Sorry about that last email that did not contain the resource I used. I think it was because I copied the contents of a website, which could have been considered advertisement because of some of the images. In either case, enjoy:

http://www.wlug.org.nz/HowtoSamba3AndActiveDirectory

----- Original Message -----
From: "Rashaad S. Hyndman" <[EMAIL PROTECTED]>
To: "Rashaad S. Hyndman" <[EMAIL PROTECTED]>; "Tom Skeren" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, July 23, 2004 2:18 PM
Subject: Re: [Samba] security = ADS - IT WORKS!!!!!!!!!

> Hallelujah!!!!!!!!! It works. With all the documentation I've read, including
> the official Samba 3 HOWTO for setting up ADS, none of them mentioned what
> happened to be the most critical piece of information: winbind! Now I've
> seen a couple of posts that mentioned this daemon, but it was not included in
> the official HOWTOs, so I skipped over it. In either case, I've included the
> article that I used to get my Samba ADS implementation working. If you have
> followed other HOWTOs you have probably got 99% of the work done. If you
> happen to have more questions, please feel free to email me and I'll dictate
> exactly what I have in my environment.
>
> Thanks for your input,
> R.
>
>
> Howto Samba 3 And Active Directory
>
> What's this? It's a near-copy of ActiveDirectorySamba, but not linked
> from anywhere and with a lot of stuff deleted? Please don't
> DisagreeByDeleting. Can someone who has Samba3 experience shed light on the
> changes between this page and the other? --AristotlePagaltzis
>
> ActiveDirectorySamba is a correct howto for setting up Samba 3 with
> ActiveDirectory. So it's basically a copy-paste from there to here and
> delete the other. -- GerwinVanDeSteeg
>
> --------------------------------------------------------------------------
>
> This simple guide is a mostly accurate way to set up a Samba machine
> as a DomainMember in a Windows 2000 or Windows 2003 ActiveDirectory Domain.
>
> The following setup is used:
>
>     192.168.0.1    test1.thinclient.test.org   (the AD server, hereafter known as the server)
>     192.168.0.209  mail.thinclient.test.org    (the Samba 3 machine)
>
> The Samba system is based upon a stock standard RedHat 9 system with
> the samba software upgraded to Samba3 (using RPM).
>
> The following steps are needed to get the system functioning:
>
> 1. configure name resolution using either DNS or a hosts file
> 2. configure samba and winbindd
> 3. configure kerberos
> 4. testing the kerberos configuration
> 5. good luck
>
> Configure name resolution
>
> ActiveDirectory relies HEAVILY on DNS to resolve not only host names
> but the services they provide as well. To set up DNS on the Linux box, see the
> DNSHowTo; otherwise consult the necessary Windows documentation on setting up
> forward AND reverse DNS zones.
>
> As a temporary solution, you can use hosts based authentication;
> this is ugly and hacky, and should be avoided at all costs. -- JamesSpooner
>
> The first step is to configure name resolution for our systems. The
> Kerberos authentication system, which we will configure later on, requires
> us to be able to do a reverse lookup on an IP address to get a fully
> qualified domain name (FQDN). There are two ways to do this. The cheap and
> nasty method is to use a hosts file on both systems, which will have entries
> similar to the following.
>
> Samba machine
> /etc/hosts
>
>     127.0.0.1      mail mail.thinclient.test.org localhost.localdomain localhost
>     192.168.0.1    test1 test1.thinclient.test.org
>     192.168.0.209  mail mail.thinclient.test.org
>
> Surely it would be better to put the FQDN first, and not alias
> localhost to a name other than localhost? -- PerryLorier
>
> Windows Active Directory server
> %Systemroot%\System32\drivers\etc\hosts[1]
>
>     127.0.0.1      test1 test1.thinclient.test.org localhost.localdomain localhost
>     192.168.0.1    test1 test1.thinclient.test.org
>     192.168.0.209  mail mail.thinclient.test.org
>
> The correct method is to set up DNS on the server, which can be done
> through the DNS console in the AdministrativeTools section of Windows
> 2000/2003 Server. We won't go into the details of setting this up here, but
> we will specify the Linux side of it.
>
> /etc/resolv.conf
>
>     search thinclient.test.org
>     domain thinclient.test.org
>     nameserver 192.168.0.1
>
> Configure Samba3 and Winbindd
>
> This part is the easy one: we just create ourselves a default Samba
> configuration with at least the following entries. (Note this is a completely
> empty and default configuration file, and you may wish to add more. A file
> share would be handy to add.)
>
> /etc/samba/smb.conf
>
>     [global]
>
>     # general options
>     workgroup = THINCLIENT
>     netbios name = MAIL
>
>     # winbindd configuration
>     winbind separator = +
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>     winbind enum users = yes
>     winbind enum groups = yes
>     template homedir = /home/%D/%U
>     template shell = /bin/bash
>
>     # Active directory joining
>     # "ads server" is only necessary if your KDC can't be located
>     # using /etc/krb5.conf -- JamesSpooner
>     # ads server = test1.thinclient.test.org
>     security = ads
>     encrypt passwords = yes
>     realm = thinclient.test.org
>
> NB: The important things to pay attention to here are the name of our
> Samba machine (netbios name), the workgroup, and the ActiveDirectory stuff.
>
> Configure Kerberos5
>
> See ActiveDirectoryKerberos on setting up Kerberos to talk to
> ActiveDirectory.
>
> We need to generate a key for our Samba machine on the Windows server,
> and securely import this into our Samba machine. To create the keyfile we
> run the following on the Windows server:
>
>     ktpass -princ host/[EMAIL PROTECTED] \
>         -mapuser MAIL -pass MAIL1234PASSWORD -out mail.keytab
>
> We then transfer mail.keytab securely to our Samba machine by
> using something similar to SSH or another secure means. Then, on the
> Samba machine, we import the keyfile we just generated by using the
> ktutil program, which is part of the Kerberos distribution. The Unix
> commands for ktutil are as follows:
>
>     % ktutil
>     ktutil: rkt mail.keytab
>     ktutil: list
>     ktutil: wkt /etc/krb5.keytab
>     ktutil: q
>
> Alternatively ... as root:
>
>     net join -U Administrator%password
>
> This will join the Samba machine to the ActiveDirectory Domain.
>
> References
>
> a. Using Kerberos Clients section of the Microsoft Step-by-Step
>    Guide to Kerberos 5 (krb5 1.0) Interoperability
> b. Authentication to ADS
> c. The winbindd and Active Directory Domain Member sections of the
>    Samba v3 Documentation
> d. Really huge manual for Samba 3; in this document you can find
>    almost everything
>
> --------------------------------------------------------------------------
>
> Footnotes
>
> [1] %Systemroot% is a variable set by Windows NT and onward to mean
> "the location where Windows is installed", i.e. c:\winnt, c:\windows, etc.
>
> --------------------------------------------------------------------------
>
> Last edited on Tuesday, June 1, 2004 10:04:05 pm by AlastairPorter.
>
> Please note that any user can change the contents of pages on this site, and
> therefore the Waikato Linux Users Group can offer no assurances that the
> information is correct, and the information on this site is not necessarily
> the opinion of the Waikato Linux Users Group, or any of its members.
> Copyright is retained by the individual authors of a page. If you have any
> complaints about the contents of this page, please do not hesitate to contact
> the Waikato Linux Users Group, or, click the Edit button below!

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
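The HOWTO quoted in the thread turns on a handful of smb.conf settings (security = ads, realm, workgroup, netbios name, and the winbindd idmap ranges). The script below is an added example, not code from the thread, from Samba, or from the WLUG page: it parses an smb.conf fragment in the INI-like format Samba uses and reports the settings a domain-member setup usually fails on, plus two caveats a practitioner would want flagged (Kerberos realm names are case-sensitive and conventionally upper-case; idmap ranges that start below 1000 overlap the usual local system-account range). The embedded SAMPLE_SMB_CONF is the HOWTO's [global] section, constructed here as test input; the parser is deliberately small and is not a replacement for Samba's own testparm.

```python
"""Check an smb.conf for the Active Directory domain-member settings the HOWTO relies on.

Added example (not Samba's tooling): parses smb.conf, then reports missing or risky
settings for a security = ads domain member.  Use testparm(1) for real syntax checks.
"""
import re
from typing import Dict, List, Optional, Tuple

Findings = List[Tuple[str, str]]  # (severity, message)

# Constructed sample input: the [global] section from the HOWTO, comments included.
SAMPLE_SMB_CONF = """
[global]
    # general options
    workgroup = THINCLIENT
    netbios name = MAIL
    # winbindd configuration
    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    # ads server = test1.thinclient.test.org
    security = ads
    encrypt passwords = yes
    realm = thinclient.test.org
"""

_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}.

    Parameter names are lower-cased with whitespace collapsed, values stripped;
    '#' and ';' comment lines are skipped and backslash continuations joined.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        if line.rstrip().endswith("\\"):        # continuation: glue onto next line
            pending = line.rstrip()[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = _SECTION_RE.match(stripped)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in stripped:
            continue                             # parameter outside a section, or malformed
        key, _, value = stripped.partition("=")
        current[" ".join(key.lower().split())] = value.strip()
    return sections


def _id_range(value: str) -> Optional[Tuple[int, int]]:
    """Parse an idmap range such as '10000-20000'; None if malformed or empty."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low < high else None


def check_ads_member(conf: Dict[str, Dict[str, str]]) -> Findings:
    """Return (severity, message) findings for an AD domain-member [global] section."""
    findings: Findings = []
    g = conf.get("global")
    if g is None:
        return [("error", "no [global] section found")]
    err = lambda msg: findings.append(("error", msg))
    warn = lambda msg: findings.append(("warning", msg))

    if g.get("security", "").lower() != "ads":
        err(f"security must be 'ads' for AD membership (found {g.get('security', '<unset>')!r})")
    realm = g.get("realm")
    if not realm:
        err("realm is not set; Samba cannot locate the KDC without it")
    elif realm != realm.upper():
        warn(f"realm {realm!r} is not upper-case; Kerberos realm names are case-sensitive "
             "and conventionally upper-case")
    if not g.get("workgroup"):
        err("workgroup (the NetBIOS domain name) is not set")
    nb = g.get("netbios name")
    if nb is None:
        warn("netbios name not set; Samba will use the host name, which must match "
             "the computer account the domain knows the machine by")
    elif len(nb) > 15:
        err(f"netbios name {nb!r} exceeds the 15-character NetBIOS limit")
    if g.get("encrypt passwords", "yes").lower() in ("no", "false", "0"):
        err("encrypt passwords = no; domain membership requires encrypted passwords")
    for param in ("idmap uid", "idmap gid"):
        value = g.get(param)
        if value is None:
            err(f"{param} is not set; winbindd cannot allocate IDs for domain accounts")
            continue
        rng = _id_range(value)
        if rng is None:
            err(f"{param} = {value!r} is not a LOW-HIGH range")
        elif rng[0] < 1000:
            warn(f"{param} starts at {rng[0]}, overlapping the usual local system-account "
                 "range; domain users could collide with local ones")
    return findings


if __name__ == "__main__":
    for severity, message in check_ads_member(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"{severity.upper():8} {message}")
```

Run against the HOWTO's own [global] section it reports nothing fatal and one warning about the lower-case realm; point it at a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())` to check a box before running `net join`.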