[Samba] Making Red Hat 3 Authenticate against AD Domain

Kevin Riggins kevin.riggins at comdev.com
Tue Oct 19 18:18:04 GMT 2004



The default version of Kerberos that ships with RHEL AS is 1.2 something
and the default Samba rpm is built against this version.  In order for a
Samba box to become a member of an Active Directory domain, Kerberos
1.3+ is required. This is why it is necessary to download the latest
binary of Kerberos from the following location and download and compile
Samba.

Kerberos:
http://web.mit.edu/kerberos/dist/krb5/1.3/krb5-1.3.5-i686-pc-linux-gnu.tar
Samba: http://us3.samba.org/samba/ftp/samba-latest.tar.gz

-----Original Message-----
From: David Nickel [mailto:dnickel at gmail.com] 
Sent: Tuesday, October 19, 2004 11:46 AM
To: Kevin Riggins
Cc: samba at lists.samba.org
Subject: Re: [Samba] Making Red Hat 3 Authenticate against AD Domain


I am using the kinit that is in the default rpm with RHEL AS.
`which kinit` is returning: /usr/kerberos/bin/kinit


On Tue, 19 Oct 2004 11:09:42 -0500, Kevin Riggins
<kevin.riggins at comdev.com> wrote:
> I also thought of something else, make sure you are using the binaries
> that were installed by the new Kerberos package.  I accomplished this by
> putting /usr/local/bin and /usr/local/sbin at the beginning of my path
> statement.  This needs to be done prior to compiling Samba, because
> Samba uses the krb5-config command to configure itself for Kerberos.
> 
> If `which kinit` returns anything other than /usr/local/bin, this is
> contributing to the problem.
> 
> My bad, sorry.
> 
> No services are necessary for the Kerberos portion of the setup.
> 
> Kevin
> 
> 
> 
> -----Original Message-----
> From: David Nickel [mailto:dnickel at gmail.com]
> Sent: Tuesday, October 19, 2004 10:59 AM
> To: Kevin Riggins
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Making Red Hat 3 Authenticate against AD Domain
> 
> I have tried the uppercase, lowercase and any combinations. I have
> made the following changes to my krb5.conf file and still get the same
> error. What services need to be started? Thanks a lot for your input.
> 
> On Tue, 19 Oct 2004 10:44:29 -0500, Kevin Riggins
> <kevin.riggins at comdev.com> wrote:
> > One other thing.  My /etc/krb5.conf file is a bit different than the one
> > given on the page I sent you to.
> >
> > The pertinent portion being below:
> >
> > [libdefaults]
> >  ticket_lifetime = 24000
> >  default_realm = COMDEV.COM
> >  default_tgs_enctypes = rc4-hmac
> >  default_tkt_enctypes = rc4-hmac
> >  forwardable = true
> >  proxiable = true
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = false
> >
> >
> >
> >
> > -----Original Message-----
> > From: David Nickel [mailto:dnickel at gmail.com]
> > Sent: Tuesday, October 19, 2004 10:15 AM
> > To: Kevin Riggins
> > Cc: samba at lists.samba.org
> > Subject: Re: [Samba] Making Red Hat 3 Authenticate against AD Domain
> >
> > Thanks for the link and info. I have tried it, but when I get to the
> > testing kerberos I get an error.
> >
> > command: kinit ADMINISTRATOR@domain.com
> > error: kinit(v5): KDC has no support for encryption type while getting
> > initial credentials
> >
> > FYI: All I want to do is allow my users, once they log on to their
> > domain computers, to map to their directory on the web server through
> > domain authentication instead of the local /etc/passwd file.
> >
> > On Tue, 19 Oct 2004 08:58:17 -0500, Kevin Riggins
> > <kevin.riggins at comdev.com> wrote:
> > > David,
> > >
> > > > I found this webpage to be very useful for setting up samba with active
> > > > directory authentication -
> > > > http://www.rongage.org/manual_samba_howto.html.  I started with a very
> > > > base install of WBEL without samba.  The version of Kerberos that comes
> > > > with WBEL is not new enough to work with a Win2K AD domain or at least I
> > > > could never get it to work. I used the latest versions of Samba and
> > > > Kerberos.  OpenLDAP was not needed since it was already installed on the
> > > > box.
> > >
> > > My homes share definition looks like this:
> > >
> > > [global]
> > >        template homedir = /home/%D/%U
> > >
> > > [homes]
> > >        comment = Home Directories
> > >        create mask = 0600
> > >        directory mask = 0700
> > >        read only = no
> > >        browseable = no
> > >        valid users = @"Domain Admins",@"Domain Users"
> > >        veto oplock files = /*.xls/
> > >
> > > > The "veto oplock files = /*.xls/" line is to take care of a problem with
> > > > Excel thinking that a file has been changed since opened when it
> > > > actually hasn't been.
> > >
> > > > I created the /home/<DOMAIN>/ directory with the group set to "Domain
> > > > Admins" and group rights of u+rwx,g+rwsx,o-rwsx so that I could use
> > > > "Active Directory Users and Computers" to set the home directory.  The
> > > > domain name had to be all caps for it to work right.  Right now I am
> > > > manually creating the home directory and setting ownership and
> > > > permissions.  Haven't been able to get the home directory creation
> > > > through "Active Directory Users and Computers" working yet.
> > >
> > > Kevin Riggins, CISSP
> > > Quester Linguistics, Inc.
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: David Nickel [mailto:dnickel at gmail.com]
> > > Sent: Tuesday, October 19, 2004 8:31 AM
> > > To: samba at lists.samba.org
> > > Subject: [Samba] Making Red Hat 3 Authenticate against AD Domain
> > >
> > > > I have a Red Hat 3 AS server I am trying to set Samba 3 up on. I want
> > > > to use the homes function of Samba and I want users to authenticate
> > > > against my AD domain. I am having a problem making the server a member
> > > > server of my domain.
> > > >
> > > > I tried using the smbpasswd command and got the error about trying net
> > > > join for this action. Also, is there anything else I have to do to get
> > > > my users to authenticate against the AD domain?
> > >
> > > Any help and suggestions would be much appreciated.
> > >
> > > Thanks,
> > >
> > > David
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > >
> >
>
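
The two build prerequisites raised in this thread (the new Kerberos binaries must resolve first in PATH before Samba is compiled, and Kerberos must be 1.3 or newer) can be checked before running Samba's configure step. The shell functions below are an added example, not part of the original messages; the function names, the /usr/local default prefix and the assumed `krb5-config --version` output format are assumptions.

```shell
#!/bin/sh
# Added example: pre-build check for the PATH and version issues in this thread.
# Assumed: new Kerberos under /usr/local, RHEL's copy under /usr/kerberos/bin,
# and "krb5-config --version" printing e.g. "Kerberos 5 release 1.3.5".

# resolve_in_path NAME PATHSTRING
# Print the first executable NAME found scanning PATHSTRING left to right,
# i.e. the copy the shell and Samba's ./configure would pick up.
resolve_in_path() {
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.      # an empty PATH entry means current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            IFS=$old_ifs; printf '%s\n' "$dir/$1"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# krb5_version_ok "VERSION LINE"
# Status 0 if the release is 1.3 or newer, 1 if older, 2 if unparseable.
krb5_version_ok() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/.*release \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                     # $1 = major, $2 = minor
    [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -ge 3 ]; }
}

# check_build_env PATHSTRING [PREFIX]
# Report where kinit and krb5-config resolve; fail unless both are under PREFIX.
check_build_env() {
    prefix=${2:-/usr/local}; rc=0
    for tool in kinit krb5-config; do
        if found=$(resolve_in_path "$tool" "$1"); then
            case $found in
                "$prefix"/*) echo "OK    $tool -> $found" ;;
                *) echo "WRONG $tool -> $found (expected under $prefix)"; rc=1 ;;
            esac
        else
            echo "MISS  $tool not found in PATH"; rc=1
        fi
    done
    return $rc
}

# Run against the live environment only when invoked as: sh check.sh run
if [ "${1:-}" = run ]; then
    check_build_env "$PATH" && krb5_version_ok "$(krb5-config --version)"
fi
```

A WRONG line for krb5-config means Samba's configure would link against the older system Kerberos even though the newer one is installed.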

