From 6fc57517c2504c9b720744f262fee0bebbb53da6 Mon Sep 17 00:00:00 2001 From: John H Terpstra Date: Thu, 9 Jul 2009 08:19:17 -0500 Subject: Fixes inspired by OPC Oota. --- docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml | 28 +++++++++++++++++--------- 1 file changed, 18 insertions(+), 10 deletions(-) (limited to 'docs-xml/Samba3-HOWTO') diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml b/docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml index b2b58b9c53..fb66f661aa 100644 --- a/docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml +++ b/docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml @@ -242,6 +242,7 @@ trust account creation. This is a matter of the administrator's choice. /etc/passwd + useradd vipw The first step in manually creating a Machine Trust Account is to manually @@ -476,10 +477,14 @@ with the version of Windows. privileges root When the user elects to make the client a domain member, Windows 200x prompts for - an account and password that has privileges to create machine accounts in the domain. - A Samba administrator account (i.e., a Samba account that has root privileges on the - Samba server) must be entered here; the operation will fail if an ordinary user - account is given. + an account and password that has privileges to create machine accounts in the domain. + + + + A Samba administrator account (i.e., a Samba account that has root privileges on the + Samba server) must be entered here; the operation will fail if an ordinary user account is given. + The necessary privilege can be assured by creating a Samba SAM account for root or + by granting the SeMachineAccountPrivilege privilage to the user account. @@ -539,6 +544,7 @@ with the version of Windows. Samba Client + Joining a Samba client to a domain is documented in the next section. @@ -626,6 +632,7 @@ and be fully trusted by it. + First, you must edit your &smb.conf; file to tell Samba it should now use domain security. 
@@ -927,7 +934,7 @@ and it may be detrimental. ADS SRV records -DNS zone +DNS zon KDC _kerberos.REALM.NAME Microsoft ADS automatically create SRV records in the DNS zone @@ -1070,6 +1077,7 @@ error when you try to join the realm. Kerberos Create the Computer Account Testing Server Setup + If all you want is Kerberos support in &smbclient;, then you can skip directly to Testing with &smbclient; now. Create the Computer Account and kinit rights - You need to log in to the domain using kinit + You need to login to the domain using kinit USERNAME@REALM. USERNAME must be a user who has rights to add a machine to the domain. @@ -1184,10 +1192,10 @@ folder under Users and Computers. Windows 2000 netuse DES-CBC-MD5 -On a Windows 2000 client, try net use * \\server\share. You should -be logged in with Kerberos without needing to know a password. If this fails, then run +On a Windows 2000 client, try net use * \\server\share. It should be possible +to login with Kerberos without needing to know a password. If this fails, then run klist tickets. Did you get a ticket for the server? Does it have -an encryption type of DES-CBC-MD5? +an encryption type of DES-CBC-MD5? @@ -1206,7 +1214,7 @@ Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5 encoding. smbclient Kerberos Kerberos authentication -On your Samba server try to log in to a Windows 2000 server or your Samba +On your Samba server try to login to a Windows 2000 server or your Samba server using &smbclient; and Kerberos. Use &smbclient; as usual, but specify the option to choose Kerberos authentication. -- cgit
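Review bot: In the -476,10 +477,14 hunk, the retained sentence still says a Samba administrator account "must be entered here; the operation will fail if an ordinary user account is given", while the sentence added after it says the join also works for a user account that has been granted SeMachineAccountPrivilege. Reword the first sentence so the two agree, for example by saying the account must hold the right to create machine accounts. The added text "the SeMachineAccountPrivilege privilage" also misspells "privilege" and repeats a word the right's name already carries; "by granting SeMachineAccountPrivilege to the user account" is enough. Consider listing that option before the root SAM account, since it confers only the right the join needs.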
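Review bot: The -927,7 +934,7 hunk changes the index term "DNS zone" to "DNS zon", which looks like an accidental deletion rather than an intended edit. The paragraph right below it still reads "SRV records in the DNS zone", so the term should stay "DNS zone".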
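Review bot: In the -1184,10 +1192,10 hunk, "It should be possible to login with Kerberos" uses the noun "login" as a verb, where the removed line had "logged in"; "to log in with Kerberos" keeps the new impersonal phrasing. The same substitution is made in the kinit paragraph ("You need to login to the domain") and in the -1206,7 +1214,7 hunk ("try to login to a Windows 2000 server"), and both removed lines there had the correct "log in".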