1. The Solaris machine is not in the domain. Do I have to have the domain
servers set the machine to be in the domain?
2. What settings other than user do I use to set domain authentication or
even unix authentication? Can someone explain user vs shared?
This is a Windows 2000 domain.
thanks
bob
--
Robert Jaques
MNP Inc.
email b...@cablecar.net
e-page page...@cablecar.net
> I have a solaris machine. I want it to use domain authentication. When
> on user it does not seem to validate so I have set it to shared and this
> is really not what I want.
>
> 1. the solaris machine is not in the domain do I have to have the domain
> servers set the machine to be in the domain.
>
> 2. what settings other than user do I use to set domain authentication
> or even unix authentication. Can someone explain user vs shared..
>
> this is a windows 2000 domain.
In this example:

I will call the win2000 Active Directory server AD-CABLE (== netbios
name). The netbios domain name is CABLECAR and the win2000 domain
will be cablecar.net. The hostname of the solaris machine is
samba-cable.cablecar.net with netbios name SAMBA-CABLE.

DNS is of course running on AD-CABLE and it should contain this IP
number info:

    192.168.1.100   samba-cable.cablecar.net   samba-cable
    192.168.1.200   ad-cable.cablecar.net      ad-cable
    netmask = 255.255.255.0

Things to do, to get win2000 authentication enabled on SAMBA-CABLE:

1. Shut down samba on samba-cable.cablecar.net.

2. Add a machine account SAMBA-CABLE inside windows Active Directory
   Users and Computers: right-click folder Computers -> New -> Computer,
   fill in: samba-cable and check the box "Allow pre-Windows 2000
   computers to use this account". Right-click on the samba-cable
   computer icon inside the Computers folder, and select "Reset Account".

3. Log in as root on samba-cable.cablecar.net and proceed into either
   the /etc/samba directory or the /usr/local/samba/lib directory, where
   smb.conf is located. Make sure the following things are present and
   defined inside smb.conf:

       security = domain
       password server = *
       ; or, if it's an older samba version:
       ;   password server = AD-CABLE
       encrypt passwords = yes
       ; smb passwd file = /etc/samba/smbpasswd
       local master = no
       domain master = no
       preferred master = no

   The following lines are ok if WINS service is running on AD-CABLE:

       wins server = 192.168.1.200
       name resolve order = wins lmhosts host bcast

   Anyway, /etc/resolv.conf should preferably point to the DNS server of
   the Active Directory:

       # cat /etc/resolv.conf
       domain cablecar.net
       search cablecar.net
       nameserver 192.168.1.200

4. Now you are ready to join the samba server SAMBA-CABLE to the domain
   CABLECAR. You do this with the smbpasswd command:

       # smbpasswd -h
       smbpasswd: invalid option -- h
       smbpasswd [options] [username] [password]
       options:
         -s            use stdin for password prompt
         -D LEVEL      debug level
         -U USER       remote username
         -r MACHINE    remote machine
         -L            local mode (must be first option)
         -R ORDER      name resolve order
         -j DOMAIN     join domain name
         -a            add user
         -x            delete user
         -d            disable user
         -e            enable user
         -n            set no password
         -m            machine trust account
       #

If previous attempts have failed, remember to always throw away the old
samba caching data and shit. That would mean:

    # rm -f /etc/samba/MACHINE.SID
    # rm -f /etc/samba/secrets.tdb
    # rm -f /var/cache/samba/*

The above are the locations for samba 2.2.x on RedHat Linux. You have
to find your own locations on the solaris machine.

When cleaned up, you can issue the command:

    # smbpasswd -j CABLECAR -r AD-CABLE
    2002/01/31 01:18:06 : change_trust_account_password: Changed password for domain CABLECAR.
    Joined domain CABLECAR
    #

Next, start up samba on samba-cable again. Remember that only win2000
Active Directory user accounts can access SAMBA-CABLE if there is also a
unix user account present with the same principal name on
samba-cable.cablecar.net.

Robert M. Stockmann - RHCE
Network Engineer - UNIX Consultant
crashrecovery.org st...@stokkie.net
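
Added example, not part of the original post: a pre-join check that reads the [global] section of an smb.conf and reports where it deviates from the settings listed in step 3 above. The function names (global_params, param, audit_smbconf) and the sample file are constructed for illustration; it assumes the settings live under a [global] header.

```sh
# Added example (not from the post); function names and sample are constructed.

# Emit "key=value" per [global] parameter. smb.conf names are case-insensitive
# and whitespace inside them is ignored: "Encrypt Passwords" -> encryptpasswords.
global_params() {
    awk '
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }        # comments and blank lines
        /^[ \t]*\[/ { s = tolower($0); gsub(/[ \t]/, "", s)
                      in_global = (s == "[global]"); next }
        in_global && (i = index($0, "=")) {
            k = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print k "=" v
        }' "$1"
}

# Last definition of a key wins; boolean spellings are folded to yes/no.
param() {
    global_params "$1" | awk -v k="$2" '
        { i = index($0, "="); if (substr($0, 1, i - 1) == k) v = tolower(substr($0, i + 1)) }
        END { if (v ~ /^(true|1)$/) v = "yes"; if (v ~ /^(false|0)$/) v = "no"; print v }'
}

# Print one line per deviation; the return status is the number of findings.
audit_smbconf() {
    n=0
    for want in security=domain encryptpasswords=yes \
                localmaster=no domainmaster=no preferredmaster=no; do
        key=${want%%=*}; got=$(param "$1" "$key")
        [ "$got" = "${want#*=}" ] ||
            { echo "FAIL $key: want ${want#*=}, got ${got:-unset}"; n=$((n + 1)); }
    done
    [ -n "$(param "$1" passwordserver)" ] || { echo "FAIL passwordserver: unset"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample: share-level security, as in the original question.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[global]
   security = share
   Encrypt Passwords = True
   ; password server = *
   local master = no
   domain master = no
[homes]
   ; misplaced: outside [global], so it is not counted
   preferred master = no
EOF
audit_smbconf "$SAMPLE" || echo "findings: $?"
```

Run it against the real smb.conf before issuing the smbpasswd -j command; a return status of 0 means every setting from step 3 is in place.
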
> I have a solaris machine. I want it to use domain authentication. When
> on user it does not seem to validate so I have set it to shared and this
> is really not what I want.
>
> 1. the solaris machine is not in the domain do I have to have the domain
> servers set the machine to be in the domain.
>
> 2. what settings other than user do I use to set domain authentication
> or even unix authentication. Can someone explain user vs shared..
>
> this is a windows 2000 domain.
>
In this example:

I will call the win2000 Active Directory server AD-CABLE (== netbios
name). The netbios domain name is CABLECAR and the win2000 domain
will be cablecar.net. The hostname of the solaris machine is
samba-cable.cablecar.net with netbios name SAMBA-CABLE.

DNS is of course running on AD-CABLE and it should contain this IP
number info:

    192.168.1.100   samba-cable.cablecar.net   samba-cable
    192.168.1.200   ad-cable.cablecar.net      ad-cable
    netmask = 255.255.255.0

Things to do, to get win2000 authentication enabled on SAMBA-CABLE:

1. Shut down samba on samba-cable.cablecar.net.

2. Add a machine account SAMBA-CABLE inside windows Active Directory
   Users and Computers: right-click folder Computers -> New -> Computer,
   fill in: samba-cable and check the box "Allow pre-Windows 2000
   computers to use this account". Right-click on the samba-cable
   computer icon inside the Computers folder, and select "Reset Account".

3. Log in as root on samba-cable.cablecar.net and proceed into either
   the /etc/samba directory or the /usr/local/samba/lib directory, where
   smb.conf is located. Make sure the following things are present and
   defined inside smb.conf:

       netbios name = SAMBA-CABLE
       workgroup = CABLECAR
       security = domain
       password server = *
       ; or, if it's an older samba version:
       ;   password server = AD-CABLE
       encrypt passwords = yes
       ; smb passwd file = /etc/samba/smbpasswd
       local master = no
       domain master = no
       preferred master = no

   The following two lines are ok if WINS service is running on AD-CABLE:
---