| 1 |
Thanks everyone. I was actually hoping for a "read the google, newb" |
| 2 |
response, as long as it had the right search terms, cause I didn't have a |
| 3 |
clue what to google for :). So again, thanks, I've downloaded a pile of |
| 4 |
howto's to my workstation and I work on it on my dead time. |
| 5 |
|
| 6 |
On Sun, Aug 10, 2008 at 3:09 PM, Jil Larner <jil@××××.eu> wrote: |
| 7 |
|
| 8 |
> Hello, |
| 9 |
> |
| 10 |
> I recently set up samba to allow authentification against Active Directory |
| 11 |
> for file sharing on a CentOS 4.5. Even if their installer is supposed to do |
| 12 |
> it correctly, it didn't work the way I wanted, so I had to understand how to |
| 13 |
> set it up manually. |
| 14 |
> |
| 15 |
> The main problem I found with documentations is that there's no one-shot |
| 16 |
> documentation that allows you to join a domain if you meet so many obscure |
| 17 |
> error messages like I had. |
| 18 |
> |
| 19 |
> I have more knowledge on Gentoo than centOs (so redhat), but what I say |
| 20 |
> here has only been tested on centOS. |
| 21 |
> |
| 22 |
> Unfortunately for you, I'm on hollydays and won't go back to office until |
| 23 |
> second part of October, so I can only tell you what I remember : |
| 24 |
> |
| 25 |
> You need : |
| 26 |
> - a Kerberos client |
| 27 |
> - a ntp daemon to set your clock according to your domain controller (more |
| 28 |
> than 5 minutes offset will lead kerberos not to deliver tickets) |
| 29 |
> - samba with winbind support |
| 30 |
> - manually record your machine in the DNS used by AD |
| 31 |
> |
| 32 |
> Set up samba with ads security (refer to the official samba howto) |
| 33 |
> Be sure your smb.conf has winbind configuration directives |
| 34 |
> |
| 35 |
> Files I remember I updated (CentOS architecture) : |
| 36 |
> - /etc/samba/smb.conf |
| 37 |
> - /etc/sysconfig/network (for the hostname of your machine to be the FQDN |
| 38 |
> e.g. tux.mywindows.domain.corp and `hostname --fqdn` must immediately |
| 39 |
> answer) => /etc/conf.d/hostname on gentoo |
| 40 |
> - /etc/nsswitch.conf to add winbind for a few things (passwd,group,shadow |
| 41 |
> if I remember, with less priority than file; otherwise it will be long to |
| 42 |
> log in as a local user) |
| 43 |
> - /etc/krb5.conf /etc/krb.conf[backward compatibility, may not be needed on |
| 44 |
> gentoo; try without that's one file less to manage] (documentations give the |
| 45 |
> few lines required) |
| 46 |
> |
| 47 |
> You'll also have to modify PAM config files for local access matching |
| 48 |
> against AD, but I didn't tried it. |
| 49 |
> |
| 50 |
> Before you frag your brain out with samba and winbind, you must succeed a |
| 51 |
> `kinit mywindowsuser` and see your ticket with `klist`. And be sure you can |
| 52 |
> resolve local names with a nslookup. Some recommend you set the name and ip |
| 53 |
> of your Domain Controller (DC) in /etc/hosts to avoid DNS failure. |
| 54 |
> |
| 55 |
> To join a domain, use the net join ads command, as explained in the docs : |
| 56 |
> it must work. If it don't, don't look forward: solve this problem as it |
| 57 |
> means you cannot access your DC. |
| 58 |
> |
| 59 |
> There's no need to configure LDAP if you use an AD architecture. And unless |
| 60 |
> your DC is configured otherwise, it should offer you all required services |
| 61 |
> (kerberos, ntp, dns). |
| 62 |
> |
| 63 |
> Don't hesitate to set up the log level of samba to 4 or the example value |
| 64 |
> of the man page to get what's wrong. |
| 65 |
> |
| 66 |
> Don't look for complex configuration : a few simple lines does the job for |
| 67 |
> matching AD. If you can identify against AD for file shares, then you just ( |
| 68 |
> :D ) have to set up pam for the main login. I'd say there are 3 or 4 winbind |
| 69 |
> directives (uid/gid range, auto append defautl domain, etc) in and 5 |
| 70 |
> important samba directives smb.conf. |
| 71 |
> |
| 72 |
> I hope this fragment can help you a little bit, |
| 73 |
> Jil. |
| 74 |
> |
| 75 |
> |
| 76 |
> |
Archives