Samba 3.0 allows a Linux machine to authenticate against Active Directory with Kerberos and access shared resources on a Windows 2000 server. Samba 3.0 is still pre-release (the build used here is an alpha). For info on the status, see the status page at samba.org. This article details the procedure to get this running on Red Hat 8.0.
First, get the Samba distribution from samba.org. Remove the old Samba 2.2 packages if installed and install the new one. We will also need the krb5-workstation-1.2.5-6 package, which provides kinit and the other MIT Kerberos client tools:
[root@srv-34 rpms]# rpm -e samba-common-2.2.5-10 --nodeps
[root@srv-34 rpms]# rpm -e samba-client-2.2.5-10
[root@srv-34 rpms]# rpm -i samba-3.0alpha21-1.i386.rpm
Looking for old /etc/smb.conf...
Looking for old /etc/smbusers...
Looking for old /etc/lmhosts...
Looking for old /etc/MACHINE.SID...
Looking for old /etc/smbpasswd...
Moving tdb files in /var/lock/samba/*.tdb to /var/cache/samba/*.tdb
Installing stack version of /etc/pam.d/samba...
[root@srv-34 rpms]# rpm -i krb5-workstation-1.2.5-6.i386.rpm
We need to make sure that the clocks match up, or things will go haywire: Kerberos rejects requests whose timestamps differ from the KDC's by more than the clock-skew tolerance, which is five minutes by default. Red Hat ships a handy utility called dateconfig for this. Now, srv-34 is one of the machines we manage through our serial console multiplexer, so to use GUI utilities we have to export the display to another machine. On the machine we want to run the GUI on, run xhost +10.50.100.53 (srv-34's IP address). Note that this lets any process on srv-34 connect to your X display, so revoke it with xhost -10.50.100.53 when you are done. Then, on srv-34:
[root@srv-34 rpms]# export DISPLAY=u-1:0.0
[root@srv-34 rpms]# dateconfig
Shutting down ntpd: [FAILED]
ntpd: Synchronizing with time server: [ OK ]
Starting ntpd: [ OK ]
[root@srv-34 rpms]#
(Screenshot of the time-setting utility.) The "Shutting down ntpd: [FAILED]" line only means ntpd was not running before; time is good afterwards. Just make sure your Windows box is syncing time as well.
Next, edit /etc/krb5.conf. Here is a copy of srv-34's. Note that you do need to pay attention to case. Kerberos realm names are case-sensitive, so the KDC can't match the entry if the case differs, and Active Directory realms are upper-case. When we tried to authenticate with signalqint.COM, everything failed with the error: KDC reply did not match expectations while getting initial credentials. Another problem turned up when we tested with the administrator account:
[root@srv-34 etc]# /usr/kerberos/bin/kinit administrator@SIGNALQINT.COM
Password for administrator@SIGNALQINT.COM:
kinit(v5): KDC has no support for encryption type while getting initial credentials
The Windows event log gives the clue (see the event log screenshot). This error typically means the KDC has no Kerberos keys stored for the account, which happens when the account's password has not been set since the domain was created or upgraded; just reset the password and the keys are generated. We also filled in the administrator name in the dialog shown. Once Kerberos is working, kinit should come back without errors:
[root@srv-34 etc]# /usr/kerberos/bin/kinit administrator@SIGNALQINT.COM
Password for administrator@SIGNALQINT.COM:
[root@srv-34 etc]#
Kerberos can now connect to the domain controller and authenticate. Let's hack out a minimal smb.conf, which we'll put in /etc/samba/:
[root@srv-34 etc]# cat /etc/samba/smb.conf
realm = SIGNALQINT.COM
ads server = 10.50.100.36
security = ADS
encrypt passwords = yes
[root@srv-34 etc]#
Parameters before the first section header are treated as [global], so this works as written, though adding an explicit [global] header is clearer. Note also that the ads server parameter is specific to these alpha builds; later Samba 3.0 releases dropped it in favour of password server. Now, let's join srv-34 to Active Directory. With no -U option, net ads join uses the Kerberos ticket we just obtained with kinit:
[root@srv-34 samba]# net ads join
Joined 'srv-34' to realm 'SIGNALQINT.COM'
[root@srv-34 samba]#
On the Windows 2000 server, in the Active Directory Users and Computers tool, the properties for the computer srv-34 now show up (see the two screenshots). Next we create a share called public and give administrator read-only access, then connect from srv-34 using the Kerberos ticket (the -k option) rather than a password:
[root@srv-34 samba]# smbclient //10.50.100.36/public -k
added interface ip=10.50.100.53 bcast=10.50.100.255 nmask=255.255.255.0
Doing spnego session setup (blob length=106)
Doing kerberos session setup
OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \>
smb: \> del testdoc.txt
NT_STATUS_ACCESS_DENIED deleting remote file \testdoc.txt
smb: \>
smb: \> get testdoc.txt
getting file \testdoc.txt of size 4 as testdoc.txt (0.1 kb/s) (average 0.1 kb/s)
smb: \>
All is good: the session was set up with Kerberos and no password prompt, the share's ACL denied the delete, and the read-only get succeeded.
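The whole procedure above, collected into one script with pre-flight checks for the two things that bit us (realm case and clock skew). This is an added example, not code from the original article or from the Samba project. The realm SIGNALQINT.COM and DC address 10.50.100.36 come from the lab above; the NetBIOS workgroup name SIGNALQINT, the krb5.conf layout, and the share-test command are assumptions for illustration, not srv-34's actual files.

```shell
#!/bin/sh
# Added example, not from the original article: join a Red Hat box to AD with
# Samba 3.0 and MIT Kerberos, checking realm case and clock skew first.
# Assumed defaults (from the article's lab, except WORKGROUP, which is assumed):
REALM_IN="${REALM:-SIGNALQINT.COM}"     # Kerberos realm; case matters
DC="${DC:-10.50.100.36}"                # Windows 2000 DC acting as KDC
WORKGROUP="${WORKGROUP:-SIGNALQINT}"    # NetBIOS domain name (assumed)
JOIN_USER="${JOIN_USER:-administrator}" # prefer a dedicated join account in practice
MAX_SKEW=300                            # Kerberos default clock-skew tolerance (s)

# normalize_realm REALM: print REALM if already upper case, else fail.
# A lower-case realm produced "KDC reply did not match expectations" above.
normalize_realm() {
    upper=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    if [ "$upper" != "$1" ]; then
        echo "realm '$1' is not upper case; use '$upper'" >&2
        return 1
    fi
    printf '%s\n' "$upper"
}

# skew_ok LOCAL_EPOCH REMOTE_EPOCH: succeed if |difference| <= MAX_SKEW seconds.
skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le "$MAX_SKEW" ]
}

# render_krb5_conf REALM KDC: emit a minimal /etc/krb5.conf (assumed layout).
render_krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_kdc = false

[realms]
    $1 = {
        kdc = $2:88
        admin_server = $2
    }

[domain_realm]
    .$(printf '%s' "$1" | tr 'A-Z' 'a-z') = $1
EOF
}

# render_smb_conf REALM KDC WORKGROUP: the article's smb.conf plus [global]
# and workgroup.  "ads server" is the alpha-era name of the parameter.
render_smb_conf() {
    cat <<EOF
[global]
    workgroup = $3
    realm = $1
    security = ADS
    ads server = $2
    encrypt passwords = yes
EOF
}

# main: the network-touching steps.  Only runs when invoked with --run.
main() {
    realm=$(normalize_realm "$REALM_IN") || exit 1
    # Compare our clock with the DC's (net time reads it over SMB; GNU date parses it).
    remote=$(date -d "$(net time -S "$DC")" +%s) || exit 1
    skew_ok "$(date +%s)" "$remote" || { echo "clock skew > ${MAX_SKEW}s; fix NTP first" >&2; exit 1; }
    render_krb5_conf "$realm" "$DC" > /etc/krb5.conf
    render_smb_conf "$realm" "$DC" "$WORKGROUP" > /etc/samba/smb.conf
    /usr/kerberos/bin/kinit "$JOIN_USER@$realm" || exit 1   # fails on bad realm/keys
    net ads join || exit 1                                   # uses the ticket from kinit
    smbclient "//$DC/public" -k -c 'ls'                      # Kerberos session, no password
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root with `--run` after adjusting the variables; without that flag it only defines the functions, so the renderers can be inspected (for example `render_krb5_conf SIGNALQINT.COM 10.50.100.36`) before anything is written to /etc.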