Diffstat (limited to 'docs/textdocs/ADS-HOWTO.txt')
-rw-r--r-- docs/textdocs/ADS-HOWTO.txt 142
1 files changed, 142 insertions, 0 deletions
diff --git a/docs/textdocs/ADS-HOWTO.txt b/docs/textdocs/ADS-HOWTO.txt
new file mode 100644
index 00000000000..7a066c69ecf
--- /dev/null
+++ b/docs/textdocs/ADS-HOWTO.txt
@@ -0,0 +1,142 @@
+Samba 3.0 prealpha guide to Kerberos authentication
+---------------------------------------------------
+
+Andrew Tridgell
+tridge@samba.org
+
+This is a VERY ROUGH guide to setting up the current (November 2001)
+pre-alpha version of Samba 3.0 with kerberos authentication against a
+Windows2000 KDC. The procedures listed here are likely to change as
+the code develops.
+
+Pieces you need before you begin:
+
+- a Windows 2000 server
+- the latest CVS source code for Samba. See http://cvs.samba.org/ for how to
+ fetch this.
+- the MIT kerberos development libraries (either install from the
+ above sources or use a package). Under debian you need "libkrb5-dev"
+ and "krb5-user". The heimdal libraries will not work.
+- the OpenLDAP development libraries.
+
+On RedHat this means you should have at least:
+
+krb5-workstation (for kinit)
+krb5-libs (for linking with)
+krb5-devel (because you are compiling from source)
+
+in addition to the standard development environment.
+
+Note that these are not standard on a RedHat install, and you may need
+to get them off CD2.
+
+Also check that you have the latest copy of this HOWTO. It is
+available from http://samba.org/ftp/tridge/kerberos/HOWTO
+
+Step 1: Compile Samba
+
+ If your kerberos libraries are in a non-standard location then
+ remember to add the configure option --with-krb5=DIR.
+
+ After you run configure make sure that include/config.h contains
+ lines like this:
+
+ #define HAVE_KRB5 1
+ #define HAVE_LDAP 1
+
+ If it doesn't then configure did not find your krb5 libraries or
+ your ldap libraries. Look in config.log to figure out why and fix
+ it.
+
+ Then compile and install Samba as usual. You must use at least the
+ following 3 options in smb.conf:
+
+ realm = YOUR.KERBEROS.REALM
+ ads server = your.kerberos.server
+ security = ADS
+ encrypt passwords = yes
+
+ Strictly speaking, you can omit the realm name and you can use an IP
+ address for the ads server. In that case Samba will auto-detect these.
+
+ You do *not* need a smbpasswd file, although it won't do any harm
+ and if you have one then Samba will be able to fall back to normal
+ password security for older clients. I expect that the above
+ required options will change soon when we get better active
+ directory integration.
+
+
+Step 2: Setup your /etc/krb5.conf
+
+ The minimal configuration for krb5.conf is:
+
+ [realms]
+ YOUR.KERBEROS.REALM = {
+ kdc = your.kerberos.server
+ }
+
+
+ Test your config by doing a "kinit USERNAME@REALM" and making sure that
+ your password is accepted by the Win2000 KDC.
+
+ NOTE: The realm must be uppercase.
+
+ You also must ensure that you can do a reverse DNS lookup on the IP
+ address of your KDC. Also, the name that this reverse lookup maps to
+ must either be the netbios name of the KDC (ie. the hostname with no
+ domain attached) or it can alternatively be the netbios name
+ followed by the realm.
+
+ The easiest way to ensure you get this right is to add a /etc/hosts
+ entry mapping the IP address of your KDC to its netbios name. If you
+ don't get this right then you will get a "local error" when you try
+ to join the realm.
+
+* If all you want is kerberos support in smbclient then you can skip
+* straight to step 5 now. Step 3 is only needed if you want kerberos
+* support in smbd.
+
+
+Step 3: Create the computer account
+
+ Do a "kinit" as a user that has authority to change arbitrary
+ passwords on the KDC ("Administrator" is a good choice). Then as a
+ user that has write permission on the Samba private directory
+ (usually root) run:
+
+ net ads join
+
+ Possible errors:
+ - "bash: kinit: command not found":
+ - kinit is in the krb5-workstation RPM on RedHat systems, and is
+ in /usr/kerberos/bin, so it won't be in the path until
+ you log in again (or open a new terminal)
+ - "ADS support not compiled in"
+ - Samba must be reconfigured (remove config.cache) and
+ recompiled (make clean all install) after the kerberos libs
+ and headers are installed.
+
+
+Step 4: Test your server setup
+
+ On a Windows 2000 client try "net use * \\server\share". You should
+ be logged in with kerberos without needing to know a password. If
+ this fails then run "klist tickets". Did you get a ticket for the
+ server? Does it have an encoding type of DES-CBC-MD5 ?
+
+Step 5: Testing with smbclient
+
+ On your Samba server try to login to a Win2000 server or your Samba
+ server using smbclient and kerberos. Use smbclient as usual, but
+ specify the -k option to choose kerberos authentication.
+
+
+--------
+
+NOTES:
+ - must change administrator password at least once after DC install,
+ to create the right encoding types
+
+ - w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
+ their defaults DNS setup. Maybe fixed in service packs?
+
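Review bot: the count in Step 1, "You must use at least the following 3 options in smb.conf", does not match the list that follows, which has four settings (realm, ads server, security, encrypt passwords); either change it to "4 options" or state there that realm is the optional one, since the very next paragraph says the realm name can be omitted. In the same spirit, Step 4's check "Does it have an encoding type of DES-CBC-MD5 ?" is left as a bare question; a sentence pointing the reader at the NOTES item "must change administrator password at least once after DC install, to create the right encoding types" would tell them what to do when the ticket lacks that type, and it would also help to record whether "kinit" and "net ads join" should be run on the Samba host or elsewhere, as the Possible errors list in Step 3 assumes the former without saying so.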