This simple guide is a mostly accurate way to set up a Samba machine as a DomainMember in a Windows 2000 or Windows 2003 ActiveDirectory domain.
The Samba system is based on a stock RedHat 9 install with the Samba software upgraded to Samba3 (using RPM).
The following steps are needed to get the system functioning:
ActiveDirectory relies HEAVILY on DNS to resolve not only host names but also the services they provide. To set up DNS on the Linux box, see the DNSHowTo; otherwise consult the relevant Windows documentation on setting up forward AND reverse DNS zones.
As a temporary solution, you can use hosts-based authentication; this is ugly and hacky, and should be avoided at all costs. -- JamesSpooner
The first step is to configure name resolution for our systems. The Kerberos authentication system, which we will configure later on, requires us to be able to do a reverse lookup on an IP address and get back a fully qualified domain name (FQDN). There are two ways to do this. The cheap and nasty method is to use a hosts file on both systems, with entries similar to the following.
Samba machine
/etc/hosts
    127.0.0.1 mail mail.thinclient.test.org localhost.localdomain localhost
    192.168.0.1 test1 test1.thinclient.test.org
    192.168.0.209 mail mail.thinclient.test.org
Surely it would be better to put the FQDN first, and not alias localhost to a name other than localhost? -- PerryLorier
Windows Active Directory server
%Systemroot%\System32\drivers\etc\hosts [1]
    127.0.0.1 test1 test1.thinclient.test.org localhost.localdomain localhost
    192.168.0.1 test1 test1.thinclient.test.org
    192.168.0.209 mail mail.thinclient.test.org
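The reverse-lookup requirement mentioned above can be checked before Kerberos is touched. The script below is an added example, not part of the original page: it lints a hosts file in the format shown above, using the Samba machine's entries from this page as constructed input, and flags the two problems PerryLorier points out (loopback aliased to a real hostname, FQDN not listed first) as well as a name that maps to more than one address. It generalises to any FQDN you pass to lint_hosts.

```python
import ipaddress

# Constructed sample: the Samba machine's /etc/hosts exactly as this page lists it.
PAGE_HOSTS = """\
127.0.0.1 mail mail.thinclient.test.org localhost.localdomain localhost
192.168.0.1 test1 test1.thinclient.test.org
192.168.0.209 mail mail.thinclient.test.org
"""

# Constructed sample: the same hosts with the FQDN first and loopback left alone.
FIXED_HOSTS = """\
127.0.0.1 localhost.localdomain localhost
192.168.0.1 test1.thinclient.test.org test1
192.168.0.209 mail.thinclient.test.org mail
"""

def parse_hosts(text):
    """Return [(ip, [names...])] for every non-comment line, in file order."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries

def lint_hosts(text, fqdn):
    """Return (code, message) pairs for entries that break a host/FQDN principal.
    A reverse lookup against a hosts file returns the first name on the first line
    carrying the address, so that name must be the FQDN, which must map to one address."""
    issues = []
    entries = parse_hosts(text)
    canonical = {}  # ip -> the name a reverse lookup of ip returns
    for ip, names in entries:
        canonical.setdefault(ip, names[0])
        if ipaddress.ip_address(ip).is_loopback:
            extra = [n for n in names if n != "localhost" and not n.startswith("localhost.")]
            if extra:
                issues.append(("loopback-alias", f"{ip} also answers to {extra}"))
    addrs = sorted({ip for ip, names in entries if fqdn in names})
    if not addrs:
        issues.append(("missing", f"{fqdn} is not listed"))
    elif len(addrs) > 1:
        issues.append(("multi-address", f"{fqdn} maps to several addresses: {addrs}"))
    for ip in addrs:
        if canonical[ip] != fqdn:
            issues.append(("reverse-mismatch",
                           f"reverse lookup of {ip} yields {canonical[ip]!r}, not {fqdn!r}"))
    return issues
```

Running lint_hosts(PAGE_HOSTS, "mail.thinclient.test.org") reports all four problems; the same call on FIXED_HOSTS returns an empty list.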
The correct method is to set up DNS on the server, which can be done through the DNS console in the AdministrativeTools section of Windows 2000/2003 Server. We won't go into the details of setting that up here, but we will cover the Linux side of it.
/etc/resolv.conf
    search thinclient.test.org
    domain thinclient.test.org
    nameserver 192.168.0.1
This part is the easy one: we just create ourselves a default Samba configuration with at least the following entries. (Note that this is a minimal configuration file, and you may wish to add more; a file share would be handy to add.)
/etc/samba/smb.conf
    [global]
    # general options
    workgroup = THINCLIENT
    netbios name = MAIL

    # winbindd configuration
    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash

    # Active directory joining
    # "ads server" is only necessary if your kdc can't be located using /etc/krb5.conf -- JamesSpooner
    # ads server = test1.thinclient.test.org
    security = ads
    encrypt passwords = yes
    realm = thinclient.test.org
NB: The important things to pay attention to here are the name of our Samba machine (netbios name), the workgroup, and the ActiveDirectory settings (security, realm and, if needed, ads server).
See ActiveDirectoryKerberos on setting up Kerberos to talk to ActiveDirectory.
We need to generate a key for our Samba machine on the Windows server, and securely import it into our Samba machine.
    ktpass -princ host/mail.thinclient.test.org@THINCLIENT.TEST.ORG -mapuser MAIL -pass MAIL1234PASSWORD -out mail.keytab
This will join the Samba machine to the ActiveDirectory Domain.
[1] %Systemroot% is a variable set by Windows NT and onward to mean "the location where Windows is installed", i.e. c:\winnt, c:\windows, etc.