NT4-Style Domains (Includes Samba Domains)
NT4 Domain Member Server smb.conf (Example 13.1) is a simple example of an NT4 DMS smb.conf file that shows only the global section.
Example 13.1. NT4 Domain Member Server smb.conf
    # Global parameters
    [global]
        workgroup = MEGANET2
        security = DOMAIN
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template primary group = "Domain Users"
        template shell = /bin/bash
The use of winbind requires configuration of NSS. Edit the /etc/nsswitch.conf file so it includes the following entries:
...
passwd: files winbind
shadow: files winbind
group: files winbind
...
hosts: files [dns] wins
...
The use of DNS in the hosts entry should be made only if DNS is used on site.
The creation of the DMS requires the following steps:
- Create or install an smb.conf file with the above configuration.
- Execute:
    root# net rpc join -UAdministrator%password
    Joined domain MEGANET2.
  The success of the join can be confirmed with the following command:
    root# net rpc testjoin
    Join to 'MIDEARTH' is OK
  A failed join would report an error message like the following:
    root# net rpc testjoin
    [2004/11/05 16:34:12, 0] utils/net_rpc_join.c:net_rpc_join_ok(66)
    Join to domain 'MEGANET2' is not valid
- Start the nmbd, winbind, and smbd daemons in the order shown.
The procedure for joining an ADS domain is similar to the NT4 domain join, except the smb.conf file will have the contents shown in ADS Domain Member Server smb.conf.
Example 13.2. ADS Domain Member Server smb.conf
    # Global parameters
    [global]
        workgroup = BUTTERNET
        netbios name = GARGOYLE
        realm = BUTTERNET.BIZ
        security = ADS
        template shell = /bin/bash
        idmap uid = 500-10000000
        idmap gid = 500-10000000
        winbind use default domain = Yes
        winbind nested groups = Yes
        printer admin = "BUTTERNET\Domain Admins"
ADS DMS operation requires use of Kerberos (KRB). For this to work, the krb5.conf file must be configured. The exact requirements depend on which version of MIT or Heimdal Kerberos is being used. It is sound advice to use only the latest versions, which at this time are MIT Kerberos version 1.3.5 and Heimdal 0.61.
The creation of the DMS requires the following steps:
- Create or install an smb.conf file with the above configuration.
- Edit the /etc/nsswitch.conf file as shown above.
- Execute:
    root# net ads join -UAdministrator%password
    Joined domain BUTTERNET.
  The success or failure of the join can be confirmed with the following command:
    root# net ads testjoin
    Using short domain name -- BUTTERNET
    Joined 'GARGOYLE' to realm 'BUTTERNET.BIZ'
  An invalid or failed join can be detected by executing:
    root# net ads testjoin
    GARGOYLE$@'s password:
    [2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
    ads_connect: No results returned
    Join to domain is not valid
  The specific error message may differ from the above because it depends on the type of failure that may have occurred. Increase the log level to 10, repeat the test, and then examine the log files produced to identify the nature of the failure.
- Start the nmbd, winbind, and smbd daemons in the order shown.
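A pre-join check of the two files that both procedures above depend on, as an added example that is not part of the original Samba documentation. The function names global_param and check_dms and the sample files are constructed for illustration; only the settings shown on this page are checked (security mode, realm for ADS, workgroup, idmap ranges, and the winbind entries in nsswitch.conf).

```shell
#!/bin/sh
# Added example: pre-join check of smb.conf and nsswitch.conf for a DMS.

# Print the value of a [global] parameter; like Samba, ignore case and
# whitespace in the parameter name. Prints nothing when it is not set.
global_param() {
    awk -v want="$2" '
        BEGIN         { want = tolower(want); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        g && (i = index($0, "=")) {
            name = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", name)
            val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) found = val
        }
        END { if (found != "") print found }' "$1"
}

# Print one line per problem; return 0 if none were found, 1 otherwise.
check_dms() {
    smbconf=$1 nss=$2 rc=0
    sec=$(global_param "$smbconf" security | tr '[:lower:]' '[:upper:]')
    case $sec in
        DOMAIN) ;;
        ADS) [ -n "$(global_param "$smbconf" realm)" ] ||
                 { echo "security = ADS but realm is not set"; rc=1; } ;;
        *) echo "security is '$sec', expected DOMAIN or ADS"; rc=1 ;;
    esac
    for p in workgroup "idmap uid" "idmap gid"; do
        [ -n "$(global_param "$smbconf" "$p")" ] ||
            { echo "smb.conf: $p is not set"; rc=1; }
    done
    for db in passwd shadow group; do   # the three entries listed on this page
        grep -Eq "^[[:space:]]*$db:(.*[[:space:]])?winbind([[:space:]]|\$)" "$nss" ||
            { echo "nsswitch.conf: $db does not list winbind"; rc=1; }
    done
    return $rc
}

# Constructed sample input: an ADS smb.conf with realm left out, and an
# nsswitch.conf in which group was never switched to winbind.
demo_dir=$(mktemp -d)
cat > "$demo_dir/smb.conf" <<'EOF'
[global]
   workgroup = BUTTERNET
   security = ADS
   idmap uid = 500-10000000
   idmap gid = 500-10000000
EOF
printf 'passwd: files winbind\nshadow: files winbind\ngroup: files\n' \
    > "$demo_dir/nsswitch.conf"
check_dms "$demo_dir/smb.conf" "$demo_dir/nsswitch.conf" || echo "not ready to join"
```

Run against the real files as check_dms /etc/samba/smb.conf /etc/nsswitch.conf; the smb.conf path is an assumption and varies by distribution.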