Personal Cookbook for Samba.
Objective:
To enable a Unix server to share folders with
Microsoft Windows machines, with authentication
through the Active Directory accounts used in the
Windows client session.
Prerequisites:
Unix Solaris 8
gcc compiler
Samba 3
Kerberos 5
OpenLDAP 2.2
Windows 2000 Server Domain Controller
Process:
0. Get the software:
krb5-1.4.1-signed.tar at
http://web.mit.edu/kerberos/www/
openldap-2.2.26.tar at
http://www.openldap.org/software/download/
samba-3.0.14a.tar.gz at
http://us1.samba.org/samba/
0.1 Verify the gcc compiler (e.g. execute 'type
gcc'; if the program exists, the instruction returns
the path, for example /usr/local/bin)
0.2 Verify that the env var CC points to
/usr/local/bin/gcc. (Make the required modifications
in the file /etc/profile)
1. Unpack the files in a temp directory. Here
/export/programs/samba on unixmachine is used:
tar xvf krb5-1.4.1-signed.tar
it creates the directory kerberos
tar xvf openldap-2.2.26.tar
it creates the directory openldap-2.2.26
tar xvf samba-3.0.14a.tar.gz
it creates the directory samba-3.0.14a
2. Compile and install the programs. Here the
programs are explicitly installed under /home1/.
Follow this order:
2.1. Kerberos
Change to kerberos/krb5-1.4.1/src
Execute
./configure --prefix=/home1/kerberos5 \
CC=/usr/local/bin/gcc
make
make install
2.2. OpenLDAP
Change to openldap-2.2.26
Execute
./configure --prefix=/home1/openldap --without-bdb \
--disable-bdb --enable-null
make depend
make
make install
2.3. Samba
Change to samba-3.0.14a/source
Set these env vars:
export LDFLAGS="-L/home1/openldap/lib -Wl,-R/home1/openldap/lib"
export CPPFLAGS=-I/home1/openldap/include
Execute
./configure --prefix=/home1/samba --with-winbind \
--with-ads --with-ldap --with-krb5=/home1/kerberos5
make
make install
3. Create a user account in your Windows 2000
Domain Controller with the same name as your machine
(use the last name field). Enable the options User
cannot change password and Password never expires.
4. Generate the keytab for Kerberos in your Win2k
Domain Controller:
C:\temp\ktpass -princ
host/unixmachine...@DOMAIN.COM
-mapuser unixmachine -pass password
-out unixmachine.keytab
4.1. Copy the file unixmachine.keytab to the
unixmachine under the directory /etc/krb5/ (it can be
done with ftp or scp, depending on the unix server)
4.2. Register the key in your unixmachine:
/home1/kerberos5/sbin/ktutil
ktutil: rkt /etc/krb5/unixmachine.keytab
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: q
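After the ktutil step, a practitioner wants to confirm what actually landed in /etc/krb5/krb5.keytab: which principals, which key version number and which key types. Added here as an example (not part of the original post, nor of Samba or MIT Kerberos), this Python reader walks the version 2 (0x0502) keytab layout that MIT ktutil writes; the sample keytab, the principal host/unixmachine.domain.com and the all-zero key bytes are constructed.

```python
import struct
# Enctype numbers: the single-DES types step 8's krb5.conf allows, plus the
# stronger ones a Windows DC can issue (constructed table, not exhaustive).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _octets(buf, pos):            # counted_octet_string: uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name)] from a format-0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size >= 0:                    # a negative size marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, pos = _octets(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, pos = _octets(data, pos)
                comps.append(comp.decode())
            _ntype, _stamp, vno8, etype = struct.unpack_from(">IIBH", data, pos)
            _key, pos = _octets(data, pos + 11)   # key bytes are not needed here
            vno = vno8                   # a 32-bit kvno may follow the key
            if end - pos >= 4:
                vno = struct.unpack_from(">I", data, pos)[0] or vno8
            entries.append(("/".join(comps) + "@" + realm.decode(), vno,
                            ENCTYPES.get(etype, "enctype-%d" % etype)))
        pos = end
    return entries

def build_keytab(specs):        # constructed writer, only to make a sample
    out = b"\x05\x02"
    for principal, vno, etype, key in specs:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, vno & 0xFF)   # name type 1 = principal
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", vno)
        out += struct.pack(">i", len(body)) + body
    return out

# Constructed sample: the host key from step 4 (zero key bytes, not a real secret).
SAMPLE = build_keytab([("host/unixmachine.domain.com@DOMAIN.COM", 3, 3, bytes(8))])
```

On the server, parse_keytab(open("/etc/krb5/krb5.keytab", "rb").read()) lists what ktutil merged; an entry reporting des-cbc-crc or des-cbc-md5 is a single-DES key, which is what the enctypes in step 8 request but is weak. The keytab is equivalent to the host's password, so it should be readable by root only.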
5. Configure some env vars:
KRB5_CONFIG=/etc/krb5/krb5.conf
KRB5_KDC_PROFILE=/var/kerberos/krb5kdc/kdc.conf
DEFAULT_KEYTAB_NAME=/etc/krb5/krb5.keytab
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local:/usr/local/include:/usr/local/lib:/usr/lib/iconv
export KRB5_CONFIG KRB5_KDC_PROFILE LD_LIBRARY_PATH \
DEFAULT_KEYTAB_NAME
6. Generate the library links for nsswitch.
Copy from
/export/programs/samba/samba-3.0.14a/source/nsswitch
the file libnss_winbind.so to the directory /usr/lib
Generate these soft links in /usr/lib/:
ln -s libnss_winbind.so libnss_winbind.so.1
ln -s libnss_winbind.so nss_winbind.so.1
ln -s libnss_winbind.so nss_winbind.so.2
7. Generate in /etc/init.d/ the file samba:
------------------------------------------------------
#!/bin/sh
#
#
# This file should have uid root, gid sys and chmod
# 744
#
if [ ! -d /usr/bin ]
then # /usr not mounted
exit
fi
killproc() { # kill the named process(es)
pid=`/usr/bin/ps -e |
/usr/bin/grep -w $1 |
/usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
[ "$pid" != "" ] && kill $pid
}
# Start/stop processes required for samba server
case "$1" in
'start')
/home1/samba/sbin/nmbd -D \
-l/home1/samba/var/log.%m
/home1/samba/sbin/winbindd
/home1/samba/sbin/smbd -D
;;
'stop')
killproc nmbd
killproc smbd
killproc winbindd
echo "Killing nmbd, smbd, winbindd OK..."
;;
'restart')
killproc nmbd
killproc smbd
killproc winbindd
echo "Killing OK..."
/home1/samba/sbin/nmbd -D \
-l/home1/samba/var/log.%m
/home1/samba/sbin/winbindd
/home1/samba/sbin/smbd -D
echo "Starting Samba OK..."
;;
*)
echo "Usage: /etc/init.d/samba { start | stop \
| restart }"
;;
esac
------------------------------------------------------
8. Generate the file /etc/krb5/krb5.conf:
------------------------------------------------------
# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __<name>__ placeholders
# with appropriate values for your network.
#
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.COM
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
#forwardable = true
#proxiable = true
#dns_lookup_realm = true
#dns_lookup_kdc = true
[realms]
DOMAIN.COM = {
kdc = win2kdomcontr.domain.com
kdc = otherwin2kdomcontr.domain.com
admin_server = win2kdomcontr.domain.com
default_domain = domain.com
}
[domain_realm]
# host-to-realm mapping: the value must be a realm name
unixmachine.domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
.netbiosdomname = DOMAIN.COM
netbiosdomname = DOMAIN.COM
------------------------------------------------------
9. Generate the file /home1/samba/lib/smb.conf:
------------------------------------------------------
[global]
# general options
workgroup = NETBIOSDOMNAME
netbios name = unixmachine
realm = DOMAIN.COM
server string = SambaUNIXMACHINE
security = ADS
idmap uid = 5000-100000000
idmap gid = 5000-100000000
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
log level = 1
template homedir = /home1/samba/%D/%U
template shell = /bin/bash
encrypt passwords = yes
password server = win2kdomcontr.domain.com
[shared1]
comment = Shared data
path = /home1/samba/users
# the @ prefix marks a group; without it the name is read as a user
valid users = @NETBIOSDOMNAME\anygroup
browseable = yes
writeable = yes
------------------------------------------------------
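A quick consistency check for the files from steps 8 and 9, added as an example (not part of the original post): it reads both with a minimal parser and reports the settings that break or weaken ADS logons. The 1000 ceiling for local uids and the constructed excerpts below are assumptions; the check also flags enctype lists that allow only single DES, which is what this krb5.conf does.

```python
def parse_ini(text):
    """Minimal [section] / key = value reader; flattens krb5.conf { } nesting."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            section[" ".join(key.split()).lower()] = val.strip()
    return conf

def check(smb, krb, local_uid_max=1000):
    """Return findings for a step 8/9 pair; local_uid_max is an assumed ceiling
    for ids already in /etc/passwd, which the idmap range must stay above."""
    g, lib, out = smb.get("global", {}), krb.get("libdefaults", {}), []
    if g.get("security", "").lower() != "ads":
        out.append("security must be ADS for Kerberos logons through winbind")
    realm = g.get("realm", "")
    if not realm or realm != lib.get("default_realm") or realm != realm.upper():
        out.append("realm must equal krb5.conf default_realm and be upper-case")
    for key in ("idmap uid", "idmap gid"):
        lo, hi = (int(x) for x in g.get(key, "0-0").split("-"))
        if lo <= local_uid_max or lo >= hi:
            out.append("%s range %d-%d overlaps local ids or is empty" % (key, lo, hi))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        types = lib.get(key, "").split()
        if types and all(t.startswith("des-") for t in types):
            out.append("%s allows single-DES keys only" % key)
    for name, share in smb.items():   # writeable shares need an explicit allow list
        if name != "global" and share.get("writeable", "no").lower() == "yes" \
                and "valid users" not in share:
            out.append("share [%s] is writeable without a valid users list" % name)
    return out

# Constructed excerpts of the files from steps 8 and 9, placeholders kept.
KRB5_CONF = """[libdefaults]
default_realm = DOMAIN.COM
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
"""
SMB_CONF = """[global]
realm = DOMAIN.COM
security = ADS
idmap uid = 5000-100000000
idmap gid = 5000-100000000
[shared1]
valid users = NETBIOSDOMNAME\\anygroup
writeable = yes
"""
```

Calling check(parse_ini(SMB_CONF), parse_ini(KRB5_CONF)) on the excerpts above reports only the two single-DES enctype lists; everything else the cookbook sets passes.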
10. Modify the file /etc/nscd.conf:
enable-cache hosts no
enable-cache passwd no
enable-cache group no
11. Register the computer account into Active
Directory:
/home1/kerberos5/bin/kinit administrator
(enter the password for the domain administrator)
/home1/samba/bin/net ads join
(This prints a message indicating that the computer
has joined the domain; verify the computer account
in Active Directory Users and Computers)
(Optionally, use net ads join --debuglevel=10 to debug
errors)
12. To test the communication with Active Directory,
execute getent passwd. This command shows the passwd
content plus the Active Directory accounts.
Additionally, execute /home1/samba/bin/wbinfo -u or
/home1/samba/bin/wbinfo -g to list the users or groups
from Active Directory.
13. Execute /etc/init.d/samba start to start the
Samba daemons. The final test is to open the server
from a Windows machine with Start/Run/\\unixmachine
Thanks for the info. Do you have a web site where this could be posted