Integrating CIFS Server with LDAP-UX
From jasonhoss.com
Preparing HP-UX
- Install CIFS-Server A.03.01 or later
- Install LdapUXClient B.05.01 or later
- Ensure latest version of krb5client and PAM-Kerberos
- If the server is currently configured as an LDAP-UX client, you must remove that configuration before proceeding with the CIFS implementation, because the computer account created by the LDAP-UX “autosetup” process is incompatible with the computer account created by the “samba_setup” process.
- Back up the /etc/krb5.conf, /etc/pam.conf and /etc/nsswitch.conf files, because the “netleave” command will remove or modify them.
- Back up any current smb.conf file in use.
- To properly remove the LDAP-UX configuration execute:
# /opt/ldapux/config/netleave
- Ensure that the computer account has been removed from the “Computers” container in Active Directory.
Configure CIFS Server (Samba)
- Run /opt/samba/bin/samba_setup to begin the server setup
  * Respond Y to continue the setup.
  * Respond Y if you wish to use this server as a WINS server, or N if the environment already has a WINS server or does not use WINS.
  * Respond Y if you wish to use another WINS server in the environment, or N if you do not wish to use WINS.
  * Assuming Active Directory is the LDAP server, respond N to using NDS LDAP.
  * Select number 4 to make this server an ADS Member Server.
  * Confirm Y to proceed with the ADS Member Server configuration.
  * Enter the name of the computer you wish to add to Active Directory. Typically this will be the current hostname of the HP-UX server on which CIFS-Server is being configured.
  * Enter the Kerberos realm name used by the AD implementation.
  * Confirm the realm by responding with Y.
  * Enter the FQDN of the ADS Domain Controller for the realm.
  * Confirm the ADS Domain Controller with Y.
  * Respond with Y or N depending on whether or not multiple domain controllers should be added.
  * Provide the Domain Controller's administrative username.
  * If everything entered looks good, respond Y to accept.
  * The samba_setup utility will attempt to use an existing krb5.conf file to authenticate against the Active Directory domain.
  * Provide the password for the Domain Controller's administrative username.
  * Provide the password for the Domain Controller's administrative username again to join the HP-UX host to the Active Directory domain.
  * Verify that /etc/opt/samba/smb.conf contains the entries:
      dedicated keytab file = /etc/krb5.keytab
      kerberos method = secrets and keytab
- Delete the computer account created in Active Directory by this process.
- Re-create the computer account using the following command:
net ads join createupn='host/<hostname>.<domainname>@<REALMNAME>' -U <Administrative User>
- Add the CIFS service principal to the keytab by running the following command:
net ads keytab add CIFS -U <Administrative User>
- Confirm that the keytab looks something like this:
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/07/11 12:23:18 host/foo.example.com@EXAMPLE.COM
   2 04/07/11 12:23:18 host/foo.example.com@EXAMPLE.COM
   2 04/07/11 12:23:18 host/foo.example.com@EXAMPLE.COM
   2 04/07/11 12:23:18 host/foo@EXAMPLE.COM
   2 04/07/11 12:23:18 host/foo@EXAMPLE.COM
   2 04/07/11 12:23:18 host/foo@EXAMPLE.COM
   2 04/07/11 12:23:17 foo$@EXAMPLE.COM
   2 04/07/11 12:23:17 foo$@EXAMPLE.COM
   2 04/07/11 12:23:17 foo$@EXAMPLE.COM
   2 04/07/11 12:28:54 cifs/foo.example.com@EXAMPLE.COM
   2 04/07/11 12:28:54 cifs/foo.example.com@EXAMPLE.COM
   2 04/07/11 12:28:54 cifs/foo.example.com@EXAMPLE.COM
   2 04/07/11 12:28:54 cifs/foo@EXAMPLE.COM
   2 04/07/11 12:28:54 cifs/foo@EXAMPLE.COM
   2 04/07/11 12:28:54 cifs/foo@EXAMPLE.COM
and start the CIFS server by typing:
# startsmb
Test connectivity by creating a local user, but ensure there is NO user of the same name in secrets.tdb (such a user would have been created by the standard smbpasswd command).
Browsing to the server should bring up a list of shares, and authentication should work using the local user account, with the password verified via Kerberos.
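The two verification points of the procedure above (the smb.conf entries samba_setup must leave behind, and the principals the keytab must carry after "net ads join" and "net ads keytab add CIFS") as a POSIX sh check script. This is an added example, not code from the original post or from HP's CIFS-Server; the function names check_smb_conf, keytab_has_principal, check_keytab and write_samples are chosen here, the host foo / foo.example.com and realm EXAMPLE.COM are taken from the sample keytab listing, and the smb.conf fragments and keytab listings the script writes are constructed for the example (a real "klist -k" listing repeats each principal once per encryption type).

```shell
#!/bin/sh
# Added example, not code from the original post. Post-join checks for an
# HP-UX CIFS Server (Samba) ADS member. The sample files written by
# write_samples are constructed; on a real host point check_smb_conf at
# /etc/opt/samba/smb.conf and check_keytab at a file holding the output of
# "klist -k" (assumption: the klist -k column layout shown in the post).

# check_smb_conf FILE
# Returns 0 only when FILE has both required settings; leading indentation
# and whitespace around '=' are tolerated.
check_smb_conf() {
    grep -q '^[[:space:]]*dedicated keytab file[[:space:]]*=[[:space:]]*/etc/krb5\.keytab[[:space:]]*$' "$1" || return 1
    grep -q '^[[:space:]]*kerberos method[[:space:]]*=[[:space:]]*secrets and keytab[[:space:]]*$' "$1" || return 1
    return 0
}

# keytab_has_principal LISTING PRINCIPAL
# Returns 0 when some line of the klist-style LISTING ends with PRINCIPAL.
# Exact comparison of the last field, so the '$' in "foo$@REALM" is not
# treated as a regular-expression anchor.
keytab_has_principal() {
    awk -v p="$2" '$NF == p { found = 1 } END { exit !found }' "$1"
}

# check_keytab LISTING HOST FQDN REALM
# Returns 0 when LISTING holds every principal the post's sample keytab shows:
# host/ and cifs/ for both the short and the fully-qualified name, plus the
# machine account HOST$. The first missing principal is reported on stderr.
check_keytab() {
    _l=$1; _h=$2; _fq=$3; _r=$4
    for _p in "host/$_fq@$_r" "host/$_h@$_r" "$_h\$@$_r" \
              "cifs/$_fq@$_r" "cifs/$_h@$_r"; do
        keytab_has_principal "$_l" "$_p" || {
            echo "missing keytab entry: $_p" >&2
            return 1
        }
    done
    return 0
}

# write_samples DIR
# Constructed sample inputs: a good and a bad smb.conf fragment, a keytab
# listing taken after "net ads keytab add CIFS", and one from before it.
write_samples() {
    cat > "$1/smb.conf.ok" <<'EOF'
[global]
   realm = EXAMPLE.COM
   security = ADS
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
EOF
    # Missing "kerberos method": one of the two entries the post requires.
    cat > "$1/smb.conf.bad" <<'EOF'
[global]
   realm = EXAMPLE.COM
   security = ADS
   dedicated keytab file = /etc/krb5.keytab
EOF
    cat > "$1/keytab.full" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------
   2 04/07/11 12:23:18 host/foo.example.com@EXAMPLE.COM
   2 04/07/11 12:23:18 host/foo@EXAMPLE.COM
   2 04/07/11 12:23:17 foo$@EXAMPLE.COM
   2 04/07/11 12:28:54 cifs/foo.example.com@EXAMPLE.COM
   2 04/07/11 12:28:54 cifs/foo@EXAMPLE.COM
EOF
    # Before "net ads keytab add CIFS" the cifs/ service principals are absent.
    grep -v ' cifs/' "$1/keytab.full" > "$1/keytab.nocifs"
}

# Stand-alone demonstration against the constructed samples.
DEMO_DIR=${TMPDIR:-/tmp}/cifs_check.$$
mkdir -p "$DEMO_DIR"
write_samples "$DEMO_DIR"
check_smb_conf "$DEMO_DIR/smb.conf.ok"  && echo "smb.conf.ok:   required entries present"
check_smb_conf "$DEMO_DIR/smb.conf.bad" || echo "smb.conf.bad:  required entries missing"
check_keytab "$DEMO_DIR/keytab.full"   foo foo.example.com EXAMPLE.COM && echo "keytab.full:   all principals present"
check_keytab "$DEMO_DIR/keytab.nocifs" foo foo.example.com EXAMPLE.COM || echo "keytab.nocifs: run 'net ads keytab add CIFS'"
rm -rf "$DEMO_DIR"
```

On a real host, replace the demo section with `klist -k > /tmp/kt.txt` followed by `check_smb_conf /etc/opt/samba/smb.conf` and `check_keytab /tmp/kt.txt "$(hostname)" <fqdn> <REALM>`; a non-zero exit from either function before startsmb is run means the join or keytab step above needs repeating.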
Now that this is complete, it is time to re-implement LDAP-