1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >Samba as a ADS domain member</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
10 TITLE="SAMBA Project Documentation"
11 HREF="samba-howto-collection.html"><LINK
13 TITLE="Type of installation"
14 HREF="type.html"><LINK
16 TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain"
17 HREF="samba-bdc.html"><LINK
19 TITLE="Samba as a NT4 domain member"
20 HREF="domain-security.html"></HEAD
31 SUMMARY="Header navigation table"
40 >SAMBA Project Documentation</TH
62 HREF="domain-security.html"
77 >Chapter 9. Samba as a ADS domain member</H1
79 >This is a VERY ROUGH guide to setting up the current (November 2001)
80 pre-alpha version of Samba 3.0 with kerberos authentication against a
81 Windows2000 KDC. The procedures listed here are likely to change as
84 >Pieces you need before you begin:
92 >a Windows 2000 server.</TD
96 >samba 3.0 or higher.</TD
100 >the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work.</TD
104 >the OpenLDAP development libraries.</TD
118 >9.1. Installing the required packages for Debian</H1
120 >On Debian you need to install the following packages:
147 >9.2. Installing the required packages for RedHat</H1
149 >On RedHat this means you should have at least:
157 >krb5-workstation (for kinit)</TD
161 >krb5-libs (for linking with)</TD
165 >krb5-devel (because you are compiling from source)</TD
173 >in addition to the standard development environment.</P
175 >Note that these are not standard on a RedHat install, and you may need
176 to get them off CD2.</P
185 >9.3. Compile Samba</H1
187 >If your kerberos libraries are in a non-standard location then
188 remember to add the configure option --with-krb5=DIR.</P
190 >After you run configure make sure that include/config.h contains
194 CLASS="PROGRAMLISTING"
196 #define HAVE_LDAP 1</PRE
199 >If it doesn't then configure did not find your krb5 libraries or
200 your ldap libraries. Look in config.log to figure out why and fix
203 >Then compile and install Samba as usual. You must use at least the
204 following 3 options in smb.conf:</P
207 CLASS="PROGRAMLISTING"
208 > realm = YOUR.KERBEROS.REALM
209 ads server = your.kerberos.server
211 encrypt passwords = yes</PRE
214 >Strictly speaking, you can omit the realm name and you can use an IP
215 address for the ads server. In that case Samba will auto-detect these.</P
217 >You do *not* need a smbpasswd file, although it won't do any harm
218 and if you have one then Samba will be able to fall back to normal
219 password security for older clients. I expect that the above
220 required options will change soon when we get better active
221 directory integration.</P
230 >9.4. Setup your /etc/krb5.conf</H1
232 >The minimal configuration for krb5.conf is:</P
235 CLASS="PROGRAMLISTING"
237 YOUR.KERBEROS.REALM = {
238 kdc = your.kerberos.server
242 >Test your config by doing a "kinit USERNAME@REALM" and making sure that
243 your password is accepted by the Win2000 KDC. </P
245 >NOTE: The realm must be uppercase. </P
247 >You also must ensure that you can do a reverse DNS lookup on the IP
248 address of your KDC. Also, the name that this reverse lookup maps to
249 must either be the netbios name of the KDC (ie. the hostname with no
250 domain attached) or it can alternatively be the netbios name
251 followed by the realm. </P
253 >The easiest way to ensure you get this right is to add a /etc/hosts
254 entry mapping the IP address of your KDC to its netbios name. If you
255 don't get this right then you will get a "local error" when you try
256 to join the realm.</P
258 >If all you want is kerberos support in smbclient then you can skip
259 straight to step 5 now. Step 3 is only needed if you want kerberos
269 >9.5. Create the computer account</H1
271 >Do a "kinit" as a user that has authority to change arbitrary
272 passwords on the KDC ("Administrator" is a good choice). Then as a
273 user that has write permission on the Samba private directory
286 >9.5.1. Possible errors</H2
294 >"bash: kinit: command not found"</DT
297 >kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</P
300 >"ADS support not compiled in"</DT
303 >Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</P
317 >9.6. Test your server setup</H1
319 >On a Windows 2000 client try <B
321 >net use * \\server\share</B
323 be logged in with kerberos without needing to know a password. If
324 this fails then run <B
327 >. Did you get a ticket for the
328 server? Does it have an encoding type of DES-CBC-MD5 ? </P
337 >9.7. Testing with smbclient</H1
339 >On your Samba server try to login to a Win2000 server or your Samba
340 server using smbclient and kerberos. Use smbclient as usual, but
341 specify the -k option to choose kerberos authentication.</P
352 >You must change administrator password at least once after DC install,
353 to create the right encoding types</P
355 >w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
356 their defaults DNS setup. Maybe fixed in service packs?</P
364 SUMMARY="Footer navigation table"
375 HREF="samba-bdc.html"
384 HREF="samba-howto-collection.html"
393 HREF="domain-security.html"
403 >How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD
417 >Samba as a NT4 domain member</TD