You are ready to integrate some Linux and Windows hosts. You want a single central authentication mechanism for all users. You have chosen Samba because you're not ready to start migrating to an LDAP backend, or because it is fairly simple to implement, and you're already familiar with it. You want to know what software you need to install.
You will need some or all of these programs installed. Each recipe in this chapter tells you which ones you'll need:
Samba 3.0.20 or newer
MIT Kerberos 1.4 or newer
OpenLDAP
Winbind 3.0.20 or newer (part of Samba, but may be packaged separately)
Then, you need support for these compiled into Samba:
Kerberos
LDAP
Winbind
Active Directory
Debian and Fedora keep their binary packages fairly up-to-date and built with the options you need, so you'll be fine using Aptitude or Yum to install Samba.
Debian tends to split programs into a lot of little packages, so finding all the pieces you want can be a bit of a chore. For Samba, you'll need these: samba, samba-common, samba-doc, smbclient, and winbind.
Fedora users need samba, samba-client, and samba-common.
Find the installed Samba version information with these commands:
$ /usr/sbin/smbd --version
Version 3.0.23-Debian
$ /usr/sbin/winbindd --version
Version 3.0.23-Debian
On Debian, check your Kerberos version with dpkg:
$ dpkg -l | grep krb5
ii libkrb53 1.4.4-etch MIT Kerberos runtime libraries
On Fedora, use rpm:
$ rpm -q krb5-workstation
krb5-workstation-1.5-21
Samba comes with a great little command that shows all of its compiled options:
$ /usr/sbin/smbd -b
However, that spits out pages of output, so you should narrow your search with grep:
$ smbd -b | grep -i ldap
HAVE_LDAP_H HAVE_LDAP HAVE_LDAP_DOMAIN2HOSTLIST ...
$ smbd -b | grep -i krb5
HAVE_KRB5_H HAVE_ADDRTYPE_IN_KRB5_ADDRESS HAVE_KRB5 ...
$ smbd -b | grep -i ads
WITH_ADS WITH_ADS
$ smbd -b | grep -i winbind
WITH_WINBIND WITH_WINBIND
You'll see more output than is printed here. Output like this for each search shows that the support is compiled in, and you are ready to proceed to the rest of the recipes in this chapter.
A blank line indicates that support for that particular item is not compiled into Samba, which means you'll have to recompile it yourself. See Recipe 11.2 to learn how to do this.
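The four grep checks above can be combined into one pass that names whatever is missing. This is an added example, not code from the original text; the function names, the SMBD override variable, and the sample build listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list the features a Samba build lacks, from `smbd -b` output.
# Token names are the ones shown in the grep output above.

# Read build options on stdin; print the missing features, space-separated.
missing_features() {
    opts=$(cat)
    missing=""
    for pair in LDAP:HAVE_LDAP KRB5:HAVE_KRB5 ADS:WITH_ADS WINBIND:WITH_WINBIND; do
        name=${pair%%:*}
        token=${pair#*:}
        # -w matches the whole token, so the header check HAVE_LDAP_H alone
        # does not count as LDAP support.
        if ! printf '%s\n' "$opts" | grep -qw "$token"; then
            missing="$missing $name"
        fi
    done
    printf '%s' "${missing# }"
}

# Check the real binary. SMBD is a hypothetical override variable; the default
# path is the one used in this recipe.
check_smbd() {
    m=$("${SMBD:-/usr/sbin/smbd}" -b | missing_features)
    if [ -n "$m" ]; then
        echo "Samba was built without: $m" >&2
        return 1
    fi
    echo "LDAP, Kerberos, ADS and winbind support are all compiled in"
}

# Constructed sample: a build with LDAP and Kerberos but no ADS or winbind.
SAMPLE_BUILD='   HAVE_LDAP_H
   HAVE_LDAP
   HAVE_KRB5_H
   HAVE_KRB5'

echo "sample build is missing: $(printf '%s\n' "$SAMPLE_BUILD" | missing_features)"
```

Call check_smbd on the host itself; a nonzero exit status means at least one feature requires a rebuild.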
If you are familiar with Heimdal Kerberos, that works just fine. Some admins prefer it, as it is outside of the United States' export controls. The examples in this chapter will use MIT Kerberos.
Fedora users need krb5-workstation, containing client utilities, and krb5-libs for the server. Debian splits it up into several smaller packages, as you can see from searching the Debian packages list (http://www.us.debian.org/distrib/packages), or searching your own local package list:
$ apt-cache search krb5
libpam-krb5 - PAM module for MIT Kerberos
krb5-admin-server - MIT Kerberos master server (kadmind)
krb5-clients - Secure replacements for ftp, telnet and rsh using MIT Kerberos
krb5-config - Configuration files for Kerberos Version 5
krb5-doc - Documentation for krb5
krb5-ftpd - Secure FTP server supporting MIT Kerberos
krb5-kdc - MIT Kerberos key server (KDC)
krb5-user - Basic programs to authenticate using MIT Kerberos
libkrb53 - MIT Kerberos runtime libraries
ssh-krb5 - Secure rlogin/rsh/rcp replacement (OpenSSH with Kerberos)
For this chapter, you'll need krb5-config, krb5-doc, krb5-admin-server, krb5-kdc, and krb5-user.
Fedora users need these packages to get OpenLDAP: openldap, openldap-servers, and openldap-clients.
On Debian, you'll need ldap-utils, ldapscripts, libldap2, and slapd.