HP CIFS Server 3.0f Administrator's Guide version A.02.03

Joining an HP CIFS Server to a Windows 2000/2003 Domain
HP CIFS Server supports only the following Kerberos encryption types:
DES-CBC-MD5
DES-CBC-CRC
RC4-HMAC
You must configure one of these encryption types in the /etc/krb5.conf file as shown below. HP
recommends that you set the encryption type to DES-CBC-MD5 in /etc/krb5.conf unless other
Kerberos-enabled applications on the HP server require one of the other supported encryption types.
WARNING! Do not add your machine name to the ADS server with the Windows Server Manager.
If your machine has already been added to ADS with the Windows Server Manager GUI, you can
simply use Windows Server Manager to delete the machine account. Then follow the instructions to run the
"kinit" and "net ads join" commands as described below in “Step-by-step Procedure”.
Another way to resolve this problem is to bitwise OR the "userAccountControl" attribute value of the CIFS
member server's computer account in ADS with the ADS_UF_USE_DES_KEY_ONLY flag (2097152, or
0x200000), so that the flag is set and the other bits are preserved. This can be accomplished with the
"adsiedit.msc" tool from the Windows 2000 or 2003 CD or with the ldapmodify command.
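The following shell fragment is an added example, not part of this guide or of the HP CIFS Server product. It shows the ldapmodify route: take the computer account's current userAccountControl value, set the ADS_UF_USE_DES_KEY_ONLY bit with a bitwise OR (an AND would clear every other bit) and produce the LDIF that ldapmodify consumes. The computer account DN, the starting value 4096 and the ldapmodify options in the closing comment are assumptions; in practice the DN and the current value come from an ldapsearch against your own domain controller. Note that single DES is a 56-bit cipher; treat it as the legacy requirement of this product generation rather than as a current recommendation.

```shell
#!/bin/sh
# Added example (not from the HP CIFS guide): set the DES-key-only bit in a
# computer account's userAccountControl and emit the LDIF for ldapmodify.
# Assumptions: the DN and the current attribute value were read beforehand
# with ldapsearch; the values used below are illustrative only.

UF_USE_DES_KEY_ONLY=2097152   # 0x200000, the flag named in the WARNING above

# uac_with_des_only CURRENT -> prints CURRENT with the flag set (bitwise OR).
# Setting a flag is an OR; AND-ing the value would clear every other bit.
uac_with_des_only() {
    echo $(( $1 | UF_USE_DES_KEY_ONLY ))
}

# uac_has_des_only CURRENT -> exit status 0 if the flag is already set.
uac_has_des_only() {
    [ $(( $1 & UF_USE_DES_KEY_ONLY )) -ne 0 ]
}

# ldif_for_des_only DN CURRENT -> prints the LDIF that replaces the attribute.
ldif_for_des_only() {
    dn=$1
    new=$(uac_with_des_only "$2")
    printf 'dn: %s\nchangetype: modify\nreplace: userAccountControl\nuserAccountControl: %s\n' "$dn" "$new"
}

# Usage with constructed values. 4096 (0x1000) is WORKSTATION_TRUST_ACCOUNT,
# the value a plain computer account normally carries; the DN, host and
# bind options below are assumptions in OpenLDAP command-line style:
# ldif_for_des_only 'CN=HPCIFS1,CN=Computers,DC=example,DC=com' 4096 \
#   | ldapmodify -h dc1.example.com -D 'administrator@EXAMPLE.COM' -W
```

Run uac_has_des_only on the value you read back after the change to confirm the bit is set; the functions are idempotent, so applying them to an account that already carries the flag leaves the value unchanged.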
NOTE: If an HP CIFS Server is currently joined to the domain as a pre-Windows 2000 member server,
first remove the server from the domain before adding it to the Windows domain as an ADS member
server.
Configuration Parameters
The following is a description of the smb.conf parameters shown in “Step-by-step Procedure”:
realm This parameter specifies the name of the ADS Kerberos realm, which is the fully
qualified DNS domain name (conventionally in upper case). It must be set to the same
value as the Kerberos realm in krb5.conf.
workgroup This parameter specifies the name of the domain in which the HP CIFS Server is a
domain member server.
security When the HP CIFS Server joins Windows 200x as an ADS native member server,
you must set this parameter to ADS.
password server This parameter defines the NetBIOS name of the Windows ADS domain controller (PDC)
that performs user name authentication and validation.
encrypt passwords If this parameter is set to yes, the passwords used to authenticate users are
exchanged in encrypted form rather than as clear text. Leave it set to yes for an ADS member
server.
netbios name Set this parameter to the NetBIOS name by which the member server is known.
Step-by-step Procedure
Use the following instructions to join an HP CIFS Server to a Windows 2000/2003 Domain as an ADS
native member server:
1. Verify that the LDAP-UX Integration product has been installed on your HP CIFS Server:
swlist | grep J4269AA
Consult “Installing LDAP-UX Client Services on an HP CIFS Server” in Chapter 6, "LDAP Integration
Support" if necessary.
2. On your HP CIFS Server, create the Kerberos configuration file, /etc/krb5.conf, which
specifies the default realm, the location of a Key Distribution Center (KDC) server and the log file
names. The Kerberos client depends on this configuration to locate the realm's KDC.
If no /etc/krb5.conf file exists when /opt/samba/bin/samba_setup is run,
samba_setup attempts to create and validate an appropriately configured krb5.conf file
based on the answers to the questions asked when 'ads member server' is chosen.
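As an added example (not the guide's own krb5.conf or smb.conf, and not the output of samba_setup), the shell functions below render the /etc/krb5.conf that step 2 describes and the [global] smb.conf parameters listed under “Configuration Parameters”, refusing any encryption type outside the three the HP CIFS Server supports. EXAMPLE.COM, dc1.example.com, DC1 and HPCIFS1 are made-up names; the log file paths under /var/adm are assumptions, and the port numbers in the [realms] section are the Kerberos defaults.

```shell
#!/bin/sh
# Added example (not from the HP CIFS guide): render the krb5.conf and the
# smb.conf [global] fragment used when joining as an ADS member server.
# Realm, KDC, domain and host names are illustrative assumptions.

# is_supported_enctype NAME -> exit 0 only for the three supported types.
is_supported_enctype() {
    case $1 in
        des-cbc-md5|des-cbc-crc|rc4-hmac) return 0 ;;
        *) return 1 ;;
    esac
}

# render_krb5_conf REALM KDC [ENCTYPE] -> prints /etc/krb5.conf contents.
# REALM must be upper case and identical to the smb.conf "realm" value.
# ENCTYPE defaults to des-cbc-md5, the type the guide recommends.
render_krb5_conf() {
    realm=$1; kdc=$2; enctype=${3:-des-cbc-md5}
    is_supported_enctype "$enctype" || { echo "unsupported enctype: $enctype" >&2; return 1; }
    domain=$(echo "$realm" | tr 'A-Z' 'a-z')   # DNS domain mapped to the realm
    cat <<EOF
[libdefaults]
    default_realm = $realm
    default_tkt_enctypes = $enctype
    default_tgs_enctypes = $enctype

[realms]
    $realm = {
        kdc = $kdc:88
        admin_server = $kdc:749
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm

[logging]
    kdc = FILE:/var/adm/krb5kdc.log
    admin_server = FILE:/var/adm/kadmin.log
    default = FILE:/var/adm/krb5lib.log
EOF
}

# render_smb_global REALM WORKGROUP PDC NETBIOSNAME -> prints the [global]
# parameters described under "Configuration Parameters".
render_smb_global() {
    cat <<EOF
[global]
    realm = $1
    workgroup = $2
    security = ADS
    password server = $3
    encrypt passwords = yes
    netbios name = $4
EOF
}

# Usage with constructed names (write the output to the real files as root):
# render_krb5_conf EXAMPLE.COM dc1.example.com des-cbc-md5 > /etc/krb5.conf
# render_smb_global EXAMPLE.COM EXAMPLE DC1 HPCIFS1
```

Passing an unsupported type such as aes256-cts makes render_krb5_conf fail before anything is written, which is the check worth having because a mismatch between this file and what the KDC issues shows up only later, when kinit or net ads join fails.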