Diffstat (limited to 'docs/htmldocs/ads.html')
-rw-r--r-- | docs/htmldocs/ads.html | 86 |
1 files changed, 35 insertions, 51 deletions
diff --git a/docs/htmldocs/ads.html b/docs/htmldocs/ads.html index ef019915d8..26ec1d04a7 100644 --- a/docs/htmldocs/ads.html +++ b/docs/htmldocs/ads.html @@ -5,7 +5,8 @@ >Samba as a ADS domain member</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ +"><LINK REL="HOME" TITLE="SAMBA Project Documentation" HREF="samba-howto-collection.html"><LINK @@ -16,7 +17,7 @@ REL="PREVIOUS" TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain" HREF="samba-bdc.html"><LINK REL="NEXT" -TITLE="Samba as a NT4 or Win2k domain member" +TITLE="Samba as a NT4 domain member" HREF="domain-security.html"></HEAD ><BODY CLASS="CHAPTER" @@ -72,16 +73,13 @@ WIDTH="100%"></DIV CLASS="CHAPTER" ><H1 ><A -NAME="ADS" -></A ->Chapter 8. Samba as a ADS domain member</H1 +NAME="ADS">Chapter 8. Samba as a ADS domain member</H1 ><P >This is a rough guide to setting up Samba 3.0 with kerberos authentication against a Windows2000 KDC. </P ><P ->Pieces you need before you begin:</P -><P -><P +>Pieces you need before you begin: +<P ></P ><TABLE BORDER="0" @@ -112,13 +110,10 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1343" ->8.1. Installing the required packages for Debian</A -></H1 -><P ->On Debian you need to install the following packages:</P -><P +NAME="AEN1187">8.1. Installing the required packages for Debian</H1 ><P +>On Debian you need to install the following packages: +<P ></P ><TABLE BORDER="0" @@ -142,13 +137,10 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1350" ->8.2. Installing the required packages for RedHat</A -></H1 -><P ->On RedHat this means you should have at least: </P -><P +NAME="AEN1193">8.2. Installing the required packages for RedHat</H1 ><P +>On RedHat this means you should have at least: +<P ></P ><TABLE BORDER="0" 
@@ -181,15 +173,12 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1360" ->8.3. Compile Samba</A -></H1 +NAME="AEN1202">8.3. Compile Samba</H1 ><P >If your kerberos libraries are in a non-standard location then remember to add the configure option --with-krb5=DIR.</P ><P ->After you run configure make sure that include/config.h it - generates contains +>After you run configure make sure that include/config.h contains lines like this:</P ><P ><PRE @@ -225,10 +214,9 @@ CLASS="PROGRAMLISTING" > ads server = your.kerberos.server</PRE ></P ><P ->You do *not* need a smbpasswd file, and older clients will - be authenticated as if "security = domain", although it won't do any harm - and allows you to have local users not in the domain. - I expect that the above +>You do *not* need a smbpasswd file, although it won't do any harm + and if you have one then Samba will be able to fall back to normal + password security for older clients. I expect that the above required options will change soon when we get better active directory integration.</P ></DIV @@ -237,15 +225,13 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1375" ->8.4. Setup your /etc/krb5.conf</A -></H1 +NAME="AEN1217">8.4. Setup your /etc/krb5.conf</H1 ><P >The minimal configuration for krb5.conf is:</P ><P ><PRE CLASS="PROGRAMLISTING" ->[realms] +> [realms] YOUR.KERBEROS.REALM = { kdc = your.kerberos.server }</PRE 
@@ -269,18 +255,18 @@ to join the realm.</P ><P >If all you want is kerberos support in smbclient then you can skip straight to step 5 now. Step 3 is only needed if you want kerberos -support for smbd and winbindd.</P +support in smbd.</P ></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1385" ->8.5. Create the computer account</A -></H1 +NAME="AEN1227">8.5. Create the computer account</H1 ><P ->As a user that has write permission on the Samba private directory +>Do a "kinit" as a user that has authority to change arbitrary +passwords on the KDC ("Administrator" is a good choice). Then as a +user that has write permission on the Samba private directory (usually root) run: <B CLASS="COMMAND" @@ -291,9 +277,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN1389" ->8.5.1. Possible errors</A -></H2 +NAME="AEN1231">8.5.1. Possible errors</H2 ><P ><P ></P @@ -301,6 +285,12 @@ NAME="AEN1389" CLASS="VARIABLELIST" ><DL ><DT +>"bash: kinit: command not found"</DT +><DD +><P +>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</P +></DD +><DT >"ADS support not compiled in"</DT ><DD ><P @@ -316,9 +306,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1397" ->8.6. Test your server setup</A -></H1 +NAME="AEN1243">8.6. Test your server setup</H1 ><P >On a Windows 2000 client try <B CLASS="COMMAND" @@ -336,9 +324,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1402" ->8.7. Testing with smbclient</A -></H1 +NAME="AEN1248">8.7. Testing with smbclient</H1 ><P >On your Samba server try to login to a Win2000 server or your Samba server using smbclient and kerberos. Use smbclient as usual, but @@ -349,9 +335,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1405" ->8.8. Notes</A -></H1 +NAME="AEN1251">8.8. Notes</H1 ><P >You must change administrator password at least once after DC install, to create the right encoding types</P 
@@ -418,7 +402,7 @@ ACCESSKEY="U" WIDTH="33%" ALIGN="right" VALIGN="top" ->Samba as a NT4 or Win2k domain member</TD +>Samba as a NT4 domain member</TD ></TR ></TABLE ></DIV |
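Review bot: In the first hunk (@@ -5,7 +5,8) the new GENERATOR value has a line break inside the quoted CONTENT attribute ("Modular DocBook HTML Stylesheet Version 1.76b+" followed by a newline before the closing quote). That points to a stylesheet or toolchain change rather than a documentation change, and most of the 35 insertions and 51 deletions in this file are the same kind of generator churn. Please regenerate with the stylesheet version used for the previous output, or commit the regeneration separately from the text changes so the real edits to the ADS chapter can be reviewed on their own.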
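Review bot: The NEXT link title in hunk @@ -16,7 +17,7 loses "or Win2k" and becomes "Samba as a NT4 domain member", and the footer cell in hunk @@ -418,7 +402,7 changes the same way. Neither hunk touches domain-security.html itself, so this reads as the page having been regenerated from an older copy of the source rather than an intended retitling. Please confirm the title of the next chapter and rebuild from the current DocBook source if the old wording was the correct one.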
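Review bot: In hunk @@ -72,16 +73,13 the chapter anchor is now opened and never closed: the old output had NAME="ADS" followed by a closing </A before the heading text, while the new line runs NAME="ADS">Chapter 8. Samba as a ADS domain member</H1 with no </A at all. The same pattern repeats for every section anchor further down (AEN1187, AEN1193, AEN1202, AEN1217, AEN1227, AEN1231, AEN1243, AEN1248, AEN1251). The paragraph "Pieces you need before you begin:" also loses its closing </P and is followed directly by another <P. Browsers will recover, but an unclosed named anchor can turn the rest of the page into one anchor region; the generated HTML should keep the closing tags.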
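Review bot: The rewritten smbpasswd paragraph in hunk @@ -225,10 +214,9 now says that with an smbpasswd file "Samba will be able to fall back to normal password security for older clients", which replaces, and does not agree with, the removed statement that older clients "will be authenticated as if "security = domain"". These describe two different authentication paths, so please confirm which one the code actually takes. If the fallback is real, the text should say so explicitly as a consequence of keeping the file: an administrator who expects Kerberos-only authentication needs to know that the presence of smbpasswd enables a password-based path for some clients, and how to avoid it.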
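Review bot: The new instructions in hunk @@ -269,18 +255,18 use "user" in two senses in consecutive sentences: "Do a "kinit" as a user that has authority to change arbitrary passwords on the KDC" means a Kerberos principal, while "as a user that has write permission on the Samba private directory (usually root)" means a local Unix account. A reader can take this as two different logins, and the ticket obtained by kinit sits in the credential cache of the Unix account that ran it, so the join run from another account will not see it. Suggest wording along the lines of: as root, run kinit for a principal with the required rights, then run the join command from the same session. Recommending "Administrator" here also deserves a sentence on discarding the ticket once the join is done. Separately, the same hunk narrows "kerberos support for smbd and winbindd" to "support in smbd"; if winbindd still needs the computer account, that mention should stay.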