1239"
+></A
+>8.8. Notes</H1
+><P
+>You must change administrator password at least once after DC install,
+ to create the right encoding types</P
+><P
+>w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
+ their defaults DNS setup. Maybe fixed in service packs?</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="samba-bdc.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="domain-security.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="p544.html"
+ACCESSKEY="U"
+>Up</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Samba as a NT4 domain member</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file