Date:      Fri, 14 May 2004 16:59:40 -0400
From:      Michael Edenfield <kutulu@kutulu.org>
To:        Eric Masson <e-masson@kisoft-services.com>, Evan Oberholster <eoberholster@aiias.edu>, ports@freebsd.org
Subject:   Re: How-to: Install Samba
Message-ID:  <20040514205940.GA80327@wombat.localnet>
In-Reply-To: <20040513203532.GA1714@minubian.inethouston.net>
References:  <001801c4389e$8bcca790$1400a8c0@aiiasit> <20040513140547.GA72575@minubian.inethouston.net> <20040513140703.GB72575@minubian.inethouston.net> <86d658gwzs.fsf@srvbsdnanssv.interne.kisoft-services.com> <20040513203532.GA1714@minubian.inethouston.net>


* David W. Chapman Jr. <dwcjr@inethouston.net> [040513 16:35]:
> On Thu, May 13, 2004 at 05:36:23PM +0200, Eric Masson wrote:
> > >>>>> "David" == David W Chapman, <David> writes:
> > 
> > Hello,
> > 
> >  David> I would recommend 3.0.4 which is in /usr/ports/net/samba-devel
> >  David> though.
> > 
> > Sorry to jump in this thread, but has anyone succeeded in joining a
> > stock port installed samba to an Active Directory domain ?
> > 
> 
> I haven't personally.  According to the samba developers, it will
> join AD in 2000 Native mode, but not 2k3 native mode.

I have (2k), but it's not a quick process.  The major problem appears to
be that Heimdal Kerberos, which is what's in -CURRENT, just doesn't work
with Samba's implementation of Active Directory.  I was able to get a
Kerberos ticket from the ADC but Samba refused to use the tickets or
join the domain.  Once I installed MIT Kerberos from ports, things went
really smoothly.  I've actually seen other messages stating the exact
opposite (removing MIT and installing Heimdal worked) but that wasn't my
experience.  Clearly there's still some loose ends to tie up there :)

Here's what I did:

1) If you are running -CURRENT, rebuild world w/out Kerberos.

2) If you are running -CURRENT, move the following files out of the way.
(I kept a backup of them, but this is probably not necessary.
Rebuilding world with Kerberos enabled will replace them.)
  * From /usr/bin:  kadmin, kdestroy, kinit, klist, kpasswd,
                    krb5-config, ksu
  * From /usr/lib: libcom_err*, libkadm5*, libkrb5*
  * From /usr/include: com_err.h, gssapi.h, krb5.h

3) Install /usr/ports/security/krb5

4) If you don't have openldap installed, install /usr/ports/openldap22-client
(I used v2.1 with no problems, so if you have that already it's fine.)

5) Install /usr/ports/net/samba-devel with KRB5_HOME=/usr/local

6) Set up the /usr/local/etc/krb5.conf file.  You will need a minimum
of:

[libdefaults]
default_realm=YOUR.ADS.DOMAIN

[domain_realm]
.your.domain.name=YOUR.ADS.DOMAIN
your.domain.name=YOUR.ADS.DOMAIN

[realms]
YOUR.ADS.DOMAIN = {
    default_domain = your.domain.name
    kdc = IP.OF.YOUR.PDC  IP.OF.YOUR.BDC IP.OF.YOUR.BDC
}


In all of my cases, my machine's DNS hostname and ADC domain name were
identical, e.g. machine kutulu in domain kutulu.localnet had a DNS name of
kutulu.kutulu.localnet.  I'm not sure how to deal with them being
different so I never tried :)

Also, you can add the following to the [libdefaults] section to speed
things up a tad:

dns_lookup_kdc = false
dns_lookup_realm = false

7) In your /usr/local/etc/smb.conf, add the following lines:

realm = YOUR.ADS.DOMAIN
workgroup = YOUR
security = ADS

Specifically, your workgroup should be the "short name" of the domain as
you set it up on the controllers.  If not, samba will complain.

8) Log into the Active Directory controller:

$ kinit adminuser
adminuser@YOUR.ADS.DOMAIN's password:
$ klist

This will prompt for your administrative user's password, then display
the ticket you received from the controller.  This user should be
someone with 'add computer to domain' permissions.

9) Join the domain:

$ net ads join
Using short domain name -- YOUR
Joined 'YOUR-PC' to realm 'YOUR.ADS.DOMAIN'

I have *not* gone as far as to set up winbind yet, but once this is done
you should be able to do things like:

net user
net group

And get replies.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040514205940.GA80327>