<div dir="ltr">Thanks everyone. I was actually hoping for a &quot;read the google, newb&quot; response, as long as it had the right search terms, cause I didn&#39;t have a clue what to google for :). So again, thanks, I&#39;ve downloaded a pile of howtos to my workstation and I&#39;ll work on it in my dead time.<br>
<br><div class="gmail_quote">On Sun, Aug 10, 2008 at 3:09 PM, Jil Larner <span dir="ltr">&lt;jil@gnoo.eu&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello,<br>
<br>
I recently set up Samba to allow authentication against Active Directory for file sharing on a CentOS 4.5. Even though their installer is supposed to do it correctly, it didn&#39;t work the way I wanted, so I had to understand how to set it up manually.<br>

<br>
The main problem I found with the documentation is that there&#39;s no one-shot document that lets you join a domain when you meet as many obscure error messages as I did.<br>
<br>
I have more knowledge of Gentoo than CentOS (so Red Hat), but what I say here has only been tested on CentOS.<br>
<br>
Unfortunately for you, I&#39;m on holidays and won&#39;t go back to the office until the second half of October, so I can only tell you what I remember:<br>
<br>
You need:<br>
- a Kerberos client<br>
- an NTP daemon to set your clock according to your domain controller (more than 5 minutes of offset will cause Kerberos not to deliver tickets)<br>
- Samba with winbind support<br>
- to manually record your machine in the DNS used by AD<br>
<br>
Set up Samba with ads security (refer to the official Samba HOWTO).<br>
Be sure your smb.conf has winbind configuration directives.<br>
<br>
Files I remember I updated (CentOS layout):<br>
- /etc/samba/smb.conf<br>
- /etc/sysconfig/network (for the hostname of your machine to be the FQDN, e.g. tux.mywindows.domain.corp; `hostname --fqdn` must answer immediately) =&gt; /etc/conf.d/hostname on Gentoo<br>
- /etc/nsswitch.conf to add winbind for a few things (passwd, group, shadow if I remember, with lower priority than files; otherwise logging in as a local user will be slow)<br>
- /etc/krb5.conf, /etc/krb.conf [backward compatibility, may not be needed on Gentoo; try without, that&#39;s one file less to manage] (the documentation gives the few lines required)<br>
<br>
You&#39;ll also have to modify the PAM config files for local logins to authenticate against AD, but I didn&#39;t try it.<br>
<br>
Before you frag your brain out with Samba and winbind, you must succeed with a `kinit mywindowsuser` and see your ticket with `klist`. And be sure you can resolve local names with nslookup. Some recommend you set the name and IP of your Domain Controller (DC) in /etc/hosts to avoid DNS failures.<br>

<br>
To join a domain, use the net join ads command, as explained in the docs: it must work. If it doesn&#39;t, don&#39;t go any further: solve this problem first, as it means you cannot access your DC.<br>
<br>
There&#39;s no need to configure LDAP if you use an AD architecture. And unless your DC is configured otherwise, it should offer you all the required services (Kerberos, NTP, DNS).<br>
<br>
Don&#39;t hesitate to set the log level of Samba to 4, or to the example value from the man page, to see what&#39;s wrong.<br>
<br>
Don&#39;t look for a complex configuration: a few simple lines do the job for matching AD. If you can authenticate against AD for file shares, then you just ( :D ) have to set up PAM for the main login. I&#39;d say there are 3 or 4 winbind directives (uid/gid range, auto-append default domain, etc.) and 5 important Samba directives in smb.conf.<br>

<br>
I hope this fragment can help you a little bit,<br><font color="#888888">
Jil.<br>
<br>
<br>
</font></blockquote></div><br></div>
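A pre-join checklist script for the prerequisites Jil lists above (clock skew under 5 minutes, an FQDN hostname, ads/winbind directives in smb.conf, files before winbind in nsswitch.conf, then kinit/klist), as an added example that is not part of this thread. The check function names are my own; it assumes MIT Kerberos's kinit/klist, ntpdate from the ntp package and Samba 3-era `idmap uid`/`idmap gid` directives; domain, DC and user names are placeholders.

```shell
#!/bin/sh
# Pre-join sanity checks for a Samba/winbind AD member (hypothetical helper names).

# Kerberos refuses tickets beyond 5 minutes (300 s) of clock skew.
# $1 = offset in seconds, signed and possibly fractional, as printed by `ntpdate -q`.
skew_ok() {
    awk -v o="$1" 'BEGIN { if (o < 0) o = -o; exit !(o < 300) }'
}

# `hostname --fqdn` must answer with a host name inside the AD DNS domain.
# $1 = reported hostname, $2 = AD DNS domain (e.g. mywindows.domain.corp). Case-insensitive.
fqdn_ok() {
    h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    d=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$h" in ?*."$d") return 0 ;; *) return 1 ;; esac
}

# smb.conf on stdin: security = ads plus the realm/workgroup and winbind identity-mapping
# directives must all be present (comments and [sections] never match a key).
smbconf_ok() {
    awk -F= '
        { key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key)
          val = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", val); seen[key] = val }
        END {
          if (seen["security"] != "ads") exit 1
          n = split("realm|workgroup|idmap uid|idmap gid|winbind use default domain", req, "|")
          for (i = 1; i <= n; i++) if (!(req[i] in seen) || seen[req[i]] == "") exit 1
          exit 0 }'
}

# nsswitch.conf on stdin: passwd and group must list winbind, and files must come first
# so local logins do not wait on winbind (shadow is optional, as in the message).
nsswitch_ok() {
    awk 'BEGIN { bad = 0 }
         /^(passwd|group):/ { f = index($0, "files"); w = index($0, "winbind")
                              if (w == 0 || f == 0 || w < f) bad = 1 }
         END { exit bad }'
}

# Live run on this host: $1 = AD DNS domain, $2 = DC host name, $3 = an AD user for kinit.
preflight() {
    fqdn_ok "$(hostname --fqdn)" "$1" || { echo "hostname --fqdn is not inside $1"; return 1; }
    off=$(ntpdate -q "$2" | awk '{ for (i = 1; i <= NF; i++) if ($i == "offset") print $(i+1) }' | tr -d ,)
    skew_ok "${off:-999}"             || { echo "clock skew ${off:-unknown}s against $2 (limit 300s)"; return 1; }
    smbconf_ok  < /etc/samba/smb.conf || { echo "smb.conf lacks security = ads or winbind directives"; return 1; }
    nsswitch_ok < /etc/nsswitch.conf  || { echo "nsswitch.conf: files must precede winbind"; return 1; }
    nslookup "$2" >/dev/null && kinit "$3" && klist -s && echo "ready for: net ads join -U $3"
}

if [ -n "${3:-}" ]; then preflight "$1" "$2" "$3"; fi
```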