Hello!

I have recently gone through the hassle of trying to get a CentOS 5 server (no gui) with Samba to use ADS for security. After several days of googling and trying different howtos I finally got it working, I now want to write a howto for CentOS 5, Samba 3.0 and Windows Server 2003 SP2.

Basically it's a combination of http://www.howtoforge.com/samba_ads_security_mode and http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html, with additions that actually make things work.

Regards,
Daniel Lindgren

On Mon, 1 Oct 2007, Daniel Lindgren wrote:

> I have recently gone through the hassle of trying to get a CentOS 5 server
> (no gui) with Samba to use ADS for security. After several days of googling
> and trying different howtos I finally got it working, I now want to write a
> howto for CentOS 5, Samba 3.0 and Windows Server 2003 SP2.
>
> Basically it's a combination of
> http://www.howtoforge.com/samba_ads_security_mode and
> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html,
> with additions that actually make things work.

Consider me a reviewer. I am very interested in your contribution!

--
-- dag wieers, dag@centos.org, http://dag.wieers.com/ --
[Any errors in spelling, tact or fact are transmission errors]

OK, where do I enter the text? Wasn't I supposed to get a wiki page to update?

2007/10/1, Dag Wieers <dag@centos.org>:
> On Mon, 1 Oct 2007, Daniel Lindgren wrote:
>
> > I have recently gone through the hassle of trying to get a CentOS 5 server
> > (no gui) with Samba to use ADS for security. After several days of googling
> > and trying different howtos I finally got it working, I now want to write a
> > howto for CentOS 5, Samba 3.0 and Windows Server 2003 SP2.
> >
> > Basically it's a combination of
> > http://www.howtoforge.com/samba_ads_security_mode and
> > http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html,
> > with additions that actually make things work.
>
> Consider me a reviewer. I am very interested in your contribution!

Hi,

On Tue, 2 Oct 2007, Daniel Lindgren wrote:
> OK, where do I enter the text? Wasn't I supposed to get a wiki page to
> update?

Do you have some material to show? If that looks ok, we can create a page for you and give write access.

-- Daniel

Chris, have you verified that it works? The howtos I've seen look great but don't work, at least not with Samba 3.0.23c that is included in CentOS 5 (yum updated after install).

If your two commands are all it takes to access samba shares with ads security in a Windows Server 2003 SP2 environment it's amazing. I don't know much about system-config-securitylevel, but if it fixes krb5.conf, nsswitch.conf and smb.conf it should work.

For me it took manual editing of krb5.conf, nsswitch.conf, smb.conf and updating to samba 3.0.26 to make it work.

2007/10/2, Daniel de Kok <danieldk@pobox.com>:
> Hi,
>
> On Tue, 2 Oct 2007, Daniel Lindgren wrote:
> > OK, where do I enter the text? Wasn't I supposed to get a wiki page to
> > update?
>
> Do you have some material to show? If that looks ok, we can create a page
> for you and give write access.
>
> -- Daniel

On Tuesday, 02.10.2007, at 09:32 +0200, Daniel Lindgren wrote:
> Chris, have you verified that it works? The howtos I've seen look
> great but don't work, at least not with Samba 3.0.23c that is included
> in CentOS 5 (yum updated after install).
>
> If your two commands are all it takes to access samba shares with ads
> security in a Windows Server 2003 SP2 environment it's amazing. I
> don't know much about system-config-securitylevel, but if it fixes
> krb5.conf, nsswitch.conf and smb.conf it should work.
>
> For me it took manual editing of krb5.conf, nsswitch.conf, smb.conf
> and updating to samba 3.0.26 to make it work.

These commands work for me, I use them in my postinstall scripts. I have a Windows Server 2003 SP2. The first command sets up kerberos, the second samba/winbindd. We have ~30 CentOS installations (4 and 5) using winbindd successfully, all set up with system-config-securitylevel.

Chris

financial.com AG
Munich head office/Hauptsitz München: Maria-Probst-Str. 19 | 80939 München | Germany
Frankfurt branch office/Niederlassung Frankfurt: Messeturm | Friedrich-Ebert-Anlage 49 | 60327 Frankfurt | Germany
Management board/Vorstand: Dr. Steffen Boehnert (CEO/Vorsitzender) | Dr. Alexis Eisenhofer | Dr. Yann Samson | Matthias Wiederwach
Supervisory board/Aufsichtsrat: Dr. Dr. Ernst zur Linden (chairman/Vorsitzender)
Register court/Handelsregister: Munich HRB 128 972 | Sales tax ID number/St.Nr.: DE205 370 553

Daniel Lindgren wrote:
> For me it took manual editing of krb5.conf, nsswitch.conf, smb.conf and
> updating to samba 3.0.26 to make it work.

If Christoph's stuff works, I'd rather go that route in a wiki document than advising people to upgrade to a version we don't ship.

Cannot test that though, I have no AD to work against ...

Cheers,

Ralph

I agree, I'll do a test on a fresh CentOS 5 server (no gui, yum updated) and see if it works in my environment.

Regards,
Daniel

2007/10/2, Ralph Angenendt <ra+centos@br-online.de>:
> Daniel Lindgren wrote:
> > For me it took manual editing of krb5.conf, nsswitch.conf, smb.conf and
> > updating to samba 3.0.26 to make it work.
>
> If Christoph's stuff works, I'd rather go that route in a wiki document
> than advising people to upgrade to a version we don't ship.
>
> Cannot test that though, I have no AD to work against ...
>
> Cheers,
>
> Ralph

OK, now I've tried it and it works like a charm. This is a stub for a howto in the wiki:

* Verified on a CentOS 5.0 Server install, updated and rebooted.
* Install and configure ntp to make sure time is in sync with AD domain controller.
* chkconfig ntpd on
* patch /usr/share/authconfig/authconfig.py (unless CentOS 5.1)
* chkconfig smb on
* chkconfig winbind on
* set variables to appropriate values for your domain
* authconfig --enableshadow --enablemd5 --enablekrb5 --krb5realm=$KRB_REALM --krb5kdc=$AD_SERVER --kickstart
* authconfig-tui --kickstart --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=$KRB_REALM --smbservers=$AD_SERVER --winbindjoin="$ADMIN" --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --smbworkgroup=$SMBWG --enablelocauthorize
* create samba share, testparm
* (re)start samba
* from windows client: net view \\centosserver
* try connecting to share
* troubleshooting: verify that ntpd/smb/winbind are all started, verify time is in sync on all machines, try logging off/on Windows client

The full article would of course include more commands and info.

Regards,
Daniel

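A check of the three files named in this thread (smb.conf, krb5.conf, nsswitch.conf) after the two authconfig calls, added here as an example; it is not part of any poster's message or of authconfig. It assumes `--smbsecurity=ads`, `--smbrealm`/`--krb5realm` and `--enablewinbind` should show up as `security = ads`, matching `realm`/`default_realm` values and `winbind` on the passwd and group lines; the sample tree and the EXAMPLE.COM names are constructed.

```shell
#!/bin/bash
# Added example, not from the thread. ROOT is a path prefix: "" for a live
# host, or a directory holding copies. [section] headers are ignored.

conf_value() {  # conf_value KEY FILE -> value of the last "key = value" line
    awk -F= -v k="$1" '
        NF < 2 || /^[ \t]*[#;]/ { next }
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        tolower(key) == k { v = $0; sub(/^[^=]*=/, "", v)
                            gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print val }' "$2"
}

nss_has_winbind() {  # nss_has_winbind DATABASE FILE -> true if winbind is listed
    grep -Eq "^[[:space:]]*$1:([^#]*[[:space:]])?winbind([[:space:]]|\$)" "$2"
}

check_ads_config() {  # check_ads_config ROOT -> prints problems, returns count
    root=$1; n=0
    sec=$(conf_value security "$root/etc/samba/smb.conf")
    smb_realm=$(conf_value realm "$root/etc/samba/smb.conf")
    krb_realm=$(conf_value default_realm "$root/etc/krb5.conf")
    [ "$(printf %s "$sec" | tr A-Z a-z)" = ads ] ||
        { echo "smb.conf: security='$sec', expected ads"; n=$((n + 1)); }
    # Kerberos realm names are case-sensitive, so compare exactly.
    { [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ]; } ||
        { echo "realm: smb.conf '$smb_realm' != krb5.conf '$krb_realm'"; n=$((n + 1)); }
    for db in passwd group; do
        nss_has_winbind "$db" "$root/etc/nsswitch.conf" ||
            { echo "nsswitch.conf: $db lacks winbind"; n=$((n + 1)); }
    done
    return "$n"
}

make_sample() {  # make_sample ROOT SMB_REALM GROUP_SOURCES (constructed files)
    mkdir -p "$1/etc/samba"
    printf '[global]\n workgroup = EXAMPLE\n security = ads\n realm = %s\n' "$2" \
        > "$1/etc/samba/smb.conf"
    printf '[libdefaults]\n default_realm = EXAMPLE.COM\n' > "$1/etc/krb5.conf"
    printf 'passwd: files winbind\ngroup: %s\n' "$3" > "$1/etc/nsswitch.conf"
}

if [ "${1:-}" = demo ]; then   # constructed input with two deliberate faults
    tmp=$(mktemp -d); make_sample "$tmp" example.com files
    check_ads_config "$tmp"; echo "problems: $?"; rm -rf "$tmp"
fi
```

On a real host, `check_ads_config ""` reads the live files under /etc; a non-zero return is the number of settings that still need attention before testing the share.
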
Daniel,

for me adding a samba/winbindd server to the domain is 2 calls to system-config-securitylevel:

    authconfig --enableshadow --enablemd5 --enablekrb5 \
        --krb5realm=$KRB_REALM --krb5kdc=$AD_SERVER --kickstart

    authconfig-tui --kickstart --enablewinbind --enablewinbindauth \
        --smbsecurity=ads --smbrealm=$KRB_REALM --smbservers=$AD_SERVER \
        --winbindjoin="Administrator" --winbindtemplatehomedir=/home/%U \
        --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain \
        --smbworkgroup=FINANCIAL --enablelocauthorize

So what is the big deal here? Oh yeah, you need a patched authconfig until CentOS 5.1 is released, see http://bugs.centos.org/view.php?id=2213.

Maybe you could modify your contribution a bit...

Chris

On Monday, 01.10.2007, at 19:32 +0200, Daniel Lindgren wrote:
> Hello!
>
> I have recently gone through the hassle of trying to get a CentOS 5
> server (no gui) with Samba to use ADS for security. After several days
> of googling and trying different howtos I finally got it working, I
> now want to write a howto for CentOS 5, Samba 3.0 and Windows Server
> 2003 SP2.
>
> Basically it's a combination of
> http://www.howtoforge.com/samba_ads_security_mode and
> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html, with additions that actually make things work.
>
> Regards,
> Daniel Lindgren