samba - Feb 2003 - Joining Samba 3.0 to a "pure" Active Directory

Hello.

I'd like to join a Samba 3.0 alpha 21 server running on RedHat 8.0 to an
Active Directory.  This AD does NOT support Windows NT 4.0 Domains.

In a previous mail, I've been asked if I already have Kerberos setup and
tested.  I don't.  How do I test if Kerberos is working correctly for me?

If everything is working fine, I'd like the Samba server to join the AD
"europe.delphiauto.net".  For this, I should type "net ads
join".  How
do I specify, which AD is to be joined?

And if this is also working, I'd like to be able to login to the Samba
server with a username/password which is ONLY in the AD.  Do I need any
special privileges in the AD for the server?

When this is also working, I'd like offer shares.  However, not every
user should be allowed to "mount" every share - IOW: restriction
should
be done on a per user basis.  If I maintain a local smbpasswd, I know
that this shouldn't be a problem - but what if I use AD to do the
authentication?

Thanks a lot for all your help,
Alexander Skwar
-- 
#ifdef STUPIDLY_TRUST_BROKEN_PCMD_ENA_BIT
        2.4.0-test2 /usr/src/linux/drivers/ide/cmd640.c

Alexander Skwar schrieb:
> In a previous mail, I've been asked if I already have Kerberos setup
and
> tested.  I don't.  How do I test if Kerberos is working correctly for
me?
In an off-list mail, someone told me to try

| For test your kerberos
|
| The command
|
| Kinit username@DOMAINE.COM
| And your password username

I'm getting this error:

[root@ugkbase samba]# kinit vz6tml@EUROPE.DELPHIAUTO.NET
kinit(v5): Cannot find KDC for requested realm while getting initial
credentials

In the ads documentation file of samba at http://tinyurl.com/64gv I read
that I need to configure kerberos first:

| The minimal configuration for krb5.conf is:
|
| [realms]
|     YOUR.KERBEROS.REALM = {
|	 kdc = your.kerberos.server
|     }

That's what I did not yet do.

Suppose I've got some Windows clients which are already in the AD -
using these machines, can I figure out the name of the KDC?  If so, how?

Thanks again,


Alexander Skwar
-- 
/* When we have more time, we can teach the penguin to say
 * "By your command" or "Activating turbo boost, Michael".
 */
	2.2.16 /usr/src/linux/arch/sparc/prom/sun4prom.c

On Thu, 20 Feb 2003, Alexander Skwar wrote:
> Hello.
>
> I'd like to join a Samba 3.0 alpha 21 server running on RedHat 8.0 to
an
> Active Directory.  This AD does NOT support Windows NT 4.0 Domains.
>
> In a previous mail, I've been asked if I already have Kerberos setup
and
> tested.  I don't.  How do I test if Kerberos is working correctly for
me?
As someone suggested, use 'kinit username@REALM'. You asked in another
post how to find out your KDC server: every domain controller is also a
KDC, so you should use that. If you get a Kerberos TGT, you have Kerberos
working.
> If everything is working fine, I'd like the Samba server to join the AD
> "europe.delphiauto.net".  For this, I should type "net ads
join".  How
> do I specify, which AD is to be joined?
In your smb.conf, you should have the lines:

  security = ADS
  realm = YOUR_KERBEROS_REALM.EXAMPLE.COM
  ads server = your_domain_controller.example.com
> And if this is also working, I'd like to be able to login to the Samba
> server with a username/password which is ONLY in the AD.  Do I need any
> special privileges in the AD for the server?
I don't know what you mean by "special privileges", but I think
not. When
doing 'net ads join', you must have a TGT for a user that has the
required
privileges to add a machine account and alter some attributes (a Domain
Admin account will do).
> When this is also working, I'd like offer shares.  However, not every
> user should be allowed to "mount" every share - IOW: restriction
should
> be done on a per user basis.  If I maintain a local smbpasswd, I know
> that this shouldn't be a problem - but what if I use AD to do the
> authentication?
Restrictions can be done on a per user basis, see 'man smb.conf',
especially things such as 'valid users'. When you use 'security =
ADS',
this is also not a problem.

Antti

-- 

Antti.Tikkanen@hut.fi
Helsinki University of Technology
Computing Centre