| 1 |
Hello, |
| 2 |
|
| 3 |
I recently set up samba to allow authentification against Active |
| 4 |
Directory for file sharing on a CentOS 4.5. Even if their installer is |
| 5 |
supposed to do it correctly, it didn't work the way I wanted, so I had |
| 6 |
to understand how to set it up manually. |
| 7 |
|
| 8 |
The main problem I found with documentations is that there's no one-shot |
| 9 |
documentation that allows you to join a domain if you meet so many |
| 10 |
obscure error messages like I had. |
| 11 |
|
| 12 |
I have more knowledge on Gentoo than centOs (so redhat), but what I say |
| 13 |
here has only been tested on centOS. |
| 14 |
|
| 15 |
Unfortunately for you, I'm on hollydays and won't go back to office |
| 16 |
until second part of October, so I can only tell you what I remember : |
| 17 |
|
| 18 |
You need : |
| 19 |
- a Kerberos client |
| 20 |
- a ntp daemon to set your clock according to your domain controller |
| 21 |
(more than 5 minutes offset will lead kerberos not to deliver tickets) |
| 22 |
- samba with winbind support |
| 23 |
- manually record your machine in the DNS used by AD |
| 24 |
|
| 25 |
Set up samba with ads security (refer to the official samba howto) |
| 26 |
Be sure your smb.conf has winbind configuration directives |
| 27 |
|
| 28 |
Files I remember I updated (CentOS architecture) : |
| 29 |
- /etc/samba/smb.conf |
| 30 |
- /etc/sysconfig/network (for the hostname of your machine to be the |
| 31 |
FQDN e.g. tux.mywindows.domain.corp and `hostname --fqdn` must |
| 32 |
immediately answer) => /etc/conf.d/hostname on gentoo |
| 33 |
- /etc/nsswitch.conf to add winbind for a few things |
| 34 |
(passwd,group,shadow if I remember, with less priority than file; |
| 35 |
otherwise it will be long to log in as a local user) |
| 36 |
- /etc/krb5.conf /etc/krb.conf[backward compatibility, may not be needed |
| 37 |
on gentoo; try without that's one file less to manage] (documentations |
| 38 |
give the few lines required) |
| 39 |
|
| 40 |
You'll also have to modify PAM config files for local access matching |
| 41 |
against AD, but I didn't tried it. |
| 42 |
|
| 43 |
Before you frag your brain out with samba and winbind, you must succeed |
| 44 |
a `kinit mywindowsuser` and see your ticket with `klist`. And be sure |
| 45 |
you can resolve local names with a nslookup. Some recommend you set the |
| 46 |
name and ip of your Domain Controller (DC) in /etc/hosts to avoid DNS |
| 47 |
failure. |
| 48 |
|
| 49 |
To join a domain, use the net join ads command, as explained in the docs |
| 50 |
: it must work. If it don't, don't look forward: solve this problem as |
| 51 |
it means you cannot access your DC. |
| 52 |
|
| 53 |
There's no need to configure LDAP if you use an AD architecture. And |
| 54 |
unless your DC is configured otherwise, it should offer you all required |
| 55 |
services (kerberos, ntp, dns). |
| 56 |
|
| 57 |
Don't hesitate to set up the log level of samba to 4 or the example |
| 58 |
value of the man page to get what's wrong. |
| 59 |
|
| 60 |
Don't look for complex configuration : a few simple lines does the job |
| 61 |
for matching AD. If you can identify against AD for file shares, then |
| 62 |
you just ( :D ) have to set up pam for the main login. I'd say there are |
| 63 |
3 or 4 winbind directives (uid/gid range, auto append defautl domain, |
| 64 |
etc) in and 5 important samba directives smb.conf. |
| 65 |
|
| 66 |
I hope this fragment can help you a little bit, |
| 67 |
Jil. |
Archives