Rashaad,

While all this is fresh in your mind, and you are still an expert, would you please send me patches for the Samba-HOWTO-Collection and for Samba-Guide so that we can update the documentation.

By fixing the documentation others may avoid the pain you went through.

- John T.

On Friday 23 July 2004 12:40, Rashaad S. Hyndman wrote:
> sorry about that last email that did not contain the resource i used. I
> think it was because i copied the contents of a website which could have
> been considered advertisement because of some of images. In either case
> enjoy:
>
> http://www.wlug.org.nz/HowtoSamba3AndActiveDirectory
>
> ----- Original Message -----
> From: "Rashaad S. Hyndman" <[EMAIL PROTECTED]>
> To: "Rashaad S. Hyndman" <[EMAIL PROTECTED]>; "Tom Skeren" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, July 23, 2004 2:18 PM
> Subject: Re: [Samba] security = ADS - IT WORKS!!!!!!!!!
>
> > Hallelujah!!!!!!!!! It works. With all the documentation I've read,
> > including the official samba-3 howto for setting up ADS, none of them
> > mentioned what happened to be the most critical piece of information,
> > winbind! Now I've seen a couple of posts that mentioned this daemon but
> > it was not included in the official howtos so I skipped over it. In
> > either case I've included the article that I used to get my samba ADS
> > implementation working. If you have followed other howtos you have
> > probably got 99% of the work done. If you happen to have more questions
> > please feel free to email me and I'll dictate exactly what I have in my
> > environment.
> >
> > Thanks for your input,
> > R.
> >
> > Howto Samba 3 And Active Directory
> >
> > The Waikato Linux Users Group hope that this page answers your questions,
> > but, if it doesn't, we politely request that if/when you find the answer
> > to your question you contribute your information back into this Wiki (via
> > the Edit button at the bottom of the page) so that others can also find
> > this information easier.
> >
> > We also suggest that if this page doesn't answer your question, try
> > Searching the wiki, or, to find pages similar to this one, try or .
> >
> > What's this? It's a near-copy of ActiveDirectorySamba, but not linked
> > from anywhere and with a lot of stuff deleted? Please don't
> > DisagreeByDeleting. Can someone who has Samba3 experience shed light on
> > the changes between this page and the other? --AristotlePagaltzis
> >
> > ActiveDirectorySamba is a correct howto for setting up Samba 3 with
> > ActiveDirectory. So it's basically a copy paste from there to here and
> > delete the other. -- GerwinVanDeSteeg
> >
> > --------------------------------------------------------------------------
> >
> > This simple guide is a mostly accurate way to set up a Samba machine as a
> > DomainMember in a Windows 2000 or Windows 2003 ActiveDirectory Domain.
> >
> > The following setup is used:
> >
> > 192.168.0.1 test1.thinclient.test.org (the AD server, hereafter known as the server)
> > 192.168.0.209 mail.thinclient.test.org (samba3 machine)
> >
> > The Samba system is based upon a stock standard RedHat 9 system with the
> > samba software upgraded to Samba3 (using RPM).
> >
> > The following steps are needed to get the system functioning:
> >
> > 1. configure name resolution using either dns or a hosts file
> > 2. configure samba and winbindd
> > 3. configure kerberos
> > 4. testing the kerberos configuration
> > 5. good luck
> >
> > Configure name resolution
> >
> > ActiveDirectory relies HEAVILY on DNS to resolve not only host names but
> > services they provide as well. To set up DNS on the linux box, see the
> > DNSHowTo, otherwise consult necessary Windows documentation on setting
> > up forward AND reverse DNS zones.
> >
> > As a temporary solution, you can use hosts based authentication; this is
> > ugly and hacky, and should be avoided at all costs. -- JamesSpooner
> >
> > The first step is to configure name resolution for our systems. The
> > kerberos authentication system, which we will configure later on,
> > requires us to be able to do a reverse lookup on an IP address to get a
> > fully qualified domain name (FQDN). There are two ways to do this; the
> > cheap and nasty method is to use a hosts file on both systems, which will
> > have entries similar to the following.
> >
> > Samba machine
> > /etc/hosts
> >
> > 127.0.0.1 mail mail.thinclient.test.org localhost.localdomain localhost
> > 192.168.0.1 test1 test1.thinclient.test.org
> > 192.168.0.209 mail mail.thinclient.test.org
> >
> > Surely it would be better to put the FQDN first, and not alias localhost
> > to a name other than localhost? -- PerryLorier
> >
> > Windows Active Directory server
> > %Systemroot%\System32\drivers\etc\hosts[1]
> >
> > 127.0.0.1 test1 test1.thinclient.test.org localhost.localdomain localhost
> > 192.168.0.1 test1 test1.thinclient.test.org
> > 192.168.0.209 mail mail.thinclient.test.org
> >
> > The correct method is to set up DNS on the server, which can be done
> > through the DNS console in the AdministrativeTools section of Windows
> > 2000/2003 Server. We won't go into the details of setting this up here,
> > but we will specify the linux side of that here.
> >
> > /etc/resolv.conf
> >
> > search thinclient.test.org
> > domain thinclient.test.org
> > nameserver 192.168.0.1
> >
> > Configure Samba3 and Winbindd
> >
> > This part is the easy one, we just create ourselves a default Samba
> > configuration with at least the following entries (Note this is a
> > completely empty and default configuration file, and you may wish to add
> > more. A file share would be handy to add).
> >
> > /etc/samba/smb.conf
> >
> > [global]
> > # general options
> > workgroup = THINCLIENT
> > netbios name = MAIL
> > # winbindd configuration
> > winbind separator = +
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > winbind enum users = yes
> > winbind enum groups = yes
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > # Active directory joining
> > # "ads server" is only necessary if your kdc can't be located using /etc/krb5.conf -- JamesSpooner
> > # ads server = test1.thinclient.test.org
> > security = ads
> > encrypt passwords = yes
> > realm = thinclient.test.org
> >
> > NB: The important things to pay attention to here are the name of our
> > samba machine (netbios name), the workgroup, and the ActiveDirectory
> > stuff.
> >
> > Configure Kerberos5
> >
> > See ActiveDirectoryKerberos on setting up Kerberos to talk to
> > ActiveDirectory.
> >
> > We need to generate a key for our samba machine on the Windows server,
> > and securely import this into our samba machine. To create the keyfile we
> > run the following on the Windows server:
> >
> > ktpass -princ host/[EMAIL PROTECTED] \
> >   -mapuser MAIL -pass MAIL1234PASSWORD -out mail.keytab
> >
> > We then transfer the mail.keytab securely to our samba machine by using
> > something similar to SSH or another secure means. And then on the samba
> > machine we will import the keyfile we just generated by using the ktutil
> > program, which is part of the kerberos distribution. The unix commands
> > for ktutil are as follows:
> >
> > % ktutil
> > ktutil: rkt mail.keytab
> > ktutil: list
> > ktutil: wkt /etc/krb5.keytab
> > ktutil: q
> >
> > Alternatively ... as root:
> >
> > net join -U Administrator%password
> >
> > This will join the Samba machine to the ActiveDirectory Domain.
> >
> > References
> >
> > a. Using Kerberos Clients section of the Microsoft Step-by-Step Guide to
> >    Kerberos 5 (krb5 1.0) Interoperability
> > b. Authentication to ADS
> > c. The winbindd and Active Directory Domain Member sections of the Samba
> >    v3 Documentation
> > d. Really huge manual for samba 3, in this document you can find almost
> >    everything
> >
> > --------------------------------------------------------------------------
> >
> > Footnotes
> >
> > [1] %Systemroot% is a variable set by Windows NT and onward to mean "the
> > location where Windows is installed", i.e. c:\winnt, c:\windows, etc.
> >
> > Last edited on Tuesday, June 1, 2004 10:04:05 pm by AlastairPorter.

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
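A preflight check for the ADS domain-member setup in the quoted howto, written here as an added example (not code from the WLUG page, the Samba project, or either correspondent): it reads the keys the howto calls out from the [global] section of smb.conf, verifies security = ads plus the realm, workgroup, netbios name and winbind idmap entries, and confirms the keytab imported with ktutil is readable only by its owner. It assumes POSIX sh with awk; the function names are hypothetical and the smb.conf it checks is a constructed copy of the howto's example.

```shell
# Added example (not the WLUG page's or the Samba project's code): a preflight
# check, in POSIX sh plus awk, for the smb.conf entries and keytab handling
# the howto above describes; paths are passed as arguments.
# Print the value of KEY from the [global] section of an smb.conf
# (case-insensitive key match; '#' and ';' comment lines are ignored).
smb_global_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && !/^[ \t]*[#;]/ && index($0, "=") {
            n = index($0, "=")
            k = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}
# Check the entries the howto calls out for an ADS member (security = ads,
# realm, workgroup, netbios name, idmap ranges); returns 0 only if all present.
check_ads_member_conf() {
    f=$1; rc=0
    sec=$(smb_global_get "$f" security | tr '[:upper:]' '[:lower:]')
    [ "$sec" = ads ] || { echo "$f: security must be ads (got '$sec')"; rc=1; }
    for k in realm workgroup "netbios name" "idmap uid" "idmap gid"; do
        [ -n "$(smb_global_get "$f" "$k")" ] || { echo "$f: '$k' is not set"; rc=1; }
    done
    return $rc
}

# The keytab holds the machine's Kerberos key: return 0 only if no group/other bits are set.
check_keytab_mode() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo on a constructed smb.conf modelled on the howto (not a real host).
tmp=$(mktemp -d)
cat > "$tmp/smb.conf" <<'EOF'
[global]
   workgroup = THINCLIENT
   netbios name = MAIL
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   # ads server = test1.thinclient.test.org
   security = ads
   realm = thinclient.test.org
EOF
check_ads_member_conf "$tmp/smb.conf" && echo "smb.conf: ok"
: > "$tmp/krb5.keytab"; chmod 600 "$tmp/krb5.keytab"
check_keytab_mode "$tmp/krb5.keytab" && echo "keytab mode: ok"
rm -r "$tmp"
```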
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba