samba-tool domain provision --use-rfc2307 --interactive
and then samba
and then smbclient -L localhost -U%
and now get
Quote:
Domain=[KINGDOM] OS=[Unix] Server=[Samba 4.1.6]
Sharename       Type      Comment
---------       ----      -------
netlogon        Disk
sysvol          Disk
IPC$            IPC       IPC Service (Samba 4.1.6)
Domain=[KINGDOM] OS=[Unix] Server=[Samba 4.1.6]
smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[KINGDOM] OS=[Unix] Server=[Samba 4.1.6]
. D 0 Sat Apr 12 17:11:21 2014
.. D 0 Sat Apr 12 17:13:40 2014
64251 blocks of size 524288. 60017 blocks available
So far so good, right? Now for the kerberos part:
I tried downloading the krb5 SlackBuild from SlackBuilds, but building it failed with
Code:
sh krb5.SlackBuild
.....
making all in kadmin/testing/util...
make[3]: Entering directory `/tmp/SBo/krb5-1.7.1/src/kadmin/testing/util'
gcc -DHAS_STDARG -I../../../include -I./../../../include -I../../../lib/kdb/ -DKRB5_DEPRECATED=1 -O2 -fPIC -Wall -Wcast-qual -Wcast-align -Wshadow -Wmissing-prototypes -Wno-format-zero-length -Woverflow -Wstrict-overflow -Wmissing-format-attribute -Wmissing-prototypes -Wreturn-type -Wmissing-braces -Wparentheses -Wswitch -Wunused-function -Wunused-label -Wunused-variable -Wunused-value -Wunknown-pragmas -Wsign-compare -Werror=declaration-after-statement -Werror=variadic-macros -pthread -c tcl_ovsec_kadm.c
tcl_ovsec_kadm.c: In function 'parse_str':
tcl_ovsec_kadm.c:241:14: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
*out_str = (char *) in_str;
^
tcl_ovsec_kadm.c: In function 'parse_principal_ent':
tcl_ovsec_kadm.c:676:18: error: 'Tcl_Interp' has no member named 'result'
sprintf(interp->result, "wrong # args in principal structure (%d should be 12)",
^
tcl_ovsec_kadm.c: In function 'parse_policy_ent':
tcl_ovsec_kadm.c:860:18: error: 'Tcl_Interp' has no member named 'result'
sprintf(interp->result, "wrong # args in policy structure (%d should be 7)",
^
tcl_ovsec_kadm.c: In function 'unparse_keyblock':
tcl_ovsec_kadm.c:1001:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
for (i = 0; i < keyblock->length; i++) {
^
make[3]: *** [tcl_ovsec_kadm.o] Error 1
make[3]: Leaving directory `/tmp/SBo/krb5-1.7.1/src/kadmin/testing/util'
make[2]: *** [all-recurse] Error 1
make[2]: Leaving directory `/tmp/SBo/krb5-1.7.1/src/kadmin/testing'
make[1]: *** [all-recurse] Error 1
make[1]: Leaving directory `/tmp/SBo/krb5-1.7.1/src/kadmin'
make: *** [all-recurse] Error 1
So I downloaded a binary from slacky.eu krb5-1.12, which seems to have installed OK.
However "klist" gets "command not found", as does "kinit".
Frankly, heimdall would suit me fine also, as I just want the Samba AD DC part working. I looked at http://canich.net/slackware/krb5.html#krb5-pkg, but it is from 2011, so before I try to follow that guide, I was wondering if you had any suggestions or could let me know how you set up your samba.
Do you realize that you already have Heimdall installed on your server? It comes with Samba 4. It is private to Samba so there is no way to use it system-wide. Samba uses this internal Heimdall implementation for its Active Directory Domain Controller role.
If you want to test communication with the Samba server, with a kerberos client on another computer or even on the server itself, then you will need a separate Heimdall package, like the one in my repository: http://www.slackware.com/~alien/slackbuilds/heimdall/
Quote:
Do you realize that you already have Heimdall installed on your server?
Hmm, obviously not, I'm equally obviously over my head. I'm just trying to get AD DC working right now, and was running through the testing steps. It doesn't appear that what I have done so far is sufficient to allow any Windows machines to see an AD domain, which doesn't surprise me. I've really only used the old samba workgroups in the past.
Quote:
If you want to test communication with the Samba server, with a kerberos client on another computer or even on the server itself, then you will need a separate Heimdall package, like the one in my repository: http://www.slackware.com/~alien/slackbuilds/heimdall/
It seems that's not the "Heimdal" (one l) included with Samba, but something else entirely.
The home page for Heimdal is http://www.h5l.org. The latest stable version (1.5.3) compiles without issues on Slackware.
Quote:
Originally Posted by mostlyharmless
Hmm, obviously not, I'm equally obviously over my head. I'm just trying to get AD DC working right now, and was running through the testing steps.
As AlienBob said, a version of Heimdal Kerberos is included with Samba 4. You don't need to install anything else.
Quote:
Originally Posted by mostlyharmless
It doesn't appear that what I have done so far is sufficient to allow any Windows machines to see an AD domain, which doesn't surprise me. I've really only used the old samba workgroups in the past.
If samba-tool domain provision completed successfully, you have a working AD DC.
Clients will need to use the Samba or BIND DNS server you specified during provisioning, and you should join Samba/Windows clients to the domain. Logging on from a client without a domain account will work if your smb.conf allows NTLM fallback, but you'll miss out on all the useful AD features (Kerberos, ID mapping, RFC 2307 Unix attributes etc).
Quote:
It seems that's not the "Heimdal" (one l) included with Samba, but something else entirely.
The home page for Heimdal is http://www.h5l.org. The latest stable version (1.5.3) compiles without issues on Slackware.
Ah, shoot :-) I never published my heimdal (kerberos) package.
And you are right, the Heimdall I point to by mistake is a program which is used to flash Samsung phones... my apologies for causing confusion.
Well, I built heimdal (the correct one), and it installed its binaries into /usr/heimdal. Tried adding /usr/bin/heimdal/bin and sbin to the PATH in /etc/profile, but that didn't quite seem to work right. Is there a better way?
In the mean time, I can go to that directory and run ./kinit. Still have my hands full trying to figure out how to set it all up though
Quote:
Originally Posted by mostlyharmless
Well, I built heimdal (the correct one), and it installed its binaries into /usr/heimdal. Tried adding /usr/bin/heimdal/bin and sbin to the PATH in /etc/profile, but that didn't quite seem to work right. Is there a better way?
I consider Heimdal to be a system component in a Kerberized environment, so I usually install directly to /usr/bin. If you want to keep it separate from "native" Slackware packages, /opt/heimdal would be the natural choice in my opinion.
Quote:
Originally Posted by mostlyharmless
In the meantime, I can go to that directory and run ./kinit. Still have my hands full trying to figure out how to set it all up though
Set up what exactly? Once you've provisioned the domain, there's literally nothing more you need to do. The provisioning scripts will have created the Kerberos realm, populated the AD database and created the necessary DNS records.
In order to locate the domain controllers in the AD domain, client computers will need to use whichever DNS server holds the AD-specific records.
I think getting Samba to work with A/D is non-trivial. I've battled in the past. I now have a recipe which involves rebuilding Samba from scratch using kerberos. I had no idea Slack was supposedly able to work with A/D out-of-the-box. Would someone (perhaps @Ser Olmy) be able to give us a for-dummies rundown please ?
Samba 4.x is the first major version to support being an Active Directory Domain Controller. Setting up a Samba AD domain from scratch is pretty straightforward:
Decide on an Active Directory domain name
Decide whether you want to use a BIND dlz zone or the built-in Samba DNS server
Configure the BIND dlz zone if necessary
Run samba-tool domain provision with the correct parameters or in interactive mode
That's all there is to it, really. I did this only a few days ago, and it worked like a charm. I then configured a Windows 7 workstation to use the proper DNS server and had it join the domain.
You'll still have to configure winbind, NSS and PAM if you want to log on to a Linux system with AD credentials and be able to map Windows SIDs to Unix UIDs and GIDs, just like before.
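An added example (my code, not Ser Olmy's and not part of Samba) that turns the four steps above, plus the point made earlier in the thread that clients must use the DNS server holding the AD records, into something you can run: it builds the non-interactive equivalent of the provision command and then checks that the SRV records a Windows client or winbind uses to locate a DC actually answer with the right host and port. The realm KINGDOM.EXAMPLE.COM, the NetBIOS name KINGDOM, the host dc1 and the sample dig output are all invented for illustration.

```python
"""Added example, not from the thread or from Samba: non-interactive
provisioning command plus post-provision DNS checks for a Samba 4 AD DC.
Realm KINGDOM.EXAMPLE.COM, NetBIOS name KINGDOM, host dc1 and the sample
dig output are made up for illustration."""
import re
import subprocess

DNS_BACKENDS = ("SAMBA_INTERNAL", "BIND9_DLZ", "BIND9_FLATFILE", "NONE")


def check_names(realm, netbios):
    """Problems with a realm / NetBIOS pair, caught before a provision run."""
    problems = []
    if "." not in realm:
        problems.append("realm should be a multi-label DNS name, not a single label")
    if realm != realm.upper():
        problems.append("Kerberos realms are upper case; use %s" % realm.upper())
    if len(netbios) > 15:
        problems.append("NetBIOS domain name is longer than 15 characters")
    if "." in netbios:
        problems.append("NetBIOS domain name must not contain dots")
    return problems


def provision_argv(realm, netbios, dns_backend="SAMBA_INTERNAL", adminpass=None):
    """Non-interactive form of `samba-tool domain provision --use-rfc2307 --interactive`.
    --adminpass puts the password into the process list; prefer the prompt."""
    if dns_backend not in DNS_BACKENDS:
        raise ValueError("unknown dns backend %r" % dns_backend)
    argv = ["samba-tool", "domain", "provision", "--use-rfc2307",
            "--realm=" + realm.upper(), "--domain=" + netbios.upper(),
            "--server-role=dc", "--dns-backend=" + dns_backend]
    if adminpass is not None:
        argv.append("--adminpass=" + adminpass)
    return argv


# Service prefix -> port the SRV record must advertise for a DC.
SRV_PORTS = {"_ldap": 389, "_gc": 3268, "_kerberos": 88, "_kpasswd": 464}


def dc_srv_names(realm):
    """SRV names clients query to locate a DC; provisioning creates all of them."""
    r = realm.lower()
    return ["_ldap._tcp." + r, "_ldap._tcp.dc._msdcs." + r,
            "_kerberos._tcp." + r, "_kerberos._udp." + r,
            "_kpasswd._tcp." + r, "_kpasswd._udp." + r, "_gc._tcp." + r]


SRV_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def parse_srv_answer(text):
    """Parse `dig +short SRV name` output into (priority, weight, port, target)."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            pri, weight, port, target = m.groups()
            records.append((int(pri), int(weight), int(port), target.lower()))
    return records


def missing_dc_records(realm, answers, dc_host):
    """SRV names whose answer does not point at dc_host on the expected port.
    answers maps SRV name -> dig output text (empty string if unanswered)."""
    missing = []
    for name in dc_srv_names(realm):
        port = SRV_PORTS[name.split(".")[0]]
        recs = parse_srv_answer(answers.get(name, ""))
        if not any(p == port and t == dc_host.lower() for _, _, p, t in recs):
            missing.append(name)
    return missing


def query_srv(name, server=None):
    """Live lookup with dig; only used from __main__ so the checks stay offline-testable."""
    cmd = ["dig", "+short", "SRV", name] + (["@" + server] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


# Constructed dig output for a healthy DC called dc1 (not captured from a real server).
SAMPLE_ANSWERS = {name: "0 100 %d dc1.kingdom.example.com.\n" % SRV_PORTS[name.split(".")[0]]
                  for name in dc_srv_names("KINGDOM.EXAMPLE.COM")}

if __name__ == "__main__":
    print(" ".join(provision_argv("KINGDOM.EXAMPLE.COM", "KINGDOM")))
    live = {n: query_srv(n, "127.0.0.1") for n in dc_srv_names("KINGDOM.EXAMPLE.COM")}
    print("missing:", missing_dc_records("KINGDOM.EXAMPLE.COM", live, "dc1.kingdom.example.com"))
```

Run it on the DC after provisioning; the live lookup assumes the Samba internal DNS (or the BIND dlz zone) answers on 127.0.0.1. If any name comes back in the missing list, a client pointed at this server will not find the domain, whatever else looks right. The checks themselves are pure functions, so they also run against dig output captured from a client that cannot join.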
Thanks ... And what if you were working in a pre-existing A/D environment and just wanted to hook up your Slack box so that it could create shares ? (The A/D environment would be 100% genuine Microsoft - not Samba acting as A/D domain controller). Again - I have this working via a convoluted method which involves adding Kerberos and recompiling from scratch. I'd love to use Samba 4 from Slack as-is !
Quote:
Thanks ... And what if you were working in a pre-existing A/D environment and just wanted to hook up your Slack box so that it could create shares ?
You can skip the Kerberos installation steps, as a version of Heimdal is bundled with Samba 4. Just go straight to the step where you put the IP addresses of the AD DCs (and ONLY the AD DCs) as name servers in /etc/resolv.conf and configure smb.conf with "security = ads", but make sure you read up on the current syntax for the settings related to ID mapping. Then run net ads join as before.
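An added example (my code, not the poster's and not part of Samba) covering the two things in the reply above that most often break a member-server join: the "DCs and ONLY the DCs" rule for /etc/resolv.conf, and the current `idmap config DOMAIN : ...` syntax with its range rules. The sample smb.conf shows a working member-server [global] section using the rid backend; the checker then flags a missing `security = ads`, a lower-case realm, a missing default (`*`) range, and overlapping idmap ranges. The domain KINGDOM / KINGDOM.EXAMPLE.COM, the DC addresses 192.0.2.10 and 192.0.2.11, both sample files and the UID_MIN value are constructed for illustration.

```python
"""Added example, not from the thread or from Samba: checks for a Slackware
member server joining an existing AD domain.  The smb.conf, resolv.conf,
domain names, DC addresses and LOCAL_UID_MIN are constructed assumptions."""
import re

# Constructed member-server smb.conf [global] section (current idmap syntax).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = KINGDOM
   realm = KINGDOM.EXAMPLE.COM
   security = ads
   # Default backend: BUILTIN and any domain without its own block land here.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # rid backend: UID = range base + RID, identical on every member server.
   idmap config KINGDOM : backend = rid
   idmap config KINGDOM : range = 10000-999999
   winbind use default domain = yes
   kerberos method = secrets and keytab
"""

# Constructed resolv.conf: the DCs and only the DCs, as the reply insists.
SAMPLE_RESOLV_CONF = """\
search kingdom.example.com
nameserver 192.0.2.10
nameserver 192.0.2.11
"""

LOCAL_UID_MIN = 1000  # assumption: Slackware's UID_MIN from /etc/login.defs


def parse_global(text):
    """Minimal smb.conf reader: {normalised key: value} for [global]; no include support."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key.strip().lower()))
        params[key] = value.strip()
    return params


IDMAP_KEY = re.compile(r"^idmap config (\S+):(backend|range)$")


def idmap_config(params):
    """{domain: {"backend": str|None, "range": (low, high)|None}} from idmap config lines."""
    per = {}
    for key, value in params.items():
        m = IDMAP_KEY.match(key)
        if not m:
            continue
        entry = per.setdefault(m.group(1), {"backend": None, "range": None})
        if m.group(2) == "backend":
            entry["backend"] = value.lower()
        else:
            low, high = value.replace(" ", "").split("-", 1)
            entry["range"] = (int(low), int(high))
    return per


def check_member_config(params):
    """Problems in a member-server [global] that net ads join or winbind would hit."""
    problems = []
    if params.get("security", "").lower() != "ads":
        problems.append("security must be ads for a domain member")
    realm = params.get("realm", "")
    if not realm or realm != realm.upper():
        problems.append("realm must be set and upper case")
    workgroup = params.get("workgroup", "").lower()
    if not workgroup:
        problems.append("workgroup (NetBIOS domain) is missing")
    per = idmap_config(params)
    if per.get("*", {}).get("range") is None:
        problems.append("idmap config * : range is missing; BUILTIN needs it")
    if workgroup and workgroup not in per:
        problems.append("no idmap config for %s; it falls back to the * backend" % workgroup)
    spans = []
    for dom, entry in per.items():
        if entry["range"] is None:
            problems.append("idmap config %s : range is missing" % dom)
            continue
        low, high = entry["range"]
        if low < LOCAL_UID_MIN:
            problems.append("idmap range for %s starts below local UID_MIN" % dom)
        spans.append((low, high, dom))
    spans.sort()  # adjacent sorted spans overlap iff the next low is <= this high
    for (_, high1, d1), (low2, _, d2) in zip(spans, spans[1:]):
        if low2 <= high1:
            problems.append("idmap ranges for %s and %s overlap" % (d1, d2))
    return problems


def check_resolv_conf(text, dc_ips, realm):
    """Every nameserver must be an AD DC (only they serve the _msdcs SRV records);
    the search list should carry the realm so short DC names resolve."""
    problems, nameservers, search = [], [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            nameservers.append(parts[1])
        elif parts[0] in ("search", "domain"):
            search.extend(p.lower() for p in parts[1:])
    if not nameservers:
        problems.append("no nameserver lines")
    problems.extend("nameserver %s is not an AD DC" % ns for ns in nameservers if ns not in dc_ips)
    if realm.lower() not in search:
        problems.append("search list should include %s" % realm.lower())
    return problems
```

Run the two checks before `net ads join`; an empty list from both is the point at which the join normally succeeds first time. Overlapping or missing idmap ranges do not stop the join itself, they surface later as winbind refusing to map SIDs, which is why the range check is worth doing up front. The rid backend is chosen here because it gives every member server the same UID for the same account without a shared allocation database; the `*` range stays separate so BUILTIN groups never collide with it.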