Samba with AD authentication on Solaris 8
From Brandonhutchinson.com
(Difference between revisions)
m (→Configure Samba) |
m (→Configure Samba) |
||
| Line 129: | Line 129: | ||
# Log to /var/log/samba.log instead of /usr/local/samba/var/log.smbd | # Log to /var/log/samba.log instead of /usr/local/samba/var/log.smbd | ||
log file = /var/log/samba.log | log file = /var/log/samba.log | ||
| + | |||
| + | ==== Create the Samba startup/shutdown script ==== | ||
| + | |||
| + | e.g., ''/etc/init.d/samba'' | ||
| + | |||
| + | #!/bin/sh | ||
| + | |||
| + | SMBDIR=/usr/local/samba | ||
| + | |||
| + | case "$1" in | ||
| + | 'start') | ||
| + | $SMBDIR/sbin/smbd -D | ||
| + | ;; | ||
| + | 'stop') | ||
| + | $SMBDIR/bin/smbcontrol smbd shutdown | ||
| + | ;; | ||
| + | *) | ||
| + | echo "Usage: $0 { start | stop }" | ||
| + | ;; | ||
| + | esac | ||
| + | |||
| + | # '''chmod 555 /etc/init.d/samba''' | ||
| + | # '''chown root:root /etc/init.d/samba''' | ||
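Review bot: the `*)` branch only echoes the usage line, so a missing or unknown argument still returns exit status 0 and the message goes to stdout; follow the echo with `exit 1` and send it to stderr with `>&2` so a caller can tell that nothing was started. The `start` branch also runs `$SMBDIR/sbin/smbd -D` without first checking that the binary exists and is executable; a `[ -x $SMBDIR/sbin/smbd ] || exit 1` guard ahead of the `case` would make a missing /usr/local/samba install fail explicitly.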
Revision as of 15:05, 24 September 2007
The SunFreeware Samba package is not compiled with AD support.
$ pkginfo -l SMCsamba
PKGINST: SMCsamba
NAME: samba
CATEGORY: application
ARCH: sparc
VERSION: 3.0.25a
...
$ /usr/local/samba/sbin/smbd -b | egrep 'ADS|LDAP|KRB'
$ tar xvf krb5-1.6.2-signed.tar
$ gpg --verify krb5-1.6.2.tar.gz.asc
gpg: Signature made Tue 10 Jul 2007 02:20:59 PM CDT using RSA key ID F376813D
gpg: Can't check signature: public key not found
$ gpg --keyserver pgp.mit.edu --recv-keys F376813D
gpg: requesting key F376813D from hkp server pgp.mit.edu
gpg: key F376813D: duplicated user ID detected - merged
gpg: key F376813D: public key "Tom Yu <tlyu@MIT.EDU>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
$ gpg --verify krb5-1.6.2.tar.gz.asc
gpg: Signature made Tue 10 Jul 2007 02:20:59 PM CDT using RSA key ID F376813D
gpg: Good signature from "Tom Yu <tlyu@MIT.EDU>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 52 E0 3E E9 38 AE 70 58 3F 21 5C C8 5C C4 55 24
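The "Good signature" above still carries the warning that nothing ties key F376813D to its owner, and the key was fetched from a keyserver by its short ID. The following is an added example, not part of the original page: it accepts a signature only when the fingerprint gpg reports matches a pinned one. The function names and the sample status text are constructed, and the pinned value is the fingerprint printed above, assumed here to have been confirmed through a second channel.

```shell
#!/bin/sh
# Added example: accept a signature only if it was made by a pinned key.
# PINNED_FPR is the fingerprint printed in the gpg output on this page;
# treating it as independently confirmed is an assumption of this sketch.
PINNED_FPR="52 E0 3E E9 38 AE 70 58 3F 21 5C C8 5C C4 55 24"

# Constructed sample of "gpg --status-fd 1 --verify" output (timestamps invented).
SAMPLE_STATUS='[GNUPG:] VALIDSIG 52E03EE938AE70583F215CC85CC45524 2007-07-10 1184095259 0 3 0 1 2 00 52E03EE938AE70583F215CC85CC45524
[GNUPG:] TRUST_UNDEFINED'

# normalize_fpr FPR: drop spaces and colons, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'abcdef' 'ABCDEF'
}

# fpr_from_status: read status lines on stdin and print the fingerprint
# (third field) of every VALIDSIG line, one per line.
fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3 }' | tr 'abcdef' 'ABCDEF'
}

# signer_is_pinned STATUS_TEXT: succeed only when there is exactly one
# VALIDSIG line and its fingerprint equals the pin. Two signatures yield
# a two-line value that cannot equal the pin, so they are rejected too.
signer_is_pinned() {
    want=`normalize_fpr "$PINNED_FPR"`
    got=`printf '%s\n' "$1" | fpr_from_status`
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_pinned SIGFILE [DATAFILE]: run gpg, then apply the pin check.
# gpg exits non-zero on a bad or unverifiable signature.
verify_pinned() {
    status=`gpg --status-fd 1 --verify "$@" 2>/dev/null` || return 1
    signer_is_pinned "$status"
}
```

Calling `verify_pinned krb5-1.6.2.tar.gz.asc` in place of the bare `gpg --verify` makes the build stop when the tarball is signed by any other key, including one that shares the short ID.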
Kerberos Installation and Configuration
Install Kerberos
Download and install Kerberos.
$ gzip -cd krb5-1.6.2.tar.gz | tar xvf -
$ cd krb5-1.6.2/src
$ PATH=$PATH:/usr/local/bin ./configure
$ make
# make install
Configure Kerberos
Example /usr/local/etc/krb5.conf assuming:
- Kerberos domain of DOMAIN.EXAMPLE.COM
- Key Distribution Center (KDC) of PDC.DOMAIN.EXAMPLE.COM:
[libdefaults]
# To prevent encryption type mismatches, limit the Kerberos client
# libraries to the list supported by Microsoft
default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
# Default realm to append to unqualified principal names
default_realm = DOMAIN.EXAMPLE.COM
# Use DNS to locate KDCs
# This requires:
# 1. /etc/resolv.conf contains nameservers used by AD clients
# and servers
# 2. The /etc/resolv.conf "search" list contains the name of the
# AD domain
dns_lookup_kdc = true
# Example of manually configuring KDC lookups
#[realms]
# DOMAIN.EXAMPLE.COM = {
# kdc = pdc.domain.example.com
# }
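The enctype lists above admit single-DES and RC4-HMAC, the weakest types a client can negotiate. As an added example (not from the original page; the function names and the sample file are constructed), this reports every `*_enctypes` setting in `[libdefaults]` that still permits them, so the lists can be reviewed and tightened where the domain controllers allow it.

```shell
#!/bin/sh
# Added example: list weak Kerberos enctypes permitted by a krb5.conf.

# weak_enctypes [FILE]: print "key:enctype" for each single-DES or RC4
# entry on a *_enctypes line inside [libdefaults]; reads stdin if no FILE.
weak_enctypes() {
    awk '
    /^[ \t]*[#;]/ { next }                              # comment line
    /^[ \t]*\[/   { sect = $0; gsub(/[ \t]/, "", sect); next }
    sect == "[libdefaults]" && /_enctypes[ \t]*=/ {
        split($0, kv, "=")
        key = kv[1]; gsub(/[ \t]/, "", key)
        n = split(kv[2], types, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
            t = tolower(types[i])
            # des-cbc-* is single DES; des3-* is deliberately not matched
            if (t ~ /^des-cbc-/ || t ~ /^(rc4|arcfour)-hmac/)
                print key ":" types[i]
        }
    }' "${1:--}"
}

# Constructed sample: the first enctype line is the one from this page,
# the second is a hypothetical AES-first list that still falls back to RC4.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    # default_tgs_enctypes = DES-CBC-CRC
    default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC
    default_realm = DOMAIN.EXAMPLE.COM
[realms]
    ignored_enctypes = DES-CBC-CRC
EOF
}
```

Run it as `weak_enctypes /usr/local/etc/krb5.conf`; empty output means no single-DES or RC4 type is listed.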
OpenLDAP Installation
Download and install OpenLDAP.
$ gzip -cd openldap-2.3.38.tgz | tar xvf -
$ cd openldap-2.3.38
$ PATH=$PATH:/usr/local/bin ./configure --disable-bdb --enable-null --without-tls
...
checking db.h usability... no
checking db.h presence... no
checking for db.h... no
configure: error: BDB/HDB: BerkeleyDB not available
GNU autoconf (i.e., configure) checks for BerkeleyDB even with the --disable-bdb option. As a workaround, use the --disable-backends option.
$ PATH=$PATH:/usr/local/bin ./configure --disable-backends --enable-null --without-tls
$ make depend
$ make
# make install
Samba Installation and Configuration
Install Samba
Download and install Samba.
$ gzip -cd samba-3.0.26a.tar.gz | tar xvf -
$ cd samba-3.0.26a/source
$ PATH=$PATH:/usr/local/bin ./configure --with-ldap --with-ads --with-krb5=/usr/local --with-winbind
# make install
Configure Samba
- Create the Samba configuration file (e.g., /usr/local/samba/lib/smb.conf).
[global]
# Kerberos, LDAP, and Active Directory support must be built into
# Samba to use "security = ads"
security = ads
# Required for member servers of a domain, "yes" by default
encrypt passwords = yes
# In Active Directory domains, the Kerberos realm is the same
# as the domain's DNS name in uppercase
realm = DOMAIN.EXAMPLE.COM
# Domain to which the server belongs
workgroup = DOMAIN
# Disable NetBIOS; use DNS for name service and TCP/UDP for transport
smb ports = 445
disable netbios = yes
name resolve order = hosts
# Log to /var/log/samba.log instead of /usr/local/samba/var/log.smbd
log file = /var/log/samba.log
Create the Samba startup/shutdown script
e.g., /etc/init.d/samba
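#!/bin/sh
# Start or stop the Samba smbd daemon

SMBDIR=/usr/local/samba

case "$1" in
'start')
        # -D: run smbd as a daemon
        $SMBDIR/sbin/smbd -D
        ;;
'stop')
        # Ask the running smbd to shut down cleanly
        $SMBDIR/bin/smbcontrol smbd shutdown
        ;;
*)
        # Report misuse on stderr and return a failing exit status
        echo "Usage: $0 { start | stop }" >&2
        exit 1
        ;;
esac

# chmod 555 /etc/init.d/samba
# chown root:root /etc/init.d/samba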
