Thanks everyone. I was actually hoping for a "read the google, newb"
response, as long as it had the right search terms, 'cause I didn't have a
clue what to google for :). So again, thanks, I've downloaded a pile of
howtos to my workstation and I work on them in my dead time.

On Sun, Aug 10, 2008 at 3:09 PM, Jil Larner <jil@××××.eu> wrote:

> Hello,
>
> I recently set up samba to allow authentication against Active Directory
> for file sharing on a CentOS 4.5. Even if their installer is supposed to do
> it correctly, it didn't work the way I wanted, so I had to understand how to
> set it up manually.
>
> The main problem I found with documentation is that there's no one-shot
> documentation that allows you to join a domain if you meet so many obscure
> error messages like I had.
>
> I have more knowledge of Gentoo than CentOS (so Red Hat), but what I say
> here has only been tested on CentOS.
>
> Unfortunately for you, I'm on holidays and won't go back to the office until
> the second part of October, so I can only tell you what I remember:
>
> You need:
> - a Kerberos client
> - an NTP daemon to set your clock according to your domain controller (more
> than 5 minutes' offset will lead Kerberos not to deliver tickets)
> - samba with winbind support
> - to manually record your machine in the DNS used by AD
>
> Set up samba with ads security (refer to the official samba howto).
> Be sure your smb.conf has winbind configuration directives.
>
> Files I remember I updated (CentOS architecture):
> - /etc/samba/smb.conf
> - /etc/sysconfig/network (for the hostname of your machine to be the FQDN,
> e.g. tux.mywindows.domain.corp, and `hostname --fqdn` must immediately
> answer) => /etc/conf.d/hostname on Gentoo
> - /etc/nsswitch.conf to add winbind for a few things (passwd, group, shadow
> if I remember, with less priority than files; otherwise it will take long to
> log in as a local user)
> - /etc/krb5.conf, /etc/krb.conf [backward compatibility, may not be needed on
> Gentoo; try without, that's one file less to manage] (documentations give the
> few lines required)
>
> You'll also have to modify PAM config files for local access matching
> against AD, but I didn't try it.
>
> Before you frag your brain out with samba and winbind, you must succeed at a
> `kinit mywindowsuser` and see your ticket with `klist`. And be sure you can
> resolve local names with an nslookup. Some recommend you set the name and IP
> of your Domain Controller (DC) in /etc/hosts to avoid DNS failure.
>
> To join a domain, use the net join ads command, as explained in the docs:
> it must work. If it doesn't, don't look forward: solve this problem as it
> means you cannot access your DC.
>
> There's no need to configure LDAP if you use an AD architecture. And unless
> your DC is configured otherwise, it should offer you all required services
> (Kerberos, NTP, DNS).
>
> Don't hesitate to set the log level of samba to 4 or the example value
> of the man page to get what's wrong.
>
> Don't look for complex configuration: a few simple lines do the job for
> matching AD. If you can identify against AD for file shares, then you just
> (:D) have to set up PAM for the main login. I'd say there are 3 or 4 winbind
> directives (uid/gid range, auto append default domain, etc.) and 5
> important samba directives in smb.conf.
>
> I hope this fragment can help you a little bit,
> Jil.
>
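The checklist in Jil's message (clock skew within the five-minute Kerberos tolerance, `hostname --fqdn` answering with a real name, winbind listed after files in nsswitch.conf, the handful of smb.conf directives, and name resolution plus kinit/klist before attempting the join) can be turned into a pre-flight script. The one below is an added example for this thread, not code from either poster. The Samba directive names it checks (`security = ads`, `realm`, `workgroup`, `idmap uid` or `idmap config * : range`, `winbind use default domain`) are Samba's own; the 300-second threshold, the sample smb.conf and nsswitch.conf contents in `self_check`, and the DC and user names in the usage line are constructed for the example. `--self-check` exercises the parsers offline; `--live <dc> <user>` runs the real checks on the host (it assumes GNU `hostname`, `nslookup`, `ntpdate`, `kinit` and `klist` are installed) before you run the join.

```shell
#!/bin/sh
# Pre-flight checks for a Samba/winbind host before joining Active Directory.
# Added example for this thread (not the posters' code). It tests what the
# message lists: clock skew within Kerberos' 5-minute tolerance, a real FQDN
# from `hostname --fqdn`, winbind after files in nsswitch.conf, and the few
# smb.conf [global] directives that matter. Directive names are Samba's own;
# the threshold, sample file contents and host names are constructed.

MAX_SKEW_SECONDS=300   # assumption: Kerberos' default 5-minute clock-skew limit

# clock_skew_ok OFFSET_SECONDS -> 0 if |offset| <= MAX_SKEW_SECONDS (fractions allowed)
clock_skew_ok() {
    awk -v s="$1" -v m="$MAX_SKEW_SECONDS" 'BEGIN { if (s < 0) s = -s; exit !(s <= m) }'
}

# fqdn_ok NAME -> 0 if NAME has host.domain form and is not a localhost placeholder
fqdn_ok() {
    case "$1" in
        ''|localhost|localhost.*|*.localdomain) return 1 ;;
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# nsswitch_ok FILE -> 0 if passwd, group and shadow each list "files" before "winbind"
# (winbind first makes every local login wait on the DC, as the message warns)
nsswitch_ok() {
    for db in passwd group shadow; do
        awk -v db="$db" '
            /^[[:space:]]*#/ { next }
            $1 == (db ":") {
                f = w = 0
                for (i = 2; i <= NF; i++) { if ($i == "files") f = i; if ($i == "winbind") w = i }
                if (f && w && f < w) ok = 1
            }
            END { exit !ok }' "$1" || return 1
    done
}

# smbconf_ok FILE -> 0 if [global] has security = ads, realm, workgroup, an idmap
# range (old "idmap uid" or new "idmap config * : range") and winbind use default
# domain. Samba ignores case and whitespace in keys, so both are normalised away.
smbconf_ok() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { sect = tolower($0); gsub(/[][[:space:]]/, "", sect); next }
        sect == "global" && index($0, "=") {
            p = index($0, "=")
            key = tolower(substr($0, 1, p - 1)); gsub(/[[:space:]]/, "", key)
            val = tolower(substr($0, p + 1));    gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            cfg[key] = val
        }
        END {
            ok = cfg["security"] == "ads" && cfg["realm"] != "" && cfg["workgroup"] != ""
            ok = ok && (cfg["idmapuid"] != "" || cfg["idmapconfig*:range"] != "")
            ok = ok && (cfg["winbindusedefaultdomain"] == "yes" || cfg["winbindusedefaultdomain"] == "true")
            exit !ok
        }' "$1"
}

# preflight_live DC USER: run the real checks on this host (needs GNU hostname,
# nslookup, ntpdate, kinit, klist). Returns non-zero if anything failed.
preflight_live() {
    dc=$1; user=$2; rc=0
    fqdn_ok "$(hostname --fqdn 2>/dev/null)" || { echo "FAIL: hostname --fqdn is not a FQDN"; rc=1; }
    nsswitch_ok /etc/nsswitch.conf   || { echo "FAIL: winbind missing or before files in nsswitch.conf"; rc=1; }
    smbconf_ok /etc/samba/smb.conf   || { echo "FAIL: smb.conf lacks the ads/winbind essentials"; rc=1; }
    nslookup "$dc" >/dev/null 2>&1   || { echo "FAIL: cannot resolve $dc (fix DNS or use /etc/hosts)"; rc=1; }
    skew=$(ntpdate -q "$dc" 2>/dev/null | sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | head -n 1)
    clock_skew_ok "${skew:-9999}"    || { echo "FAIL: clock offset ${skew:-unknown}s against $dc"; rc=1; }
    kinit "$user" && klist           || { echo "FAIL: kinit/klist for $user; fix Kerberos before samba"; rc=1; }
    return $rc
}

# self_check -> 0 when constructed good files pass and constructed bad files fail
self_check() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[global]' '  workgroup = MYWINDOWS' '  realm = MYWINDOWS.DOMAIN.CORP' \
        '  security = ads' '  idmap config * : range = 10000-20000' \
        '  winbind use default domain = yes' '[share]' '  path = /srv/share' > "$d/smb.good"
    printf '%s\n' '[global]' '  workgroup = MYWINDOWS' '  security = user' > "$d/smb.bad"
    printf '%s\n' 'passwd: files winbind' 'group:  files winbind' 'shadow: files winbind' > "$d/nss.good"
    printf '%s\n' 'passwd: winbind files' 'group:  files winbind' 'shadow: files' > "$d/nss.bad"
    smbconf_ok "$d/smb.good" && nsswitch_ok "$d/nss.good" &&
        ! smbconf_ok "$d/smb.bad" && ! nsswitch_ok "$d/nss.bad"
    rc=$?
    rm -rf "$d"
    return $rc
}

case "${1:-}" in
    --live)       preflight_live "$2" "$3" ;;
    --self-check) self_check && echo "self-check passed" ;;
esac
```

Each failing line points back at one step of the message: a FQDN or DNS failure is the `/etc/sysconfig/network` and `/etc/hosts` advice, the nsswitch check enforces the "less priority than files" ordering, and a kinit/klist failure means Kerberos itself is broken and samba is not yet worth debugging.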