[Samba] Joining Samba 3.0.2 vanilla to ADS

Marcello Melfi marcello.melfi at videotron.ca
Wed Oct 6 03:48:11 GMT 2004


Hi Doug,

Good news for you!

However, as I have mentioned to you in a previous post, you are NOT
performing ADS authentication. You are using Samba's DOMAIN security mode
and, therefore, you are using the NTLM authentication (NT style...) via the
emulator provided by the Win2K3 AD server. In other words, if that emulator
is turned off for security reasons (e.g. your security department requires
Kerberos and wishes to eliminate all NT stuff), then your Samba shares will
no longer work. Then again, if NTLM authentication is enough for your
company, then everything is OK.

Samba's ADS security mode requires MIT (or Heimdal) Kerberos and OpenLDAP
packages to be installed on the UNIX system where Samba is installed.

Regards,
 
Marcello

-----Original Message-----
From: samba-bounces+marcello.melfi=videotron.ca at lists.samba.org
[mailto:samba-bounces+marcello.melfi=videotron.ca at lists.samba.org] On Behalf
Of Sylliaasen, Doug
Sent: October 5, 2004 18:42
To: 'samba at lists.samba.org'
Cc: Sylliaasen, Doug
Subject: [Samba] Joining Samba 3.0.2 vanilla to ADS

I've been looking at several posts for weeks now and finally concluded
through testing how to install Samba 3.X into the Windows Active Directory
environment.  I was completely under the impression that you needed to load
Kerberos/LDAP and a bunch of other stuff.  In our case our ADS is running in
native mode and I was able to join the domain quite easily.  I've tested
authentications and mapping drives .. and it seems to work correctly.. I'm
still trying to get winbindd working .. but hopefully I can get that
working soon as well.
 
Here's the sequence I followed:
 
1) Download vanilla Samba 3.0.2 for Solaris 8 .. no special compilation w/
ads - ldap etc
2) installed and configured global parameters below
3) created valid machine account in the ads domain .. made sure to have
rights to join domain and this account
4) Make sure machine name of the host matches the machine account created in
the ads domain ( netbios name also )
5) samba server is not active/running .. kill all samba processes
6) ADS domain is running in native mode
7) net join -S xxxdomain -U syxxxxx
    password: xxxxx
   Added to Domain xxx  ( response from ADS domain )
8) /etc/init.d/samba.server start
9) Add user accounts and groups to unix host
10) add user account to samba ( smbpasswd -a user12345 )
11) add entries to the /usr/local/samba/lib/user.map file
       user12345 = user12345
       user34565 = user34565
       (unix acct)     ( ads acctname)
 
I then ran SWAT and configured a few shares.. adding the groups to rights on
the folders I was sharing.. home by user default was set.
 
# Samba config file created using SWAT
# from 43.131.5.12 (43.131.5.12)
# Date: 2004/10/05 15:09:55

# Global parameters
[global]
workgroup = AM
netbios name = machinexxx
netbios aliases = us-sd-xxx
server string = SD-EC2 Samba Server %h (Samba %v)
interfaces = xx.1xx.16.0/22, 127.0.0.0/8
security = DOMAIN
update encrypted = Yes
map to guest = Bad Password
password server = ussdiad ussdiax
username map = /usr/local/samba/lib/user.map
unix password sync = Yes
log file = /usr/local/samba/var/log.%m
max log size = 50
min protocol = LANMAN1
socket options = TCP_NODELAY IPTOS_THROUGHPUT
os level = 0
lm announce = Yes
preferred master = No
local master = No
domain master = No
wins server = xx.1xx.95.12
hosts allow = 127., 43.
printing = bsd
hide dot files = No
oplocks = No
level2 oplocks = No
 
[homes]
comment = User Home Directories
read only = No
browseable = No

[ptc]
comment = PTC Fileserver Share
path = /export/ptc
invalid users = nobody
valid users = @staff
admin users = @staff
write list = @staff
 
To browse the shares .. users use Start/Run, entering \\hostname and then
OK .. this returns the browsable shares.
The user selects the share and maps the network drive using the "connect as"
feature, domain\username ..
 
This seems to be working fine so far.. and works the same as the server I
have in the Windows NT Domain environment..
 
-d
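Added here as a worked example, not part of either message above: the smb.conf
[global] section Marcello's reply points towards, i.e. the same server switched
from DOMAIN mode (NTLM through the domain controller's NETLOGON service) to ADS
mode (Kerberos), with the settings from Doug's posted config that a practitioner
would tighten at the same time. The realm AM.EXAMPLE.COM, the idmap ranges and
the template shell are placeholders (assumptions); the host and server names are
the ones from the post. smb.conf only honours comments at the start of a line,
so every comment below sits on its own line.

```ini
# Constructed example, not the posted configuration.
# Samba 3.0.x global section for security = ADS (Kerberos against AD).
[global]
   workgroup = AM
   # Assumed realm; it must equal the Kerberos realm of the AD domain,
   # normally the DNS domain name in upper case, and /etc/krb5.conf must
   # name a KDC for it.
   realm = AM.EXAMPLE.COM
   netbios name = machinexxx
   netbios aliases = us-sd-xxx
   server string = SD-EC2 Samba Server %h (Samba %v)
   interfaces = xx.1xx.16.0/22, 127.0.0.0/8
   # Posted config: security = DOMAIN (NTLM only). ADS mode authenticates
   # users with Kerberos tickets and falls back to NTLM only when the client
   # cannot present one.
   security = ADS
   password server = ussdiad ussdiax
   encrypt passwords = yes
   # Posted config allowed LANMAN1 and 'lm announce = Yes'. Raising the floor
   # to NT1 and refusing LanMan hashes removes the weakest dialect and hash.
   min protocol = NT1
   lanman auth = no
   lm announce = No
   # 'map to guest = Bad Password' turns every mistyped password into a guest
   # session, which hides typos and grants anonymous access. 'Bad User' only
   # maps names that do not exist at all.
   map to guest = Bad User
   # With winbind the per-user smbpasswd -a entries and the hand-maintained
   # user.map file in the post are no longer needed: domain users and groups
   # are resolved from AD and mapped into the ranges below (placeholders).
   winbind separator = +
   winbind use default domain = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/false
   log file = /usr/local/samba/var/log.%m
   max log size = 50
   wins server = xx.1xx.95.12
   hosts allow = 127., 43.
   preferred master = No
   local master = No
   domain master = No
```

With this in place the join is done with `net ads join -U Administrator`
(an account with rights to create the computer object) rather than `net join`,
and `net ads testjoin` confirms the machine account password works. Kerberos
rejects tickets when the clock skew exceeds five minutes by default, so the
Solaris host must be time-synchronised with the domain controllers before the
join. After starting winbindd, `wbinfo -t` checks the trust secret and
`wbinfo -u` / `wbinfo -g` list the domain's users and groups; the `passwd:` and
`group:` entries in /etc/nsswitch.conf need `winbind` added for the `@staff`
style `valid users` entries in the posted shares to resolve domain groups.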
 
 

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


