Hello,

I recently set up samba to allow authentication against Active Directory for file sharing on a CentOS 4.5. Even if their installer is supposed to do it correctly, it didn't work the way I wanted, so I had to understand how to set it up manually.

The main problem I found with documentation is that there's no one-shot documentation that allows you to join a domain if you meet so many obscure error messages like I had.

I have more knowledge on Gentoo than CentOS (so Red Hat), but what I say here has only been tested on CentOS.

Unfortunately for you, I'm on holidays and won't go back to the office until the second part of October, so I can only tell you what I remember:

You need:
- a Kerberos client
- an ntp daemon to set your clock according to your domain controller (more than 5 minutes offset will lead Kerberos not to deliver tickets)
- samba with winbind support
- to manually record your machine in the DNS used by AD

Set up samba with ads security (refer to the official samba howto). Be sure your smb.conf has winbind configuration directives.

Files I remember I updated (CentOS architecture):
- /etc/samba/smb.conf
- /etc/sysconfig/network (for the hostname of your machine to be the FQDN, e.g. tux.mywindows.domain.corp, and `hostname --fqdn` must immediately answer) => /etc/conf.d/hostname on Gentoo
- /etc/nsswitch.conf to add winbind for a few things (passwd, group, shadow if I remember, with less priority than files; otherwise it will take long to log in as a local user)
- /etc/krb5.conf, /etc/krb.conf [backward compatibility, may not be needed on Gentoo; try without, that's one file less to manage] (documentations give the few lines required)

You'll also have to modify PAM config files for local access matching against AD, but I didn't try it.

Before you frag your brain out with samba and winbind, you must succeed at a `kinit mywindowsuser` and see your ticket with `klist`. And be sure you can resolve local names with an nslookup. Some recommend you set the name and IP of your Domain Controller (DC) in /etc/hosts to avoid DNS failure.

To join a domain, use the net join ads command, as explained in the docs: it must work. If it doesn't, don't look forward: solve this problem, as it means you cannot access your DC.

There's no need to configure LDAP if you use an AD architecture. And unless your DC is configured otherwise, it should offer you all required services (Kerberos, ntp, dns).

Don't hesitate to set the log level of samba to 4 or the example value of the man page to get what's wrong.

Don't look for complex configuration: a few simple lines do the job for matching AD. If you can identify against AD for file shares, then you just ( :D ) have to set up pam for the main login. I'd say there are 3 or 4 winbind directives (uid/gid range, auto append default domain, etc.) and 5 important samba directives in smb.conf.

I hope this fragment can help you a little bit,
Jil.
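A pre-flight script that runs the checks the mail says must pass before touching winbind or `net ads join` (FQDN hostname, DC resolvable, clock within Kerberos' 5-minute skew, `kinit`/`klist`). This is an added example, not part of Jil's mail; REALM, DC and DOMAIN_USER are assumed placeholders, and the live checks only run when PREFLIGHT_RUN=1 so the helper functions can be tested offline.

```shell
#!/bin/sh
# Pre-flight checks before "net ads join" (added example; not from the original post).
# REALM, DC and DOMAIN_USER are assumed placeholders: replace them with your own values.
REALM="${REALM:-MYWINDOWS.DOMAIN.CORP}"
DC="${DC:-dc1.mywindows.domain.corp}"
DOMAIN_USER="${DOMAIN_USER:-mywindowsuser}"
MAX_SKEW=300   # seconds; Kerberos refuses tickets beyond 5 minutes of clock skew

# fqdn_ok HOSTNAME: succeeds only if HOSTNAME is a fully qualified name inside the
# realm's DNS domain (e.g. tux.mywindows.domain.corp), as "hostname --fqdn" must return.
fqdn_ok() {
    domain=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')
    case "$1" in
        "$domain"|.*|*..*) return 1 ;;   # bare domain name or malformed labels
        *."$domain")       return 0 ;;
        *)                 return 1 ;;
    esac
}

# ntp_offset_seconds: reads "ntpdate -q DC" output on stdin, prints the first offset value
ntp_offset_seconds() {
    awk '/offset/ { for (i = 1; i <= NF; i++) if ($i == "offset") { sub(/,$/, "", $(i + 1)); print $(i + 1); exit } }'
}

# clock_skew_ok OFFSET: succeeds if |OFFSET| <= MAX_SKEW (fractional seconds allowed)
clock_skew_ok() {
    awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit (o <= m) ? 0 : 1 }'
}

# run_preflight: the live checks, in the order the mail recommends doing them
run_preflight() {
    fqdn_ok "$(hostname --fqdn)"   || { echo "hostname is not a FQDN inside $REALM"; return 1; }
    nslookup "$DC" >/dev/null 2>&1 || { echo "cannot resolve DC $DC (fix DNS or /etc/hosts)"; return 1; }
    off=$(ntpdate -q "$DC" | ntp_offset_seconds)
    clock_skew_ok "${off:-999}"    || { echo "clock offset ${off:-unknown}s vs $DC; fix ntp first"; return 1; }
    kinit "$DOMAIN_USER@$REALM"    || { echo "kinit failed; check /etc/krb5.conf and DNS"; return 1; }
    klist
    echo "pre-flight OK; now run: net ads join -U $DOMAIN_USER"
}

# Only run the live checks when asked, so the functions can be sourced or tested alone.
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then run_preflight; fi
```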