
Differences between version 25 and predecessor to the previous major change of ActiveDirectorySamba.


Newer page: version 25 Last edited on Thursday, June 17, 2004 11:37:43 am by DanielLawson
Older page: version 22 Last edited on Thursday, June 17, 2004 10:53:13 am by GreigMcGill
@@ -1,5 +1,5 @@
-This simple guide is a mostly accurate way to set up a Samba machine as a domain member in a Windows 2000 or Windows 2003 Active Directory domain. For a REALLY short version, tested with Win2k3, see SambaADQuickNDirty
+This simple guide is a mostly accurate way to set up a Samba machine as a domain member in a Windows 2000 or Windows 2003 Active Directory domain. For a REALLY short version, tested with Win2k3, see the Quick 'n' Dirty instructions at the bottom of the page
  
 The following setup is used: 
  192.168.0.1 test1.thinclient.test.org (the AD server, hereafter known as the server) 
  192.168.0.209 mail.thinclient.test.org (samba3 machine) 
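Review bot: the reworded first sentence drops the only link to the quick instructions; "at the bottom of the page" has no anchor, so a reader who still arrives via the old SambaADQuickNDirty wiki word is left with nothing to follow. Suggest keeping a link to the new section (a WikiWord or section link) or leaving SambaADQuickNDirty as a redirect to it.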
@@ -57,18 +57,23 @@
 ! Configure Samba3 and Winbindd 
  
 This part is the easy one, we just create ourselves a default Samba configuration with at least the following entries (Note this is a completely empty and default configuration file, and you may wish to add more. A file share would be handy to add). 
  
+<verbatim>  
 ''/etc/samba/smb.conf'' 
  [[global] 
  # general options 
  workgroup = THINCLIENT 
  netbios name = MAIL 
  
  # winbindd configuration 
- winbind separator = + ''The default character is \ which is good if you use mod_ntlm since that's it's character, users only have to remember 1 syntax''  
- idmap uid = 10000-20000 ''alias of winbind uid''  
- idmap gid = 10000-20000 ''alias of winbind gid''  
+ # default winbind separator is \, which is good if you use mod_ntlm since that is the character it uses.  
+ # users only need to know the one syntax  
+ winbind separator = +  
+  
+ # idmap uid and idmap gid are aliases for winbind uid and winbid gid, respectively  
+ idmap uid = 10000-20000  
+ idmap gid = 10000-20000 
  winbind enum users = yes 
  winbind enum groups = yes 
  template homedir = /home/%D/%U 
  template shell = /bin/bash 
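Review bot: wrapping the block in <verbatim> changes how two markup-escaped lines render. `[[global]` was the wiki escape for a literal `[global]`; inside verbatim it will appear as `[[global]`, which is not a valid smb.conf section header, and `''/etc/samba/smb.conf''` will show its quote marks instead of italics. Suggest `[global]` inside the block and the filename label moved above the opening <verbatim> tag. Also "winbid gid" in the idmap comment should read "winbind gid".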
@@ -76,12 +81,14 @@
  # Active directory joining 
  # "ads server" is only necessary if your kdc can't be located using /etc/krb5.conf -- JamesSpooner 
  # ads server = test1.thinclient.test.org 
  security = ads 
- encrypt passwords = yes ''This is now the default behavior in Samba 3'' --EnigMa 
+ # encrypt passwords = yes is now default in Samba3 -- EnigMa  
+ encrypt passwords = yes  
  realm = thinclient.test.org 
- password server = test1.thinclient.test.org ''This handles the "ads server =" directive as well'' --EnigMa  
- 
+ # this handles the "ads server = " directive as well -- EnigMa  
+ password server = test1.thinclient.test.org  
+</verbatim>  
 NB: The important things to pay attention to here are the name of our samba machine (netbios name), the workgroup, and the ActiveDirectory stuff. 
  
 ! Configure Kerberos5 
  
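Review bot: the comment moved onto its own line says `password server` covers the `ads server` directive as well, but pinning a single DC there also switches off DC discovery, so if test1 is unavailable this member cannot authenticate anyone even when other DCs exist. Worth stating that this is a single-DC lab setting and that on a multi-DC domain the line can be omitted so the KDC from /etc/krb5.conf (or DNS) is used, which is what the preceding `ads server` comment already implies.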
@@ -205,12 +212,87 @@
  
 * Using Kerberos Clients section of the [ Microsoft : Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability | http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp ] 
 * [ Authentication to ADS | http://mailman.mit.edu/pipermail/kerberos/2002-June/001189.html ] 
 * The winbindd and Active Directory Domain Member sections of the [ Samba v3 Documentation | http://au1.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html ] 
+  
+----  
+! Quick 'n' Dirty setup for Samba 3 and Windows 2003  
+  
+These are the absolute bare minimum steps to get your Samba server integrated as a member server in an AD controlled domain with Win2k3 as the DC.  
+  
+1. ENSURE your samba box has an A record and associated PTR in DNS.  
+  
+2. On your DC, disable signing: Run Domain Controller Policy tool and edit Account Policies -> Security Options -> Microsoft network client: Digitally sign communications (always) Set this to Disabled. Do the same in the Domain Policy tool. Note, you will need to reboot the server for this step, though it won't tell you to. Disable on your samba server as well with the following in smb.conf  
+  
+<verbatim>  
+ client signing = no  
+ client use spnego = no  
+</verbatim>  
+  
+3. On your samba server, install kerberos5, and edit /etc/krb5.conf. It should contain:  
+<verbatim>  
+[libdefaults]  
+ default_realm = YOUR.ADS.DOMAIN  
+ dns_lookup_kdc = false  
+ dns_lookup_realm = false  
+  
+[domain_realm]  
+ .your.domain.name=YOUR.ADS.DOMAIN  
+ your.domain.name=YOUR.ADS.DOMAIN  
+  
+[realms]  
+YOUR.ADS.DOMAIN = {  
+ default_domain = your.domain.name  
+ kdc = IP.OF.THE.DC  
+}  
+</verbatim>  
+  
+4. ensure smb.conf contains  
+<verbatim>  
+ realm = YOUR.ADS.DOMAIN  
+ workgroup = YOUR  
+ security = ADS  
+</verbatim>  
+  
+5. Get a ticket using kerberos: kinit administrator (enter the administrator password when prompted). The klist command should then list a ticket.  
+  
+6. Join the domain using 'net ads join'. This should use the credentials in your kerberos ticket.  
+  
+7. Set up winbind - ensure the following is in smb.conf  
+<verbatim>  
+ winbind uid = 10000-20000  
+ winbind gid = 10000-20000  
+ winbind enum groups = yes  
+ winbind enum users = yes  
+</verbatim>  
+  
+8. store your winbind credentials with wbinfo --set-auth-user=DOMAIN\\administrator%password  
+  
+9. modify /etc/pam.d/samba (on woody) or the appropriate pam file to add "sufficient" for auth and account using pam_winbind.so. These need to go BEFORE the pam_unix.so calls for samba. My /etc/pam.d/samba is as follows:  
+  
+<verbatim>  
+auth sufficient pam_winbind.so  
+auth required pam_unix.so nullok  
+account sufficient pam_winbind.so  
+account required pam_unix.so  
+session required pam_unix.so  
+password required pam_unix.so  
+</verbatim>  
+  
+10. Modify /etc/nsswitch.conf with the following:  
+<verbatim>  
+passwd: winbind compat  
+group: winbind compat  
+shadow: winbind compat  
+</verbatim>  
+  
+11. Restart samba and winbind.  
+  
+12. All should work. :) Browse your server and see...  
  
 ---- 
  
 ! Footnotes 
 [1] %Systemroot% is a variable set by Windows NT and onward to mean "the location where Windows is installed", ie c:\winnt, c:\windows, etc. 
  
 ----- 
 CategoryInteroperability
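Review bot: step 2 weakens security for the whole domain rather than just this join: "Digitally sign communications (always)" edited in the Domain Policy applies to every client and server in the domain, and `client use spnego = no` makes the Samba box fall back to NTLM instead of using the Kerberos ticket obtained in step 5. Suggest limiting the change to the Domain Controller Policy, noting that the server-side setting ("Microsoft network server: Digitally sign communications (always)") is the one that governs the connections the Samba member makes to the DC, and saying that signing should be restored once the Samba client works with it enabled. Step 8 stores the domain administrator password in clear text in secrets.tdb; a dedicated, low-privilege account for winbind's lookups would be safer. Minor: step 3 sets `dns_lookup_kdc = false` while step 1 requires DNS records, which is fine but deserves a sentence of explanation, and `shadow: winbind` in step 10 is harmless but unnecessary since winbind serves no shadow map.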