Chapter 20. Samba
comment = All Printers
path = /var/spool/samba
printer admin = john, ed, @admins
create mask = 0600
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = Yes
20.6.2. Domain Member Server
A domain member, while similar to a stand-alone server, is logged into a domain controller (either
Windows or Samba) and is subject to the domain's security rules. An example of a domain member
server would be a departmental server running Samba that has a machine account on the Primary
Domain Controller (PDC). All of the department's clients still authenticate with the PDC, and desktop
profiles and all network policy files are included. The difference is that the departmental server has the
ability to control printer and network shares.
20.6.2.1. Active Directory Domain Member Server
The following smb.conf file shows a sample configuration needed to implement an Active Directory
domain member server. In this example, Samba authenticates users for services being run locally
but is also a client of the Active Directory. Ensure that the Kerberos realm parameter is written in all
capitals (for example realm = EXAMPLE.COM). Since Windows 2000/2003 requires Kerberos for Active
Directory authentication, the realm directive is required. If Active Directory and Kerberos are running
on different servers, the password server directive may be required to tell Samba which server to use.
[global]
realm = EXAMPLE.COM
security = ADS
encrypt passwords = yes
# Optional. Use only if Samba cannot determine the Kerberos server automatically.
password server = kerberos.example.com
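As an added example (not from the Deployment Guide), the following POSIX shell script lints the [global] section of an smb.conf against the requirements just described: security = ADS, encrypt passwords = yes, and a realm that is set and written in all capitals. The function names, the awk-based parser and the two sample configuration files are constructed for this example.

```shell
# Lint smb.conf [global] for the Active Directory member-server settings described above.
# smb_global_param, check_ads_global and the sample files are constructed for this example.

# Print the value of one [global] parameter; key matching is case-insensitive, as in Samba.
smb_global_param() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        in_global && !/^[[:space:]]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Print a FAIL line for every unmet requirement; the return value is the number of failures.
check_ads_global() {
    conf="$1"; fails=0
    realm=$(smb_global_param "$conf" realm)
    security=$(smb_global_param "$conf" security)
    encrypt=$(smb_global_param "$conf" "encrypt passwords")
    if [ -z "$realm" ]; then
        echo "FAIL: realm is not set (required for Kerberos/Active Directory)"; fails=$((fails + 1))
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "FAIL: realm '$realm' must be written in all capitals"; fails=$((fails + 1))
    fi
    case "$(printf '%s' "$security" | tr '[:upper:]' '[:lower:]')" in
        ads) ;;
        *) echo "FAIL: security = '$security' (expected ADS)"; fails=$((fails + 1)) ;;
    esac
    case "$(printf '%s' "$encrypt" | tr '[:upper:]' '[:lower:]')" in
        yes|true|1) ;;
        *) echo "FAIL: encrypt passwords = '$encrypt' (expected yes)"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample configurations: one correct, one with a lower-case realm and security = user.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
printf '%s\n' '[global]' '   realm = EXAMPLE.COM' '   security = ADS' \
    '   encrypt passwords = yes' '   # password server = kerberos.example.com' \
    '[printers]' '   path = /var/spool/samba' > "$GOOD_CONF"
printf '%s\n' '[global]' '   realm = example.com' '   security = user' \
    '   encrypt passwords = yes' > "$BAD_CONF"
check_ads_global "$GOOD_CONF" && echo "good config: all requirements met"
check_ads_global "$BAD_CONF" || echo "bad config: $? requirement(s) unmet"
```

Run it against a real smb.conf by calling check_ads_global with the file path; each FAIL line names the parameter that still needs attention before attempting the domain join.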
In order to join a member server to an Active Directory domain, the following steps must be completed:
• Configuration of the smb.conf file on the member server
• Configuration of Kerberos, including the /etc/krb5.conf file, on the member server
• Creation of the machine account on the Active Directory domain server
• Association of the member server to the Active Directory domain
To create the machine account and join the Windows 2000/2003 Active Directory, Kerberos must
first be initialized for the member server wishing to join the Active Directory domain. To create an
administrative Kerberos ticket, type the following command as root on the member server:
kinit administrator@EXAMPLE.COM
The kinit command is a Kerberos initialization script that references the Active Directory
administrator account and Kerberos realm. Since Active Directory requires Kerberos tickets, kinit
obtains and caches a Kerberos ticket-granting ticket for client/server authentication. For more