From 0d3bad2822f38d19622cb01ef523d0459ac3085e Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 26 Nov 2001 06:52:33 +0000 Subject: basic ADS HOWTO (This used to be commit 9ee13fecb1b623e760789d1df7178b085f820700) --- docs/textdocs/ADS-HOWTO.txt | 115 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 docs/textdocs/ADS-HOWTO.txt diff --git a/docs/textdocs/ADS-HOWTO.txt b/docs/textdocs/ADS-HOWTO.txt new file mode 100644 index 0000000000..303ba13f98 --- /dev/null +++ b/docs/textdocs/ADS-HOWTO.txt
@@ -0,0 +1,115 @@ +Samba 3.0 prealpha guide to Kerberos authentication +--------------------------------------------------- + +Andrew Tridgell +tridge@samba.org + +This is a VERY ROUGH guide to setting up the current (October 2001) +pre-alpha version of Samba 3.0 with kerberos authentication against a +Windows2000 KDC. The procedures listed here are likely to change as +the code develops. + +Pieces you need before you begin: + +- a Windows 2000 server running at least service pack 2 +- the latest CVS source code for Samba. See http://cvs.samba.org/ for how to + fetch this. +- the MIT kerberos development libraries (either install from the + above sources or use a package). Under debian you need "libkrb5-dev" + and "krb5-user". The heimdal libraries will not work. +- the OpenLDAP development libraries. These must be compiled + with Cyrus SASL enabled. + +Also check that you have the latest copy of this HOWTO. It is +available from http://samba.org/ftp/tridge/kerberos/HOWTO + + +Step 1: Compile Samba + + If your kerberos libraries are in a non-standard location then + remember to add the configure option --with-krb5=DIR. For example, + on RedHat you will need --with-krb5=/usr/kerberos + + After you run configure make sure that include/config.h contains a + line like this: + + #define HAVE_KRB5 1 + + If it doesn't then configure did not find your krb5 libraries. Look + in config.log to figure out why and fix it. + + Then compile and install Samba as usual. You must use at least the + following 3 options in smb.conf: + + realm = YOUR.KERBEROS.REALM + ads server = your.kerberos.server + security = ADS + encrypt passwords = yes + + You do *not* need a smbpasswd file, although it won't do any harm + and if you have one then Samba will be able to fall back to normal + password security for older clients. I expect that the above + required options will change soon when we get better active + directory integration. 
+ + +Step 2: Setup your /etc/krb5.conf + + The minimal configuration for krb5.conf is: + + [libdefaults] + default_realm = YOUR.KERBEROS.REALM + + [realms] + YOUR.KERBEROS.REALM = { + kdc = your.kerberos.server + } + + + Test your config by doing a "kinit USERNAME" and making sure that + your password is accepted by the Win2000 KDC. + + NOTE: The realm must be uppercase. + + You also must ensure that you can do a reverse DNS lookup on the IP + address of your KDC. This usually either involves setting up a PTR + record in your DNS server or adding your KDC to /etc/hosts. + + +* If all you want is kerberos support in smbclient then you can skip +* straight to step 5 now. Step 3 is only needed if you want kerberos +* support in smbd. + + +Step 3: Create the computer account + + Do a "kinit" as a user that has authority to change arbitrary + passwords on the KDC ("Administrator" is a good choice). Then as a + user that has write permission on the Samba private directory + (usually root) run: + + net ads join + +Step 4: Test your server setup + + On a Windows 2000 client try "net use * \\server\share". You should + be logged in with kerberos without needing to know a password. If + this fails then run "klist tickets". Did you get a ticket for the + server? Does it have an encoding type of DES-CBC-MD5 ? + +Step 5: Testing with smbclient + + On your Samba server try to login to a Win2000 server or your Samba + server using smbclient and kerberos. Use smbclient as usual, but + specify the -k option to choose kerberos authentication. + + +-------- + +NOTES: + - must change administrator password at least once after DC install, + to create the right encoding types + + - w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in + their defaults DNS setup. Maybe fixed in service packs? + -- cgit
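Review bot: Step 3 has the reader "kinit" as "Administrator" and then run "net ads join" as root, but it never says what to do with that Administrator ticket afterwards, so the highest-privilege TGT in the domain is left sitting in root's credential cache on the file server until it expires; the step should end with a "kdestroy" (or at least state that the ticket should be discarded once the join succeeds) and should say explicitly that the machine credentials written to the "Samba private directory" must stay readable by root only. Two smaller documentation points in the same file: the sentence "if you have one then Samba will be able to fall back to normal password security for older clients" describes a silent widening of the accepted authentication methods, and the HOWTO should spell out that keeping an smbpasswd file means password-based logons remain possible alongside kerberos rather than leaving the reader to infer it; and Step 4's diagnostic "Does it have an encoding type of DES-CBC-MD5 ?" gives no next action when the answer is no, whereas the trailing NOTES item "must change administrator password at least once after DC install, to create the right encoding types" is exactly that answer, so it belongs in Step 4 (or Step 3) rather than in an unnumbered footer the reader may not reach.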