Diffstat (limited to 'docs/htmldocs/ads.html')
-rw-r--r-- | docs/htmldocs/ads.html | 467 |
1 files changed, 0 insertions, 467 deletions
diff --git a/docs/htmldocs/ads.html b/docs/htmldocs/ads.html deleted file mode 100644 index b7468eb091..0000000000 --- a/docs/htmldocs/ads.html +++ /dev/null 
@@ -1,467 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->Samba as a ADS domain member</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK -REL="HOME" -TITLE="SAMBA Project Documentation" -HREF="samba-howto-collection.html"><LINK -REL="UP" -TITLE="Type of installation" -HREF="type.html"><LINK -REL="PREVIOUS" -TITLE="Samba Backup Domain Controller to Samba Domain Control" -HREF="samba-bdc.html"><LINK -REL="NEXT" -TITLE="Samba as a NT4 or Win2k domain member" -HREF="domain-member.html"></HEAD -><BODY -CLASS="CHAPTER" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->SAMBA Project Documentation</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="samba-bdc.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="domain-member.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="CHAPTER" -><H1 -><A -NAME="ADS" -></A ->Chapter 9. Samba as a ADS domain member</H1 -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->9.1. <A -HREF="ads.html#AEN1363" ->Setup your <TT -CLASS="FILENAME" ->smb.conf</TT -></A -></DT -><DT ->9.2. <A -HREF="ads.html#AEN1376" ->Setup your <TT -CLASS="FILENAME" ->/etc/krb5.conf</TT -></A -></DT -><DT ->9.3. <A -HREF="ads.html#ADS-CREATE-MACHINE-ACCOUNT" ->Create the computer account</A -></DT -><DT ->9.4. <A -HREF="ads.html#ADS-TEST-SERVER" ->Test your server setup</A -></DT -><DT ->9.5. <A -HREF="ads.html#ADS-TEST-SMBCLIENT" ->Testing with <SPAN -CLASS="APPLICATION" ->smbclient</SPAN -></A -></DT -><DT ->9.6. 
<A -HREF="ads.html#AEN1424" ->Notes</A -></DT -></DL -></DIV -><P ->This is a rough guide to setting up Samba 3.0 with kerberos authentication against a -Windows2000 KDC. </P -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1363" ->9.1. Setup your <TT -CLASS="FILENAME" ->smb.conf</TT -></A -></H1 -><P ->You must use at least the following 3 options in smb.conf:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> realm = YOUR.KERBEROS.REALM - security = ADS - encrypt passwords = yes</PRE -></P -><P ->In case samba can't figure out your ads server using your realm name, use the -<B -CLASS="COMMAND" ->ads server</B -> option in <TT -CLASS="FILENAME" ->smb.conf</TT ->: -<PRE -CLASS="PROGRAMLISTING" -> ads server = your.kerberos.server</PRE -></P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->You do *not* need a smbpasswd file, and older clients will - be authenticated as if <B -CLASS="COMMAND" ->security = domain</B ->, - although it won't do any harm - and allows you to have local users not in the domain. - I expect that the above required options will change soon when we get better - active directory integration.</P -></TD -></TR -></TABLE -></DIV -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1376" ->9.2. Setup your <TT -CLASS="FILENAME" ->/etc/krb5.conf</TT -></A -></H1 -><P ->The minimal configuration for <TT -CLASS="FILENAME" ->krb5.conf</TT -> is:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->[realms] - YOUR.KERBEROS.REALM = { - kdc = your.kerberos.server - }</PRE -></P -><P ->Test your config by doing a <KBD -CLASS="USERINPUT" ->kinit <VAR -CLASS="REPLACEABLE" ->USERNAME</VAR ->@<VAR -CLASS="REPLACEABLE" ->REALM</VAR -></KBD -> and making sure that - your password is accepted by the Win2000 KDC. 
</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->The realm must be uppercase. </P -></TD -></TR -></TABLE -></DIV -><P ->You also must ensure that you can do a reverse DNS lookup on the IP -address of your KDC. Also, the name that this reverse lookup maps to -must either be the netbios name of the KDC (ie. the hostname with no -domain attached) or it can alternatively be the netbios name -followed by the realm. </P -><P ->The easiest way to ensure you get this right is to add a -<TT -CLASS="FILENAME" ->/etc/hosts</TT -> entry mapping the IP address of your KDC to -its netbios name. If you don't get this right then you will get a -"local error" when you try to join the realm.</P -><P ->If all you want is kerberos support in <SPAN -CLASS="APPLICATION" ->smbclient</SPAN -> then you can skip -straight to <A -HREF="ads.html#ADS-TEST-SMBCLIENT" ->Test with <SPAN -CLASS="APPLICATION" ->smbclient</SPAN -></A -> now. -<A -HREF="ads.html#ADS-CREATE-MACHINE-ACCOUNT" ->Creating a computer account</A -> -and <A -HREF="ads.html#ADS-TEST-SERVER" ->testing your servers</A -> -is only needed if you want kerberos -support for <SPAN -CLASS="APPLICATION" ->smbd</SPAN -> and <SPAN -CLASS="APPLICATION" ->winbindd</SPAN ->.</P -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="ADS-CREATE-MACHINE-ACCOUNT" ->9.3. Create the computer account</A -></H1 -><P ->As a user that has write permission on the Samba private directory -(usually root) run: -<KBD -CLASS="USERINPUT" ->net ads join</KBD -></P -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN1404" ->9.3.1. 
Possible errors</A -></H2 -><P -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->"ADS support not compiled in"</DT -><DD -><P ->Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</P -></DD -></DL -></DIV -></P -></DIV -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="ADS-TEST-SERVER" ->9.4. Test your server setup</A -></H1 -><P ->On a Windows 2000 client try <KBD -CLASS="USERINPUT" ->net use * \\server\share</KBD ->. You should -be logged in with kerberos without needing to know a password. If -this fails then run <KBD -CLASS="USERINPUT" ->klist tickets</KBD ->. Did you get a ticket for the -server? Does it have an encoding type of DES-CBC-MD5 ? </P -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="ADS-TEST-SMBCLIENT" ->9.5. Testing with <SPAN -CLASS="APPLICATION" ->smbclient</SPAN -></A -></H1 -><P ->On your Samba server try to login to a Win2000 server or your Samba -server using <SPAN -CLASS="APPLICATION" ->smbclient</SPAN -> and kerberos. Use <SPAN -CLASS="APPLICATION" ->smbclient</SPAN -> as usual, but -specify the <VAR -CLASS="PARAMETER" ->-k</VAR -> option to choose kerberos authentication.</P -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1424" ->9.6. Notes</A -></H1 -><P ->You must change administrator password at least once after DC -install, to create the right encoding types</P -><P ->w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in - their defaults DNS setup. 
Maybe fixed in service packs?</P -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="samba-bdc.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="samba-howto-collection.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="domain-member.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" ->Samba Backup Domain Controller to Samba Domain Control</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="type.html" -ACCESSKEY="U" ->Up</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" ->Samba as a NT4 or Win2k domain member</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file |
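Review bot: The removal of docs/htmldocs/ads.html in the single `@@ -1,467 +0,0 @@` hunk comes with no rationale visible alongside the diff, and the file's `NAME="GENERATOR"` meta tag shows it is DocBook stylesheet output, so the change should say whether the DocBook source for Chapter 9 is kept and the HTML is simply regenerated at build time. The header names samba-bdc.html as PREVIOUS and domain-member.html as NEXT, and the page is addressed through anchors such as `ads.html#ADS-TEST-SMBCLIENT`, so please confirm that the neighbouring pages and samba-howto-collection.html are removed or regenerated in the same series and that no link to ads.html is left dangling. If the chapter is being retired rather than regenerated, its operational caveats (the uppercase realm, the reverse DNS lookup on the KDC address, the DES-CBC-MD5 ticket check) need a home in whatever replaces it.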