<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Poptop MSCHAP2 ADS Howto</title>
</head>

<body>
<p><strong>9. Samba</strong></p>
<p>FC4 comes with samba v3.0.14a. The samba project released v3.0.20 on 20 August 2005. Here is a quote from the v3.0.20 release notes about winbind.</p>
<blockquote>
  <p>-- quote --<br>
  Winbindd has been completely rewritten in this release to support an almost completely non-blocking, asynchronous request/reply model. This means that winbindd will scale much better in large domain environments and on high latency networks.<br>
  -- quote --</p>
</blockquote>
<p>It is highly recommended to upgrade samba to v3.0.20 or above. The latest samba v3.0.21c rpms for FC4 can be found <a href="http://us5.samba.org/samba/ftp/Binary_Packages/Fedora/RPMS/i386/core/4/">here</a>. Download a copy and then update samba with the command "rpm -Uvh samba*.rpm".</p>
<p><strong>Note: </strong>Samba v3.0.21 has a bug in the oplock code. Avoid this version. Use v3.0.21a or above.</p>
<hr>
<strong><a name="smbconf"></a>9.1 Configure Samba</strong>
<p>Whether you choose winbind or freeradius to connect to Active Directory, you will have to configure samba properly. The samba configuration file is /etc/samba/smb.conf. The file should have at least the following lines.
</p>
<blockquote>
  <pre>[global]
# define the netbios name of the domain
<strong>workgroup = EXAMPLE</strong>
# define the pptp server netbios name
<strong>netbios name = PPTPDSVR</strong>
# define the AD domain name
<strong>realm = EXAMPLENET.ORG</strong>
# server description
server string = pptpd Server
# printer stuff
printcap name = /etc/printcap
load printers = no
cups options = raw
# log file stuff
log file = /var/log/samba/%m.log
max log size = 50
# must be set to ads
<strong>security = ads</strong>
# address of domain controller
<strong>password server = 10.0.0.1</strong>
# enable encrypted passwords
<strong>encrypt passwords = yes</strong>
# default setting
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# not to be a master browser
domain master = no
preferred master = no
# address of the WINS server
<strong>wins server = 10.0.0.1</strong>
dns proxy = no
# this line is required to join the domain
<strong>client use spnego = yes</strong>
# winbind stuff
<strong>idmap uid = 50001-550000
idmap gid = 50001-550000
winbind separator = +
winbind nested groups = Yes
winbind enum users = yes
winbind enum groups = yes</strong>
template shell = /bin/false
winbind use default domain = no</pre>
</blockquote>
<p>The lines in bold are the important ones that you should pay attention to. Execute "testparm" to check the configuration.
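</p>
<p>As an added check that is not part of the howto or of Samba itself: a small Python script that parses the [global] section of smb.conf the way Samba reads it (case- and whitespace-insensitive keys, <code>#</code> and <code>;</code> comments, other sections ignored) and confirms that the lines shown in bold above are present with the values this howto needs. The two sample configurations inside it are constructed for the test.</p>

```python
import re
# Settings the howto prints in bold; None means any non-empty value is accepted.
REQUIRED = {"workgroup": None, "realm": None, "security": "ads", "password server": None,
            "encrypt passwords": "yes", "client use spnego": "yes",
            "idmap uid": None, "idmap gid": None}
def parse_global(text):
    """Return the [global] section as {key: value}; smb.conf keys are case- and space-insensitive."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        m = re.match(r"\[(.+)\]$", line)         # section header
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            settings[" ".join(key.lower().split())] = value.strip()
    return settings
def check_ads_config(text):
    """Return a list of problems; an empty list means every required line is present."""
    g, problems = parse_global(text), []
    for key, want in REQUIRED.items():
        got = g.get(key, "")
        if not got:
            problems.append("missing: " + key)
        elif want is not None and got.lower() != want:
            problems.append("%s = %s (expected %s)" % (key, got, want))
    # idmap ranges must read LOW-HIGH with LOW < HIGH, or winbind has no ids to hand out
    for key in ("idmap uid", "idmap gid"):
        m = re.match(r"^(\d+)\s*-\s*(\d+)$", g.get(key, ""))
        if g.get(key) and (not m or int(m.group(1)) >= int(m.group(2))):
            problems.append("bad range: %s = %s" % (key, g[key]))
    return problems
# Constructed sample mirroring the howto's bold lines; the [homes] section must be ignored.
GOOD_CONF = """[global]
Workgroup = EXAMPLE
realm = EXAMPLENET.ORG
security = ads
password server = 10.0.0.1
encrypt passwords = yes
client use spnego = yes
idmap uid = 50001-550000
idmap gid = 50001-550000
[homes]
security = user
"""
# Constructed sample: default security model left in place and the gid range inverted.
BAD_CONF = GOOD_CONF.replace("security = ads", "security = user", 1).replace("idmap gid = 50001-550000", "idmap gid = 550000-50001")
```

<p>Run it on the live file with <code>check_ads_config(open("/etc/samba/smb.conf").read())</code>; testparm validates the syntax, while this confirms the specific values the howto depends on are in place.</p>
<p>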
Correct any errors before proceeding to the next step.</p>
<hr>
<a name="smbjoin"></a><strong>9.2 Join the AD Domain</strong>
<p>Once Kerberos and Samba are configured, it's time to add the pptpd server to the AD domain.</p>
<blockquote>
  <pre>[root@pptp ~]# net ads join -U skwok@EXAMPLENET.ORG "Asiapac/Australia/Sydney/Servers"
skwok@EXAMPLENET.ORG's password:
Using short domain name -- EXAMPLE
Joined 'PPTPDSVR' to realm 'EXAMPLENET.ORG'</pre>
</blockquote>
<p>The above net ads join command creates the server object in the container</p>
<p>"OU=Servers,OU=Sydney,OU=Australia,OU=Asiapac,DC=EXAMPLENET,DC=ORG"</p>
<p>The user must have administrative rights on that container to create the server object. If the operation is successful, you will see a new server object in the AD.</p>
<p>Another test to see whether the trust between the pptpd server and the domain is working is smbclient, using the Kerberos ticket obtained earlier (the -k option) rather than a password.</p>
<blockquote>
  <pre>[root@pptp ~]# smbclient //dc1/c$ -k
OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]
smb: \> dir
  AUTOEXEC.BAT                        A         0  Wed Jul 20 10:53:47 2005
  boot.ini                         AHSR       208  Fri Jul 22 10:41:57 2005
  CONFIG.SYS                          A         0  Wed Jul 20 10:53:47 2005
  Documents and Settings              D         0  Fri Jul 22 16:25:51 2005
  download                            D         0  Thu Aug  4 17:31:28 2005
  IO.SYS                           AHSR         0  Wed Jul 20 10:53:47 2005
  MSDOS.SYS                        AHSR         0  Wed Jul 20 10:53:47 2005
  NTDETECT.COM                     AHSR     47772  Fri Jul 22 10:16:32 2005
  ntldr                            AHSR    295536  Fri Jul 22 10:16:32 2005
  pagefile.sys                      AHS 805306368  Fri Aug 12 11:24:27 2005
  Program Files                      DR         0  Wed Jul 20 10:51:09 2005
  shared1                             D         0  Thu Jul 21 17:06:28 2005
  System Volume Information         DHS         0  Fri Jul 22 10:52:09 2005
  WINDOWS                             D         0  Tue Aug 16 14:33:36 2005
  wmpub                               D         0  Wed Jul 20 10:55:13 2005

                39064 blocks of size 524288. 31129 blocks available
smb: \></pre>
</blockquote>
<p><strong>Note</strong>: With Samba v3.0.14a or v3.0.20, every time I run "net ads join", the command crashes at the end with the message "*** glibc detected *** net: free(): invalid pointer: 0x001cddb0 ***" and then a dump to the screen. The join seems to be working fine though. Samba v3.0.21a does not have this problem.</p>
<hr>
<a href="poptop_ads_howto_7.htm">Next</a> <a href="poptop_ads_howto_5.htm">Previous</a> <a href="poptop_ads_howto_1.htm#toc">Content</a>
</body>
</html>