Alexander Skwar
2003-Feb-20 09:28 UTC
[Samba] Joining Samba 3.0 to a "pure" Active Directory
Hello. I'd like to join a Samba 3.0 alpha 21 server running on RedHat 8.0 to an Active Directory. This AD does NOT support Windows NT 4.0 Domains. In a previous mail, I've been asked if I already have Kerberos setup and tested. I don't. How do I test if Kerberos is working correctly for me? If everything is working fine, I'd like the Samba server to join the AD "europe.delphiauto.net". For this, I should type "net ads join". How do I specify, which AD is to be joined? And if this is also working, I'd like to be able to login to the Samba server with a username/password which is ONLY in the AD. Do I need any special privileges in the AD for the server? When this is also working, I'd like offer shares. However, not every user should be allowed to "mount" every share - IOW: restriction should be done on a per user basis. If I maintain a local smbpasswd, I know that this shouldn't be a problem - but what if I use AD to do the authentication? Thanks a lot for all your help, Alexander Skwar -- #ifdef STUPIDLY_TRUST_BROKEN_PCMD_ENA_BIT 2.4.0-test2 /usr/src/linux/drivers/ide/cmd640.c
Alexander Skwar
2003-Feb-20 11:16 UTC
[Samba] Joining Samba 3.0 to a "pure" Active Directory
Alexander Skwar schrieb:> In a previous mail, I've been asked if I already have Kerberos setup and > tested. I don't. How do I test if Kerberos is working correctly for me?In an off-list mail, someone told me to try | For test your kerberos | | The command | | Kinit username@DOMAINE.COM | And your password username I'm getting this error: [root@ugkbase samba]# kinit vz6tml@EUROPE.DELPHIAUTO.NET kinit(v5): Cannot find KDC for requested realm while getting initial credentials In the ads documentation file of samba at http://tinyurl.com/64gv I read that I need to configure kerberos first: | The minimal configuration for krb5.conf is: | | [realms] | YOUR.KERBEROS.REALM = { | kdc = your.kerberos.server | } That's what I did not yet do. Suppose I've got some Windows clients which are already in the AD - using these machines, can I figure out the name of the KDC? If so, how? Thanks again, Alexander Skwar -- /* When we have more time, we can teach the penguin to say * "By your command" or "Activating turbo boost, Michael". */ 2.2.16 /usr/src/linux/arch/sparc/prom/sun4prom.c
Antti Tikkanen
2003-Feb-21 10:54 UTC
[Samba] Joining Samba 3.0 to a "pure" Active Directory
On Thu, 20 Feb 2003, Alexander Skwar wrote:> Hello. > > I'd like to join a Samba 3.0 alpha 21 server running on RedHat 8.0 to an > Active Directory. This AD does NOT support Windows NT 4.0 Domains. > > In a previous mail, I've been asked if I already have Kerberos setup and > tested. I don't. How do I test if Kerberos is working correctly for me?As someone suggested, use 'kinit username@REALM'. You asked in another post how to find out your KDC server: every domain controller is also a KDC, so you should use that. If you get a Kerberos TGT, you have Kerberos working.> If everything is working fine, I'd like the Samba server to join the AD > "europe.delphiauto.net". For this, I should type "net ads join". How > do I specify, which AD is to be joined?In your smb.conf, you should have the lines: security = ADS realm = YOUR_KERBEROS_REALM.EXAMPLE.COM ads server = your_domain_controller.example.com> And if this is also working, I'd like to be able to login to the Samba > server with a username/password which is ONLY in the AD. Do I need any > special privileges in the AD for the server?I don't know what you mean by "special privileges", but I think not. When doing 'net ads join', you must have a TGT for a user that has the required privileges to add a machine account and alter some attributes (a Domain Admin account will do).> When this is also working, I'd like offer shares. However, not every > user should be allowed to "mount" every share - IOW: restriction should > be done on a per user basis. If I maintain a local smbpasswd, I know > that this shouldn't be a problem - but what if I use AD to do the > authentication?Restrictions can be done on a per user basis, see 'man smb.conf', especially things such as 'valid users'. When you use 'security = ADS', this is also not a problem. Antti -- Antti.Tikkanen@hut.fi Helsinki University of Technology Computing Centre
Possibly Parallel Threads
- Active Directory - Which Samba version is needed?
- How to join a linux machine to a "pure" Active DirectoryDomain using Samba 3.0alpha21?
- "Called name not present" - Howto solve?
- How to join a linux machine to a "pure" Active Directory Domain using Samba 3.0alpha21?
- Problmes joining Samba server to Active Directory