From b98ddb91f8c04afde80e86be30c1ea5a5978870f Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 2 Oct 2002 21:34:31 +0000 Subject: Convert ADS-HOWTO to SGML and add it to the howto collection Updated generated docs (This used to be commit 3d417179233d0b8e486560c41248888be42bacf9) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 195 ++++++++++++++++++++++++++++++++++++ docs/docbook/projdoc/samba-doc.sgml | 2 + 2 files changed, 197 insertions(+) create mode 100644 docs/docbook/projdoc/ADS-HOWTO.sgml (limited to 'docs/docbook/projdoc') diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml new file mode 100644 index 0000000000..0d2fda5f78 --- /dev/null +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml 
@@ -0,0 +1,195 @@ + + + + + AndrewTridgell + + 2002 + + +Using samba 3.0 with ActiveDirectory support + + +This is a VERY ROUGH guide to setting up the current (November 2001) +pre-alpha version of Samba 3.0 with kerberos authentication against a +Windows2000 KDC. The procedures listed here are likely to change as +the code develops. + + +Pieces you need before you begin: + +a Windows 2000 server. +samba 3.0 or higher. +the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work. +the OpenLDAP development libraries. + + + + +Installing the required packages for Debian + +On Debian you need to install the following packages: + +libkrb5-dev +krb5-user + + + + + +Installing the required packages for RedHat + +On RedHat this means you should have at least: + +krb5-workstation (for kinit) +krb5-libs (for linking with) +krb5-devel (because you are compiling from source) + + + +in addition to the standard development environment. + +Note that these are not standard on a RedHat install, and you may need +to get them off CD2. + + + + +Compile Samba +If your kerberos libraries are in a non-standard location then + remember to add the configure option --with-krb5=DIR. + +After you run configure make sure that include/config.h contains + lines like this: + + +#define HAVE_KRB5 1 +#define HAVE_LDAP 1 + + +If it doesn't then configure did not find your krb5 libraries or + your ldap libraries. Look in config.log to figure out why and fix + it. + +Then compile and install Samba as usual. You must use at least the + following 3 options in smb.conf: + + + realm = YOUR.KERBEROS.REALM + ads server = your.kerberos.server + security = ADS + encrypt passwords = yes + + +Strictly speaking, you can omit the realm name and you can use an IP + address for the ads server. In that case Samba will auto-detect these. 
+ +You do *not* need a smbpasswd file, although it won't do any harm + and if you have one then Samba will be able to fall back to normal + password security for older clients. I expect that the above + required options will change soon when we get better active + directory integration. + + + +Setup your /etc/krb5.conf + +The minimal configuration for krb5.conf is: + + + [realms] + YOUR.KERBEROS.REALM = { + kdc = your.kerberos.server + } + + +Test your config by doing a "kinit USERNAME@REALM" and making sure that + your password is accepted by the Win2000 KDC. + +NOTE: The realm must be uppercase. + + +You also must ensure that you can do a reverse DNS lookup on the IP +address of your KDC. Also, the name that this reverse lookup maps to +must either be the netbios name of the KDC (ie. the hostname with no +domain attached) or it can alternatively be the netbios name +followed by the realm. + + + +The easiest way to ensure you get this right is to add a /etc/hosts +entry mapping the IP address of your KDC to its netbios name. If you +don't get this right then you will get a "local error" when you try +to join the realm. + + + +If all you want is kerberos support in smbclient then you can skip +straight to step 5 now. Step 3 is only needed if you want kerberos +support in smbd. + + + + + +Create the computer account + + +Do a "kinit" as a user that has authority to change arbitrary +passwords on the KDC ("Administrator" is a good choice). Then as a +user that has write permission on the Samba private directory +(usually root) run: +net ads join + + + +Possible errors + + + +"bash: kinit: command not found" +kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal) +"ADS support not compiled in" +Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed. 
+ + + + + + + + +Test your server setup + + +On a Windows 2000 client try net use * \\server\share. You should +be logged in with kerberos without needing to know a password. If +this fails then run klist tickets. Did you get a ticket for the +server? Does it have an encoding type of DES-CBC-MD5 ? + + + + + +Testing with smbclient + + +On your Samba server try to login to a Win2000 server or your Samba +server using smbclient and kerberos. Use smbclient as usual, but +specify the -k option to choose kerberos authentication. + + + + + +Notes + +You must change administrator password at least once after DC install, + to create the right encoding types + +w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in + their defaults DNS setup. Maybe fixed in service packs? + + + + diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 75c5c379d3..6fb77750e7 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -21,6 +21,7 @@ + ]> @@ -78,6 +79,7 @@ Cheers, jerry &Samba-PDC-HOWTO; &Samba-BDC-HOWTO; &Samba-LDAP; +&ADS-HOWTO; &BROWSING; &SPEED; &Other-Clients; -- cgit
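Review bot: In the ADS-HOWTO.sgml hunk, the cross-references "skip straight to step 5 now. Step 3 is only needed if you want kerberos support in smbd" point at step numbers that the converted document no longer carries, since the sections are titled rather than numbered; replace them with the section titles ("Testing with smbclient" and "Create the computer account") so the link survives the SGML conversion. The opening paragraph still says "current (November 2001) pre-alpha version" while the author block says 2002, so the date stamp should be refreshed or dropped. "encoding type of DES-CBC-MD5" and "to create the right encoding types" should read "encryption type", which is the Kerberos term klist actually reports. In "Create the computer account", the procedure obtains an Administrator ticket with kinit and then runs net ads join as root, but never says to run kdestroy afterwards; add that step so a domain-admin ticket is not left behind in root's credential cache once the join is done. Finally, the diffstat lists only the two .sgml sources, so the "Updated generated docs" in the subject has nothing backing it in this commit.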
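Review bot: In the samba-doc.sgml @@ -21,6 +21,7 @@ hunk the added line renders as a bare "+", so the entity declaration it introduces cannot be checked here; confirm it declares an entity named ADS-HOWTO pointing at ADS-HOWTO.sgml, matching the &ADS-HOWTO; reference added in the @@ -78,6 +79,7 @@ hunk, since a name mismatch between the declaration and the reference only surfaces as an SGML build failure.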