Diff: HowtoSamba3AndActiveDirectory

Differences between version 20 and predecessor to the previous major change of HowtoSamba3AndActiveDirectory.


Newer page: version 20 Last edited on Friday, June 17, 2005 11:40:30 am by CraigBox
Older page: version 11 Last edited on Tuesday, April 20, 2004 5:08:54 am by AristotlePagaltzis
@@ -1,119 +1 @@
-''What's this ? It's a near-copy of ActiveDirectorySamba, but not linked from anywhere and with a lot of stuff deleted ? Please don't [DisagreeByDeleting | Wiki:DisagreeByDeleting]. Can someone who has Samba3 experience shed light on the changes between this page and the other?'' --AristotlePagaltzis  
-  
-----  
-  
-This simple guide is a mostly accurate way to set up a Samba machine as a DomainMember in a Windows 2000 or Windows 2003 ActiveDirectory Domain.  
-  
-The following setup is used:  
- 192.168..1 test1.thinclient.test.org (the AD server, hereafter known as the server)  
- 192.168..209 mail.thinclient.test.org (samba3 machine)  
-  
-The Samba system is based upon a stock standard RedHat 9 system with the samba software upgraded to Samba3 (using RPM)  
-  
-The following steps are needed to get the system functioning:  
-# configure name resolution using either dns or a hosts file  
-# configure samba and winbindd  
-# configure kerberos  
-# testing the kerberos configuration  
-# good luck  
-  
-  
-! Configure name resolution  
-  
-ActiveDirectory relies HEAVILY on DNS to resolve not only host names but services they provide as well. To set up DNS on the linux box, see the DNSHowTo, otherwise consult necessary Windows documentation on setting up forward AND reverse DNS zones.  
-  
-''As a temporarily solution, you can use hosts based authentication, this is ugly and hacky, and should be avoided at all costs.'' -- JamesSpooner  
-  
-The first step is to configure name resolution for our systems. The kerberos authentication system, which we will configure later on, requires us to be able to do a reverse lookup on an IP address to get a fully qualified domain name (FQDN).  
-There are two ways to do this, the cheap and nasty method is to use a hosts file on both systems, which will have entries similar to the following.  
-  
-Samba machine%%%  
-''/etc/hosts''  
-  
- 127...1 mail mail.thinclient.test.org localhost.localdomain localhost  
- 192.168..1 test1 test1.thinclient.test.org  
- 192.168..209 mail mail.thinclient.test.org  
-  
-''Surely it would be better to put the FQDN first, and not alias localhost to a name other than localhost?'' -- PerryLorier  
-  
-Windows Active Directory server%%%  
-''%Systemroot%\System32\drivers\etc\hosts''[1]  
-  
- 127...1 test1 test1.thinclient.test.org localhost.localdomain localhost  
- 192.168..1 test1 test1.thinclient.test.org  
- 192.168..209 mail mail.thinclient.test.org  
-  
-The correct method is to setup DNS on the server which can be done through the DNS console in the AdministrativeTools section of Windows 2000/2003 Server.  
-We won't go into the details of setting this up here, but we will specify the linux side of that here.  
-  
-''/etc/resolv.conf''  
-  
- search thinclient.test.org  
- domain thinclient.test.org  
- nameserver 192.168..1  
-  
-  
-  
-! Configure Samba3 and Winbindd  
-  
-This part is the easy one, we just create ourselves a default Samba configuration with at least the following entries (Note this is a completely empty and default configuration file, and you may wish to add more. A file share would be handy to add).  
-  
-''/etc/samba/smb.conf''  
- [[global]  
- # general options  
- workgroup = THINCLIENT  
- netbios name = MAIL  
-  
- # winbindd configuration  
- winbind separator = +  
- idmap uid = 10000-20000  
- idmap gid = 10000-20000  
- winbind enum users = yes  
- winbind enum groups = yes  
- template homedir = /home/%D/%U  
- template shell = /bin/bash  
-  
- # Active directory joining  
- # "ads server" is only necessary if your kdc can't be located using /etc/krb5.conf -- JamesSpooner  
- # ads server = test1.thinclient.test.org  
- security = ads  
- encrypt passwords = yes  
- realm = thinclient.test.org  
-  
-NB: The important things to pay attention to here are the name of our samba machine (netbios name), the workgroup, and the ActiveDirectory stuff.  
-  
-! Configure Kerberos5  
-  
-See ActiveDirectoryKerberos on setting up Kerberos to talk to ActiveDirectory.  
-  
-We need to generate a key for our samba machine on the Windows server, and securely import this into our samba machine.  
-To create the keyfile we run the following on the Windows server:  
-  
- ktpass - princ host/mail.thinclient.test.org@THINCLIENT.TEST.ORG \  
- -mapuser MAIL -pass MAIL1234PASSWORD -out mail.keytab  
-  
-We then transfer the mail.keytab securely to our samba machine by using something similar to SSH or another secure means. And then on the samba machine we will import the keyfile we just generated by using the ktutil program, which is part of the kerberos distribution. The unix commands for ktutil are as follows:  
-  
- % __ktutil__  
- ktutil: __rkt mail.keytab__  
- ktutil: __list__  
- ktutil: __wkt /etc/krb5.keytab__  
- ktutil: __q__  
-  
-Alternatively ... as root:  
-  
- net join -U Administrator%password  
-  
-This will join the Samba machine to the ActiveDirectory Domain.  
-  
-  
-! References  
-  
-* Using Kerberos Clients section of the [ Microsoft : Step-by-Step Guide to Kerberos 5 (krb5 1.) Interoperability | http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp ]  
-* [ Authentication to ADS | http://mailman.mit.edu/pipermail/kerberos/2002-June/001189.html ]  
-* The winbindd and Active Directory Domain Member sections of the [ Samba v3 Documentation | http://au1.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html ]  
-* http://us1.samba.org/samba/docs/man/ [ Realy huge manual for samba 3, in this document you can find almost everything ]  
-----  
-  
-! Footnotes  
-[1] %Systemroot% is a variable set by Windows NT and onward to mean "the location where Windows is installed", ie c:\winnt, c:\windows, etc.  
+< ?plugin RedirectTo page= ActiveDirectorySamba ?>
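Review bot: the whole body is replaced by a RedirectTo plugin line without any evidence that ActiveDirectorySamba carries what is dropped here; the first removed line is AristotlePagaltzis asking exactly what differs between the two pages, and nothing in this hunk answers that, so the merge into the target should be confirmed before this is applied. Two things in the removed text deserve fixing on the target rather than being lost: the `ktpass` invocation embeds a literal password (`-pass MAIL1234PASSWORD`) and the `net join -U Administrator%password` alternative puts the administrator credential on the command line, where it ends up in shell history and process listings, so the merged page should use obvious placeholders and keep the existing advice that the keytab is transferred only over a secure channel; and `ktpass - princ host/...` has a stray space after the dash that reads as a typo for `-princ`. Separately, the added plugin line has spaces inside its delimiters (`< ?plugin ... ?>`); check that against the wiki's plugin syntax so the redirect actually fires instead of rendering as text.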