sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-04 17:47:26 +03:00
Code
samba-mirror/docs/htmldocs/ads.html

411 lines
7.7 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Samba as a ADS domain member</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="Type of installation"
HREF="type.html"><LINK
REL="PREVIOUS"
TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain"
HREF="samba-bdc.html"><LINK
REL="NEXT"
TITLE="Samba as a NT4 domain member"
HREF="domain-security.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="samba-bdc.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="domain-security.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="ADS">Chapter 8. Samba as a ADS domain member</H1
><P
>This is a rough guide to setting up Samba 3.0 with kerberos authentication against a
Windows2000 KDC. </P
><P
>Pieces you need before you begin:
<P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>a Windows 2000 server.</TD
></TR
><TR
><TD
>samba 3.0 or higher.</TD
></TR
><TR
><TD
>the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work.</TD
></TR
><TR
><TD
>the OpenLDAP development libraries.</TD
></TR
></TBODY
></TABLE
><P
></P
></P
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1187">8.1. Installing the required packages for Debian</H1
><P
>On Debian you need to install the following packages:
<P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>libkrb5-dev</TD
></TR
><TR
><TD
>krb5-user</TD
></TR
></TBODY
></TABLE
><P
></P
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1193">8.2. Installing the required packages for RedHat</H1
><P
>On RedHat this means you should have at least:
<P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>krb5-workstation (for kinit)</TD
></TR
><TR
><TD
>krb5-libs (for linking with)</TD
></TR
><TR
><TD
>krb5-devel (because you are compiling from source)</TD
></TR
></TBODY
></TABLE
><P
></P
></P
><P
>in addition to the standard development environment.</P
><P
>Note that these are not standard on a RedHat install, and you may need
to get them off CD2.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1202">8.3. Compile Samba</H1
><P
>If your kerberos libraries are in a non-standard location then
remember to add the configure option --with-krb5=DIR.</P
><P
>After you run configure make sure that include/config.h contains
lines like this:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>#define HAVE_KRB5 1
#define HAVE_LDAP 1</PRE
></P
><P
>If it doesn't then configure did not find your krb5 libraries or
your ldap libraries. Look in config.log to figure out why and fix
it.</P
><P
>Then compile and install Samba as usual. You must use at least the
following 3 options in smb.conf:</P
><P
><PRE
CLASS="PROGRAMLISTING"
> realm = YOUR.KERBEROS.REALM
security = ADS
encrypt passwords = yes</PRE
></P
><P
>In case samba can't figure out your ads server using your realm name, use the
<B
CLASS="COMMAND"
>ads server</B
> option in <TT
CLASS="FILENAME"
>smb.conf</TT
>:
<PRE
CLASS="PROGRAMLISTING"
> ads server = your.kerberos.server</PRE
></P
><P
>You do *not* need a smbpasswd file, although it won't do any harm
and if you have one then Samba will be able to fall back to normal
password security for older clients. I expect that the above
required options will change soon when we get better active
directory integration.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1217">8.4. Setup your /etc/krb5.conf</H1
><P
>The minimal configuration for krb5.conf is:</P
><P
><PRE
CLASS="PROGRAMLISTING"
> [realms]
YOUR.KERBEROS.REALM = {
kdc = your.kerberos.server
}</PRE
></P
><P
>Test your config by doing a "kinit USERNAME@REALM" and making sure that
your password is accepted by the Win2000 KDC. </P
><P
>NOTE: The realm must be uppercase. </P
><P
>You also must ensure that you can do a reverse DNS lookup on the IP
address of your KDC. Also, the name that this reverse lookup maps to
must either be the netbios name of the KDC (ie. the hostname with no
domain attached) or it can alternatively be the netbios name
followed by the realm. </P
><P
>The easiest way to ensure you get this right is to add a /etc/hosts
entry mapping the IP address of your KDC to its netbios name. If you
don't get this right then you will get a "local error" when you try
to join the realm.</P
><P
>If all you want is kerberos support in smbclient then you can skip
straight to step 5 now. Step 3 is only needed if you want kerberos
support in smbd.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1227">8.5. Create the computer account</H1
><P
>Do a "kinit" as a user that has authority to change arbitrary
passwords on the KDC ("Administrator" is a good choice). Then as a
user that has write permission on the Samba private directory
(usually root) run:
<B
CLASS="COMMAND"
>net ads join</B
></P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN1231">8.5.1. Possible errors</H2
><P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>"bash: kinit: command not found"</DT
><DD
><P
>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</P
></DD
><DT
>"ADS support not compiled in"</DT
><DD
><P
>Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</P
></DD
></DL
></DIV
></P
></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1243">8.6. Test your server setup</H1
><P
>On a Windows 2000 client try <B
CLASS="COMMAND"
>net use * \\server\share</B
>. You should
be logged in with kerberos without needing to know a password. If
this fails then run <B
CLASS="COMMAND"
>klist tickets</B
>. Did you get a ticket for the
server? Does it have an encoding type of DES-CBC-MD5 ? </P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1248">8.7. Testing with smbclient</H1
><P
>On your Samba server try to login to a Win2000 server or your Samba
server using smbclient and kerberos. Use smbclient as usual, but
specify the -k option to choose kerberos authentication.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1251">8.8. Notes</H1
><P
>You must change administrator password at least once after DC install,
to create the right encoding types</P
><P
>w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
their defaults DNS setup. Maybe fixed in service packs?</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="samba-bdc.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="domain-security.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="type.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Samba as a NT4 domain member</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
View Git Blame Copy Permalink