Re: [gentoo-user] Adding a gentoo workstation to Active Directory network

["Yoav Luft" <yoav.luft@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3391 bytes --]

Thanks everyone. I was actually hoping for a "read the google, newb"
response, as long as it had the right search terms, cause I didn't have a
clue what to google for :). So again, thanks, I've downloaded a pile of
howto's to my workstation and I work on it on my dead time.

On Sun, Aug 10, 2008 at 3:09 PM, Jil Larner <jil@gnoo.eu> wrote:

> Hello,
>
> I recently set up samba to allow authentification against Active Directory
> for file sharing on a CentOS 4.5. Even if their installer is supposed to do
> it correctly, it didn't work the way I wanted, so I had to understand how to
> set it up manually.
>
> The main problem I found with documentations is that there's no one-shot
> documentation that allows you to join a domain if you meet so many obscure
> error messages like I had.
>
> I have more knowledge on Gentoo than centOs (so redhat), but what I say
> here has only been tested on centOS.
>
> Unfortunately for you, I'm on hollydays and won't go back to office until
> second part of October, so I can only tell you what I remember :
>
> You need :
> - a Kerberos client
> - a ntp daemon to set your clock according to your domain controller (more
> than 5 minutes offset will lead kerberos not to deliver tickets)
> - samba with winbind support
> - manually record your machine in the DNS used by AD
>
> Set up samba with ads security (refer to the official samba howto)
> Be sure your smb.conf has winbind configuration directives
>
> Files I remember I updated (CentOS architecture) :
> - /etc/samba/smb.conf
> - /etc/sysconfig/network (for the hostname of your machine to be the FQDN
> e.g. tux.mywindows.domain.corp and `hostname --fqdn` must immediately
> answer) => /etc/conf.d/hostname on gentoo
> - /etc/nsswitch.conf to add winbind for a few things (passwd,group,shadow
> if I remember, with less priority than file; otherwise it will be long to
> log in as a local user)
> - /etc/krb5.conf /etc/krb.conf[backward compatibility, may not be needed on
> gentoo; try without that's one file less to manage] (documentations give the
> few lines required)
>
> You'll also have to modify PAM config files for local access matching
> against AD, but I didn't tried it.
>
> Before you frag your brain out with samba and winbind, you must succeed a
> `kinit mywindowsuser` and see your ticket with `klist`. And be sure you can
> resolve local names with a nslookup. Some recommend you set the name and ip
> of your Domain Controller (DC) in /etc/hosts to avoid DNS failure.
>
> To join a domain, use the net join ads command, as explained in the docs :
> it must work. If it don't, don't look forward: solve this problem as it
> means you cannot access your DC.
>
> There's no need to configure LDAP if you use an AD architecture. And unless
> your DC is configured otherwise, it should offer you all required services
> (kerberos, ntp, dns).
>
> Don't hesitate to set up the log level of samba to 4 or the example value
> of the man page to get what's wrong.
>
> Don't look for complex configuration : a few simple lines does the job for
> matching AD. If you can identify against AD for file shares, then you just (
> :D ) have to set up pam for the main login. I'd say there are 3 or 4 winbind
> directives (uid/gid range, auto append defautl domain, etc) in and 5
> important samba directives smb.conf.
>
> I hope this fragment can help you a little bit,
> Jil.
>
>
>

[-- Attachment #2: Type: text/html, Size: 3784 bytes --]