mirror of https://github.com/samba-team/samba.git synced 2025-01-14 19:24:43 +03:00

Convert ADS-HOWTO to SGML and add it to the howto collection

Updated generated docs
(This used to be commit 3d417179233d0b8e486560c41248888be42bacf9)
This commit is contained in:
Jelmer Vernooij 2002-10-02 21:34:31 +00:00
parent 57b99405d5
commit b98ddb91f8
5 changed files with 1909 additions and 1744 deletions


@ -0,0 +1,195 @@
<chapter id="ADS">
<chapterinfo>
<author>
<firstname>Andrew</firstname><surname>Tridgell</surname>
</author>
<pubdate>2002</pubdate>
</chapterinfo>
<title>Using samba 3.0 with ActiveDirectory support</title>
<para>
This is a VERY ROUGH guide to setting up the current (November 2001)
pre-alpha version of Samba 3.0 with kerberos authentication against a
Windows2000 KDC. The procedures listed here are likely to change as
the code develops.
</para>
<para>Pieces you need before you begin:
<simplelist>
<member>a Windows 2000 server.</member>
<member>samba 3.0 or higher.</member>
<member>the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work.</member>
<member>the OpenLDAP development libraries.</member>
</simplelist>
</para>
<sect1>
<title>Installing the required packages for Debian</title>
<para>On Debian you need to install the following packages:
<simplelist>
<member>libkrb5-dev</member>
<member>krb5-user</member>
</simplelist>
</para>
</sect1>
<sect1>
<title>Installing the required packages for RedHat</title>
<para>On RedHat this means you should have at least:
<simplelist>
<member>krb5-workstation (for kinit)</member>
<member>krb5-libs (for linking with)</member>
<member>krb5-devel (because you are compiling from source)</member>
</simplelist>
</para>
<para>in addition to the standard development environment.</para>
<para>Note that these are not standard on a RedHat install, and you may need
to get them off CD2.</para>
</sect1>
<sect1>
<title>Compile Samba</title>
<para>If your kerberos libraries are in a non-standard location then
remember to add the configure option --with-krb5=DIR.</para>
<para>After you run configure make sure that include/config.h contains
lines like this:</para>
<para><programlisting>
#define HAVE_KRB5 1
#define HAVE_LDAP 1
</programlisting></para>
<para>If it doesn't then configure did not find your krb5 libraries or
your ldap libraries. Look in config.log to figure out why and fix
it.</para>
<para>Then compile and install Samba as usual. You must use at least the
following 3 options in smb.conf:</para>
<para><programlisting>
realm = YOUR.KERBEROS.REALM
ads server = your.kerberos.server
security = ADS
encrypt passwords = yes
</programlisting></para>
<para>Strictly speaking, you can omit the realm name and you can use an IP
address for the ads server. In that case Samba will auto-detect these.</para>
<para>You do *not* need a smbpasswd file, although it won't do any harm
and if you have one then Samba will be able to fall back to normal
password security for older clients. I expect that the above
required options will change soon when we get better active
directory integration.</para>
</sect1>
<sect1>
<title>Setup your /etc/krb5.conf</title>
<para>The minimal configuration for krb5.conf is:</para>
<para><programlisting>
[realms]
YOUR.KERBEROS.REALM = {
kdc = your.kerberos.server
}
</programlisting></para>
<para>Test your config by doing a "kinit USERNAME@REALM" and making sure that
your password is accepted by the Win2000 KDC. </para>
<para>NOTE: The realm must be uppercase. </para>
<para>
You also must ensure that you can do a reverse DNS lookup on the IP
address of your KDC. Also, the name that this reverse lookup maps to
must either be the netbios name of the KDC (ie. the hostname with no
domain attached) or it can alternatively be the netbios name
followed by the realm.
</para>
<para>
The easiest way to ensure you get this right is to add a /etc/hosts
entry mapping the IP address of your KDC to its netbios name. If you
don't get this right then you will get a "local error" when you try
to join the realm.
</para>
<para>
If all you want is kerberos support in smbclient then you can skip
straight to step 5 now. Step 3 is only needed if you want kerberos
support in smbd.
</para>
</sect1>
<sect1>
<title>Create the computer account</title>
<para>
Do a "kinit" as a user that has authority to change arbitrary
passwords on the KDC ("Administrator" is a good choice). Then as a
user that has write permission on the Samba private directory
(usually root) run:
<command>net ads join</command>
</para>
<sect2>
<title>Possible errors</title>
<para>
<variablelist>
<varlistentry><term>"bash: kinit: command not found"</term>
<listitem><para>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</para></listitem></varlistentry>
<varlistentry><term>"ADS support not compiled in"</term>
<listitem><para>Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</para></listitem></varlistentry>
</variablelist>
</para>
</sect2>
</sect1>
<sect1>
<title>Test your server setup</title>
<para>
On a Windows 2000 client try <command>net use * \\server\share</command>. You should
be logged in with kerberos without needing to know a password. If
this fails then run <command>klist tickets</command>. Did you get a ticket for the
server? Does it have an encoding type of DES-CBC-MD5 ?
</para>
</sect1>
<sect1>
<title>Testing with smbclient</title>
<para>
On your Samba server try to login to a Win2000 server or your Samba
server using smbclient and kerberos. Use smbclient as usual, but
specify the -k option to choose kerberos authentication.
</para>
</sect1>
<sect1>
<title>Notes</title>
<para>You must change administrator password at least once after DC install,
to create the right encoding types</para>
<para>w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
their defaults DNS setup. Maybe fixed in service packs?</para>
</sect1>
</chapter>
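Review bot: the conversion dropped the step numbers but kept the text that refers to them: "skip straight to step 5 now. Step 3 is only needed if you want kerberos support in smbd" no longer resolves, because the sect1 elements carry no numbers. Give the sections ids (e.g. `<sect1 id="ads-join">`) and use `<xref linkend="...">`, or refer to them by title ("Create the computer account", "Testing with smbclient"). Two smaller inconsistencies in the same file: the text says "at least the following 3 options in smb.conf" but the programlisting shows four (realm, ads server, security, encrypt passwords); and the intro still calls this the "current (November 2001) pre-alpha" while the prerequisites now say "samba 3.0 or higher" and pubdate is 2002, so the date should be refreshed or dropped.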


@ -21,6 +21,7 @@
<!ENTITY GROUP-MAPPING-HOWTO SYSTEM "GROUP-MAPPING-HOWTO.sgml"> <!ENTITY GROUP-MAPPING-HOWTO SYSTEM "GROUP-MAPPING-HOWTO.sgml">
<!ENTITY Portability SYSTEM "Portability.sgml"> <!ENTITY Portability SYSTEM "Portability.sgml">
<!ENTITY Other-Clients SYSTEM "Other-Clients.sgml"> <!ENTITY Other-Clients SYSTEM "Other-Clients.sgml">
<!ENTITY ADS-HOWTO SYSTEM "ADS-HOWTO.sgml">
]> ]>
<book id="Samba-Project-Documentation"> <book id="Samba-Project-Documentation">
@ -78,6 +79,7 @@ Cheers, jerry
&Samba-PDC-HOWTO; &Samba-PDC-HOWTO;
&Samba-BDC-HOWTO; &Samba-BDC-HOWTO;
&Samba-LDAP; &Samba-LDAP;
&ADS-HOWTO;
&BROWSING; &BROWSING;
&SPEED; &SPEED;
&Other-Clients; &Other-Clients;



@ -3,7 +3,7 @@
.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/> .\" <http://shell.ipoline.com/~elmert/comp/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches, .\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>. .\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "SMB.CONF" "5" "01 October 2002" "" "" .TH "SMB.CONF" "5" "02 oktober 2002" "" ""
.SH NAME .SH NAME
smb.conf \- The configuration file for the Samba suite smb.conf \- The configuration file for the Samba suite
.SH "SYNOPSIS" .SH "SYNOPSIS"
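Review bot: the regenerated .TH line reads "02 oktober 2002", a Dutch month name picked up from the generator's locale, whereas the previous header was "01 October 2002". Regenerate with LC_ALL=C (or an English locale) so the man page header stays in English.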
@ -604,12 +604,6 @@ each parameter for details. Note that some are synonyms.
\fIdns proxy\fR \fIdns proxy\fR
.TP 0.2i .TP 0.2i
\(bu \(bu
\fIdomain admin group\fR
.TP 0.2i
\(bu
\fIdomain guest group\fR
.TP 0.2i
\(bu
\fIdomain logons\fR \fIdomain logons\fR
.TP 0.2i .TP 0.2i
\(bu \(bu
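Review bot: this hunk and the ones that follow remove domain admin group, domain guest group, use rhosts and status from the parameter index and descriptions, none of which is mentioned in the commit message ("Convert ADS-HOWTO to SGML ... Updated generated docs"). If this is only a regeneration that picks up earlier smb.conf.5.sgml changes, say so in the message; otherwise the parameter removals deserve their own commit so they can be found later.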
@ -994,9 +988,6 @@ each parameter for details. Note that some are synonyms.
\fIuse mmap\fR \fIuse mmap\fR
.TP 0.2i .TP 0.2i
\(bu \(bu
\fIuse rhosts\fR
.TP 0.2i
\(bu
\fIusername level\fR \fIusername level\fR
.TP 0.2i .TP 0.2i
\(bu \(bu
@ -1367,9 +1358,6 @@ each parameter for details. Note that some are synonyms.
\fIshort preserve case\fR \fIshort preserve case\fR
.TP 0.2i .TP 0.2i
\(bu \(bu
\fIstatus\fR
.TP 0.2i
\(bu
\fIstrict allocate\fR \fIstrict allocate\fR
.TP 0.2i .TP 0.2i
\(bu \(bu
@ -2484,40 +2472,6 @@ See also the parameter \fI wins support\fR.
Default: \fBdns proxy = yes\fR Default: \fBdns proxy = yes\fR
.TP .TP
\fBdomain admin group (G)\fR
This parameter is intended as a temporary solution
to enable users to be a member of the "Domain Admins" group when
a Samba host is acting as a PDC. A complete solution will be provided
by a system for mapping Windows NT/2000 groups onto UNIX groups.
Please note that this parameter has a somewhat confusing name. It
accepts a list of usernames and of group names in standard
\fIsmb.conf\fR notation.
See also \fIdomain
guest group\fR, \fIdomain
logons\fR
Default: \fBno domain administrators\fR
Example: \fBdomain admin group = root @wheel\fR
.TP
\fBdomain guest group (G)\fR
This parameter is intended as a temporary solution
to enable users to be a member of the "Domain Guests" group when
a Samba host is acting as a PDC. A complete solution will be provided
by a system for mapping Windows NT/2000 groups onto UNIX groups.
Please note that this parameter has a somewhat confusing name. It
accepts a list of usernames and of group names in standard
\fIsmb.conf\fR notation.
See also \fIdomain
admin group\fR, \fIdomain
logons\fR
Default: \fBno domain guests\fR
Example: \fBdomain guest group = nobody @guest\fR
.TP
\fBdomain logons (G)\fR \fBdomain logons (G)\fR
If set to true, the Samba server will serve If set to true, the Samba server will serve
Windows 95/98 Domain logons for the \fIworkgroup\fR it is in. Samba 2.2 also Windows 95/98 Domain logons for the \fIworkgroup\fR it is in. Samba 2.2 also
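Review bot: the removed domain admin group and domain guest group entries described those parameters as a temporary measure to be replaced by "a system for mapping Windows NT/2000 groups onto UNIX groups". Since GROUP-MAPPING-HOWTO.sgml is already part of the book, a one-line pointer from the remaining domain logons entry to the group mapping HOWTO would tell admins who still have these parameters in smb.conf where the replacement is documented.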
@ -5285,7 +5239,7 @@ Default: \fBpreferred master = auto\fR
\fBprefered master (G)\fR \fBprefered master (G)\fR
Synonym for \fI preferred master\fR for people who cannot spell :-). Synonym for \fI preferred master\fR for people who cannot spell :-).
.TP .TP
\fBpreload\fR \fBpreload (G)\fR
This is a list of services that you want to be This is a list of services that you want to be
automatically added to the browse lists. This is most useful automatically added to the browse lists. This is most useful
for homes and printers services that would otherwise not be for homes and printers services that would otherwise not be
@ -6419,17 +6373,6 @@ never need to change this parameter.
Default: \fBstat cache size = 50\fR Default: \fBstat cache size = 50\fR
.TP .TP
\fBstatus (G)\fR
This enables or disables logging of connections
to a status file that smbstatus(1)
can read.
With this disabled \fBsmbstatus\fR won't be able
to tell you what connections are active. You should never need to
change this parameter.
Default: \fBstatus = yes\fR
.TP
\fBstrict allocate (S)\fR \fBstrict allocate (S)\fR
This is a boolean that controls the handling of This is a boolean that controls the handling of
disk space allocation in the server. When this is set to yes disk space allocation in the server. When this is set to yes
@ -6689,20 +6632,6 @@ the tdb internal code.
Default: \fBuse mmap = yes\fR Default: \fBuse mmap = yes\fR
.TP .TP
\fBuse rhosts (G)\fR
If this global parameter is true, it specifies
that the UNIX user's \fI.rhosts\fR file in their home directory
will be read to find the names of hosts and users who will be allowed
access without specifying a password.
\fBNOTE:\fR The use of \fIuse rhosts
\fR can be a major security hole. This is because you are
trusting the PC to supply the correct username. It is very easy to
get a PC to supply a false username. I recommend that the \fI use rhosts\fR option be only used if you really know what
you are doing.
Default: \fBuse rhosts = no\fR
.TP
\fBuser (S)\fR \fBuser (S)\fR
Synonym for \fI username\fR. Synonym for \fI username\fR.
.TP .TP
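Review bot: the dropped use rhosts text was the only place in the man page warning that trusting a client-supplied username via .rhosts "can be a major security hole". Removing the documentation is only correct if the parameter is gone from loadparm as well; confirm that a stale `use rhosts = yes` in an existing smb.conf now triggers an unknown-parameter warning from testparm and at startup rather than being silently ignored, so nobody assumes .rhosts-based access still applies.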
@ -7137,7 +7066,7 @@ Example: \fBwinbind uid = 10000-20000\fR
.TP .TP
\fBwinbind use default domain\fR \fBwinbind use default domain\fR
.TP .TP
\fBwinbind use default domain\fR \fBwinbind use default domain (G)\fR
This parameter specifies whether the winbindd(8) This parameter specifies whether the winbindd(8)
daemon should operate on users without domain component in their username. daemon should operate on users without domain component in their username.
Users without a domain component are treated as is part of the winbindd server's Users without a domain component are treated as is part of the winbindd server's
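Review bot: the `\fBwinbind use default domain\fR` heading at the top of this hunk is followed by a bare `.TP` and then the same heading again with `(G)`, so the rendered page shows an empty duplicate entry. The regeneration only fixed the second heading; the duplicate appears to originate in smb.conf.5.sgml and should be removed there.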


@ -1,142 +0,0 @@
Samba 3.0 prealpha guide to Kerberos authentication
---------------------------------------------------
Andrew Tridgell
tridge@samba.org
This is a VERY ROUGH guide to setting up the current (November 2001)
pre-alpha version of Samba 3.0 with kerberos authentication against a
Windows2000 KDC. The procedures listed here are likely to change as
the code develops.
Pieces you need before you begin:
- a Windows 2000 server
- the latest CVS source code for Samba. See http://cvs.samba.org/ for how to
fetch this.
- the MIT kerberos development libraries (either install from the
above sources or use a package). Under debian you need "libkrb5-dev"
and "krb5-user". The heimdal libraries will not work.
- the OpenLDAP development libraries.
On RedHat this means you should have at least:
krb5-workstation (for kinit)
krb5-libs (for linking with)
krb5-devel (because you are compiling from source)
in addition to the standard development environment.
Note that these are not standard on a RedHat install, and you may need
to get them off CD2.
Also check that you have the latest copy of this HOWTO. It is
available from http://samba.org/ftp/tridge/kerberos/HOWTO
Step 1: Compile Samba
If your kerberos libraries are in a non-standard location then
remember to add the configure option --with-krb5=DIR.
After you run configure make sure that include/config.h contains
lines like this:
#define HAVE_KRB5 1
#define HAVE_LDAP 1
If it doesn't then configure did not find your krb5 libraries or
your ldap libraries. Look in config.log to figure out why and fix
it.
Then compile and install Samba as usual. You must use at least the
following 3 options in smb.conf:
realm = YOUR.KERBEROS.REALM
ads server = your.kerberos.server
security = ADS
encrypt passwords = yes
Strictly speaking, you can omit the realm name and you can use an IP
address for the ads server. In that case Samba will auto-detect these.
You do *not* need a smbpasswd file, although it won't do any harm
and if you have one then Samba will be able to fall back to normal
password security for older clients. I expect that the above
required options will change soon when we get better active
directory integration.
Step 2: Setup your /etc/krb5.conf
The minimal configuration for krb5.conf is:
[realms]
YOUR.KERBEROS.REALM = {
kdc = your.kerberos.server
}
Test your config by doing a "kinit USERNAME@REALM" and making sure that
your password is accepted by the Win2000 KDC.
NOTE: The realm must be uppercase.
You also must ensure that you can do a reverse DNS lookup on the IP
address of your KDC. Also, the name that this reverse lookup maps to
must either be the netbios name of the KDC (ie. the hostname with no
domain attached) or it can alternatively be the netbios name
followed by the realm.
The easiest way to ensure you get this right is to add a /etc/hosts
entry mapping the IP address of your KDC to its netbios name. If you
don't get this right then you will get a "local error" when you try
to join the realm.
* If all you want is kerberos support in smbclient then you can skip
* straight to step 5 now. Step 3 is only needed if you want kerberos
* support in smbd.
Step 3: Create the computer account
Do a "kinit" as a user that has authority to change arbitrary
passwords on the KDC ("Administrator" is a good choice). Then as a
user that has write permission on the Samba private directory
(usually root) run:
net ads join
Possible errors:
- "bash: kinit: command not found":
- kinit is in the krb5-workstation RPM on RedHat systems, and is
in /usr/kerberos/bin, so it won't be in the path until
you log in again (or open a new terminal)
- "ADS support not compiled in"
- Samba must be reconfigured (remove config.cache) and
recompiled (make clean all install) after the kerberos libs
and headers are installed.
Step 4: Test your server setup
On a Windows 2000 client try "net use * \\server\share". You should
be logged in with kerberos without needing to know a password. If
this fails then run "klist tickets". Did you get a ticket for the
server? Does it have an encoding type of DES-CBC-MD5 ?
Step 5: Testing with smbclient
On your Samba server try to login to a Win2000 server or your Samba
server using smbclient and kerberos. Use smbclient as usual, but
specify the -k option to choose kerberos authentication.
--------
NOTES:
- must change administrator password at least once after DC install,
to create the right encoding types
- w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
their defaults DNS setup. Maybe fixed in service packs?
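Review bot: deleting the plain-text HOWTO loses three items that did not make it into the SGML chapter: the pointer to the CVS source (http://cvs.samba.org/), the "check that you have the latest copy of this HOWTO" URL (http://samba.org/ftp/tridge/kerberos/HOWTO), and the author's contact address tridge@samba.org. The CVS pointer could be folded into the "samba 3.0 or higher" prerequisite; the HOWTO URL should either be dropped deliberately or replaced with the new documentation location, and the contact address belongs in the chapterinfo.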