9. Samba
FC4 comes with samba v3.0.14a. The samba project released v3.0.20 on 20 August 2005. Here is a quote from the v3.0.20 release note about winbind.
-- quote --
Winbindd has been completely rewritten in this release to support an almost completely non-blocking, asynchronous request/reply model. This means that winbindd will scale much better in large domain environments and on high latency networks.
-- quote --
It is highly recommended to upgrade samba to v3.0.20 or above. The latest samba v3.0.21b rpms for FC4 can be found in here. Download a copy and then update samba with command "rpm -Uvh samba*.rpm".
Note: Samba v3.0.21 has a bug on the oplock code. Avoid this version. Use v3.0.21a or above.
No matter you choose to use winbind or freeradius to connect to Active Directory, you will have to configure samba properly. The configuration file of samba is in /etc/samba and is called smb.conf. The file should have at least the following lines.
[global] # define the netbios name of the domain workgroup = EXAMPLE # define the pptp server netbios name netbios name = PPTPDSVR # define the AD domain name realm = EXAMPLENET.ORG # server description server string = pptpd Server # printer stuff printcap name = /etc/printcap load printers = no cups options = raw # log file stuff log file = /var/log/samba/%m.log max log size = 50 # must set to ads security = ads # address of domain controller password server = 10.0.0.1 # enable encrypt passwords encrypt passwords = yes # default setting socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 # not to be a master browser domain master = no preferred master = no # address of the WINS server wins server = 10.0.0.1 dns proxy = no # require this line to join the domain client use spnego = yes # winbind stuff idmap uid = 50001-550000 idmap gid = 50001-550000 winbind separator = + winbind nested groups = Yes winbind enum users=yes winbind enum groups=yes template shell = /bin/false winbind use default domain = no
The lines in bold are the important ones that you should pay attention to. Execute "testparm" to check the configuration. Correct any errors before proceeding to the next step.
Once the Kerberos and Samba are configured, it's time to add the pptpd server to the AD domain.
[root@pptp ~]# net ads join -U skwok@EXAMPLENET.ORG "Asiapac/Australia/Sydney/Servers"
skwok@EXAMPLENET.ORG's password:
Using short domain name -- EXAMPLE
Joined 'PPTPDSVR' to realm 'EXAMPLENET.ORG'
The above net ads join command create the server in the container
"OU=Servers,OU=Sydney,OU=Australia,OU=Asiapac,DC=EXAMPLENET,DC=ORG"
The user must have admin right on the container to create the server object. If the operation is successful, you will see a new server object created in the AD.
Another test to see if the trust between the pptpd server and the domain is working is smbclient.
[root@pptp ~]# smbclient //dc1/c$ -k
OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]
smb: \> dir
AUTOEXEC.BAT A 0 Wed Jul 20 10:53:47 2005
boot.ini AHSR 208 Fri Jul 22 10:41:57 2005
CONFIG.SYS A 0 Wed Jul 20 10:53:47 2005
Documents and Settings D 0 Fri Jul 22 16:25:51 2005
download D 0 Thu Aug 4 17:31:28 2005
IO.SYS AHSR 0 Wed Jul 20 10:53:47 2005
MSDOS.SYS AHSR 0 Wed Jul 20 10:53:47 2005
NTDETECT.COM AHSR 47772 Fri Jul 22 10:16:32 2005
ntldr AHSR 295536 Fri Jul 22 10:16:32 2005
pagefile.sys AHS 805306368 Fri Aug 12 11:24:27 2005
Program Files DR 0 Wed Jul 20 10:51:09 2005
shared1 D 0 Thu Jul 21 17:06:28 2005
System Volume Information DHS 0 Fri Jul 22 10:52:09 2005
WINDOWS D 0 Tue Aug 16 14:33:36 2005
wmpub D 0 Wed Jul 20 10:55:13 200539064 blocks of size 524288. 31129 blocks available
smb: \>
Note: With Samba v3.0.14a or v3.0.20, everytime I run "net ads join", the command crash at the end with message "*** glibc detected *** net: free(): invalid pointer: 0x001cddb0 ***" and then a dump to the screen. The join seems to be working fine though. Samba v3.0.21a does not have this problem.