[Samba] security = ADS - IT WORKS!!!!!!!!!
John H Terpstra
jht at samba.org
Fri Jul 23 19:05:11 GMT 2004
Rashaad,
While all this is fresh in your mind, and you are still an expert, would you
please send me patches for the Samba-HOWTO-Collection and for Samba-Guide so
that we can update the documentation.
By fixing the documentation others may avoid the pain you went through.
- John T.
On Friday 23 July 2004 12:40, Rashaad S. Hyndman wrote:
> sorry about that last email that did not contain the resource I used. I
> think it was because I copied the contents of a website which could have
> been considered advertisement because of some of the images. In either case
> enjoy:
>
> http://www.wlug.org.nz/HowtoSamba3AndActiveDirectory
>
>
> ----- Original Message -----
> From: "Rashaad S. Hyndman" <IslandBwoy at ToughGuy.net>
> To: "Rashaad S. Hyndman" <IslandBwoy at ToughGuy.net>; "Tom Skeren"
> <tms3 at fskklaw.com>
> Cc: <samba at lists.samba.org>
> Sent: Friday, July 23, 2004 2:18 PM
> Subject: Re: [Samba] security = ADS - IT WORKS!!!!!!!!!
>
> > Hallelujah!!!!!!!!! It works. With all the documentation I've read including
> > the official samba-3 howto for setting up ADS none of them mentioned what
> > happened to be the most critical piece of information, winbind! Now I've
> > seen a couple of posts that mentioned this daemon but it was not included in the
> > official howtos so I skipped over it. In either case I've included the
> > article that I used to get my samba ADS implementation working. If you have
> > followed other howtos you have probably got 99% of the work done. If
> > you happen to have more questions please feel free to email me and I'll dictate
> > exactly what I have in my environment.
> >
> > Thanks for your input,
> > R.
> >
> > Howto Samba 3 And Active Directory
> > What's this? It's a near-copy of ActiveDirectorySamba, but not linked
> > from anywhere and with a lot of stuff deleted? Please don't
> > DisagreeByDeleting. Can someone who has Samba3 experience shed light on the
> > changes between this page and the other? --AristotlePagaltzis
> >
> > ActiveDirectorySamba is a correct howto for setting up Samba 3 with
> > ActiveDirectory. So it's basically a copy paste from there to here and
> > delete the other. -- GerwinVanDeSteeg
> >
> >
> > --------------------------------------------------------------------------
> >
> > This simple guide is a mostly accurate way to set up a Samba
> > machine as a DomainMember in a Windows 2000 or Windows 2003
> > ActiveDirectory Domain.
>
> > The following setup is used:
> >
> > 192.168.0.1 test1.thinclient.test.org (the AD server,
> > hereafter known as the server)
> >
> > 192.168.0.209 mail.thinclient.test.org (samba3 machine)
> >
> > The Samba system is based upon a stock standard RedHat 9 system
> > with the samba software upgraded to Samba3 (using RPM)
> >
> > The following steps are needed to get the system functioning:
> >
> > 1. configure name resolution using either dns or a hosts file
> > 2. configure samba and winbindd
> > 3. configure kerberos
> > 4. testing the kerberos configuration
> > 5. good luck
> >
> > Configure name resolution
> > ActiveDirectory relies HEAVILY on DNS to resolve not only host
> > names but services they provide as well. To set up DNS on the linux box,
> > see the DNSHowTo, otherwise consult necessary Windows documentation on
> > setting up forward AND reverse DNS zones.
> >
> > As a temporary solution, you can use hosts based authentication,
> > this is ugly and hacky, and should be avoided at all costs. -- JamesSpooner
>
> > The first step is to configure name resolution for our systems. The
> > kerberos authentication system, which we will configure later on,
> > requires us to be able to do a reverse lookup on an IP address to get a
> > fully qualified domain name (FQDN). There are two ways to do this, the
> > cheap and nasty method is to use a hosts file on both systems, which will
> > have entries similar to the following.
> >
> > Samba machine
> > /etc/hosts
> >
> > 127.0.0.1 mail mail.thinclient.test.org localhost.localdomain localhost
> >
> > 192.168.0.1 test1 test1.thinclient.test.org
> >
> > 192.168.0.209 mail mail.thinclient.test.org
> >
> > Surely it would be better to put the FQDN first, and not alias
> > localhost to a name other than localhost? -- PerryLorier
> >
> > Windows Active Directory server
> > %Systemroot%\System32\drivers\etc\hosts[1]
> >
> > 127.0.0.1 test1 test1.thinclient.test.org localhost.localdomain localhost
> >
> > 192.168.0.1 test1 test1.thinclient.test.org
> >
> > 192.168.0.209 mail mail.thinclient.test.org
> >
> > The correct method is to setup DNS on the server which can be done
> > through the DNS console in the AdministrativeTools section of Windows
> > 2000/2003 Server. We won't go into the details of setting this up here, but
> > we will specify the linux side of that here.
> >
> > /etc/resolv.conf
> >
> > search thinclient.test.org
> >
> > domain thinclient.test.org
> >
> > nameserver 192.168.0.1
> >
> > Configure Samba3 and Winbindd
> > This part is the easy one, we just create ourselves a default Samba
> > configuration with at least the following entries (Note this is a completely
> > empty and default configuration file, and you may wish to add more. A
> > file share would be handy to add).
> >
> > /etc/samba/smb.conf
> >
> > [global]
> >
> > # general options
> >
> > workgroup = THINCLIENT
> >
> > netbios name = MAIL
> >
> > # winbindd configuration
> >
> > winbind separator = +
> >
> > idmap uid = 10000-20000
> >
> > idmap gid = 10000-20000
> >
> > winbind enum users = yes
> >
> > winbind enum groups = yes
> >
> > template homedir = /home/%D/%U
> >
> > template shell = /bin/bash
> >
> > # Active directory joining
> >
> > # "ads server" is only necessary if your kdc can't be located using
> > # /etc/krb5.conf -- JamesSpooner
> >
> > # ads server = test1.thinclient.test.org
> >
> > security = ads
> >
> > encrypt passwords = yes
> >
> > realm = thinclient.test.org
> >
> > NB: The important things to pay attention to here are the name of our
> > samba machine (netbios name), the workgroup, and the ActiveDirectory stuff.
>
> > Configure Kerberos5
> > See ActiveDirectoryKerberos on setting up Kerberos to talk to
> > ActiveDirectory.
> >
> > We need to generate a key for our samba machine on the Windows server,
> > and securely import this into our samba machine. To create the keyfile we
> > run the following on the Windows server:
> >
> > ktpass -princ host/mail.thinclient.test.org@THINCLIENT.TEST.ORG \
> >   -mapuser MAIL -pass MAIL1234PASSWORD -out mail.keytab
> >
> > We then transfer the mail.keytab securely to our samba machine by
> > using something similar to SSH or another secure means. And then on the
> > samba machine we will import the keyfile we just generated by using the
> > ktutil program, which is part of the kerberos distribution. The unix
> > commands for ktutil are as follows:
> >
> > % ktutil
> >
> > ktutil: rkt mail.keytab
> >
> > ktutil: list
> >
> > ktutil: wkt /etc/krb5.keytab
> >
> > ktutil: q
> >
> > Alternatively ... as root:
> >
> > net join -U Administrator%password
> >
> > This will join the Samba machine to the ActiveDirectory Domain.
> >
> > References
> > a. Using Kerberos Clients section of the Microsoft
> > Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability
> > b. Authentication to ADS
> > c. The winbindd and Active Directory Domain Member sections of the
> > Samba v3 Documentation
> > d. Really huge manual for samba 3, in this document you can find
> > almost everything
> >
> > --------------------------------------------------------------------------
> >
> > Footnotes
> >
> > [1] %Systemroot% is a variable set by Windows NT and onward to mean
> > "the location where Windows is installed", ie c:\winnt, c:\windows, etc.
> > --------------------------------------------------------------------------
> >
> > Last edited on Tuesday, June 1, 2004 10:04:05 pm by AlastairPorter.
> >
> > Please note that any user can change the contents of pages on this site, and
> > therefore the Waikato Linux Users Group can offer no assurances that the
> > information is correct, and the information on this site is not necessarily
> > the opinion of the Waikato Linux Users Group, or any of its members.
> > Copyright is retained by the individual authors of a page. If you have
> > any complaints about the contents of this page, please do not hesitate to contact
> > the Waikato Linux Users Group, or, click the Edit button below!
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
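As an added example (not code from the WLUG wiki page, the Samba project, or either poster), the script below is a pre-flight checker for the configuration the quoted guide walks through. It parses the smb.conf and /etc/hosts formats shown above, flags the [global] settings the guide says matter for an ADS member (security = ads, realm, workgroup, the idmap ranges), checks the two /etc/hosts problems Perry Lorier raises (FQDN not first, 127.0.0.1 aliased to the machine name) since Kerberos depends on the reverse lookup, and checks that an imported keytab is root-owned and private. The sample smb.conf and hosts contents are constructed to mirror the guide; the keytab path /etc/krb5.keytab is the one the guide writes to.

```python
"""Pre-flight checks for a Samba 3 ADS domain member (added example).

Not code from the WLUG wiki page, the Samba project or the mailing-list
authors.  Parses the smb.conf and /etc/hosts formats the guide shows.
"""
import os
import re

# Constructed sample, mirroring the [global] section in the guide.
SAMPLE_SMB_CONF = """\
[global]
workgroup = THINCLIENT
netbios name = MAIL
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%D/%U
# ads server = test1.thinclient.test.org
security = ads
realm = thinclient.test.org
"""

# Constructed /etc/hosts in the guide's shape (short name first, 127.0.0.1 aliased).
SAMPLE_HOSTS = """\
127.0.0.1 mail mail.thinclient.test.org localhost.localdomain localhost
192.168.0.1 test1 test1.thinclient.test.org
192.168.0.209 mail mail.thinclient.test.org
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, inner whitespace squeezed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line (the commented-out "ads server" is skipped)
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def _parse_range(value):
    """'10000-20000' -> (10000, 20000); None when malformed or inverted."""
    m = re.match(r"^\s*(\d+)\s*-\s*(\d+)\s*$", value or "")
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low < high else None

def check_ads_globals(sections):
    """Return a list of problems found in [global] for an Active Directory member."""
    g = sections.get("global", {})
    problems = []
    if g.get("security", "").lower() != "ads":
        problems.append("security must be 'ads' for an Active Directory member")
    for key in ("realm", "workgroup"):
        if not g.get(key):
            problems.append("%s is not set" % key)
    for key in ("idmap uid", "idmap gid"):
        rng = _parse_range(g.get(key))
        if rng is None:
            problems.append("%s is missing or not of the form low-high" % key)
        elif rng[0] < 1000:
            # winbind-allocated IDs below 1000 can collide with local system accounts
            problems.append("%s starts below 1000 and may clash with local accounts" % key)
    return problems

def check_hosts(text):
    """Return problems that would make a reverse lookup via /etc/hosts return the wrong name."""
    problems = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        if ip.startswith("127."):
            extra = [n for n in names if not n.startswith("localhost")]
            if extra:
                problems.append("%s is aliased to non-localhost names: %s" % (ip, " ".join(extra)))
        elif "." not in names[0]:
            problems.append("%s: first name %r is not an FQDN" % (ip, names[0]))
    return problems

def mode_is_private(mode):
    """True when a file mode grants no group or other permission bits (0600 or tighter)."""
    return (mode & 0o077) == 0

def keytab_is_protected(path="/etc/krb5.keytab"):
    """True if the imported keytab exists, is owned by root and is private."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == 0 and mode_is_private(st.st_mode)
```

Run against the constructed samples, check_ads_globals reports nothing while check_hosts reports all three lines, which is exactly the objection in the wiki comment: the guide's smb.conf is fine, but its hosts file would hand Kerberos the short name. The keytab check covers the guide's "transfer securely" step from the other end: a world-readable /etc/krb5.keytab lets any local user impersonate the machine's host principal, so ktutil's output should be 0600 and root-owned.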