Samba, joining NT Domain, & NT Auth recipe

Scott Mann Scott.Mann at lefthandnetworks.com
Tue Nov 13 16:24:01 GMT 2001



Since I have had a good deal of trouble getting NT Domain
Authentication to work reliably, I figured lots of other
folks might benefit from my struggles. So, I've documented
a method that works consistently. Please feel free to
let me know if you have problems with what I've written here.

Many thanks to Stephan Scheufen whose assistance was
invaluable and who also has posted many useful tidbits here.

Setting the Stage
-----------------
Samba 2.2.2 on Linux with a 2.4.2 or later kernel (I've
tested RedHat 7.1/7.2 and Mandrake 7.2/8.1 as well as
kernels up through 2.4.10).

The Linux Samba server is NOT a PDC, but only an NT
Domain client that serves up file and print resources
and wants to authenticate NT Domain/Active Directory
users and groups.

My PDC is W2K. I haven't tested an NT PDC.

Steps to Get Linux Authenticating Domain Users
----------------------------------------------

1. Kill all running samba daemons on the Linux Samba system. 
This includes all instances
of smbd, nmbd, and (if you're already running it) winbind. If
you've got run control scripts (RedHat, Mandrake, and the like),
then you can execute:
	# /etc/init.d/smb stop
Also, and this is VERY important, remove the two files:
	# rm -f secrets.tdb
	# rm -f MACHINE.SID
These files will be located in /etc or in the Samba config directory.
If you don't know where that is, use find or slocate. Also, these
two files MUST be removed before you rejoin a domain or join a new
domain.

2. On the W2K primary domain controller, add the Linux computer
as a pre-Windows 2000 computer. You can accomplish this in the
following way:

Start->Settings
A Window will pop-up from which you select "Administrative Tools."
Another window pops-up from which you select "Active Directory
	Users and Computers."
Yet another window pops-up. Select computers and then click on
	Action->New->Computer
The "New Object - Computer" window pops-up. Type in the hostname
of the Linux Samba system. Click on the "Change" button and select
the "Pre-Windows 2000 Compatible Access" group. Check the box next
to "Allow pre-Windows 2000 computers to access this account." Click
OK.

3. On the Linux Samba system, build Samba:
	# cd /somedir
	# tar zxvf samba-2.2.2.tar.gz
	# cd samba-2.2.2/source
	# ./configure --with-pam --with-winbind --with-acl-support
	# make && make install
	# cd nsswitch
	# cp pam_winbind.so /lib/security
	# cp libnss_winbind.so /lib
	# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.1
	# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
NB: The options to ./configure are for PAM, winbind (NT auth), and ACL support.
    You may want other options to configure; see ./configure --help.
    In particular, you will want to set the --prefix and other dir
    locations appropriately.

IMPORTANT: Be sure to read through all of the documents in
	samba-2.2.2/docs. Especially read through 
	samba-2.2.2/docs/htmldocs/winbind.html. There's some useful
	stuff in that latter document although I have never been able
	to successfully get "smbpasswd -j DOMAIN -r PDC -U Admin%pw"
	working. If I could, I would completely avoid step #2 above.

3a. Set up /etc/nsswitch.conf with the winbind entries. Use something
like:
	passwd: files winbind nis
	shadow: files winbind nis
	group:  files winbind nis

4. Set up PAM. There are lots of good examples in the other docs
about this (see the NB in step #3). I take advantage of the
pam_stack.so module and simply modify /etc/pam.d/system-auth as
shown below. I also am permitting NT Auth users full access to
the system, so it makes sense to configure my PAM this way.
You need to determine what your needs are, for example if you
want to allow NT Domain users access only to file shares, then
you would likely only modify /etc/pam.d/samba. Here's my
/etc/pam.d/system-auth file:

auth        sufficient    /lib/security/pam_winbind.so debug
auth        sufficient    /lib/security/pam_unix.so use_first_pass likeauth nullok md5 shadow
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_winbind.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Note that I've got "debug" after pam_winbind.so for the auth stack.
This gives me some extra output in /var/log/auth.log. You may want
to remove that argument and reduce the log entries. Note also that
pam_winbind.so completely replaces pam_unix.so for the account
stack and still functions properly for NIS and local unix users.
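The two preceding steps are easy to get subtly wrong (a missing "winbind" in one nsswitch database, or pam_winbind.so only in the auth stack and not the account stack) and the symptom is just a failed login. The script below is an added example, not part of Scott's post; it checks the nsswitch.conf and /etc/pam.d/system-auth wiring and the library copies from step 3. The file paths are parameters (defaulting to the ones used in the post) so the checks can be run against a staged copy. The `-w` grep flag and the awk `tolower`-free matching are assumed to be available on any Linux of the period.

```sh
#!/bin/sh
# Added example (not from the original post): verify that winbind is wired
# into the name service switch and the PAM auth/account stacks.

# nss_has_winbind FILE DB -> 0 if the "DB:" line in nsswitch.conf lists winbind
nss_has_winbind() {
    grep -E "^[ 	]*$2[ 	]*:" "$1" | grep -qw winbind
}

# check_nsswitch [FILE] -> 0 when passwd, shadow and group all consult
# winbind; prints the databases that do not.
check_nsswitch() {
    nss=${1:-/etc/nsswitch.conf}
    rc=0
    for db in passwd shadow group; do
        if ! nss_has_winbind "$nss" "$db"; then
            echo "nsswitch: '$db' does not list winbind"
            rc=1
        fi
    done
    return $rc
}

# pam_stack_has FILE TYPE MODULE -> 0 if some line of stack TYPE (auth,
# account, ...) names MODULE in its module-path column.
pam_stack_has() {
    awk -v t="$2" -v m="$3" '$1 == t && index($3, m) { found = 1 }
                             END { exit !found }' "$1"
}

# check_pam [PAMFILE] [LIBDIR] -> 0 when pam_winbind.so is in both the auth
# and account stacks and the winbind libraries were copied into place.
check_pam() {
    pamfile=${1:-/etc/pam.d/system-auth}
    libdir=${2:-/lib}
    rc=0
    pam_stack_has "$pamfile" auth pam_winbind.so \
        || { echo "pam: no pam_winbind.so in the auth stack"; rc=1; }
    pam_stack_has "$pamfile" account pam_winbind.so \
        || { echo "pam: no pam_winbind.so in the account stack"; rc=1; }
    [ -f "$libdir/security/pam_winbind.so" ] \
        || { echo "pam: $libdir/security/pam_winbind.so is missing"; rc=1; }
    [ -e "$libdir/libnss_winbind.so.2" ] \
        || { echo "nss: $libdir/libnss_winbind.so.2 is missing"; rc=1; }
    return $rc
}
```

Source the file (`. ./winbind-check.sh`) and run `check_nsswitch && check_pam`; a non-zero exit with the printed lines tells you which of the two steps to revisit.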

5. This step may not be necessary depending upon your environment,
but it won't hurt and it makes name resolution simple.

In /etc/lmhosts (or wherever you configured Samba to put it
based on ./configure above), put
<IP address>	<NT/W2K domainname>

for example:
172.16.0.1	NTDOMAIN.COM

Note that you use the domainname, not a hostname! The IP address
should match that of the PDC.

In /etc/hosts, put
<IP address>	<Primary Domain Controller hostname>

for example:
172.16.0.1	my-pdc	my-pdc.dns.domain.com

Arguably, this entry could also be put in lmhosts, but I
like having it available in /etc/hosts for resolution by
other processes. It is also resolvable, in my environment,
via DNS, but this is faster ;-)

6. Now configure smb.conf. You will likely have a bunch of
other stuff in it, but this represents a minimal set for
NT Auth support.

[global]
	 netbios name = <Linux Samba hostname here>
	 workgroup = <NT/W2K DOMAIN name goes here>
	 security = domain
	 password server = <hostname of the PDC goes here>
	 encrypt passwords = yes
	 smb passwd file = /etc/smbpasswd
	 unix password sync = Yes
	 username map = /etc/smbusers
	 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	 passwd program = /usr/bin/passwd %u
	 passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*\n
	 winbind separator = +
	 winbind uid = 10000-20000
	 winbind gid = 10000-20000
	 winbind enum users = yes
	 winbind enum groups = yes
	 template shell = /bin/bash

Be sure to replace the things inside <> appropriately. Also, be sure
to read the docs about these and other entries before you go into
production.
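A leftover <placeholder>, "security = user", or a winbind uid range that overlaps local accounts will each make the join or the later logins fail in ways that look unrelated. The script below is an added example, not part of Scott's post or of Samba itself; it reads the [global] section of an smb.conf and checks the settings listed above. The smb.conf path is a parameter; the minimum uid/gid of 1000 used for the overlap check is an assumption about where local accounts end on the box.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check the [global]
# settings a Samba domain-member server needs for NT domain authentication.

# smb_global_value FILE KEY -> prints the value of KEY from the first
# [global] section (key match is case-insensitive; comments are skipped).
# The value is taken from the first "=" only, so values that themselves
# contain "=" (socket options) are returned intact.
smb_global_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && /^[ \t]*[;#]/ { next }
        insec {
            split($0, kv, "=")
            k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_smbconf [FILE] -> 0 when the domain-auth settings are present and
# sane; prints one line per problem found.
check_smbconf() {
    conf=${1:-/etc/samba/smb.conf}
    rc=0
    sec=$(smb_global_value "$conf" security | tr 'A-Z' 'a-z')
    [ "$sec" = domain ] \
        || { echo "security must be 'domain' (found '${sec:-unset}')"; rc=1; }
    enc=$(smb_global_value "$conf" "encrypt passwords" | tr 'A-Z' 'a-z')
    case "$enc" in
        yes|true|1) ;;
        *) echo "encrypt passwords must be yes (found '${enc:-unset}')"; rc=1 ;;
    esac
    # These must be filled in; a literal "<...>" means the template was kept.
    for k in "netbios name" "workgroup" "password server"; do
        v=$(smb_global_value "$conf" "$k")
        case "$v" in
            ""|*"<"*) echo "$k is unset or still holds a <placeholder>"; rc=1 ;;
        esac
    done
    # winbind uid/gid must be LOW-HIGH, ascending, and above local accounts
    # (assumed to end at 999) so domain users never share an id with a local one.
    for k in "winbind uid" "winbind gid"; do
        range=$(smb_global_value "$conf" "$k")
        lo=${range%-*}; hi=${range#*-}
        case "$range" in
            *-*)
                case "$lo$hi" in
                    *[!0-9]*) echo "$k range '$range' is not numeric"; rc=1; continue ;;
                esac
                if [ "$lo" -ge "$hi" ] || [ "$lo" -lt 1000 ]; then
                    echo "$k range '$range' is reversed or overlaps local accounts"; rc=1
                fi ;;
            *) echo "$k must be a LOW-HIGH range (found '${range:-unset}')"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run `check_smbconf /path/to/smb.conf` before step 7; it only reads the file, so it is safe to run against the live configuration.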

7. You should now be able to join the domain.
	# smbpasswd -j <DOMAIN>

where <DOMAIN> is the name of your NT/W2K domain.

8. Start all of the samba daemons. This includes smbd, nmbd, and
winbindd. Make sure that your startup script includes the winbindd
invocation, if you are using one:
	# /etc/init.d/smb start

9. Now check the exchanged secret:
	# wbinfo -t
	Secret is good
	#
If you get "Secret is good", you are ready to go!

If you get "Error checking machine account", then winbindd is
not running.

If you get "Secret is bad", then you have a configuration error
and you need to kill the Samba daemons, remove secrets.tdb and
MACHINE.SID. Go to the W2K PDC, remove the entry from the Active
Directory, reboot the PDC (or wait for the entry to flush out
of the cache) and re-add the machine entry to the
Active Directory (see step #2). Then rejoin the domain (step #7),
restart the daemons (step #8), and recheck the secret (step #9).

10. Try authenticating some NT users.

	# telnet linuxsamba
	login: <DOMAIN+ntuser>
	Password: <ntuser's pw>

This should let you log in with a home directory of /home/DOMAIN/ntuser.
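Steps 9 and 10 are the checks you end up repeating most, so it helps to have them scriptable with distinct exit codes rather than eyeballing "wbinfo -t". The script below is an added example, not part of Scott's post; it classifies the three wbinfo outcomes named in step 9 and, as a lighter-weight version of the telnet login in step 10, resolves a DOMAIN+user through the name service switch with getent. The exit-code values and the use of getent for the lookup are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the original post): scriptable versions of the
# "wbinfo -t" check (step 9) and a domain-user lookup (step 10).

# diagnose_secret OUTPUT -> prints a one-word status and returns
#   0  trust secret verified ("Secret is good")
#   2  winbindd is not running ("Error checking machine account")
#   3  trust secret is broken, the join must be redone ("Secret is bad")
#   4  output not recognised
diagnose_secret() {
    case "$1" in
        *"Secret is good"*)                 echo ok;            return 0 ;;
        *"Error checking machine account"*) echo winbindd-down; return 2 ;;
        *"Secret is bad"*)                  echo rejoin;        return 3 ;;
        *)                                  echo unknown;       return 4 ;;
    esac
}

# check_trust -> runs wbinfo -t (stderr included, since the message may go
# there) and returns the diagnose_secret code with a short next-step hint.
check_trust() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found in PATH"; return 4; }
    out=$(wbinfo -t 2>&1) || true
    rc=0
    status=$(diagnose_secret "$out") || rc=$?
    case "$status" in
        ok)            echo "trust secret OK" ;;
        winbindd-down) echo "winbindd is not running; start the daemons (step 8) and retry" ;;
        rejoin)        echo "trust secret is bad; clear secrets.tdb and MACHINE.SID, re-create the computer account and rejoin (step 9)" ;;
        *)             echo "unexpected wbinfo output: $out" ;;
    esac
    return $rc
}

# check_domain_user DOMAIN+user -> 0 if the account resolves through
# libnss_winbind; the printed passwd entry shows the uid that was mapped
# from the winbind uid range and the template shell.
check_domain_user() {
    case "$1" in
        *+*) ;;
        *) echo "expected DOMAIN+user (winbind separator is '+')"; return 4 ;;
    esac
    if entry=$(getent passwd "$1"); then
        echo "$entry"
    else
        echo "$1 does not resolve; check nsswitch.conf and that winbindd is up"
        return 1
    fi
}
```

`check_trust; check_domain_user NTDOMAIN+someuser` is a useful pair to run after every restart; a resolvable user with the expected uid range confirms the NSS half of the setup without needing an interactive login.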

11. If you are having problems, try running winbindd -d 5. This sets
the debugging level to 5 and writes stuff out to /var/log/samba/log.winbindd.
If 5 is too much, try 3.

I hope this is useful to someone...again, any and all feedback is
welcome.

Regards,
Scott


More information about the samba-ntdom mailing list