1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >Samba as an ADS domain member</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
10 TITLE="SAMBA Project Documentation"
11 HREF="samba-howto-collection.html"><LINK
13 TITLE="Type of installation"
14 HREF="type.html"><LINK
16 TITLE="Samba Backup Domain Controller to Samba Domain Control"
17 HREF="samba-bdc.html"><LINK
19 TITLE="Samba as a NT4 or Win2k domain member"
20 HREF="domain-member.html"></HEAD
31 SUMMARY="Header navigation table"
40 >SAMBA Project Documentation</TH
62 HREF="domain-member.html"
77 >Chapter 9. Samba as an ADS domain member</H1
87 HREF="ads.html#AEN1363"
95 HREF="ads.html#AEN1376"
103 HREF="ads.html#ADS-CREATE-MACHINE-ACCOUNT"
104 >Create the computer account</A
108 HREF="ads.html#ADS-TEST-SERVER"
109 >Test your server setup</A
113 HREF="ads.html#ADS-TEST-SMBCLIENT"
121 HREF="ads.html#AEN1424"
127 >This is a rough guide to setting up Samba 3.0 with Kerberos authentication against a
141 >You must use at least the following 3 options in smb.conf:</P
144 CLASS="PROGRAMLISTING"
145 > realm = YOUR.KERBEROS.REALM
147 encrypt passwords = yes</PRE
150 >If Samba can't figure out your ADS server using your realm name, use the
159 CLASS="PROGRAMLISTING"
160 > ads server = your.kerberos.server</PRE
176 SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
183 >You do *not* need a smbpasswd file, and older clients will
184 be authenticated as if <B
186 >security = domain</B
188 although it won't do any harm
189 and allows you to have local users not in the domain.
190 I expect that the above required options will change soon when we get better
191 Active Directory integration.</P
209 >The minimal configuration for <TT
215 CLASS="PROGRAMLISTING"
217 YOUR.KERBEROS.REALM = {
218 kdc = your.kerberos.server
222 >Test your config by doing a <KBD
231 > and making sure that
232 your password is accepted by the Win2000 KDC. </P
247 SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
254 >The realm must be uppercase. </P
260 >You must also ensure that you can do a reverse DNS lookup on the IP
261 address of your KDC. Also, the name that this reverse lookup maps to
262 must either be the NetBIOS name of the KDC (i.e. the hostname with no
263 domain attached) or it can alternatively be the NetBIOS name
264 followed by the realm. </P
266 >The easiest way to ensure you get this right is to add a
270 > entry mapping the IP address of your KDC to
271 its NetBIOS name. If you don't get this right then you will get a
272 "local error" when you try to join the realm.</P
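The uppercase-realm note and the reverse-DNS rule above can be checked before attempting the join. The following preflight check is an added example, not part of the original Samba documentation; the function names, the address 192.0.2.10, the host name KDC1 and the realm EXAMPLE.COM are constructed, and the case-insensitive name comparison is an assumption based on DNS names being case-insensitive.

```python
import socket

def realm_is_uppercase(realm):
    """The page's note: the realm must be uppercase."""
    return bool(realm) and realm == realm.upper()

def ptr_name_ok(ptr_name, netbios_name, realm):
    """True if the reverse-lookup name is the KDC's NetBIOS name alone,
    or the NetBIOS name followed by the realm. Compared case-insensitively
    (assumption: DNS names are case-insensitive)."""
    name = ptr_name.rstrip(".").lower()
    short = netbios_name.lower()
    return name in (short, short + "." + realm.lower())

def preflight(kdc_ip, netbios_name, realm, resolver=socket.gethostbyaddr):
    """Return a list of problems; an empty list means both checks passed.
    `resolver` is injectable so the check can be exercised offline."""
    problems = []
    if not realm_is_uppercase(realm):
        problems.append("realm %r is not uppercase" % realm)
    try:
        ptr_name = resolver(kdc_ip)[0]   # primary name of the reverse lookup
    except OSError as exc:               # covers socket.herror / gaierror
        problems.append("no reverse DNS for %s: %s" % (kdc_ip, exc))
        return problems
    if not ptr_name_ok(ptr_name, netbios_name, realm):
        problems.append("%s reverse-resolves to %r, expected %r or %r" % (
            kdc_ip, ptr_name, netbios_name.lower(),
            netbios_name.lower() + "." + realm.lower()))
    return problems

if __name__ == "__main__":
    # Constructed sample data: a fake resolver standing in for DNS or /etc/hosts.
    fake_dns = {"192.0.2.10": "kdc1.corp.example.com"}
    def fake_resolver(ip):
        if ip not in fake_dns:
            raise OSError("host not found")
        return (fake_dns[ip], [], [ip])
    # The PTR name carries an extra label, so a mismatch is reported before any join.
    for problem in preflight("192.0.2.10", "KDC1", "EXAMPLE.COM", fake_resolver):
        print("FAIL:", problem)
```

Called without the `resolver` argument, `preflight` uses the system resolver, so it also sees entries added to the local hosts file.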
274 >If all you want is Kerberos support in <SPAN
279 HREF="ads.html#ADS-TEST-SMBCLIENT"
286 HREF="ads.html#ADS-CREATE-MACHINE-ACCOUNT"
287 >Creating a computer account</A
290 HREF="ads.html#ADS-TEST-SERVER"
291 >testing your servers</A
293 is only needed if you want Kerberos
307 NAME="ADS-CREATE-MACHINE-ACCOUNT"
308 >9.3. Create the computer account</A
311 >As a user that has write permission on the Samba private directory
323 >9.3.1. Possible errors</A
332 >"ADS support not compiled in"</DT
335 >Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the Kerberos libraries and headers are installed.</P
347 NAME="ADS-TEST-SERVER"
348 >9.4. Test your server setup</A
351 >On a Windows 2000 client try <KBD
353 >net use * \\server\share</KBD
355 be logged in with Kerberos without needing to know a password. If
356 this fails then run <KBD
359 >. Did you get a ticket for the
360 server? Does it have an encoding type of DES-CBC-MD5? </P
367 NAME="ADS-TEST-SMBCLIENT"
368 >9.5. Testing with <SPAN
374 >On your Samba server try to log in to a Win2000 server or your Samba
378 > and Kerberos. Use <SPAN
385 > option to choose Kerberos authentication.</P
396 >You must change the administrator password at least once after DC
397 installation to create the right encoding types.</P
399 >Windows 2000 doesn't seem to create the _kerberos._udp and _ldap._tcp entries in
400 its default DNS setup. Maybe fixed in service packs?</P
408 SUMMARY="Footer navigation table"
419 HREF="samba-bdc.html"
428 HREF="samba-howto-collection.html"
437 HREF="domain-member.html"
447 >Samba Backup Domain Controller to Samba Domain Control</TD
461 >Samba as a NT4 or Win2k domain member</TD