[Samba] Samba PDC linux authentication

Philip Washington phwashington at comcast.net
Mon Jan 16 02:58:16 GMT 2006


John H Terpstra wrote:

>On Sunday 15 January 2006 09:52, Philip Washington wrote:
>  
>
>>I have set up a Samba PDC and am trying to get my linux computers to use
>>the PDC for authentication.  So far using Suse 10 or RHEL4 I have not
>>been able to accomplish this.  I have been searching for 2 days looking
>>for the information or the right combination of information and have
>>not come up with a solution.   Does anyone here know of a howto which
>>shows a setup for a linux desktop which can use a Samba PDC  so that
>>users in a Domain can use their same logins to login to a linux desktop.
>>    
>>
>
>Have you checked chapter 7, section 7.3.5.1? If you have, what problems are 
>you experiencing? I'd really like to make sure that our documentation is 
>correct, so your help would be appreciated.
>
>http://www.samba.org/samba/docs/Samba3-ByExample.pdf
>
>- John T.
>  
>
Duh.  I bought the book but I didn't remember that part.  I went to the 
Samba docs displayed in HTML form and checked the link and could have 
sworn it took me to the ADS portion.  Well, never mind this part, I just 
didn't pick up the book and look through it.

Okay, what I accomplished today is getting the logins working via console 
and gdm/xdm.

Things I found that may need correcting:
The HTML page, when clicking on the link, points you to a file that 
references ldap:
passwd:   files ldap
shadow:   files ldap
group:    files ldap

I may be mistaken but I believe that for winbind configuration you need 
winbind instead of ldap here.  I started with a straight Suse 10 setup 
with the files needed (I believe).  I used Yast2 for my initial 
configuration and that didn't work.  So I borrowed from your book and 
made some adjustments to the original files based on that.  I still have 
some problems but a domain user can now logon.
Problems I still have that I know of:
1) Users when logging in.  The system does not create a home directory for 
them if it's their first time to log in.  I think there is a PAM module 
or something like that, that might help, by getting and using their home 
directories from the file server.  If someone has a better idea and/or 
sees the mistake I made causing this, please post.
2) Once a user logs in, they cannot browse the network using the 
desktop application on Suse.  They can see Samba servers and shares, but 
when they click on a share they can't log in.  Could something in the 
smb.conf file have done this?  I haven't looked at the Samba PDC logs, 
but I looked at the file server logs and saw no changes there, like my 
computer didn't exist.

Here are my configuration files.
nsswitch.conf------------------------------------------------------------------------------------------------

passwd: compat winbind
group:  compat winbind

hosts:  files dns
networks:       files dns

services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files
smb.conf 
---------------------------------------------------------------------
# I modified the idmaps to match what is on my Samba PDC
#

[global]
        workgroup = DOMTEST
        printing = cups
        security = domain
        netbios name = WRKSTN
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        smb ports = 139
        name resolve order = wins bcast hosts
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        idmap gid = 16777216-33554431
        idmap uid = 16777216-33554431
        template primary group = "Domain Users"
        template shell = /bin/bash
        winbind separator = +
        hosts allow = 192.168.5.,127.

--------------------------------------------------------------------
Okay, here is where there is a slight deviation from the Samba3-examples 
(very slight, I think).
[For those following along, if you're logged into X to make changes to 
the pam.d files: make changes to your pam.d file, save them, then hit 
Ctrl-Alt-F1 or Ctrl-Alt-F2, which will take you to a console screen.  
Once you are there make sure you can log in as root.  Hit Ctrl-Alt-F7 to 
get back to the X window.  If you are logged in via ssh, create 
another ssh session before you start, or try to make sure you can log in 
as root via ssh before logging out of your current session.]  Whatever 
you do, don't directly copy these files onto your system.  Look at 
Samba3-examples and understand the differences here, and change at your 
own risk.
------------------------------------------------------------------------
/etc/pam.d/login
#%PAM-1.0
auth     required       pam_securetty.so
auth     include        common-auth
auth     required       pam_nologin.so
auth     required       pam_mail.so
account  include        common-account
password include        common-password
session  include        common-session
session  required       pam_resmgr.so
-----------------------------------------------------------------------------
/etc/pam.d/common-auth
auth    sufficient      pam_unix2.so    nullok
auth    sufficient      pam_winbind.so use_first_pass use_authtok
auth    required        pam_env.so
#auth   required        pam_unix2.so
--------------------------------------------------------------------------------
/etc/pam.d/common-account
#
#account        required        pam_unix2.so
account sufficient      pam_unix2.so
account sufficient      pam_winbind.so use_first_pass use_authtok
------------------------------------------------------------------------------------
/etc/pam.d/common-password
password required       pam_pwcheck.so  nullok
password sufficient     pam_winbind.so  use_first_pass use_authtok
password required       pam_unix2.so    nullok use_first_pass use_authtok
#password required      pam_make.so     /var/yp

------------------------------------------------------------------------------------
/etc/pam.d/common-session
#
#account        required        pam_unix2.so
account sufficient      pam_unix2.so
account sufficient      pam_winbind.so use_first_pass use_authtok
----------------------------------------------------------------------------------------
Basically the changes were using an include file, and you don't have to 
edit /etc/pam.d/gdm, /etc/pam.d/xdm or /etc/pam.d/login, just the 
common-* files.  You can look at it as a way of setting up everything at 
once or screwing up everything at once :-).

So I'll still continue to work on my issues noted and find some more, 
then work on RHEL and then circle back and try to do LDAP authentication 
through the ldap server on the Samba PDC.  I started with winbind 
because after looking around it seemed that it might be the easiest to 
configure, and I need to get these desktops up pretty quick.
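An added check, not from the original post or the Samba book: a small sh script (assumes sh, sed, awk and mktemp) that audits the two settings discussed above, winbind on the passwd/group lines of nsswitch.conf, and a common-session stack that can actually create a home directory on a domain user's first login. It runs against constructed copies of the files in this message; the posted common-session contains only "account" lines, so no session module runs from it, and pam_mkhomedir.so is the standard Linux-PAM module that creates a missing home directory.

```shell
#!/bin/sh
# Added audit script (not from the original post): checks a workstation for the
# two pitfalls discussed in the thread. Assumes sh, sed, awk and mktemp; the
# sample files are constructed below. On a real host pass /etc/nsswitch.conf
# and /etc/pam.d/common-session instead.

# Drop comments and blank lines so commented-out entries are not counted.
strip_comments() { sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"; }

# 0 if nsswitch database $2 (passwd, group, ...) lists source $3 (winbind, ldap).
nss_has_source() {
    strip_comments "$1" | awk -v db="$2" -v src="$3" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Number of active PAM lines of management type $2 (auth/account/password/session).
pam_count_type() { strip_comments "$1" | awk -v t="$2" '$1 == t { n++ } END { print n + 0 }'; }

# 0 if an active line of type $2 names module $3 (e.g. session pam_mkhomedir.so).
pam_type_has_module() {
    strip_comments "$1" | awk -v t="$2" -v m="$3" '
        $1 == t { for (i = 3; i <= NF; i++) if ($i == m) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Audit nsswitch file $1 and common-session file $2; prints each failed check
# and returns the number of failures (0 = all good).
audit_winbind_login() {
    fails=0
    nss_has_source "$1" passwd winbind || { echo "FAIL: passwd line lacks winbind"; fails=$((fails + 1)); }
    nss_has_source "$1" group winbind || { echo "FAIL: group line lacks winbind"; fails=$((fails + 1)); }
    [ "$(pam_count_type "$2" session)" -gt 0 ] || { echo "FAIL: $2 has no session lines at all"; fails=$((fails + 1)); }
    pam_type_has_module "$2" session pam_mkhomedir.so || { echo "FAIL: no pam_mkhomedir.so in session stack"; fails=$((fails + 1)); }
    return $fails
}

# Constructed samples: the post's nsswitch.conf, the book's ldap variant, the
# posted common-session (only "account" lines) and a session stack that creates
# missing home directories with pam_mkhomedir (a standard Linux-PAM module).
SAMPLE_DIR=$(mktemp -d)
printf 'passwd: compat winbind\ngroup:  compat winbind\nhosts:  files dns\n' > "$SAMPLE_DIR/nsswitch.conf"
printf 'passwd:   files ldap\nshadow:   files ldap\ngroup: files ldap\n' > "$SAMPLE_DIR/nsswitch.ldap"
printf '#account required pam_unix2.so\naccount sufficient pam_unix2.so\naccount sufficient pam_winbind.so use_first_pass use_authtok\n' > "$SAMPLE_DIR/common-session.posted"
printf 'session required pam_unix2.so\nsession optional pam_winbind.so\nsession required pam_mkhomedir.so umask=0022\n' > "$SAMPLE_DIR/common-session.fixed"

echo "== posted common-session =="; audit_winbind_login "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/common-session.posted" || echo "$? check(s) failed"
echo "== fixed common-session ==";  audit_winbind_login "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/common-session.fixed" && echo "all checks passed"
```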
