Diff: ActiveDirectorySamba

Differences between version 11 and predecessor to the previous major change of ActiveDirectorySamba.


Newer page: version 11, last edited on Sunday, February 8, 2004 4:54:00 pm by EnigMa
Older page: version 3, last edited on Monday, September 8, 2003 11:22:21 am by GerwinVanDeSteeg
@@ -1,5 +1,5 @@
-This simple guide is a mostly accurate way to set up a Samba machine as a DomainMember in a Windows 2000 or Windows 2003 ActiveDirectory Domain
+This simple guide is a mostly accurate way to set up a Samba machine as a domain member in a Windows 2000 or Windows 2003 Active Directory domain
  
 The following setup is used: 
  192.168.0.1 test1.thinclient.test.org (the AD server, hereafter known as the server) 
  192.168.0.209 mail.thinclient.test.org (samba3 machine) 
@@ -15,9 +15,9 @@
  
  
 ! Configure name resolution 
  
-ActiveDirectory relies HEAVILY on DNS to resolve not only host names but services they provide as well. To set up DNS on the linux box, see the DNSHowTo, otherwise consult necessary Windows documentation on setting up forward AND reverse DNS zones. 
+Active Directory relies HEAVILY on DNS to resolve not only host names but services they provide as well. To set up DNS on the Linux box, see the DNSHowTo, otherwise consult necessary Windows documentation on setting up forward AND reverse DNS zones. 
  
 ''As a temporarily solution, you can use hosts based authentication, this is ugly and hacky, and should be avoided at all costs.'' -- JamesSpooner 
  
 The first step is to configure name resolution for our systems. The kerberos authentication system, which we will configure later on, requires us to be able to do a reverse lookup on an IP address to get a fully qualified domain name (FQDN). 
@@ -38,10 +38,10 @@
  127.0.0.1 test1 test1.thinclient.test.org localhost.localdomain localhost 
  192.168.0.1 test1 test1.thinclient.test.org 
  192.168.0.209 mail mail.thinclient.test.org 
  
-The correct method is to setup DNS on the server which can be done through the DNS console in the AdministrativeTools section of Windows 2000/2003 Server.  
-We won't go into the details of setting this up here, but we will specify the linux side of that here. 
+The correct method is to setup DNS on the server which can be done through the DNS console in the Administrative Tools section of Windows 2000/2003 Server.  
+We won't go into the details of setting this up here, but we will specify the Linux side of that here. 
  
 ''/etc/resolv.conf'' 
  
  search thinclient.test.org 
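Review bot: in the hosts entries at the top of this hunk, `test1` and `test1.thinclient.test.org` are listed on both `127.0.0.1` and `192.168.0.1`; a reverse lookup of 127.0.0.1 will then return test1 rather than localhost, which conflicts with the reverse-lookup requirement the Kerberos section states. Suggest keeping the loopback line as `127.0.0.1 localhost.localdomain localhost` only. Minor: `setup DNS` should read `set up DNS` (verb).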
@@ -74,20 +74,25 @@
  # ads server = test1.thinclient.test.org 
  security = ads 
  encrypt passwords = yes 
  realm = thinclient.test.org 
+ password server = test1.thinclient.test.org  
  
 NB: The important things to pay attention to here are the name of our samba machine (netbios name), the workgroup, and the ActiveDirectory stuff. 
  
 ! Configure Kerberos5 
  
 See ActiveDirectoryKerberos on setting up Kerberos to talk to ActiveDirectory. 
+  
+''If your kerberos setup is good, at this point, you might just want to run'' __net ads join -U Administrator%password__ ''which should do all that _ktpass_ and _ktutil_ stuff on the fly as mentioned in [http://us1.samba.org/samba/docs/man/domain-member.html#ads-member] . Then you can skip to the winbind section below ;-)''  
  
 We need to generate a key for our samba machine on the Windows server, and securely import this into our samba machine. 
 To create the keyfile we run the following on the Windows server: 
  
  ktpass - princ host/mail.thinclient.test.org@THINCLIENT.TEST.ORG \ 
  -mapuser MAIL -pass MAIL1234PASSWORD -out mail.keytab 
+  
+''This and many other tools for managing kerberos in Windows 2000 are located in the support tools which are directly downloadable from Microsoft [http://www.microsoft.com/downloads/details.aspx?familyid=f08d28f3-b835-4847-b810-bb6539362473&displaylang=en]'' -- JanGerle  
  
 We then transfer the mail.keytab securely to our samba machine by using something similar to SSH or another secure means. And then on the samba machine we will import the keyfile we just generated by using the ktutil program, which is part of the kerberos distribution. The unix commands for ktutil are as follows: 
  
  % __ktutil__ 
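Review bot: the added `password server = test1.thinclient.test.org` pins authentication to a single DC and turns off the DNS-based DC discovery that `security = ads` otherwise performs, so logins fail if test1 is down; since the page already requires working DNS, this line can be omitted or set to `password server = *`. The added `net ads join -U Administrator%password` tip places the domain admin password on the command line, where it is visible in `ps` output and shell history; drop the `%password` part and let `net` prompt instead, and the same applies to `-pass MAIL1234PASSWORD` in the ktpass line above it.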
@@ -99,9 +104,9 @@
 Alternatively ... as root: 
  
  net join -U Administrator%password 
  
-This will join the Samba machine to the ActiveDirectory Domain. 
+This will join the Samba machine to the Active Directory Domain. 
 However this latter will only work if your Kerberos configuration actually works. 
  
 ! (Re)starting Samba and Winbindd 
  
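Review bot: `net join -U Administrator%password` again passes the password inline, with the same process-list and shell-history exposure noted for the hunk above. The page now shows two join commands (`net ads join` in the Kerberos section, `net join` here); use one form consistently, preferably `net ads join`, so readers do not take them for two different procedures.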
@@ -112,9 +117,9 @@
  
 For some of our paranoid friends, we can check to see if our winbindd is actually running using 
  ps fax | grep winbindd 
  
-Now for a real test, and see if we can get some information off our ActiveDirectory PDC. 
+Now for a real test, and see if we can get some information off our Active Directory PDC. 
  
  /usr/bin/wbinfo -u 
  
 And we should get a list of users in the format THINCLIENT+<username> 
@@ -131,18 +136,32 @@
  THINCLIENT+Domain Users 
  THINCLIENT+Schema Admins 
  .. 
  
-We can now use the getent utility to get a unified list of both the local and PDC usersand groups. These utilities will generate a list of data similar in format to the /etc/passwd and /etc/group files respectively. 
+We can now use the getent utility to get a unified list of both the local and PDC users and groups. These utilities will generate a list of data similar in format to the /etc/passwd and /etc/group files respectively.  
+  
+ add following entries in nssswitch.conf  
+  
+ passwd: files winbind  
+ group: files winbind  
+  
+if you are compiling samba from source then you need to copy following files manually  
+  
+ cp /usr/src/samba-3..1/source/nsswitch/pam_winbind.so /lib/security/  
+ cp /usr/src/samba-3..1/source/nsswitch/libnss_winbind.so /lib/  
+ cp /usr/src/samba-3..1/source/bin/pam_smbpass.so /lib/security/  
+  
+  
+then run following command to get unified entries  
  
  /usr/bin/getent passwd 
  /usr/bin/getent group 
  
 After this we can fix up our init.d startup scripts to automate the startup of winbindd. 
  
 ! Configure PAM and Winbind 
  
-__Before we do anything at all here, we need to make a backup of our /etc/pam.d/* files. Ahd have a linux bootdisk available if possible. If anything goes wrong here, you may not be able to login to your system properly. (So don't reboot or logoff to test, but use a text console)__ 
+__Before we do anything at all here, we need to make a backup of our /etc/pam.d/* files. And have a linux bootdisk available if possible. If anything goes wrong here, you may not be able to login to your system properly. (So don't reboot or logoff to test, but use a text console)__ 
  
 To have our ActiveDirectory users be able to login to our we have to modify our /etc/pam.d/login. 
 We don't need to modify our /etc/pam.d/samba settings as it is already configured for winbind.
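Review bot: the file name in the added `add following entries in nssswitch.conf` line is wrong; it should be `/etc/nsswitch.conf`. The `cp` lines use `samba-3..1`, which looks like a mangled release number in the source path and should name the real extracted directory. glibc loads `libnss_winbind.so.2`, so after copying `libnss_winbind.so` into `/lib/` add `ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2` and run `ldconfig`, otherwise `getent passwd` will list only local users. The `Ahd` to `And` fix in the backup warning is fine.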