From 5130e1468e2028613a9f5369237db25b091fd548 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
This is a rough guide to setting up Samba 3.0 with kerberos authentication against a
Windows2000 KDC. Pieces you need before you begin:a Windows 2000 server. samba 3.0 or higher. the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work. the OpenLDAP development libraries.
On Debian you need to install the following packages:
libkrb5-dev |
krb5-user |
On RedHat this means you should have at least:
krb5-workstation (for kinit) |
krb5-libs (for linking with) |
krb5-devel (because you are compiling from source) |
in addition to the standard development environment.
Note that these are not standard on a RedHat install, and you may need -to get them off CD2.
If your kerberos libraries are in a non-standard location then - remember to add the configure option --with-krb5=DIR.
After you run configure make sure that include/config.h it - generates contains - lines like this:
#define HAVE_KRB5 1 -#define HAVE_LDAP 1
If it doesn't then configure did not find your krb5 libraries or - your ldap libraries. Look in config.log to figure out why and fix - it.
Then compile and install Samba as usual. You must use at least the - following 3 options in smb.conf:
You must use at least the following 3 options in smb.conf:You do *not* need a smbpasswd file, and older clients will be authenticated as if "security = domain", although it won't do any harm and allows you to have local users not in the domain. - I expect that the above - required options will change soon when we get better active - directory integration.
The minimal configuration for krb5.conf is:
As a user that has write permission on the Samba private directory @@ -7281,8 +7152,8 @@ CLASS="SECT2" >
On a Windows 2000 client try 8.7. Testing with smbclient8.5. Testing with smbclient
On your Samba server try to login to a Win2000 server or your Samba @@ -7339,12 +7210,12 @@ CLASS="SECT1" >
You must change administrator password at least once after DC install, - to create the right encoding types
You must change administrator password at least once after DC +install, to create the right encoding typesw2k doesn't seem to create the _kerberos._udp and _ldap._tcp in their defaults DNS setup. Maybe fixed in service packs?
security = domain or - security = ads depending on if the PDC is - NT4 or running Active Directory respectivly.
Next change the root# net join -S DOMPDC
+>net rpc join -S DOMPDC
-UAdministrator%password Many people have asked regarding the state of Samba's ability to participate in
-a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows
-2000 domain operating in mixed or native mode. The steps above apply
-to both NT4 and Windows 2000.9.2. Samba and Windows 2000 Domains
Currently, domain security in Samba doesn't free you from @@ -7623,13 +7475,27 @@ CLASS="COMMAND" authenticating to a PDC means that as part of the authentication reply, the Samba server gets the user identification information such as the user SID, the list of NT groups the user belongs to, etc.
NOTE: Much of the text of this document was first published in the Web magazine Doing the NIS/NT Samba. |
New in the Samba 2.0.4 release is the ability for Windows - NT clients to use their native security settings dialog box to - view and modify the underlying UNIX permissions.
Windows NT clients can use their native security settings + dialog box to view and modify the underlying UNIX permissions.Note that this ability is careful not to compromise the security of the UNIX host Samba is running on, and @@ -9573,11 +9442,11 @@ CLASS="SECT1" >
From an NT 4.0 client, single-click with the right
+>From an NT4/2000/XP client, single-click with the right
mouse button on any file or directory in a Samba mounted
drive letter or UNC path. When the menu pops-up, click
on the Properties entry at the bottom of
- the menu. This brings up the normal file properties dialog
- box, but with Samba 2.0.4 this will have a new tab along the top
- marked Security. Click on this tab and you
+> and you
will see three buttons, There is an NT chown command that will work with Samba
and allow a user with Administrator privilege connected
- to a Samba 2.0.4 server as root to change the ownership of
+ to a Samba server as root to change the ownership of
files on both a local NTFS filesystem or remote mounted NTFS
or Samba drive. This is available as part of the "Add"
- button will not return a list of users in Samba 2.0.4 (it will give
+ button will not return a list of users in Samba (it will give
an error message of "The remote procedure call failed
@@ -9973,13 +9841,14 @@ CLASS="SECT1"
> Note that with Samba 2.0.5 there are four new parameters
- to control this interaction. These are : create mask
11.3. Viewing file ownership
11.4. Viewing file or directory permissions
11.4.1. File Permissions
11.4.2. Directory Permissions
11.5. Modifying file or directory permissions
11.6. Interaction with the standard Samba create mask
parameters
Next Samba checks the changed permissions for a file against @@ -10075,8 +9943,7 @@ CLASS="PARAMETER" >force create mode
parameter to provide compatibility - with Samba 2.0.4 where the permission change facility was introduced. +> parameter. To allow a user to modify all the user/group/world permissions on a file with no restrictions set this parameter to 000.force directory mode parameter to provide - compatibility with Samba 2.0.4 where the permission change facility - was introduced.
parameter.In this way Samba enforces the permission restrictions that an administrator can set on a Samba share, whilst still allowing users @@ -10164,37 +10029,13 @@ CLASS="PARAMETER" CLASS="PARAMETER" >force directory security mode = 0
As described, in Samba 2.0.4 the parameters :
create mask
force create mode
directory mask
force directory mode
were used instead of the parameters discussed here.
if you find this version a disaster!
In order to compile samba with ADS support, you need to have installed + on your system: +
the MIT kerberos development libraries (either install from the sources or use a package). The heimdal libraries will not work. |
the OpenLDAP development libraries. |
If your kerberos libraries are in a non-standard location then + remember to add the configure option --with-krb5=DIR.
After you run configure make sure that include/config.h it generates contains lines like this:
#define HAVE_KRB5 1 +#define HAVE_LDAP 1 +
If it doesn't then configure did not find your krb5 libraries or + your ldap libraries. Look in config.log to figure out why and fix + it.
On Debian you need to install the following packages:
libkrb5-dev |
krb5-user |
On RedHat this means you should have at least:
krb5-workstation (for kinit) |
krb5-libs (for linking with) |
krb5-devel (because you are compiling from source) |
in addition to the standard development environment.
Note that these are not standard on a RedHat install, and you may need + to get them off CD2.
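Review bot: the join example `net rpc join -S DOMPDC -UAdministrator%password` puts the domain administrator's password on the command line, where it is visible to every local user in the process list and is recorded in the shell history; for a documentation example the prompting form (`-UAdministrator`, with no `%password`) is the better one to show, with a sentence noting that the `%password` form exists but exposes the credential.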
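Review bot: in the item "You must change administrator password at least once after DC install, to create the right encoding types", "encoding types" should read "encryption types" (the Kerberos enctypes the DC generates for the account on a password change); the added remark that w2k "doesn't seem to create the _kerberos._udp and _ldap._tcp in their defaults DNS setup. Maybe fixed in service packs?" is an open question rather than documentation and should be checked and stated definitely or dropped.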
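Review bot: "You must use at least the following 3 options in smb.conf:" appears twice in succession in the kerberos-setup hunk; keep one copy, and since the sentence that follows says an smbpasswd file "won't do any harm and allows you to have local users not in the domain", the option list should sit directly after the single remaining lead-in so the "3 options" are unambiguous.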
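Review bot: "respectivly" is misspelled ("respectively"), and "depending on if the PDC is NT4 or running Active Directory" reads better as "depending on whether the PDC is NT4 or is running Active Directory".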
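Review bot: the rewritten force security mode / force directory security mode text says "To allow a user to modify all the user/group/world permissions on a file with no restrictions set this parameter to 000", but with the Samba 2.0.4 compatibility sentence removed the paragraph no longer says why an administrator would choose anything else; a one-line caveat that 000 removes the bits the share would otherwise force on, so it is the unrestricted exception rather than the recommended setting, would keep it consistent with the following paragraph, which says Samba "enforces the permission restrictions that an administrator can set on a Samba share".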