Diffstat (limited to 'docs/htmldocs/ads.html')
-rw-r--r-- docs/htmldocs/ads.html | 332
1 files changed, 162 insertions, 170 deletions
diff --git a/docs/htmldocs/ads.html b/docs/htmldocs/ads.html index 45236cda46..26ec1d04a7 100644 --- a/docs/htmldocs/ads.html +++ b/docs/htmldocs/ads.html @@ -5,7 +5,8 @@ >Samba as a ADS domain member</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ +"><LINK REL="HOME" TITLE="SAMBA Project Documentation" HREF="samba-howto-collection.html"><LINK @@ -13,10 +14,10 @@ REL="UP" TITLE="Type of installation" HREF="type.html"><LINK REL="PREVIOUS" -TITLE="Samba Backup Domain Controller to Samba Domain Control" +TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain" HREF="samba-bdc.html"><LINK REL="NEXT" -TITLE="Samba as a NT4 or Win2k domain member" +TITLE="Samba as a NT4 domain member" HREF="domain-security.html"></HEAD ><BODY CLASS="CHAPTER" 
@@ -72,25 +73,126 @@ WIDTH="100%"></DIV CLASS="CHAPTER" ><H1 ><A -NAME="ADS" -></A ->Chapter 8. Samba as a ADS domain member</H1 +NAME="ADS">Chapter 8. Samba as a ADS domain member</H1 ><P >This is a rough guide to setting up Samba 3.0 with kerberos authentication against a Windows2000 KDC. </P +><P +>Pieces you need before you begin: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>a Windows 2000 server.</TD +></TR +><TR +><TD +>samba 3.0 or higher.</TD +></TR +><TR +><TD +>the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work.</TD +></TR +><TR +><TD +>the OpenLDAP development libraries.</TD +></TR +></TBODY +></TABLE +><P +></P +></P ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1355" ->8.1. Setup your <TT -CLASS="FILENAME" ->smb.conf</TT -></A -></H1 +NAME="AEN1187">8.1. Installing the required packages for Debian</H1 +><P +>On Debian you need to install the following packages: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>libkrb5-dev</TD +></TR +><TR +><TD +>krb5-user</TD +></TR +></TBODY +></TABLE ><P ->You must use at least the following 3 options in smb.conf:</P +></P +></P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1193">8.2. Installing the required packages for RedHat</H1 +><P +>On RedHat this means you should have at least: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>krb5-workstation (for kinit)</TD +></TR +><TR +><TD +>krb5-libs (for linking with)</TD +></TR +><TR +><TD +>krb5-devel (because you are compiling from source)</TD +></TR +></TBODY +></TABLE +><P +></P +></P +><P +>in addition to the standard development environment.</P +><P +>Note that these are not standard on a RedHat install, and you may need +to get them off CD2.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1202">8.3. 
Compile Samba</H1 +><P +>If your kerberos libraries are in a non-standard location then + remember to add the configure option --with-krb5=DIR.</P +><P +>After you run configure make sure that include/config.h contains + lines like this:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>#define HAVE_KRB5 1 +#define HAVE_LDAP 1</PRE +></P +><P +>If it doesn't then configure did not find your krb5 libraries or + your ldap libraries. Look in config.log to figure out why and fix + it.</P +><P +>Then compile and install Samba as usual. You must use at least the + following 3 options in smb.conf:</P ><P ><PRE CLASS="PROGRAMLISTING" 
@@ -111,103 +213,34 @@ CLASS="FILENAME" CLASS="PROGRAMLISTING" > ads server = your.kerberos.server</PRE ></P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" ><P ->You do *not* need a smbpasswd file, and older clients will - be authenticated as if <B -CLASS="COMMAND" ->security = domain</B ->, - although it won't do any harm - and allows you to have local users not in the domain. - I expect that the above required options will change soon when we get better - active directory integration.</P -></TD -></TR -></TABLE -></DIV +>You do *not* need a smbpasswd file, although it won't do any harm + and if you have one then Samba will be able to fall back to normal + password security for older clients. I expect that the above + required options will change soon when we get better active + directory integration.</P ></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1368" ->8.2. Setup your <TT -CLASS="FILENAME" ->/etc/krb5.conf</TT -></A -></H1 +NAME="AEN1217">8.4. Setup your /etc/krb5.conf</H1 ><P ->The minimal configuration for <TT -CLASS="FILENAME" ->krb5.conf</TT -> is:</P +>The minimal configuration for krb5.conf is:</P ><P ><PRE CLASS="PROGRAMLISTING" ->[realms] +> [realms] YOUR.KERBEROS.REALM = { kdc = your.kerberos.server }</PRE ></P ><P ->Test your config by doing a <KBD -CLASS="USERINPUT" ->kinit <VAR -CLASS="REPLACEABLE" ->USERNAME</VAR ->@<VAR -CLASS="REPLACEABLE" ->REALM</VAR -></KBD -> and making sure that +>Test your config by doing a "kinit USERNAME@REALM" and making sure that your password is accepted by the Win2000 KDC. 
</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" ><P ->The realm must be uppercase. </P -></TD -></TR -></TABLE -></DIV +>NOTE: The realm must be uppercase. </P ><P >You also must ensure that you can do a reverse DNS lookup on the IP address of your KDC. Also, the name that this reverse lookup maps to 
@@ -215,65 +248,36 @@ must either be the netbios name of the KDC (ie. the hostname with no domain attached) or it can alternatively be the netbios name followed by the realm. </P ><P ->The easiest way to ensure you get this right is to add a -<TT -CLASS="FILENAME" ->/etc/hosts</TT -> entry mapping the IP address of your KDC to -its netbios name. If you don't get this right then you will get a -"local error" when you try to join the realm.</P -><P ->If all you want is kerberos support in <SPAN -CLASS="APPLICATION" ->smbclient</SPAN -> then you can skip -straight to <A -HREF="ads.html#ADS-TEST-SMBCLIENT" ->Test with <SPAN -CLASS="APPLICATION" ->smbclient</SPAN -></A -> now. -<A -HREF="ads.html#ADS-CREATE-MACHINE-ACCOUNT" ->Creating a computer account</A -> -and <A -HREF="ads.html#ADS-TEST-SERVER" ->testing your servers</A -> -is only needed if you want kerberos -support for <SPAN -CLASS="APPLICATION" ->smbd</SPAN -> and <SPAN -CLASS="APPLICATION" ->winbindd</SPAN ->.</P +>The easiest way to ensure you get this right is to add a /etc/hosts +entry mapping the IP address of your KDC to its netbios name. If you +don't get this right then you will get a "local error" when you try +to join the realm.</P +><P +>If all you want is kerberos support in smbclient then you can skip +straight to step 5 now. Step 3 is only needed if you want kerberos +support in smbd.</P ></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="ADS-CREATE-MACHINE-ACCOUNT" ->8.3. Create the computer account</A -></H1 +NAME="AEN1227">8.5. Create the computer account</H1 ><P ->As a user that has write permission on the Samba private directory +>Do a "kinit" as a user that has authority to change arbitrary +passwords on the KDC ("Administrator" is a good choice). 
Then as a +user that has write permission on the Samba private directory (usually root) run: -<KBD -CLASS="USERINPUT" ->net ads join</KBD +<B +CLASS="COMMAND" +>net ads join</B ></P ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN1396" ->8.3.1. Possible errors</A -></H2 +NAME="AEN1231">8.5.1. Possible errors</H2 ><P ><P ></P @@ -281,6 +285,12 @@ NAME="AEN1396" CLASS="VARIABLELIST" ><DL ><DT +>"bash: kinit: command not found"</DT +><DD +><P +>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</P +></DD +><DT >"ADS support not compiled in"</DT ><DD ><P @@ -296,18 +306,16 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="ADS-TEST-SERVER" ->8.4. Test your server setup</A -></H1 +NAME="AEN1243">8.6. Test your server setup</H1 ><P ->On a Windows 2000 client try <KBD -CLASS="USERINPUT" ->net use * \\server\share</KBD +>On a Windows 2000 client try <B +CLASS="COMMAND" +>net use * \\server\share</B >. You should be logged in with kerberos without needing to know a password. If -this fails then run <KBD -CLASS="USERINPUT" ->klist tickets</KBD +this fails then run <B +CLASS="COMMAND" +>klist tickets</B >. Did you get a ticket for the server? Does it have an encoding type of DES-CBC-MD5 ? </P ></DIV 
@@ -316,37 +324,21 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="ADS-TEST-SMBCLIENT" ->8.5. Testing with <SPAN -CLASS="APPLICATION" ->smbclient</SPAN -></A -></H1 +NAME="AEN1248">8.7. Testing with smbclient</H1 ><P >On your Samba server try to login to a Win2000 server or your Samba -server using <SPAN -CLASS="APPLICATION" ->smbclient</SPAN -> and kerberos. Use <SPAN -CLASS="APPLICATION" ->smbclient</SPAN -> as usual, but -specify the <VAR -CLASS="PARAMETER" ->-k</VAR -> option to choose kerberos authentication.</P +server using smbclient and kerberos. Use smbclient as usual, but +specify the -k option to choose kerberos authentication.</P ></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1416" ->8.6. Notes</A -></H1 +NAME="AEN1251">8.8. Notes</H1 ><P ->You must change administrator password at least once after DC -install, to create the right encoding types</P +>You must change administrator password at least once after DC install, + to create the right encoding types</P ><P >w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in their defaults DNS setup. Maybe fixed in service packs?</P @@ -396,7 +388,7 @@ ACCESSKEY="N" WIDTH="33%" ALIGN="left" VALIGN="top" ->Samba Backup Domain Controller to Samba Domain Control</TD +>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD ><TD WIDTH="34%" ALIGN="center" @@ -410,7 +402,7 @@ ACCESSKEY="U" WIDTH="33%" ALIGN="right" VALIGN="top" ->Samba as a NT4 or Win2k domain member</TD +>Samba as a NT4 domain member</TD ></TR ></TABLE ></DIV |
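Review bot: In the hunk at @@ -5,7 +5,8 @@, the regenerated GENERATOR META now carries a literal newline inside the attribute value (`CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+` followed by `"><LINK`), so the version string ends in "\n" in every page built with this stylesheet; trim the trailing newline in the stylesheet's version variable rather than committing it. While the DocBook source is open, the unchanged TITLE "Samba as a ADS domain member" should read "an ADS domain member" (the same wording is repeated in the chapter H1).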
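Review bot: In the hunk at @@ -13,10 +14,10 @@, the NEXT link TITLE narrows from "Samba as a NT4 or Win2k domain member" to "Samba as a NT4 domain member" while still pointing at domain-security.html. If that chapter still covers Win2k membership, this is a regression in the navigation text (the same string is changed again in the footer hunk at @@ -410,7 +402,7 @@); confirm the retitle is intentional in the DocBook source.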
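Review bot: In the hunk at @@ -72,25 +73,126 @@, the new stylesheet output leaves every heading anchor unclosed: `<A NAME="ADS">Chapter 8. ...</H1` and `<A NAME="AEN1187">8.1. ...</H1` drop the `</A>` that the old output emitted, so the A element now runs past the end of the H1. The "Pieces you need" and package lists are also emitted as `<P>...<P></P><TABLE>...</TABLE><P></P></P>`, i.e. block elements nested inside a paragraph with a second `</P>` at the end; browsers auto-close the outer P before the TABLE and treat the trailing `</P>` as strays. Both are artifacts of the 1.76b+ stylesheet, so fix them there (or in the SimpleList rendering) instead of hand-editing the generated HTML, otherwise the next regeneration reintroduces them.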
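Review bot: In the hunk at @@ -111,103 +213,34 @@, the rewritten smbpasswd paragraph loses a security-relevant statement: the removed note said that older (non-Kerberos) clients "will be authenticated as if security = domain", whereas the new text only says that if an smbpasswd file exists "Samba will be able to fall back to normal password security". It no longer states how non-Kerberos clients are authenticated when there is no smbpasswd file, which is exactly what an administrator needs to know before deciding whether to keep a local password file on an ADS member. Suggest keeping the explicit "as if security = domain" behaviour and then adding the smbpasswd fallback as the second case. Two smaller points in the same hunk: the krb5.conf sample now starts with `> [realms]` (a leading space before `[realms]` while the following lines keep their old indentation), which readers will copy verbatim; and `kinit USERNAME@REALM` has lost its USERINPUT/REPLACEABLE markup and is now a bare quoted string, so the placeholders are no longer distinguishable from literal text.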
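Review bot: In the hunk at @@ -215,65 +248,36 @@, the three cross-references to `#ADS-TEST-SMBCLIENT`, `#ADS-CREATE-MACHINE-ACCOUNT` and `#ADS-TEST-SERVER` are replaced by "skip straight to step 5 now. Step 3 is only needed if you want kerberos support in smbd", but nothing in this file is numbered as steps: the sections run 8.4 to 8.8, creating the computer account is 8.5 and the smbclient test is 8.7, so "step 5" and "step 3" point nowhere. Restore the `<A HREF=...>` links (the old text also covered winbindd, which the new text drops). Related, the stable anchor `NAME="ADS-CREATE-MACHINE-ACCOUNT"` becomes the auto-generated `NAME="AEN1227"`, which changes on every regeneration and breaks any external link to ads.html#ADS-CREATE-MACHINE-ACCOUNT. On the added instruction to `kinit` as "Administrator": the text says the account needs "authority to change arbitrary passwords on the KDC"; it would be better to name the specific right that `net ads join` needs for the machine account so a dedicated, least-privilege account can be used instead of the domain administrator.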
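Review bot: In the hunk at @@ -281,6 +285,12 @@, the new "bash: kinit: command not found" entry only covers RedHat (`krb5-workstation`, `/usr/kerberos/bin`), although section 8.1 in this same page tells Debian users to install `krb5-user`; add the Debian package name here too, and say explicitly that the alternative to logging in again is adding `/usr/kerberos/bin` to PATH, since that is what the reader actually has to do.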
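Review bot: In the hunk at @@ -296,18 +306,16 @@, `net use * \\server\share` and `klist tickets` are switched from `<KBD CLASS="USERINPUT">` to `<B CLASS="COMMAND">`; both are command lines the reader types on the Windows client, so the userinput markup was the accurate one and this looks like a loss in the DocBook source rather than a deliberate change. The anchor `NAME="ADS-TEST-SERVER"` becomes `NAME="AEN1243"` here as well, with the same external-link breakage noted above. In the unchanged context, "encoding type of DES-CBC-MD5" should be "encryption type" (the Kerberos enctype), which is what `klist` reports.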
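Review bot: In the hunk at @@ -316,37 +324,21 @@, `NAME="ADS-TEST-SMBCLIENT"` is replaced by `NAME="AEN1248"`; this is the target of the "Test with smbclient" link removed in the earlier hunk, so both sides of that cross-reference are now gone. Keep the named id in the DocBook source so the link can be restored. The `-k` option also loses its `<VAR CLASS="PARAMETER">` markup, and the change to the "You must change administrator password" paragraph in the Notes section is whitespace only (leading spaces inside `<P>`), which adds diff noise without changing the rendered text.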