From 68b7b2c34d833fdf4605e2c7c7dfcd9fd3b06519 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 11 Dec 2001 22:53:21 +0000 Subject: ads howto update (This used to be commit 188e59ae965e959e286eb650a90e62204a978fc2) --- docs/textdocs/ADS-HOWTO.txt | 38 +++++++++++++------------------------- 1 file changed, 13 insertions(+), 25 deletions(-) (limited to 'docs/textdocs/ADS-HOWTO.txt') diff --git a/docs/textdocs/ADS-HOWTO.txt b/docs/textdocs/ADS-HOWTO.txt index f20ae5e1f6..7a066c69ec 100644 --- a/docs/textdocs/ADS-HOWTO.txt +++ b/docs/textdocs/ADS-HOWTO.txt @@ -11,25 +11,19 @@ the code develops. Pieces you need before you begin: -- a Windows 2000 server running at least service pack 2 +- a Windows 2000 server - the latest CVS source code for Samba. See http://cvs.samba.org/ for how to fetch this. - the MIT kerberos development libraries (either install from the above sources or use a package). Under debian you need "libkrb5-dev" and "krb5-user". The heimdal libraries will not work. -- Cyrys SASL, including the gssapi mechanism. -- the OpenLDAP development libraries. These must be compiled - with Cyrus SASL enabled. +- the OpenLDAP development libraries. On RedHat this means you should have at least: krb5-workstation (for kinit) krb5-libs (for linking with) krb5-devel (because you are compiling from source) -cyrus -cyrus-sasl -cyrus-sasl-devel -cyrus-sasl-gssapi in addition to the standard development environment. 
@@ -39,20 +33,20 @@ to get them off CD2. Also check that you have the latest copy of this HOWTO. It is available from http://samba.org/ftp/tridge/kerberos/HOWTO - Step 1: Compile Samba If your kerberos libraries are in a non-standard location then - remember to add the configure option --with-krb5=DIR. For example, - on RedHat you will need --with-krb5=/usr/kerberos + remember to add the configure option --with-krb5=DIR. - After you run configure make sure that include/config.h contains a - line like this: + After you run configure make sure that include/config.h contains + lines like this: #define HAVE_KRB5 1 + #define HAVE_LDAP 1 - If it doesn't then configure did not find your krb5 libraries. Look - in config.log to figure out why and fix it. + If it doesn't then configure did not find your krb5 libraries or + your ldap libraries. Look in config.log to figure out why and fix + it. Then compile and install Samba as usual. You must use at least the following 3 options in smb.conf: @@ -62,6 +56,9 @@ Step 1: Compile Samba security = ADS encrypt passwords = yes + Strictly speaking, you can omit the realm name and you can use an IP + address for the ads server. In that case Samba will auto-detect these. + You do *not* need a smbpasswd file, although it won't do any harm and if you have one then Samba will be able to fall back to normal password security for older clients. I expect that the above @@ -73,16 +70,13 @@ Step 2: Setup your /etc/krb5.conf The minimal configuration for krb5.conf is: - [libdefaults] - default_realm = YOUR.KERBEROS.REALM - [realms] YOUR.KERBEROS.REALM = { kdc = your.kerberos.server } - Test your config by doing a "kinit USERNAME" and making sure that + Test your config by doing a "kinit USERNAME@REALM" and making sure that your password is accepted by the Win2000 KDC. NOTE: The realm must be uppercase. 
@@ -121,12 +115,6 @@ Step 3: Create the computer account - Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed. - - "Unknown authentication method" - - the cyrus-sasl-gssapi package is not installed. - The RPM (assuming RedHat 7.2) is on CD2 - - - "ads_add_machine_acct: Invalid DN syntax" - - The 'realm' paramater has not been added to your smb.conf Step 4: Test your server setup -- cgit
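Review bot: In the hunk at @@ -11,25 +11,19 @@, the RedHat package list that remains names only krb5-workstation, krb5-libs and krb5-devel, while the prerequisite list just above it still requires "the OpenLDAP development libraries". Add the matching OpenLDAP development package to the RedHat list so it covers everything the prerequisites ask for. The commit message ("ads howto update") also gives no reason for dropping the "at least service pack 2" minimum or the Cyrus SASL requirement; a line of rationale would help anyone who followed the earlier version of the HOWTO.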
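Review bot: In the hunk at @@ -39,20 +33,20 @@, the reader is now told to check for both "#define HAVE_KRB5 1" and "#define HAVE_LDAP 1", but the only configure option documented is --with-krb5=DIR, so someone with LDAP libraries in a non-standard location has no guidance. Either document how to point configure at the LDAP libraries or state that no option is needed. "If it doesn't" should also be reworded now that it refers to two lines, ideally saying which missing define corresponds to which library. The removed RedHat example (--with-krb5=/usr/kerberos) was the one concrete value in this step; keep it unless it is no longer correct.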
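Review bot: In the hunk at @@ -62,6 +56,9 @@, the added paragraph says the realm name can be omitted, which contradicts the unchanged sentence a few lines earlier, "You must use at least the following 3 options in smb.conf". Reword that sentence or mark which of the options are optional. "In that case Samba will auto-detect these" is also ambiguous: it is unclear what is detected when an IP address is given for the ads server, and the text should say what the detection relies on, since the realm and server decide which KDC the host authenticates against.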
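Review bot: In the hunk at @@ -73,16 +70,13 @@, the [libdefaults] default_realm entry is dropped and the test becomes "kinit USERNAME@REALM", but the text never says that the realm now has to be given explicitly because no default is configured. State that in one sentence, and write the example with the same placeholder used in the [realms] block (USERNAME@YOUR.KERBEROS.REALM) so the uppercase note that follows clearly applies to it.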
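Review bot: In the hunk at @@ -121,12 +115,6 @@, the remaining troubleshooting entry still says Samba must be reconfigured and recompiled "after the kerberos libs and headers are installed", while the Step 1 change in this same patch makes HAVE_LDAP a required define as well. Extend that entry to cover the LDAP libraries and headers so the troubleshooting section matches the new build check. Removing the "Unknown authentication method" and "Invalid DN syntax" entries is consistent with dropping SASL and making the realm optional, but readers running an older build can still hit both, so consider noting which version the removals apply to.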