sadms(1)
NAME
sadms - turn a Linux box into a domain controller
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SADMS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What to do ?
- install the package's dependencies (this may be carried out automatically through apt, yum, urpmi and the like)
- run precheck to ensure everything went well
- detect the data
- fill in the remaining data
- optionally run the network, DNS and Kerberos diagnostics
- run install
- you'll have to wait for some time until Active Directory users are imported
- run install PAM if Active Directory users are to interactively log in to the host.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PRETESTS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This series of tests determines:
- if Samba 3 is present on the host
- if the krb5-workstation package is present
- if pam_mount is installed
Note that the ./START script can guide you into installing the required libraries.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DATA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DNS : This is the DNS suffix that your Active Directory operates on.
realm : This is the Kerberos realm, usually the same as the DNS domain
but in uppercase.
kdc : This is a Domain Controller that delivers the Kerberos tickets used
in authentication; give it here in case it is not found through DNS. Also
referred to as the KDC, the Key Distribution Center.
netbios domain name : This is the (short) name for the domain, the way
domains were named before Active Directory.
netbios server name : This is the Netbios name of the Samba host you
are currently configuring. Though this is by no means compulsory, it
makes sense to provide the same name as the DNS host name, to be on the
safe side.
domain users group : The container for Domain Users. This is localized
and is 'Domain users' in English, 'Utilisa. du domaine' in French.
hosts allow : This points at the network that is allowed to access the
Samba host being configured. This parameter is a comma, space, or tab
delimited set of hosts which are permitted to access the Samba services. You can specify the hosts by name or IP number. You can also
specify hosts by network/netmask pairs and by netgroup names. See man
smb.conf for further reference.
OU to place host in : This is the Organizational Unit container the
host to be configured will be placed in in Active Directory. This may
vary with languages and is 'Computers' in English.
WINS server : This specifies the IP address (or DNS name; IP address
for preference) of the WINS server that the host should register with.
This is optional and the data will be placed into smb.conf if the data
is non-null. The line in smb.conf should then be commented out for
the parameter to be disabled.
domain administrator login : Active Directory administrator login you
are operating as. This is necessary for a host to enter a domain.
domain administrator password : Active Directory administrator password.
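As an added example (not part of sadms), the following shell functions derive the DATA values described above and emit the smb.conf [global] lines they feed; the function names, the "security = ADS" line and the sample values are assumptions of this example, not the tool's own code.

```sh
#!/bin/sh
# Added example, not part of sadms: derive the DATA values described above
# and emit the smb.conf [global] lines they feed. Function names, the
# "security = ADS" line and the sample values are assumptions of this example.

# realm: the DNS suffix in uppercase.
ad_realm() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# netbios server name: the host's first DNS label, uppercased and cut to the
# 15-character NetBIOS limit, so it matches the DNS name as the text advises.
ad_netbios_name() {
    printf '%s' "${1%%.*}" | tr '[:lower:]' '[:upper:]' | cut -c1-15
}

# hosts allow: accept host names, IP addresses, network/netmask pairs and
# @netgroup names (comma, space or tab separated) and reject anything else,
# so a stray character cannot silently widen who may reach the Samba host.
ad_check_hosts_allow() {
    for entry in $(printf '%s' "$1" | tr ',\t' '  '); do
        case "$entry" in
            @*) ;;                                      # netgroup name
            *[!A-Za-z0-9./_-]*) return 1 ;;             # characters never valid here
            */*) printf '%s' "$entry" | grep -Eq '^[0-9.]+/[0-9.]+$' || return 1 ;;
            *) ;;                                       # plain host name or IP
        esac
    done
    return 0
}

# Emit the [global] section; the "wins server" line is written only when the
# WINS value is non-null, exactly as the DATA section describes.
ad_global_conf() {
    dns="$1" server="$2" workgroup="$3" hosts_allow="$4" wins="$5"
    ad_check_hosts_allow "$hosts_allow" || { echo "rejected hosts allow: $hosts_allow" >&2; return 1; }
    printf '[global]\n'
    printf '   workgroup = %s\n' "$workgroup"
    printf '   realm = %s\n' "$(ad_realm "$dns")"
    printf '   netbios name = %s\n' "$(ad_netbios_name "$server")"
    printf '   security = ADS\n'
    printf '   hosts allow = %s\n' "$hosts_allow"
    [ -n "$wins" ] && printf '   wins server = %s\n' "$wins"
    return 0
}

# Constructed sample values (not a real domain): no WINS server given.
ad_global_conf example.com fs01.example.com EXAMPLE "192.168.1.0/24, 10.0.0.5" ""
```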
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PAM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This will configure system authentication (/etc/pam.d/system-auth) to use:
- pam_winbind : use Active Directory authentication, so the user does not have to have a local account to log in to this host.
- pam_mkhomedir : create a local home directory footprint for an Active Directory user that does not have a local home.
- pam_mount : connect to a Samba or Windows remote share that could contain a domain home. The share will be mounted on the local file system (/mnt/net).
Important note: Tampering with the /etc/pam.d service files may result in the machine being unable to accept any authentication, even from root. Should such a situation occur, reboot the system in administrative mode (single) and use an editor to restore /etc/pam.d/system-auth to its previous contents: remove the pam_winbind, pam_mount and pam_mkhomedir lines and remove use_first_pass from the pam_unix line. It is recommended that the system administrator leave a console session open while carrying out the tests.
- Home server : This is the Samba or Windows server that hosts the share the user will connect to; it will be mounted at /mnt/net.
- Home share : This is the name of the share (without any leading server name). If the share is to be determined at run time and is user-dependent, use * as a place-holder for the logged-on user name. Tests with more than one level have so far failed (e.g. users/*).
- Client signing : If you connect to a Windows 2003 server, client signing may be necessary. smbfs does not support client signing, so use the cifs file system. See the end of /etc/psecurity/pammount.conf.