Hello,
I recently set up samba to allow authentication against Active
Directory for file sharing on a CentOS 4.5. Even if their installer is
supposed to do it correctly, it didn't work the way I wanted, so I had
to understand how to set it up manually.
The main problem I found with the documentation is that there's no one-shot
documentation that allows you to join a domain if you meet so many
obscure error messages like I had.
I have more knowledge of Gentoo than CentOS (so Red Hat), but what I say
here has only been tested on CentOS.
Unfortunately for you, I'm on holidays and won't go back to the office
until the second part of October, so I can only tell you what I remember:
You need:
- a Kerberos client
- a ntp daemon to set your clock according to your domain controller
(more than 5 minutes offset will lead kerberos not to deliver tickets)
- samba with winbind support
- manually record your machine in the DNS used by AD
Set up samba with ads security (refer to the official samba howto)
Be sure your smb.conf has winbind configuration directives
Files I remember I updated (CentOS architecture):
- /etc/samba/smb.conf
- /etc/sysconfig/network (for the hostname of your machine to be the
FQDN e.g. tux.mywindows.domain.corp and `hostname --fqdn` must
immediately answer) => /etc/conf.d/hostname on gentoo
- /etc/nsswitch.conf to add winbind for a few things
(passwd,group,shadow if I remember, with less priority than file;
otherwise it will be long to log in as a local user)
- /etc/krb5.conf, /etc/krb.conf [backward compatibility, may not be needed
on gentoo; try without, that's one file less to manage] (the documentation
gives the few lines required)
You'll also have to modify PAM config files for local access matching
against AD, but I didn't try it.
Before you frag your brain out with samba and winbind, you must succeed
at a `kinit mywindowsuser` and see your ticket with `klist`. And be sure
you can resolve local names with an nslookup. Some recommend you set the
name and ip of your Domain Controller (DC) in /etc/hosts to avoid DNS
failure.
To join a domain, use the net join ads command, as explained in the docs:
it must work. If it doesn't, don't look forward: solve this problem as
it means you cannot access your DC.
There's no need to configure LDAP if you use an AD architecture. And
unless your DC is configured otherwise, it should offer you all required
services (kerberos, ntp, dns).
Don't hesitate to set up the log level of samba to 4 or the example
value of the man page to get what's wrong.
Don't look for complex configuration: a few simple lines do the job
for matching AD. If you can identify against AD for file shares, then
you just ( :D ) have to set up pam for the main login. I'd say there are
3 or 4 winbind directives (uid/gid range, auto append default domain,
etc) and 5 important samba directives in smb.conf.
I hope this fragment can help you a little bit,
Jil.
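The mail above lists the prerequisites to verify before touching samba: an FQDN hostname, a clock within 5 minutes of the DC, working DNS for the DC, and a successful `kinit`/`klist`. The script below is an added example (not Jil's code and not from the samba project) that turns those checks into a pre-join script. The DC name `dc1.mywindows.domain.corp` and realm `MYWINDOWS.DOMAIN.CORP` are assumed placeholders; override them through the environment. The pure helper functions (`is_fqdn`, `skew_ok`, `parse_ntp_offset`) run offline; the live checks only run when the script is invoked with the argument `run`.

```shell
#!/bin/sh
# Pre-join sanity checks for a Samba/winbind AD member (added example).
# Assumed values; override with e.g. DC_HOST=dc2.example.corp ./preflight.sh run
DC_HOST="${DC_HOST:-dc1.mywindows.domain.corp}"   # assumed DC hostname
REALM="${REALM:-MYWINDOWS.DOMAIN.CORP}"           # assumed Kerberos realm
AD_USER="${AD_USER:-mywindowsuser}"               # user name from the mail
MAX_SKEW=300                                      # 5 minutes, the Kerberos limit

# is_fqdn NAME -> exit 0 if NAME looks like host.domain.tld (at least one dot,
# only letters, digits and hyphens in each label), else exit 1
is_fqdn() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$'
}

# skew_ok OFFSET_SECONDS -> exit 0 if |offset| is strictly below MAX_SKEW
skew_ok() {
  awk -v o="$1" -v max="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit !(o < max) }'
}

# parse_ntp_offset LINE -> prints the offset field of an `ntpdate -q` server line,
# e.g. "server 10.0.0.1, stratum 2, offset -0.012345, delay 0.02570" -> -0.012345
parse_ntp_offset() {
  printf '%s\n' "$1" | sed -n 's/.*offset \([-0-9.]*\).*/\1/p'
}

# Live checks, in the order the mail recommends: hostname, clock, DNS, Kerberos.
preflight() {
  h=$(hostname --fqdn 2>/dev/null || hostname)
  if is_fqdn "$h"; then
    echo "ok: hostname is $h"
  else
    echo "FAIL: hostname '$h' is not an FQDN; fix /etc/sysconfig/network (or /etc/conf.d/hostname on Gentoo)"
    return 1
  fi

  line=$(ntpdate -q "$DC_HOST" 2>/dev/null | grep offset | head -n 1)
  off=$(parse_ntp_offset "$line")
  if [ -n "$off" ] && skew_ok "$off"; then
    echo "ok: clock offset to $DC_HOST is ${off}s"
  else
    echo "FAIL: clock offset '${off:-unknown}' to $DC_HOST (limit ${MAX_SKEW}s); start ntpd against the DC"
    return 1
  fi

  if nslookup "$DC_HOST" >/dev/null 2>&1; then
    echo "ok: $DC_HOST resolves"
  else
    echo "FAIL: cannot resolve $DC_HOST; check /etc/resolv.conf or add the DC to /etc/hosts"
    return 1
  fi

  # Ticket acquisition proves /etc/krb5.conf and the realm are right; kinit asks for the password.
  if kinit "$AD_USER@$REALM" && klist; then
    echo "ok: Kerberos ticket obtained; now run: net ads join -U $AD_USER"
  else
    echo "FAIL: kinit for $AD_USER@$REALM failed; fix krb5.conf before touching smb.conf"
    return 1
  fi
}

# Only perform the live checks when explicitly asked, so sourcing the file is harmless.
case "${1:-}" in
  run) preflight ;;
esac
```

Each FAIL message names the file the mail says to edit for that stage, so the script stops at the first prerequisite that is missing instead of letting you chase winbind errors that are really a clock or DNS problem.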