NAME
sadms - join a Linux box to an Active Directory domain as a Samba member server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SADMS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What to do?
- install the package's dependencies (this may be carried out
  automatically through apt, yum, urpmi and the like)
- run precheck to ensure everything went well
- detect the data
- fill in the remaining data
- optionally run the network, DNS and Kerberos diagnostics
- run install; you will have to wait for some time while the Active
  Directory users are imported
- run install PAM if Active Directory users are to log in to the host
  interactively
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PRETESTS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This series of tests determines:
- whether Samba 3 is present on the host
- whether the krb5-workstation package is present
- whether pam_mount is installed
Note that the ./START script can guide you through installing the
required packages.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DATA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DNS : This is the DNS suffix (domain name) that your Active Directory
operates on.
realm : This is the Kerberos realm, usually the same as the DNS domain
but in uppercase.
kdc : This is a Domain Controller that issues the Kerberos tickets used
in authentication, also referred to as the KDC, the Key Distribution
Center. Fill it in only if it cannot be located through DNS (Active
Directory normally publishes its KDCs as SRV records).
netbios domain name : This is the (short) name for the domain, the way
domains were named before Active Directory.
netbios server name : This is the Netbios name of the Samba host you
are currently configuring. Though this is by no means compulsory, it
makes sense to provide the same name as the DNS, to be on the safe
side.
domain users group : The container for Domain Users. This is localized
and is 'Domain users' in English, 'Utilisa. du domaine' in French.
hosts allow : This points at the network that is allowed to access the
Samba host being configured. This parameter is a comma, space, or tab
delimited set of hosts which are permitted to access the Samba
services. You can specify the hosts by name or IP number. You can also
specify hosts by network/netmask pairs and by netgroup names. If it is
left unset, every host may connect, so restrict it to the subnets that
actually need the shares. See man smb.conf for further reference.
OU to place host in : This is the Organizational Unit container the
host being configured will be placed in within Active Directory. This
may vary with languages and is 'Computers' in English.
WINS server : This specifies the IP address (or DNS name; an IP address
for preference) of the WINS server that the host should register with.
This is optional: the data is written to smb.conf only if it is
non-null. To disable the parameter afterwards, comment the line out in
smb.conf.
domain administrator login : The Active Directory administrator login
you are operating as. This is necessary for a host to join a domain.
domain administrator password : The Active Directory administrator
password. It is needed for the join; make sure it is not left behind
in a world-readable file or in shell history afterwards.
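As an added example (not part of sadms or its documentation), the following shell script shows where the values above end up: it renders the smb.conf and krb5.conf fragments that correspond to the DATA parameters, so each value can be reviewed before the join. The host names, addresses and option values are constructed placeholders, and which of these Samba 3 and MIT Kerberos options sadms itself writes is an assumption.

```shell
#!/bin/sh
# Added example, not sadms code: map the DATA parameters onto the
# smb.conf / krb5.conf options they correspond to.  All values below are
# constructed placeholders; the option set is an assumption about what a
# Samba 3 member-server setup needs, not a copy of what sadms writes.

DNS_DOMAIN="example.com"          # DNS suffix of the AD domain
NETBIOS_DOMAIN="EXAMPLE"          # short (pre-AD) domain name
NETBIOS_SERVER="linuxhost"        # this host, same as its DNS label
HOSTS_ALLOW="192.168.1. 127."     # only the local subnet and loopback
KDC="dc1.example.com"             # set only if SRV lookup fails; "" otherwise
WINS_SERVER=""                    # "" leaves the wins server line out

# Kerberos realm: the DNS domain in upper case.
realm_from_dns() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Print the [global] fragment for smb.conf.
# Args: dns_domain netbios_domain netbios_server hosts_allow kdc wins
render_smb_conf() {
    realm=$(realm_from_dns "$1")
    printf '[global]\n'
    printf '   workgroup = %s\n' "$2"
    printf '   realm = %s\n' "$realm"
    printf '   security = ads\n'
    printf '   netbios name = %s\n' "$3"
    # Without hosts allow, smbd accepts connections from any host.
    printf '   hosts allow = %s\n' "$4"
    if [ -n "$5" ]; then printf '   password server = %s\n' "$5"; fi
    if [ -n "$6" ]; then printf '   wins server = %s\n' "$6"; fi
    printf '   winbind use default domain = yes\n'
    printf '   winbind enum users = yes\n'
    printf '   winbind enum groups = yes\n'
    printf '   idmap uid = 10000-20000\n'
    printf '   idmap gid = 10000-20000\n'
    printf '   template homedir = /home/%%U\n'
    printf '   template shell = /bin/bash\n'
}

# Print krb5.conf.  A [realms] kdc entry is emitted only when a KDC was
# given; otherwise dns_lookup_kdc lets libkrb5 find it via SRV records.
# Args: dns_domain kdc
render_krb5_conf() {
    realm=$(realm_from_dns "$1")
    printf '[libdefaults]\n'
    printf '   default_realm = %s\n' "$realm"
    printf '   dns_lookup_kdc = true\n'
    printf '   dns_lookup_realm = false\n'
    if [ -n "$2" ]; then
        printf '[realms]\n'
        printf '   %s = {\n      kdc = %s\n   }\n' "$realm" "$2"
    fi
    printf '[domain_realm]\n'
    printf '   .%s = %s\n   %s = %s\n' "$1" "$realm" "$1" "$realm"
}

# DNS diagnostic in the spirit of the page's "dns" check (needs network,
# so it is defined but not called here): AD publishes KDCs and domain
# controllers as SRV records under these names.
check_ad_dns() {
    host -t SRV "_kerberos._tcp.$1" && host -t SRV "_ldap._tcp.dc._msdcs.$1"
}

# Stand-alone run: print both fragments for review.
render_smb_conf "$DNS_DOMAIN" "$NETBIOS_DOMAIN" "$NETBIOS_SERVER" \
                "$HOSTS_ALLOW" "$KDC" "$WINS_SERVER"
render_krb5_conf "$DNS_DOMAIN" "$KDC"
```

The password server and wins server lines are emitted only when the corresponding value is non-empty, matching the note above that a null WINS entry is left out of smb.conf, and the kdc entry likewise only when DNS lookup cannot be relied on. With files like these in place, a manual join would typically consist of kinit with the domain administrator account followed by net ads join; the administrator password is consumed by that step and has no reason to persist on the host.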
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PAM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This will configure system authentication
(/etc/pam.d/system-auth) to use
- pam_winbind : use Active Directory
  authentication, so the user does not have
  to have a local account to log in to this
  host.
- pam_mkhomedir : create a local home
  directory for an Active Directory user who
  does not have a local home yet.
- pam_mount : connect to a Samba or Windows
  remote share that may contain a domain
  home. The share is mounted on the local
  file system (/mnt/net).
Important note: Tampering with the /etc/pam.d service files may result
in the machine being unable to accept any authentication, even from
root. Should such a situation occur, reboot the system into single-user
mode and use an editor to restore /etc/pam.d/system-auth to its
previous contents: remove the pam_winbind, pam_mount and pam_mkhomedir
lines and remove use_first_pass from the pam_unix line. It is
recommended that the system administrator keep a root console session
open while carrying out the tests, and verify a fresh login from a
second session before closing it.
Home server : This is the Samba or Windows server that hosts the share
the user will connect to; it will be mounted at /mnt/net.
Home share : This is the name of the share (without any leading server
name). If the share is to be determined at run time and is
user-dependent, use * as a placeholder for the logged-on user name.
Tests with more than one level have so far failed (e.g. users/*).
Client signing : If you connect to a Windows 2003 server, client signing
may be necessary. smbfs does not support client signing, so use the
cifs file system instead. See the end of /etc/security/pam_mount.conf.
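The recovery procedure from the important note above, as an added shell example (not sadms code): a backup taken before install PAM is run, and a restore function that strips exactly the lines the note lists, so the fix in single-user mode is a single command rather than hand editing. The system-auth content is a constructed sample, not a file from any distribution, and the module order shown is an assumption.

```shell
#!/bin/sh
# Added example, not sadms code: back up /etc/pam.d/system-auth before
# install PAM touches it, and undo the sadms additions in place (drop
# pam_winbind, pam_mount and pam_mkhomedir, strip use_first_pass from
# pam_unix).  The sample stack below is constructed; real stacks differ.

# Keep a dated copy so recovery in single-user mode is one cp.
backup_pam() {
    cp -p "$1" "$1.pre-sadms.$(date +%Y%m%d)"
}

# Remove the three modules sadms adds and the use_first_pass option it
# puts on pam_unix, leaving every other line of the stack untouched.
restore_system_auth() {
    f="$1"
    tmp="$f.tmp.$$"
    grep -vE 'pam_(winbind|mount|mkhomedir)\.so' "$f" \
      | sed -E '/pam_unix\.so/ s/[[:space:]]+use_first_pass([[:space:]]|$)/\1/' \
      > "$tmp"
    mv "$tmp" "$f"
}

# Constructed sample of a system-auth after install PAM (not a real file).
write_sample_system_auth() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so nullok try_first_pass use_first_pass
auth        required      pam_deny.so
account     sufficient    pam_winbind.so
account     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
session     optional      pam_mount.so
session     required      pam_unix.so
EOF
}

# Number of stack lines still referencing the modules sadms adds;
# prints 0 (rather than failing) once they are all gone.
count_sadms_modules() {
    grep -cE 'pam_(winbind|mount|mkhomedir)\.so' "$1" || true
}

# Stand-alone demo on a temporary copy.  Never run restore_system_auth
# against the live file without a root shell still open elsewhere.
d=$(mktemp -d)
write_sample_system_auth "$d/system-auth"
backup_pam "$d/system-auth"
restore_system_auth "$d/system-auth"
cat "$d/system-auth"
rm -rf "$d"
```

The restore deliberately filters by module name rather than by line number, since the position of the sadms lines in the stack differs between distributions; the backup copy remains the authoritative fallback if anything else in the file was changed.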
February 02, 2008 sadms(1)