From c25c6614139d3f8a3eba60ae305e75bf03201e53 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 27 May 2005 22:21:47 +0000 Subject: Progress update. (This used to be commit 3542c6883c4b07cc0be13036708dfffec2062c88) --- docs/Samba-Guide/SBE-2000UserNetwork.xml | 1 + docs/Samba-Guide/SBE-AddingUNIXClients.xml | 298 ++++++++++++----------------- docs/Samba-Guide/SBE-MakingHappyUsers.xml | 1 + 3 files changed, 124 insertions(+), 176 deletions(-) (limited to 'docs/Samba-Guide') diff --git a/docs/Samba-Guide/SBE-2000UserNetwork.xml b/docs/Samba-Guide/SBE-2000UserNetwork.xml index 3418be7520..2023e43f92 100644 --- a/docs/Samba-Guide/SBE-2000UserNetwork.xml +++ b/docs/Samba-Guide/SBE-2000UserNetwork.xml @@ -781,6 +781,7 @@ passdb backend = ldapsam:ldap://master.abmas.biz \ + Implementation Steps for an LDAP Slave Server SUSE Linux diff --git a/docs/Samba-Guide/SBE-AddingUNIXClients.xml b/docs/Samba-Guide/SBE-AddingUNIXClients.xml index c5a6b4349b..95625f0a74 100644 --- a/docs/Samba-Guide/SBE-AddingUNIXClients.xml +++ b/docs/Samba-Guide/SBE-AddingUNIXClients.xml @@ -1158,15 +1158,10 @@ Joined domain MEGANET2. Active Directory Domain with Samba Domain Member Server - - Active Directory - join - - Kerberos - - Domain Member - server - + + Active Directoryjoin + Kerberos + Domain Memberserver One of the much-sought-after features new to Samba-3 is the ability to join an Active Directory domain using Kerberos protocols. This makes it possible to operate an entire Windows network without the need to run NetBIOS over TCP/IP and permits more secure networking in general. An 
@@ -1175,15 +1170,11 @@ Joined domain MEGANET2. in. For now, we simply focus on how a Samba-3 server can be made a domain member server. - - Active Directory - - LDAP - - Identity resolution - - Kerberos - + + Active Directory + LDAP + Identity resolution + Kerberos The diagram in demonstrates how Samba-3 interfaces with Microsoft Active Directory components. It should be noted that if Microsoft Windows Services for UNIX (SFU) has been installed and correctly configured, it is possible to use client LDAP @@ -1219,6 +1210,8 @@ Joined domain MEGANET2. + Joining a Samba Server as an ADS Domain Member + smbd @@ -1289,28 +1282,16 @@ massive:/usr/sbin # smbd -b | grep LDAP support. You are relieved to know that it is safe to progress. - - Kerberos - libraries - - MIT Kerberos - - Heimdal Kerberos - - Kerberos - MIT - - Kerberos - Heimdal - - Red Hat Linux - - SUSE Linux - - SerNet - - validated - + + Kerberoslibraries + MIT Kerberos + Heimdal Kerberos + KerberosMIT + KerberosHeimdal + Red Hat Linux + SUSE Linux + SerNet + validated The next step is to identify which version of the Kerberos libraries have been used. In order to permit Samba-3 to interoperate with Windows 2003 Active Directory, it is essential that it has been linked with either MIT Kerberos version 1.3.1 or later, @@ -1345,9 +1326,8 @@ massive:/usr/sbin # smbd -b | grep LDAP Edit or create the NSS control file so it has the contents shown in . - - /etc/samba/secrets.tdb - + + /etc/samba/secrets.tdb Delete the file /etc/samba/secrets.tdb if it exists. Of course, you do keep a backup, don't you? @@ -1361,9 +1341,8 @@ massive:/usr/sbin # smbd -b | grep LDAP - - testparm - + + testparm Validate your &smb.conf; file using testparm (as you have done previously). Correct all errors reported before proceeding. The command you execute is: 
@@ -1374,13 +1353,9 @@ massive:/usr/sbin # smbd -b | grep LDAP ADS domain, let's move on. - - net - ads - join - - Kerberos - + + netadsjoin + Kerberos This is a good time to double-check everything and then execute the following command when everything you have done has checked out okay: @@ -1392,26 +1367,21 @@ Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ' using Kerberos protocols. - - silent return - - failed join - + + silent return + failed join In the event that you receive no output messages, a silent return means that the domain join failed. You should use ethereal to identify what may be failing. Common causes of a failed join include: - - name resolution - Defective - + + name resolutionDefective Defective or misconfigured DNS name resolution. - - Restrictive security - + + Restrictive security Restrictive security settings on the Windows 200x ADS domain controller preventing needed communications protocols. You can check this by searching the Windows Server 200x Event Viewer. @@ -1427,26 +1397,19 @@ Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ' functionality. - - net - rpc - join - - RPC - - mixed mode - + + netrpcjoin + RPC + mixed mode In any case, never execute the net rpc join command in an attempt to join the Samba server to the domain, unless you wish not to use the Kerberos security protocols. Use of the older RPC-based domain join facility requires that Windows Server 200x ADS has been configured appropriately for mixed mode operation. - - tdbdump - - /etc/samba/secrets.tdb - + + tdbdump + /etc/samba/secrets.tdb If the tdbdump is installed on your system (not essential), you can look inside the /etc/samba/secrets.tdb file. If you wish to do this, execute: @@ -1480,9 +1443,8 @@ data = "E\89\F6?" in this book). - - wbinfo - + + wbinfo This is a good time to verify that everything is working. First, check that winbind is able to obtain the list of users and groups from the ADS domain controller. Execute the following: 
@@ -1546,16 +1508,10 @@ LONDON+DnsUpdateProxy:x:10008: This is very pleasing. Everything works as expected. - - net - ads - info - - Active Directory - server - - Kerberos - + + netadsinfo + Active Directoryserver + Kerberos You may now perform final verification that communications between Samba-3 winbind and the Active Directory server is using Kerberos protocols. Execute the following: @@ -1834,28 +1790,30 @@ data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt- - An example &smb.conf; file for and ADS domain environment is shown here: - -# Global parameters -[global] - workgroup = KPAK - netbios name = BIGJOE - realm = CORP.KPAK.COM - server string = Office Server - security = ADS - allow trusted domains = No - idmap backend = idmap_rid:KPAK=500-100000000 - idmap uid = 500-100000000 - idmap gid = 500-100000000 - template shell = /bin/bash - winbind use default domain = Yes - winbind enum users = No - winbind enum groups = No - winbind nested groups = Yes - printer admin = "Domain Admins" - + An example &smb.conf; file for an ADS domain environment is shown in . + +Example &smb.conf; File Using <constant>idmap_rid</constant> +Global parameters + +KPAK +BIGJOE +CORP.KPAK.COM +Office Server +ADS +No +idmap_rid:KPAK=500-100000000 +500-100000000 +500-100000000 +/bin/bash +Yes +No +No +Yes +"KPAK\Domain Admins" + + large domain Active Directory 
@@ -1956,27 +1914,25 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash The example in is for an ADS-style domain. - + Typical ADS Style Domain &smb.conf; File - -# Global parameters -[global] - workgroup = SNOWSHOW - netbios name = GOODELF - realm = SNOWSHOW.COM - server string = Samba Server - security = ADS - log level = 1 ads:10 auth:10 sam:10 rpc:10 - ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM - ldap idmap suffix = ou=Idmap - ldap suffix = dc=SNOWSHOW,dc=COM - idmap backend = ldap:ldap://ldap.snowshow.com - idmap uid = 150000-550000 - idmap gid = 150000-550000 - template shell = /bin/bash - winbind use default domain = Yes - - +Global parameters + +SNOWSHOW +GOODELF +SNOWSHOW.COM +Samba Server +ADS +1 ads:10 auth:10 sam:10 rpc:10 +cn=Manager,dc=SNOWSHOW,dc=COM +ou=Idmap +dc=SNOWSHOW,dc=COM +ldap:ldap://ldap.snowshow.com +150000-550000 +150000-550000 +/bin/bash +Yes + realm @@ -2157,23 +2113,26 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM' - The following is an example &smb.conf; file: - -# Global parameters -[global] - workgroup = BOBBY - realm = BOBBY.COM - security = ADS - idmap uid = 150000-550000 - idmap gid = 150000-550000 - template shell = /bin/bash - winbind cache time = 5 - winbind use default domain = Yes - winbind trusted domains only = Yes - winbind nested groups = Yes - + An example &smb.conf; file is shown in . + +ADS Membership Using RFC2307bis Identity Resolution &smb.conf; File +Global parameters + +BUBBAH +MADMAX +BUBBAH.COM +Samba Server +ADS +150000-550000 +150000-550000 +/bin/bash +Yes +Yes +Yes + + nss_ldap The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary 
@@ -2314,23 +2273,18 @@ hosts: files wins support via Samba-3. - - Windows Services for UNIX - SUS - + + Windows Services for UNIXSUS On the other hand, if the authentication and identity resolution backend must be provided by a Windows NT4-style domain or from an Active Directory Domain that does not have the Microsoft Windows Services for UNIX installed, winbind is your best friend. Specific guidance for these situations now follows. - - PAM - - Identity resolution - - NSS - + + PAM + Identity resolution + NSS To permit users to log onto a Linux system using Windows network credentials, you need to configure identity resolution (NSS) and PAM. This means that the basic steps include those outlined above with the addition of PAM configuration. Given that most workstations (desktop/client) @@ -2566,19 +2520,13 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass - - NIS - - encrypted passwords - - smbpasswd - - tdbsam - - passdb backend - - Winbind - + + NIS + encrypted passwords + smbpasswd + tdbsam + passdb backend + Winbind You can use NIS for your UNIX accounts. NIS does not store the Windows encrypted passwords that need to be stored in one of the acceptable passdb backends. Your choice of backend is limited to smbpasswd or @@ -2586,11 +2534,9 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass SIDs from trusted domains to local UID/GID values. - - winbind trusted domains only - - getpwnam() - + + winbind trusted domains only + getpwnam() On a domain member server, you effectively map Windows domain users to local users that are in your NIS database by specifying the winbind trusted domains only. This causes user and group account lookups to be routed via diff --git a/docs/Samba-Guide/SBE-MakingHappyUsers.xml b/docs/Samba-Guide/SBE-MakingHappyUsers.xml index 4173fd267c..fd032a28fc 100644 --- a/docs/Samba-Guide/SBE-MakingHappyUsers.xml +++ b/docs/Samba-Guide/SBE-MakingHappyUsers.xml 
@@ -2870,6 +2870,7 @@ smb: \> q + Printer Configuration Steps Configure all network-attached printers to have a fixed IP address.
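Review bot: in the SBE-2000UserNetwork.xml hunk at line 781, the added title "Implementation Steps for an LDAP Slave Server" is inserted immediately after the context line `passdb backend = ldapsam:ldap://master.abmas.biz \`, which is a continued line of an smb.conf listing; confirm that the new title element sits after the listing's closing tag, as the heading of the procedure that follows, and not inside the screen block, where the trailing backslash continuation would make it read as part of the configuration. The same placement check applies to the bare titles added at 1219 ("Joining a Samba Server as an ADS Domain Member") and at 2870 in SBE-MakingHappyUsers.xml ("Printer Configuration Steps").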
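Review bot: the index-term rewrites in SBE-AddingUNIXClients.xml (hunks at 1158, 1175, 1289, 1345, 1361, 1374, 1392, 1427, 1480, 1546, 2314, 2566 and 2586) collapse each multi-line entry onto one line, and in this rendering several primary/secondary pairs now run together ("Active Directoryjoin", "Domain Memberserver", "Kerberoslibraries", "netadsjoin", "name resolutionDefective"); check that the primary and secondary terms are still separate child elements in the source rather than one merged primary term, otherwise the generated index will carry the fused strings. Also, "SerNet" and "validated" at 1289 appear as stand-alone primaries where the old entry grouped them; verify that grouping was dropped intentionally.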
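Review bot: the hunk at 1427 keeps the sentence "If the tdbdump is installed on your system (not essential)", which should read "If tdbdump is installed"; and since the dump shown in the following context lines exposes the contents of /etc/samba/secrets.tdb (the machine account secret and, per the `krbtgt` data line, Kerberos material), the text should tell readers to treat that output as sensitive and not paste it into shared logs or tickets. Separately, the hunk at 1345 instructs readers to delete /etc/samba/secrets.tdb before the join; note in that text that this also discards any stored LDAP admin password, which must be re-entered with `smbpasswd -w` for the LDAP-based examples later in the chapter.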
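Review bot: the hunk at 1834 changes a value, not just markup: `printer admin = "Domain Admins"` becomes `"KPAK\Domain Admins"`. With `winbind use default domain = Yes` and `allow trusted domains = No` in the same example, the unqualified name also resolves, so either keep the original value or add a sentence to the prose explaining why the domain-qualified form is preferred; a silent change in a converted example will confuse readers comparing editions. The rest of the conversion (`idmap backend = idmap_rid:KPAK=500-100000000` with matching `idmap uid`/`idmap gid` ranges, `winbind enum users = No`, `winbind enum groups = No`) is consistent with the "large domain" context that follows.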
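Review bot: the hunk at 1956 carries `log level = 1 ads:10 auth:10 sam:10 rpc:10` into an example titled "Typical ADS Style Domain &smb.conf; File"; debug level 10 on the auth, sam and rpc classes is a troubleshooting setting that writes very verbose authentication and RPC detail to the logs and will fill /var/log/samba quickly, so a "typical" example should show `log level = 1` and leave the per-class debug levels to the troubleshooting text. The example also depends on `ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM` together with `idmap backend = ldap:ldap://ldap.snowshow.com`, which only works once that DN's password has been stored in secrets.tdb with `smbpasswd -w`; the surrounding prose should state that step explicitly.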
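Review bot: the hunk at 2157 renames the example's identifiers (workgroup BOBBY and realm BOBBY.COM become BUBBAH, netbios name MADMAX and BUBBAH.COM) and drops `winbind cache time = 5` while adding `netbios name` and `server string`; the commit message "Progress update." does not explain this, so check that any `net ads join` output, nss_ldap configuration or prose elsewhere in the RFC2307bis section that still refers to BOBBY is updated to match, and state in the text whether the short winbind cache time was removed because it was only a diagnostic setting. The retained `winbind trusted domains only = Yes` is the parameter the RFC2307bis discussion depends on and should be called out in the prose around the example.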
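Review bot: the hunk at 2314 preserves the index entry "Windows Services for UNIX" with secondary term "SUS" on both the removed and added lines; the body text in the 1175 hunk introduces the product as "Microsoft Windows Services for UNIX (SFU)", so the secondary term should read "SFU" for the index to match the prose.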