From 15311ec2b564505c459aa017b3502afcdf3066e5 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 24 Apr 2003 19:59:50 +0000 Subject: Update from LanDude (This used to be commit d42170e7f0f48115d81c1a247b3ddfd3f8dca1b9) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index d08833b7fd..c7def652fc 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -11,7 +11,7 @@ This is a rough guide to setting up Samba 3.0 with kerberos authentication against a Windows2000 KDC. - + Setup your <filename>smb.conf</filename> @@ -44,6 +44,8 @@ In case samba can't figure out your ads server using your realm name, use the Setup your <filename>/etc/krb5.conf</filename> +Note: you will need the krb5 workstation, devel, and libs installed + The minimal configuration for krb5.conf is: @@ -53,10 +55,16 @@ In case samba can't figure out your ads server using your realm name, use the } -Test your config by doing a kinit USERNAME@REALM and making sure that +Test your config by doing a kinit +USERNAME@REALM and making sure that your password is accepted by the Win2000 KDC. -The realm must be uppercase. +The realm must be uppercase or you will get "Cannot find KDC for requested +realm while getting initial credentials" error + +Time between the two servers must be synchronized. You will get a +"kinit(v5): Clock skew too great while getting initial credentials" if the time +difference is more than five minutes. You also must ensure that you can do a reverse DNS lookup on the IP 
@@ -99,7 +107,15 @@ As a user that has write permission on the Samba private directory "ADS support not compiled in" -Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed. +Samba must be reconfigured (remove config.cache) and recompiled +(make clean all install) after the kerberos libs and headers are installed. + + +net ads join prompts for user name +You need to login to the domain using kinit +USERNAME@REALM. +USERNAME must be a user who has rights to add a machine +to the domain. @@ -110,6 +126,12 @@ As a user that has write permission on the Samba private directory Test your server setup + +If the join was successful, you will see a new computer account with the +NetBIOS name of your Samba server in Active Directory (in the "Computers" +folder under Users and Computers. + + On a Windows 2000 client try net use * \\server\share. You should be logged in with kerberos without needing to know a password. If @@ -136,6 +158,8 @@ specify the -k option to choose kerberos authentication. You must change administrator password at least once after DC install, to create the right encoding types + + w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in their defaults DNS setup. Maybe fixed in service packs? -- cgit
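Review bot: In the hunk at @@ -44,6 +44,8 @@, the added note "you will need the krb5 workstation, devel, and libs installed" reads like one distribution's package names and gives the reader on another system nothing to map them to. Suggest saying what is needed in general terms (the Kerberos client tools such as kinit, the development headers, and the libraries) and then giving the package names as an example for the distribution they come from. The sentence also ends without a period.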
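Review bot: In the hunk at @@ -53,10 +55,16 @@, the clock-skew paragraph says "the two servers" without naming them and states five minutes as if it were a fixed limit. Suggest naming the Samba host and the Win2000 KDC explicitly and wording five minutes as the default tolerance, so a reader whose KDC policy differs does not misread the error. The sentence before it, about the uppercase realm, is missing its article and closing period; 'or you will get a "Cannot find KDC for requested realm while getting initial credentials" error.' reads correctly.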
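Review bot: In the hunk at @@ -99,7 +107,15 @@, the new "net ads join prompts for user name" entry does not say that kinit must be run by the same local user, in the same session, that then runs net ads join. The ticket lands in that user's credential cache, so a ticket obtained under a different account will not stop the prompt. Suggest adding that, plus a klist step to confirm the ticket exists before joining. "login to the domain" uses "login" as a verb and should be "log in to the domain".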
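Review bot: In the hunk at @@ -110,6 +126,12 @@, the added paragraph opens a parenthesis at '(in the "Computers"' and never closes it before the final period. Suggest closing it after "Users and Computers" and giving the tool its full name, Active Directory Users and Computers, so the reader knows which console to open.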