Thanks everyone. I was actually hoping for a "read the google, newb" response, as long as it had the right search terms, because I didn't have a clue what to google for :). So again, thanks, I've downloaded a pile of howtos to my workstation and I'll work on them in my dead time.
On Sun, Aug 10, 2008 at 3:09 PM, Jil Larner <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I recently set up samba to allow authentication against Active Directory
> for file sharing on a CentOS 4.5. Even if their installer is supposed to do
> it correctly, it didn't work the way I wanted, so I had to understand how to
> set it up manually.
>
> The main problem I found with the documentation is that there's no one-shot
> documentation that allows you to join a domain if you meet as many obscure
> error messages as I did.
>
> I have more knowledge of Gentoo than CentOS (so Red Hat), but what I say
> here has only been tested on CentOS.
>
> Unfortunately for you, I'm on holidays and won't go back to the office until
> the second half of October, so I can only tell you what I remember:
>
> You need:
> - a Kerberos client
> - an ntp daemon to set your clock according to your domain controller (more
>   than 5 minutes of offset will lead Kerberos not to deliver tickets)
> - samba with winbind support
> - to manually record your machine in the DNS used by AD
>
> Set up samba with ads security (refer to the official samba howto).
> Be sure your smb.conf has winbind configuration directives.
>
> Files I remember I updated (CentOS architecture):
> - /etc/samba/smb.conf
> - /etc/sysconfig/network (for the hostname of your machine to be the FQDN,
>   e.g. tux.mywindows.domain.corp, and `hostname --fqdn` must immediately
>   answer) => /etc/conf.d/hostname on Gentoo
> - /etc/nsswitch.conf to add winbind for a few things (passwd, group, shadow
>   if I remember, with less priority than files; otherwise it will take long
>   to log in as a local user)
> - /etc/krb5.conf, /etc/krb.conf [backward compatibility, may not be needed on
>   Gentoo; try without, that's one file less to manage] (documentations give
>   the few lines required)
>
> You'll also have to modify PAM config files for local access matching
> against AD, but I didn't try it.
>
> Before you frag your brain out with samba and winbind, you must succeed with
> `kinit mywindowsuser` and see your ticket with `klist`. And be sure you can
> resolve local names with nslookup. Some recommend you set the name and IP
> of your Domain Controller (DC) in /etc/hosts to avoid DNS failure.
>
> To join a domain, use the net join ads command, as explained in the docs:
> it must work. If it doesn't, don't go any further: solve this problem, as it
> means you cannot access your DC.
>
> There's no need to configure LDAP if you use an AD architecture. And unless
> your DC is configured otherwise, it should offer you all required services
> (Kerberos, ntp, dns).
>
> Don't hesitate to set the log level of samba to 4, or the example value
> of the man page, to get what's wrong.
>
> Don't look for complex configuration: a few simple lines do the job for
> matching AD. If you can identify against AD for file shares, then you just
> (:D) have to set up pam for the main login. I'd say there are 3 or 4 winbind
> directives (uid/gid range, auto-append default domain, etc.) and 5
> important samba directives in smb.conf.
>
> I hope this fragment can help you a little bit,
> Jil.
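As an added example, not part of Jil's message or the rest of the thread, the script below runs the checks that message recommends in the order it recommends them: FQDN inside the realm, DC resolvable, clock within the 5-minute Kerberos skew limit, winbind listed after files in nsswitch.conf, a successful `kinit`/`klist`, and only then `net ads join`. The realm, DC host and admin user are hypothetical command-line arguments; the smb.conf template uses the current Samba `idmap config` syntax rather than the `idmap uid`/`idmap gid` directives of the CentOS 4.5 era, and the clock check assumes `ntpdate -q` is installed.

```shell
#!/bin/sh
# Pre-flight for joining a Linux host to an AD domain with samba/winbind.
# Added example for this thread; REALM, DC and ADMIN are hypothetical arguments.
# Run as root on the host to be joined:  sh ad-preflight.sh REALM dc-host admin-user

MAX_SKEW=300   # Kerberos rejects tickets beyond its default clockskew of 5 minutes

# fqdn_in_realm HOST REALM: succeed if HOST is an FQDN whose domain part equals REALM
# (compared case-insensitively; Kerberos realms are conventionally upper case).
fqdn_in_realm() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    r=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$h" in
        *.*) ;;          # must contain at least one dot to be an FQDN
        *) return 1 ;;
    esac
    [ "${h#*.}" = "$r" ]
}

# skew_ok OFFSET: succeed if |OFFSET| seconds (signed decimal, as ntpdate prints) < MAX_SKEW
skew_ok() {
    case "$1" in
        -*|+*) off=${1#?} ;;   # drop the sign
        *)     off=$1 ;;
    esac
    off=${off%%.*}             # drop the fractional part
    off=${off:-0}
    [ "$off" -lt "$MAX_SKEW" ]
}

# nsswitch_ok FILE: succeed if passwd and group list winbind after files,
# so local accounts resolve before the domain is consulted.
nsswitch_ok() {
    for db in passwd group; do
        line=$(grep -E "^$db:" "$1" | head -n1)
        case "$line" in
            *files*winbind*) ;;
            *) return 1 ;;
        esac
    done
}

# smb_conf_template REALM WORKGROUP: print a minimal ads smb.conf with the
# winbind directives the message refers to (uid/gid range, default domain).
smb_conf_template() {
    cat <<EOF
[global]
   workgroup = $2
   realm = $1
   security = ads
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
   template shell = /bin/bash
   template homedir = /home/%D/%U
   log level = 1
EOF
}

# preflight REALM DC ADMIN: live checks, each one a stop-the-line failure.
preflight() {
    realm=$1; dc=$2; admin=$3
    fqdn=$(hostname --fqdn) || { echo "hostname --fqdn failed; set the FQDN first"; return 1; }
    fqdn_in_realm "$fqdn" "$realm" || { echo "hostname $fqdn is not inside $realm"; return 1; }
    getent hosts "$dc" >/dev/null || { echo "cannot resolve DC $dc (fix DNS or /etc/hosts)"; return 1; }
    # The DC normally serves NTP; query it without stepping the clock.
    off=$(ntpdate -q "$dc" 2>/dev/null | sed -n 's/.*offset \([-+0-9.]*\).*/\1/p' | tail -n1)
    skew_ok "${off:-0}" || { echo "clock offset ${off}s exceeds ${MAX_SKEW}s; fix ntp first"; return 1; }
    nsswitch_ok /etc/nsswitch.conf || { echo "/etc/nsswitch.conf lacks winbind after files"; return 1; }
    # Kerberos must work before touching samba: obtain and list a ticket.
    kinit "$admin@$realm" && klist || { echo "kinit failed; fix krb5.conf, DNS or clock first"; return 1; }
    net ads join -U "$admin" || { echo "net ads join failed; do not continue until it works"; return 1; }
    net ads testjoin && wbinfo -t
}

# Run the live checks only when all three arguments are supplied.
if [ $# -eq 3 ]; then
    preflight "$@"
fi
```

The pure functions (`fqdn_in_realm`, `skew_ok`, `nsswitch_ok`) can be exercised without a domain; `preflight` needs a real DC and prompts for the admin password twice, once for `kinit` and once for `net ads join`.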