From a84f1e7535b64dcfb1f274097cf947d0ad6fd1ec Mon Sep 17 00:00:00 2001
From: Gerald Carter This is a VERY ROUGH guide to setting up the current (November 2001)
-pre-alpha version of Samba 3.0 with kerberos authentication against a
-Windows2000 KDC. The procedures listed here are likely to change as
-the code develops.Chapter 9. Samba as a ADS domain member
Chapter 8. Samba as a ADS domain member
Pieces you need before you begin:
On Debian you need to install the following packages:
On RedHat this means you should have at least:
If your kerberos libraries are in a non-standard location then remember to add the configure option --with-krb5=DIR.
realm = YOUR.KERBEROS.REALM - ads server = your.kerberos.server security = ADS encrypt passwords = yes
Strictly speaking, you can omit the realm name and you can use an IP - address for the ads server. In that case Samba will auto-detect these.
In case samba can't figure out your ads server using your realm name, use the +ads server option in smb.conf: +ads server = your.kerberos.server
You do *not* need a smbpasswd file, although it won't do any harm and if you have one then Samba will be able to fall back to normal @@ -225,9 +225,7 @@ CLASS="SECT1" >
The minimal configuration for krb5.conf is:
Do a "kinit" as a user that has authority to change arbitrary passwords on the KDC ("Administrator" is a good choice). Then as a @@ -281,9 +277,7 @@ CLASS="SECT2" >
On a Windows 2000 client try 9.7. Testing with smbclient
8.7. Testing with smbclient
On your Samba server try to login to a Win2000 server or your Samba server using smbclient and kerberos. Use smbclient as usual, but @@ -345,9 +335,7 @@ CLASS="SECT1" >
You must change administrator password at least once after DC install, to create the right encoding types
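Review bot: In the smb.conf hunk, the added paragraph ("In case samba can't figure out your ads server using your realm name, use the ads server option") does not tell the reader how to recognise that the lookup has failed or what the lookup relies on, so it is unclear when the option is actually needed. Name the symptom or the check to run before setting "ads server". The removed sentence also said an IP address is accepted for "ads server"; the new text no longer says so, and it is worth keeping if it still holds. Minor: write "Samba" with a capital, as the neighbouring paragraphs do.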
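Review bot: With the "VERY ROUGH guide" paragraph removed at the chapter heading, the visible text no longer says which Samba version and which KDC these steps were written against, or that the procedure may change. If that is still true of the code, keep a one-line status note under the heading instead of deleting the paragraph outright. Since the heading line is being renumbered from Chapter 9 to Chapter 8 anyway, also change "Samba as a ADS domain member" to "Samba as an ADS domain member".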