Diffstat (limited to 'docs/htmldocs/ads.html')
-rw-r--r-- | docs/htmldocs/ads.html | 411 |
1 files changed, 0 insertions, 411 deletions
diff --git a/docs/htmldocs/ads.html b/docs/htmldocs/ads.html deleted file mode 100644 index 26ec1d04a7..0000000000 --- a/docs/htmldocs/ads.html +++ /dev/null 
@@ -1,411 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->Samba as a ADS domain member</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ -"><LINK -REL="HOME" -TITLE="SAMBA Project Documentation" -HREF="samba-howto-collection.html"><LINK -REL="UP" -TITLE="Type of installation" -HREF="type.html"><LINK -REL="PREVIOUS" -TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain" -HREF="samba-bdc.html"><LINK -REL="NEXT" -TITLE="Samba as a NT4 domain member" -HREF="domain-security.html"></HEAD -><BODY -CLASS="CHAPTER" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->SAMBA Project Documentation</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="samba-bdc.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="domain-security.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="CHAPTER" -><H1 -><A -NAME="ADS">Chapter 8. Samba as a ADS domain member</H1 -><P ->This is a rough guide to setting up Samba 3.0 with kerberos authentication against a -Windows2000 KDC. </P -><P ->Pieces you need before you begin: -<P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->a Windows 2000 server.</TD -></TR -><TR -><TD ->samba 3.0 or higher.</TD -></TR -><TR -><TD ->the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work.</TD -></TR -><TR -><TD ->the OpenLDAP development libraries.</TD -></TR -></TBODY -></TABLE -><P -></P -></P -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1187">8.1. 
Installing the required packages for Debian</H1 -><P ->On Debian you need to install the following packages: -<P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->libkrb5-dev</TD -></TR -><TR -><TD ->krb5-user</TD -></TR -></TBODY -></TABLE -><P -></P -></P -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1193">8.2. Installing the required packages for RedHat</H1 -><P ->On RedHat this means you should have at least: -<P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->krb5-workstation (for kinit)</TD -></TR -><TR -><TD ->krb5-libs (for linking with)</TD -></TR -><TR -><TD ->krb5-devel (because you are compiling from source)</TD -></TR -></TBODY -></TABLE -><P -></P -></P -><P ->in addition to the standard development environment.</P -><P ->Note that these are not standard on a RedHat install, and you may need -to get them off CD2.</P -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1202">8.3. Compile Samba</H1 -><P ->If your kerberos libraries are in a non-standard location then - remember to add the configure option --with-krb5=DIR.</P -><P ->After you run configure make sure that include/config.h contains - lines like this:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->#define HAVE_KRB5 1 -#define HAVE_LDAP 1</PRE -></P -><P ->If it doesn't then configure did not find your krb5 libraries or - your ldap libraries. Look in config.log to figure out why and fix - it.</P -><P ->Then compile and install Samba as usual. 
You must use at least the - following 3 options in smb.conf:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> realm = YOUR.KERBEROS.REALM - security = ADS - encrypt passwords = yes</PRE -></P -><P ->In case samba can't figure out your ads server using your realm name, use the -<B -CLASS="COMMAND" ->ads server</B -> option in <TT -CLASS="FILENAME" ->smb.conf</TT ->: -<PRE -CLASS="PROGRAMLISTING" -> ads server = your.kerberos.server</PRE -></P -><P ->You do *not* need a smbpasswd file, although it won't do any harm - and if you have one then Samba will be able to fall back to normal - password security for older clients. I expect that the above - required options will change soon when we get better active - directory integration.</P -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1217">8.4. Setup your /etc/krb5.conf</H1 -><P ->The minimal configuration for krb5.conf is:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> [realms] - YOUR.KERBEROS.REALM = { - kdc = your.kerberos.server - }</PRE -></P -><P ->Test your config by doing a "kinit USERNAME@REALM" and making sure that - your password is accepted by the Win2000 KDC. </P -><P ->NOTE: The realm must be uppercase. </P -><P ->You also must ensure that you can do a reverse DNS lookup on the IP -address of your KDC. Also, the name that this reverse lookup maps to -must either be the netbios name of the KDC (ie. the hostname with no -domain attached) or it can alternatively be the netbios name -followed by the realm. </P -><P ->The easiest way to ensure you get this right is to add a /etc/hosts -entry mapping the IP address of your KDC to its netbios name. If you -don't get this right then you will get a "local error" when you try -to join the realm.</P -><P ->If all you want is kerberos support in smbclient then you can skip -straight to step 5 now. Step 3 is only needed if you want kerberos -support in smbd.</P -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1227">8.5. 
Create the computer account</H1 -><P ->Do a "kinit" as a user that has authority to change arbitrary -passwords on the KDC ("Administrator" is a good choice). Then as a -user that has write permission on the Samba private directory -(usually root) run: -<B -CLASS="COMMAND" ->net ads join</B -></P -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN1231">8.5.1. Possible errors</H2 -><P -><P -></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->"bash: kinit: command not found"</DT -><DD -><P ->kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</P -></DD -><DT ->"ADS support not compiled in"</DT -><DD -><P ->Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</P -></DD -></DL -></DIV -></P -></DIV -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1243">8.6. Test your server setup</H1 -><P ->On a Windows 2000 client try <B -CLASS="COMMAND" ->net use * \\server\share</B ->. You should -be logged in with kerberos without needing to know a password. If -this fails then run <B -CLASS="COMMAND" ->klist tickets</B ->. Did you get a ticket for the -server? Does it have an encoding type of DES-CBC-MD5 ? </P -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1248">8.7. Testing with smbclient</H1 -><P ->On your Samba server try to login to a Win2000 server or your Samba -server using smbclient and kerberos. Use smbclient as usual, but -specify the -k option to choose kerberos authentication.</P -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1251">8.8. Notes</H1 -><P ->You must change administrator password at least once after DC install, - to create the right encoding types</P -><P ->w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in - their defaults DNS setup. 
Maybe fixed in service packs?</P -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="samba-bdc.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="samba-howto-collection.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="domain-security.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" ->How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="type.html" -ACCESSKEY="U" ->Up</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" ->Samba as a NT4 domain member</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file |
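Review bot: the NAVHEADER and NAVFOOTER of the deleted page name samba-bdc.html as Prev and domain-security.html as Next, and the diffstat here is limited to docs/htmldocs/ads.html, so it is not visible whether those neighbouring pages and samba-howto-collection.html still link to ads.html after this removal. Please confirm they are deleted or regenerated in the same commit so no navigation link is left pointing at a missing file. The META GENERATOR line shows this file is DocBook stylesheet output, so the commit message should also say where the source of chapter 8 lives, since the page carries operational guidance that is not obviously duplicated elsewhere (the uppercase realm requirement, the reverse DNS lookup for the KDC, the "net ads join" step run after kinit as a privileged user, and the DES-CBC-MD5 ticket check). If the chapter is being retired rather than regenerated, note that too: section 8.4 refers to "step 5" and "Step 3", which do not match the 8.x section numbering, so any surviving copy of the text needs that cross-reference fixed.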