[Samba] security = ADS - IT WORKS!!!!!!!!!

Rashaad S. Hyndman IslandBwoy at ToughGuy.net
Fri Jul 23 19:30:51 GMT 2004


For sure. I'll do that on the weekend!


----- Original Message ----- 
From: "John H Terpstra" <jht at samba.org>
To: "Rashaad S. Hyndman" <IslandBwoy at ToughGuy.net>
Cc: <samba at lists.samba.org>
Sent: Friday, July 23, 2004 3:05 PM
Subject: Re: [Samba] security = ADS - IT WORKS!!!!!!!!!


> Rashaad,
>
> While all this is fresh in your mind, and you are still an expert, would
> you please send me patches for the Samba-HOWTO-Collection and for
> Samba-Guide so that we can update the documentation.
>
> By fixing the documentation others may avoid the pain you went through.
>
> - John T.
>
>
> On Friday 23 July 2004 12:40, Rashaad S. Hyndman wrote:
> > sorry about that last email that did not contain the resource I used. I
> > think it was because I copied the contents of a website which could have
> > been considered advertisement because of some of the images. In either
> > case enjoy:
> >
> > http://www.wlug.org.nz/HowtoSamba3AndActiveDirectory
> >
> >
> > ----- Original Message -----
> > From: "Rashaad S. Hyndman" <IslandBwoy at ToughGuy.net>
> > To: "Rashaad S. Hyndman" <IslandBwoy at ToughGuy.net>; "Tom Skeren"
> > <tms3 at fskklaw.com>
> > Cc: <samba at lists.samba.org>
> > Sent: Friday, July 23, 2004 2:18 PM
> > Subject: Re: [Samba] security = ADS - IT WORKS!!!!!!!!!
> >
> > > Hallelujah!!!!!!!!! It works. With all the documentation I've read,
> > > including the official Samba-3 HOWTO for setting up ADS, none of them
> > > mentioned what happened to be the most critical piece of information,
> > > winbind! Now I've seen a couple of posts that mentioned this daemon, but
> > > it was not included in the official HOWTOs, so I skipped over it. In
> > > either case I've included the article that I used to get my Samba ADS
> > > implementation working. If you have followed other HOWTOs you have
> > > probably got 99% of the work done. If you happen to have more questions
> > > please feel free to email me and I'll dictate exactly what I have in my
> > > environment.
> > >
> > > Thanks for your input,
> > > R.
> > >
> > > Howto Samba 3 And Active Directory
> > >
> > >       What's this? It's a near-copy of ActiveDirectorySamba, but not
> > > linked from anywhere and with a lot of stuff deleted? Please don't
> > > DisagreeByDeleting. Can someone who has Samba3 experience shed light on
> > > the changes between this page and the other? --AristotlePagaltzis
> > >
> > >       ActiveDirectorySamba is a correct howto for setting up Samba 3 with
> > > ActiveDirectory. So it's basically a copy paste from there to here and
> > > delete the other. -- GerwinVanDeSteeg
> > >
> > >
> > > ----------------------------------------------------------------------
> > >
> > >       This simple guide is a mostly accurate way to set up a Samba
> > > machine as a DomainMember in a Windows 2000 or Windows 2003
> > > ActiveDirectory Domain.
> > >
> > >       The following setup is used:
> > >
> > >         192.168.0.1   test1.thinclient.test.org  (the AD server, hereafter known as the server)
> > >         192.168.0.209 mail.thinclient.test.org   (samba3 machine)
> > >
> > >       The Samba system is based upon a stock standard RedHat 9 system
> > > with the samba software upgraded to Samba3 (using RPM).
> > >
> > >       The following steps are needed to get the system functioning:
> > >
> > >         1. configure name resolution using either DNS or a hosts file
> > >         2. configure samba and winbindd
> > >         3. configure kerberos
> > >         4. testing the kerberos configuration
> > >         5. good luck
> > >       Configure name resolution
> > >       ActiveDirectory relies HEAVILY on DNS to resolve not only host
> > > names but the services they provide as well. To set up DNS on the linux
> > > box, see the DNSHowTo, otherwise consult the necessary Windows
> > > documentation on setting up forward AND reverse DNS zones.
> > >
> > >       As a temporary solution, you can use hosts-based authentication;
> > > this is ugly and hacky, and should be avoided at all costs. --
> > > JamesSpooner
> > >
> > >       The first step is to configure name resolution for our systems. The
> > > kerberos authentication system, which we will configure later on,
> > > requires us to be able to do a reverse lookup on an IP address to get a
> > > fully qualified domain name (FQDN). There are two ways to do this; the
> > > cheap and nasty method is to use a hosts file on both systems, which will
> > > have entries similar to the following.
> > >
> > >       Samba machine
> > >       /etc/hosts
> > >
> > >         127.0.0.1       mail    mail.thinclient.test.org localhost.localdomain   localhost
> > >         192.168.0.1     test1   test1.thinclient.test.org
> > >         192.168.0.209   mail    mail.thinclient.test.org
> > >
> > >       Surely it would be better to put the FQDN first, and not alias
> > > localhost to a name other than localhost? -- PerryLorier
> > >
> > >       Windows Active Directory server
> > >       %Systemroot%\System32\drivers\etc\hosts[1]
> > >
> > >         127.0.0.1       test1   test1.thinclient.test.org localhost.localdomain   localhost
> > >         192.168.0.1     test1   test1.thinclient.test.org
> > >         192.168.0.209   mail    mail.thinclient.test.org
> > >
> > >       The correct method is to set up DNS on the server, which can be
> > > done through the DNS console in the AdministrativeTools section of
> > > Windows 2000/2003 Server. We won't go into the details of setting this
> > > up here, but we will specify the linux side of that here.
> > >
> > >       /etc/resolv.conf
> > >
> > >         search      thinclient.test.org
> > >         domain      thinclient.test.org
> > >         nameserver  192.168.0.1
> > >
> > >       Configure Samba3 and Winbindd
> > >       This part is the easy one; we just create ourselves a default Samba
> > > configuration with at least the following entries (Note this is a
> > > completely empty and default configuration file, and you may wish to add
> > > more. A file share would be handy to add).
> > >
> > >       /etc/samba/smb.conf
> > >
> > >         [global]
> > >           # general options
> > >           workgroup = THINCLIENT
> > >           netbios name = MAIL
> > >
> > >           # winbindd configuration
> > >           winbind separator = +
> > >           idmap uid = 10000-20000
> > >           idmap gid = 10000-20000
> > >           winbind enum users = yes
> > >           winbind enum groups = yes
> > >           template homedir = /home/%D/%U
> > >           template shell = /bin/bash
> > >
> > >           # Active directory joining
> > >           # "ads server" is only necessary if your kdc can't be located
> > >           # using /etc/krb5.conf -- JamesSpooner
> > >           # ads server = test1.thinclient.test.org
> > >           security = ads
> > >           encrypt passwords = yes
> > >           realm = thinclient.test.org
> > >
> > >       NB: The important things to pay attention to here are the name of
> > > our samba machine (netbios name), the workgroup, and the ActiveDirectory
> > > stuff.
> > >
> >
> > >       Configure Kerberos5
> > >       See ActiveDirectoryKerberos on setting up Kerberos to talk to
> > > ActiveDirectory.
> > >
> > >       We need to generate a key for our samba machine on the Windows
> > > server, and securely import this into our samba machine. To create the
> > > keyfile we run the following on the Windows server:
> > >
> > >         ktpass -princ host/mail.thinclient.test.org@THINCLIENT.TEST.ORG \
> > >                -mapuser MAIL -pass MAIL1234PASSWORD -out mail.keytab
> > >
> > >       We then transfer the mail.keytab securely to our samba machine by
> > > using something similar to SSH or another secure means. And then on the
> > > samba machine we will import the keyfile we just generated by using the
> > > ktutil program, which is part of the kerberos distribution. The unix
> > > commands for ktutil are as follows:
> > >
> > >         % ktutil
> > >         ktutil: rkt mail.keytab
> > >         ktutil: list
> > >         ktutil: wkt /etc/krb5.keytab
> > >         ktutil: q
> > >
> > >       Alternatively ... as root:
> > >
> > >         net join -U Administrator%password
> > >
> > >       This will join the Samba machine to the ActiveDirectory Domain.
> > >
> > >
> > >       References
> > >         a. Using Kerberos Clients section of the Microsoft
> > >            Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability
> > >         b. Authentication to ADS
> > >         c. The winbindd and Active Directory Domain Member sections of
> > >            the Samba v3 Documentation
> > >         d. Really huge manual for samba 3; in this document you can find
> > >            almost everything
> > >
> > >
> > > ----------------------------------------------------------------------
> > >
> > >       Footnotes
> > >
> > >       [1] %Systemroot% is a variable set by Windows NT and onward to mean
> > > "the location where Windows is installed", ie c:\winnt, c:\windows, etc.
> > >
> > > Last edited on Tuesday, June 1, 2004 10:04:05 pm by AlastairPorter.
>
> -- 
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> OpenLDAP by Example, ISBN: 0131488732
> Other books in production.
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
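The quoted HOWTO hinges on three things that fail silently when wrong: the reverse lookup of the Samba host's address must return the FQDN the host principal is built from, the Kerberos realm must be spelled consistently (realm names are case-sensitive and AD realms are upper case; the quoted smb.conf has it in lower case), and the client's clock must be within Kerberos's skew tolerance of the domain controller. The following pre-join check script is an added example for this thread, not code from the Samba project or the WLUG page. It assumes (none of which the thread states) that `hostname -f`, `getent`, `ntpdate -q`, `sed`, `awk` and `tr` are available, that smb.conf is at /etc/samba/smb.conf, and that the `--run` flag and the 300-second skew limit (the MIT krb5 default) are the author's choices.

```shell
#!/bin/sh
# preflight_ads.sh: sanity checks on the Samba box before "net ads join".
# Added example for this thread; not code from Samba or the WLUG HOWTO.
# Assumed (not from the page): hostname -f, getent, ntpdate, sed, awk, tr
# exist; the DC is reachable; smb.conf lives at /etc/samba/smb.conf.

MAX_SKEW=300   # seconds; MIT krb5 default clockskew, tickets beyond it are rejected

# Kerberos realm names are case-sensitive and AD realms are upper case, so
# "realm = thinclient.test.org" in smb.conf or krb5.conf is a trap.
realm_ok() {           # realm_ok <realm>
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" ]
}

# The KDC matches host/<fqdn>@REALM against the name our address resolves
# back to, so forward and reverse lookups of the FQDN must agree. With the
# quoted /etc/hosts, getent returns "mail" (the first name) for 192.168.0.209,
# which is exactly why PerryLorier asks for the FQDN to come first.
dns_roundtrip_ok() {   # dns_roundtrip_ok <fqdn> <forward-ip> <reverse-name>
    [ -n "$2" ] && [ "$3" = "$1" ]
}

# Clock offset against the DC, in either direction, must stay inside MAX_SKEW.
skew_ok() {            # skew_ok <offset-seconds, may be negative>
    s=${1#-}
    [ "${s:-0}" -le "$MAX_SKEW" ]
}

# First value of a parameter in an smb.conf, whitespace trimmed; commented
# lines ("# ads server = ...") do not match because of the leading "#".
smb_param() {          # smb_param <file> <parameter name>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Static checks: security = ads, an upper-case realm, and idmap ranges
# (without them winbindd has nowhere to allocate uids/gids for AD users).
check_smb_conf() {     # check_smb_conf <file>; returns 0 only if all pass
    f=$1; rc=0
    [ "$(smb_param "$f" security | tr 'A-Z' 'a-z')" = ads ] \
        || { echo "security must be ads"; rc=1; }
    realm_ok "$(smb_param "$f" realm)" \
        || { echo "realm must be set, in UPPER CASE"; rc=1; }
    [ -n "$(smb_param "$f" 'idmap uid')" ] && [ -n "$(smb_param "$f" 'idmap gid')" ] \
        || { echo "idmap uid/gid ranges missing for winbindd"; rc=1; }
    return $rc
}

# Live checks against this host and the DC; only run with --run.
live_checks() {
    conf=/etc/samba/smb.conf
    check_smb_conf "$conf" || return 1
    fqdn=$(hostname -f)
    ip=$(getent hosts "$fqdn" | awk '{print $1; exit}')
    rev=$(getent hosts "$ip" | awk '{print $2; exit}')
    dns_roundtrip_ok "$fqdn" "$ip" "$rev" \
        || { echo "DNS: $fqdn -> ${ip:-?} -> ${rev:-?}; fix the PTR record or put the FQDN first in /etc/hosts"; return 1; }
    dc=$(smb_param "$conf" 'ads server')
    # AD publishes the domain name itself as A records of the DCs (assumption: no "ads server" set)
    [ -n "$dc" ] || dc=$(smb_param "$conf" realm | tr 'A-Z' 'a-z')
    off=$(ntpdate -q "$dc" 2>/dev/null | sed -n 's/.*offset \(-\{0,1\}[0-9]*\)\..*/\1/p' | head -n 1)
    skew_ok "${off:-0}" \
        || { echo "clock skew ${off}s against $dc exceeds ${MAX_SKEW}s; run ntpdate $dc first"; return 1; }
    echo "preflight OK; next: net ads join -U Administrator, then net ads testjoin and wbinfo -t"
}

if [ "${1:-}" = --run ]; then live_checks; fi
```

Run as root with `sh preflight_ads.sh --run`; sourcing the file without `--run` only defines the functions. Against the quoted configuration it would stop twice: `check_smb_conf` rejects the lower-case `realm = thinclient.test.org`, and with the quoted /etc/hosts the reverse lookup of 192.168.0.209 comes back as `mail` rather than `mail.thinclient.test.org`. Both are one-line fixes, which is the point of checking before the join rather than reading KDC errors afterwards; once `net ads join` succeeds, `net ads testjoin` and `wbinfo -t` confirm the machine account and the winbindd trust.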


