[Samba] Joining Samba 3.0 to a "pure" Active Directory
Antti Tikkanen
antti.tikkanen at hut.fi
Fri Feb 21 10:54:34 GMT 2003
On Thu, 20 Feb 2003, Alexander Skwar wrote:
> Hello.
>
> I'd like to join a Samba 3.0 alpha 21 server running on RedHat 8.0 to an
> Active Directory. This AD does NOT support Windows NT 4.0 Domains.
>
> In a previous mail, I've been asked if I already have Kerberos setup and
> tested. I don't. How do I test if Kerberos is working correctly for me?

As someone suggested, use 'kinit username@REALM'. You asked in another
post how to find out your KDC server: every domain controller is also a
KDC, so you should use that. If you get a Kerberos TGT, you have Kerberos
working.

> If everything is working fine, I'd like the Samba server to join the AD
> "europe.delphiauto.net". For this, I should type "net ads join". How
> do I specify, which AD is to be joined?

In your smb.conf, you should have the lines:

    security = ADS
    realm = YOUR_KERBEROS_REALM.EXAMPLE.COM
    ads server = your_domain_controller.example.com

> And if this is also working, I'd like to be able to login to the Samba
> server with a username/password which is ONLY in the AD. Do I need any
> special privileges in the AD for the server?

I don't know what you mean by "special privileges", but I think not. When
doing 'net ads join', you must have a TGT for a user that has the required
privileges to add a machine account and alter some attributes (a Domain
Admin account will do).

> When this is also working, I'd like offer shares. However, not every
> user should be allowed to "mount" every share - IOW: restriction should
> be done on a per user basis. If I maintain a local smbpasswd, I know
> that this shouldn't be a problem - but what if I use AD to do the
> authentication?

Restrictions can be done on a per user basis, see 'man smb.conf',
especially things such as 'valid users'. When you use 'security = ADS',
this is also not a problem.

Antti
--
Antti.Tikkanen at hut.fi
Helsinki University of Technology
Computing Centre
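
Added example, not part of the original message or of Samba itself: a small pre-join audit that checks an smb.conf for the settings named in the reply above (security = ADS and a realm) and lists every share that has no 'valid users' restriction. The sample configuration, its realm, host and share names, and the function name audit_smb_conf are constructed for illustration.

```python
import configparser

# Constructed sample smb.conf; realm, host, paths and share names are made up.
SAMPLE_SMB_CONF = """
[global]
    security = ADS
    realm = CORP.EXAMPLE.COM
    ads server = dc1.corp.example.com

[finance]
    path = /srv/finance
    valid users = alice, bob

[scratch]
    path = /srv/scratch
"""

# Sections that are not ordinary file shares.
SPECIAL_SECTIONS = {"global", "homes", "printers"}


def audit_smb_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    # Strip indentation so configparser does not read it as a continuation line.
    cleaned = "\n".join(line.strip() for line in text.splitlines())
    # interpolation=None keeps smb.conf macros such as %U from being expanded.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   default_section="__unused__")
    cp.read_string(cleaned)
    # smb.conf section names are case-insensitive; configparser's are not.
    sections = {name.lower(): cp[name] for name in cp.sections()}
    glob = sections.get("global")
    if glob is None:
        return ["no [global] section found"]
    findings = []
    if glob.get("security", "").strip().lower() != "ads":
        findings.append("global: 'security' is not ADS")
    if not glob.get("realm", "").strip():
        findings.append("global: 'realm' is not set")
    for name, share in sections.items():
        if name in SPECIAL_SECTIONS:
            continue
        # An empty 'valid users' (the default) places no per-user limit on the share.
        if not share.get("valid users", "").strip():
            findings.append(f"share [{name}]: no 'valid users' restriction")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(finding)
```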