[Samba] security = ADS - IT WORKS!!!!!!!!!

Rashaad S. Hyndman IslandBwoy at ToughGuy.net
Fri Jul 23 18:40:32 GMT 2004


Sorry about that last email that did not contain the resource I used. I
think it was because I copied the contents of a website which could have
been considered advertisement because of some of the images. In either case,
enjoy:

http://www.wlug.org.nz/HowtoSamba3AndActiveDirectory


----- Original Message ----- 
From: "Rashaad S. Hyndman" <IslandBwoy at ToughGuy.net>
To: "Rashaad S. Hyndman" <IslandBwoy at ToughGuy.net>; "Tom Skeren"
<tms3 at fskklaw.com>
Cc: <samba at lists.samba.org>
Sent: Friday, July 23, 2004 2:18 PM
Subject: Re: [Samba] security = ADS - IT WORKS!!!!!!!!!


> Hallelujah!!!!!!!!! It works. With all the documentation I've read,
> including the official samba-3 howto for setting up ADS, none of them
> mentioned what happened to be the most critical piece of information:
> winbind! Now I've seen a couple of posts that mentioned this daemon, but it
> was not included in the official howtos, so I skipped over it. In either
> case I've included the article that I used to get my samba ADS
> implementation working. If you have followed other howtos you have
> probably got 99% of the work done. If you happen to have more questions,
> please feel free to email me and I'll dictate exactly what I have in my
> environment.
>
> Thanks for your input,
> R.
>
> Howto Samba 3 And Active Directory
>
> The Waikato Linux Users Group hope that this page answers your questions,
> but, if it doesn't, we politely request that if/when you find the answer to
> your question you contribute your information back into this Wiki (via the
> Edit button at the bottom of the page) so that others can also find this
> information more easily.
>
>       What's this? It's a near-copy of ActiveDirectorySamba, but not
> linked from anywhere and with a lot of stuff deleted? Please don't
> DisagreeByDeleting. Can someone who has Samba3 experience shed light on
> the changes between this page and the other? --AristotlePagaltzis
>
>       ActiveDirectorySamba is a correct howto for setting up Samba 3 with
> ActiveDirectory. So it's basically a copy paste from there to here and
> delete the other. -- GerwinVanDeSteeg
>
>
> --------------------------------------------------------------------------
>
>       This simple guide is a mostly accurate way to set up a Samba machine
> as a DomainMember in a Windows 2000 or Windows 2003 ActiveDirectory
> Domain.
>
>       The following setup is used:
>
>         192.168.0.1   test1.thinclient.test.org  (the AD server, hereafter
> known as the server)
>
>         192.168.0.209 mail.thinclient.test.org   (samba3 machine)
>
>       The Samba system is based upon a stock standard RedHat 9 system with
> the samba software upgraded to Samba3 (using RPM)
>
>       The following steps are needed to get the system functioning:
>
>         1. configure name resolution using either dns or a hosts file
>         2. configure samba and winbindd
>         3. configure kerberos
>         4. testing the kerberos configuration
>         5. good luck
>       Configure name resolution
>       ActiveDirectory relies HEAVILY on DNS to resolve not only host names
> but services they provide as well. To set up DNS on the linux box, see the
> DNSHowTo, otherwise consult necessary Windows documentation on setting up
> forward AND reverse DNS zones.
>
>       As a temporary solution, you can use hosts based authentication;
> this is ugly and hacky, and should be avoided at all costs. --
> JamesSpooner
>
>       The first step is to configure name resolution for our systems. The
> kerberos authentication system, which we will configure later on, requires
> us to be able to do a reverse lookup on an IP address to get a fully
> qualified domain name (FQDN). There are two ways to do this; the cheap and
> nasty method is to use a hosts file on both systems, which will have
> entries similar to the following.
>
>       Samba machine
>       /etc/hosts
>
>         127.0.0.1       mail    mail.thinclient.test.org localhost.localdomain   localhost
>
>         192.168.0.1     test1   test1.thinclient.test.org
>
>         192.168.0.209   mail    mail.thinclient.test.org
>
>       Surely it would be better to put the FQDN first, and not alias
> localhost to a name other than localhost? -- PerryLorier
>
>       Windows Active Directory server
>       %Systemroot%\System32\drivers\etc\hosts[1]
>
>         127.0.0.1       test1   test1.thinclient.test.org localhost.localdomain   localhost
>
>         192.168.0.1     test1   test1.thinclient.test.org
>
>         192.168.0.209   mail    mail.thinclient.test.org
>
>       The correct method is to set up DNS on the server, which can be done
> through the DNS console in the AdministrativeTools section of Windows
> 2000/2003 Server. We won't go into the details of setting this up here,
> but we will specify the linux side of that here.
>
>       /etc/resolv.conf
>
>         search      thinclient.test.org
>
>         domain      thinclient.test.org
>
>         nameserver  192.168.0.1
>
>       Configure Samba3 and Winbindd
>       This part is the easy one, we just create ourselves a default Samba
> configuration with at least the following entries (Note this is a
> completely empty and default configuration file, and you may wish to add
> more. A file share would be handy to add).
>
>       /etc/samba/smb.conf
>
>         [global]
>
>           # general options
>
>           workgroup = THINCLIENT
>
>           netbios name = MAIL
>
>           # winbindd configuration
>
>           winbind separator = +
>
>           idmap uid = 10000-20000
>
>           idmap gid = 10000-20000
>
>           winbind enum users = yes
>
>           winbind enum groups = yes
>
>           template homedir = /home/%D/%U
>
>           template shell = /bin/bash
>
>           # Active directory joining
>
>           # "ads server" is only necessary if your kdc can't be located using /etc/krb5.conf -- JamesSpooner
>
>           # ads server = test1.thinclient.test.org
>
>           security = ads
>
>           encrypt passwords = yes
>
>           realm = thinclient.test.org
>
>       NB: The important things to pay attention to here are the name of
> our samba machine (netbios name), the workgroup, and the ActiveDirectory
> stuff.
>
>       Configure Kerberos5
>       See ActiveDirectoryKerberos on setting up Kerberos to talk to
> ActiveDirectory.
>
>       We need to generate a key for our samba machine on the Windows
> server, and securely import this into our samba machine. To create the
> keyfile we run the following on the Windows server:
>
>         ktpass -princ host/mail.thinclient.test.org@THINCLIENT.TEST.ORG \
>                -mapuser MAIL -pass MAIL1234PASSWORD -out mail.keytab
>
>       We then transfer the mail.keytab securely to our samba machine by
> using something similar to SSH or another secure means. And then on the
> samba machine we will import the keyfile we just generated by using the
> ktutil program, which is part of the kerberos distribution. The unix
> commands for ktutil are as follows:
>
>         % ktutil
>
>         ktutil: rkt mail.keytab
>
>         ktutil: list
>
>         ktutil: wkt /etc/krb5.keytab
>
>         ktutil: q
>
>       Alternatively ... as root:
>
>         net join -U Administrator%password
>
>       This will join the Samba machine to the ActiveDirectory Domain.
>
>       References
>         a. Using Kerberos Clients section of the Microsoft: Step-by-Step
> Guide to Kerberos 5 (krb5 1.0) Interoperability
>         b. Authentication to ADS
>         c. The winbindd and Active Directory Domain Member sections of
> the Samba v3 Documentation
>         d. Really huge manual for samba 3; in this document you can find
> almost everything
>
> --------------------------------------------------------------------------
>
>       Footnotes
>
>       [1] %Systemroot% is a variable set by Windows NT and onward to mean
> "the location where Windows is installed", i.e. c:\winnt, c:\windows, etc.
>
>
> --------------------------------------------------------------------------
>
> Last edited on Tuesday, June 1, 2004 10:04:05 pm by AlastairPorter.
>
> Please note that any user can change the contents of pages on this site,
> and therefore the Waikato Linux Users Group can offer no assurances that
> the information is correct, and the information on this site is not
> necessarily the opinion of the Waikato Linux Users Group, or any of its
> members. Copyright is retained by the individual authors of a page. If you
> have any complaints about the contents of this page, please do not hesitate
> to contact the Waikato Linux Users Group, or, click the Edit button below!
>
>
> --------------------------------------------------------------------------
>
>
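As an added example that is not part of this thread or the wiki page it quotes, the POSIX shell script below checks the parts of the howto that are easy to get subtly wrong before running the join: that smb.conf carries the settings the howto calls essential for an ADS member (workgroup, netbios name, realm, security = ads), that the keytab written by ktutil is readable only by its owner (it holds the machine's long-term Kerberos key, which is why the howto insists on transferring it securely), and that a hosts file lists the FQDN first for each address, the ordering PerryLorier asks about above, with 127.0.0.1 kept for localhost. All paths, function names and sample files are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or the WLUG wiki: offline checks for a
# Samba 3 ADS member set up as the howto describes. File paths are parameters;
# make_fixtures writes constructed sample inputs so the script runs anywhere.

# check_smb_conf FILE: 0 if FILE sets workgroup, netbios name, realm and
# "security = ads"; otherwise report what is missing on stderr and return 1.
# Commented-out lines such as "# ads server = ..." do not count as set.
check_smb_conf() {
    conf="$1"; rc=0
    for key in 'workgroup' 'netbios name' 'realm'; do
        if ! grep -Eiq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*[^[:space:]]" "$conf"; then
            echo "smb.conf: '$key' is not set" >&2; rc=1
        fi
    done
    if ! grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$conf"; then
        echo "smb.conf: 'security = ads' is not set (needed for Kerberos/AD membership)" >&2; rc=1
    fi
    return "$rc"
}

# check_keytab_perms FILE: the keytab from "ktutil: wkt /etc/krb5.keytab" is the
# machine's long-term key. Return 0 only if group and others have no access bits.
check_keytab_perms() {
    kt="$1"
    [ -f "$kt" ] || { echo "keytab: $kt does not exist" >&2; return 1; }
    perms=$(ls -l "$kt" | cut -c5-10)      # columns 5-10 of ls -l: group/other rwx bits
    if [ "$perms" != "------" ]; then
        echo "keytab: $kt is readable by group/others (bits: $perms)" >&2; return 1
    fi
    return 0
}

# check_hosts_fqdn FILE IP FQDN: with a hosts file, the first name on an
# address's line is what a reverse lookup returns, and Kerberos wants the FQDN
# there. Return 0 if IP's first name is FQDN, 1 otherwise.
check_hosts_fqdn() {
    hosts="$1"; ip="$2"; fqdn="$3"
    first=$(awk -v ip="$ip" '$1 == ip { print $2; exit }' "$hosts")
    if [ "$first" != "$fqdn" ]; then
        echo "hosts: $ip resolves to '${first:-<nothing>}' first, expected $fqdn" >&2; return 1
    fi
    return 0
}

# check_hosts_localhost FILE: 0 if 127.0.0.1 maps to localhost first rather than
# to the machine's own name.
check_hosts_localhost() {
    first=$(awk '$1 == "127.0.0.1" { print $2; exit }' "$1")
    case "$first" in
        localhost|localhost.localdomain) return 0 ;;
        *) echo "hosts: 127.0.0.1 resolves to '$first' first, not localhost" >&2; return 1 ;;
    esac
}

# make_fixtures DIR: constructed inputs: the howto's smb.conf [global] section, a
# broken variant, the howto's hosts layout and a corrected one, and two keytab
# files whose contents are dummy bytes (only their permission bits matter here).
make_fixtures() {
    dir="$1"
    cat > "$dir/smb.conf" <<'EOF'
[global]
  workgroup = THINCLIENT
  netbios name = MAIL
  # ads server = test1.thinclient.test.org
  security = ads
  encrypt passwords = yes
  realm = thinclient.test.org
EOF
    cat > "$dir/smb-bad.conf" <<'EOF'
[global]
  workgroup = THINCLIENT
  netbios name = MAIL
  security = user
  # realm = thinclient.test.org
EOF
    cat > "$dir/hosts-howto" <<'EOF'
127.0.0.1       mail    mail.thinclient.test.org localhost.localdomain   localhost
192.168.0.1     test1   test1.thinclient.test.org
192.168.0.209   mail    mail.thinclient.test.org
EOF
    cat > "$dir/hosts-fixed" <<'EOF'
127.0.0.1       localhost.localdomain   localhost
192.168.0.1     test1.thinclient.test.org   test1
192.168.0.209   mail.thinclient.test.org    mail
EOF
    printf 'dummy' > "$dir/krb5.keytab";           chmod 600 "$dir/krb5.keytab"
    printf 'dummy' > "$dir/world-readable.keytab"; chmod 644 "$dir/world-readable.keytab"
}

# run_checks DIR: run every check against the fixtures, print PASS/FAIL for each,
# and return the number of failures (0 means everything is clean).
run_checks() {
    dir="$1"; failed=0
    report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; failed=$((failed + 1)); fi; }
    report check_smb_conf        "$dir/smb.conf"
    report check_smb_conf        "$dir/smb-bad.conf"
    report check_keytab_perms    "$dir/krb5.keytab"
    report check_keytab_perms    "$dir/world-readable.keytab"
    report check_hosts_fqdn      "$dir/hosts-howto" 192.168.0.209 mail.thinclient.test.org
    report check_hosts_fqdn      "$dir/hosts-fixed" 192.168.0.209 mail.thinclient.test.org
    report check_hosts_localhost "$dir/hosts-howto"
    report check_hosts_localhost "$dir/hosts-fixed"
    return "$failed"
}

tmp=$(mktemp -d)
make_fixtures "$tmp"
run_checks "$tmp" || echo "$? check(s) failed, as expected for the deliberately bad fixtures"
rm -rf "$tmp"
```

The checks read files rather than talking to a domain controller, so they can be run against a copy of the configuration before `net join`. One caveat for anyone applying the howto to a current Samba release: the `idmap uid` / `idmap gid` range settings it uses belong to the Samba 3.0 era and were later replaced by `idmap config * : range`; running `testparm` on a modern release will flag the parameters it no longer recognises.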



More information about the samba mailing list