Diffstat (limited to 'docs/textdocs')
-rw-r--r-- | docs/textdocs/ADS-HOWTO.txt | 142 |
1 files changed, 0 insertions, 142 deletions
diff --git a/docs/textdocs/ADS-HOWTO.txt b/docs/textdocs/ADS-HOWTO.txt deleted file mode 100644 index 7a066c69ec..0000000000 --- a/docs/textdocs/ADS-HOWTO.txt +++ /dev/null 
@@ -1,142 +0,0 @@ -Samba 3.0 prealpha guide to Kerberos authentication ---------------------------------------------------- - -Andrew Tridgell -tridge@samba.org - -This is a VERY ROUGH guide to setting up the current (November 2001) -pre-alpha version of Samba 3.0 with kerberos authentication against a -Windows2000 KDC. The procedures listed here are likely to change as -the code develops. - -Pieces you need before you begin: - -- a Windows 2000 server -- the latest CVS source code for Samba. See http://cvs.samba.org/ for how to - fetch this. -- the MIT kerberos development libraries (either install from the - above sources or use a package). Under debian you need "libkrb5-dev" - and "krb5-user". The heimdal libraries will not work. -- the OpenLDAP development libraries. - -On RedHat this means you should have at least: - -krb5-workstation (for kinit) -krb5-libs (for linking with) -krb5-devel (because you are compiling from source) - -in addition to the standard development environment. - -Note that these are not standard on a RedHat install, and you may need -to get them off CD2. - -Also check that you have the latest copy of this HOWTO. It is -available from http://samba.org/ftp/tridge/kerberos/HOWTO - -Step 1: Compile Samba - - If your kerberos libraries are in a non-standard location then - remember to add the configure option --with-krb5=DIR. - - After you run configure make sure that include/config.h contains - lines like this: - - #define HAVE_KRB5 1 - #define HAVE_LDAP 1 - - If it doesn't then configure did not find your krb5 libraries or - your ldap libraries. Look in config.log to figure out why and fix - it. - - Then compile and install Samba as usual. You must use at least the - following 3 options in smb.conf: - - realm = YOUR.KERBEROS.REALM - ads server = your.kerberos.server - security = ADS - encrypt passwords = yes - - Strictly speaking, you can omit the realm name and you can use an IP - address for the ads server. 
In that case Samba will auto-detect these. - - You do *not* need a smbpasswd file, although it won't do any harm - and if you have one then Samba will be able to fall back to normal - password security for older clients. I expect that the above - required options will change soon when we get better active - directory integration. - - -Step 2: Setup your /etc/krb5.conf - - The minimal configuration for krb5.conf is: - - [realms] - YOUR.KERBEROS.REALM = { - kdc = your.kerberos.server - } - - - Test your config by doing a "kinit USERNAME@REALM" and making sure that - your password is accepted by the Win2000 KDC. - - NOTE: The realm must be uppercase. - - You also must ensure that you can do a reverse DNS lookup on the IP - address of your KDC. Also, the name that this reverse lookup maps to - must either be the netbios name of the KDC (ie. the hostname with no - domain attached) or it can alternatively be the netbios name - followed by the realm. - - The easiest way to ensure you get this right is to add a /etc/hosts - entry mapping the IP address of your KDC to its netbios name. If you - don't get this right then you will get a "local error" when you try - to join the realm. - -* If all you want is kerberos support in smbclient then you can skip -* straight to step 5 now. Step 3 is only needed if you want kerberos -* support in smbd. - - -Step 3: Create the computer account - - Do a "kinit" as a user that has authority to change arbitrary - passwords on the KDC ("Administrator" is a good choice). 
Then as a - user that has write permission on the Samba private directory - (usually root) run: - - net ads join - - Possible errors: - - "bash: kinit: command not found": - - kinit is in the krb5-workstation RPM on RedHat systems, and is - in /usr/kerberos/bin, so it won't be in the path until - you log in again (or open a new terminal) - - "ADS support not compiled in" - - Samba must be reconfigured (remove config.cache) and - recompiled (make clean all install) after the kerberos libs - and headers are installed. - - -Step 4: Test your server setup - - On a Windows 2000 client try "net use * \\server\share". You should - be logged in with kerberos without needing to know a password. If - this fails then run "klist tickets". Did you get a ticket for the - server? Does it have an encoding type of DES-CBC-MD5 ? - -Step 5: Testing with smbclient - - On your Samba server try to login to a Win2000 server or your Samba - server using smbclient and kerberos. Use smbclient as usual, but - specify the -k option to choose kerberos authentication. - - --------- - -NOTES: - - must change administrator password at least once after DC install, - to create the right encoding types - - - w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in - their defaults DNS setup. Maybe fixed in service packs? - |
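Review bot: the hunk deletes docs/textdocs/ADS-HOWTO.txt in full while the diffstat shows no replacement being added, so the removal should say where this material now lives or why it is dropped (the file self-describes as a "VERY ROUGH" November 2001 pre-alpha guide, so obsolescence is plausible, but the page does not show a commit message saying so). Before relying on that, check that the current ADS documentation still covers the operational points this file carried: the four smb.conf settings it calls required (`realm`, `ads server`, `security = ADS`, `encrypt passwords = yes`), the minimal `/etc/krb5.conf` `[realms]` stanza with the note that the realm must be uppercase, and the reverse-DNS requirement for the KDC address (mapping to the netbios name or netbios name plus realm, otherwise `net ads join` fails with "local error"), since those are the parts a user setting up Kerberos authentication still needs. One line should not be migrated as written: the Step 4 check that the service ticket "has an encoding type of DES-CBC-MD5" documents a single-DES enctype that is weak and no longer a sensible expectation, so any successor document should present it as historical rather than as the success criterion.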